
no42

Dedicated Members
  • Posts: 925
  • Days Won: 17

Posts posted by no42

  1. you probably want cm_duck.hex; (alpha)

    Duck will initially mount as Mass Storage Device.

    Numlock - triggers payload 1 (inject.bin)
    Capslock - triggers payload 2 (inject2.bin)

    Due to memory restrictions, as both payloads are loaded into Ducky memory - you are limited to 2048-Bytes of instructions per inject-payload!

    Also only one payload can be triggered, so you have a choice payload A or payload B. NOT BOTH!!!

    Or even SP002

    From a forum request (http://forums.hak5.org/index.php?/topic/28470-custom-firmware-request/), to stop auto-loading the HID payload.

    Now HID starts injecting on GPIO trigger.

    1. What Firmware are you using?
    2. Which Encoder are you using?

    Your payload is using a duck-encoder version 1 script.

    You may need to tweak the delays, and insert an initial long delay (e.g. DELAY 3000) on the first line of the ducky script payload. This is why you're seeing the random programs open.

    Alternatively, if you're using Encoder v2+, search the forums for an updated script that is more compatible with the latest developments.

  2. And this is the problem. Some policies, although sound fine and good, aren't workable. Like the 1 minute screen saver madness. We tried this, which I've never agreed with, and it's unworkable. People do sit and read at times on their screen, or compare figures on screen to print outs. The screen saver kicking in every 1 min was driving people nuts and just isn't productive. Same with draconian group policies which even prevent us, the IT staff from fixing a problem in 5mins, having to spend 20 mins instead, fighting with group policy.

    I don't have a ducky to test, but I wonder if Lumension would work to block this. It's what we use to restrict access to USB ports. You can plug a USB stick in, but it won't let you write to it because Lumension requires it be encrypted first with the Lumension encryption.

    Agree with you on the 1 minute screensaver issue.

    Lumension is ok, it can block the Ducky in its default setting.

    But the Ducky has a secret (not so secret) weapon to bypass DLP solutions like Lumension :) I know they panicked and re-wrote some of their software just over a year ago. I haven't had a chance to assess all their solutions / new products / new versions, so it may come down to configuration.

    So I just want to take this opportunity to say "Hi Lumension, McAfee, Sophos, Symantec! I know you're watching me ..... I'm still waiting for that second date!"

  3. As a start try adding the commands below to pt.properties

    ISO_8859_1_E1 = KEY_RIGHT_BRACE, MODIFIERKEY_RIGHT_ALT

    ISO_8859_1_EA = KEY_RIGHT_ASH, MODIFIERKEY_RIGHT_ALT

    Also try:

    ASCII_28 = KEY_9, MODIFIERKEY_SHIFT

    ASCII_29 = KEY_0, MODIFIERKEY_SHIFT

    ASCII_3D = KEY_EQUALS, MODIFIERKEY_SHIFT

    Ideally, I need you to plug in a USB keyboard, run a USB sniffer (USBlyzer), press each key that is missing 5x, and record the order you pressed the keys. Then mail me the results.

    Thanks

  4. Thanks...I do have JRE (I got the JDK, and I understand JRE is part of that). Is there a particular directory I need to extract to after DLing the zip ? Java is confirmed in my path, but javac encoder.jar brings up file not found: encoder.java. Java encoder returns "could not find or load main class encoder". Makes me think I just need to drop this thing into a different directory...

    Javac is the Java compiler, for compiling the source .java files to .class files. I think you're using the precompiled build, not the source, here.

    You want to unzip encoder.zip anywhere you want; I like it on the SD card. Open up a prompt, cd to the drive letter, and run: java -jar encoder.jar -h

  5. It's Java based; if you have Java installed and it's in your path, you can follow the example highlighted above.

    The encoder.jar is pre-packaged, so it will run on its own within a JRE. If you do not have a JRE, download one from http://www.java.com/getjava/

    If you download the source from the SVN, you will need to compile the code with a Java JDK.

    More on the Encoder can be found at: https://code.google.com/p/ducky-decode/wiki/Encoder_Howto

  6. Thanks, I'll try it!

    Isn't there something wrong with this (if ]%DUCKYdrive%[ EQU ][ ( ) line?

    STRING if [%DUCKYdrive%] EQU [] (

    Looks like your [ ] square brackets are the wrong way around.

    Try swapping

    ASCII_5B = KEY_RIGHT_BRACE, MODIFIERKEY_RIGHT_ALT
    // 91 [
    ASCII_5C = KEY_NON_US_100, MODIFIERKEY_RIGHT_ALT
    // 92
    ASCII_5D = KEY_LEFT_BRACE, MODIFIERKEY_RIGHT_ALT
    // 93 ]

    with

    ASCII_5D = KEY_RIGHT_BRACE, MODIFIERKEY_RIGHT_ALT
    // 93 ]
    ASCII_5C = KEY_NON_US_100, MODIFIERKEY_RIGHT_ALT
    // 92
    ASCII_5B = KEY_LEFT_BRACE, MODIFIERKEY_RIGHT_ALT
    // 91 [

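An added example (not ducky-decode's own code) for the layout .properties entries discussed in posts 3 and 6 above: a small checker that parses lines in the format quoted there, lists printable characters that have no mapping at all (the "missing keys" of post 3) and flags two characters assigned the identical key+modifier combination. The regex, the function names and the sample fragment are my assumptions, constructed for this example.

```python
import re

# One layout line as quoted in the posts: ASCII_5B = KEY_LEFT_BRACE, MODIFIERKEY_RIGHT_ALT // 91 [
ENTRY = re.compile(r"^(ASCII|ISO_8859_1)_([0-9A-Fa-f]{2})\s*=\s*([^/]+?)\s*(//.*)?$")

def parse_layout(text: str) -> dict:
    """Map each character defined by an ASCII_xx / ISO_8859_1_xx line to its key+modifier set."""
    layout = {}
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank lines, standalone // comments and other definitions are ignored
        char = chr(int(m.group(2), 16))
        layout[char] = frozenset(part.strip() for part in m.group(3).split(","))
    return layout

def missing_printable(layout: dict) -> list:
    """Printable ASCII characters (0x20-0x7E) with no entry, i.e. STRING cannot type them."""
    return [chr(c) for c in range(0x20, 0x7F) if chr(c) not in layout]

def collisions(layout: dict) -> list:
    """Groups of characters given the identical key+modifier combination; only one can ever be typed."""
    by_combo = {}
    for char, combo in layout.items():
        by_combo.setdefault(combo, []).append(char)
    return sorted(sorted(chars) for chars in by_combo.values() if len(chars) > 1)

# Constructed fragment (assumption, not a real layout file): '{' has been given the same
# combination as '[' (a collision) and '#' has no entry at all (a missing key).
SAMPLE_FRAGMENT = """
ASCII_5B = KEY_LEFT_BRACE, MODIFIERKEY_RIGHT_ALT
// 91 [
ASCII_5D = KEY_RIGHT_BRACE, MODIFIERKEY_RIGHT_ALT
// 93 ]
ASCII_7B = KEY_LEFT_BRACE, MODIFIERKEY_RIGHT_ALT // 123 {
ASCII_3D = KEY_EQUALS, MODIFIERKEY_SHIFT
"""
```

Running `missing_printable(parse_layout(open("gb.properties").read()))` against a full layout file lists exactly the characters a user should press for the USB sniffer capture the post asks for.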
  7. Not working. :unsure:

    When I plug my ducky in, everything is going right, but it stops with 'EXIT' in the command prompt (stays there and command prompt doesn't go away).

    When I plug the flash drive 'DUCKY' in, it copies nothing and there's no new folder...

    When I execute the Duckslurp.bat, it creates a folder, but no files.

    To encode, I used this commandline: java -jar encoder.java -l resources/be.properties -i input_file.txt -o inject.bin (v.2.6)

    Plz help me out.

    Prefix every line with STRING and re-encode,

    then open Notepad and make sure it remains the active window while inserting the Ducky.

    The Ducky should then start typing into Notepad.

    This output will enable us to do some debugging!

    Also, are you on Windows or Linux? The \ or / after "resources" might make a difference.

  8. Aah, when you use -l uk, you're using the built-in language map, which may be slightly older.

    Update the SVN repository and try:

    java -jar encoder.jar -l resources\gb.properties -i input.txt -o inject.bin

    I've changed some of the country codes to ISO-3166-1 to avoid confusion as the Ducky hits worldwide (UK is Ukraine); GB is Great Britain following ISO-3166-1 compliance.

    Otherwise the new gb.properties file can be downloaded from here: gb.properties

  9. No, as REM instructions are ignored, the calculation is not related directly to the file size (due to blank lines and REM lines). Each keystroke is typically represented as two bytes (in case shift/alt/ctrl is used as a modifier), so both "shift-a" and "a" are represented by 2 bytes. In Twin Duck you can have approximately 4096 bytes or 2048 key presses; as there are two optional payloads in this alpha build, this memory is now halved: 2048 bytes = 1024 key presses for each payload to fit in memory.
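An added example (not ducky-decode's own code) of the size rule in this post and the 2048-byte limit in the twin-duck notes above: an estimator that applies "two bytes per key press, nothing for REM and blank lines" to a Ducky Script and checks whether it fits one payload slot. Assumptions of mine: DELAY encodes as one 2-byte pair per 255 ms (plus one for any remainder), DEFAULT_DELAY is appended after every later line, and the sample script is constructed.

```python
import math

# Bytes available to each inject payload in the two-payload alpha build (from the thread).
TWIN_DUCK_LIMIT = 2048

def delay_bytes(ms: int) -> int:
    """Bytes emitted for a DELAY: one (0x00, value) pair per 255 ms and one more for
    any remainder (assumed behaviour of the v2 encoder)."""
    return 2 * math.ceil(ms / 255) if ms > 0 else 0

def payload_size(script: str) -> int:
    """Estimate how many bytes of inject.bin a Ducky Script source will encode to."""
    total = 0
    default_delay = 0  # set by DEFAULT_DELAY; assumed appended after every later line
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue  # comments and blank lines never reach inject.bin
        cmd, _, arg = line.partition(" ")
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)
            continue
        if cmd == "STRING":
            total += 2 * len(arg)  # one (keycode, modifier) pair per character
        elif cmd == "DELAY":
            total += delay_bytes(int(arg))
        elif cmd == "REPEAT":
            raise ValueError("REPEAT is not modelled by this estimator")
        else:
            total += 2  # ENTER, GUI r, CTRL ALT DELETE: one press, modifiers in the 2nd byte
        total += delay_bytes(default_delay)
    return total

def fits_twin_duck(script: str) -> bool:
    """True when the payload fits the per-payload limit of the two-payload firmware."""
    return payload_size(script) <= TWIN_DUCK_LIMIT

def max_key_presses(limit: int = TWIN_DUCK_LIMIT) -> int:
    """Upper bound on key presses at two bytes each: 2048 bytes -> 1024 presses."""
    return limit // 2

# Constructed sample: types one line into an already open Notepad window, the
# debugging setup suggested earlier in the thread.
SAMPLE_SCRIPT = """\
REM constructed sample, not a real payload
DELAY 3000
STRING Hello from the Ducky
ENTER
"""
```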
