Everything posted by UnKn0wnBooof

  1. I've just uploaded an update. I've checked all the script, I've added a logging function to the SP.bat, updated Wind.exe to support a few more programs, I'm not sure what else could be causing the problem. Maybe it's the %COMPUTERNAME% variable? If you edit the SP.bat, you could add the following line of script: set COMPUTERNAME=MYCOMPUTER maybe that might help. It seems to work on everything I've tested it on though.
  2. The passwords should be stored in "USBDRIVE:\Data\Backups\Computer-Name\what ever else" If the backup complete sound doesn't work, then it's probably because your Windows installation doesn't recognise the vbs file type. I believe it's because I forgot a string that tells Windows to use the vb interpreter. I'll see if I can fix it in the next release.
  3. Aaaahh. I've fixed it now. I forgot to call the functions (like you said). I fixed it now. I'm new to the language but I seem to be learning fast. New code:
  4. Hi, I'm working on the payload "ULTIMATE DATA THEIF!" and the program I developed "Wind.bat" doesn't work on all versions of Windows (I get a VB reg read error) so I've decided to write the program in Visual Basic. However, I can't get the program to print out the Windows product key - It just shows the start dialogue and exits. Current work: Thanks. Wind.zip
  5. Hhhmmmm. This vb script error seems to be really odd. Works on all of my machines. Perhaps I should re-write the code in C++ and compile it as an executable program. I haven't written an executable program before but I can give it a try. It will be some time before I upload an update since I'm usually busy.
  6. Hhhmmmm. This vb script error seems to be really odd. Works on all of my machines. Perhaps I should re-write the code in C++ and compile it as an executable program. I haven't written an executable program before but I can give it a try. It will be some time before I upload an update since I'm usually busy.
  7. I think I've solved the problem. Download the update from the Dropbox link that you went to before. The problem was the compiled batch file (wind). I've decided to leave it as a batch file, AKA it's now open-source. I tested it on a friend's Windows 8 machine. I believe 64BIT machines don't like compiled batch files so much.
  8. I think I've solved the problem. Download the update from the Dropbox link that you went to before. The problem was the compiled batch file (wind). I've decided to leave it as a batch file, AKA it's now open-source. I tested it on a friend's Windows 8 machine. I believe 64BIT machines don't like compiled batch files so much.
  9. I'll try and see if I can fix this issue. I haven't had the issue on any of my computers. I'll release an update if I fix it. Keep an eye on the dropbox link to see if I upload an update.
  10. Created a new topic. Wouldn't let me edit this one - bummer. Link: https://forums.hak5.org/index.php?/topic/30740-payload-ultimate-data-theif-new/
  11. Ultimate Data Thief (DT) By Lavanoid Volcanic

      GIVE THE DUCK POWER!

      Features of this payload:
      • Backup Windows Logon Passwords (Doesn't work on Windows 8.1).
      • Backup saved passwords from Chrome, IE, Firefox etc.
      • Get directory listings of common document paths such as Music, Pictures etc.
      • Init script support, meaning that you can add batch scripts in the "Init" directory so that DT will execute it.
      • Get a visual notification when program has executed (MSG.exe must be integrated in Windows. Usually not available in Windows Home Premium/Home Edition).
      • Get a sound notification when program has executed. This can be configured by editing the configuration file.
      • Verbose logging of backup process.
      • Shut-down, reboot or lock system when program execution has completed.
      • Replace Administrator password every time the program is run. (Disabled by default)
      • Wipe the "Run" dialogue history so it seems that nothing was ever run from it.
      • Read a configuration file instead of editing the DT.bat. Configuration file: DT_Configuration.ini
      • Integrated Netcat/Nmap to listen on a port (Used for a remote shell). Thanks Shannon Morse for talking about Netcat so much. Netcat will be installed as a Windows service so it has admin access, and it runs upon Windows startup. Default username and password: Lavanoid (Username), LavanoidVolcanic (Password).
      • Run Mimikatz without AV detection, using PowerSploit to accomplish this - Requested by MB60893. Thank you soooo much MB60893! An internet connection is currently required to run this feature.
      • Listing of workgroups and domains on the local network.
      • Customised NetCat remote command line.
      • Unmount the payload storage once execution of DT has completed.

      Anything else?

