Jump to content

Key Combos in Ducky Script


Recommended Posts

In this thread Crackruckles pointed out that the command line editor can be run as administrator with the following:

  1. Press the Win keyboard key or click on Vista Start button.
  2. Type cmd into the Start Search textbox.
  3. Press Ctrl+Shift+Enter keyboard shortcut. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to “Run as Administrator”.
  4. Press Alt+C or press Continue to confirm the UAC elevation warning prompt.

The question is : Can Ducky Script handle three-key combos?

Sorry to start a whole new thread on this but I felt this was important enough to merit it (mods feel free to merge).

Link to comment
Share on other sites

Overwraith, you're a gentleman and a scholar. :)

Update: Sadly, having tried it, It doesn't run as hoped on either.

Here's a sample script I'm working with in Windows7/8.

DELAY 3000

Can anyone see why the CONTROL-SHIFT ENTER combo wouldn't work?

Personally I suspect that DuckyScript hasn't been set up to handle key-triples yet, though I would be happy to be proven wrong.

Edited by factgasm
Link to comment
Share on other sites


Also what keyboard are you encoding for?

Have you had any error output whilst compiling the binary?


Edited by 3mrgnc3
Link to comment
Share on other sites

I have tried both CTRL and CONTROL in the script. Neither produces compile error messages and both produce the same result at run time: The scripts run, the command line window pops-up (not as Administrator :() and the duck types the characters 'y' and 'e' at the prompt.

I'm using a UK keyboard but I have not set any parameters in my 'java -jar' line as presumably CTRL, SHIFT and ENTER are common on Western keyboards.

Edited by factgasm
Link to comment
Share on other sites

Personally I suspect that DuckyScript hasn't been set up to handle key-triples yet, though I would be happy to be proven wrong.

Sadly I suspect that you may be correct there mate. :(

Link to comment
Share on other sites

Good question.

There are several sources for the encoder. Unfortunately I can't remember which website I got the one I'm using from (possibly Github) and there's no identifying feature other than to tell you is a file called encoder.jar 52.6kb in size. You'll have to forgive me here, I'm new to this and fumbling my way through. :rolleyes:

The good news is that I have sidestepped the problems I mentioned earlier by using powershell, but the three-key-combo problem still remains.

Edited by factgasm
Link to comment
Share on other sites


you mentioned you are working on a script to work on windows 7 and 8...have you tried using the key combination on the target machine without the ducky?

The CTRL-SHIFT ENTER combination works great on WinXP, but I cannot make that key combination produce an admin level prompt on Vista, 7, or 8.

maybe I'm missing something...but for Vista, 7, and 8 I have to use something like https://forums.hak5.org/index.php?/topic/30100-payload-faster-uac-bypass/

I am using the command "net session >nul 2>&1" and then "echo %errorlevel%" to check for admin privileges...if the errorlevel is "0" it is admin and anything else is not.

Someone correct me if I'm missing something.


Link to comment
Share on other sites

Hmm. I noticed that you were trying to run the CMD terminal from the run dialog box. This won't work with a key combo. You would have to add some sort of powershell script to make it work correctly.

For Windows Vista or 7 (not sure about 8) Try just pressing the windows key, then type "cmd.exe", then press ctrl + shift + enter. The UAC dialog will come up, then press alt y for yes. And hey presto, one cmd!

If you are trying to do this for windows XP or newer, consider launching notepad and typing this into a file, then saving as a .bat script:

Credits to Matt for the great script and explanations (http://stackoverflow.com/questions/7044985/how-can-i-auto-elevate-my-batch-file-so-that-it-requests-from-uac-admin-rights/12264592#12264592)

:: Automatically check & get admin rights
@echo off
ECHO =============================
ECHO Running Admin shell
ECHO =============================

if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )

if '%1'=='ELEV' (shift & goto gotPrivileges)
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************

setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
exit /B

setlocal & pushd .

REM Run shell as admin (example) - put here code as you like
cmd /k

Give that a go and let me know the outcome!


Edited by MB60893
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...