Mike Weaver miketweaver

Empire with a Ducky

by bashNinja (Mike Weaver)

Goals

In this lab, you will work with a rather simple device, a RubberDucky. It acts as a Keyboard HID which will be automatically detected and accepted by most modern operating systems. This allows you to exploit the trust of a local user on a keyboard and run commands at speeds beyond 1000 words per minute bypassing traditional countermeasures. We will start by writing a simple attack on a Windows Machine, and then we will move onto more complex payloads.

Background Information

The RubberDucky comes in two parts. The Ducky itself and a MicroSD card. The MicroSD card needs to be formatted to FAT or FAT32. The Ducky reads a file from /inject.bin which is an encoded version of our payload.

GPG Practical Exercise

Create your master keys

Create gnupg folder
```
$ mkdir -p ~/.gnupg/
```

Install NightShade

Get NightShade Files

git clone https://github.com/UnrealAkama/NightShade
cd NightShade

Setup Pip and Postgres

sudo apt update

Command:

curl -X POST   https://api.passwordctf.com/hashes   -d '{
"data": {
"user_name": "USERNAME GOES HERE",
"api_key": "API KEY GOES HERE",
"hashes": [
"a2477e96493f08578eac08f015ec74ead449cd04:73f1e0a2254a21f094652b8b82b2f586"
]
}

So, for validation, here is my suggestion. Works for however people want to submit (separate hashes.txt, password.txt or combined "hash:pass" file).

grab a copy of mdxfind/mdsplit from http://hashes.org . Ensure you have the contest-orginal pcrack.master.hashed.txt file (it will be read-only).
If separate files:

     mdxfind -f pcrack.master.hashed.txt -h ^sha1$ plaintext.txt >result
     mdsplit -f result hashes.txt

You will be left with hashes.txt and hashes.SHA1x01. The hashes.SHA1x01 are the validated number of cracks (wc -l to get number), and any invalid hash submissions will be in hashes.txt. If this file is empty, all hashes validated.

	#!/usr/bin/perl;

	my $Matchlist = "abcdefghijklmnopqrstuvwxyz0123456789";
	my $Length = 14;
	my $RandomDevice = "/dev/urandom";
	my $password = "";

	open RANDOMDEVICE, $RandomDevice
	or die "Can't open random device $RandomDevice: $!\n";

	-- Really random test code for the MAx7219.
	-- Chain 7 segment display off dev board
	-- Chain 8x8 matix off of 7 segment display.
	-- run this code to get 87654321. Assuming the L to R digit layout is just the
	-- dev boards we picked up.

	-- Functions:
	--
	-- DISPLAY.text(str)
	-- Displays the text, takes a string.

	#!/bin/bash
	#Copyright 2017 Mike Weaver
	#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
	#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
	#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE

	#!/usr/bin/env python
	import hashlib

	score = 0

	plaintext = "plaintext.txt"
	hashes = "hashes.txt"

	plainfile = open(plaintext)
	hashfile = open(hashes)

	#!/usr/bin/env python
	import hashlib
	import binascii

	score = 0

	hashfile = "newformat.txt"

	# Notes:
	# Chars 0-39 are the first 40 chars of the hash