[Mr Robot Hack]

On 10/18/2016 at 8:21 PM, Ferryman said:

Well I attempted to put the mimikatz.exe on the ducky sd with the inject.bin file, but that didn't work. I turned off AV  and Firewall just to rule out that and still nothing. I am thinking your right. It has to be an I'm.ps1 script.

You have to rename mimikatz and all the references to it in the ps1 script, AV is only catching the name. Thats what worked for me. 

[Mr Robot Hack]

I attached the Ducky Code I used, If there are any suggestions for changes please let me know. I will add that this code assumes that the executionpolicy is set to bypass, however it could be written in to change that. 

15secondhack.txt

[Mr Robot Hack]

use Twin Duck firmware to redirect the output to the duck itself. I actually ended up storing the invoke-mimikatz on the duck itself to keep from needing to download it. I modified the script so most AV will not catch it. I used a command prompt to find the duck drive, then used that to set the variable. Dumped the creds to a text file back on the duck drive. I found all the information between the newest video from Mr. Robot hack and an older video they reference in that video where they show the same execution without upload. After some mods I was able to make it work pretty well.