hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'cleanup' of github.com:hak5/bashbunny-payloads into cleanup

cleanup
Foxtrot 2019-07-05 20:39:59 +01:00
parent f3cb607e0e 53aaa4d1c0
commit f582f57a34
21 changed files with 219 additions and 220 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
payloads/library/execution/RAZ_VBScript/payload.txt
View File

@ -4,17 +4,15 @@
# Author: RalphyZ
# Version: 1.1a
# Target: Windows 7+
# Dependencies: VBScript (a.vbs) in the switch folder with this file
# Dependencies: Included a.vbs script
#
# Description: Executes a VBScript, concealed in a hidden PowerShell window
#
# Colors:
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
# | FAIL | Red slow blink | Could not find the a.vbs script |
# | ATTACK | Yellow single blink | Running the VBScript |
# | FINISH | Green blink followed by SOLID | Script is finished |
# LEDS:
# Magenta: Setting attack mode, getting the switch position
# Red Blink: Could not find the a.vbs script
# Yellow Single Blink: Running the VBScript
# Green Blink to Solid: Script is finished
# Magenta solid
LED SETUP
@ -43,4 +41,4 @@ QUACK ENTER
# Green 1000ms VERYFAST blink followed by SOLID
LED FINISH
exit 0
exit 0

11
payloads/library/execution/RevShellBack/payload.txt
View File

@ -1,12 +1,19 @@
#!/bin/bash
#
# Title: RevShellBack
# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
# Author: NodePoint
# Version: 0.1.3
# Category: Execution
# Target: Windows
# Attackmodes: Ethernet, HID
# Attack Modes: RNDIS_ETHERNET, HID
# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
#
# LEDS:
# Magenta: Setup
# Yellow Single Blink: Open CMD
# Yellow Double Blink: Start Reverse Shell
# Cyan Blink: Attack
# Green: Finished
# Set attack mode
LED SETUP

18
payloads/library/execution/ShellExec/payload.txt
View File

@ -2,17 +2,17 @@
# Title: ShellExec
# Author: audibleblink
# Target: Mac/Linux
# Target: Mac, Linux
# Version: 1.1
# Attack Modes: ECM_ETHERNET, HID
# Description: Create a web server on the BashBunny and force the victim to download and execute a script.
# Perfect for when mass storage isn't an option.
#
# Create a web server on the BashBunny and force
# the victim to download and execute a script.
# Perfect for when mass storage isn't an option.
#
# White | Ready
# Ammber blinking | Waiting for server
# Blue blinking | Attacking
# Green | Finished
# LEDS:
# White: Ready
# Amber Blink: Waiting for server
# Blue Blink: Attacking
# Green: Finished
LED SETUP
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E

20
payloads/library/execution/StickyBunny/payload.txt
View File

@ -1,15 +1,17 @@
#!/bin/bash
#
# Title: StickyBunny
# Author: Squibs
# Version: 0.3
# Plug2Pwn: 18s
# Title: StickyBunny
# Author: Squibs
# Version: 0.3
# Attack Modes: HID
# Target: Windows
# Runtime: 18s
# Description: Creates the sticky keys back door on a windows machine
#
# Creates the sticky keys back door on a windows machine
#
# Blue...............Preparing Attack
# Yellow.............Attacking
# Green..............GTFO
# LEDS:
# Blue: Preparing Attack
# Yellow: Attacking
# Green: Finished
#Open Admin Powershell
ATTACKMODE HID

