
I just made a basic test script to open a notepad file. It works fine when the computer is unlocked, but when the computer is locked (WIN+L) it doesn't seem to fire. The lights change as they should and I can hear the beep sound, like the commands are being rejected.

I would expect with this script that when I unlock the computer I would see an open notepad window.

Thanks in advance for any help.

#!/bin/bash
LED R
ATTACKMODE HID

LED R G

Q DELAY 3000
Q GUI r
Q DELAY 500
Q STRING notepad.exe
Q ENTER

REM QUACK switch1/ducky.txt

LED G 500


Adams, that's not how it works. When the computer is locked, keyboard strokes are either applied to the password field to unlock the computer or otherwise ignored.

The reason quick creds and poisontap work on locked computers is because their primary attack vector is the bb masquerading as a usb to ethernet adapter (unchecked, 'installed' and useable). Even then, the remainder of the attack exploits known behavior on network devices and the traffic therein.

Quick creds, and poisontap do not utilize the HID attack mode.

Edited by LowValueTarget

While you might not be able to run Duckyscript on a locked machine, if all you're looking to do is modify the background or screensaver - you can do this remotely via regedit on Windows Machines. All you need is the host name or IP of the Computer on the network (assuming you're on the same network). Once connected to their registry remotely, you can modify all sorts of things, including (but not limited to) their background, screensaver, you can even swap their mouse buttons or keyboard keys. You could write a simple payload which you could execute on your own machine to automate the process if you were so inclined.


Alternatively if you don't mind leaving the Bash Bunny behind temporarily - you could always use the DELAY command if you knew the user was returning within a certain time frame. You can set a delay of a few minutes - and the script would execute once the PC is later unlocked. Using some of the common obfuscation techniques from the Rubber Ducky - you should be able to do this quickly and quietly, and then later return to scoop up the evidence.

  • Upvote 1

Thanks Decoy, that's what I finally thought too. I guess I just have to set the right delay.

I am very interested in your remote payload to prank if you have any examples or can point me in the right direction.


Open Regedit, and choose "Connect to Network Registry". Enter in the name/host of the PC you're trying to connect to and click Ok. Once you've connected, navigate to the remote PC registry, and go into Control Panel. From there you can do quite a few things. Good luck!

[Attached screenshots: regedit1.png, regedit2.png, regedit3.png]

3 hours ago, Decoy said:

Open Regedit, and choose "Connect to Network Registry". Enter in the name/host of the PC you're trying to connect to and click Ok. Once you've connected, navigate to the remote PC registry, and go into Control Panel. From there you can do quite a few things. Good luck!

Why are you talking about this as if it's an easy-peasy thing to do? :D

There must be a lot of requirements to be met before you'll be able to remotely access a Windows Registry!

34 minutes ago, Mohamed A. Baset said:

Why are you talking about this as if it's an easy-peasy thing to do? :D

There must be a lot of requirements to be met before you'll be able to remotely access a Windows Registry!

Actually it's not that difficult. We do it at work all the time to prank each other. Like I said - if you're on the same network and it's pranking co-workers - this is extremely easy. You wouldn't be able to do something like this from your house.


Not necessarily. In our case we all happen to be Administrators, so I've never had to authenticate. I've done it on my home network as well, though, and don't ever remember having to authenticate. As long as you're part of the same network/workgroup, I don't think you do.
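A defender-side companion to the remote-registry discussion above, added here as an example and not taken from any poster in the thread: a PowerShell audit of what a remote regedit ("Connect to Network Registry") session needs on the target host, namely the RemoteRegistry service running, SMB reachable through the firewall, and the connecting account holding local Administrators membership, which is why an all-admin workgroup never prompts for credentials. The function names are my own; the script assumes an elevated PowerShell 5.1 or later session on the host being checked.

```powershell
# Added example (not from the thread): audit a Windows host's exposure to
# remote registry editing and, if wanted, turn the exposure off.
# Assumed: elevated PowerShell 5.1+ on Windows 10/11 or Server.

function Get-RemoteRegistryExposure {
    [CmdletBinding()]
    param()

    # 1. A remote regedit session needs the RemoteRegistry service running on the target.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue

    # 2. The connection rides the winreg named pipe over SMB (TCP 445), so an enabled
    #    inbound "File and Printer Sharing (SMB-In)" rule is what lets it through.
    $smbRule = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # 3. Keys that non-administrators may read remotely are listed under the winreg key.
    $winreg       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $allowedPaths = (Get-ItemProperty -Path "$winreg\AllowedPaths"      -Name Machine -ErrorAction SilentlyContinue).Machine
    $allowedExact = (Get-ItemProperty -Path "$winreg\AllowedExactPaths" -Name Machine -ErrorAction SilentlyContinue).Machine

    # 4. Local Administrators get full remote write access once connected; this list is
    #    the set of accounts that can change wallpaper, mouse buttons and the rest remotely.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        RemoteRegistryStatus  = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        RemoteRegistryStartup = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        SmbInboundRuleEnabled = [bool]$smbRule
        AllowedPaths          = $allowedPaths
        AllowedExactPaths     = $allowedExact
        LocalAdministrators   = $admins
    }
}

function Disable-RemoteRegistry {
    # Mitigation: stop the service and keep it from starting again.
    # Current Windows client releases ship it disabled; this makes that explicit
    # on hosts where someone enabled it.
    Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
    Set-Service  -Name RemoteRegistry -StartupType Disabled
}

# Usage: review the report first, then disable if nothing legitimate depends on it.
Get-RemoteRegistryExposure | Format-List
# Disable-RemoteRegistry
```

If the service has to stay on (some management tooling depends on it), the remaining controls are keeping the local Administrators list short and turning on the Object Access > Audit Registry subcategory so that remote value changes surface as Security event ID 4657 with the originating account name.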

