Jump to content

Recommended Posts

Hello everyone. I've flashed my Ducky to a Twin Ducky, hence I put on software (portable) with Command-Line Options. My goal is to successfully plug it into a Stand-Bye computer and actually make it work, make it execute. But the huge problem is the Anti-Virus. (Norton Small Business Edition). This AV keeps removing all the files and is really a pain in the ass. I was wondering if there was a way to once plugged in, let the Ducky (Temporary) Kill the Anti-Virus. Just so it doesn't have an scanning on, so it will not detect the file, and once everything is back up me and the Ducky will be gone. I have the Advantage because one, it's Windows 7 and the accounts that are being logged onto are Administrator-Privileged, so Pressing Yes or No with the Ducky will not be a problem. I really need help.

1. Plug in the Ducky

2. Payloads Activate;

Kill's Anti-Virus (Short While just so files can get through)

3. Run the file (Command-Line)

Be Out.

I just need to learn how to Kill the AV. For Norton Small Business Edition it's pretty complex to just disable it straight from the Control Panel.

Thanks, so much.

-Mathew

Link to post
Share on other sites

if you use metasploit to gain a reverse_tcp connection  once you gain a meterpreter session you can run the killav command

but if the problem is that you cant get past the antivirus to drop your  shell code or payload    you can try    Veil-Evasion 

create a payload with veil  it has an option to encode ruby into your payload and several other methods  

or if you have physical accsess to the keyboard of the target machine  and if you have enough time norton should be running in the bottom right

hand corner just right click on the norton icon it should have a disable sheilds button   .....disable it temporarely until you get whatever it is that you was trying to do

but veil-evasion works 4 me  gain a reverse tcp session  then you are back doored in   ....  my recent exploit ...what i did was  i had my metasploit listener setup at home

then i  put my veil-evasion payload on to a regular usb thumb drive  and went to a friends house "i had permision lol"  and i put it in the machine right clicked on the veil evasion payload  and chose run as administrator  and it walked past the antivirus no problem   and i had my phone ssh 'd   into my listening machine at home so i had full control on the go .......i know this isnt probably what you were looking for  i hope it helped ...if not  theres some really smart  really experienced pentesters on this forum just hang around be patient one of these guys should be able to help 

 

Link to post
Share on other sites

You need a payload that runs in memory and never touches disk. More than likely, a powershell exploit, if you can get to powershell. You wan tto go to the command line before trying to kill AV, and if possible, work around it, without having to kill it to get your reverse shell first. Anything that the system can read off the thumb drive as a file, AV is going to kill, which is why you use powershell to decode directly into memory your program to execute, which can be stored as simple base64 text, no executables to trip AV.

Link to post
Share on other sites

This is the code:

DELAY 1000
GUI R
DELAY 100
STRING powershell
DELAY 100
ENTER
DELAY 1000
STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'D' } | select name
DELAY 500
ENTER
STRING cd $usbPath.name
DELAY 100
ENTER
STRING ./p /stext log.txt
DELAY 100
ENTER
STRING exit
DELAY 100
ENTER

 

"P" is the program i am trying to execute which support's command-line features. Sorry I am completely new to this, sorry for asking for so much but how would I manage to this?

 

Link to post
Share on other sites

Check the ducky section maybe? There should be examples for reverse shells in base64 stagers(hopefully) or some kind of example that runs a base64 payload in memory. If not there, sure googling will turn up something. The main thing about the ducky is you might want to use it to write to for mass storage, but you probably don't want payloads in the mass storage side, as AV will pick them up, hence the base64 encoding of a binary to decode and run only in memory, which will help hide your steps.

Darren covers using a stager here - https://www.hak5.org/episodes/hak5-2110-how-to-get-a-reverse-shell-in-3-seconds-with-the-usb-rubber-ducky but if I recall, his was for a reverse shell that downloads a separate  PS1 script from the web, which might get caught by AV, but I can't remember if he makes it run from ram for the whole process or if it ever downloads to disk.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...