I really missed the BB's original variable "$SWITCH_POSITION", since in testing BB's payload I'm maintaining it in my code as:
ORIGINAL_SWITCH="/root/udisk/payloads/$SWITCH_POSITION"
Thanks to @catatonicprime for offering the fix for this issue.
Sometimes the host name is the same as the username, so we add it to the username and password wordlists automatically to be used during the brute-force attack.
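One way to seed the wordlists as the commit above describes, as an added example that is not the payload's own code: the target's host name (as reported and lower-cased, since usernames are often lower case) is pushed to the top of both lists, but only if it is not already there, so repeated runs do not bloat the lists. The file paths, function names and sample wordlists are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the payload's own code: seed the brute-force wordlists
# with the target's host name. Paths, function names and the sample lists
# used by the caller are assumptions.

# Prepend a candidate to a wordlist unless it is already present (exact line
# match). Returns 0 when the word was added, 1 when it was already there.
seed_wordlist() {
    local word="$1" list="$2"
    [ -f "$list" ] || : > "$list"
    if grep -qxF -- "$word" "$list"; then
        return 1
    fi
    { printf '%s\n' "$word"; cat "$list"; } > "$list.tmp" && mv "$list.tmp" "$list"
    return 0
}

# Add the host name, as reported and lower-cased, to both the username and
# the password list. Prints the number of entries actually added.
seed_from_hostname() {
    local host="$1" users="$2" passes="$3" added=0 lower cand
    lower=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    for cand in "$host" "$lower"; do
        seed_wordlist "$cand" "$users" && added=$((added + 1))
        seed_wordlist "$cand" "$passes" && added=$((added + 1))
    done
    echo "$added"
}
```

In a payload this would be called right after the host name has been read from the target (for example from the loot of a previous stage), before the brute-force loop starts.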
* Adding Jackalope, a Bunny+Metasploit chimera project.
* Fixing inaccurate documentation.
* Generate the password entry payload on the alternate switch.
* Additional documentation concerning alternate payload mechanism.
* Branding
* Update readme.md
* Rearchitecting payload to be independent. No longer overwrites the alternate payload location. Uses the WAIT interface to interact with the tester to reuse a password, clear the password, and re-attack the machine.
* Response to Hak5 2506
* A random 'e' ended up on line 58.
Line is blank now like it is supposed to be.
* Created readme
STAGE2 made more sense when it was STAGE1/STAGE2, but the transcoding is a special stage and the typing is stage 2, since the transcoding had to be done first.
Some more shortening. Only 183 characters!
powershell -w h "$p=$home+'\b.jpg';iwr h4k.cc/b.jpg -O $p;SP 'HKCU:Control Panel\Desktop' WallPaper $p;1..59|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}"
* Omit http:// from URI
* powershell -w h to start a hidden PowerShell window
* set variable $p for later re-use (saves characters)
* Omit -Uri and redundant characters in -Outfile (-O) switches
* 1..59|% to create a loop for 60 seconds
* use $home as directory
Gets COM & serial device PID & VID if doing a walkabout and you want to collect info on HID PID & VID + MI for future use. Just a thought.
#Get - Com & Serial Devices
$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table
"COM & SERIAL DEVICES"
"==================================================================" + ($COMDevices | Out-String)
""
Removes all variables created during the session. I noticed my version of PS was storing them between simulated attacks, so removing them entirely was my resolve.
Remove-Variable -Name computerPubIP,
computerIP,IsDHCPEnabled,Network,Networks,
computerMAC,computerSystem,computerBIOS,computerOs,
computerCpu, computerMainboard,computerRamCapacity,
computerRam,driveType,Hdds,RDP,WLANProfileNames,WLANProfileName,
Output,WLANProfileObjects,WLANProfilePassword,WLANProfileObject,luser,
process,listener,listenerItem,process,service,software,drivers,videocard,
vault -ErrorAction SilentlyContinue -Force
- Clean up traces
- Bugfixes on newer firmware
- Improved documentation
- Fake hardware identifier
- Added persistence via autostart
- Disconnect on end
* Updated all Payloads for Version 1.2+
Fixed Style Issues on extensions and payloads.
Added GET TARGET_OS to get.sh
Removed and fixed all uses of ducky_helper.sh (Issue #248)
Removed all mention of DUCKY_LANG (Issue #248)
Renamed Payloads with spaces in name
Added an extension to keep Macs Happy
Added a payload for Mac DNS poisoning
Fixed Issue #271 changed wget to curl -o
Implemented PR #268
Implemented PR #273
* Fixed e.cmd
* Fix e.cmd pt2
* Fixed Issues
Fixed issues pointed out by @sebkinne
Fixed styling errors
Got Mac attacks working now. SEDing in place on a Mac seems like something that really makes the terminal unhappy. Did the same thing with a Python one-shot command.
Windows line endings removed. Grrrr. WTF, microsoft?
Found and fixed bug caused by missing default ssh config files making the program index into a NoneType by checking to make sure there's data there before indexing in.
Added the blanket try/except block for silent failures. Main cause of these appears to be very badly written (invalid) ssh commands. This is probably the best behavior the program could have with these... just silently run them and let them fail normally. Do not pass go, do not collect 200 passwords.
Version has been tested to deal with some command line scenarios. Still want to test its ability to work with paramiko, including trying to get it to install if it hasn't already.
* Add macDesktop prank
Runs a script in the background that will download pictures of My Little Pony (or whatever else you'd like, just change the URLs to the pictures) and randomly sets one as their desktop background every 45 minutes to 5 hours. You can change the number in the for loop to decide how many times it will change their background.
https://forums.hak5.org/topic/41605-payload-macwallpaper/
* Update readme
* Save process Id as file name to /tmp
Save process Id as file name to /tmp so that you can easily kill the prank if someone is screaming at you.
* Local hosts DNS spoofing attack
This is a simple hosts DNS spoofing attack, where the target gets redirected to a set IP when going to a certain website.
* Create README.md
* Update README.md
When no Internet connection is available the command runs into an error:
"The remote name could not be resolved: 'ipinfo.io'"
Fixed this with a try/catch block.
The command also runs into an error when Internet Explorer was never started.
"Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the
UseBasicParsing parameter and try again"
Fixed this with the -UseBasicParsing parameter.
* USB Intruder
Initial upload of the USB Intruder v1.1
Tested on Windows 7 and Windows 10.
* USB Intruder
Updated Readme.
Forgot to add a line.
* Update...again...
Added link for forum comments/discussion.
* USB Intruder
USB Intruder v1.1 Commit.
* Powershell SMB Delivery
* fixed smbserver.py call
* Updated to use HID and RNDIS_ETHERNET at the same time. Upgraded to Golang webserver
* Removed binary
* WifiPass payload
Based on the WiFiCreds payload, with a focus on WPA networks and wider OS scope.
* Lights
Solid rather than blinking
* Extra comment
* Update payload.txt
* Create readme.md
* Update readme.md
* Update payload.txt
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Fixed for 1.0 and 1.1
Fixed the payload for 1.0 but if you want it ported for 1.1, change line 38 to (LED M)
* Made 1.1 compatible.
Still need to examine Get-BrowserData.ps1
* Mac Reverse Shell
Starts a terminal window on a Mac, then creates a bash reverse shell inside a script, s.sh. It then runs the script in the background and closes the terminal window.
* Added variables for IP and Port of the Netcat Listener
For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener. Change those values to your listener and no other edits should be needed.
* Added persistence (and a reason to have a dropper)
This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user defined interval.
* Fixed additional MacReverseShell
* Added readme.md files
* Added readme.md files
* Added readme.md
* Added readme.md files
* Added readme.md files
* Updated for firmware 1.1
* Updated for firmware 1.1
* Added ThemeChanger and updated for firmware 1.1
* Updated readme.md
* Updated for firmware 1.1 - using RUN command
* Fixed issues with the new RUN - reverted
* Fixed a few script problems
* removed binary and updated readme.md
* added a check for themepack
* edited themechanger readme
* updated readme.md and version
Undercover Bunny is a Bash Bunny script that creates a wifi network when connected, using the host's internet connection.
Added LEDs
Update Undercover Bunny
Rename Undercover Bunny to payload.txt
Moved UndercoverBunny into the correct payload folder
* Updated for firmware version 1.1
Updated version number.
Updated LED status table.
* Update Ducky Template for firmware 1.1
Updated LED statuses
Updated language to DUCKY_LANG
removed 'source bunny_helpers.sh' and used 'GET SWITCH_POSITION' instead.
* Fix DUCKY_LANG vs. DUCK_LANG typo
Fix typo pointed out by Sebkinne
* Update payload.txt
* DumpCreds Version 2.1
- new payload.txt special for BashBunny FW 1.1
- minor changes in main.ps1
- insert some code for debugging
* Updated because of new fork sync
* new payload.txt special for BashBunny FW 1.1
+ minor changes in main.ps1
+ insert some code for debugging
* Adding the MacPhish payload, uses HID and STORAGE modes on BashBunny. For OS X, uses Spotlight to launch Terminal, then uses the osascript command to phish for the user's password, then saves the phished password back to the BashBunny.
* Update readme.md
* Scan for files that contain a specific phrase and exfil info about them
* Delete FileInfoExfil
* Create FileInfoExfil
* Delete FileInfoExfil
* Scans system for files beginning with a specific phrase and exfils data from them
* Delete ducky_script.txt
* Delete p.bat
* Delete payload.txt
* Exfil file information to the loot folder
Exfiltrates file information of files that contain a specific phrase, including if it is a directory, the file path and file size (in KB) to the loot folder of the BashBunny.
* Delete p.ps1
* Add files via upload
* Create readme.md
* Delete readme.md
* Create readme.md
* Update payload.txt
* Update readme.md
* added wifi grabber and windows meterpreter staged payload
* created details and updated content of payloads - ready for publication to hak5 bash bunny scripts
* created details and updated content of payloads - ready for publication to hak5 bash bunny scripts
* Added a rename file
* added the rename file
* Mac Reverse Shell
Starts a terminal window on a Mac, then creates a bash reverse shell inside a script, s.sh. It then runs the script in the background and closes the terminal window.
* Added variables for IP and Port of the Netcat Listener
For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener. Change those values to your listener and no other edits should be needed.
* Added persistence (and a reason to have a dropper)
This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user defined interval.
* InfoGrabber by MrSnowMonster - Version 1.0
A payload that collects information about a Windows computer and places it in a text file.
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Version 1.1
* Update info.ps1
Added some more information and repaired "0123"
Tested on Win10
* Update 2
added windows passwords
* Update 1.1
Updated
* Initial commit
HID Powershell attack to dump WiFiCreds
* Update readme.md
* changed initial LED blink color to white
* Changed initial LED color to white
* Changed initial LED Color to white
* swapped sync before LED
* switched from powershell to batch
* Update payload.txt
* using PowerShell again, updated version and LEDs
* using PowerShell, added USB eject, Win 7, 8, 10
* added window resizing to hide payload typing
* Update payload.txt
* pull request
* BrowserCreds Pull
* separate powershell script called from payload
also added result detection
* update LEDs
* Update payload.txt
* initial commit
* Update payload.txt
* initial pull
* initial commit
* BlackBackup
BlackBackup is a Powershell (and thus Windows) backup script that is easy to configure. Make quick backups of files, the registry, passwords, WiFi Keys, SAM database etc. and save them to the BashBunny. This is a HID + STORAGE attack. Now, let's eat some carrots!
* Update credentials.ps1
* Created payload to shell an Amazon Fire TV
The payload performs keyboard emulation in order to enable ADB and unknown sources on the target FireTV. Once this is completed the payload then installs a payload.apk file via ADB and then runs it.
* Created readme
* Add files via upload
Init of DumpCreds 2.0
Dumps the usernames & plaintext passwords from
- Browsers (Chrome, IE, Firefox)
- Wifi
- SAM hashes
- Mimimk@tz dump
- Computer information (hardware info, Windows product key, hotfixes, software, local and AD user list)
without
- Use of USB storage (because USB storage is mostly blocked by USBGuard or DriveLock)
- Internet connection (because the firewall content filter blocks the download sites)
* Minor Fix
* One file too many
* Changes in main.ps1 - parallelize the PowerShell scripts
Changes in payload.txt - Universal payload no matter if admin rights or not
Some minor changes in all PS\*.ps1 files
Signed-off-by: qdba <dieter@baur.nu>
* Forgot a file
* WifiCreds changed
* Changes in README.md
* Changed Get Chrome-Cred.ps1 from https://github.com/EmpireProject/Empire/tree/master/data/module_source/collection
Changed BUILD in main.ps1
Changed Build and Credits in README.md
* optimized WiPassDump payload to run in one file and a bit quicker.
* Create Prank folder and add UnifiedRickRoll payload
* Added UnifiedRickRoll support for windows
* Updated documentation on UnifiedRickRollWindows
* Causes payload to use roughly 30 times less processing power.
* Added Ascii-Prank Rick roll and Photo-Booth prank
"username" is not a valid value for the type attribute in an input tag,
which causes it to fail formal validation. Probably would never
*really* affect anything, but...you know...
* removed the paranoia mount. We don't need to test that the kernel is doing its job when mounting fstab
* log to a persistent location
* edited ignore loop to include hidden directories
This payload was made in collaboration with audibleblink through irc. We both came up with the same idea, but I took it a step further, by adding a git-pull/update after the first payload execution. Original repo at https://github.com/mathew-fleisch/Git-Bunny-Git
- fixes lootdir path
- don't capitalize var names that aren't exported
- indentation
- escape shell characters that are passed to QUACK
- account for variable copy times by joining cp and exit commands
- sync the disk
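The two fixes above that are easy to get wrong, escaping what goes to QUACK and tying the exit to the copy, shown as an added example that is not this payload's own code. The line a payload types into the target's terminal is built first, then escaped so that backslashes, double quotes, dollar signs and backticks survive the double-quoted bash string in payload.txt and reach QUACK STRING unchanged; the copy, a sync and the exit are joined with `&&` so the terminal only closes after the copy has actually finished, however long it takes. The paths and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the payload's own code. Paths and function names are
# assumptions; the target-side command is a plausible loot copy, not a
# recording of what any specific payload types.

# Escape the characters that bash treats specially inside a double-quoted
# string (backslash, double quote, dollar sign, backtick), so the result can
# be embedded as  Q STRING "..."  and typed literally.
quack_escape() {
    printf '%s' "$1" | sed -e 's/[\\"$`]/\\&/g'
}

# Build the target-side line: copy src to dst, flush, and only then exit.
# Because the commands are chained with &&, "exit" is not reached until cp
# has returned, regardless of how long the copy takes.
build_copy_line() {
    local src="$1" dst="$2"
    printf 'cp -r %s %s && sync && exit' "$src" "$dst"
}

# Render the QUACK directive exactly as it would appear in payload.txt.
quack_line() {
    printf 'Q STRING "%s"' "$(quack_escape "$1")"
}
```

A quick self-check is to `eval` the escaped text back into a double-quoted assignment and compare it with the original: if the two differ, some character is still being interpreted by the Bunny's shell before QUACK ever sees it.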
By using bunny_helpers.sh, possible problems with the "find" command are avoided. If the user only copies the payload from the library folder, find will find two destinations for portal.html and the script will therefore fail.
Within the forum https://forums.hak5.org/index.php?/topic/40237-install-tools/ several problems were mentioned which are solved with this update:
1. No need to move instead of copying tools_to_install to the switch directory due to use of bunny_helpers.sh
2. Check if everything is copied works even when the user OS has added hidden files (removing hidden files before test)
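The second point above, the completeness check that still passes when the user's OS has dropped hidden files into the source, as an added example that is not this payload's own code. It copies the tools directory into the switch directory, strips hidden files (.DS_Store, ._* resource forks and the like) from the copy, and then compares counts of visible regular files on both sides, so a stray .DS_Store cannot make the copy look incomplete and a file that genuinely failed to copy still does. Directory names and the sample file set are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the payload's own code: copy tools_to_install into the
# switch directory and verify the copy while ignoring hidden files. The
# directory layout used by the caller is an assumption.

# Count regular files below a directory whose name does not start with ".".
count_visible() {
    find "$1" -type f -not -name '.*' | wc -l | tr -d ' '
}

# Copy the contents of src into dst (creating dst), then remove hidden
# files from the destination so the OS's metadata never ends up on the Bunny.
copy_tools() {
    local src="$1" dst="$2"
    mkdir -p "$dst" || return 1
    cp -r "$src"/. "$dst"/ || return 1
    find "$dst" -type f -name '.*' -delete
    sync
}

# Succeed only when every visible file in src has a counterpart count in dst.
verify_copy() {
    local src="$1" dst="$2"
    [ "$(count_visible "$src")" -eq "$(count_visible "$dst")" ]
}
```

In a payload the pair would be called as `copy_tools "$src" "$dst" && verify_copy "$src" "$dst" || LED FAIL`, so the LED reports a short copy instead of the next stage silently running with tools missing.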
This payload executes a VBScript as the payload. The sample VBScript creates a netcat reverse shell, but any VBScript can be substituted. netcat.exe must be sourced elsewhere.
A simple script to create a netcat reverse shell. For Red Teamers - you can auto_increment the listener port by setting a flag to true in payload.txt. netcat.exe is not included and must be sourced elsewhere.