Wabbe Posted September 6, 2015

Hi,

Having some problems using an encoded payload (encoding done manually and on the toolkit site) in conjunction with the twin duck flash. Half the time the string commands are not streamed correctly (characters missing at different positions). Below is an example to illustrate.

Encoded string command:

STRING $driveletter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'Drive' } | select Name

When I use the ducky, half the time everything is just fine. But the other half (most of the time it happens on the command above, but also occasionally with others) the command gets streamed with characters missing. Some examples:

$driveletter = Get-WMObject Win32_Volume | ? { $_.Label -eq 'Drive} | select Name
$driveletter = Get-WMIbject Win32_olume | ? { $_.Label -eq 'Drive'} | select Name

Anybody any ideas?

Kind regards,
Wabbe

In attachment an example showing the actual run (and the coding side by side).

LukasS Posted September 6, 2015

Hi :D

Try this and adapt to your script :D

STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

Peyo Posted September 6, 2015

In the payload, the key seems to be the delay before strings: a 100 ms delay seems to work fine (as posted in the image), in contrast with the 50 ms before the command.

Wabbe Posted September 6, 2015

@LukasS: I do realize that I can alter the mechanism in order to get the drive letter. That is not the problem; in fact almost everything I implement works just fine as long as the strings are streamed correctly (which is not the case). So the problem is not the commands themselves, the problem is the way the keys are streamed to the operating system ...

@Peyo: The values in the example are a result of me playing with them in order to see how they would affect the streaming. Unfortunately it doesn't make a difference if I delay for 100 or more (or not), the results remain the same.

I was thinking the problem could lie with the flash software. Does anybody know where I can find the latest versions (it is kind of confusing because there are lots of links to GitHub)? I'm using the hex files dated April 16, 2013.

Maybe I'm wrong with this, but any help would be greatly appreciated.

Kind regards,
Wabbe

Peyo Posted September 6, 2015

I'm using the Twin Duck Firmware from here: https://github.com/midnitesnake/USB-Rubber-Ducky/blob/master/Firmware/Images/c_duck_v2.1.hex, and it works like a charm.

Hope this can solve your issue.

Wabbe Posted September 7, 2015

Hi Peyo,

Thanks for your reply. It looks like it is somehow flash related since I'm getting different results ... but not the kind I was hoping for (the situation is even worse ;-).

Using the 2.1 version with a totally stripped-down version of the payload (just invoking a basic PowerShell) fails 99% of the time. Characters are streamed inconsistently (different characters are omitted at different times) towards the operating system.

I'm seeing the same behaviour with different duckies on different target computers, even with different flash versions (classical duck and twin duck).

It doesn't really make any sense, it should be straightforward, right (I started to think in the direction of the language file, but in that case it should never work, and not 50% of the time) ...

I'm missing something, just don't know what (maybe my common sense ;-). Any ideas are always welcome, maybe they will make me see the light ...

Kind regards

Peyo Posted September 8, 2015

Considering the different tests you've done, I believe that your RB is somehow damaged. I recommend you review the warranty clauses at: http://hakshop.myshopify.com/pages/policy#warranty

Wabbe Posted September 8, 2015

Well, I have my doubts ... I'm seeing the same behaviour with two different Rubber Duckies (that would be an awfully big coincidence, and I don't really believe in coincidence ;-). I still have a third one lying around, will do some more tests tomorrow to see how that one behaves ...

I still believe I'm missing something, just don't know what ... will keep you informed ...

Maybe I should start looking at the virtualisation layer of the targets (all running as VMs on different hardware). Maybe an issue with the USB driver software (don't know, just guessing) ...

As always, all insights welcome ...

Wabbe Posted September 8, 2015

Well, looks like we nailed it ;-)

Test (10 separate tests done) within the virtual machines -> success rate ± 50%
Test (20 separate tests done) on the host machines -> success rate 100%

So clearly something is happening with the translation from the physical to the virtual layer (don't like it because I want it to work on virtual machines for all kinds of testing purposes) ...

Will investigate tomorrow (or the day after) if I can optimize the USB behaviour on the VMware virtual machines ...

As always, all insights welcome ...

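Added example, not part of the thread: a small Python diagnostic that aligns the intended command with what actually arrived and separates lost keystrokes from substituted ones, which is the distinction the thread turns on (a wrong language file would swap characters on every run, while the failures reported here only lose them). The intended and received strings are copied from the first post; `LAYOUT_SAMPLE` and the function names are constructed for illustration.

```python
from difflib import SequenceMatcher

# Intended command and the two received strings, copied from the first post.
INTENDED = "$driveletter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'Drive' } | select Name"
RECEIVED = [
    "$driveletter = Get-WMObject Win32_Volume | ? { $_.Label -eq 'Drive} | select Name",
    "$driveletter = Get-WMIbject Win32_olume | ? { $_.Label -eq 'Drive'} | select Name",
]
# Constructed sample (not from the thread): a layout mismatch swaps characters
# for other characters instead of losing them.
LAYOUT_SAMPLE = "$driveletter = Get-ZMIObject Zin32_Volume | ? { $_.Label -eq 'Drive' } | select Name"


def classify(intended, received):
    """Align both strings and sort every difference by kind."""
    result = {"dropped": [], "substituted": [], "extra": []}
    matcher = SequenceMatcher(None, intended, received, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "delete":      # present in the script, never arrived
            result["dropped"].append((i1, intended[i1:i2]))
        elif tag == "replace":   # arrived as a different character
            result["substituted"].append((i1, intended[i1:i2], received[j1:j2]))
        elif tag == "insert":    # arrived without being in the script
            result["extra"].append((i1, received[j1:j2]))
    return result


def diagnose(intended, runs):
    """Summarise several runs by the kinds of difference they contain."""
    kinds = set()
    for received in runs:
        diff = classify(intended, received)
        kinds.update(kind for kind, items in diff.items() if items)
    if not kinds:
        return "clean"
    if kinds == {"dropped"}:
        return "keystrokes lost in transit"
    if kinds == {"substituted"}:
        return "substitution, check keyboard layout"
    return "mixed"


if __name__ == "__main__":
    for run in RECEIVED:
        print(classify(INTENDED, run)["dropped"])
    print(diagnose(INTENDED, RECEIVED))
    print(diagnose(INTENDED, [LAYOUT_SAMPLE]))
```

Running the same comparison over a batch of captures from the VM and from the host gives a per-environment picture to set beside the success rates in the last post.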