no42
-
Posts
925 -
Joined
-
Last visited
-
Days Won
17
Posts posted by no42
-
-
Made the mistake of upgrading to Atmel Studio 6.1, which wanted to upgrade all the firmware-code and base libraries.
Downside: it corrupted all my code :(
Upside: I had a backup :)
Downside --: It still seems to have messed up a few libraries, compiling the USB and Twin-Duck v2.1 with speed enhancements either refuse to compile, or when they do eventually compile are slower. Oddly the write speed is faster than read speed (137/100KB w/r compared to previous 160/200KB w/r (w/r=write/read))????
After a day wrestling with the clock - no improvement - which suggests its something todo with the base libraries / particular version of the framework (and i cant remember the previous one I was on? 3.1.xxxx?)
Now to decide whether to continue with 6.0 Framework, or rewrite everything in 6.1.
So if there are any people out there compiling from source/learning to program the Ducky I suggest you stick with the Atmel Studio version 6.0!!!
~~Snake
-
Produced due to demand: a merge of the multi-duck (former Naked Duck, now know as Detour Duck), and the Twin-Duck firmwares.
Duck will initially mount as Mass Storage Device.- Numlock - triggers payload 1 (inject.bin)
- Capslock - triggers payload 2 (inject2.bin)
Due to memory restrictions, as both payloads are loaded into Ducky memory - you are limited to 2048-Bytes of instructions!
Also only one payload can be triggered, so you have a choice payload A or payload B. NOT BOTH!!!Download:
http://code.google.com/p/ducky-decode/downloads/detail?name=cm_duck.hex&can=2&q=
~~Snake
-
Until someone can figure out the memory internals and manipulate them, we're stuck with the 4KB limit. Otherwise use the other HID-only firmwares that have no-limit, as the payload is read directly from the inject.bin file.
If the inject.bin was compressed, it would have to be expanded in memory, where the 4096Byte limit exists.
How to get into firmware development - read : http://forums.hak5.org/index.php?/topic/28627-info-how-i-wrote-the-community-edition-firmware/
Also don't use Atmel Studio 6.1 - major changes it breaks the current code (as I found out yesterday), highlights the importance of backing up your code.
Current firmware uses version 5 or 6 of Atmel Studio.
-
chances are that the reverse.exe is 16-bit; fine on 32bit systems not for 64bit applications.
I'd use metasploit to generate a 64bit reverse shell, and use that instead.
-
You could brute-force windows, but then your limited to GPO (Group Policy Restrictions) on typical corporate/institute machines.
-
The limit is only on the Twinduck firmware, as it has to load the inject.bin into memory.
So its the inject.bin that has the limit.
Until someone can figure out the memory internals and manipulate them, we're stuck with the 4KB limit. Otherwise use the other HID-only firmwares that have no-limit, as the payload as read directly from the inject.bin file.
-
Depends on firmware. The only limits are on TwinDuck firmware, which is limited to 4096 Bytes.
Whats your output? You have a lot of STRINGS, are they replicated correctly? might have to insert some small delays (eg DELAY 20), just to give the HID messages a small rest, so the computer can catch up?
-
try changing the cmd /c string to
STRING reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d www.yahoo.com /f EXIT
reg might be case sensitive on the /v /d /f; you appear to have CAPS enabled, what happens when you disable CAPS_LOCK?
-
The problem is, the ducky relies on HID injection (keyboard injection), so it needs the focus of current windows to operate correctly (just like macros), as soon as your window-focus changes, the payload will cease to function correctly, as the payload will be split between 2+ windows.
The advantage is the Ducky types really fast, so just alt-f4 to close the window once the payload is complete, and hopefully no-one will be the wiser (or their distracted or AFK) and completely miss the command prompt.
Alternatively - use the twin-duck firmware to execute directly from the sdcard! Save's from downloading (time/bandwidth), or even a valid http connection ;)
-
Yes!!!
Descriptions about why S001 & S002 are on the download page
Basically, the HID triggers are different - LOCK_KEYS or GPIO button.
-
Would be epic to have everything into one, i wonder if the Mass Storage just shows the content of the SD
like it would do when you have it in your SDcard reader. Would seem a little bit suspicious ( a regular USB Stick that has a file on it, called inject.bin, lol) :PEvery firmware has the HID in it already right? Probably yes^^- Mass Storage acts like a USB drive - No HID Injection!
