Jump to content


This topic is now archived and is closed to further replies.


[Payload]: Mr Gray's Password, History recovery tool for Rubber Ducky

Recommended Posts

Hi there! First of all - great payload!

I've been poking with the Ducky for almost a week. Tinkering with, one finds himself constantly reinserting it. I'm not quite sure if this ca lead to drive corruption, but I would hate it to get a chance to use the ducky and find its storage corrupt from not safely removing the drive. I'm not quite sure if you will find this helpful, considering the slight overhead it execution time, but here it goes.

I use RemoveDrive to eject the usb storage drive, at the end of the payload. I've considered devcon, with its many applications (removing all entries on a PID), but found it unsuitable as it requires reboot.

This is what I use.

REM ######
REM Determine the OS architecture and set %arch% variable.
REM ######
STRING if "%PROCESSOR_ARCHITECTURE%" EQU "AMD64" (set arch=64) else (set arch=32)
STRING set arch=%arch%
REM ######
REM Start RemoveDrive with \ and -L options to eject the USB storage
REM RemoveDrive download URL http://www.uwe-sieber.de/drivetools_e.html
REM Place RemoveDrive versions as follows:
REM 32 bit in \removedrive\32
REM 64 bit in \removedrive\64
REM ######
STRING %DUCKYdrive%\removedrive\%arch%\RemoveDrive.exe \ -L

Do you find this a necessary/useful precaution?

Share this post

Link to post
Share on other sites

Nirsoft is detected by every AV available, there are a few other commandline apps that are fully undetected that will export password lists into text files.

can you please share those?

I would love to see these other FUD command line tools....

Share this post

Link to post
Share on other sites

I would be grateful if someone could explain how to bypass UAC when executing these programs.

I tried this script on a plain Windows 7 machine and UAC immediately requested permission from the user to run some of them.

UPDATE: I carried out an exercise to determine which of the 19 executables triggers UAC. It appears that five will trigger it as follows

Executable Trigggers UAC?

BrowsingHistoryView.exe No

BulletsPassView.exe No

ChromeHistoryView.exe No

ChromePass.exe No

Dialupass.exe Yes

iepv.exe No

mailpv.exe No

mspass.exe No

netpass.exe Yes

OperaPassView.exe No

OutlookAddressBookView.exe No

PasswordFox.exe No

PasswordScan.exe Yes

pspv.exe No

RouterPassView.exe No

SkypeLogView.exe No

SniffPass.exe Yes

WebBrowserPassView.exe No

WirelessKeyView.exe Yes

Share this post

Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...