Meterpreter Reverse TCP Ducky Injection using Powershell and Veil

[sn0wfa11]

Below are instructions for using Veil-Evasion to produce a Windows Powershell payload for a Meterpeter reverse TCP connection and injecting it using a USB Rubber Ducky.

This is my first tutorial post, so if my formatting is a bit off... too bad ;)

This method has a few benefits over the method provided using the "Simple-Ducky" program.

• It is injected completely through text input typed in by the Ducky into the Windows Command Shell
• It does not require the target computer to download a compiled file from a web server to set up the connection.
• You do not have to host a web server for the payload. (Less open ports on your machine, always a good thing.)
• Virus scanners are (hopefully) not going to pick this up because it is being entered directly into the Command Shell by Ducky.

The flip side is that this is a larger payload for Ducky to type out so you will have to plan accordingly.

Initial Setup (If you are running Kali, BlackBox, Backtrack, etc. you are probably almost set up already.)

1. Install and setup Metasploit if you have not already.
2. Install and setup Veil-Evasion (Homepage is here).
   1. Veil-Evasion is now available in the Kali repository. Use: apt-get install veil-evasion -y
   2. Note on initial install: You need to run veil-evasion after it is loaded by apt-get to set everything up. It says you don't have to run it as root, but you need to run it as root! Setup can take a bit.
3. Set up Ducky Encoder or whatever you choose to use to make your inject.bin.

Payload Generation

• Start veil-evasion.
• Type "list" to see the list of available payloads.
• Enter the number for the "powershell/meterpreter/rev_tcp" payload. (Was 22 for me.)
• Set you LHOST and LPORT the same as you would do setting up a payload in Metasploit.
• Type "generate".
• Enter the name you want for the payload.
• Veil will generate the payload in a .bat file in the "Veil-Output" directory under "source". (Most likely in the /usr/share/ directory.)
• Veil will also generate a Metasploit resource file for setting up a listener that you can use if you want. However, if you are behind a NAT router you will need to plan accordingly.
• Find and open the .bat file in the text editor of your choice and copy off the first section of the file as follows: powershell.exe -Nop.....ReadToEnd();" (The first .ReadToEnd() and don't miss the quotation mark at the end, you will need that.)

• If your target is a 64 bit machine you will need to add "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\" prior to the powershell.exe in order for your payload to work.

• Set up your Ducky script as you like to account for driver install, etc. Have it open a standard command shell and copy and paste the text you cut out above into the Ducky script as a STRING:

• Create you inject.bin file and put it on your Ducky.

Operation

• Start a windows/meterpreter/reverse_tcp listener in Metasploit on your machine. (32 bit, not the x64 payload)
• Plug the Ducky into your target machine and away you go.
• The Command Shell window will automatically close once the Powershell script begins to execute.
• You may need to migrate to another x86 process to get full Meterpreter functions.

A few notes

• If you try to run this sever times in quick succession on a target machine the subsequent tries may not go through as Powershell likes to hang on for a bit. Killing the initial process after migrating might fix this.
• I've tested this on the following:
  • Windows 7 Pro x64 (physical machine with a physical network, through a restrictive firewall... Reverse connections rock!)
  • Windows 8.1 Pro x64 - Virtual
  • Windows 10 Pro x64 Technical Preview - Virtual
  • Windows Server 2008 R2 - Virtual
  • Windows Server 2012 R2 - Virtual

Enjoy.

[marando]

doesn't work for me (tested on win 10 pro). Sending stage fails, doesn't get an session.

[cdorka]

Im testing this as well. Will report back when final. So far it didnt work, but that was my initial run. I need to tweak it a bit.

[cdorka]

i got an error.

Exception handling request: The :puid parameter must be exactly 8 bytes

will troubleshoot

[cdorka]

i got an error.

Exception handling request: The :puid parameter must be exactly 8 bytes

will troubleshoot

disregard this.

I got shell, then symantec AV ate it. Will have to update Veil or figure out some different encoding

[BeNe]

disregard this.

I got shell, then symantec AV ate it. Will have to update Veil or figure out some different encoding

Seems like Symantec AV doesn´t detect the the crypted payload inside the file - but the network stream during a connection to your server.

So the problem is the meterpreter connection itself, not the file. There is no way to change this as i know...

[M1k3]

Hi guys,

I face a problem which I guess is not that big a deal.

When I open run the exploit it doesn't open the meterpreter but it stays at the [*] sending stage

Cheers

[Xcellerator]

Seems like Symantec AV doesn´t detect the the crypted payload inside the file - but the network stream during a connection to your server.

So the problem is the meterpreter connection itself, not the file. There is no way to change this as i know...

Does Veil not support reverse_https? reverse_tcp is just plaintext all the way - you even sniff it in wireshark if you wanted too. If it is indeed just the AV picking up the stream, then try using reverse_https and see if you different results.

[cdorka]

Does Veil not support reverse_https? reverse_tcp is just plaintext all the way - you even sniff it in wireshark if you wanted too. If it is indeed just the AV picking up the stream, then try using reverse_https and see if you different results.

Yes it does support reverse_https. I just recreated my payload and put it on the ducky. Worked like a champ bypassing Symantec AV.