marc
Posted March 7, 2012 (edited)

Received my rubber ducky yesterday and I'm having great fun playing with some payloads. Sadly I don't have a win7 box to play with outside of my VM, and the Mac keyboard layout as well as being in the UK isn't the greatest thing in the world, but still loving the device.

I recommend getting yourself a USB hub that also has a microSD slot; it makes for much faster payload writing and testing.

Here's an idea. Given that the rubber ducky doesn't receive any info from the system itself, it completes its commands without receiving any feedback. As this is the case, longer payloads could be covered up visually with the following idea:

We write a small app that takes the clipboard, displays it fullscreen and always-on-top, and doesn't exit unless a certain key command is pressed. Say CTRL-H.

1. Printscreen is pressed
2. Code is executed to quickly download/run this app, which launches as above.
3. Other elements of the payload are completed in the background. Meanwhile, the printscreen from the beginning is being displayed due to the app running.
4. Eventually, the other elements of the payload are quit on completion, such as command windows etc etc.
5. CTRL-H is pressed to quit the printscreen display app which cuts back to the desktop looking exactly like the printscreen.

This would produce no more visual giveaways than the payload executing this app.

Of course, when we have access to the microSD data itself as well as the HID, this should be a lot easier to implement. But it's just an idea to "lock" the screen whilst executing more complex procedures to avoid suspicion.

Edited March 7, 2012 by marc
raytri3 (Solution)
Posted June 28, 2012

My favorite way to hide is:

STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K

followed by ALT SPACE M downarrows to move it off screen.
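For defenders, an added example (not part of either post) of flagging the cmd invocation quoted in the answer above in process-creation logs. The event fields, the sample events and the threshold of four switches are assumptions made for illustration.

```python
import re

# cmd image name, bare or with a path, optionally quoted.
CMD_IMAGE = re.compile(r'^"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?(?=\s|$)', re.I)
# cmd accepts switches run together (/q/d/k), so scan rather than split.
SWITCH_RE = re.compile(r"/([A-Za-z])(?::([0-9A-Za-z]+))?")


def cmd_switches(command_line):
    """Return which switches from the quoted line appear before /K or /C."""
    line = command_line.strip()
    m = CMD_IMAGE.match(line)
    if not m:
        return set()
    found = set()
    for letter, value in SWITCH_RE.findall(line[m.end():]):
        letter, value = letter.upper(), value.upper()
        if letter == "T" and re.fullmatch(r"[0-9A-F]{2}", value):
            found.add("/T")  # any colour pair, not only 7F
        elif letter in ("F", "V") and value == "OFF":
            found.add(f"/{letter}:OFF")
        elif letter in ("Q", "D", "K") and not value:
            found.add(f"/{letter}")
        if letter in ("K", "C"):
            break  # what follows /K or /C is the command, not a switch
    return found


def flag_events(events, threshold=4):
    """Return (host, switches) for cmd launches with >= threshold switches."""
    # threshold=4 is an assumed starting point; tune it against a baseline.
    flagged = []
    for ev in events:
        hits = cmd_switches(ev["command_line"])
        if len(hits) >= threshold:
            flagged.append((ev["host"], sorted(hits)))
    return flagged


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "command_line": "cmd /Q /D /T:7F /F:OFF /V:OFF /K"},
    {"host": "ws02", "command_line": r"C:\Windows\System32\cmd.exe /c dir /Q"},
    {"host": "ws03", "command_line": r'"C:\Windows\system32\cmd.exe" /q/d/t:0a/f:off/v:off/k'},
    {"host": "ws04", "command_line": "powershell.exe -NoProfile"},
]
```

Matching on the combination of switches rather than the exact string keeps the rule working when case, spacing or the colour value changes.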