23
payloads/library/execution/exe_UACBypassD&E/payload.txt
View File

@ -1,14 +1,24 @@
# Title: UACBypass
# Author: Skiddie
# Version: 1.1
# Target: Windows
# Title: UACBypass
# Author: Skiddie
# Version: 1.1
# Target: Windows
# Attack Modes: HID, STORAGE
#
# Description: Download and executes any binary executable with administrator privileges WITHOUT prompting the user for administrator rights (aka UAC bypass/exploit). Please define URL and SAVEFILENAME in the a.vbs script. Target does need internet connection. Works on Windows 7 - Windows 10. The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges. However from what i am aware version 7,8 and 8.1 are still effected. Currently fastest download and execute for HID attacks to date. (with UAC bypass)
# Description: Download and executes any binary executable with administrator privileges WITHOUT prompting
# the user for administrator rights (aka UAC bypass/exploit). Please define URL and SAVEFILENAME
# in the a.vbs script. Target does need internet connection. Works on Windows 7 - Windows 10.
# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges.
# However from what I am aware version 7,8 and 8.1 are still effected.
# Currently fastest download and execute for HID attacks to date. (with UAC bypass)
#
# LEDS:
# Magenta: Starting
# Green: Finished
#Define your bunny storage stick name
DRIVER_LABEL='BashBunny'
#RED means starting
#Magenta means starting
LED SETUP
#Gets File locations
@ -17,7 +27,6 @@ GET SWITCH_POSITION
#We are a keyboard
ATTACKMODE HID STORAGE
QUACK DELAY 500
RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''$DRIVER_LABEL''').Name+'payloads\\$SWITCH_POSITION\a.vbs')"
QUACK DELAY 1000

17
payloads/library/execution/psh_DownloadExec/payload.txt
View File

@ -4,18 +4,17 @@
# Author: LowValueTarget
# Version: 1.2
# Category: Powershell
# Target: Windows XP SP3+ (Powershell)
# Target: Windows XP SP3+
# Attackmodes: HID, RNDIS_ETHERNET
# Firmware: >= 1.3
# Description: Quick HID attack to retrieve and run powershell payload from BashBunny web server.
# Ensure p.txt (your powershell payload) exists in payload directory
#
# Quick HID attack to retrieve and run powershell payload from BashBunny web server
# ensure p.txt (your powershell payload) exists in payload directory
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | Stage 1 | Running Initial Powershell Commands |
# | Stage 2 | Delivering powershell payload |
#
# LEDS:
# Yellow Single Blink: Running Initial Powershell Commands
# Yellow Double Blink: Delivering powershell payload
# Green: Finished
# Red Blink: Failure
ATTACKMODE RNDIS_ETHERNET HID
LED SETUP

30
payloads/library/execution/psh_DownloadExecSMB/payload.txt
View File

@ -4,26 +4,22 @@
# Author: LowValueTarget
# Version: 2.0
# Category: Powershell
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, RNDIS_ETHERNET
# Target: Windows XP SP3+
# Attack Modes: HID, RNDIS_ETHERNET
# Firmware: >= 1.2
# Required Tools: impacket
# Description: Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer.
# Possibilities are limitless! Credentials captured by are stored as loot.
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
#
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
# Credentials captured by are stored as loot.
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
#
# Required tools: impacket
=======
# Credentials captured by are stored as loot.
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
#
# Required tools: impacket
#
# | Attack Stage | Description |
# | ------------------- | ------------------------------|
# | Stage 1 | Powershell |
# | Stage 2 | Delivering powershell payload |
# LEDS:
# Magenta: Setup
# Yellow Single Blink: Powershell
# Yellow Double Blink: Delivering powershell payload
# White: Clean up
# Green: Finished
#
ATTACKMODE RNDIS_ETHERNET HID
# SETUP

23
payloads/library/exfiltration/BlackBackup/payload.txt
View File

@ -1,16 +1,17 @@
# Title: BlackBackup
# Author: JWHeuver & JBaselier
# Version: 1.0
#
# Runs powershell script to get Wlan and logon credentials
# from computer and save them on USB drive (Storage attack)
#
# Purple.............Loading
# Green .............Execute Credential Ripper Powershell
# Off................Finished
#
#!/bin/bash
# Title: BlackBackup
# Author: JWHeuver & JBaselier
# Version: 1.0
# Description: Runs powershell script to get Wlan and logon credentials
# from computer and save them on USB drive (Storage attack)
#
# LEDS:
# Purple: Loading
# Green: Execute Credential Ripper Powershell
# Off: Finished
#
# OPTIONS - More options available in the Powershell payload
OBFUSCATECMD="N" # Y=yes or N=no

