hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #306 from TW-D/master 

Add "X-Frame-Options" Scanner
pull/317/head
Dallas Winger 2023-04-24 16:47:29 -04:00 committed by GitHub
parent 6689787c8a 279dda3009
commit 5d7cee9eba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 205 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
payloads/library/recon/x-frame-options_scanner/README.md Normal file
View File

@ -0,0 +1,69 @@
# "X-Frame-Options" Scanner
- Title: "X-Frame-Options" Scanner
- Author: TW-D
- Version: 1.0
- Category: Recon
## Description
Uses the "Microsoft Edge" web browser to search for web servers within
a range of IPv4 addresses that do not have an "X-Frame-Options" header.
Then exports the results to a PDF file accessible in the Rubber Ducky.
The results contain the tested IPv4 addresses and the HTML rendering.
## Tested On
>
> Microsoft Edge (Windows 10)
>
| X-Frame-Options | Encryption | Detectable |
| --- | --- | --- |
| None | None | Yes |
| Set to SAMEORIGIN | None | No |
| Set to SAMEORIGIN | Self-Signed Certificate | No |
__NOTE :__ *All cases could not be tested.*
## Configuration
In the "payload.txt" file, replace the values of the following constants :
```
REM ---
REM USB Rubber Ducky label.
REM ---
DEFINE #RD_LABEL DUCKY
REM ---
REM Format of an allowed IPv4 address range.
REM 192.168.0.X-192.168.0.Y where (X < Y)
REM ---
DEFINE #LAN 192.168.0.1-192.168.0.50
```
## Advanced Configuration
In the "main.js" file available in the "recon_files/assets/js/" directory,
you can add new ports to be tested for each host :
```js
if (LAN) {
Promise.all(
[
...,
recon('http', 8080),
recon('https', 8443)
]
);
}
```
## Usage
At the root of the USB Rubber Ducky, copy the "recon_files/" folder.

40
payloads/library/recon/x-frame-options_scanner/payload.txt Normal file
View File

@ -0,0 +1,40 @@
REM TITLE : "X-Frame-Options" Scanner
REM AUTHOR : TW-D
REM TARGET : Microsoft Edge
REM VERSION : 1.0
REM CATEGORY : Recon
REM REQUIREMENT : DuckyScript 3.0
ATTACKMODE HID STORAGE
DELAY 10000
REM ---
REM USB Rubber Ducky label.
REM ---
DEFINE #RD_LABEL DUCKY
REM ---
REM Format of an allowed IPv4 address range.
REM 192.168.0.X-192.168.0.Y where (X < Y)
REM ---
DEFINE #LAN 192.168.0.1-192.168.0.50
SAVE_HOST_KEYBOARD_LOCK_STATE
IF ( $_CAPSLOCK_ON ) THEN
CAPSLOCK
DELAY 500
END_IF
IF ( $_NUMLOCK_ON == FALSE ) THEN
NUMLOCK
DELAY 500
END_IF
GUI r
DELAY 1500
STRINGLN CMD /K "MODE CON:COLS=18 LINES=1 && FOR /F %d IN ('WMIC Volume GET DriveLetter^, Label^|FINDSTR "#RD_LABEL"') DO @SET RD_LABEL=%d"
DELAY 2000
STRINGLN START MSEDGE --headless --disable-gpu --run-all-compositor-stages-before-draw --print-to-pdf="%RD_LABEL%\loot_%RANDOM%.pdf" "%RD_LABEL%\recon_files\index.html?lan=#LAN" && EXIT
RESTORE_HOST_KEYBOARD_LOCK_STATE

25
payloads/library/recon/x-frame-options_scanner/recon_files/assets/css/style.css Normal file
View File

@ -0,0 +1,25 @@
body {
margin: 0;
}
h1, #url {
text-align: center;
}
#url {
font-size: small;
border-width: 1px;
border-style: solid;
border-color: white;
color: whitesmoke;
padding: 1vh 0 1vh 0;
background-color: lightslategray;
}
iframe {
min-width: 100vw;
max-width: 100vw;
min-height: 98vh;
max-height: 98vh;
border-style: none;
}

2
payloads/library/recon/x-frame-options_scanner/recon_files/assets/js/constants.js Normal file
View File

@ -0,0 +1,2 @@
const LAN = (new URLSearchParams(document.location.search).get('lan'));
const OUTPUT = document.querySelector('#output');

15
payloads/library/recon/x-frame-options_scanner/recon_files/assets/js/functions/recon.js Normal file
View File

@ -0,0 +1,15 @@
async function recon(scheme, port) {
for (let target of targets()) {
let url, div, iframe;
url = (scheme + '://' + target + ':' + port + '/');
div = document.createElement('div');
div.id = 'url';
div.innerText = url;
iframe = document.createElement('iframe');
iframe.sandbox = 'allow-same-origin allow-scripts';
iframe.src = url;
OUTPUT.appendChild(div);
OUTPUT.appendChild(iframe);
await sleep();
}
}

7
payloads/library/recon/x-frame-options_scanner/recon_files/assets/js/functions/sleep.js Normal file
View File

@ -0,0 +1,7 @@
function sleep() {
return(
new Promise(
resolve => setTimeout(resolve, 1250)
)
);
}

18
payloads/library/recon/x-frame-options_scanner/recon_files/assets/js/functions/targets.js Normal file
View File

@ -0,0 +1,18 @@
function targets() {
let bounds, wholes, hosts;
bounds = LAN.split('-');
wholes = [bounds[0].split('.'), bounds[1].split('.')];
hosts = [parseInt(wholes[0].pop()), parseInt(wholes[1].pop())];
wholes = [wholes[0].join('.'), wholes[1].join('.')];
if (wholes[0] === wholes[1]) {
let whole, targets;
whole = wholes[0];
targets = new Array();
for (let host = hosts[0]; host <= hosts[1]; host++) {
targets.push(whole + '.' + host);
}
return(targets);
} else {
return(new Array());
}
}

8
payloads/library/recon/x-frame-options_scanner/recon_files/assets/js/main.js Normal file
View File

@ -0,0 +1,8 @@
if (LAN) {
Promise.all(
[
recon('http', 80),
recon('https', 443)
]
);
}

21
payloads/library/recon/x-frame-options_scanner/recon_files/index.html Normal file
View File

@ -0,0 +1,21 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" type="text/css" href="./assets/css/style.css?version=1.0.0" />
</head>
<body>
<main>
<section>
<h1>X-FRAME-OPTIONS Scanner</h1>
<div id="output"></div>
</section>
</main>
<script type="text/javascript" src="./assets/js/constants.js?version=1.0.0"></script>
<script type="text/javascript" src="./assets/js/functions/targets.js?version=1.0.0"></script>
<script type="text/javascript" src="./assets/js/functions/sleep.js?version=1.0.0"></script>
<script type="text/javascript" src="./assets/js/functions/recon.js?version=1.0.0"></script>
<script type="text/javascript" src="./assets/js/main.js?version=1.0.0"></script>
</body>
</html>