
UnKn0wnBooof

Active Members
  • Posts: 146
  • Joined
  • Last visited
  • Days Won: 1

Everything posted by UnKn0wnBooof

  1. ALL HACKERS UNITE! Recover as many product keys as possible via the Windows registry Ok, so I've started writing in Microsoft Visual Basic (2010) again, and I've already written scripts to recover a few product keys but I believe that if we all work together, then we can build the ultimate command line product key recovery tool. All I need is the location of the product keys and key names, such as HKEY_LOCAL_MACHINE\Software\Company\Product\Registration\ProductKey Using these locations of keys, I can simply implement these locations into the recovery program. This program is currently integrated into my duck payload "Ultimate Data Thief" and is named Wind (recovering keys is a breeze), but it only recovers Windows product keys and was updated last year. Now that I've started working on the project again, I want the hacker community to make it better as well as open source. This is the contents of the Main.vb file: Sooo, you lot in? Help is most appreciated.
  2. Ok, so I've been doing my research and I've tried a few file binders, but when I scan the outputted file with https://www.virustotal.com/uk/, it's still detected as a virus. Anyone know of some good file binders? Thanks.
  3. Indeed, a fusion of the scripts is definitely possible. Although AV will detect the programs, I am going to deal with that issue by fusing all the programs as one and then encrypt them so that when they run, AV won't know what it is.
  4. I believe I've just fixed the problem. I'll upload the update within the next 12 hours as I currently don't have the time to do so. I've also edited the NetCat Terminal.bat file so it has more functions than the previous versions :D . Hope this update will solve your problems ;) .
  5. I believe I have solved your problem. I edited the SCRIPT_EX.bat file to be able to self elevate itself so the SCRIPT_EX.exe file is no longer needed. I've also edited the Installer.bat and Compiler.bat so that newly created inject.bin files are written to execute SCRIPT_EX.bat instead of SCRIPT_EX.exe. Just download the update, extract it, remove SCRIPT_EX.exe from the duck as well as inject.bin; then run Installer.bat to copy the required files. Hope this update works ;)
  6. HHHmmm. So I guess I'd have to find a different way of executing the Data Thief batch file. I could write a program with Visual Basic but unfortunately, I no longer have the required tools to write a program because my netbook hard drive got fried :/. I could try writing a self elevating batch script. I realized that the Slax Linux installer batch file has the ability to self elevate. I'll look into it. I guess AV picks up the SCRIPT_EX.exe file as a virus because it's a compiled batch script and a lot of people compile batch scripts for malicious purposes. I compiled it with Abyss Quick Batch File Compiler. I'll see if I can release a fix within the next few days. Thanks.
  7. Is it possible that you send me your backup log, tell me what file was detected by your AV and send the installation parameters? E.g. Installation path like: "C:\Program Files\Antivirus", Service name: "Antivirus Service", and most important, the AV exe name: "AntivirusUI.exe" or/and "AntivirusSVC.exe". A directory listing of your antivirus program's installation path would be cool. You can do this by running cmd.exe, then use this command: DIR "C:\Program Files\Antivirus" > "%USERPROFILE%\Desktop\DirectoryListing.txt" You would obviously have to edit the directory part. Thanks for the bug report :D
  8. I've been browsing the web trying to find ways of bypassing AV (Antivirus), the first page I visited was: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram and then I decided to do a bit of Googling and found this: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/ All of them require Metasploit to be run. Anyone got any ideas of bypassing AV without the need of a secondary computer? Of course, there's the method of killing the AV UI and Service, but I'm sure AV software has ways to prevent that, and I'd also need as much information as possible about different AV software such as service name, installation path etc. You lot have any ideas?
  9. I used Mimikatz in the previous versions of Data Thief, but it does trigger Microsoft Security essentials (Why pay for antivirus?). I bypassed this issue by storing Mimikatz in an encrypted zip archive then when needed, 7-zip would decrypt the archive and then run Mimikatz, the advantage of this is that since the Duck RW speeds are slow, antivirus cannot scan the Duck because it is in use by 7-Zip and Mimikatz. Some (if not all) people think it's bad that the Duck has slow RW speeds, but I think it gives us the advantage. The advantage of procdump is that it doesn't trigger AV, but it can be slow :/. Another thing is - Mimikatz doesn't work with Windows 8.1 due to the new security enhancements. I don't have Windows 8, but I did try it on a friend's PC. I would have Windows 8 but they have an OEM key (the key you get when you buy a computer) so I can't activate it - I need a genuine Windows key :/. Anyway - back to the main subject. Mimikatz has been implemented in data thief already. Thanks anyway though :D . Before I release DT (Data Thief) - I recommend installing the Duck 4CAP firmware (you can get it on Ducky Decode). I recommend it because if Windows takes its time installing the drivers (Common with netbook computers), you don't have to worry about it exceeding the delay time.
  10. Ok, I was looking around on the internet for a generic, transparent USB case for the duck. I want a transparent case because then I can see the led pulse, unfortunately - no luck. However - I did come across this site that provides custom USB memory sticks: http://www.brandedmemorysticks.co.uk and this: http://www.flashbay.co.uk/ I'm not sure if the cases provided would fit the Duck however <_< .