40
payloads/library/exfiltration/FileInfoExfil/payload.txt
View File

@ -1,18 +1,21 @@
#Title: FileInfoExfiltrator
#Author: A_SarcasticGuy
#Version: 1.0
#Target: Windows
#!/bin/bash
# Title: FileInfoExfiltrator
# Author: A_SarcasticGuy
# Version: 1.0
# Attack Modes: HID, STORAGE
# Targets: Windows
# Description: Runs Powershell that calls a .ps1 file to scan (in all subdirectories of path provided)
# for all files (by default starting on c:/) beginning with a #specific phrase (default "pass*")
# to then be outputted to a text file in the loot directory, in a subfolder with the name of the
# system and with a file name of the date and time of the scan.
# NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
#
#Runs Powershell that calls a .ps1 file to scan (in all subdirectories of path provided) for all files (by default starting on c:/) beginning with a #specific phrase (default "pass*") to then #be outputted to a text file in the loot directory, in a subfolder with the name of the system and with a #file name of the date and time of the scan.
# LEDS
# Magenta: Script Started
# Yellow: Ducky Script Started
# Red: Failed to run Ducky Script, see log file
#
# Options: Search Directory: Find in p.bat (default c:/)
# Search criteria: Find in p.bat (default "pass*")
#
# Purple LED..................Script Started
# Yellow LED..................Ducky Script Started
# Red LED.....................Failed to run Ducky Script, see log file
#
# NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
#
LED SETUP
@ -23,29 +26,18 @@ ATTACKMODE HID STORAGE
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
#Call ducky script
LED STAGE1
QUACK ${SWITCH_POSITION}/ducky_script.txt
QUACK DELAY 10000
LED FINISH
else
LED FAIL
#Red LED if unable to load script
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1
fi

8
payloads/library/exfiltration/MacPDFExfil/payload.txt
View File

@ -4,9 +4,9 @@
# Author: k1ul3ss
# Props: audibleblink
# Version: 1.0
# Category: Exfiltration
# Target: macOS
# Attackmodes: HID, Storage
# Targets: macOS
# Attack Modes: HID, Storage
# Description: Finds all PDFs in the users Home directory, and then copies them to the Bunnys storage.
ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
@ -28,4 +28,4 @@ QUACK STRING find \~ -name \'*.pdf\' -exec cp \"{}\" $lootdir \\\;\; killall Ter
QUACK ENTER
# sync the filesystem
sync
sync

11
payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt
View File

@ -3,10 +3,15 @@
# Title: Powershell Extractor
# Author: $irLurk$alot
# Version: 1.0
# Target: Windows
# Targets: Windows
# Attack Modes: HID, STORAGE
# Description: Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn runs powershell script to copy move and extract data.
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn runs powershell script to copy move and extract data.
# LEDS:
# Magenta: Setting Up
# Yellow Blink: Executing Powershell
# Green: Finished
LED SETUP

11
payloads/library/exfiltration/SmacAndGrab/payload.txt
View File

@ -2,13 +2,14 @@
#
# Title: sMacAndGrab
# Author: audibleblink
# Target: macOS
# Targets: macOS
# Version: 1.2
# Attack Modes: STORAGE, HID
# Description: Backup a list of files from macOS
#
# Backup a list of files from macOS
#
# Yellow (blinking)...Attacking
# Green...............Finished
# LEDS:
# Yellow Blink: Attacking
# Green: Finished
LED ATTACK
ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E

22
payloads/library/exfiltration/SmartFileExtract/payload.txt
View File

@ -1,16 +1,18 @@
#!/bin/bash
#
# Title: ExecutableInstaller
# Author: IMcPwn (original)
# Additions: SaintCrossbow (only for the parts to run SFE)
# Version: 1.0
# Target: Windows 7+
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
# Title: SmartFileExtract
# Author: IMcPwn
# Props: SaintCrossbow
# Version: 1.0
# Targets: Windows
# Description: Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
#
# LEDS:
# Red: Attacking
# Green: Finished
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh

