Double Negative, posted April 21, 2015: Is it possible to use the Ducky to do a quick bypass of the Windows lock screen?
overwraith, posted April 21, 2015: NO. The objective is to find the users who don't lock their computers. Edited April 21, 2015 by overwraith
Double Negative (author), posted April 21, 2015: So the objective is to find the users who don't lock their computers... and who have admin rights... and who have PowerShell...
overwraith, posted April 21, 2015: Unfortunately yes; if you want to elevate privileges, learn assembly language. The Ducky is built for arbitrary execution of code; the code in question must do the actual privilege escalation (an exe, virus or payload). I would recommend "The Shellcoder's Handbook" and "Assembly Language for x86 Processors". It is hard to make code that actually does anything useful with the Ducky without knowing some penetration testing skills. I myself need to come up with some time to read these two books I bought. Edited April 21, 2015 by overwraith
Double Negative (author), posted April 21, 2015: While I really love to read, I always hope for good & intelligent people to linger around the forums, so I can learn something + save some time.
overwraith, posted April 21, 2015: Think about your question in the context of what the Ducky actually is: a keyboard. The Ducky's only way to execute code is to use the scripting languages built into the computer, the languages admins use. You can only use scripting logic in order to do things like navigate to the Micro SD card and execute an exe which is there. Asking us to do it without things like PowerShell, batch and VB is impossible! And an attempt to get past the Windows lock screen is downright magic. How do you get past the lock screen without some kind of hole in the DLLs of the system or some buffer overflow? I don't think such a hole exists in the security; people would have found it by now. The USB Rubber Ducky's only method of attack is running automated scripts on already unlocked computers, dropping stuff there, or executing something with actual teeth. I am sorry if I sounded a little bit terse towards the beginning of this thread, but your question calls into question your intelligence even as you call into question mine. I have coded several payloads, some tools including the VID/PID swapper with some help, and payloads such as run exe from SD and the Duck Slurp payload. Were you calling into question my intelligence when you said this? "I always hope for good & intelligent people" Edited April 21, 2015 by overwraith
Double Negative (author), posted April 21, 2015: I didn't exclude you with that sentence; I thought that was obvious. The only thing I could think of was shutting Windows down, then starting Windows in safe mode, doing the sticky keys bypass, rebooting, triggering sticky keys, downloading a shell and then just shutting the PC down...
overwraith, posted April 21, 2015: Sorry. The text sounded different than it probably should have in my head. I have also had a rough week/month/year/5 years. After looking on YouTube, I am saying it might be possible. You should try; it looks like you'll need BackTrack Linux / Kali on a CD-ROM or flash drive. I just didn't think something like that would be possible; it might have been patched by now. You would need at least one payload for the Kali portion of the attack, and one for the actual reprogramming of the user password. The Duck Script would appear to be almost an afterthought if this payload were implemented. According to the YouTube video it is just a BIOS tweak, a couple of copies, shift shift shift... and a net user command. I don't think that it is possible to include the Kali distro on the USB Rubber Ducky as a partition; you would need some extra media. You can't include everything in one payload; you would have to split into multiple payloads via Detour Duck or something. Edited April 21, 2015 by overwraith
Double Negative (author), posted April 21, 2015: No worries. You don't need Kali for this. Just good old safe or repair mode and some time.
Double Negative (author), posted April 21, 2015: Somehow I can't find the edit button, but wanted to add: this method is too tedious & easy IMO.
overwraith, posted April 21, 2015: Edit is in the bottom right-hand corner of the posted text; it looks almost translucent until you mouse over it, to the left of multi-quote and quote. The video I watched essentially booted into BackTrack and exchanged a couple of files, renaming them, then booted back into Windows, triggered sticky keys, and that popped open a command prompt. Try it out without the Ducky first, and when you have the procedure down you can translate it to Duck Script, or you can post the procedure here and people can help you code it to Duck Script. I don't have a machine right now that I can try this out on except my personal one, and I try not to do things like set passwords. I want it to boot up and not nag me for annoying things like passwords at home. Perhaps I should try to build a PC for testing this, but it could take a while. Edited April 21, 2015 by overwraith
s1tl, posted May 3, 2015: I know this is a bit off, but it is possible to reset a password before login. I have used the "sticky keys" bypass a lot to fix friends' forgotten password problems. Basically you boot off a live CD, replace sethc.exe with cmd.exe, hit shift 5 times and pop an admin shell. From there you can create/reset a local admin password. https://4sysops.com/archives/forgot-the-administrator-password-the-sticky-keys-trick/
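The swap s1tl describes leaves a clear artifact on disk: the file at System32\sethc.exe is no longer the accessibility helper Microsoft shipped but a copy of cmd.exe. The following PowerShell check is an added example for defenders, not code from this thread or from any of the posters; the function name Test-SethcIntegrity is made up for the example, and it assumes only the standard System32 location and an elevated prompt. It flags the replacement three ways: a SHA-256 match with cmd.exe, a version resource that does not name sethc.exe, and an Authenticode status other than Valid.

```powershell
# Added example (not from this thread): detect whether System32\sethc.exe has been
# replaced with a copy of cmd.exe, the offline "sticky keys" swap described above.
# Run from an elevated PowerShell prompt. Paths are the standard Windows locations.

function Test-SethcIntegrity {
    [CmdletBinding()]
    param(
        # Assumption: the default System32 directory of the running OS.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'
    $findings = @()

    # Check 1: a byte-identical copy of cmd.exe in sethc.exe's place is the textbook swap.
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += 'sethc.exe is byte-identical to cmd.exe'
    }

    # Check 2: the version resource of a genuine sethc.exe names itself; a renamed
    # cmd.exe still carries cmd's own OriginalFilename in its version resource.
    $origName = (Get-Item -Path $sethc).VersionInfo.OriginalFilename
    if ($origName -and $origName -notlike 'sethc*') {
        $findings += "OriginalFilename is '$origName', expected sethc.exe"
    }

    # Check 3: files Windows ships are signed (embedded or via catalog). Because a
    # catalog signature is bound to the file's hash rather than its name, a renamed
    # cmd.exe can still validate here, which is why checks 1 and 2 are needed too.
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is $($sig.Status)"
    }

    [pscustomobject]@{
        Path     = $sethc
        SHA256   = $sethcHash
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Usage: record the SHA256 from a known-good build as a baseline, then run on a
# schedule and alert when Tampered is $true or the hash drifts from the baseline.
Test-SethcIntegrity | Format-List
```

Two practical notes. The hash should be compared against a baseline taken from a known-good image of the same Windows build, since legitimate servicing also changes it. And the swap itself depends on the system volume being readable from a live CD; full-disk encryption of the system drive (BitLocker, for example) removes that offline write path, which is the mitigation that addresses the root of the technique rather than its symptom.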
bmintz, posted May 4, 2015: I think Kon-Boot will do the job very well in this case. When booted from a USB drive, Kon-Boot will let you log in to any Windows account without a password. It then provides privilege escalation which you could automate with the Ducky. Cheers!