  11. Thanks. As for OSX, unfortunately - I don't have an OSX system :( otherwise I would have definitely created a payload for mac systems too. However, I have been looking into how the mac OS works by Googling a lot. It's a lot like Linux (Is it Linux based?). Anyway, if I ever get my hands on an Apple computer (Maybe in the next 2/3 years? - I'm not someone with much money) I'll let you know.
  12. HHHmmmmm. Seems like a good idea to implement Metasploit in the payload - however, I'd need support from a group of people who have different antivirus programs. Then I'd need them to write batch files that can successfully terminate the AV user interface. Then I'd need them to make notes of what service their AV programs run under - this way, once elevation has been granted (through Metasploit) - we could just kill the AV services. If you manage to successfully get a script that can be added to the payload which has Metasploit implemented, then that would be great. I don't have much time to tinker with Metasploit so it would be great if you guys can mess around with it instead. Great idea though :D .
  13. I removed the payload because of reasons that I currently don't want to discuss. All I'm saying is - it's a secret. I also think that people should realize how much potential this payload has, compared to the other simple payloads out there. My aim is to make the ultimate payload. Anyway, any help would be appreciated. Do you have any ideas of what else I could add? Any example scripts that I could manifest into the current system batch file would be cool. By "System batch file", I mean the SP.bat file. I'll re-upload the payload within a week or two. You might be wondering why so long. Well - like I said, a secret.
  14. Hi again, As you know, there are others on this forum that want to change the name of their duck, etc to make it more anonymous - so I have a simple idea (may not be simple to program however, I'm not sure); edit the firmware so it can read a configuration file on the SD card - just like how the duck reads the "inject.bin" file. So for example, there could be a file on the SD card called "config.bin" which contains the following: The firmware I've started using is the "4CAPS" firmware since I don't have to wait for a delay. I think it's perfect for my payload "ULTIMATE DATA THIEF!". Thanks. I know you're busy so take your time :D
  15. I understand. Happy X-mas. Another developer that I know who is really busy is Ponury (A guy who makes the Android app "WifiKill"), I love hard workers.
  16. Hi, I've downloaded the source for the c_duck firmware, and I changed a few of the properties so the duck has a different name - at least most of it anyway, but when I compile it and then flash it; the duck registers as a Mass Storage Device, but the duck won't emulate the keyboard, and the USB Mass Storage has the name "ATMEL Ducky Storage USB Device". I've changed all the strings in the "config_usb.h" so the name is different but it still doesn't work. All I've changed is: Still no luck. Also, when I compile the program, I get errors related to "input", the errors I get are: "input is not relaxable" and "no return statement in function returning non-void". I want to edit the "Composite_Duck_4cap" firmware but I can't find the source, so I'm using the "Composite Duck" firmware to see if I can successfully modify the code. Is it possible for you to upload a custom version of the "Composite Duck" firmware so that the Duck doesn't register as a Duck? Such as what I was trying to accomplish in the Quote above... Thanks. And thank you for all your work so far! You really do take care of the Ducky project :)
  17. Dude, YOU'RE AWESOME! I wish I had a 3D Printer now, that's sooo cool!
  18. Thanks for the useful information, best reply so far :) but I'm looking for something like a java binary that's compiled for the arm architecture, and then placing it in the /system/xbin area. This way, I can make an online compiler with my Android, I use Bit Web Server to host web pages, so if I was able to run a java command from PHP, then I can compile ducky scripts through a web ui. This should also mean that the app won't be killed if you rotate the screen, since it's running on a server side interpreter.
  19. Well, without Administrative access, the only things the payload can do really is get Chrome login data, and Windows product keys. The procdump won't work because it requires access to another program's RAM data - which needs admin access, Mimikatz won't work because once again - needs access to another program's RAM data, and wifi keys cannot be recovered because of Microsoft's encryption methods. You can export the wifi keys, but they will ONLY work on the machine that you "backed" them up from; if you try importing the keys on another machine - it won't work. So the answer to your question is yes, you can use the payload without admin access (you need to tell the payload to run "SCRIPT_EX.bat" instead of "SCRIPT_EX.exe"), but you won't be able to get much data without it. It's all down to what information you want.
  20. I've just uploaded another update. One of the batch labels in the SP.bat file was misspelt. My keyboard didn't enter the "_" for the 64_bit label. Should be working perfectly now. Comment if you encounter any more issues.
  21. Is it possible to run the Duck Encoder on Android using the Terminal Emulator?
  22. Hhhmm. That's not an issue with the payload. Either that's an issue with the encoder or it's because you don't have all the required packages installed to use the encoder. These links may help: https://code.google.com/p/ducky-decode/wiki/Encoder_Howto I believe you also need Microsoft Visual C++ 2010 Redistributable. You can download the web installer from my Dropbox account: https://www.dropbox.com/l/i2teEbn96XtxpwQ9WfnNtf Hope this helps.
  23. It could also be that your edition of Windows doesn't support the "set /a" function - which is used to add up. I guess it requires a little tinkering with the SP.bat.