svetoslav Posted February 9, 2014

Hi there! First of all - great payload! I've been poking with the Ducky for almost a week. Tinkering with it, one finds himself constantly reinserting it. I'm not quite sure if this can lead to drive corruption, but I would hate to get a chance to use the Ducky and find its storage corrupt from not safely removing the drive. I'm not quite sure if you will find this helpful, considering the slight overhead in execution time, but here it goes.

I use RemoveDrive to eject the USB storage drive at the end of the payload. I've considered devcon, with its many applications (removing all entries on a PID), but found it unsuitable as it requires a reboot.

This is what I use:

    REM ######
    REM Determine the OS architecture and set %arch% variable.
    REM ######
    DELAY 400
    STRING if "%PROCESSOR_ARCHITECTURE%" EQU "AMD64" (set arch=64) else (set arch=32)
    ENTER
    STRING set arch=%arch%
    ENTER
    REM ######
    REM Start RemoveDrive with \ and -L options to eject the USB storage
    REM RemoveDrive download URL http://www.uwe-sieber.de/drivetools_e.html
    REM Place RemoveDrive versions as follows:
    REM   32 bit in \removedrive\32
    REM   64 bit in \removedrive\64
    REM ######
    DELAY 400
    STRING %DUCKYdrive%\removedrive\%arch%\RemoveDrive.exe \ -L
    ENTER

Do you find this a necessary/useful precaution?
KyleKaotic Posted March 10, 2014 (edited March 10, 2014 by KyleKaotic)

> Nirsoft is detected by every AV available, there are a few other commandline apps that are fully undetected that will export password lists into text files.

Can you please share those? I would love to see these other FUD command line tools....
factgasm Posted September 16, 2014 (edited September 17, 2014 by factgasm)

I would be grateful if someone could explain how to bypass UAC when executing these programs. I tried this script on a plain Windows 7 machine and UAC immediately requested permission from the user to run some of them.

UPDATE: I carried out an exercise to determine which of the 19 executables triggers UAC. It appears that five will trigger it, as follows:

    Executable                   Triggers UAC?
    BrowsingHistoryView.exe      No
    BulletsPassView.exe          No
    ChromeHistoryView.exe        No
    ChromePass.exe               No
    Dialupass.exe                Yes
    iepv.exe                     No
    mailpv.exe                   No
    mspass.exe                   No
    netpass.exe                  Yes
    OperaPassView.exe            No
    OutlookAddressBookView.exe   No
    PasswordFox.exe              No
    PasswordScan.exe             Yes
    pspv.exe                     No
    RouterPassView.exe           No
    SkypeLogView.exe             No
    SniffPass.exe                Yes
    WebBrowserPassView.exe       No
    WirelessKeyView.exe          Yes