Adams (Posted March 15, 2017)
I just made a basic test script to open a notepad file. It works fine when the computer is unlocked but when the computer is locked (WIN+L) it doesn't seem to fire. The lights change as they should and I can hear the beep sound like the commands are being rejected. I would expect with this script that when I unlock the computer I would see an open notepad window. Thanks in advance for any help.

    #!/bin/bash
    LED R
    # Present the device to the host as a USB keyboard
    ATTACKMODE HID
    LED R G
    # Q is shorthand for QUACK (send DuckyScript keystrokes)
    Q DELAY 3000
    Q GUI r
    Q DELAY 500
    Q STRING notepad.exe
    Q ENTER
    # Payloads are bash, so REM is not a comment here; use # instead
    # QUACK switch1/ducky.txt
    LED G 500

LowValueTarget (Posted March 15, 2017)
Adams, that's not how it works. When the computer is locked, keyboard strokes are either applied to the password field to unlock the computer or otherwise ignored. The reason quick creds and poisontap work on locked computers is because their primary attack vector is the bb masquerading as a usb to ethernet adapter (unchecked, 'installed' and useable). Even then, the remainder of the attack exploits known behavior on network devices and the traffic therein. Quick creds and poisontap do not utilize the HID attack mode.
Edited March 15, 2017 by LowValueTarget

Adams (Author, Posted March 15, 2017)
Ah ok. Thanks. So nothing that uses the QUACK commands will work while the computer is locked. Can PowerShell be used to change a background or screen saver while the computer is locked?

RazerBlade (Posted March 15, 2017)
Please read the wiki before you start. This is really basic and you still mess it up.

theonewhoknocks (Posted March 16, 2017)
Razer, no need to be brash. However, RTFMing is a good strategy to have productive forum posts.

Decoy (Posted March 16, 2017)
While you might not be able to run Duckyscript on a locked machine, if all you're looking to do is modify the background or screensaver - you can do this remotely via regedit on Windows Machines. All you need is the host name or IP of the Computer on the network (assuming you're on the same network). Once connected to their registry remotely, you can modify all sorts of things, including (but not limited to) their background, screensaver, you can even swap their mouse buttons or keyboard keys. You could write a simple payload which you could execute on your own machine to automate the process if you were so inclined.

Decoy (Posted March 16, 2017)
Alternatively if you don't mind leaving the Bash Bunny behind temporarily - you could always use the DELAY command if you knew the user was returning within a certain time frame. You can set a delay of a few minutes - and the script would execute once the PC is later unlocked. Using some of the common obfuscation techniques from the Rubber Ducky - you should be able to do this quickly and quietly, and then later return to scoop up the evidence.

Adams (Author, Posted March 16, 2017)
Thanks Decoy, that's what I finally thought too. I guess I just have to set the right delay. I am very interested in your remote payload to prank if you have any examples or can point me in the right direction.

Decoy (Posted March 16, 2017)
Open Regedit, and choose "Connect to Network Registry". Enter in the name/host of the PC you're trying to connect to and click Ok. Once you've connected, navigate to the remote PC registry, and go into Control Panel. From there you can do quite a few things. Good luck!

Mohamed A. Baset (Posted March 16, 2017)
3 hours ago, Decoy said:
    Open Regedit, and choose "Connect to Network Registry". Enter in the name/host of the PC you're trying to connect to and click Ok. Once you've connected, navigate to the remote PC registry, and go into Control Panel. From there you can do quite a few things. Good luck!
Why are you talking about this as if it's an easy-peasy thing to do? :D There are a lot of requirements that must be met before you will be able to remotely access a Windows Registry!

Decoy (Posted March 16, 2017)
34 minutes ago, Mohamed A. Baset said:
    Why are you talking about this as if it's an easy-peasy thing to do? :D There are a lot of requirements that must be met before you will be able to remotely access a Windows Registry!
Actually it's not that difficult. We do it at work all the time to prank each other. Like I said - if you're on the same network and it's pranking co-workers - this is extremely easy. You wouldn't be able to do something like this from your house.

wrewdison (Posted March 17, 2017)
I don't use Windows so forgive my ignorance but... wouldn't remotely editing the registry of another windows machine on the same network require you to authenticate to that machine?

Decoy (Posted March 18, 2017)
Not necessarily. In our case we all happen to be Administrators - so I've never had to Authenticate. I've done it on my home network as well though and don't ever remember having to authenticate. As long as you're part of the same network/workgroup I don't think you do.

Adams (Author, Posted March 18, 2017)
If you're on a domain and you do not have admin it doesn't work. I tried at work and it doesn't work.

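Added example, not written by anyone in this thread: on the Windows side, the remote registry access argued about above depends on the Remote Registry service and on the ACL of the winreg key, and an administrator can audit both on their own machine. The function names Get-RemoteRegistryExposure and Disable-RemoteRegistry are made up for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on a Windows machine you administer.

# Hypothetical helper: report what decides whether the registry is reachable remotely.
function Get-RemoteRegistryExposure {
    # Network registry access is served by the Remote Registry service.
    # If it is Disabled, remote connections fail; a Stopped service that is
    # not Disabled can still be started later.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"

    # The ACL on the winreg key lists the accounts allowed to connect remotely.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $allowed = if (Test-Path -Path $winreg) {
        (Get-Acl -Path $winreg).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights }
    } else {
        'winreg key not present'
    }

    [pscustomobject]@{
        ServiceState = $svc.State       # e.g. Running, Stopped
        ServiceStart = $svc.StartMode   # e.g. Auto, Manual, Disabled
        AllowedByAcl = $allowed
    }
}

# Hypothetical helper: turn the service off where remote registry access is not needed.
function Disable-RemoteRegistry {
    Stop-Service -Name RemoteRegistry -Force
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

Get-RemoteRegistryExposure | Format-List
```

An AllowedByAcl list containing only Administrators-type entries matches Adams's result that a non-admin domain account is refused.
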