Posts posted by overwraith
-
There's also this payload. Uses a VB script to open a webpage and also supports opening of multiple tabs. Made specifically for IE.
REM AUTHOR: overwraith
REM MOBILETABS.TXT BEGINS
GUI R
STRING cmd /Q /D /T:0a /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
REM DELETE THE SCRIPT IF IT ALREADY EXISTS
STRING DEL /Q MobileTabs.vbs
ENTER
REM VB SCRIPT FOUND AT:
REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.htmlinternetexplorer
REM INPUT FILE MobileTabs.vbs
STRING copy con MobileTabs.vbs
ENTER
STRING on error resume next
ENTER
STRING navOpenInBackgroundTab = &h1000
ENTER
STRING set oIE = CreateObject("InternetExplorer.Application")
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING oIE.Navigate2 args.Item(0)
ENTER
REM ARGUMENTS ARE 0-BASED, SO THE LAST VALID INDEX IS args.count - 1
STRING for intx = 1 to args.count - 1
ENTER
STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
ENTER
STRING next
ENTER
STRING oIE.Visible = true
ENTER
CONTROL Z
ENTER
REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
REM THE DOUBLE QUOTES BECOME MORE IMPORTANT FOR LONGER URLs
STRING MobileTabs.vbs "http://www.google.com/" "http://mwomercs.com/" "http://hak5.org/" "http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/"
ENTER
I'm thinking you also might want to take a look at the DNS poisoning payloads. Modifies the Hosts file and makes the web browser go to someplace unintended.
-
I think I figured it out. Ducky inject.bin didn't get copied to the root of the SD card. I must not have executed the batch file to move it, or there was a ducky compile error which caused the duck to not run. Sorry for the false alarm.
-
Actually, the ducky wouldn't even run.
-
The only programs I was using were cmd.exe and Internet Explorer. The payload was a modified version of the mobile tabs payload I implemented:
REM MOBILETABS.TXT BEGINS
REM HIDE COMMAND WINDOW
CONTROL ESCAPE
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM DELETE THE SCRIPT IF IT ALREADY EXISTS
STRING DEL /Q MobileTabs.vbs
ENTER
REM VB SCRIPT FOUND AT:
REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.htmlinternetexplorer
REM INPUT FILE MobileTabs.vbs
STRING copy con MobileTabs.vbs
ENTER
STRING on error resume next
ENTER
STRING navOpenInBackgroundTab = &h1000
ENTER
STRING set oIE = CreateObject("InternetExplorer.Application")
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING oIE.Navigate2 args.Item(0)
ENTER
REM ARGUMENTS ARE 0-BASED, SO THE LAST VALID INDEX IS args.count - 1
STRING for intx = 1 to args.count - 1
ENTER
STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
ENTER
STRING next
ENTER
STRING oIE.Visible = true
ENTER
CONTROL Z
ENTER
REM LATER WILL TYPE THE WEBSITES TO A TEXT FILE,
REM AND SEND THE FILE TO THE VB SCRIPT
REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
STRING MobileTabs.vbs "http://www.google.com/" "http://mwomercs.com/" "http://hak5.org/" "http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/"
ENTER
-
I just wrote a payload on my Windows 7 desktop 64 bit computer, and took my ducky to another Windows 7 32 bit computer that I own, and the payload didn't execute on the 32 bit machine. It executes fine on the 64 bit version. The number of bits shouldn't be a problem though, because the ducky is just a keyboard. Does anyone have any idea what's going on? I am running twin duck firmware with the swappable VID/PID number. I also know for a fact that the payload is flawlessly coded.
-
We gotta keep in mind however that different people's security settings are going to be different, so maybe we shouldn't focus the development along one path too much, because some people may lock down the PowerShell and download prompt and not the command prompt, or vice versa, or limit the files people can download, but not limit what people bring in on their mass storage.
-
It's ok, I admit it would be of limited value. I foresee one day the ducky will be typing in buffer overflows, and format string exploits etc., but I wouldn't know how to find bugs and exploit them.
-
Had an idea for the USB rubber ducky. Apparently if you know someone's account name on some networks and you type their password incorrectly several times, the system will sometimes lock out that particular user for a period of time. The USB rubber ducky could theoretically be used to exacerbate this issue if you know a few users names, and type in their passwords incorrectly repeatedly. Thoughts?
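The same pattern the post describes is what a defender can key on: many distinct accounts failing from one source workstation in a short window, which looks nothing like one user mistyping their own password. The following detection sketch is an added example, not code from the original post; it assumes failed-logon records carrying the fields a Windows 4625 event has (time, target account, source workstation), constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed failed-logon records (time, target account, source workstation),
# the fields a Windows Security event 4625 carries. Not real captured logs.
SAMPLE_FAILURES = [
    ("2014-03-01T09:00:00", "alice", "WS-LOBBY"),
    ("2014-03-01T09:00:01", "alice", "WS-LOBBY"),
    ("2014-03-01T09:00:01", "alice", "WS-LOBBY"),
    ("2014-03-01T09:00:02", "bob",   "WS-LOBBY"),
    ("2014-03-01T09:00:02", "bob",   "WS-LOBBY"),
    ("2014-03-01T09:00:03", "bob",   "WS-LOBBY"),
    ("2014-03-01T09:00:03", "carol", "WS-LOBBY"),
    ("2014-03-01T09:00:04", "carol", "WS-LOBBY"),
    ("2014-03-01T09:00:04", "carol", "WS-LOBBY"),
    ("2014-03-01T09:05:00", "dave",  "WS-DAVE"),   # a single mistyped password
    ("2014-03-01T09:07:30", "dave",  "WS-DAVE"),   # and a second one: benign
]

def find_lockout_bursts(events: List[Tuple[str, str, str]],
                        window_seconds: int = 60,
                        min_accounts: int = 3,
                        min_failures: int = 6) -> List[Tuple[str, List[str]]]:
    """Return (source, accounts) for each source workstation that produced at
    least min_failures failed logons spanning at least min_accounts distinct
    accounts inside one sliding window of window_seconds."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((datetime.fromisoformat(ts), account))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for source, rows in by_source.items():
        rows.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1               # drop rows that fell out of the window
            span = rows[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                alerts.append((source, sorted(accounts)))
                break                    # one alert per source is enough
    return alerts
```

Tuning `min_accounts` above 1 is what separates this from ordinary brute-force alerting: the goal of a lockout run is breadth across users, not depth on one.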
-
The encoder should be in a jar file, not a java file. If it is in a java file drop the -jar part.
java -jar encoder.java -l resources/de.properties -i hello.txt -o inject.bin
Additionally, if you're in the U.S. you shouldn't need to specify any keyboard settings.
-
Are there any USB cases online that could be used for the USB rubber ducky that are different from the ones sold in the hak shop? The metal rotating thing is getting a little bit annoying.
-
Hand them a USB rubber ducky with a mean batch script on it and smile ;) .
-
Good, and remember, the -o command is optional; if the encoder and text file are located on the root of the flash drive you don't even need to type it.
-
Yes, replace it with duckencode.jar; the name of the encoder changed between versions 1.2 and 2.1.
-
Ok, I just tried to use PowerShell, and you're right, it's just like the command line, and should work for our purposes. We are going to change the hello world you are using so we can actually see the output in a text program, so here's the hello world program I put on the duck site.
DELAY 3000
GUI R
DELAY 500
STRING notepad
DELAY 500
ENTER
DELAY 750
STRING Hello World!!!
ENTER
For now don't even bother with trying to flash the ducky, it isn't strictly required for learning purposes.
The following is what I would type into PowerShell, assuming that both the encoder and the hello world text document are on the root of the drive:
Windows PowerShell
Copyright © 2012 Microsoft Corporation. All rights reserved.

PS C:\Users\UserName> J:
PS J:\> java -jar encoder.jar -i HelloWorld.txt
PS J:\>
-
It sounds like you didn't go through the flashing process, so you still have the stock firmware. Post the helloworld.txt file here so we can see it, there might be something there. Also, make sure you are using the encoder correctly. Typically the inject.bin is not created in PowerShell, but is created in the command line.
example of command:
J:\> java -jar J:\Encoder_V1.2\duckencode.jar -i J:\HelloWorldFolder\HelloWorld.txt -o J:\inject.bin
Also, make sure the inject.bin is on the root of the SD card.
-
Re-flashing the ducky might work. Do you have any special firmware installed?
-
Threw together a payload which you can get at this other forum post:
http://forums.hak5.org/index.php?/topic/28697-question-is-it-possible-to-run-exes/
It will need to be slightly modified to run a jar, but it is pretty straightforward.
-
The following is a payload I have been working on that waits until a drive labeled "DUCKY" is mounted. I have used some of midnightsnake's code in this payload. I have been having some problems with delays so I went a little overboard with the "DELAY 25" codes. The name of the file that is run can be changed to .exe, I am just having it run a batch for testing purposes. The line that says "STRING %myd%\myEXE.bat" is the line that executes the executable.
REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
DELAY 4000
REM Using the run command for a broader OS base.
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 25
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
DELAY 25
STRING erase /Q DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING copy con DuckyWait.bat
DELAY 25
ENTER
DELAY 25
REM DuckyWait.bat
DELAY 25
STRING :while1
DELAY 25
ENTER
DELAY 25
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
DELAY 25
ENTER
DELAY 25
STRING if Exist %myd% (
DELAY 25
ENTER
DELAY 25
STRING goto break
DELAY 25
ENTER
DELAY 25
STRING )
DELAY 25
ENTER
DELAY 25
STRING timeout /t 30
DELAY 25
ENTER
DELAY 25
STRING goto while1
DELAY 25
ENTER
DELAY 25
STRING :break
DELAY 25
ENTER
DELAY 25
REM Continue script.
DELAY 25
STRING %myd%\myEXE.bat
DELAY 25
ENTER
DELAY 25
CONTROL z
DELAY 25
ENTER
DELAY 25
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
DELAY 25
REM Delete vbs file if already exists
DELAY 25
STRING erase /Q invis.vbs
DELAY 25
ENTER
DELAY 25
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
DELAY 25
STRING copy con invis.vbs
DELAY 25
ENTER
DELAY 25
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
DELAY 25
ENTER
DELAY 25
CONTROL Z
DELAY 25
ENTER
DELAY 25
REM RUN THE BATCH FILE
DELAY 25
STRING wscript.exe invis.vbs DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING EXIT
ENTER
The following is the batch file that is run after the "DUCKY" drive has been mounted. Everything is being run invisibly, so you will need to check for the existence of "Message.txt" which will probably be in "C:\Windows\system32".
REM Message.txt
echo Hello World!!!
echo Hello World!!! > Message.txt
P.S. when is the online payload generator getting back online!!! I need the REPEAT command!!!! You will need to replace REPEAT in the beginning of the code with 100 repeats, so copy-pasty.
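Both the MobileTabs payload earlier in this thread and the RunEXE payload above leave recognisable process-creation traces on the host (a cmd.exe started with its text colour set to invisible, a WMIC volume-label poll, wscript.exe running a .vbs that takes a .bat as argument). The following detection sketch is an added example, not code from the original posts; it assumes a simplified Sysmon-like `Image=... | ParentImage=... | CommandLine=...` record shape constructed inline, and the three rule names are made up here.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records in a simplified Sysmon-like
# "Image=... | ParentImage=... | CommandLine=..." form; not real captured logs.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\cmd.exe | ParentImage=C:\\Windows\\explorer.exe | CommandLine=cmd /Q /D /T:7F /F:OFF /V:ON /K",
    "Image=C:\\Windows\\System32\\cmd.exe | ParentImage=C:\\Windows\\explorer.exe | CommandLine=cmd /Q /D /T:0a /F:OFF /V:OFF /K",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe | ParentImage=C:\\Windows\\System32\\cmd.exe | CommandLine=wmic volume get driveletter, label",
    "Image=C:\\Windows\\System32\\wscript.exe | ParentImage=C:\\Windows\\System32\\cmd.exe | CommandLine=wscript.exe invis.vbs DuckyWait.bat",
    "Image=C:\\Windows\\System32\\cmd.exe | ParentImage=C:\\Windows\\explorer.exe | CommandLine=cmd /K dir",
    "Image=C:\\Windows\\System32\\notepad.exe | ParentImage=C:\\Windows\\explorer.exe | CommandLine=notepad",
]

# (rule name, predicate). Each keys on a command line the payloads in this
# thread actually type. Note: "copy con" is a cmd built-in and spawns no
# process, so the dropped .vbs/.bat files need file-creation telemetry instead.
RULES = [
    ("cmd_text_colour_hidden",        # /T:7F or /T:0a makes the typed text invisible
     lambda e: e["image"].endswith("cmd.exe")
     and re.search(r"/T:(7F|0A)\b", e["cmdline"], re.I) is not None
     and re.search(r"\s/K\b", e["cmdline"], re.I) is not None),
    ("wmic_volume_label_probe",       # polling for a removable drive by label
     lambda e: e["image"].endswith("wmic.exe")
     and re.search(r"volume\s+get\s+driveletter\s*,\s*label", e["cmdline"], re.I) is not None),
    ("wscript_vbs_launching_bat",     # the invis.vbs "run hidden" wrapper
     lambda e: e["image"].endswith("wscript.exe")
     and re.search(r"\.vbs\b.*\.bat\b", e["cmdline"], re.I) is not None),
]

def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value | Key=value' into the two fields the rules use."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return {"image": fields.get("image", "").lower(),
            "cmdline": fields.get("commandline", "")}

def match_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair that fires, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        hits.extend({"rule": name, "cmdline": event["cmdline"]}
                    for name, predicate in RULES if predicate(event))
    return hits
```

The benign `cmd /K dir` and `notepad` records in the sample are there to show the rules do not fire on an ordinary interactive shell.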
-
I did some research and wondered if, instead of a batch file to detect whether the Ducky SD is mounted or not, we could just do something like this:
bool init_sd_card(void) {
    return (card.init(SPI_HALF_SPEED, sd_chip_select)
            && volume.init(&card)
            && root.openRoot(&volume)) ? true : false;
}
That one is for the Teensy so I have no idea on whether it would work on the Ducky or not. Just thought it might work seeing as how similar they are.
That looks a lot like the C language; duckies are programmed with duckyscript. I sometimes wish we could program the ducky with C. I think the only way to really do this is to have the ducky type out either a batch script or a VB script.
-
I have looked over some of the pages and decided that unfortunately I do not have enough money to pursue a project like this (some of the Wi-Fi boards were $84 or so). If I were to attempt a project like this it would only be if it were possible to have cheap enough hardware that half the hardware can be left behind after an attack. Angry admins normally don't let you keep your hardware, especially if it is a remote hack. I also have no previous Teensy programming experience; I would need resources to learn about them before even thinking about a project like this.
-
I am going to have to look into this; how much understanding of the hardware is required? Is there any soldering involved? I am a programmer type, so I have little knowledge of hardware type stuff.
-
I just tested my code snippet. It is so gratifying when a plan comes together. Tell the ducky to make a batch file, then run it. Added another '%' to make the for loop run in a batch file.
REM DuckyWait.bat
:while1
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
if Exist %myd% (
    goto break
)
goto while1
:break
REM Continue script.
-
Yeah, the script should look for a drive labeled 'ducky', and loop until the drive exists. When it does exist, it will break out of the loop. The part that looks for the ducky drive:
for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
was actually written by midnightsnake. The rest of it is my untested solution to the problem of waiting for the drive to exist. I have not actually tested it yet, so no guarantees.
[Suggestion][Payload] Ducky payload persistence windows
in Classic USB Rubber Ducky
Posted
I think for escalation of privileges we would need some form of exploit that would take control of an application running under admin privileges right?