unattended/silent run exe/vbs/bat from rubber ducky?


my goal is to give a usb pendrive into the hands of the admin .... so he is not going to take a cofe when all these windows pop up on the monitor....

so the question is: do any tricks or scripts exist that allow one single rubber ducky to run an exe or vbs or batch script silently, invisibly, unattended, or at least with just a 1-2 sec pop up window?

the victim machines are xp / win7 and do not have powershell preinstalled and do not always have java installed

any tricks ???


So I have to wonder, are you intentionally spelling badly, is English your non-native language, or are you trying to mask your speech patterns/identity through some kind of bad English obfuscation algorithm? ("cofe", no capitalization, little punctuation) Just kidding, you just go on with your bad English thing, we will try to decipher.

Regardless here is a script designed to run an EXE from your SD card provided the drive has the correct firmware installed on it.

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd

You will have to time this one, it might be a bit longer than your requirements specify, and a little coding might be required to translate to VB etc. There may be ways to trim down the amount of coding but the functionality is already fairly bare.

What you could do is put a big delay at the beginning of the script so that it executes some time after he plugs it in. There isn't really a way of determining whether he is actually away from the computer. Another thing you should be aware of is that many of the firmware types have a limit on the size of the scripts you can build, and delays essentially count as a byte for each delay to the ducky. So delays that are too big will cause the end of the script not to execute if you get it wrong. It is essentially an overflow condition without the associated exploitation. The limit is on the ducky's memory. I am not sure if further firmware development would fix the problem, or if it has already been fixed; just experiment with it (the delays). I often wonder if there would be some way of intercepting keystrokes with the ducky to determine if the computer is idle or not, but I think that it would probably be impossible, but I have no evidence either way.

Edited by overwraith

Regardless here is a script designed to run an EXE from your SD card provided the drive has the correct firmware installed on it.

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---runexe-from-sd

hi, thanks for your post... seems like it is useful but i have a question: does this script work directly from the SD card or only if the SD card is inserted in the rubber ducky? do i have to buy a usb rubber ducky to run it or not?

.... does it work like shown in this video

which demands 2 pendrives and shows 2 cmd windows with a stupid way to cover the attack under win update?

or does this script work absolutely silently? and does it work on win XP without powershell and java installed?


Duckies are keyboards, they have to type, and the only way to execute their commands is via VBScript, batch, etc., all of which require you to type into a command prompt or PowerShell. The Ducky attack will not be completely silent, especially when the duck has to run its code, but the script does have an invis.vbs script which tries to make it more silent than it would be otherwise, by making the batch script which waits for the ducky SD card to connect run silently. The SD card (micro SD) attaches to the USB rubber ducky, and that is where the injection file resides; the actual bytes the ducky types out are in the inject.bin file on the micro SD. You need to compile scripts into these binary files and put them on the SD, and plug the SD into the ducky for it to run anything. There are firmware types which allow you to use the SD card attached to your ducky for mass storage as well, which is what I am asking you to install on your ducky (it is called flashing). The SD card usually takes a while to connect, but I think it has gotten faster for some reason over the past couple of years. Don't know if it is associated with my computer rebuild or firmware upgrades or what. Another feature that attempts to minimize the ducky's impact on the screen is this part of the script:

ALT SPACE
STRING M
DOWNARROW
REPEAT 100

This basically takes the command prompt which pops up, and moves it off the screen via the down arrow and some keystrokes. If the user is looking at the screen they will notice, but this is at least an attempt to minimize the screen footprint. Some people have said you could use the windows screen saver by calling some DLLs in order to completely shroud the visual impact. I would have to go hunt for that post.

I would love to have the ducky revamped in order to support a separate mass storage section, in addition to the SD card, but it would probably make the ducky bigger, more expensive etc. I wouldn't mind if there was a specific version I could buy which was a little more expensive, but some attacks seem to require different parameters. For instance what if you are exclusively running exes on one ducky off attached mass storage, and you are never going to lose that one in a parking lot or something. You would be able to invest a little more money into it. Now say on the other hand you wanted to literally blanket parking lots with these things, then you want it as cheap as possible because you might not get them back. You almost need a couple of different versions.

The additional flash drive in the video is to expedite the mass storage attachment, because ducky mass storage can sometimes be slow. It is especially slow when moving files onto the duck, and it is slow to connect. This script is designed however to support either the firmware upgrade, or the addition of the flash drive. If you are running an exe off the duck the slowness of the duck should be ok, especially if the exe isn't very big (the best viruses aren't big).

If you want to use this script you will need to rename the target drive "DUCKY", or find the associated text in the batch script and change it to whatever you want to rename your SD card to. You should label the SD card something that will be unique that the script will be able to discern where it is. Read the whole text on the associated page I linked you to.

This script does not appear to require powershell, if it does it should be fairly easy to remove. The scripts are in sequential order from oldest version to newest versions at the bottom of the page. The newest version has a special brute force type drive selection technique because we were having problems with not having admin access on previous scripts. Now it does not require that pesky diskpart command to parse the attached drives.

for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( 
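Added example, not part of the thread or of the payload it links to: a defender-side check for the ALT SPACE / M / repeated-arrow sequence quoted in the post above, which pushes a console window off-screen. The `(timestamp_ms, key)` event format, the key names and both thresholds are assumptions, and the sample log is constructed.

```python
# Added example: flag the "move window off-screen" keystroke pattern in a key-event log.
# Assumption: events are (timestamp_ms, key) tuples from some input-monitoring agent.
from statistics import median

ARROWS = {"UP", "DOWN", "LEFT", "RIGHT"}

def find_offscreen_moves(events, min_repeats=20, fast_gap_ms=40):
    """Return findings for ALT+SPACE, M, then >= min_repeats identical arrow keys."""
    findings = []
    i = 0
    while i + 2 < len(events):
        (t0, k0), (t1, k1) = events[i], events[i + 1]
        if k0 == "ALT+SPACE" and k1 == "M" and events[i + 2][1] in ARROWS:
            arrow = events[i + 2][1]
            j = i + 2
            while j < len(events) and events[j][1] == arrow:
                j += 1
            run = events[i + 2:j]
            if len(run) >= min_repeats:
                times = [t0, t1] + [t for t, _ in run]
                gaps = [b - a for a, b in zip(times, times[1:])]
                findings.append({
                    "start_ms": t0,
                    "arrow": arrow,
                    "repeats": len(run),
                    "median_gap_ms": median(gaps),
                    # Uniformly tiny gaps, including menu -> M, suggest injected input;
                    # a person holding an arrow key still pauses before pressing M.
                    "machine_paced": max(gaps) <= fast_gap_ms,
                })
            i = j  # resume after the arrow run
        else:
            i += 1
    return findings

def constructed_log():
    # Constructed sample data, not captured from a real device.
    injected = [(1000, "ALT+SPACE"), (1010, "M")]
    injected += [(1020 + 10 * n, "DOWN") for n in range(100)]
    human = [(9000, "ALT+SPACE"), (9450, "M")]
    human += [(9900 + 180 * n, "DOWN") for n in range(5)]
    typing = [(20000, "H"), (20140, "I")]
    return injected + human + typing

if __name__ == "__main__":
    for finding in find_offscreen_moves(constructed_log()):
        print(finding)
```

A long arrow run right after the window menu's Move command is worth an alert on its own; the `machine_paced` flag only helps an analyst separate injected input from a person nudging a window by hand.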

  • 1 month later...

i just got my usb rubber ducky

but when i insert it, it doesn't show up like any usb drive inserted. so how do i rename the drive to DUCKY?

the default hello world script works btw ..but not always ...seems like it depends on which window is active right now; if i watch a youtube video the script loses the active window....little bug

and another question: what is the Twin Duck payload from this page? http://www.ducktoolkit.com/Home.jsp

thanks in advance

ps

in the hak5 videos too much time is spent on ads and empty bla-bla-bla, get closer to the point please.... however Darren is cool


i clearly asked before and ask again: does this trick demand 2 pendrives and show 2 cmd windows with a stupid way to cover the attack under win update?

you said

If you want to use this script you will need to rename the target drive "DUCKY", or find the associated text in the batch script and change it to whatever you want to rename your SD card to. You should label the SD card something that will be unique that the script will be able to discern where it is

i guess you said no

but what i read in your script

the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Duck

but i don't see any new drive installed when i insert the rubber ducky ? what should i say to the admin, sorry it is broken? and i don't have cool music for you, and are those strange cmd pop ups just for cool? :wub::lol:


  • 2 months later...

A bit of a revival to the thread here.

i clearly asked before and ask again: does this trick demand 2 pendrives and show 2 cmd windows with a stupid way to cover the attack under win update?

you said

i guess you said no

but what i read in your script

the SD card after it mounts. Uses googleknowsbest's slightly more portable method to find the "Duck

but i don't see any new drive installed when i insert the rubber ducky ? what should i say to the admin, sorry it is broken? and i don't have cool music for you, and are those strange cmd pop ups just for cool? :wub::lol:

The reason there is no drive inserted (so that you can rename it) is because you have to flash the Twin Duck firmware. It can be found easily on the ducky wiki/forums or with Google. After flashing Twin Duck you will have a "new drive", as you termed it, to rename! No second flash drive required!

I recommend reading and learning a bit about a product before buying it sir! No offense meant! :)


Hold on people... Sorry for leaving this forum unattended for so long. Maddog is right, you have to actually install the firmware. There used to be a pretty good word doc that midnight snake made online. It was on the ducky decode website, you'll have to google. If it isn't there any more you will have to go to darren's github page, and read the flashing page there. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Flashing-ducky

You don't have to necessarily learn a whole lot about the ducky before buying it; you should be able to follow some procedures outlined online however, you should be able to figure out how to google for what you need, you should have the intention and drive to learn something programmatic. A lot of rubber ducky related stuff is scripting, programming, Windows scripting, and firmware development, etc. You don't necessarily have to learn everything right away, but you should have the intention and drive to actually go out and find and follow some of the tutorials already online.

I actually didn't know a whole lot about ducky dev when I first got the usb rubber ducky, in fact it is actually probably one of the tamest, and most user friendly tools you can buy in the hak-shop. I still don't know as much as I want to, but that is going to require grokking shellcode and by extension ASM and reversing. That could get a little bit intense, and looking for a job right now is taking priority over extracurricular activities.

Long story short you have to exert some effort on your part, mainly going through the online tutorials and the scorecard links that hak 5 gave you.