      Other new things:
      • Edited the Compiler.bat to support SCRIPT_EX.bat
      • Edited the payloads located in Scripts\Payloads
      • Backup IE, Firefox, Opera etc.
      • Cleaner DT.bat file, re-wrote the whole script for the 3rd time. Much smaller and tidier now.
      • The NetCat Terminal.bat uses a hashing algorithm for the password. Old Terminal.bat configuration files WILL be deleted since they WON'T work with the newer version.

      Other features of this program:
      • Checking of main files located in \Res. Checked with a size verification and Sha1Sum (Sha1Sum used in v2.1+)
      • Re-wrote/Re-writing everything from scratch, with more variables that can be triggered/changed, as well as a major tidy up. Everything is much cleaner than it was before.
      • Added an "API" as I like to call it; to check files with a Sha1Sum verification. Usage: call :DT_Sha1Sum_Check_Compact "File name/path" "Expected Sha1Sum"
      • In version 2.2, I also added a script that adds a firewall entry for netcat. Why didn't I do that in the first place?
      • No longer need to use SCRIPT_EX.exe.

      Plans for later versions:
      • Combining all EXEs together then encrypt them to avoid AV.
      • Faster execution.
      • Backup more programs.
      • Add more cool features to show who's boss.
      • Encrypt all the programs located in \Res so AV can't detect them and neither will they have to be stored in an encrypted zip archive.

      Known issues:
      • Slow at "Backing up" data - this is simply because DT has to extract the required data from an encrypted zip archive. An attempt to avoid AV.

      Notes:
      • New features are added in my free time. I'm usually busy so patience is most appreciated.
      • Default username and password for the remote netcat login: Username: Lavanoid, Password: LavanoidVolcanic
      • DON'T FORGET TO CHECK THE CONFIGURATION IN DT_Configuration.ini! You can open DT_Configuration.ini in any text editor. I personally use Notepad++ since it makes batch programming seem more fun.

      Payload (optimized for the 4CAP firmware):

      Payload (Optimized for the dual duck firmware by having a delay at the start):

      WANT FASTER EXECUTION? NO PROBLEM! Here's a payload that you can encode to execute DT even faster! I would have integrated it into Installer.bat but Microsoft's batch language is really stupid so it won't write part of the script properly.

      Faster payload:

      If you are using a different besides a firmware that waits for a key to be pressed, you may want to set a delay at the start of the above payload. I recommend DELAY 15000.

      This payload requires extra data to dump information, so you need to download all the files in the link below. Download the zip file and extract it on your desktop, then run the "Installer.bat". The installer will ask you questions to help you configure the duck and the payload. Once installed, you can re-insert the duck and the payload will be ready.

      Recommended Ducky Firmware: 4CAP - I recommend this firmware because Windows can take its time installing drivers (especially netbooks), so if Windows exceeds the delay time by installing drivers, then it wouldn't matter because as soon as you know that the drivers are installed - just press Caps lock 4 times. No time wasted :D .

      DOWNLOADS!
      Link to 4CAP: Here
      Payload and data dumping programs: Here (Dropbox) or Here (GitHub)

      Have fun!

      Disclaimer (a typical one) - I'm not responsible for any turn out. If you run this payload or any of the other programs included within the zip archive - then you accept FULL responsibility. I highly doubt that this payload and the programs will damage your system, but a disclaimer is always good to reassure developers.

      WARNING! For those of you who are upgrading from 2.4 to 2.5 - remove the NetCat.bat file located in Data\Init as the installer has been integrated into DT.bat

      REMEMBER: EDIT THE CONFIGURATION FILE BEFORE EXECUTING THIS PAYLOAD!

      GREAT NEWS!! I've been reviewing some of the code for DT and I've decided to make it even better. I've already made a lot of changes to the DT.bat and NetCat Terminal.bat BUT I'M NOT FINISHED! I'M JUST GETTING STARTED! Why not let the duck disable all other HID devices? I've already found some great programs that will allow me to accomplish this, now I just have to write the scripts! Unfortunately, I'm running Ubuntu (latest version) so since I am not running Windows, I am not able to execute my goals of making this payload better. I could write the script using text editors installed on Ubuntu but it just isn't the same as writing with Notepad++, neither can I test it afterwards. PATIENCE IS THE ESSENCE!