- Mass Storage and Twin Duck Firmware, give access to the sdcard just like an sd-reader, so you see all files depending on your system and ACLs
-
Here's a start for your research:
-
This setup has worked in the past:
WiFi -> Pineapple Karma Attack -> Ettercap/dsniff/tcpdump (to sniff traffic(with appropriate filter))
-
what file?
-
Two programs come to my mind:
- aespipe
- aesutil
Demo of aesutil:
$ /opt/local/bin/aes -e -b -s "Encrypted me" -p password hq6kK1M5d5x45DCF7pmELXUzW3ARHV9A/zJcTw== $ /opt/local/bin/aes -d -b -s "hq6kK1M5d5x45DCF7pmELXUzW3ARHV9A/zJcTw==" -p password Encrypted me $
flags:
-e encrypt
-d decrypt
-b base64 encode/decode (otherwise you get non-printable chars)
-s this_string (blank for stdin)
-p the encryption/decryption password
-
got a small problem with the STRING command;
STRING ABC - works
STRING A B C - causes a hang
and for some strange reason, Java was matching REM statements as REPEAT???
1 REM = INFINITE REPEAT??
This should now be resolved!
-
Just incremented to V2.4
Added the REPEAT command, due to number of user requests.
Please Test and Enjoy
-
Just implemented the REPEAT command in Encoder v2.4.
If you could please participate in testing, and post feedback here.
Thanks
Snake
-
But do i need something extra to be able to run files from the SDcard while being mounted by the ducky? o.0
please explain :D
You need TwinDuck Firmware.
What firmware are you running at the moment?
-
No, sadly it would just be another Ducky in disguise.
I suppose you could add in a switching circuit to flick between mouse mode and ducky mode???
Two lots of HID messages on the same wire, would just confuse the OS.
-
Well, I'm an undergrad student who is looking for a final year project for my degree. :P I have no real background in firmware though, or C.
Its just C code, means just getting used to the code. Doing these war-games (http://www.overthewire.org/wargames/) was good practice for learning C.
-
We are aware, its a matter of getting the balance right. It types so fast it sometimes/rarely skips characters.
I've tweaked the current speed on the v2 firmware where I felt the balance was right, as the Ducky works best when it types fast, rather than typing at the speed of a human.
With the payloads, its about splitting up large strings (not always best) and using delays
How does your test-code fair if you insert "DELAY 50" or "DELAY 100" inbetween CMD CONTROL f, STRING X and the ENTER statements?
The extra DELAYS will hopefully give the HID buffer time to catch up.
-
Can still be done.
Get your self a usb mouse open it up, separate the four wires from the cable, hook them up to a USB-female header (you will need to solder them in the right manner), plug in Ducky. Reassemble case.
Female USB A Header http://www.digikey.com/scripts/dksearch/dksus.dll?FV=fff40016%2Cfff802e4&k=usb+female&vendor=0&mnonly=0&newproducts=0&ptm=0&fid=0&quantity=0&PV28=872&PV392=1544
USB mouse, wire, soldering iron, solder easy sourced.
-
It is possible to chain them..... but looking at the recent source, I put in an extra true/false statement to stop them chaining. Not sure if I released this (as Im always tinkering)? Anyhow, I'll look more into this tomorrow (if I have time).
If you want chaining I can bring it back, but why would you want it? as everything can fit in a big script anyway?
It was only invented to ease off swapping sdcards, or recompiling inject.bins.
But yes, it is handy to have the relevant trigger key as the first line, when using the m_duck_X.hex firmware to stop the *LOCK keys interfering with the payload.
Note: using the LED lights was thought of a method to extract data from the host, without the mass storage partition. However, its faster to disguise data in HID reports. It is possible, its been done with a Teensy, but the author is selling the code not releasing under open-source. We can do this with the ducky - Im hoping someone can pick up the challenge. (Preferably a grad-student who has time, and needs an end-of-year project for their degree).
[Firmware] Twin & Detour Duck Projects Merge (Alpha)
in Classic USB Rubber Ducky
Posted
I currently only have 4096 Bytes to work with (TwinDuck), for two payloads 4096/2 = 2048 Bytes
you actually only have 2046, just to prevent one payload overflowing into the other(I have hardest \0 (null byte)s) at positions 2047 & 2048!
Memory space is tight!!!