paint-brush
How to Run a Ducky-Script Fake Windows Loginby@potentialthreat
3,124 reads
3,124 reads

How to Run a Ducky-Script Fake Windows Login

by Moti BrodyApril 13th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

The Ducky-script-Fake-Windows-Login is a fun and crafty script. It takes advantage of the Rubber Ducky USB device or Flipper Zero to execute a series of commands on the target computer. When the user enters their password and clicks "Submit," the script captures the password and uploads it to Dropbox.
featured image - How to Run a Ducky-Script Fake Windows Login
Moti Brody HackerNoon profile picture


Picture this: your buddy steps away from their computer for a moment, and when they return, they're greeted by a fake Windows login screen, prompting them to enter their password. Little do they know, you've just pulled off a harmless prank using the Ducky-script-Fake-Windows-Login!


This article will guide you through the process of setting up and using this amusing script, available at https://github.com/Potential-Threat/Ducky-script-Fake-Windows-Logon.


Disclaimer: Please note that this script is for educational and entertainment purposes only. Always obtain permission from the computer's owner before using it.


Demo


sick! no?


What You'll Need:

How to Set It Up:

  1. Download the script from the GitHub repository: https://github.com/Potential-Threat/Ducky-script-Fake-Windows-Logon.


  2. Open the script.txt file in a text editor.


  3. Replace the <YOUR_ACCESS_TOKEN_HERE> placeholder on line 45 with your own Dropbox access token: STRING $DropBoxAccessToken = 'YOUR_ACCESS_TOKEN_HERE'.


  4. Save the changes to the script.txt file.


  5. Deploy the payload to your Rubber Ducky USB device or Flipper Zero.


To obtain a Dropbox access token, follow these steps:

  • Sign in to your Dropbox account or create one if you don't have one already: https://www.dropbox.com/.


  • Go to the Dropbox Developer App Console: https://www.dropbox.com/developers/apps.


  • Click the "Create app" button.


  • Select "Scoped access" under "Choose an API" and choose "Full Dropbox" under "Choose the type of access you need." This allows your app to access all files and folders in your Dropbox account.


  • Give your app a unique name, for example, "FakeWindowsLoginPrank," and click "Create app."


  • In the "OAuth 2" section of your app's settings page, click the "Generate" button to create a new access token. Your access token will be displayed in a text field.


  • Copy your access token and use it to replace the <YOUR_ACCESS_TOKEN_HERE> placeholder in the script.txt file, as mentioned in the previous instructions.


  • Keep in mind that your access token is sensitive information, as it provides full access to your Dropbox account. Do not share it with others or expose it in public repositories. Store it securely and remember to revoke it if you suspect that it has been compromised.

How to Use It:

  1. Insert the Rubber Ducky USB device or Flipper Zero into the target computer.
  2. The script will automatically run, displaying a fake Windows login screen.
  3. When the user enters their password and clicks "Submit," the script captures the password and uploads it to the specified Dropbox account.

How It Works:

The Ducky-script-Fake-Windows-Login is a fun and crafty script that takes advantage of the Rubber Ducky USB device or Flipper Zero to execute a series of commands on the target computer.


The script first minimizes all windows, then opens PowerShell with administrative privileges. It proceeds to disable Microsoft Real-Time Protection and opens Notepad to save a script that uploads the captured password to Dropbox.


Next, it downloads and executes the FakeLogonScreenToFile.exe file, displaying a fake Windows login screen to the user. When the user enters their password, the script captures the input and uploads it to Dropbox using the provided access token.


Please remember that this script is intended for fun and educational purposes only. Always obtain permission from the computer's owner before using it. The author and contributors are not responsible for any illegal actions performed with the help of this script. Happy Hacking!