M47H3W, posted April 10, 2015

Hello, I just have a few questions about using a reverse shell payload with the Rubber Ducky. Since I am not familiar with PowerShell, I will be using the reverse shell code from ducktoolkit.com. My questions:

1. If the user restarts their computer, will the reverse shell still work? If not, how can I make it still work after a reboot?
2. Is it detected by any antivirus?
Xcellerator, posted April 10, 2015

1. Afraid not. What you're after is persistence. There is a huge myriad of ways to gain persistence, though, once you have a shell. I'd suggest reading through this: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394. It covers what are probably the easiest ways to keep persistence going.

2. Unfortunately, a binary like this will probably be detected by most antivirus. The VirusTotal report currently says that 25/57 AV vendors will recognise it as malicious. Report: https://www.virustotal.com/en/file/413d54659bc768f8df22344db3aa2164e98096f367cc7baa41f8f748c0fede21/analysis/1428692100/, so it doesn't look so good...

A general thing to keep in mind is that if you write your own binary, or even generate one from Metasploit (not a Meterpreter executable, they're always picked up), you stand a much better chance of not being detected. Just don't upload them all to VirusTotal; that just increases the chance of detection. (It didn't matter in this case because it's already heavily detected.)
illwill, posted April 29, 2015

I made the reverse shell like 9 years ago. It was packed using MEW, so a lot of AVs detected it because of that. If you want to use a different packer and add some changes to have it add itself to the registry for persistence, the source can be found here: https://github.com/xillwillx/MiniReverse_Shell_With_Parameters
s1tl, posted May 4, 2015

Why not just schedule a task with the Ducky to call home at set times? There are a ton of very simple programs to do reverse shells with varying levels of encryption/obfuscation that you could put in a place like %appdata% that would be easy enough to hide. https://technet.microsoft.com/en-us/library/cc772785(v=ws.10).aspx
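Added example, not code from any poster in this thread: the scheduled-task persistence s1tl describes (a user-level schtasks entry whose action lives under %APPDATA%), shown next to the audit a defender would run to find such an entry, with the same path check applied to the HKCU Run keys that illwill's registry approach would touch. The task name UpdateCheck, the path %APPDATA%\svc\callhome.exe and the 09:00 trigger are assumed placeholders; the schtasks line is shown as the text a keystroke payload would type and is not executed by the script.

```powershell
# Added example (not from the thread). Assumed placeholders: task name,
# binary path and trigger time. Runs on Windows 8 / Server 2012 or later
# (needs the ScheduledTasks module for Get-ScheduledTask).

$TaskName = 'UpdateCheck'                              # assumption
$Binary   = Join-Path $env:APPDATA 'svc\callhome.exe'  # assumption

# 1. What s1tl proposes, as the one line a Ducky payload would type. No admin
#    rights are needed: schtasks creates the task under the current user and it
#    fires daily at 09:00 regardless of reboots in between. Kept as a string
#    here so that running this script does not create the task.
$DuckyLine = "schtasks /Create /F /SC DAILY /ST 09:00 /TN $TaskName /TR `"$Binary`""

# 2. Defender side: flag any scheduled task whose action resolves into a
#    user-writable profile directory. Legitimate installers can land there too,
#    so the output is a review list, not a verdict.
$UserRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim('"')
    foreach ($root in $UserRoots) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Find-SuspiciousTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # MSFT_TaskExecAction carries Execute / Arguments; other action
            # types (COM handler, e-mail) have no Execute and are skipped.
            if (-not $action.Execute) { continue }
            if (Test-UserWritablePath $action.Execute) {
                [pscustomobject]@{
                    Source   = 'ScheduledTask'
                    Name     = $task.TaskPath + $task.TaskName
                    Command  = $action.Execute
                    Args     = $action.Arguments
                    Author   = $task.Author
                    State    = $task.State
                }
            }
        }
    }
}

# 3. Same test for the per-user Run / RunOnce keys that a self-installing
#    shell (illwill's registry route) would write to.
function Find-SuspiciousRunKeys {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            if (Test-UserWritablePath "$($p.Value)") {
                [pscustomobject]@{
                    Source  = 'RunKey'
                    Name    = "$key\$($p.Name)"
                    Command = $p.Value
                    Args    = ''
                    Author  = ''
                    State   = ''
                }
            }
        }
    }
}

Write-Host "Ducky line that would create the task:`n  $DuckyLine`n"
@(Find-SuspiciousTasks) + @(Find-SuspiciousRunKeys) | Format-Table -AutoSize
```

The audit deliberately keys on where the action runs from rather than on a task or binary name, since both are trivially changed by the attacker; the %APPDATA% placement that makes the payload "easy enough to hide" from a casual look is exactly what makes it stand out to this check. On a host where the Ducky line above has been typed, the UpdateCheck task shows up in the first rows of the table.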