      My goal is to bring you the best payload possible! I want as many features as possible! I would really appreciate it if you leave a comment! Every comment counts (Negative comments are NOT appreciated however)
  12. You also need the Twin Duck firmware (forgot to mention). If you don't want to use twin duck, then just put the 'Data' directory on another drive called "JUNK" or whatever you set the drive label as. The compiler should be stored on the duck if you want to install a payload directly on the duck.
  13. Basically, you run the compiler.bat to compile the inject.txt file into an inject.dat file. The file will be saved in the same directory as the .txt. Just place your ducky scripts in 'Data\Projects\<name of project>' and the file MUST be named 'inject.txt'. The compiler will install on any USB drive as long as it is stored on a USB drive - the name doesn't matter. I used some special variables so the compiler knew what drive it is stored on. The sp.bat file has a few "triggers" inside of it. Just open it with a notepad editor (I use notepad++) and change the configuration part of it. There is a variable called "avoid_antivirus" and by default that is set as true so you can set it as false if you wish. When it's set as true, some commands won't execute such as Chromepass, Mimikatz, etc. However, you can enable the proc_dump program (by changing the other variables) to avoid antivirus, but still get a user's password. inject.txt was designed to find the drive 'JUNK' so you can edit it so it will find a different label instead. It doesn't have to be named 'JUNK'. If you open some of the other files in a text editor, you should be able to figure out what they do. Just extract data.zip and place all the files on the duck. SP.bat is executed by 'SCRIPT_EX.exe' which has an Administrator manifest so you don't need the PowerShell. SCRIPT_EX.exe is launched by the inject.dat file (payload). The compiler is just a tool designed to make your duck experience easier.
  14. Just updated the "Backup_Eraser.bat", "SP.bat" and "Data.zip" file. Just download and extract the "Data.zip". Changes: Backup_Eraser.bat - Forgot to replace the directory variable with "Backups", it was set as "Pass" so it wouldn't locate any backups. SP.bat - Minor bug fixes and spelling corrections. I misspelt "process_dump" by adding an extra character. Previous value: proccess_dump. Whoops.
  15. You can't recover wifi keys without admin access. I've already attempted it, as well as taking a look at some of Microsoft's tutorials on how the encryption algorithm works. It's impossible to recover the keys without the correct permissions. The payload "ULTIMATE DATA THEIF!" does way more than just stealing wifi passwords.
  16. Maybe you should take a look at my Ducky payload. It's called "ULTIMATE DATA THEIF!!". It should definitely answer your question.
  17. Ok, so there's a lot of cool Ducky scripts out there, my personal favourite is the script that steals Windows passwords - AWESOME!!! But do any scripts aim to get more than just a Windows password? Do any of them "Backup" Google Chrome Login Data, WiFi keys, Windows Product Keys or Replace the Administrator password or even hide the account so you can have "stealthy" remote access via Windows Shares (Known as SMB)? I THINK PAYLOADS SHOULD DO MORE! So... I introduce the ULTIMATE DATA THEIF!!!

      Payload:

      Unfortunately, the forum only allows a maximum of 500kb of upload space and the extra data is just over 1MB so I put the file on my Dropbox account instead. Link: https://www.dropbox.com/sh/ad8jegywipd3l76/jo2KqlU3CB

      READ ME!!.txt contents:

      SCRIPT/PAYLOAD BY LAVANOID VOLCANIC

      THE DIRECTORIES ABOVE OR BELOW (DEPENDING ON YOUR CONFIGURATION) SHOULD BE COPIED TO THE ROOT DIRECTORY OF THE DUCKY DRIVE. YOU SHOULD EDIT THE SP.BAT FILE AND THE INJECT.TXT FILE TO SUIT YOUR REQUIREMENTS.

      FILE LOCATIONS:
      SP.bat -- Data\SP.bat
      inject.txt -- Scripts\Projects\Steal_Data\inject.txt
      Compiler.bat -- Scripts\Compiler.bat

      COMPILER.bat description: The compiler batch file basically takes away the hassle of entering all those annoying time draining commands. If the Compiler.bat file is stored on the Duck, the compiler will ask if you want to install it on the Duck.

      WHAT I HOPE: I hope that my project will be featured in one of the Hak5 videos since I do like some attention. THIS WORLD IS LONELY YOU KNOW!!

      Thank you for choosing to spend a bit of your time by poking your nose into my work.