
Xcellerator

Posts posted by Xcellerator

  1. Hi guys,

    I read this article here, and thought that it'd work great as a Ducky payload. I originally wrote it for my Teensy board (I don't have a USBRD) but then rewrote it for the Ducky. I admit it's not the cleanest code in the world (the Teensy version), but it works.

    The delays are just a guide to work with MOST machines, but on a faster machine (a server for example, :o ), I'm sure you could reduce them greatly.

    Here is the link to the code on the USBRD Wiki: LINK, and there is also a link to the pastebin with the Teensy version as well in the description.

    Let me know what you think!

  2. Hi guys,

    I was playing around with a bash script called Vanish (HERE) which uses Metasploit to create an undetectable reverse shell.

    I tried it on my Windows laptop and sure enough, my AV didn't pick it up and it worked perfectly, spawning a meterpreter session on my BackTrack machine. However, the program required an open DOS window (i.e., it didn't run silently...). So I looked around and eventually wrote a fairly long batch script to run any file silently. It works from the startup directory, so I figured I just need to copy this script and any file named "syschck.exe" over via SMB to the target's computer and get them to restart.

    So, here it is: MEDIAFIRE. It's in TXT format, so you'll need to rename it if you want to run it.

    Please tell me what you think. If you've been following the USB Rubber Ducky development, you'll see I used a similar trick to the reverse shell payload found on the wiki.

    You could try creating an ad-hoc network with one of the computers to check whether it is just the connection that is the problem. An ad-hoc network is basically one or more computers connecting to another. No internet is involved, but it uses DHCP so internal IP addresses are assigned automatically.

    Then you can use ipconfig to find out what the IP addresses are and then try your script.

    Also, in the firewall of the router of the victim, ensure that any active firewall is disabled momentarily during your test...

  4. If both computers you're working with are inside the same network, then try using the internal IP addresses given by your router. (Probably 192.168.1.x, but could be different)...

    I take it you know how to get that on Windows, but if you don't, ipconfig in CMD will do it...

    If they are on different networks, keep in mind that one of the routers (if not both) could have built-in firewalls blocking the connection... Happened to me with my BT Home Hub...

  5. If the user has access to any type of storage area, be it local, network or removable, then you could do what I did and create a shortcut to the following:

    C:\Windows\System32\reg.exe add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD

    Which would allow cmd.

    This worked at my school, which ran Windows Server 2003 over a network of Windows XP machines. Group Policy was set up to make the majority of the restrictions in the local registry. If this is the case then this would work. There are others that you'd be able to find as well, such as the run button and the shutdown button.

    If, when you try to run command prompt via a shortcut without running the above registry change first, you see the cmd window appear but with some text about being disabled by the system administrator, then I'd expect this to work.

  6. The same way that any microcontroller can light up.

    A piece of code waits for the Num Lock button to be pressed, and then turns the light on. Once the light is on, it appears that it also toggles something in Windows as well. I think this is right, because according to your post above, the Num Lock function in a Ducky script activates on a physical keyboard as well.

    Also, may I ask, is your physical keyboard USB or PS/2?

  7. Well, it could be tricky because the USBRD is a separate keyboard from any PS/2 or USB keyboards you may have connected to your PC as well. Also, seeing as they are both HID devices, they communicate one-way to the PC. So the USBRD wouldn't be able to acknowledge any change in Caps Lock from another HID device (as far as I am aware).

    You could do a similar thing by soldering a button (or buttons) to the Ducky and then adding your own code to the firmware to execute Inject1.bin, Inject2.bin, Inject3.bin, etc. depending on how many times the button was pressed in sequence (over a 3 second time stop, for example). However, you would need to wait for firmware to be released on the wiki...
