ApacheTech Consultancy

Everything posted by ApacheTech Consultancy

  1. Does that mean you can chain-load scripts together? Your main script:

     DELAY 10000
     REM // Run inject1
     NUM-LOCK
     DELAY 50
     NUM-LOCK
     DELAY 10000
     REM // Run inject2
     CAPS-LOCK
     DELAY 50
     CAPS-LOCK
     DELAY 10000
     REM // Run inject3
     SCROLL-LOCK
     DELAY 50
     SCROLL-LOCK
  2. I've done this an easier way, I think. I've made a small, stealthy C#.NET file which uploads files to my FTP server. It's programmed with lots of try...catch blocks that simply gracefully degrade the program if it comes across any errors at all. I call it Firefox Extinguisher. There are currently four flavours of the program: FFE: Mission Critical - Uploads key3.db, signons.sqlite and cert8.db of all profiles (scans profiles.ini for non-standard installations). FFE: Sidejacker - The same as above, but includes cookies.sqlite, places.sqlite and any bookmark backups. FFE: Clone Wars - Uploads the entirety of any Firefox profile path found. FFE: DEFCON1 - Uploads all Firefox profiles, My Pictures, My Documents and acts as a daemon watching for changes in any Sidejacker files, reuploads any updated files and persists through reboot. The memory footprint is only about 120KB on idle. All versions come with LockSafing, allowing files to be uploaded even if they are currently in use (i.e. if Firefox is open and in use). I know it's slightly on a tangent to the thread, but if you do have any background in programming, or fancy playing around with .NET, it's a relatively simple app to write and a lot easier to run with the Duck, using the wget and execute script.
  3. I've got a question about this firmware. Because it depends on whether the modifier keys are pressed or not (CAPS LOCK, NUM LOCK), does the modifier count against the strings being inputted? For example, with the caps lock LED lit, EVERYTHING i TYPE WILL COME OUT LIKE THIS even though I'm typing like this. Does the Duck work on ASCII codes or keymaps to "type"? Similarly, on my laptop, if I type with NUM LOCK turned on, 5t c60es 64t 36625ng 352e th5s, when I'm typing like this. Because of this, I never turn num lock on on my laptop. On my desktop, however, num lock is never turned off.
  4. The Duck hasn't been mentioned in the comments though... yet.
  5. Ahh, you mean on a domain network. If it's a standalone computer, you don't have that problem. Can you, though, copy the program, with any dependencies needed, to a suitable location and use it from there, setting the environment path if needed? I know you can do that with a few escalated-privilege programs. It just depends if it's the program itself, or the directory it runs in by default, that is secured by the UAC. Or, test if you can run cmd as Admin and run it from the command line. Depending on group policies, this may be an option. Either way, the first move would be a bit of SE to find out what rights the user actually has and how far you can push the boundaries without breaking the inherent trust... then use the Duck for those parts. Obviously, any admin password protected areas couldn't be used, but if you can piggyback the command into a batch file that automatically gets run as admin... Or, use the utilman (WindowsGate, etc.) backdoor to run stuff as SYSTEM.
  6. What about just getting round any UAC with the Duck?

     LEFT ARROW
     DELAY 500
     ENTER

     The UAC's inherent trust that there is someone at the computer typing is one of the flaws that the Duck was designed to bypass.
  7. Yeah, you'd lose most of the overall gain through the time taken mounting the RAMDISK. However, for computationally expensive scripts, it would increase its gain the longer the script was running for. Anything that runs iterations, such as a bruteforcer, would benefit, as once the ramdisk is mounted it would pick up speed. EDIT: Thinking about it, a ramdisk would mean a traceless attack. No bytes are written to the disk and the machine's own memory would be left untouched, bar the mountings.
  8. Is there any way to use the card itself as a form of RAMDISK, which could extend its performance ratios? I know it would only be an artificial speed increase, so far as benchmarking goes, but it may decrease latency a bit.
  9. Dependent on circumstance: Hack the Gibson! Add a couple of 0's to your print credit reference in the database. As said above, dump every password file you can find. Run Metasploit with full admin rights. Change AD group or user policies. Find a user that hardly ever logs on, change their password and then give them Admin rights. Leave a backdoor. Hack naked!
  10. If it's possible to make a 4 kilobyte partition, you could section off that partition for the inject.bin and the rest for "Essential Applications". Then TrueCrypt the entire drive with the dual password method shown on the show a few seasons back. One password can be known publicly, or at least safely, to show the DuckyScript partition and the other would unlock the entire drive. So far as Mr Official knows, you have a four kilobyte SD card with a single file on it which cannot be run by anything and doesn't seem to do anything. It's only the name that's suspicious. I'd like a stealthduck firmware which allows you to rename the inject.bin as something inconspicuous like memtest.bin or bootmgr.bin. Something easily overlooked. Or one that lets you flash the inject.bin to the ROM alongside the firmware so that it can be run with no card.
  11. Isn't the new firmware 155Kbps rather than 80Kbps? Or did I just dream reading that somewhere?
  12. One thing that a lot of people don't realise is that 127.0.0.1 is only one address in a range of addresses that can be used as a loopback address. If you have XAMPP or anything you can call localhost to, try typing in 127.0.0.254, or any number from 1-254 in the last octet. It will yield the same result as 127.0.0.1. :D Some exploits ...erm... exploit this fact by referring to 127.0.0.x with a random value from 2-254 to remain unseen by docile AVs and poorly tuned firewalls that only scan the default 127.0.0.1.
  13. It's the Duck that should be naked; i.e. with no cover on it, just the board. For you, clothing is optional at best. Just thought I should clarify that bit. Winners Hack Naked!
  14. First of all, uninstall any USB Mass Storage and other USB devices you do not recognise. Choose the "Display Hidden Devices" option. If you've flashed the Duck, also uninstall any Atmel drivers. I mean here to Uninstall them, not just Disable them. There are freeware programs which will uninstall any non-essential and non-breaking drivers which are not currently attached or running on the computer. Next, run the SD card in a card reader to make sure that works. Move any essential files on it to a temporary directory and format the drive in FAT32. Do this even if it has been recently formatted; we're going for a totally fresh install of the Duck. Now, place the Duck, naked, in the PC with no SD card. Hopefully lights should appear and Windows should try to install new drivers for it. If you see any red lights, we know it's working to here and all is good. Next, try it with the freshly formatted SD card. Again, red lights are good. If there are no red lights, try following the Reflashing guide here: http://forums.hak5.org/index.php?/topic/28254-tutorial-re-flashingupgrading-the-ducky-winxp-32bit/ with your ROM of choice available from the repository here: http://code.google.com/p/ducky-decode/downloads/list Once all this has failed, then we can start to talk about it being broken.
  15. I bought my USB-RD about three or four weeks ago now and it came complete with a little purple rubber duck. There's no hole in its arse for the USB, and it doesn't squeak when you squeeze it, but it's still a nice little toy. :) There have been incidents (me included) where the 256MB SD Card which comes with the USB-RD doesn't work. In this case, small cards are available very cheaply from many different outlets. Just make sure any card you use is formatted as FAT32 or VFAT. The SD Card only relies on having an inject.bin file in its root directory. Other than that, the card can have any amount of extra files and can even be formatted as a bootable drive. I'm currently using a 32GB SD Card with a BackTrack 5 Live CD on it, using Yumi. I'm using the TwinDuck Firmware. The USB-RD does not come with any software, compilers or payloads, but it does have a reference card showing the syntax for DuckyScript, and sample payloads are available on these forums. Welcome to DuckClub. Please obey the rules of DuckClub. ;)
  16. Is this much different than using "at"? Thank you by the way, this is pretty much perfect for my "FireFox Extinguisher" payload, if it works the way I think it does.
  17. I've found a much better video than the one above which explains subnetting in the most wonderfully simple way. I don't think you can get a more definitive, concise guide than this:
  18. I suspect somebody made him a bet... He managed to explain in very convoluted terms, what subnetting is and what subnet masks are, without ever using the word "binary". *strokes beard* The first half is pretty good, but the subnetting part isn't explained very well at all.
  19. Thank you. I thought that was the case, but my brain wouldn't work out the maths. I'm still trying to master subnetting. I understand all the binary logic and binary arithmetic that goes with it; it's just the networking logistics that I'm having trouble with. On a /26, would you need 4 routers to allocate DHCP addresses properly? Without using VLANs, of course. Or would a single router on .1 be able to allocate to all depending on the switch? EDIT: Oh, and while I'm on a roll, is it better to split via hardware VLANs or software subnets?
  20. Depending on the source, a lot of JavaScript coders are lazy and simply MD5 their MD5 hashes. They're harder, but not impossible to rainbow. It's very bad practice to do so.
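As an added example (not code from the post above or from any project it mentions) of why chaining MD5 over MD5 gains nothing against a precomputed attack: the scheme is deterministic and unsalted, so one table keyed by md5(md5(word)) cracks every leaked hash at once. The wordlist and the "leaked" hashes are constructed here; the salted PBKDF2 alternative is shown only as a contrast.

```python
"""Double MD5 versus a salted, iterated hash.

Added example for illustration; WORDLIST and the leaked hashes below are
constructed, not taken from any real breach.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "duckduck"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def double_md5(password: str) -> str:
    """The 'MD5 their MD5 hashes' scheme: hex digest fed straight back into MD5."""
    return md5_hex(md5_hex(password.encode()).encode())


def build_table(words, scheme):
    """Rainbow-table stand-in: precompute hash -> word once for a given scheme.

    Nothing in double_md5 depends on the user, so this single table serves
    every account in a dump; that is the whole weakness.
    """
    return {scheme(w): w for w in words}


def crack_all(leaked_hashes, table):
    """Look each leaked hash up in the precomputed table (None = not found)."""
    return {h: table.get(h) for h in leaked_hashes}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Contrast: PBKDF2-HMAC-SHA256 from the standard library with a per-user
    salt. The same password hashes differently for each salt, so a table
    built for one user is useless against the next, and each guess costs
    `iterations` HMAC calls instead of two MD5 calls.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_salt() -> bytes:
    return os.urandom(16)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    leaked = [double_md5("hunter2"), double_md5("letmein"), double_md5("correct horse")]
    table = build_table(WORDLIST, double_md5)
    for h, word in crack_all(leaked, table).items():
        print(h, "->", word)
```

Run stand-alone it prints the two dictionary words recovered from their double-MD5 digests and `None` for the passphrase that was not in the list; the table cost the same to build as for single MD5, which is the point.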
  21. A couple of questions about subnetting and DHCP. 1. When splitting a Class C network into subnets, do you create extra broadcast and listen addresses? For instance, does a /25 network have listen addresses at .0 and .128 and broadcast addresses at .127 and .255? Likewise, a /26 network would have listen addresses at .0, .64, .128 and .192 and broadcast addresses at .63, .127, .191 and .255? 1a. If so (or even if not), are there any overheads to consider when subnetting a Class C network? 2. The dreaded case of printers getting caught in the DHCP pool. A simple question: when statically allocating printers on a subnet, is it better to place them at the end of the subnet stack and limit the DHCP pool to that point, or keep them at the beginning of the subnet stack and shift the beginning of the DHCP pool? I've been told both in the past and I suppose it's a matter of taste, but are there any best practices on the subject?
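An added worked example (not from the posts above) for the subnetting and DHCP questions in items 19 and 21: it splits a /24 into /25 or /26 subnets and reports each subnet's network, usable range and broadcast address, then carves the largest contiguous DHCP pool around a gateway and a set of statically addressed printers. The 192.168.10.0/24 block, the gateway-on-first-usable convention and the printer addresses are assumptions made for the example.

```python
"""Subnet splitting and DHCP pool carving with the standard library.

Added example; the address block and printer addresses are made up.
"""
import ipaddress


def split(block: str, new_prefix: int):
    """Split `block` into /new_prefix subnets.

    Returns one tuple per subnet:
    (network, first usable, last usable, broadcast, usable host count).
    Each subnet spends two addresses on network and broadcast, which is
    the overhead item 21 asks about.
    """
    net = ipaddress.ip_network(block)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast
        rows.append((str(sub.network_address), str(hosts[0]), str(hosts[-1]),
                     str(sub.broadcast_address), len(hosts)))
    return rows


def total_usable(block: str, new_prefix: int) -> int:
    """Usable addresses left after splitting, to compare against the unsplit block."""
    return sum(r[4] for r in split(block, new_prefix))


def dhcp_pool(subnet: str, reserved, gateway_first: bool = True):
    """Largest contiguous run of usable addresses that avoids the gateway and
    every statically reserved address. Returns (start, end, size).

    Assumption: the router sits on the first usable address (.1) unless
    gateway_first is False, in which case it takes the last usable one.
    """
    sub = ipaddress.ip_network(subnet)
    hosts = list(sub.hosts())
    blocked = {ipaddress.ip_address(a) for a in reserved}
    blocked.add(hosts[0] if gateway_first else hosts[-1])
    best = (None, None, 0)
    run = []
    for h in hosts + [None]:            # sentinel flushes the final run
        if h is not None and h not in blocked:
            run.append(h)
            continue
        if len(run) > best[2]:
            best = (str(run[0]), str(run[-1]), len(run))
        run = []
    return best


if __name__ == "__main__":
    for prefix in (25, 26):
        print(f"/{prefix}: {total_usable('192.168.10.0/24', prefix)} usable")
        for row in split("192.168.10.0/24", prefix):
            print("  net %s  hosts %s-%s  bcast %s  (%d)" % row)
    # Printers at the top of the first /26 versus scattered in the middle.
    print(dhcp_pool("192.168.10.0/26", ["192.168.10.60", "192.168.10.61", "192.168.10.62"]))
    print(dhcp_pool("192.168.10.0/26", ["192.168.10.30", "192.168.10.31"]))
```

The output confirms the addresses guessed in item 21 (a /26 split has network addresses at .0, .64, .128, .192 and broadcasts at .63, .127, .191, .255) and shows the cost: 254 usable hosts in the /24 become 252 across two /25s and 248 across four /26s. For the printer question, parking the static addresses at either end of the subnet leaves a single pool of the same size; putting them in the middle is what fragments the pool, which is the practical reason for the "end of the stack" convention.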
  22. You could use the wget download script to download a RickRoll wav and save it as "Windows Logon Sound.wav" in the appropriate folder. :p @Protocol. Ahh, I did not know that. I've uninstalled IE and every other browser. :p
  23. Also, in Firefox, pressing Ctrl+L takes you to the location bar, with all the current text selected.
  24. You could indeed. :D Or even use the MultiDuck to deploy different prefixes based on keyboard LEDs. :D
  25. 0.0.0.0 is used in a few different ways; but first of all, it may be important to understand what 127.0.0.1 is. 127.0.0.1 is a loopback IP address to the computer's own NIC. It's the address you use when you want to contact yourself. It is important to have this ability so that networkable components do not fail automatically when used on a stand-alone computer. It is often known as localhost. Locally hosted TCP/UDP/HTTP/FTP or any other network or transport layer protocols (which use routed packets rather than frames) will use this address. When on a LAN, 127.0.0.1 works in much the same way as connecting to your own allocated local IP address, say 192.168.1.254. The key difference, though, is that when connecting to 127.0.0.1 the traffic never touches the LAN, as it would when connecting to 192.168.1.254.

      0.0.0.0 can be seen initially as a default IP address. It is the IP that is used by a computer that has not yet been allocated an IP by a DHCP server, but is associated with a network. It is also the address that a computer uses if a DHCP allocation fails. In this case it is used as a fallback, or a promise of an IP in the future. Because 0.0.0.0 is an unroutable address, multiple computers can have the same IP and will receive broadcast and probe packets, but they do not yet have a place on the network.

      The other way in which 0.0.0.0 is used is as a mask to mean "any IPv4 address". This is essentially a blanket "listen" request for all IPs. Think of it as an inbound version of 255.255.255.255.
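An added example (not from the posts above) tying together items 12 and 25: a small audit over listening-socket lines that classifies each local address as loopback, all-interfaces (the 0.0.0.0 / :: wildcard) or a specific interface, using the whole 127.0.0.0/8 block rather than the literal string "127.0.0.1" that item 12 says lazy filters match on. The netstat-style lines are constructed for illustration, and the IPv4-mapped IPv6 form is included because it is another way a loopback address can hide from a string comparison.

```python
"""Classify socket endpoints by the address class a reviewer cares about.

Added example; SAMPLE_SOCKETS is constructed in the style of `netstat -an`
output and was not captured from a real host.
"""
import ipaddress

SAMPLE_SOCKETS = [
    "127.0.0.1:8080 LISTEN",
    "127.0.0.254:4444 LISTEN",          # still loopback, misses a '== 127.0.0.1' rule
    "127.13.37.1:31337 LISTEN",         # anything in 127.0.0.0/8 is loopback
    "0.0.0.0:22 LISTEN",                # wildcard: reachable on every interface
    "192.168.1.254:445 LISTEN",
    "[::1]:5432 LISTEN",                # IPv6 loopback
    "[::ffff:127.0.0.5]:9000 LISTEN",   # IPv4 loopback wrapped in an IPv6 literal
    "[::]:80 LISTEN",                   # IPv6 wildcard
]


def naive_is_local(addr: str) -> bool:
    """The check item 12 warns about: only the textbook address counts."""
    return addr == "127.0.0.1"


def parse_endpoint(line: str):
    """Split 'host:port STATE', handling bracketed IPv6 literals."""
    endpoint, state = line.split(maxsplit=1)
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port), state


def classify(host: str) -> str:
    """Map an address literal to loopback / all-interfaces / specific-interface.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so a
    loopback hidden inside an IPv6 literal is still recognised.
    """
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified:      # 0.0.0.0 or ::  -> bound on every interface
        return "all-interfaces"
    if ip.is_loopback:         # any of 127.0.0.0/8, or ::1
        return "loopback"
    return "specific-interface"


def audit(lines):
    """(host, port, class, naive verdict) for every line."""
    out = []
    for line in lines:
        host, port, _ = parse_endpoint(line)
        out.append((host, port, classify(host), naive_is_local(host)))
    return out


def missed_by_naive_check(lines):
    """Loopback-only listeners that the '== 127.0.0.1' rule would report as non-local."""
    return [(h, p) for h, p, cls, naive in audit(lines) if cls == "loopback" and not naive]


def exposed_listeners(lines):
    """Listeners reachable from the network: wildcard or a real interface address."""
    return [(h, p) for h, p, cls, _ in audit(lines) if cls != "loopback"]


if __name__ == "__main__":
    for row in audit(SAMPLE_SOCKETS):
        print("%-22s %6d  %-18s naive_local=%s" % row)
    print("missed by naive check:", missed_by_naive_check(SAMPLE_SOCKETS))
    print("network-exposed:", exposed_listeners(SAMPLE_SOCKETS))
```

Two caveats worth knowing before relying on item 12's trick in practice: Linux and Windows route the whole 127.0.0.0/8 block to the loopback interface, but macOS only configures 127.0.0.1 on lo0 by default, so 127.0.0.254 needs an alias there; and a service bound specifically to 127.0.0.1 does not answer on 127.0.0.254, only one bound to the wildcard (0.0.0.0) or to that exact address does. The classifier above is the right shape for a firewall or log rule either way, because it reasons about the address block instead of the string.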