Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

Everything posted by TeCHemically

  1. I am not seeing where this can be pulled down in this post.
  2. I have setup and confirmed the funcitonality of this payload via tcpdump; but the Invoke mimikatz payload's "rx.php" fails to create .creds files. Confirmed appropriate permissions on the php script for www-data. Still nothing is created and no creds are captured. I can see them get sent to the server via packet capture; but if that's not running I don't ever see the creds files the rx.php script is supposed to create.
  3. If grabbing the creds from the responder.db on the pi zero implementation you do the following: sqlite3 /home/pi/tools/responder/Responder.db select * from responder; Getting the creds from the lanturtle they should be under the loot directory. Possibly the file is accessed by the same means. Sorry, I don't own a lanturtle yet so I'm not sure. I'm hesitant to purchase one for actual engagements because stability and repeatability is key. Having to re-flash 5 times to get it to work doesn't fill me with confidence. Once I have extra cash lying around I'll def get one to play with; but if someone can testify to the stability and reliability of the lanturtle in red team engagements for the quickcreds and any other functionality then i'll grab one right away. Here's to hoping I get a ton of responses about its reliability!! :)
  4. Sorry, I wasn't clear in my post. I'm not referring to using this on any of my pineapples. I meant using poisontap in general according to the prescribed method.
  5. Has anyone gotten the poisontap to work successfully? It appears to function properly when looking at tcpdump on the target; but I never get anything reaching out to the nodejs control server. Also, how does one interact with the nodejs server? Navigating to the server's interface:port give a "sorry unknown url" error.
  6. I have setup the pi zero with responder and it "functions successfully"; but unless your target has the "RNDIS ethernet gadget" driver installed it isn't going to grab any creds. This effectively makes the device useless since almost no targets you will ever come across on a pentest will have this driver installed given the complexity of the driver install (see steps for installation here-> https<colon slash slash>github<dot>com/ev3dev/ev3dev/wiki/Setting-Up-Windows-USB-Ethernet-Networking). With much time wasted on this effort (well, not that much; but still quite a let down) I am hesitant to grab a lanturtle. Seeing many users here unable to grab or keep credentials has me a fair bit gun shy. wasting $5 on a pi zero is one thing; but $50 on a lanturtle that I may have to spend hours or days on getting to work is not something I have the time or patience for. Does this work reliably? Can anyone testify to its usefulness on actual engagements? Thanks to all who reply!
  7. I am having the same issue with ettercap. It starts but once I hit refresh it immediately changes to "ettercap not running". Tried running it on br-lan & eth0.
  8. factory reset and SD format fixed issue, issue resolved (shotgun method)
  9. Ettercap and sslstrip will not install on my MK5. Notifications says they install successfully; but when I go back to the infusion list is says they need to be updated again. I have tried removing and rebooting but no love. Still does the same thing on these 2 infusions.
  10. This script is now failing in Kali. I have tried on 2 separate install that are up to date and get the following error: [*] Generating shellcode No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x86 from the payload Found 0 compatible encoders reverse_powershell_ducky.rb:51:in `gsub': invalid byte sequence in UTF-8 (ArgumentError) from reverse_powershell_ducky.rb:51:in `clean_shellcode' from reverse_powershell_ducky.rb:45:in `shellcode_gen' from reverse_powershell_ducky.rb:90:in `<main>' Any help is greatly appreciated as this is my go to method in testing due to its AV evasion ability Also, would it be possible to have this script accept domain names as well as IP addresses?