6
payloads/library/exfiltration/TwoStageMac/payload.txt
View File

@ -1,12 +1,18 @@
# Title: TwoStageMac
# Description: A simple two stage payload for OSX. Sample second stage
# does some device profiling.
#
# Author: Draxiom
# Props: jdetmold
# Version: 1.0
# Category: Exfiltration
# Target: OSX
# Attack Modes: HID, STORAGE
# LEDS:
# Magenta - Setup
# Yellow Blink - Attacking
# White - Clean up
# Green - Finished
LED SETUP
ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE

20
payloads/library/exfiltration/browserData/payload.txt
View File

@ -2,16 +2,17 @@
#
# Title: BrowserData
# Author: zachstanford
# Version: 0.1 (Tested on Windows 10)
# Version: 0.1
# Targets: Windows
# Attack Modes: HID, STORAGE
# Description: Dumps browser info like history and bookmarks from powershell script
# then saves them in /root/udisk/loot/BrowserData/%ComputerName%
# Credits to this Empire's powershell script:
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1
#
# Dumps browser info like history and bookmarks from powershell script
# then saves them in /root/udisk/loot/BrowserData/%ComputerName%
# Credits to this Empire's powershell script:
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1
#script
# Blue...............Running Script
# Purple.............Finished
# LEDS:
# Blue: Running Script
# Magenta: Finished
# Not sure if this is the right variable. Feel free to change it.
@ -23,7 +24,6 @@ LED R SLOW
LOOTDIR=/root/udisk/loot/BrowserData
mkdir -p $LOOTDIR
LED B SLOW
# wait 6 seconds for the storage to popup

15
payloads/library/exfiltration/dropbox-exfiltrator/payload.txt
View File

@ -1,9 +1,14 @@
# Dropbox Exfiltrator
# Title: Dropbox Exfiltrator
# Author: Hak5Darren
# Props: jimcola99 Buchanan
# Demo: Hak5 episode 2505
# Target: Windows Vista+
# Category: Exfiltration
# Props: jimcola99, Buchanan
# Demo: Hak5 Episode 2505
# Targets: Windows
# Description: Exfiltrate via DropBox
#
# LEDS:
# Magenta: Setup
# Yellow Blink: Getting Script
# Green: Finish
LED SETUP
ATTACKMODE HID

24
payloads/library/exfiltration/ftp_exfiltrator/payload.txt
View File

@ -1,19 +1,17 @@
#!/bin/bash
#
# Title: FTP Exfiltrator
# Author: Nutt
# Version: 1.0
# Target: Windows
# Title: FTP Exfiltrator
# Author: Nutt
# Version: 1.0
# Targets: Windows
# Description: Exfiltrates files from the users Documents folder FTP's all files/folders to a specified
# FTP site named by the victim hostname. Powershell FTP script will stay running after
# BashBunny is unpluggedonce light turns green unplug and check FTP site.
#
#Exfiltrates files from the users Documents folder
#FTP's all files/folders to a specified FTP site named by the victim hostname.
#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
#Executes 1.ps1
#Purple.........Setup
#Red............Failed - Need to work on
#Green..........Finished
# LEDS:
# Purple: Setup
# Red: Failed - Need to work on
# Green: Finished
LED SETUP
GET SWITCH_POSITION

43
payloads/library/exfiltration/optical-exfiltration/payload.txt
View File

@ -1,31 +1,22 @@
#!/bin/bash
#
# Title: Optical Exfiltration
# Author: bg-wa
# Version: 1.0
# Category: HID
# Target: *NIX
# Attackmodes: HID
# Sources: Hak5 2320, https://github.com/bg-wa/QRExtractor
# Title: Optical Exfiltration
# Author: bg-wa
# Version: 1.0
# Targets: macOS, Linux
# Attack Modes: HID
# Sources: Hak5 2320, https://github.com/bg-wa/QRExtractor
# Description: Quick HID only attack to write an HTML/JS file to target machine
# and open a browser, to exfiltrate data Using QR Codes and a video recording device.
# Optional html params:
# base64: Passing a base64 string to this param will auto-start processing QR Codes.
# playback: Passing the string "finish" to this param will auto-play the results, when QR codes finish rendering.
# Example: Ln65: Q STRING firefox "$target_html?playback=finish&base64=my_long_string"
#
# Quick HID only attack to write an HTML/JS file to target machine
# and open a browser, to exfiltrate data Using QR Codes and a video
# recording device.
#
# Optional html params:
# base64: Passing a base64 string to this param will auto-start processing QR Codes.
#
# playback: Passing the string "finish" to this param will auto-play the results,
# when QR codes finish rendering.
#
# Example:
# Ln65: Q STRING firefox "$target_html?playback=finish&base64=my_long_string"
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | SETUP | Open vi |
# | ATTACK | Writing HTML |
# | FINISH | Browser Ready/Processing |
# LEDS:
# Magenta: Open vi
# Yellow Blink: Writing HTML
# Green: Browser Ready/Processing
#
ATTACKMODE HID
@ -65,4 +56,4 @@ Q ENTER
Q STRING firefox "$target_html"
Q ENTER
LED FINISH
LED FINISH

