sn0wfa11 Posted June 6, 2015 Share Posted June 6, 2015 Below are instructions for using Veil-Evasion to produce a Windows Powershell payload for a Meterpeter reverse TCP connection and injecting it using a USB Rubber Ducky. This is my first tutorial post, so if my formatting is a bit off... too bad ;) This method has a few benefits over the method provided using the "Simple-Ducky" program. It is injected completely through text input typed in by the Ducky into the Windows Command Shell It does not require the target computer to download a compiled file from a web server to set up the connection. You do not have to host a web server for the payload. (Less open ports on your machine, always a good thing.) Virus scanners are (hopefully) not going to pick this up because it is being entered directly into the Command Shell by Ducky. The flip side is that this is a larger payload for Ducky to type out so you will have to plan accordingly. Initial Setup (If you are running Kali, BlackBox, Backtrack, etc. you are probably almost set up already.) Install and setup Metasploit if you have not already. Install and setup Veil-Evasion (Homepage is here). Veil-Evasion is now available in the Kali repository. Use: apt-get install veil-evasion -y Note on initial install: You need to run veil-evasion after it is loaded by apt-get to set everything up. It says you don't have to run it as root, but you need to run it as root! Setup can take a bit. Set up Ducky Encoder or whatever you choose to use to make your inject.bin. Payload Generation Start veil-evasion. Type "list" to see the list of available payloads. Enter the number for the "powershell/meterpreter/rev_tcp" payload. (Was 22 for me.) Set you LHOST and LPORT the same as you would do setting up a payload in Metasploit. Type "generate". Enter the name you want for the payload. Veil will generate the payload in a .bat file in the "Veil-Output" directory under "source". (Most likely in the /usr/share/ directory.) Veil will also generate a Metasploit resource file for setting up a listener that you can use if you want. However, if you are behind a NAT router you will need to plan accordingly. Find and open the .bat file in the text editor of your choice and copy off the first section of the file as follows: powershell.exe -Nop.....ReadToEnd();" (The first .ReadToEnd() and don't miss the quotation mark at the end, you will need that.) If your target is a 64 bit machine you will need to add "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\" prior to the powershell.exe in order for your payload to work. Set up your Ducky script as you like to account for driver install, etc. Have it open a standard command shell and copy and paste the text you cut out above into the Ducky script as a STRING: Create you inject.bin file and put it on your Ducky.Operation Start a windows/meterpreter/reverse_tcp listener in Metasploit on your machine. (32 bit, not the x64 payload) Plug the Ducky into your target machine and away you go. The Command Shell window will automatically close once the Powershell script begins to execute. You may need to migrate to another x86 process to get full Meterpreter functions. A few notes If you try to run this sever times in quick succession on a target machine the subsequent tries may not go through as Powershell likes to hang on for a bit. Killing the initial process after migrating might fix this. I've tested this on the following:Windows 7 Pro x64 (physical machine with a physical network, through a restrictive firewall... Reverse connections rock!) Windows 8.1 Pro x64 - Virtual Windows 10 Pro x64 Technical Preview - Virtual Windows Server 2008 R2 - Virtual Windows Server 2012 R2 - Virtual Enjoy. Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.