  11. WOW, just...WOW man...the new simple-ducky is freaking BEAUTIFUL!!! Amazing work Skysploit; a true inspiration! Way to go and THANK YOU! :D :D
  12. Tried it again and I get the following. It is acting like the shell is there but I cannot interact at all. In fact the shell is acting like it is on the perimeter not the host behind the public IP. I usually see the public IP then the internal host when I use reverse_tcp. In this method I get the shell functioning and on the internal client PC. Does the reverse_https payload require something else? Is it not pulling down the stage? Does this payload behave differently than reverse_tcp? exploit(handler) > exploit -j [*] Exploit running as background job. [*] Starting the payload handler... [*] <Public IP address>:60476 Request received for /JuQL... [*] <Public IP address>:60476 Staging connection for target /JuQL received... [*] Patched user-agent at offset 657384... [*] Patched transport at offset 657044... [*] Patched URL at offset 657112... [*] Patched Expiration Timeout at offset 657868... [*] Patched Communication Timeout at offset 657984... [*] Meterpreter session 1 opened (<IP address>:443 -> <Public IP address>:60476) at 2013-10-04 17:21:11 -0500
  13. I started the 32 bit listener and created the fxsst.dll with a 32bit reverse_https payload. When it runs I get the following on my listening machine: Starting the payload handler... [*] <IP address>:5465 Request received for /JuQL... [*] <IP address>:5465 Staging connection for target /JuQL received... [*] Patched user-agent at offset 657384... [*] Patched transport at offset 657044... [*] Patched URL at offset 657112... [*] Patched Expiration Timeout at offset 657868... [*] Patched Communication Timeout at offset 657984... [*] Meterpreter session 1 opened (<IP address>:443 -> <IP address>:5465) at 2013-10-04 13:47:46 -0500 [-] Failed to load extension: No response was received to the core_loadlib request.
  14. Very nice! I am having issues though. When the powershell command is entered a ton of red text flies by and the window disappears. No shell results. Sorry I don't have more information. Any help and direction is appreciated!
  15. Ok, after further testing this seems to be begin caused by read write errors likely associated with the ducky drive not unmounting correctly. No matter if I dismount from windows explorer or the system tray, it still stays visible and navigable in the windows explorer window. I have told it to dismount from the explorer window and the system tray many times and it always throws up the "safe to remove" balloon; but alas, once I do remove it I get alternating fast and slow red clinking and not drive mount or code execution on the twin duck whenever it is inserted into any client. I have reflashed the firmware to no avail. Is any one else having these SD card corruption/dismount errors? EDIT: putting the "inject.bin" file on the root with 2 other file folders causes this thing to fail. If I remove the inject.bin I am able to mount ducky storage. So with any payload on it the thing totally fails. With no payload the storage will mount. If I have the payload there but named incorrectly then I still have access to the storage. I am only seeing this failure now with the payload on the root of the SD named properly (inject.bin).
  16. I am very interested in this as well. I was looking at scriptjunkie's article "Why Encoding Does not Matter and How Metasploit Generates EXEs" and was wondering how I could implement the c output of my custom shellcode into a custom or pre-existing exe. Any resources and/or advice is greatly appreciated!
  17. scriptjunkie detailed this type of thing in an article on his site called "Why Encoding Does not Matter and How Metasploit Generates EXEs". So, should I attempt to modify an existing exe or is is simpler to create my own for this purpose?
  18. I used msfvenom and it gave me the output of my custom shellcode. How difficult is it to implement that into a custom exe/ exe template that I can use for AV evasion? I have a thread on this started under security if you could shed some light that would be amazing, thanks for all your help! :)
  19. I would like to know if there is a way to generate random exe templates for injecting custom shellcode into; just like msf pro does. Is there a manual way to do this? If not, where can I find the information I will need to write my own? I am not a programmer so this will need to be VERY good instruction for me to be able to follow. I am willing to learn but I am very inexperienced here. I basically need to be able to create my own custom/random exe template then know how to add the custom shellcode into it that is created by msfvenom's output so that it runs. Thanks to all who help!
  20. So, I have to ask. Since you have "I remember" playing on that vid. Do you recognize my avatar?
  21. Beautiful, great work man! I just watched your vid. You have yourself another subscriber.
  22. I am having issues with msfvenom though. Using msfpayload and piping into msfencode worked to create the aforementioned dll but I don't see the options I need in the help of msfvenom.
  23. So to start the handler would I use the following: use exploit/multi/handler set LHOST set LPORT 443 set PAYLOAD windows/windows/x64/meterpreter/reverse_https set ExitOnSession false exploit -j
  24. You are quite right about everything you said. Thank you for your help; you have been a HUGE blessing! :D
  • Create New...