bashbunny-payloads/payloads/library/Incident_Response/Hidden_Images
Aidan Holland 5a77792c1d Update and fix payloads (#277)
* Updated all Payloads for Version 1.2+

Fixed Style Issues on extensions and payloads.
Added GET TARGET_OS to get.sh
Removed and fixed all uses of ducky_helper.sh (Issue #248)
Removed all mention of DUCKY_LANG (Issue #248)
Renamed Payloads with spaces in name
Added an extension to keep Macs Happy
Added a payload for Mac DNS poisoning
Fixed Issue #271 changed wget to curl -o
Implemented PR #268
Implemented PR #273

* Fixed e.cmd

* Fix e.cmd pt2

* Fixed Issues

Fixed issues pointed out by @sebkinne
Fixed styling errors
2017-10-25 11:10:17 +11:00
payload.txt Update and fix payloads (#277) 2017-10-25 11:10:17 +11:00
readme.md Added payload to analyse users .lnk files (#228) 2017-07-10 07:27:22 +10:00
run.ps1 Added payload to analyse users .lnk files (#228) 2017-07-10 07:27:22 +10:00

readme.md

Author : Paul Murton

Notes :

My background is in Computer Forensics and Incident Response. I am new to PowerShell, so it's likely that the script is inefficient, but it does work.

A (naive) user may attempt to hide image (picture) files by simply renaming them to appear to be other file types (e.g. Word documents). This payload uses a PowerShell script to walk the user profile looking for image files that have been hidden in this manner.

It skips files that already carry an image extension, and checks the headers of the remaining files for known image file signatures.

The output is written to a CSV file in the folder \loot\image-files.

The script can easily be modified to search for other file types (e.g. MPG movie files).

It should be noted that this payload is NOT forensically sound; if "proper" forensic tools are available, they should be used instead.

Tested on version 1.3
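As an added example (not the payload's own run.ps1), this PowerShell sketch implements the header check described above: it walks the user profile, skips files that already carry an image extension, and reports files whose first bytes match a known image signature. The signature table, the extension list and the $LootDir variable are assumptions.

```powershell
# Added example, not the payload's run.ps1: find image files disguised with a
# non-image extension by comparing the first bytes against known signatures.
# Signature table constructed here; extend it for other file types (e.g. MPG).
$ImageSignatures = @{
    'JPEG' = @(0xFF, 0xD8, 0xFF)
    'PNG'  = @(0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    'GIF'  = @(0x47, 0x49, 0x46, 0x38)
    'BMP'  = @(0x42, 0x4D)
}
# Files with these extensions are expected to be images and are skipped.
$ImageExtensions = @('.jpg', '.jpeg', '.png', '.gif', '.bmp')

function Get-ImageTypeFromHeader {
    param([string]$Path)
    # Read only the first 8 bytes; enough for every signature in the table.
    $bytes  = New-Object byte[] 8
    $stream = [System.IO.File]::OpenRead($Path)
    try { $read = $stream.Read($bytes, 0, 8) } finally { $stream.Close() }
    foreach ($type in $ImageSignatures.Keys) {
        $sig = $ImageSignatures[$type]
        if ($read -lt $sig.Length) { continue }   # file shorter than signature
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($bytes[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $type }
    }
    return $null
}

function Find-HiddenImages {
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ImageExtensions -notcontains $_.Extension.ToLower() -and $_.Length -gt 0 } |
        ForEach-Object {
            $type = Get-ImageTypeFromHeader -Path $_.FullName
            if ($type) {
                [PSCustomObject]@{
                    Path          = $_.FullName
                    Extension     = $_.Extension
                    DetectedType  = $type
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

# Usage: $LootDir is an assumed variable pointing at the Bunny's loot folder.
# Find-HiddenImages | Export-Csv -Path "$LootDir\image-files\hidden-images.csv" -NoTypeInformation
```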

STATUS

LED Status           Meaning
Purple (blinking)    Attack in progress
Green (blinking)     Attack finished