Remote-access Guide

ducky remote access payload

by Maude Stanton Published 3 years ago Updated 2 years ago
image

What is the USB rubber ducky payload?

This very short USB Rubber Ducky payload simply opens the Windows run dialog, types in a single line of powershell and runs it. This powershell snippet will download and execute whatever other powershell script we host on our web server. On our web server we’ll need to host the powershell reverse shell code.

What is the HAK5 USB rubber ducky repository?

This repository contains payloads and extensions for the Hak5 USB Rubber Ducky. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads. A "flash drive" that types keystroke injection payloads into unsuspecting computers at incredible speeds.

How many payloads has Ducky encoded and decoded?

We have encoded 989383 payloads since 2014. Decode an existing inject.bin file back to Ducky text. We have decoded 87852 payloads since 2014. A python library to encode and decode from the comfort of your own device. No cloud required!

How does this payload work on the twin duck firmware?

This payload will work on the twin duck firmwares by executing a script that waits for the ducky to mount the removable storage. The payload also uses some of the member googleknowsbest’s code. The for loop which polls for the ducky is the code to which I am referring to.

image

What is USB Rubber Ducky payloads?

A USB Rubber Ducky payload may be inline or staged. An inline payload, often called an a single or non-staged payload, is designed to carry out the desired task in one, self contained step. They do not rely on any external resource such as a netcat listener or meterpreter handler.

What is duckNet?

duckNet is cluster of systems infected with persistentReverseDucky, which are managed by duckNetManager. There are many forms of remote access which may be used by different actors for various purposes.

What does payload do?

Payload will edit the hosts file to allow you to redirect web pages where you would like the user to go.

What is the line that says "STRING START %myd% myEXE.bat"?

The following is a payload I have been working on that waits until a drive labeled “DUCKY” is mounted. I have used some of midnightsnake’s code in this payload. The name of the file that is run can be changed to .exe, I am just having it run a batch for testing purposes. The line that says “STRING START %myd%myEXE.bat” is the line that executes the executable.

Does the Ducky script have white space?

Encoders also now support white space in the duck script, so functions have been separated with white space. The following is a newer version of the RunEXE from SD payload which uses googleknowsbest’s method for finding the “DUCKY” drive, which is more portable than the previous version’s method.

Can Twin Duck run on Windows?

I don’t know how useful this will be, but it is here if you need it. This only runs on Windows systems, but should run on all current Windows thanks to some code written by googleknowsbest. Change “JavaApp” to the name of your application.

Do you use spaces in payload names?

Please give your payload a unique and descriptive name. Do not use spaces in payload names . Each payload should be submit into its own directory, with - or _ used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.

Can you send payloads through pull request?

You can send payloads through a pull request if you so wish, however i do not check very frequently and I will not spend time reviewing payloads that don't seem useful

Can a payload damage a device?

Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. In addition payloads in this repository is for payloads that may or may not be modifed by me so please check source before using!

What encryption does Keld Norman use?

Building upon the earlier WiFi2DNS payload that uses stealthy DNS exfiltration, Keld Norman has applied AES-256 encryption for a much more secure transit of ...

Is PSK exfiltrated DNS?

WiFi names and PSK are exfiltrated over DNS.

The 3 Second Reverse Shell with a USB Rubber Ducky

In this tutorial we’ll be setting up a Reverse Shell payload on the USB Rubber Ducky that’ll execute in just 3 seconds.

The Ducky Script

Replace the URL above with the address of your web server where we’ll be hosting the powershell reverse shell script.

The Web Server

On our web server we’ll need to host the powershell reverse shell code. This powershell TCP one liner from Nishang works great:

The Netcat Listener

Now that we have our USB Rubber Ducky payload written and our powershell reverse shell code hosted on our web server we’re ready to setup the listener. A simple netcat -lp 4444 from our publicly accessible server referenced in the powershell above will do fine in this case.

image

Boring Utility

  • Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. …
See more on github.com

Hacks & Exploits

Information Gathering

Malicious

  • Hello World
    For testing functionality.
  • Hide cmd window
    The following is an example of how to hide the command window below the bottom of the screen while typing in commands. The window movement part of the script can also be used on any other window. CMD.exe is also run with some command line flags for changing the appearance …
See more on theatomheart.net

Pranks

  • Reverse shell
    Opens administrative CMD prompt, creates decoder.vbs containing code to convert base64 encoded ascii to binary, creates text file including base64 ascii of binary file to create reverse shell. converts second file to exe with first file. Executes with host and port parameters. Receive …
  • Fork bomb
    Opens a command prompt as administrator with run, uses con copy to create fork bomb batch(if you don’t know what this is then see: http://en.wikipedia.org/wiki/Fork_bomb). Then saves the .bat file under the start up program folder and runs it the first time.
See more on theatomheart.net

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9