14
payloads/library/exfiltration/simple-usb-extractor/payload.txt
View File

@ -1,4 +1,16 @@
# Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs
#!/bin/bash
#
# Title: simple-usb-extractor
# Version: 1.0
# Author: danthegoodman1
# Targets: Windows
# Attack Modes: HID, STORAGE
# Description: Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs
#
# LEDS:
# Yellow Blink - Attacking
# Green - Finished
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE

53
payloads/library/exfiltration/smb_exfiltrator/payload.txt
View File

@ -4,47 +4,20 @@
# Author: Hak5Darren
# Props: ImNatho, mike111b, madbuda
# Version: 1.1
# Category: Exfiltration
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Ethernet
# Target: Windows XP
# Attack Modes: HID, RNDIS_ETHERNET
# Requires: Impacket Tool
# Description: Exfiltrates select files from users's documents folder via SMB.
# Liberated documents will reside in Bash Bunny loot directory under
# loot/smb_exfiltrator/HOSTNAME/DATE_TIME. Exfiltration options configured from included s.ps1 script.
#
# CHANGELOG
# =========
# Rewrite of the original SMB Exfiltrator payload with:
# - Faster copying, using robocopy multithreaded mode
# - Faster finish, using a EXFILTRATION_COMPLETE file
# - Offload logic to target PC for accurate date/time
# - Clears tracks by default without second run dialog
# - Test-Connection handling by ICMP (no lame sleeps)
# - Hidden powershell window by default
#
# REQUIREMENTS
# ============
# Needs impacket to be copied to /tools/impacket and installed
# Option A:
# 1. Download impacket from https://github.com/CoreSecurity/impacket
# 2. Copy impacket folder to /tools on the Bash Bunny flash drive
# 3. Boot Bash Bunny into arming mode and connect to console via serial
# 4. Issue "python /tools/impacket/setup.py install"
# Option B:
# 1. Download impacket deb package
# 2. Copy impacket.deb to /tools on the Bash Bunny flash drive
# 3. Boot Bash Bunny into arming mode. Impacket will install automatically.
#
# LED STATUS
# ==========
# FAIL........Failed to find dependencies
# STAGE1......HID Stage
# STAGE2......Ethernet Stage
# SPECIAL.....Receiving Files
# CLEANUP.....Moving Liberated Files
# FINISH......Finished
#
# OPTIONS
# =======
# Exfiltration options configured from included s.ps1 script
# LEDS:
# Red: Failed to find dependencies
# Yellow Single Blink: HID Stage
# Yellow Double Blink: Ethernet Stage
# Cyan: Receiving Files
# White: Moving Liberated Files
# Green: Finished
######## INITIALIZATION ########
REQUIRETOOL impacket

14
payloads/library/exfiltration/usb_exfiltrator/payload.txt
View File

@ -3,14 +3,16 @@
# Title: USB Exfiltrator
# Author: Hak5Darren
# Version: 1.1
# Target: Windows XP SP3+
# Target: Windows XP
# Props: Diggster, IMcPwn
# Category: Exfiltration
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies documents to the loot folder on the Bash Bunny.
# Description: Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies documents to the loot folder on the Bash Bunny.
#
# LEDS:
# Yellow Blink: Attacking
# Green: Finished
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE