Twin Duck Firmware - Which one?


Captain

Hopefully someone smarter than me can help me out.

Which firmware should I be loading for twin duck functionality? All I can seem to get working is the c_duck_v2_S001.hex, which triggers on caps, num, or scroll lock. I have tested it, and it worked great. However, rewriting scripts to account for caps lock is... well, tiresome.

In theory c_duck_v2.1.hex should be the "standard" image that deploys the inject.bin automatically. However, I can't seem to get that one to work.

Am I using the wrong firmware?

Thanks


On 8/13/2016 at 7:45 AM, winter_soldier said:

see the above.

Also you could just double-tap the Lock buttons?

Yeah, that's what I've been doing. Frankly, it may actually work better doing it this way, as you can initiate various payloads for different OS's.

 

 


  • 3 weeks later...

So as of the time of this writing, there are 2 "Composite" firmware images on the github site. I tried both, and neither of them does the auto-payload after storage mount. One of them has "cap" in the name, which led me to believe it would be similar to the old image that allowed triggering the payload manually by double tapping the caps lock key as mentioned in this thread, but neither image actually seems to do that in my testing. Both images DO allow manual triggering of the payload via a push of the button on the Ducky itself.

I also played with copying .bin files around after mounting to see if manual injection uses the "inject.bin" that is on the card at load time, or if it uses the "inject.bin" that's on the card at time of triggering the payload event.  It only uses the "inject.bin" that is on the card at initial load.  Just putting this here for reference.

Does anyone know of another Composite that allows triggering from a caps-lock double tap, or automatic payload after a delay? Is there a reason this was changed, or did I maybe grab a bad copy of the "caps" version that's out there right now? The two images I tested were:

Composite_Duck_S003.hex

Composite_Duck_4cap.hex

Thanks!


4 hours ago, winter_soldier said:

4cap - means 4x caps lock

can't remember seeing S003 ? maybe someone (or the requestor) could shed light here? I thought these were Special Requests? or Sponsored developments ?

I just re-flashed the 4cap firmware. I assume when you say "4cap - means 4x caps lock" that I should hit the caps lock key 4 times to trigger the payload (so "on, off, on, off") and not "turn it on 4 times" which would be an 8 press sequence. No matter how many times I hit caps lock, it never triggers a payload with this firmware. I assume that means the firmware is faulty. I did do a diff against the S003 and the 4cap to be sure I didn't somehow overwrite 4cap with S003 on accident, since both work by pressing the button on the ducky itself. They are different.


33 minutes ago, UnixSecLab said:

I assume when you say "4cap - means 4x caps lock" that I should hit the caps lock key 4 times to trigger the payload (so "on, off, on, off")

Correct. Also the S003 I believe is supposed to be button press only. (I'm not sure about that).

I found last night that I had to use the Hak5 encoder on the github to be able to have the payload run on the Composite firmwares; the online encoder would not work for some reason. Once I used that and encoded it locally it all worked without issues.

I couldn't get the c_duck_v2.1 version working at all where it runs automatically on insert.


9 minutes ago, bored369 said:

Correct. Also the S003 I believe is supposed to be button press only. (I'm not sure about that).

I found last night that I had to use the Hak5 encoder on the github to be able to have the payload run on the Composite firmwares; the online encoder would not work for some reason. Once I used that and encoded it locally it all worked without issues.

I couldn't get the c_duck_v2.1 version working at all where it runs automatically on insert.

The S003 does indeed work only by button press.

I modified my ducky script to be sure the payload would be different, re-encoded with the encoder.jar (fresh one from the site), and uploaded it to the ducky's SD card to test this again. The caps lock still does nothing with the 4cap HEX file firmware. Button press on the duck still works, and it does deliver the new payload when I do that. I think the firmware is faulty, or I'm not holding my tongue just right when I bang on the caps lock key :)

I appreciate the responses so far, and I'll keep my eyes peeled for an updated firmware in the future.  Or I'll try to figure out how to compile my own HEX firmware from the sources directory on the github so I can "fix" it myself, if nobody else does.


And I have a fast update. I've been testing this on a Linux Mint 17 workstation. I had the thought that maybe something in how Linux is handling the device may be why it's not firing the caps key event properly. I plugged the ducky into a Windows 10 laptop to test this theory, and 4 taps of the caps lock does indeed trigger a payload event. Now I need to investigate why Linux behaves differently.

Again, I appreciate the help.  I've got a post about this experience going up on my blog on Wednesday, so I need to go edit that now :)
