USB

File Exfiltration

Uses a slightly modified form of Hak5's keystroke reflection to exfiltrate data via Caps Lock, Scroll Lock, and Num Lock. A bit slow, but it works nonetheless.

Uses PowerShell to run the exfiltration command. Make sure Win+R and PowerShell are accessible on the target system before running.

This uses SDR data transfer instead of DDR. This will be changed in a later update, which should speed up the transfer process by ~100%.
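Because the channel above is carried by Caps Lock, Scroll Lock, and Num Lock state changes, the host sees lock-key toggles at a rate no person produces. The following detection sketch is an added example, not Pwnhyve or Hak5 code; it assumes an endpoint agent that records lock-key state changes as (timestamp, key) pairs, and the window and threshold values are assumptions to tune.

```python
from collections import deque

LOCK_KEYS = {"CapsLock", "NumLock", "ScrollLock"}


def find_lock_key_bursts(events, window=1.0, threshold=8):
    """Return (start, end, count) spans in which at least `threshold`
    lock-key toggles fall inside a sliding `window` of seconds."""
    recent = deque()   # timestamps of lock-key toggles inside the window
    bursts = []
    current = None     # [start, end, count] of the burst in progress
    for ts, key in sorted(events):
        if key not in LOCK_KEYS:
            continue   # ordinary typing is not part of this signal
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if current is None:
                current = [recent[0], ts, len(recent)]
            else:
                current[1] = ts
                current[2] += 1
        elif current is not None:
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts


def constructed_sample():
    """Constructed telemetry: a few human toggles, unrelated keys, and one
    machine-speed run of 40 lock-key toggles spaced 20 ms apart."""
    human = [(0.0, "CapsLock"), (5.0, "CapsLock"),
             (5.4, "NumLock"), (30.0, "NumLock")]
    keys = ["CapsLock", "NumLock", "ScrollLock"]
    burst = [(10.0 + i * 0.02, keys[i % 3]) for i in range(40)]
    noise = [(10.1, "A"), (12.0, "Enter")]
    return human + burst + noise


if __name__ == "__main__":
    for start, end, count in find_lock_key_bursts(constructed_sample()):
        print(f"ALERT: {count} lock-key toggles between {start:.2f}s and {end:.2f}s")
```

Correlating an alert with a recently enumerated USB HID device and a PowerShell process start narrows false positives from keyboard macros or remote-desktop sync.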

Ducky Payloads

Shows all DuckyScript payloads saved in ./payloads

Runs the payload when chosen.

LOLBAS

Shows all LOLBAS payloads saved in ./core/LOLBAS.

Some payloads use environment variables, while some do not. None of them will tell you that, though, so it's not recommended to use this yet. Here's the list of the environment variables that the scripts use:

The descriptions of the environment variables are, in fact, non-descriptive. My fault.

  • DS_FILE is used for a target file on the host

  • DS_IP is used for target IP address

  • DS_PORT is used for target port of a command

  • DS_WEBDAV is used for a web drive, ex: FTP drive for exfilling files

  • DS_EXECUTABLE is used for a target executable, to run on the host

  • DS_REVERSE_SHELL is used for a reverse shell on another host: example of this value is 10.10.10.10:8466

  • DS_INPUT is usually used for input files, like a prompt or etc.

  • DS_OUTPUT is usually used for output files, like logs

  • DS_SOURCE is used for a source url, to download payloads or etc.

  • DS_DIRECTORY is used for the directory of a file

  • DS_HEXFILE is rarely used but is used for certutil-hex.txt and more to come

  • DS_FAKEFILE is used for alternate data streams in cmd, and is used for running a file as a batch file

Toggle USB Ethernet

Turns the RNDIS Ethernet adapter gadget on and off. On boot, it is enabled.

Toggle Mass Storage

Enables and disables the USB mass storage gadget. On boot, it is enabled. This also mounts it on Pwnhyve's Linux system, so you can access files through SSH.

Hide USB device

Hides the entire USB gadget and makes the device look unplugged to the host system.

Drive Stealer

This requires a USB to microUSB adapter connected to the Pi.

When a USB drive is plugged in, this plugin will automatically scour the USB drive for valuable files - by default it's only document files, but it's editable in the main configuration of Pwnhyve.

By default, these file types are exfiltrated:

".xlsx",
".pdf",
".txt",
".docx",
".pptx",
".pptm",
".ppt",
".xps",
".potx",
".potm",
".pot",
".ppsx",
".ppsm",
".pps",
".mp4",
".jpg",
".png",
".bmp",
".html",
".mhtml",
".exe"

All found files are copied to /tmp/pwnhyveExtractedUsb.
