HeadScratchCode Posted June 4, 2017 Share Posted June 4, 2017 I'm having trouble writing a powershell script that will 'exit' the terminal after running the code. This problem occurs when using a Quack script on the Bash Bunny. Here's the end part of the Ducky script into that I wrote: Quote STRING del ip.txt ENTER DELAY 100 STRING exit ENTER I pretty sure that's correct, and it should exit after deleting a file called ip.txt However, no such luck. What I have tried to solve the problem: STRING EXIT STRING Exit STRING exit; STRING del ip.txt; exit; But, no of these make a difference. I even checked a Ducky script written by DarrenHak5 who has the same way of exiting the powershell terminal. So, I can't understand why it's not working for me. If I manually type exit it will do so, if the HID type it, it will not exit. Guys, do you have any suggestions? Thanks Quote Link to comment Share on other sites More sharing options...
digip Posted June 4, 2017 Share Posted June 4, 2017 If in CMD then POWERSHELL? STRING exit ENTER STRING exit ENTER ?? Quote Link to comment Share on other sites More sharing options...
HeadScratchCode Posted June 4, 2017 Author Share Posted June 4, 2017 The script opens straight into powershell. Here's the full code: https://github.com/hak5/bashbunny-payloads/pull/225/files Quote Link to comment Share on other sites More sharing options...
HeadScratchCode Posted June 4, 2017 Author Share Posted June 4, 2017 Solved it! Just needed to increase the DELAY time after it sends the email. Appreciate your time trying to help. Quote Link to comment Share on other sites More sharing options...
digip Posted June 4, 2017 Share Posted June 4, 2017 Cool beans, glad you got it working. TIP: if powershell is disabled on a system (like I have it on my system with GPO) you can change the "+STRING POWERSHELL" to "+STRING cmd /k powershell", for which then there would be two exits needed. I only mention using cmd in the event powershell is disabled, while cmd is still open. You can set a group policy to disable both cmd and powershell too if you want to defend against this kind of attack using gpedit.msc, but only on Windows Pro and above versions. Home users would have to use a registry edit to do the same thing since gpedit is not available to them on home editions. These are smaller mitigations, as there are VBS and other scripting languages you could use as well, but cmd and powershell user environments can be disabled which is 99% of the HID based attacks you will see. Quote Link to comment Share on other sites More sharing options...
HeadScratchCode Posted June 5, 2017 Author Share Posted June 5, 2017 19 hours ago, digip said: Cool beans, glad you got it working. TIP: if powershell is disabled on a system (like I have it on my system with GPO) you can change the "+STRING POWERSHELL" to "+STRING cmd /k powershell", for which then there would be two exits needed. I only mention using cmd in the event powershell is disabled, while cmd is still open. You can set a group policy to disable both cmd and powershell too if you want to defend against this kind of attack using gpedit.msc, but only on Windows Pro and above versions. Home users would have to use a registry edit to do the same thing since gpedit is not available to them on home editions. These are smaller mitigations, as there are VBS and other scripting languages you could use as well, but cmd and powershell user environments can be disabled which is 99% of the HID based attacks you will see. I've made a note of your tip. Appreciate it! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.