Payload not working on XP machines

[factgasm]

I was experimenting with some innocuous Ducky scripts at a local internet cafe and, much to my surprise, it appeared that their rickety old Windows XP computers were able to stop the Ducky in its tracks. How come? Well, certainly those machines had been installed with some antivirus software called S****** (I won't name it here, PM me if you need to know) . Even before the Duck got to send so much as one key stroke the AV kicked in and an autorun.inf file appeared on the Duck's SD card. While the Duck did execute its binary file, the Diskpart/WMIC code for determining the Duck's volume name ("Ducky") didn't work - it just gave the error message "volume - Alias not found".

Was this snag caused by the AV?

UPDATE: Further to this, I have just run the Diskpart/WMIC code in an XP virtual machine on my own laptop at home (clean install, no AV) and got the same error message as yesterday: "volume - Alias not found"

This suggests that the payload's failure to execute at the internet cafe yesterday wasn't down to AV on the host machine, but down to the payload being incompatible with XP. Here's some steps that replicate the error:

The good news is that despite an autorun.inf file being written to the Duck's SD Card by the host machine, the Ducky still executed its payload anyway, even if that payload didn't work properly. Your thoughts please.

[Oli]

The ducky is essentially a keyboard just blindly executing a predefined set of keystrokes so it is going to work 99% (bar edge cases relating to VID/PID etc) once drivers are installed.

The script is using a fairly hacky way to detect a USB dongle - just run and debug the actual script. Hacky method of doing things are likely to be easily broken / change for system to system.

I'm guessing you actually remembered to name a separate flash USB drive as "DUCKY? You say "the AV kicked in and an autorun.inf file appeared on the Duck's SD card.". The script needs a separate USB drive called ducky and nothing should be actually changing the Ducks SD card - are you using one of the other firmwares to use the ducky as a mass storage device or something?

[Broti]

Are you sure that WMIC is installed? It's normally not included in XP Home, if my research is correct.

[overwraith]

If you put a file "exfiltrate.txt" on your flash drive, then I think this command will probably work, may need some tweaks.

for %i in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do if exist %i:\exfiltrate.txt set myd=%i:

Edited September 15, 2014 by overwraith

[factgasm]

@Broti, Neither these two methods worked on XP, though both did on Vista forwards.

for /f %D in ('wmic volume get DriveLetter^, Label ^| find "DUCKY"')

for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"')

@Overwraith, many thanks for the code, this definitely works on XP. Not pretty, but certainly effective.

@Oli. Me slightly confused. Here's how I have been using the Duck:

• I take a Micro SD Card making sure it has volume name 'Ducky'
• Using the supplied USB adapter I connect that Micro SD Card to my laptop and do all my development work with it attached that way.
• All my bin files go on that Micro SD Card, along with any other files I might need such as Mr Gray's executables.
• This way all the files I need for an attack are stored in one place.
• I then unplug the USB adapter from my laptop and slide the Micro SD Card into the USB Ducky Micro SD Card socket,
• I then insert the USB Ducky into a USB socket on the target machine.

Have I got the wrong end of the stick? (I am happy to make a fool of myself here if it means I get my attacks right in future).