Jump to content

String command issues (but not always ...)


Recommended Posts


Having some problems using encoded payload (encoding done manually and on toolkit site) in conjunction with the twin duck flash.

Half the time the string commands are not streamed correctly (characters missing at different positions).

Below an example to illustrate :

Encoded string command : STRING $driveletter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'Drive' } | select Name

When I use the ducky, half the times everything is just fine. But the other half (and most of the time it happens on the command above (but also occasionaly with others) the command get streamed with characters missing. Some examples :

$driveletter = Get-WMObject Win32_Volume | ? { $_.Label -eq 'Drive} | select Name

$driveletter = Get-WMIbject Win32_olume | ? { $_.Label -eq 'Drive'} | select Name

Anybody any ideas ?

Kind Regards,


In attachment an example showing the actual run (and the coding side by side).


Link to comment
Share on other sites

@LukasS : I do realize that i can alter the mechanism in order to get the drive letter. That is not the problem, in fact most everything i implement works just fine as long as the strings are streamed correctly (which is not the case). So the problem is not the commands itself, the problem is the way the keys are streamed to the operating system ...

@Peyo : The values in the example are a result of me playing with them in order to see how they would affect the streaming. Unfortunatly it doesn't make a difference if I delay for a 100 or more (or not), the results remain the same.

I was thinking the problem could lay with the flash software. Does anybody know where i can find the latest versions (is kind of confusing because there are lots of links to github. I'm using the hex files dated april 16 2013. Maybe I'm wrong with this but any help woud be greatly appreciated.

Kind regard,


Link to comment
Share on other sites

Hi Peyo,

Thanx for your reply.

It looks like it is somehow flash related since i'm getting different results ... but not the kind i was hoping for (situation is even worse ;-). Using the 2.1 version with a totally stripped down version of the payload (just invoking a basic powershell) fails 99% of the time. Characters are streamed inconsistently (different characters are ommited at different times) towards the operating system.

I'm seeing the same behaviour with different ducky's on different target computers. Even with different flash versions (classical duck and twin duck). It doesn't really makes any sense, should be straightforward right (started to think in the direction of the language file, but in that case it should never work, and not 50% of the time) ...

I'm missing something, just don't know what (maybe my common sense ;-).

Any ideas are always welcome, maybe they will make me see the light ...

Kind regards

Link to comment
Share on other sites

Well, i have my doubts ... i'm seeing the same behaviour with two different rubber ducky's (would be an awfully big coincidence, and i don't really believe in coincidence ;-).

I still have a third one laying around, will do some more tests tomorrow to see how that one behaves ...

I still believe i'm missing something, just don't know what ... will keep you informed ...

Maybe should start looking at the virtualisation layer of the targets (all running as vm's on different hardware). Maybe issue with the usb driver software (don't know, just guessing) ...

As always, all insights welcome ...

Link to comment
Share on other sites

Well, looks like we nailed it ;-)

Test (10 separate tests done) within the virtual machines -> success rate ± 50%

Test (20 separate tests done) on the host machines -> success rate 100%

So clearly something happening with the translation from physical to virtual layer (don't like it because it want it to work on virtual machines for all kinds of testing purposes) ...

Will investigate tomorrow (or the day after) if I can optimize the usb behaviour on the VMWare virtual machines ...

As Always, all insights welcome ...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...