usbrubberducky-payloads icon indicating copy to clipboard operation
usbrubberducky-payloads copied to clipboard

Published 20 hours ago verified publisher icon hak5

[Ducky-Harvest] General questions

Open InfiniteBSOD opened this issue 6 months ago • 0 comments

Payload Title

Ducky-Harvest

Payload URL

https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/library/credentials/Duckie-Harvest/payload.txt

Payload Setup

In Payload.txt changed the following: $_OS = WINDOWS DEFINE #DUCKY_DRIVER_LABEL DUCKY

In sy_cred.ps1 changed the following: $DRIVE = 'OUTPUT' # Drive letter of the USB Rubber Ducky $IP = '' # IP address of the attacker machine $PORT = '' # Port to use for the reverse shell

Problem Description

In Payload.txt on this row: $duckletter = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.VolumeName -eq '#DUCKY_DRIVER_LABEL' }).DeviceID;cd $duckletter

Question 1: How can it identify a driveletter for "#DUCKY_DRIVER_LABEL" when it isn't mounted as a storage device? The error we get is that it can't "cd" to "$duckletter" since the variable duckletter is NULL. "Cannot process the argument because of the value of argument 'path' is null".

Question 2: If we change #DUCKY_DRIVER_LABEL to a recognized storage device which returns a driveletter we get a lot of other errors which is due to malformed input. For instance "Get-CimInstance" is written as "et-CimInstance" for some reason.

Question 3: How exactly is the:

# IP address of the attacker machine
# Port to use for the reverse shell

meant to work? Then we need to have another device on the network which runs some application / service and that device isn't a RubberDucky?

Troubleshooting steps

Changing the "DEFINE #DUCKY_DRIVER_LABEL" from "DUCKY" to "OUTPUT" which is a recognized storage device.

Suspected Cause

No response

Screenshots or additional information

No response

Checklist ✅ - READ CAREFULLY

  • [X] I checked and didn't find a similar issue already reported
  • [X] I am using PayloadStudio to encode this payload
  • [X] I made sure to redact any private information in the details shared above
  • [X] I have read and followed the documentation provided by the original payload author and configured the payload (if required)
  • [X] I have confirmed I am deploying this payload with the correct device intended by the original author (Original USB Rubber Ducky vs New USB Rubber Ducky)
  • [X] I have confirmed I am deploying this payload on the correct target host intended by the original author (Windows, Mac, Linux, etc)
  • [X] I have confirmed the payload is compiled in the correct keyboard language for the target host I'm trying to deploy it on (US, DE, etc)
  • [ ] I have actually read the above checkboxes before checking them, including this one, which I have intentionally left unchecked as confirmation of this statement

Agreement

  • [X] I believe this is an issue with the actual payload itself. I acknowledge this form is not a request for help following instructions.
  • [X] I have carefully read and filled out every section of this issue form to the best of my ability. I acknowledge by providing insufficient information I cannot receieve adequate assistance.

InfiniteBSOD avatar Aug 09 '24 22:08 InfiniteBSOD