no42

Dedicated Members
  • Posts: 925
  • Days Won: 17

Everything posted by no42

  1. Is it a Windows 8 thing? Been using twinduck for months now with no problems. Could be a timing issue? I'm guessing you used the UAC bypass/acceptance "alt-y" to get the admin cmd.exe, so it initially looks like a sticky 'y' - very strange. Try tweaking your timings? Throw in an extra "enter" between the "alt y" and the "string for ...".
  2. It's good that you've worked out that you need to tweak the timings, but just to check, what firmware are you using, stock or community?
  3. The arrogance and idiocy goes both ways. I was pentesting within a large company the other week, and the IT manager was simply just rude. Always cracking jokes, that we build pig-pens, dog-houses, baby-pens. That we can't do our job when our pens run out of ink. That same sadist even farted on purpose in the direction of our faces as he got up to go to the water cooler. I think the worst thing was he was encouraging the other system admins and technical support teams to join in on the fun/abuse. It became a very hostile environment quite quickly. Help and support disappeared virtually straight away, and it became very hard to do a thorough test in the limited time available. When it came to requiring credentials for patch checking, none were handed over... the response: "go find a post-it with someone's password on - hahaha". Our test scope only had permission for VA and build reviews; we were specifically told NO EXPLOITATION, which is usually a big part of pen testing to demonstrate risk. In the end we found some admin accounts with weak passwords (antivirus:antivirus), but as soon as they discovered we had found a high-permission account they would disable the account and change the password. The assessment was getting very frustrating. But we did manage to severely own them in the end ;) - using the IT manager's admin-all-keys-to-the-kingdom account and weak password (6 character password, no special or numerics) (obtained from shoulder surfing!). Turns out the password was his wife's name. The problem with pen testing and corporate IT is that corporate IT departments no longer want penetration tests, in fear of highlighting issues they need to fix. IT departments have gotten lazy; pen testing has now become VA (Vulnerability Assessments) with limited scope and support, limited time due to limited budgets (or just penny pinching from financial managers).
I do not know if this is down to dumb IT managers that have been promoted or sidestepped into that role to prevent them doing further damage to the company, or simply because the upper management can't fire them. I find a lot of bad IT managers are only there because of the "Peter Principle". As to getting frustrated about companies not fixing issues, I can see where pen testers feel the pain. I was at an organisation 3 years ago that got badly owned through their website. The pentest highlighted the way the attackers got in, and the report laid out all recommendations to fix the holes. The company also paid for security consultancy and training to help the development and technical teams think more about security. A new system was developed, and it looked like the company was moving forward in the right direction. Lo and behold, the following year they got owned again. Investigation took place and no changes had been made from the previous year. By this point I was friendly with the developers and asked them what happened? Their response: "the board would not sign off on our changes". I was furious - all that hard work for nothing. But what I was feeling was nothing compared to the development and technical team; they realised that no matter what they did, their actions would always be blocked/prevented by someone else; they lost all love and pride for their work, slowly became lazy and uninterested in their jobs. The best ones eventually moved into other companies, for better challenges and working environment; the ones that had simply given up are still there to this day. And YES, 3 years on and they are still vulnerable to the same vulnerabilities, and they still get owned once/twice a year (you would think it would be more!); every 6 months I'm called in to attempt to perform a clean up - very frustrating! Overall, we're a Team!
IT geeks need pentesters to highlight problems in their environments so that they can fight for extra resources to fix the problems; no one wants to be pwned! IT geeks can learn tricks/new skills from pentesters, and more importantly vice-versa! IT geeks can supply pentesters with interesting bugs and crash dumps that can become the next 0-days, or even the name and version of products they're using so pentesters can undertake research. Pentesters should fight and support the IT geeks (like the way Tron fights for the Users!), in the same way IT geeks need to support and fight for the Pentesters!
  4. 1. Type it into a text file, using your favourite editor: nano, vi, notepad, notepad++.
     2. Save as a txt file, eg. payload.txt
     3. Run the file through the encoder to generate a new inject.bin, eg.
        java -jar encoder.jar -i payload.txt -o /path/to/sdcard/inject.bin
     4. Put the sdcard into the ducky.
     5. Put the ducky into the computer.
     The ducky reads the inject.bin file for instructions; the plain-text language above is the high-level programming language called Ducky-Script.
  5. The payloads are already out there, why can't you just piece them all together, or use the detour-duck to trigger different payloads? You will actually learn more, and benefit more, from doing this yourself. Would you not feel better, and feel that you've accomplished something, if you do the science project on your own rather than getting someone else to do the hard work! There are no short cuts in life!
  6. In comparison, the max speed of the Ducky is 150Kbits/sec (MMC speed); a fast SDIO license & software can reach 4MB/sec (27x faster), a fast USB Drive can achieve approx. 14MB/sec (96x faster). SDIO licenses are expensive $$$, unless a 3-letter acronym company would like to sponsor the Ducky!
  7. Of course, just look at the Ducky_Hard_Coded source example in the SVN. You need Windows, Atmel Studio (5/6, not 6.1!), and you need to compile the firmware each time you want to make a change!
  8. Think it's cross-compile or make it yourself. Ref: https://forum.openwrt.org/viewtopic.php?id=21468
  9. Buy your own 4G/3G dongle or tether your phone (data plan permitting).
  10. Sounds like you're asking about stagers - notice the "staged" keyword in brackets at the end.
      windows/shell/bind_ipv6_tcp      Listen for a connection over IPv6, Spawn a piped command shell (staged)
      windows/shell/bind_nonx_tcp      Listen for a connection (No NX), Spawn a piped command shell (staged)
      windows/shell/bind_tcp           Listen for a connection, Spawn a piped command shell (staged)
      windows/shell/find_tag           Use an established connection, Spawn a piped command shell (staged)
      windows/shell/reverse_http       Tunnel communication over HTTP, Spawn a piped command shell (staged)
      windows/shell/reverse_ipv6_http  Tunnel communication over HTTP and IPv6, Spawn a piped command shell (staged)
      windows/shell/reverse_ipv6_tcp   Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
      windows/shell/reverse_nonx_tcp   Connect back to the attacker (No NX), Spawn a piped command shell (staged)
      windows/shell/reverse_ord_tcp    Connect back to the attacker, Spawn a piped command shell (staged)
      windows/shell/reverse_tcp        Connect back to the attacker, Spawn a piped command shell (staged)
      Basically, the shellcode in the exploit is a simple reverse connect, download & execute, which generally AVs will allow as it appears non-malicious. The shellcode it downloads from your metasploit instance is the malicious part that contains the body of the main exploit. Once this has finished downloading into memory, the shellcode will execute this new code, triggering the exploit. As this doesn't touch the disk, some fairly rubbish AV configurations won't flag/discover the exploit code. If however you use a high end product like McAfee with "Memory On-Access Scanning" capabilities, this exploit will still be detected! Check out corelancoder's website on generating shellcode if you wish to learn more, as a start: https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
  11. Just installed Kali 1.0.3 (32bit) in a VM and got it working with the following instructions ( [ ] denote manual actions):
      apt-get update
      apt-get install cmake libusb-1.0.0-dev pkg-config build-essential libnl-dev libncurses-dev libpcap-dev libcap-dev
      wget http://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz
      [manually download libbtbb version 2012-10-R3, and ubertooth 2012-10-R1 from respective source forge repository]
      [extract libbtbb]
      cd libbtbb-2012-10-R3
      make; make install
      cd ..
      [extract ubertooth (tar -xJf ubertooth*.xz)]
      cd ubertooth-2012-10-R1/host/
      make; make install
      cd ..
      cd kismet-2011-03-R2
      ln -s ../ubertooth-2012-10-R1/host/kismet/plugin-ubertooth ./
      ./configure
      make && make plugins
      make install && make plugins-install
      [Add "pcapbtbb" to the "logtypes=..." line in kismet.conf]
      kismet -c ubertooth
      [ubertooth failed to start, so I then enabled the plugin manually... shift-~, Kismet, move down to plugins, select plugins, enter, highlight ubertooth, space, tab, tab, enter]
      Then it was all working!
  12. First try "apt-get remove kismet", which should remove the repository one. Then try "which kismet", as you might have a manually installed/compiled one within '/usr/local' or another subdirectory. I was using Ubuntu 12.04 with the instructions above (#4) and it worked fine for me.
  13. Find and download the Encoder.jar (there's one on the ducky-decode website (see my signature) within the downloads section - I recommend version 2.6). You will need to have Java 1.7 installed: http://java.com/en/download/index.jsp
      Head over to the github payloads section or https://github.com/hak5darren/USB-Rubber-Ducky/wiki/My-first-payload
      Copy a payload into a text file, eg. payload1.txt
      Use the encoder to generate an inject.bin:
        java -jar encoder.jar -i payload1.txt -o inject.bin
      Copy the inject.bin into the root of the sdcard.
      Put the sdcard into the ducky, the ducky into your computer.
      Watch the payload launch.
  14. Right, the code is definitely "03 82"; however, it's being transmitted on a second endpoint. It's going to take a bit of time and analysis to figure out how this endpoint is set up; it also means a firmware modification and a possible subsequent encoder mod (so the ducky knows it needs to swap endpoints). What is an endpoint? Think of it as a port or communication channel; you define EndPoints (EP) for different applications or communication flows: 1xEP = Keyboard (Ducky.hex), 2xEP = Keyboard & Mass Storage (Twin Ducky uses this!)
  15. OK, the raw data for the sleep code is "03 82", but can you sniff the entire conversation... start sniffer, insert keyboard, push A (5x), then sleep (3x), then stop the sniffer - just want to check the HID report packets (these contain the Page number etc). Thanks Snake
  16. Macbook Pros appear to be popular these days. Really depends on your requirements:
      What size laptop are you willing to use?
      What weight laptop are you willing to carry around?
      Operating System preferences?
      Will you be running virtual machines?
      Will you use it to play movies (DVD/Blu-ray)?
      Will you be playing network games, eg. Call of Duty etc.?
      Basic spec:
      i5/i7 core processor 2.3GHz+
      8GB RAM minimum
      ~500GB SSD (Solid State Drive) HDD
      Built in Wifi & Bluetooth
      Nvidia Geforce Graphics Card (but you may be limited to an Intel HD on your budget)
      USB 3 ports (but if you're using virtual machines you probably want some USB 2 ports as well)
      DVD/Blu-ray player for movies on the go?
  17. You forgot Drozer (previously known as Mercury), for assessing Android applications and finding security issues like injection, default passwords, weak crypto: https://labs.mwrinfosecurity.com/tools/drozer/
  18. Red vs Blue

      I don't know about simulations but here are some tips:

      Red Team

      Before Start of Play
        • Who will be the team organizer? The team organizer documents the networks, system names, OS versions, IP addresses, open ports, passwords, and updates configuration changes for everyone to see (such as on a whiteboard); helps to prioritize tasks; ensures that no systems are forgotten; monitors the functioning of the fictional production application(s) and otherwise maintains the "big picture" and a calm head while others are absorbed in the details and chaos of gameplay.
        • Exactly which port numbers must be available on which systems for the scorebot? Try DoS attacks on these.
        • How will the scorebot confirm that your other target application(s) are still running? Don't block the scorebot.
        • Which target systems are running the most vulnerable operating systems and/or services (such as IIS, RPC, SMB, and/or older unpatched software versions with known exploits)? Important to prioritize.
        • What special tools will be available? Nmap, Nessus, Metasploit? Best to ask.
        • Does everyone on the team know how to view live ports and established sessions?
        • Does everyone know how to reset a password from the command line?
        • Does everyone know how to escalate privileges on different architectures?
        • Compile a list of default passwords (eg. the ones on your system; the opposing team may forget to change these).
        • Who are you permitted to ask for help if necessary? What can or can't they do for you?

      When Play Begins
        • Full TCP & UDP portscans.
        • Perform service enumeration and software version enumeration on open ports.
        • Interrogate each open port manually with netcat.
        • Don't add new accounts; stay stealthy and use compromised accounts.
        • Don't upload common files that trip Anti-Virus alerts (e.g. Cain and Abel).
        • Dump local hashes.
        • Dump domain hashes.
        • Dump LSA secrets (Windows).
        • Dump cached passwords (Windows).
        • Snarf session tokens (Windows).
        • Finally, focus on your plan and don't panic!

      Blue Team

      Before Start of Play
        • Who will be the team organizer? The team organizer documents the networks, system names, OS versions, IP addresses, open ports, passwords, and updates configuration changes for everyone to see (such as on a whiteboard); helps to prioritize tasks; ensures that no systems are forgotten; reminds players to periodically check for compromise; monitors the functioning of the fictional production application(s) and otherwise maintains the "big picture" and a calm head while others are absorbed in the details and chaos of gameplay.
        • Exactly which port numbers must be available on which systems for the scorebot? Can't block these.
        • How will the scorebot confirm that your other target applications are still running? Don't block the scorebot.
        • Which target systems are running the most vulnerable operating systems and/or services (such as IIS, RPC, SMB, and/or older unpatched software versions with known exploits)? Important to prioritize.
        • What special tools will be available? Process Explorer? WireShark? Tripwire? PowerShell? Best to ask.
        • Does everyone on the team know how to view listening ports and established sessions?
        • Does everyone know how to reset a password from the command line?
        • Does everyone know how to kill a process?
        • Does everyone know how to configure IPSec, the Windows Firewall and/or iptables for packet filtering?
        • Who are you permitted to ask for help if necessary? What can or can't they do for you?

      When Play Begins
        • Block all non-scorebot-required ports on all systems using IPSec/Windows Firewall/iptables.
        • Assign a different 15+ character long passphrase to every administrative account on every system.
        • Change all default application and service passwords to a different 15+ character passphrase.
        • Remove all accounts from all administrative groups on each system except for one.
        • Delete or disable all user accounts, including Guest, except for the one administrative account on each system.
        • Establish a baseline by saving lists of your current processes, listening ports, services, device drivers, user accounts, and all files ("dir /s /b" or "ls -lARt") to text files on each machine. If possible, generate a checksum database using a tool like Tripwire (or just md5sum). Use this information to detect compromise.
        • Enable useful audit policies, clear all logs, and keep Event Viewer open (Windows) or "tail -f" critical log files (Linux). When you look at a log, if you notice that the only new events are of no security consequence, clear that log to reduce clutter during the games (it's not real life).
        • Continuously watch your list of established sessions, running processes, target applications and logs to try to detect malicious changes. Write scripts or use command history (up-arrow or F7) to help automate this work.
        • Detect changes and respond: kill offensive processes, delete new user accounts, delete new binaries, etc.
        • Finally, focus on your plan and don't panic!
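The blue-team "save lists to text files, then detect changes" advice above, as an added sh example that is not from the original post. Any one-item-per-line command works as a collector (ss -lntu for ports, ps -eo user,comm for processes, cut -d: -f1 /etc/passwd for accounts); BASELINE_DIR and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the blue-team "save lists ... to text
# files, then detect changes" advice as a small sh baseline kit.  BASELINE_DIR and
# the function names are this example's own choices.
#
# A collector is any command printing one item per line, for instance
#   ss -lntu                  listening ports
#   ps -eo user,comm          running processes
#   cut -d: -f1 /etc/passwd   local accounts
# so one baseline/check pair covers the post's whole list; files use manifest below.

BASELINE_DIR=${BASELINE_DIR:-./baseline}

# File manifest "md5  path" for every regular file under $1 (md5sum as in the
# post; sha256sum is the better choice where available).
manifest() {
    find "$1" -type f -exec md5sum {} + 2>/dev/null
}

# baseline NAME COLLECTOR [ARGS...]: record the collector's current output.
baseline() {
    name=$1; shift
    mkdir -p "$BASELINE_DIR"
    "$@" > "$BASELINE_DIR/$name.txt"
}

# check NAME COLLECTOR [ARGS...]: re-run the collector and print each line that
# is new ("+ ...") or gone ("- ...") relative to the baseline.  A modified file
# appears as a "-" line (old hash) plus a "+" line (new hash).  Returns 0 when
# nothing changed, 1 otherwise, so it can drive a watch loop or a response step.
check() {
    name=$1; shift
    now=$(mktemp)
    "$@" | sort > "$now"                           # comm needs sorted input
    sort "$BASELINE_DIR/$name.txt" > "$now.base"
    added=$(comm -13 "$now.base" "$now" | sed 's/^/+ /')
    removed=$(comm -23 "$now.base" "$now" | sed 's/^/- /')
    rm -f "$now" "$now.base"
    if [ -z "$added$removed" ]; then return 0; fi
    printf '%s\n' "$added" "$removed" | sed '/^$/d'
    return 1
}

# Demo on a throwaway tree:  sh baseline.sh demo
demo() {
    d=$(mktemp -d); BASELINE_DIR=$d/baseline
    mkdir "$d/tree"; echo original > "$d/tree/app.conf"
    baseline files manifest "$d/tree"
    echo tampered > "$d/tree/app.conf"; echo x > "$d/tree/dropped.bin"
    check files manifest "$d/tree" || echo "files: change detected"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run `baseline` for each collector once the system is locked down, then call `check` from a loop (or a cron job) and treat a non-zero exit as the cue to investigate.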
  19. Windows: USBlyzer, Busdog. Linux: Wireshark (yes, it has USB support in the later versions, >libpcap-1.0.0).
  20. Its own forum would be handy. I've been playing with the übertooth recently.
  21. Honestly, no idea? That's why I break out the USB sniffer to find out; but all my keyboards are standard 102/104 - no media keys.
  22. If you have those keys on a USB keyboard, it's easy to use a USB sniffer to capture those keys - then we can look at reversing them and getting them functional within the Ducky code.
  23. It might depend on the keyboard, if you have power keys; this will then be dependent on a VID and PID combination. I don't have one of these special keyboards, and can't comment. If Dnucna is still on here, maybe he can answer the question, as he built that original keyboard.properties file.