rcanpolat Posted June 5, 2020

Hey guys and gals. I need to crack a password for a very, very old piece of software (it's over 20 years old at this stage and the dev is no longer supporting it). Pretty sure it was developed on Windows 98. The software gets activated with a 6-digit number. The app's way around brute force is to shut down the app after every failed attempt. This is the code I need to loop... 1 million times (with the second STRING increasing by 1 every time) 😂.

GUI r
DELAY 100
STRING C:\app\software\app.exe
ENTER
DELAY 1000
STRING 000001
ENTER
ENTER

What would be the fastest way for me to write the increasing 6-digit number (6th line of the code) into a script? Currently I have an Excel file open with column A populated with increasing numbers (cell A1=000000, A2=000001 etc.). I can write the script to copy from the Excel list after every attempt, but would there be a more efficient way to code the numbers directly into the Ducky Script to increase the speed of the brute force? Short of that, could you advise on some brute-force software on Windows that can follow the above script's flow, since the app shuts down after every failed attempt and needs to be relaunched again.
rcanpolat Posted June 5, 2020 (Author)

2 hours ago, kdodge said: If you don't need the actual leveraging of a real keyboard, you might just be able to use a C script to do this. You would need to change "main" to do what you need to do; maybe start with something like this:

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*** rest of the functions here ***/
/* gui_r(), string() and enter() are the keystroke helpers defined above
   (Win+R, type a string, press Enter). */

int main(){
    char launch[64];            /* char, not unsigned char: sprintf() writes a char buffer */
    uint32_t count = 0;

    /* Launch the app once. */
    gui_r();
    Sleep(100);
    string("C:\\app\\software\\app.exe");
    enter();

    /* Try every 6-digit code, 000000 .. 999999. */
    for(count = 0; count < 1000000; count++){
        memset(launch, 0, sizeof(launch));
        sprintf(launch, "%06u", count);   /* zero-padded to 6 digits */
        Sleep(1000);
        string(launch);
        enter();
        enter();
    }
    return 0;
}

Unfortunately for me I haven't got a clue how to write or compile C. I wouldn't know where to start.
Cribbit Posted June 5, 2020 (edited)

If you have access to Linux/Bash you could use it to generate the Ducky Script you want:

echo {000000..999999} | xargs -n 1 echo GUI r$'\n'DELAY 100$'\n'STRING C:\\app\\software\\app.exe$'\n'ENTER$'\n'DELAY 1000$'\n'STRING | sed '0~6 s/$/\nENTER\nENTER/g'>Ducky.txt

It will take some time to execute.

Edited June 5, 2020 by Cribbit
rcanpolat Posted June 6, 2020 (Author)

22 hours ago, Cribbit said: If you have access to Linux/Bash you could use it to generate the Ducky Script you want:

echo {000000..999999} | xargs -n 1 echo GUI r$'\n'DELAY 100$'\n'STRING C:\\app\\software\\app.exe$'\n'ENTER$'\n'DELAY 1000$'\n'STRING | sed '0~6 s/$/\nENTER\nENTER/g'>Ducky.txt

It will take some time to execute.

That worked very well for generating the code, although as you said it does take some time to execute and build. It's over 80 MB. I've had to throttle the delay to 35, otherwise I'm getting mistypes waiting for the GUI to catch up. I've also shortened the path to the exe file to trim down the timing. At this rate it will take up to 4 days to crack the code, which isn't too bad. I would appreciate advice from anyone regarding speeding up this process. My Ducky has never been flashed, so I don't know if that changes anything. It's running the original firmware from around 2011 or that period.
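An added example, not code from the thread: a Python generator that emits the same 8-line Ducky Script block per candidate as Cribbit's one-liner, but from a single process instead of one `echo` per code (the one-liner also relies on GNU sed's `0~6` step address). The launch delay, type delay and path are parameters so they can be tuned the way rcanpolat did (DELAY 35, shorter path), and `start` lets a run that was interrupted after a day be regenerated from the last code tried. The default path, the output file name `Ducky.txt` and all function names are assumptions.

```python
"""Generate a Ducky Script that tries every 6-digit code, relaunching the app before each attempt.

Added example for this thread (not Cribbit's one-liner): same 8-line block per candidate,
written from one process, with a resume point.
"""

# Assumed defaults: the path from the original post, the tuned DELAY 35 from the follow-up.
DEFAULT_EXE = r"C:\app\software\app.exe"
LINES_PER_ATTEMPT = 8


def attempt_block(code, exe_path=DEFAULT_EXE, launch_delay_ms=100, type_delay_ms=35):
    """One attempt: open Run, launch the app, wait, type the code, press ENTER twice."""
    return "\n".join([
        "GUI r",
        f"DELAY {launch_delay_ms}",
        f"STRING {exe_path}",
        "ENTER",
        f"DELAY {type_delay_ms}",
        f"STRING {code}",
        "ENTER",
        "ENTER",
    ]) + "\n"


def candidates(start=0, stop=1_000_000, width=6):
    """Zero-padded codes from start (inclusive) to stop (exclusive): '000000' .. '999999'."""
    if not 0 <= start <= stop <= 10 ** width:
        raise ValueError("range must lie inside the code space")
    for n in range(start, stop):
        yield f"{n:0{width}d}"


def render(start=0, stop=1_000_000, **kw):
    """Whole script as one string (handy for small ranges and checks)."""
    return "".join(attempt_block(c, **kw) for c in candidates(start, stop))


def write_script(path, start=0, stop=1_000_000, **kw):
    """Stream the script to disk without holding a million blocks in memory.

    Returns the number of attempts written. Pass start=<last code tried> to resume.
    """
    written = 0
    with open(path, "w", newline="\n") as fh:
        for code in candidates(start, stop):
            fh.write(attempt_block(code, **kw))
            written += 1
    return written


if __name__ == "__main__":
    import sys
    resume_from = int(sys.argv[1]) if len(sys.argv) > 1 else 0   # e.g. 412000
    n = write_script("Ducky.txt", start=resume_from)
    print(f"wrote {n} attempts starting at {resume_from:06d} to Ducky.txt")
```

Run it as `python gen_ducky.py` for the full range, or `python gen_ducky.py 412000` to regenerate only the codes not yet tried; the output is the same 8 lines per code that the one-liner produces, so it encodes with the same Duck Encoder.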
Cribbit Posted June 7, 2020

@rcanpolat glad it's working. The firmware has never been updated to my knowledge. Even on the Hak5 download page it's still 1.0: https://downloads.hak5.org/ducky
rcanpolat Posted June 8, 2020 (Author)

8 hours ago, kdodge said: With an Ubuntu/Mint/Kali distro (or probably any Debian-based one), you grab the cross-compiling library MinGW from here:

$ sudo apt-get update
$ sudo apt-get install gcc-mingw-w64-x86-64 -y

Grab the "brute.c" file and move it to your Desktop (or wherever you want to):

$ cd ~/Desktop/
$ x86_64-w64-mingw32-gcc -o brute.exe brute.c

And if there are no compile errors, you should have a brand new "brute.exe" file on your Desktop that you will be able to run on a Windows machine, and it will act just like(-ish) a Ducky. It won't work for certain things like UAC bypass and other things that require an actual USB keyboard; that's where the real USB Rubber Ducky is quite useful. If what you need is to just type into a standard user app, this might just work. [attachment: brute.c]

That worked out quite well. I used Ubuntu for Windows to get a Linux terminal and compiled the code. For reference, I've had to edit it slightly, as the app I'm cracking closes after every failed attempt, so I'm running the below snippet instead to loop the reopening of the app after every attempt. I have noticed that background interrupts on Windows cause this to go out of sequence (and my actual Ducky as well), and instead the keystrokes start triggering other apps to launch, to the point where the system hangs and needs a force shutdown. This happens quite a lot on Windows, and I suppose it's only noticeable on such a long looping task like this. Given that it needs to be run for such a long period of time, I'm probably going to run it in Windows safe mode without networking to give it the least chance of being interrupted. I've estimated this will crack the code in just over 2.5 days.
Thank you to both kdodge & Cribbit 👍

/* Loop from brute.c, edited so the app is relaunched after every attempt.
   gui_r(), string() and enter() are the keystroke helpers from brute.c.
   Declarations moved in front of the loop, and the bound set to 1000000 so
   all six digits (000000 .. 999999) are covered. */
char launch[64];
uint32_t count = 0;

/* Launch the app once before the first attempt. */
gui_r();
Sleep(100);
string("C:\\a\\s\\a.exe");
enter();

for(count = 0; count < 1000000; count++){
    memset(launch, 0, sizeof(launch));
    sprintf(launch, "%06u", count);   /* zero-padded 6-digit code */
    Sleep(110);                       /* wait for the activation prompt */
    string(launch);
    Sleep(0);                         /* Sleep(0) just yields the timeslice */
    enter();
    Sleep(0);
    enter();
    Sleep(0);
    /* The app exits after a failed attempt, so relaunch it for the next one. */
    gui_r();
    Sleep(100);
    string("C:\\a\\s\\a.exe");
    enter();
}
return 0;
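An added example, not kdodge's brute.c or anything posted in the thread: the same loop driven from Python on Windows with ctypes and `SendInput`, written around the failure rcanpolat describes above (keystrokes landing in other apps once focus drifts). Instead of typing the path into the Run dialog, it starts the app with `subprocess`, refuses to send anything unless the foreground window belongs to that process, and uses the app's own behaviour (exit on a wrong code) as the success check: a process still alive a few seconds after ENTER is reported as the hit. Assumptions: the app shows its prompt in the foreground when started directly, it exits on a wrong code, and the file names `progress.txt` and all function names are mine.

```python
"""Drive the activation prompt from Python on Windows (ctypes + SendInput) instead of a Ducky.

Added example for this thread, not kdodge's brute.c. Assumes the app comes to the
foreground when launched directly and exits on a wrong code (so 'still running' == hit).
"""
import ctypes
import subprocess
import sys
import time

INPUT_KEYBOARD = 1
KEYEVENTF_KEYUP = 0x0002
KEYEVENTF_UNICODE = 0x0004
VK_RETURN = 0x0D

# Fixed-width types so the Win32 INPUT layout is right on both 32- and 64-bit builds.
WORD, DWORD, LONG, ULONG_PTR = ctypes.c_uint16, ctypes.c_uint32, ctypes.c_int32, ctypes.c_size_t

class KEYBDINPUT(ctypes.Structure):
    _fields_ = [("wVk", WORD), ("wScan", WORD), ("dwFlags", DWORD),
                ("time", DWORD), ("dwExtraInfo", ULONG_PTR)]

class MOUSEINPUT(ctypes.Structure):
    _fields_ = [("dx", LONG), ("dy", LONG), ("mouseData", DWORD), ("dwFlags", DWORD),
                ("time", DWORD), ("dwExtraInfo", ULONG_PTR)]

class HARDWAREINPUT(ctypes.Structure):
    _fields_ = [("uMsg", DWORD), ("wParamL", WORD), ("wParamH", WORD)]

class _INPUTUNION(ctypes.Union):
    _fields_ = [("mi", MOUSEINPUT), ("ki", KEYBDINPUT), ("hi", HARDWAREINPUT)]

class INPUT(ctypes.Structure):
    _fields_ = [("type", DWORD), ("u", _INPUTUNION)]

def input_struct_size():
    return ctypes.sizeof(INPUT)      # 28 on 32-bit, 40 on 64-bit

def key_events(text):
    """(vk, scan, flags) per event: Unicode down/up for each char, VK_RETURN for '\\n'."""
    events = []
    for ch in text:
        if ch == "\n":
            events += [(VK_RETURN, 0, 0), (VK_RETURN, 0, KEYEVENTF_KEYUP)]
        else:
            events += [(0, ord(ch), KEYEVENTF_UNICODE),
                       (0, ord(ch), KEYEVENTF_UNICODE | KEYEVENTF_KEYUP)]
    return events

def send_keys(text):
    """Inject all events in one SendInput call; returns how many the system accepted."""
    events = key_events(text)
    arr = (INPUT * len(events))()
    for inp, (vk, scan, flags) in zip(arr, events):
        inp.type = INPUT_KEYBOARD
        inp.u.ki = KEYBDINPUT(vk, scan, flags, 0, 0)
    return ctypes.windll.user32.SendInput(len(events), arr, ctypes.sizeof(INPUT))

def foreground_pid():
    user32 = ctypes.windll.user32
    user32.GetForegroundWindow.restype = ctypes.c_void_p
    hwnd = user32.GetForegroundWindow()
    pid = DWORD(0)
    user32.GetWindowThreadProcessId(ctypes.c_void_p(hwnd), ctypes.byref(pid))
    return pid.value

def wait_for_foreground(pid, timeout):
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if foreground_pid() == pid:
            return True
        time.sleep(0.05)
    return False

def try_code(exe, code, focus_timeout=5.0, settle=0.1, exit_wait=3.0):
    """Launch the app, type one code, return True if the app is still running afterwards."""
    proc = subprocess.Popen([exe])
    try:
        if not wait_for_foreground(proc.pid, focus_timeout):
            raise RuntimeError(f"{exe} never took the foreground; refusing to type blindly")
        time.sleep(settle)
        send_keys(code + "\n\n")          # code, ENTER, ENTER as in the Ducky script
        proc.wait(timeout=exit_wait)
        return False                      # exited: wrong code
    except subprocess.TimeoutExpired:
        return True                       # still alive: accepted (or hung; check the screen)
    except Exception:
        proc.kill()
        raise

def brute(exe, start=0, stop=1_000_000, progress="progress.txt"):
    """Try codes in order; returns the accepted code or None. Writes a resume point."""
    for n in range(start, stop):
        code = f"{n:06d}"
        if try_code(exe, code):
            return code
        if n % 1000 == 0:
            with open(progress, "w") as fh:   # assumed file name; resume with brute(exe, start=n)
                fh.write(str(n))
    return None

if __name__ == "__main__":
    exe = sys.argv[1]
    resume_from = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    print("code:", brute(exe, start=resume_from) or "not found")
```

The foreground check closes the window in which a stray notification or focus change turns the run into a keystroke spray across the desktop: the run stops with an error rather than launching whatever is under the cursor. It is still a check-then-send, so a focus change in the few milliseconds between the check and `SendInput` can slip through; safe mode without networking, as rcanpolat proposes, reduces how often that happens but does not remove it.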