
no42
Dedicated Members
Posts: 925
Days Won: 17

Everything posted by no42

  1. The payloads are made from your Ducky Script instructions; if you want a reverse one, you must code it yourself!
  2. Slight deviation from anti-forensics... Also, Philip Polstra has demoed an interesting forensic capability with FTDI chips: http://itm.iit.edu/netsecure11/PhilipPolstra_USBForensics.pdf ; it's interesting as he goes into some detail on the USB protocol. He is probably working on some interesting USB developments this year. He's another to keep an eye on. He chose FTDI as he initially thought AVRs weren't up to the job; my firmware releases have proved otherwise.
  3. You could even do some old-skool social engineering type phone calls beforehand: complain about your keyboard, ask the person about their keyboard, how they like it, and any identifying manufacturing marks (e.g. Dell, Logitech) because you want to go out and try one for yourself. Then look up the VID & PID on: http://code.google.com/p/ducky-decode/wiki/Keyboard_VID_PIDS
  4. Obviously depends on the system's Software Restriction Policies (SRP); these are often misconfigured, and in some conditions can be bypassed.
  5. Not with version 2 firmware (normally a whitelist is based off VID & PID); assuming you have a laptop, you can rewrite vidpid.bin to support the VID & PID of a known device (obtainable from Device Manager on Win_X, or lsusb (usbutils package) (or at least dev) on Unix). Bypass AV/HBSS for the win!
  6. Can't think of any... But you could use TrueCrypt and the hidden OS feature: http://www.truecrypt.org/docs/?s=hidden-operating-system
  7. Ducky Script and the firmware still have some limitations, e.g. ALT codes (ALT+014) are not supported; the next major revision might support this ;) Current developments: we are working on supporting mouse movements, clicks etc. I see the Ducky project centred around the hardware, firmware and encoder. The language maps and payloads will always be down to individuals or the community. Moving on to specific payload encodings is a common topic in pentesting and AV evasion, maybe best suited to another sub-forum.
  8. A user previously mentioned in the forum that they got a free sample from this website that works with the Ducky: http://www.4imprint.com/search/usb/product/7409-128/USB-Swing-Flash-Drive-128MB.
  9. Potentially, yes. Depends if your target is log monitoring or has a dedicated SIEM. Why don't you set up a quick BackTrack box in the cloud (e.g. Amazon AWS)? Then delete it once you have finished.
  10. Thanks. Imported the changes into the Ducky Decode SVN. Thanks again for all your help, Snake.
  11. All depends on the router (& firewall policies). Questions: how is the payload getting introduced? Do you have prior knowledge of security policies (e.g. firewalls, proxies)? A reverse shell's purpose is for leaving the network and hitting a publicly accessible IP, depending on the number of obstacles in the way.
  12. Hey, no need to say sorry. Are you on Windows? Your original command has / as directory delimiters (which are Unix/OSX); on Windows the command is java -jar encoder.jar -l resources\de.properties -i input.txt. At least we now know that there are only a few chars wrong or missing. I guess the missing ones are highlighted in red in the picture above; what is the combination to get these keys?
  13. Never got around to trying; I guess it depends on the BIOS. I know some BIOSes can be a bit weird with HID devices.
  14. You're not being a pain, you're very helpful. I assume you're looking at a German keyboard. The problem is key_\ doesn't exist; it's ISO_8859_1_E4 = KEY_BACKSLASH. Based on the above keyboard, I think you want ISO_8859_1_E4 = KEY_QUOTE. I could be wrong; it's difficult to build key maps when you're not native to a specific language, or don't have the specific keyboard.
  15. Public-facing server, default web application on port 80. Check out http://cnet.robtex.com/194.81.199.html for other hostnames.
  16. In my tests mass storage has always loaded first (10-60 secs); guess it depends on the system, & I always use a moderate DELAY 3000 to begin with on inject.bin.
  17. It's possible; we're just limited on space and memory! YUMI: haven't tried; in theory you can have anything on the SD card, the payload just has to be inject[123].bin. USB-PS2: again haven't tried, but currently can't see why not.
  18. Read the source, Luke. Bad pun, but it's all about learning USB descriptors and manipulating the fields: insanely large numbers for size fields, insanely long strings in text/Unicode fields. It's been done in the past with other chips (Teensy and PS3, Arduino & caiaq audio). Here's some info to start you off: http://labs.mwrinfosecurity.com/assets/135/mwri_t2-usb-fun-with-plug-and-0wn_2009-10-29.pdf http://labs.mwrinfosecurity.com/blog/2011/07/14/usb-fuzzing-for-the-masses/
  19. If it's incorrect, remove it! If there are any unknown mappings from your Ducky Script, the encoder (latest) will tell you.
  20. It's a possibility, but then depending on the network/application this could easily be scripted (and scripts tend to be faster), e.g. Samba logins to lock out Windows domain credentials. Sorry if I'm shooting your plan down, but keep those ideas coming!
  21. The empty keys on the bottom row are left_gui, space, right_gui
  22. Currently this is not supported. Once the community catches up and we have more developers, we can then look at adding this support.
  23. This would be better, following the western character map (http://www.charset.org/charactersets.php?charset=iso-8859-1); depends on what character sets your system is using (ASCII is an American standard so it would stay the same): ISO_8859_1_23 = KEY_MINUS, MODIFIERKEY_RIGHT_ALT. The KEY_MINUS, MODIFIERKEY_RIGHT_ALT needs to change to your combination of keys used to get #. Hope this helps.
  24. The best full-length description of defences is from Iron Geek's Plug and Prey paper, which covers Windows 7+ Group Policy and Linux udev: http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices There is currently no method of preventing this on OSX except Device Control Software, which is easily bypassed.
  25. OK, looks like the de.properties is still broken. I don't know if there are 2x keyboards, T1 and T2. I wish more people would feed back. The z and y is easy to fix, by swapping the keys in de.properties. E.g.

       ASCII_59 = KEY_Z, MODIFIERKEY_SHIFT // 89 Y
       ASCII_5A = KEY_Y, MODIFIERKEY_SHIFT

     becomes

       ASCII_59 = KEY_Y, MODIFIERKEY_SHIFT // 89 Y
       ASCII_5A = KEY_Z, MODIFIERKEY_SHIFT

     It's a lot to ask, but are you up to patching the de.properties? Thanks for the feedback.
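The y/z swap in post 25, the KEY_BACKSLASH mix-up in post 14 and the chord change in post 23 are all the same class of mistake: a language map entry pointing at the wrong key or at a key that another character already claims. The script below is an added example (not code from ducky-decode or from the poster) that checks such a map mechanically before it is shipped. It assumes only the `NAME = KEY, MODIFIER // comment` line format quoted in the posts above; the `SAMPLE_DE` fragment, including its deliberate defects (a stale KEY_BACKSLASH line colliding with ä, and a wrong decimal in one comment), is constructed for this example.

```python
"""Sanity-check and patch a Ducky-Decode style language map (de.properties).

Added example, not code from ducky-decode or the forum poster. It assumes
only the line format visible in the posts above:
    ASCII_59 = KEY_Y, MODIFIERKEY_SHIFT // 89 Y
SAMPLE_DE and its defects are constructed for this example.
"""
import re

SAMPLE_DE = """\
// constructed fragment of a de.properties language map
ASCII_59 = KEY_Z, MODIFIERKEY_SHIFT // 89 Y
ASCII_5A = KEY_Y, MODIFIERKEY_SHIFT // 90 Z
ASCII_79 = KEY_Z // 121 y
ASCII_7A = KEY_Y // 121 z
ASCII_5C = KEY_BACKSLASH // 92 \\
ISO_8859_1_E4 = KEY_BACKSLASH // 228 ae
"""

# name = key[, modifier...] [// comment]; the name encodes the character's code point in hex
LINE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>(?:ASCII|ISO_8859_1)_[0-9A-F]{2})\s*=\s*"
    r"(?P<keys>[^/]*?)\s*(?P<comment>//.*)?$"
)


def parse_line(line):
    """Return (name, key, modifiers, comment) or None for non-mapping lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("keys").split(",") if p.strip()]
    if not parts:
        return None
    return m.group("name"), parts[0], tuple(sorted(parts[1:])), m.group("comment")


def parse_keymap(text):
    """{name: (key, modifiers)} for every mapping line in the file."""
    keymap = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            name, key, mods, _ = parsed
            keymap[name] = (key, mods)
    return keymap


def find_collisions(keymap):
    """Two characters sharing one key+modifier chord can never both be typed;
    return {chord: [names]} for every chord claimed more than once."""
    owners = {}
    for name, chord in keymap.items():
        owners.setdefault(chord, []).append(name)
    return {chord: sorted(names) for chord, names in owners.items() if len(names) > 1}


def code_point(name):
    """ASCII_59 -> 0x59, ISO_8859_1_E4 -> 0xE4: the character the line maps."""
    return int(name.rsplit("_", 1)[1], 16)


def mismatched_comments(text):
    """Names whose '// <decimal> <char>' comment disagrees with the hex in the name."""
    bad = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[3]:
            continue
        name, _, _, comment = parsed
        m = re.match(r"//\s*(\d+)", comment)
        if m and int(m.group(1)) != code_point(name):
            bad.append(name)
    return bad


def swap_keys(text, name_a, name_b):
    """Exchange the KEY_* of two entries (the y/z fix), keeping modifiers and comments."""
    keymap = parse_keymap(text)
    new_key = {name_a: keymap[name_b][0], name_b: keymap[name_a][0]}
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("name") in new_key:
            parts = m.group("keys").split(",", 1)  # parts[0] is the key, rest the modifiers
            parts[0] = new_key[m.group("name")]
            line = f"{m.group('indent')}{m.group('name')} = {','.join(parts)}"
            if m.group("comment"):
                line += " " + m.group("comment")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("collisions:", find_collisions(parse_keymap(SAMPLE_DE)))
    print("bad comments:", mismatched_comments(SAMPLE_DE))
    fixed = swap_keys(swap_keys(SAMPLE_DE, "ASCII_59", "ASCII_5A"), "ASCII_79", "ASCII_7A")
    print(fixed)
```

Run it against a real de.properties by reading the file into `text` instead of `SAMPLE_DE`; a non-empty collision or mismatch list is exactly the kind of thing the encoder's "unknown mapping" warning cannot catch, because every line is syntactically valid.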