From 81ae8f0e8c46e014bb5f0aa6c64e74740e2d1cc8 Mon Sep 17 00:00:00 2001 From: Luu <112649910+luu176@users.noreply.github.com> Date: Thu, 31 Oct 2024 12:56:53 +0100 Subject: [PATCH] Create README.md --- .../library/exfiltration/NTLM_ducky/README.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 payloads/library/exfiltration/NTLM_ducky/README.md diff --git a/payloads/library/exfiltration/NTLM_ducky/README.md b/payloads/library/exfiltration/NTLM_ducky/README.md new file mode 100644 index 0000000..b43d458 --- /dev/null +++ b/payloads/library/exfiltration/NTLM_ducky/README.md @@ -0,0 +1,30 @@ +# Exfiltrate NTLM Hash - Windows ✅ + +A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card. + +## Description + +This payload script captures and exfiltrates NTLM hash files from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, onto the Rubber Ducky's SD card for later extraction and analysis. Upon successful file extraction, the payload triggers a visual confirmation by blinking the Caps Lock LED + + +### Settings + +- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`). +- **Number o:** Ensure the payload has the necessary permissions for registry access. +- **Extension Requirements:** This payload includes a passive Windows detection extension for compatibility. + +## Credits + +

Luu176

+
+ + + + +
+ + + +
GitHub +
+
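Review bot: In the "### Settings" list, the second bullet's label is truncated to "**Number o:**" and its text ("Ensure the payload has the necessary permissions for registry access.") describes a prerequisite rather than a numeric setting; either restore the intended setting name with a matching description or relabel the bullet so the label and text agree. The third bullet, "**Extension Requirements:**", likewise documents a dependency, not a configurable value, so it would read better under a separate requirements heading. In the Description, the last sentence ("...blinking the Caps Lock LED") is missing its final period, and the title and first line say "NTLM hash files" while the Description says the files saved are SAM and SYSTEM, so the README should use one term consistently.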