mrmattmc Posted March 9, 2014 Share Posted March 9, 2014 So I just came across the Ducky the other day. Nice!! :D I expect to receive my Ducky some time next week. Anyway, was a little disappointed to discover the super slow data speeds when using the twin duck options. :( I like the idea of using a usb adapter to plug both drives in simultaneously but am not to enthused about a big cable adapter. So, I ordered this dual adapter from Amazon for $10. Not trying to plug this product just sharing my thoughts here. http://www.amazon.com/Cute-USB-2-Port-Splitter-White/dp/B00A81ISJ6/ref=pd_bxgy_pc_img_y I plan on using the Ducky as the instigator. Auto load the files then switch over to the fast usb device to load/finish up. Anyone else cobbled together something like this? I really want to keep the entire process as silent as possible with minimal user interaction. I even plan on having a drive removal script running to detect removal and perform silent housekeeping chores as the user is walking away. I will be starting this project in the coming weeks. So any advice would be appreciated. I will post progress reports as it develops. Goals: 1. Prompt user... Start Duck and Run or Access Data only. This allows the user to start the powerfull ducky process or simply access the data acquired on the fast usb drive without having to remove the data drive from the dual setup. Seems like this might require the dual payload options. One for simple data access and one for FULL ON DUCKY! 2. I intend to make temporary changes to the target pc. I would like to save these changes to a local temp directory and let the exit housekeeper restore all this as I am walking away. 3. Ducky drive and FastUSB drive will have fixed names but I expect to need to specify drive letters to avoid numerous calls to variables. So, might be assigning drive letters. Although, perhaps variables are better to avoid drive letter conflicts on the numerous target pc's. Any thoughts on this??? 4. Is anyone aware of a print payload? What I intend to do with the finished product is entirely above board. With that said I do need to print a single page after removing the drive(s) from the target pc. I know USB to default printer is a clunky process but just thought I would see if anyone has seen anything a little more reasonable for implementation in this context. I am still in the process of reading the entire Ducky forum to make sure my questions have not already been answered but any advice, direction or script help would be appreciated. As I said above, I will post updates along the way and intend to provide a complete fileset upon completion. Quote Link to comment Share on other sites More sharing options...
overwraith Posted March 9, 2014 Share Posted March 9, 2014 I looked into the printing process, and I found a few things. The standard print command only works if the computer is directly connected to the breached computer, and the networked print command is a little hard to use. I have never used these before. There are work arounds on some of the online forums for getting lists of printers and such using scripts. I think a better solution for printing would be simply running a notepad command with the file and path as an argument, and manually printing it yourself. Another possible way would be to code your duck firmware to run a different payload when you press the button. You could have it auto-run the first time, and when you want to finish up, press the button which does the clean up. By using the modified duck firmware you could script it to automatically print the file using keystrokes. Alternatively you could use functionality like in the duck slurp payload (v2) or the flash drive slurp payload, which I believe does have clean up capabilities. You should also think about what language you are going to program it in. The main ones that most duck payloads use are batch, powershell, and visual basic. Actually many payloads use a combination of these three for increased functionality. You could also make the main program a simple executable program if you wanted to, and it would probably be easier to get information about the drives that way. Then the ducky would only be starting the executable. If you use batch, you will probably have to use the visual basic file invis.vbs to make the batch file run invisibly, because the modern OS's don't allow batch files to run invisibly any more. The ducky slurp, and flash drive slurp payloads also have some code for keeping track of which drive is which, they use the drive's label to differentiate which one is the exfiltration drive, and which one is a target drive. The code for these two payloads were written in batch though. Quote Link to comment Share on other sites More sharing options...
overwraith Posted March 9, 2014 Share Posted March 9, 2014 Also, tell me how that USB adapter works for you. I have a really thick gorilla drive, and am wondering if there would be enough room between the duck and the other drive for it. Quote Link to comment Share on other sites More sharing options...
mrmattmc Posted March 9, 2014 Author Share Posted March 9, 2014 Thanks for the help. I have made some progress on the printing front myself. As I learn more about using keystrokes to initiate processes I will definitely look into that as means to print. Currently I am having great success using the DOSPRN program. It looks like I can just copy the need files to the target computer without "installing" the program and run a simple print command. I have been playing with a batch file like this one for testing. This is after I have copied the working files to the target pc. I added the timout because without it i just kill the process before it sends the print job to the printer. I plan on running all this invisible with the vbs file so all you see is the printer kicking out a page @echo off start c:\DOSPRN\DOSprn.exe copy printerlist.txt c:\prnspl timeout 9 rem taskkill /F /IM dosprn.exe for 32bit os C:\Windows\Syswow64\TaskKill /F /IM dosprn.exe exit As far as languages go I definitely will be using batch files and visual basic for running invisible. If I understand correctly powershell is an addon? As my target pc's will range from XP to Win 7 I would prefer to stay within the native capabilities of these os's and may shun powershell for that reason. One of the first payloads I looked at was ducky slurp. One of the scripts that really attracted me was the wait script to detect drive insertion. Here https://forums.hak5.org/index.php?/topic/30179-payload-duck-slurp-v2-silent/?p=239703 I posted about flipping the logic to detect drive removal. I really like this option as I can initiate some failsafe/housekeeping routines so I dont have to have the user do A,B,C before leaving. They just unplug the drive and the exit routines take care of the rest. Its sunday, I ordered my ducky on saturday. I want to start counting the days till i get my ducky but the math eludes me at the moment. Quote Link to comment Share on other sites More sharing options...
mrmattmc Posted March 9, 2014 Author Share Posted March 9, 2014 I plan on posting some pics of the adapter with ducky and some assorted usb drives. I have a couple of the nano micro usb sdmc card readers and definitely will be testing those as well. I may even look into a different shell for the ducky for size and aesthetics purposes. Quote Link to comment Share on other sites More sharing options...
mrmattmc Posted March 15, 2014 Author Share Posted March 15, 2014 Duck and stuff. Quote Link to comment Share on other sites More sharing options...
madhak Posted March 18, 2014 Share Posted March 18, 2014 Hey that remind me of my old ducky, I used a small hub too with a naked flash drive and a teensy: http://madhak.com/?p=41 I was using VBS too, the ducky would just locate the mass storage and run a more complex task from there Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.