Phoenix75

Rubber Ducky outside MR Robot? Any payload is really working on Windows 10 with Defender Active?


Hi to all, I've bought this device for pentesting and learning. I'm quite a newbie about that kind of hardware..but it seems that the current Windows Defender of the 1903 Windows edition prevents every kind of payload from working. Is that true? I've tried about 50 payloads. On a system with Defender on, it doesn't start at all. I've also flashed the Ducky with Twin Duck...it seems that is worse..it sometimes takes time to analyze the USB, and sometimes finds the inject.bin and removes it. All payloads with "gmail send" are not working because of authentication, every payload with password grabbing is not working because NirSoft removed command-line text export for security purposes...so is this a useless expensive USB key and nothing more?

Now, my question: is it really possible, outside the Mr. Robot series, to use that device in a real environment? Because I've invested about 20 hours on it and I don't find a way to make it have a real use if the system is protected..but I've spent about 90$ in my country for buying it.

If someone has been able to make it work, I will be glad to know.

Thank you.


Some of the payloads will not work due to security patches. This is not a device that you can plug into a computer and which magically works just because you saw it in a video ... Obviously, you will have to modify and/or create (your own) payloads to bypass Windows Defender. I do not own a Ducky, but I do own a Bunny, which does work in a real environment (because I craft my own payloads).


Sorry...there must be a kind of misunderstanding. I'm telling you that if you plug the Ducky into a current Windows 10 environment, this environment doesn't permit the launch of the injection file...you're telling me that I have to improve. 🙂 If it isn't possible to launch a file from a USB keyboard emulator like the Rubber Ducky, the device is useless and, as you rightly said, good only for demos online and for selling it. The thing that hurts me is that it is still sold on Amazon and on the Hak5 site when it's clear that today you can't use it in a real environment. If you tell me that the Bunny works maybe I can try...but I doubt that you can bypass a Windows machine with an antivirus with all modules enabled..have you tried? If it doesn't bypass, that will turn that hardware into a useless one too.

I'm talking about Windows because 95% of the PCs in the world are Windows based.

Thank you very much anyway for your support, nice to meet you.


Guess I need a little more info.  What is the build of your Win10 box?  My latest is 17763 and the one I'm on at the moment is 14393.  Both have Defender fully updated and I've been testing different inject.bin files on my rubber ducks all day.  One even has the Twin Duck firmware on it.  Win10 and Defender are not blocking or deleting anything.  Could you give a bit more info on your machine?  Or has anyone else run into issues with this as well?  I'll gladly test what I can on my side to see if I can replicate the issues you are having.

Worst case you could always set up a VM and have it attack the VM, and with that you could put any OS you want on there.  But like theUNKNOWN said, you'll have to do some work to get the duck to do what you'd like it to do.

15 hours ago, Phoenix75 said:

Sorry...there must be a kind of misunderstanding. I'm telling you that if you plug the Ducky into a current Windows 10 environment, this environment doesn't permit the launch of the injection file...

What happens if you try to run the default payload:

DELAY 2000
GUI r
DELAY 500
STRING notepad.exe
ENTER
DELAY 1000
STRING Hello World!

Is that blocked as well?


Thank you all.

The Windows version I'm using is the latest 1903 (build 18362.295); the Ducky has the 2.1 firmware installed. I also tried with Twin Duck 2.1, but it has a keyboard bug I've seen, so I've used 2.001. With Twin Duck the AV inspects the partition immediately and locks the injection file; sometimes it removes it.

I've tried 2 physical machines and 1 VM. Same behaviour. I still don't understand what you guys mean when you say "you have to work on it": if the system locks the USB device immediately when you plug it in, you can work for years but there's no solution to that...making the device a useless piece of plastic. :)

When I go home I'll try the Unknown script. I'll update you. Thank you for your help.


Ok so very briefly I tried mine on 1903 and still so far so good.  That was a VM though and I probably didn't give it enough time to fully update itself.  So I'm going to let it run for a bit and make sure everything is fully up to date.  I'll also install it on a fresh system and see if that makes a difference at all.  But you did bring up a very good point and that's the firmware on the duck.  Not sure how I can check mine but my ducks are older.  I know back in the day there was a hardware version or something that had to do with the duck's color.  I have a blue one and a green one.  I think I've seen pics where there are red and maybe even black ones as well.  Wouldn't think that would make a difference but maybe it does.  I'll keep digging.  I am glad to see that you're experimenting a bit though, using two physical machines and a VM.  Much better than some people just saying it doesn't work, it doesn't work.  Awesome that you're troubleshooting.  If you wouldn't mind, could you get an older version of Win10 and make a VM out of it?  I'd be curious if you have the same issues or if it starts to work.  One of the VMs I tested yesterday was from: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/


Bob, firstly thank you..I own 35 technical certifications in systems, networks and security...I'm a 6-time MVP and a CEH...before coming here crying I've done something like 10 hours of trials. 😂 I'm quite sure that on a 1703 or 1803 Windows distribution it is working, but, surely, I can give it a try.

If Defender is down in the system (and there's a different suite like Kaspersky, for example) the Ducky runs. BUT if I turn on the rogue keyboard option in the Kaspersky suite you obtain the same behaviour: the payload doesn't work at all. Now, as you understand, it's clear that I don't want a magic wand for hacking everything, but a simple system with a professional AV is quite mandatory today. When I go to attend some colleagues' speeches about cybersecurity they're every time showing a magic device that, once plugged in, works and magically cracks the host. I was tired of seeing that...so I tried to buy a "magic one" too, but that has only reinforced my idea..if a system is properly protected, cracking it without a social engineering attack is quite impossible.

Anyway, sorry for the talk. My duck is blue-green inside and black outside. It would be fantastic if you could tell me the firmware you've installed..but there are only 3 versions I've found for the classic duck and only 3 others for Twin Duck..all the others are for other purposes.

Thank you for now. I'll update.

4 hours ago, Phoenix75 said:

BUT if I turn on the rogue keyboard option in the Kaspersky suite you obtain the same behaviour: the payload doesn't work at all.

That AV option probably means inserting ANY new keyboard into the computer after the AV is booted up will be blocked, because the Ducky is really just a (fancy) keyboard.


If you go to https://ducktoolkit.com/encode

And create a simple payload like the one kdodge has above.  If you download the inject.bin, does your system react to it and delete it?

I wish I could have been more helpful but both a physical machine with 1903 and a VM with 1903 didn't seem to mind either of my ducks.  Both were fully updated and I made sure Defender had all of the latest definitions.  Is there anything else that could make your machine not like the duck?  You're just using the Defender that came with Win10, correct?  When you say you turn Defender off and use Kaspersky you also run into issues, does that mean you have two AVs installed on your machine?  If so I wonder if it's Kaspersky the whole time.  Which if that's the case then that's a good thing...Kaspersky is smart enough to not let a computer fall for the duck.


There are also ways to alter the fingerprint of the Ducky. The project is open source, so you can edit the source files to obfuscate the Ducky's fingerprint and recompile the firmware, making it even harder to recognize as a hacking tool. You can change the USB_DEVICE_MANUFACTURE_NAME, USB_DEVICE_PRODUCT_NAME, UDI_MSC_GLOBAL_VENDOR_ID, as well as make an encoder for the inject.bin file so the payloads are obfuscated.

What I suspect is the real problem: after Win10 boots up, and Kaspersky has that option enabled, he could plug in a plain-old standard 104-key keyboard and the AV will have a temper tantrum, thinking it's a hack tool. At that point no HID injection will work.

Afterthought:

One thing he could try is to use the exact same VID/PID as the keyboard that is in use on the Win10 box. Kaspersky might be stupid enough to assume they are the same keyboard and you might just eke by. Or you might also need to alter the other 3 variables that I listed above to also mimic the current Win10 keyboard that's in use.

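A defender-side illustration of what the "rogue keyboard" option kdodge describes above amounts to (block any keyboard-class device not already known to the machine), and of why the VID/PID-mimicking afterthought undermines it. This is an added Python example, not code from this thread, from Hak5 or from any AV vendor; the device-arrival records, the instance IDs and the allowlist are constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# VID/PID pair as it appears in a Windows PnP device instance ID,
# e.g. r"HID\VID_046D&PID_C31C&MI_00\7&1a2b3c4d&0&0000".
_VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

# Constructed device-arrival records (instance ID plus setup class) in the shape
# a PnP-arrival log or endpoint agent might emit. The first plays the keyboard
# already in use on the box, the second a hypothetical new HID keyboard, the
# third a hypothetical USB storage device. None of these IDs come from the thread.
SAMPLE_ARRIVALS: List[Dict[str, str]] = [
    {"instance_id": r"HID\VID_046D&PID_C31C&MI_00\7&1a2b3c4d&0&0000", "class": "Keyboard"},
    {"instance_id": r"HID\VID_1234&PID_ABCD\6&0f0f0f0f&0&0000", "class": "Keyboard"},
    {"instance_id": r"USB\VID_0781&PID_5583\4C530001234567", "class": "USB"},
]

# Keyboards the machine is expected to have (constructed allowlist).
ALLOWED_KEYBOARDS: Set[Tuple[str, str]] = {("046D", "C31C")}


def parse_vid_pid(instance_id: str) -> Optional[Tuple[str, str]]:
    """Extract (VID, PID), upper-cased, from an instance ID; None if absent."""
    m = _VID_PID.search(instance_id)
    if m is None:
        return None
    return m.group(1).upper(), m.group(2).upper()


def flag_unknown_keyboards(arrivals: List[Dict[str, str]],
                           allowlist: Set[Tuple[str, str]]) -> List[str]:
    """Return instance IDs of keyboard-class arrivals whose VID/PID is not allowlisted.

    Non-keyboard classes are ignored on purpose: this is the rogue-keyboard
    check only, not a general device-control policy.
    """
    flagged: List[str] = []
    for rec in arrivals:
        if rec["class"].lower() != "keyboard":
            continue
        ids = parse_vid_pid(rec["instance_id"])
        if ids is None or ids not in allowlist:
            flagged.append(rec["instance_id"])
    return flagged


if __name__ == "__main__":
    # Only the unknown HID keyboard should be reported.
    for dev in flag_unknown_keyboards(SAMPLE_ARRIVALS, ALLOWED_KEYBOARDS):
        print("rogue keyboard candidate:", dev)
```

A second arrival carrying the allowlisted 046D:C31C pair passes unflagged, which is exactly the gap the afterthought above points at; treat an ID allowlist as a tripwire that raises an alert on unexpected keyboards, not as proof that a device is the one you think it is.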
Quote

If you go to https://ducktoolkit.com/encode

And create a simple payload like the one kdodge has above.  If you download the inject.bin, does your system react to it and delete it?

Sometimes yes, sometimes it simply doesn't start.

Quote

When you say you turn Defender off and use Kaspersky you also run into issues, does that mean you have two AVs installed on your machine?

I see that you're a Linux one 🙂 when you install a different AV on a Windows machine, Defender automatically disables itself because the system is happy that there's a new AV installed. It's quite impossible to uninstall Defender anyway.

Quote

What I suspect is the real problem: after Win10 boots up, and Kaspersky has that option enabled, he could plug in a plain-old standard 104-key keyboard and the AV will have a temper tantrum, thinking it's a hack tool. At that point no HID injection will work.

Afterthought:

One thing he could try is to use the exact same VID/PID as the keyboard that is in use on the Win10 box. Kaspersky might be stupid enough to assume they are the same keyboard and you might just eke by. Or you might also need to alter the other 3 variables that I listed above to also mimic the current Win10 keyboard that's in use.

I agree with you. I think that with the right firmware maybe it can work. But finding the right one is not simple; I'll continue trying and update...thank you all.


So maybe I misunderstood something from the beginning.  How I read your problem is you have a Win10 box at 1903 with Windows Defender (which is built in) and that's it.  Is that not correct?  Did you also have Kaspersky this whole time as well?  I completely understand how AVs work.  Windows wants something, so if you have Kaspersky it disables Defender.  Likewise if you turn Kaspersky off, Defender will kick in.  So I guess the main question is did you have Kaspersky installed but disabled the whole time?  Or did you in fact have just a vanilla Win10 at 1903 with just Defender?  If so then again I'm curious what makes your box different than mine.  Or your duck different than mine.  Because I set up a brand new box, put Win10 1903 on it with all the updates, all of the Defender updates, and I have absolutely no issues with either of my ducks.  I can run a handful of scripts without issue.  Only thing that barked at me yesterday was Defender didn't like me trying to use mimikatz but that was it.  So what could be different?

On 8/27/2019 at 3:04 PM, Bob123 said:

So maybe I misunderstood something from the beginning.  How I read your problem is you have a Win10 box at 1903 with Windows Defender (which is built in) and that's it.  Is that not correct?  Did you also have Kaspersky this whole time as well?

Correct. Kaspersky is another try. As you said, when you put a different antivirus on, Defender goes down and kicks in only if you uninstall the third-party AV. To complete the picture (and before coming here...) I've tried to use a 1903 with a different AV also, because few people use Defender in a business environment. Anyway, my considerations are addressed at that: if a simple Defender can stop the Ducky, what can a professional AV do? The same thing. 🙂 Is there a way of knowing the firmware/release version of the duck and what kind of firmware is installed? I think the same as you: new Duckies are different from older ones..or...you've got a firmware on it that bypasses all the issues I have...


@kdodge 

Quote

One thing he could try is to use the exact same VID/PID as the keyboard that is in use on the Win10 box. Kaspersky might be stupid enough to assume they are the same keyboard and you might just eke by. Or you might also need to alter the other 3 variables that I listed above to also mimic the current Win10 keyboard that's in use.

Maybe it works...but I don't know the ID of the keyboard in advance...do you agree? 🙂 So...if I need access to the platform beforehand every time to show it, the Ducky becomes just a toy for the bathroom..:-)


Yeah, I don't know how you can just generically use the Ducky in that circumstance; I was just seeing what was possible to do. That AV is probably breakable in some way.
